From 09e17acdd7c43b9c68dd4b9bbed75e8ac58b9f10 Mon Sep 17 00:00:00 2001 From: dvirlabs Date: Thu, 24 Jul 2025 03:35:51 +0300 Subject: [PATCH] Fix vault init job --- argocd-apps/external-secrets-clients.yaml | 4 +- .../gitea-bitnami/external-secret.yaml | 0 .../wikijs/external-secret.yaml | 0 .../woodpecker/external-secret.yaml | 0 manifests/vault/oidc-job.yaml | 42 +++++++++++-------- 5 files changed, 27 insertions(+), 19 deletions(-) rename manifests/{external-secrets-clients => external-secrets-dev-tools}/gitea-bitnami/external-secret.yaml (100%) rename manifests/{external-secrets-clients => external-secrets-dev-tools}/wikijs/external-secret.yaml (100%) rename manifests/{external-secrets-clients => external-secrets-dev-tools}/woodpecker/external-secret.yaml (100%) diff --git a/argocd-apps/external-secrets-clients.yaml b/argocd-apps/external-secrets-clients.yaml index 4b3bca5..4fa6172 100644 --- a/argocd-apps/external-secrets-clients.yaml +++ b/argocd-apps/external-secrets-clients.yaml @@ -1,14 +1,14 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: external-secrets-clients + name: external-secrets-dev-tools namespace: argocd spec: project: dev-tools source: repoURL: https://git.dvirlabs.com/dvirlabs/dev-tools.git targetRevision: HEAD - path: manifests/external-secrets-clients + path: manifests/external-secrets-dev-tools directory: recurse: true destination: diff --git a/manifests/external-secrets-clients/gitea-bitnami/external-secret.yaml b/manifests/external-secrets-dev-tools/gitea-bitnami/external-secret.yaml similarity index 100% rename from manifests/external-secrets-clients/gitea-bitnami/external-secret.yaml rename to manifests/external-secrets-dev-tools/gitea-bitnami/external-secret.yaml 
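Review bot: Changing `metadata.name` from `external-secrets-clients` to `external-secrets-dev-tools` creates a new Argo CD Application, but nothing in this diff removes the old one, so what happens next depends on how it was applied: if a parent app prunes it with cascading deletion, the ExternalSecrets under the old path (and the Kubernetes Secrets they generate) are deleted before the new Application syncs them back, and if nothing prunes it, it lingers pointing at a path that no longer exists in the repo. I would delete the old Application explicitly and non-cascadingly as part of this change rather than relying on prune behaviour. The file is still named `argocd-apps/external-secrets-clients.yaml` while the resource it defines is now `external-secrets-dev-tools`; renaming the file to match would keep the app-of-apps directory readable.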
diff --git a/manifests/external-secrets-clients/wikijs/external-secret.yaml b/manifests/external-secrets-dev-tools/wikijs/external-secret.yaml
similarity index 100%
rename from manifests/external-secrets-clients/wikijs/external-secret.yaml
rename to manifests/external-secrets-dev-tools/wikijs/external-secret.yaml
diff --git a/manifests/external-secrets-clients/woodpecker/external-secret.yaml b/manifests/external-secrets-dev-tools/woodpecker/external-secret.yaml
similarity index 100%
rename from manifests/external-secrets-clients/woodpecker/external-secret.yaml
rename to manifests/external-secrets-dev-tools/woodpecker/external-secret.yaml
diff --git a/manifests/vault/oidc-job.yaml b/manifests/vault/oidc-job.yaml
index 0dfabec..8df1adf 100644
--- a/manifests/vault/oidc-job.yaml
+++ b/manifests/vault/oidc-job.yaml
@@ -13,27 +13,35 @@ spec: command: ["/bin/sh", "-c"] args: - | + set -e echo "⏳ Waiting for Vault to become available..." && until curl -s http://vault.dev-tools.svc.cluster.local:8200/v1/sys/health | grep '"initialized":true'; do sleep 2 - done && - export VAULT_ADDR=http://vault.dev-tools.svc.cluster.local:8200 && - export VAULT_TOKEN=$(cat /vault/secrets/root-token) && + done - echo "🔐 Enabling OIDC auth method..." && - vault auth enable oidc || true && + export VAULT_ADDR=http://vault.dev-tools.svc.cluster.local:8200 + export VAULT_TOKEN=$(cat /vault/secrets/root-token) - echo "🔧 Configuring OIDC connection to Keycloak..." && + echo "🔑 Verifying Vault token..." + if ! vault token lookup >/dev/null 2>&1; then + echo "❌ Invalid Vault token. Exiting." + exit 1 + fi + + echo "🔐 Enabling OIDC auth method..." + vault auth enable oidc || true + + echo "🔧 Configuring OIDC connection to Keycloak..." vault write auth/oidc/config \ oidc_discovery_url="https://keycloak.dvirlabs.com/realms/lab" \ oidc_client_id="vault" \ oidc_client_secret="8GWiUqwUZimb4xXHqFNTYCrTkKyc9hrY" \ - default_role="vault-admins" && + default_role="vault-admins" - echo 'path "auth/oidc/role/default" { capabilities = ["read"] }' > /tmp/oidc-ui-access.hcl && - vault policy write oidc-ui-access /tmp/oidc-ui-access.hcl && + echo 'path "auth/oidc/role/default" { capabilities = ["read"] }' > /tmp/oidc-ui-access.hcl + vault policy write oidc-ui-access /tmp/oidc-ui-access.hcl - echo "🎯 Creating OIDC role named 'default'..." && + echo "🎯 Creating OIDC role named 'default'..." vault write auth/oidc/role/default \ bound_audiences="vault" \ allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \ 
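Review bot: The readiness loop at the top of the hunk exits as soon as `/v1/sys/health` reports `"initialized":true`, which is also what Vault returns (with HTTP 503) while it is still sealed, so on a fresh or restarted Vault the script falls straight through to the new `vault token lookup` check, fails it and exits 1 until the Job's backoff gives up. Checking the HTTP status instead covers both states: `until curl -sf "http://vault.dev-tools.svc.cluster.local:8200/v1/sys/health?standbyok=true" >/dev/null; do`, since that endpoint only returns 200 when Vault is initialized, unsealed and active (or standby, with that flag). Separately, the Keycloak client secret is still a plain literal on the `oidc_client_secret=` line of this committed manifest; the repo already manages ExternalSecret resources, so it should be mounted next to the root token and read from a file the same way `VAULT_TOKEN` now is. The container spec and any `activeDeadlineSeconds` on the Job are outside the hunk, so I cannot tell whether an unbounded wait here is capped.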
@@ -42,23 +50,23 @@ spec: oidc_scopes="profile email groups" \ policies="default" \ token_policies="oidc-ui-access" \ - ttl="1h" && + ttl="1h" - echo 'path "*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }' > /tmp/vault-admin.hcl && - vault policy write vault-admin /tmp/vault-admin.hcl && + echo 'path "*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }' > /tmp/vault-admin.hcl + vault policy write vault-admin /tmp/vault-admin.hcl - echo "🎯 Creating OIDC role named 'vault-admins'..." && + echo "🎯 Creating OIDC role named 'vault-admins'..." vault write auth/oidc/role/vault-admins \ bound_audiences="vault" \ allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \ user_claim="sub" \ groups_claim="groups" \ - bound_claims:groups=vault-admins \ + bound_claims='{"groups": "vault-admins"}' \ oidc_scopes="profile email groups" \ policies="vault-admin" \ - ttl="1h" && + ttl="1h" - echo "✅ All OIDC setup completed." + echo "✅ All OIDC setup completed successfully." volumeMounts: - name: vault-token mountPath: /vault/secrets
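Review bot: The `vault-admins` role at the bottom of the hunk still uses the deprecated aliases `policies=` and `ttl=`, while the `default` role above it already sets `token_policies=`; Vault accepts the old names, but mixing both spellings in one script obscures which policy set a role actually gets, and the `token_*` names are the documented ones. I would change the two lines to `token_policies="vault-admin" \` and `token_ttl="1h"`, and the `ttl="1h"` line for the default role at the top of this hunk the same way. The `bound_claims` JSON fix is right; note that the `vault-admin` policy it attaches grants `sudo` on `path "*"`, i.e. root-equivalent access for every member of the Keycloak `vault-admins` group, so group membership in Keycloak is now the entire trust boundary. That deserves a comment next to the policy write, e.g. `# root-equivalent policy: Keycloak 'vault-admins' group membership is the only gate`.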