Fix vault init job

This commit is contained in:
dvirlabs 2025-07-24 03:35:51 +03:00
parent c62290e422
commit 09e17acdd7
5 changed files with 27 additions and 19 deletions


@ -1,14 +1,14 @@
apiVersion: argoproj.io/v1alpha1 apiVersion: argoproj.io/v1alpha1
kind: Application kind: Application
metadata: metadata:
name: external-secrets-clients name: external-secrets-dev-tools
namespace: argocd namespace: argocd
spec: spec:
project: dev-tools project: dev-tools
source: source:
repoURL: https://git.dvirlabs.com/dvirlabs/dev-tools.git repoURL: https://git.dvirlabs.com/dvirlabs/dev-tools.git
targetRevision: HEAD targetRevision: HEAD
path: manifests/external-secrets-clients path: manifests/external-secrets-dev-tools
directory: directory:
recurse: true recurse: true
destination: destination:


@ -13,27 +13,35 @@ spec:
command: ["/bin/sh", "-c"] command: ["/bin/sh", "-c"]
args: args:
- | - |
set -e
echo "⏳ Waiting for Vault to become available..." && echo "⏳ Waiting for Vault to become available..." &&
until curl -s http://vault.dev-tools.svc.cluster.local:8200/v1/sys/health | grep '"initialized":true'; do until curl -s http://vault.dev-tools.svc.cluster.local:8200/v1/sys/health | grep '"initialized":true'; do
sleep 2 sleep 2
done && done
export VAULT_ADDR=http://vault.dev-tools.svc.cluster.local:8200 &&
export VAULT_TOKEN=$(cat /vault/secrets/root-token) &&
echo "🔐 Enabling OIDC auth method..." && export VAULT_ADDR=http://vault.dev-tools.svc.cluster.local:8200
vault auth enable oidc || true && export VAULT_TOKEN=$(cat /vault/secrets/root-token)
echo "🔧 Configuring OIDC connection to Keycloak..." && echo "🔑 Verifying Vault token..."
if ! vault token lookup >/dev/null 2>&1; then
echo "❌ Invalid Vault token. Exiting."
exit 1
fi
echo "🔐 Enabling OIDC auth method..."
vault auth enable oidc || true
echo "🔧 Configuring OIDC connection to Keycloak..."
vault write auth/oidc/config \ vault write auth/oidc/config \
oidc_discovery_url="https://keycloak.dvirlabs.com/realms/lab" \ oidc_discovery_url="https://keycloak.dvirlabs.com/realms/lab" \
oidc_client_id="vault" \ oidc_client_id="vault" \
oidc_client_secret="8GWiUqwUZimb4xXHqFNTYCrTkKyc9hrY" \ oidc_client_secret="8GWiUqwUZimb4xXHqFNTYCrTkKyc9hrY" \
default_role="vault-admins" && default_role="vault-admins"
echo 'path "auth/oidc/role/default" { capabilities = ["read"] }' > /tmp/oidc-ui-access.hcl && echo 'path "auth/oidc/role/default" { capabilities = ["read"] }' > /tmp/oidc-ui-access.hcl
vault policy write oidc-ui-access /tmp/oidc-ui-access.hcl && vault policy write oidc-ui-access /tmp/oidc-ui-access.hcl
echo "🎯 Creating OIDC role named 'default'..." && echo "🎯 Creating OIDC role named 'default'..."
vault write auth/oidc/role/default \ vault write auth/oidc/role/default \
bound_audiences="vault" \ bound_audiences="vault" \
allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \ allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \
@ -42,23 +50,23 @@ spec:
oidc_scopes="profile email groups" \ oidc_scopes="profile email groups" \
policies="default" \ policies="default" \
token_policies="oidc-ui-access" \ token_policies="oidc-ui-access" \
ttl="1h" && ttl="1h"
echo 'path "*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }' > /tmp/vault-admin.hcl && echo 'path "*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }' > /tmp/vault-admin.hcl
vault policy write vault-admin /tmp/vault-admin.hcl && vault policy write vault-admin /tmp/vault-admin.hcl
echo "🎯 Creating OIDC role named 'vault-admins'..." && echo "🎯 Creating OIDC role named 'vault-admins'..."
vault write auth/oidc/role/vault-admins \ vault write auth/oidc/role/vault-admins \
bound_audiences="vault" \ bound_audiences="vault" \
allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \ allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \
user_claim="sub" \ user_claim="sub" \
groups_claim="groups" \ groups_claim="groups" \
bound_claims:groups=vault-admins \ bound_claims='{"groups": "vault-admins"}' \
oidc_scopes="profile email groups" \ oidc_scopes="profile email groups" \
policies="vault-admin" \ policies="vault-admin" \
ttl="1h" && ttl="1h"
echo "✅ All OIDC setup completed." echo "✅ All OIDC setup completed successfully."
volumeMounts: volumeMounts:
- name: vault-token - name: vault-token
mountPath: /vault/secrets mountPath: /vault/secrets
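Review bot: The OIDC client secret is still a clear-text literal in the `vault write auth/oidc/config` call of the first hunk (the `oidc_client_secret=` argument), so it remains committed to the manifest repository; the commit reworks the surrounding script (`set -e`, the token lookup guard) but leaves that line untouched. The job already reads the root token from a mounted file via `export VAULT_TOKEN=$(cat /vault/secrets/root-token)`, so the same pattern fits here: mount the client secret from a Kubernetes Secret alongside it and pass `oidc_client_secret="$(cat /vault/secrets/<client-secret-file>)"` (file name is a placeholder), and treat the value now in git history as exposed and rotate it in Keycloak. A secondary point: the `vault-admin` policy written in the second hunk grants `sudo` on `path "*"`, which is root-equivalent, and a one-line comment above that `echo` stating this would make the blast radius of the `vault-admins` role explicit to the next reader. Whether `bound_claims='{"groups": "vault-admins"}'` is accepted as a map by the CLI should be confirmed against the Vault version in use, since the rendered diff does not show a test of the role afterwards.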