dvirlabs/dev-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix vault init job

Browse Source
This commit is contained in:
dvirlabs 2025-07-24 03:35:51 +03:00
parent c62290e422
commit 09e17acdd7
5 changed files with 27 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
argocd-apps/external-secrets-clients.yaml
View File

@ -1,14 +1,14 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: external-secrets-clients
name: external-secrets-dev-tools
namespace: argocd
spec:
project: dev-tools
source:
repoURL: https://git.dvirlabs.com/dvirlabs/dev-tools.git
targetRevision: HEAD
path: manifests/external-secrets-clients
path: manifests/external-secrets-dev-tools
directory:
recurse: true
destination:

0
manifests/external-secrets-clients/gitea-bitnami/external-secret.yaml → manifests/external-secrets-dev-tools/gitea-bitnami/external-secret.yaml
View File

0
manifests/external-secrets-clients/wikijs/external-secret.yaml → manifests/external-secrets-dev-tools/wikijs/external-secret.yaml
View File

0
manifests/external-secrets-clients/woodpecker/external-secret.yaml → manifests/external-secrets-dev-tools/woodpecker/external-secret.yaml
View File

42
manifests/vault/oidc-job.yaml
View File

@ -13,27 +13,35 @@ spec:
command: ["/bin/sh", "-c"]
args:
- |
set -e
echo "⏳ Waiting for Vault to become available..." &&
until curl -s http://vault.dev-tools.svc.cluster.local:8200/v1/sys/health | grep '"initialized":true'; do
sleep 2
done &&
export VAULT_ADDR=http://vault.dev-tools.svc.cluster.local:8200 &&
export VAULT_TOKEN=$(cat /vault/secrets/root-token) &&
done
echo "🔐 Enabling OIDC auth method..." &&
vault auth enable oidc || true &&
export VAULT_ADDR=http://vault.dev-tools.svc.cluster.local:8200
export VAULT_TOKEN=$(cat /vault/secrets/root-token)
echo "🔧 Configuring OIDC connection to Keycloak..." &&
echo "🔑 Verifying Vault token..."
if ! vault token lookup >/dev/null 2>&1; then
echo "❌ Invalid Vault token. Exiting."
exit 1
fi
echo "🔐 Enabling OIDC auth method..."
vault auth enable oidc || true
echo "🔧 Configuring OIDC connection to Keycloak..."
vault write auth/oidc/config \
oidc_discovery_url="https://keycloak.dvirlabs.com/realms/lab" \
oidc_client_id="vault" \
oidc_client_secret="8GWiUqwUZimb4xXHqFNTYCrTkKyc9hrY" \
default_role="vault-admins" &&
default_role="vault-admins"
echo 'path "auth/oidc/role/default" { capabilities = ["read"] }' > /tmp/oidc-ui-access.hcl &&
vault policy write oidc-ui-access /tmp/oidc-ui-access.hcl &&
echo 'path "auth/oidc/role/default" { capabilities = ["read"] }' > /tmp/oidc-ui-access.hcl
vault policy write oidc-ui-access /tmp/oidc-ui-access.hcl
echo "🎯 Creating OIDC role named 'default'..." &&
echo "🎯 Creating OIDC role named 'default'..."
vault write auth/oidc/role/default \
bound_audiences="vault" \
allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \
@ -42,23 +50,23 @@ spec:
oidc_scopes="profile email groups" \
policies="default" \
token_policies="oidc-ui-access" \
ttl="1h" &&
ttl="1h"
echo 'path "*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }' > /tmp/vault-admin.hcl &&
vault policy write vault-admin /tmp/vault-admin.hcl &&
echo 'path "*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }' > /tmp/vault-admin.hcl
vault policy write vault-admin /tmp/vault-admin.hcl
echo "🎯 Creating OIDC role named 'vault-admins'..." &&
echo "🎯 Creating OIDC role named 'vault-admins'..."
vault write auth/oidc/role/vault-admins \
bound_audiences="vault" \
allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \
user_claim="sub" \
groups_claim="groups" \
bound_claims:groups=vault-admins \
bound_claims='{"groups": "vault-admins"}' \
oidc_scopes="profile email groups" \
policies="vault-admin" \
ttl="1h" &&
ttl="1h"
echo "✅ All OIDC setup completed."
echo "✅ All OIDC setup completed successfully."
volumeMounts:
- name: vault-token
mountPath: /vault/secrets