From 98d0ceb41c52b8abb9e81c750bbee1014b5da25b Mon Sep 17 00:00:00 2001
From: dvirlabs <114520947+dvirlabs@users.noreply.github.com>
Date: Fri, 16 May 2025 14:55:12 +0300
Subject: [PATCH] Add init vault job
---
manifests/vault/oidc-job.yaml | 54 ++++++++++++++++++++++++++
manifests/vault/vault-init-secret.yaml | 8 ++++
2 files changed, 62 insertions(+)
create mode 100644 manifests/vault/oidc-job.yaml
create mode 100644 manifests/vault/vault-init-secret.yaml
diff --git a/manifests/vault/oidc-job.yaml b/manifests/vault/oidc-job.yaml
new file mode 100644
index 0000000..0319e24
--- /dev/null
+++ b/manifests/vault/oidc-job.yaml
@@ -0,0 +1,54 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: configure-vault-oidc
+ namespace: dev-tools
+spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ containers:
+ - name: oidc-setup
+ image: hashicorp/vault:1.15.5
+ command: ["/bin/sh", "-c"]
+ args:
+ - |
+ echo "⏳ Waiting for Vault to become ready..."
+ until curl -s http://vault.dev-tools.svc.cluster.local:8200/v1/sys/health | grep '"initialized":true'; do
+ sleep 2
+ done
+
+ export VAULT_ADDR=http://vault.dev-tools.svc.cluster.local:8200
+ export VAULT_TOKEN=$(cat /vault/secrets/root-token)
+
+ vault auth enable oidc || true
+
+ vault write auth/oidc/config \
+ oidc_discovery_url="https://keycloack.dvirlabs.com/realms/lab" \
+ oidc_client_id="vault" \
+ oidc_client_secret="8GWiUqwUZimb4xXHqFNTYCrTkKyc9hrY" \
+ default_role="vault-role"
+
+ vault policy write oidc-ui-access - <