Add init vault job

This commit is contained in:
dvirlabs 2025-05-16 14:55:12 +03:00
parent 2d3f2b5fae
commit 98d0ceb41c
2 changed files with 62 additions and 0 deletions


@ -0,0 +1,54 @@
apiVersion: batch/v1
kind: Job
metadata:
name: configure-vault-oidc
namespace: dev-tools
spec:
template:
spec:
restartPolicy: OnFailure
containers:
- name: oidc-setup
image: hashicorp/vault:1.15.5
command: ["/bin/sh", "-c"]
args:
- |
echo "⏳ Waiting for Vault to become ready..."
until curl -s http://vault.dev-tools.svc.cluster.local:8200/v1/sys/health | grep '"initialized":true'; do
sleep 2
done
export VAULT_ADDR=http://vault.dev-tools.svc.cluster.local:8200
export VAULT_TOKEN=$(cat /vault/secrets/root-token)
vault auth enable oidc || true
vault write auth/oidc/config \
oidc_discovery_url="https://keycloack.dvirlabs.com/realms/lab" \
oidc_client_id="vault" \
oidc_client_secret="8GWiUqwUZimb4xXHqFNTYCrTkKyc9hrY" \
default_role="vault-role"
vault policy write oidc-ui-access - <<EOF
path "auth/oidc/role/vault-role" {
capabilities = ["read"]
}
EOF
vault write auth/oidc/role/vault-role \
bound_audiences="vault" \
allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \
user_claim="preferred_username" \
groups_claim="groups" \
oidc_scopes="profile email groups" \
policies="default" \
token_policies="oidc-ui-access" \
ttl="1h"
volumeMounts:
- name: vault-token
mountPath: /vault/secrets
readOnly: true
volumes:
- name: vault-token
secret:
secretName: vault-init
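Review bot: The OIDC client secret is embedded in plain text in the container `args` at `oidc_client_secret="…"`, so it is committed to the repository and exposed to anyone who can read Jobs or Pods in the `dev-tools` namespace; it should be supplied from a Kubernetes Secret through an environment variable and, since this value is already in history, rotated on the Keycloak side. The shell script has no `set -e`, so a failing `vault write auth/oidc/config` does not fail the Job as long as the final `vault write auth/oidc/role/vault-role` succeeds — add `set -eu` as the script's first line. The readiness loop is unbounded and the Job sets no `activeDeadlineSeconds`, so a Vault that never reports `initialized` (or an image without `curl` — I am not certain the Alpine-based vault image ships it) keeps the pod running indefinitely. Indentation is not preserved in this rendering, so the placement below is approximate.
```yaml
spec:
  activeDeadlineSeconds: 600
  template:
    spec:
      # … unchanged: restartPolicy …
      containers:
        - name: oidc-setup
          image: hashicorp/vault:1.15.5
          env:
            - name: OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: OIDC_CLIENT_SECRET_NAME  # placeholder: Secret holding the Keycloak client secret
                  key: client-secret
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -eu
              # … unchanged: readiness loop, VAULT_ADDR/VAULT_TOKEN exports, auth enable …
              vault write auth/oidc/config \
                oidc_discovery_url="https://keycloack.dvirlabs.com/realms/lab" \
                oidc_client_id="vault" \
                oidc_client_secret="$OIDC_CLIENT_SECRET" \
                default_role="vault-role"
              # … unchanged: policy write and role write …
          # … unchanged: volumeMounts …
      # … unchanged: volumes …
```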


@ -0,0 +1,8 @@
apiVersion: v1
kind: Secret
metadata:
name: vault-init
namespace: dev-tools
type: Opaque
stringData:
root-token: hvs.apikacyQXiHOXeKXfKyPJM1p
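Review bot: A live Vault root token is committed in plain text under `stringData.root-token`; a root token grants unrestricted control of Vault, and this one is now in git history, so it should be revoked (`vault token revoke <token>`) and the manifest should never carry the literal — populate the `vault-init` Secret out-of-band (an external secrets operator, a sealed/encrypted Secret, or the init pipeline writing it directly to the cluster) and keep only the Secret's name and key in the repo. The configuration Job in this commit also does not need root: a short-lived token bound to a policy covering `sys/auth/oidc` (sudo), `auth/oidc/config`, `auth/oidc/role/vault-role` and `sys/policies/acl/oidc-ui-access` is sufficient and limits the blast radius if the token is read from the namespace. Note that a Kubernetes Secret is only base64-encoded in the API and is readable by anyone with `get secrets` in `dev-tools`; etcd encryption at rest, if enabled, does not change that.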