diff --git a/manifests/vault/oidc-job.yaml b/manifests/vault/oidc-job.yaml
index dc508be..3c7bf95 100644
--- a/manifests/vault/oidc-job.yaml
+++ b/manifests/vault/oidc-job.yaml
@@ -11,62 +11,54 @@ spec: - name: oidc-setup image: harbor.dvirlabs.com/dev-tools/vault:1.15.5-curl command: ["/bin/sh", "-c"] - args: |- - echo "⏳ Waiting for Vault to become available..." - until curl -s http://vault.dev-tools.svc.cluster.local:8200/v1/sys/health | grep '"initialized":true'; do - sleep 2 - done + args: + - | + echo "⏳ Waiting for Vault to become available..." && + until curl -s http://vault.dev-tools.svc.cluster.local:8200/v1/sys/health | grep '"initialized":true'; do + sleep 2 + done && + export VAULT_ADDR=http://vault.dev-tools.svc.cluster.local:8200 && + export VAULT_TOKEN=$(cat /vault/secrets/root-token) && - export VAULT_ADDR=http://vault.dev-tools.svc.cluster.local:8200 - export VAULT_TOKEN=$(cat /vault/secrets/root-token) + echo "🔐 Enabling OIDC auth method..." && + vault auth enable oidc || true && - echo "🔐 Enabling OIDC auth method..." - vault auth enable oidc || true + echo "🔧 Configuring OIDC connection to Keycloak..." && + vault write auth/oidc/config \ + oidc_discovery_url="https://keycloak.dvirlabs.com/realms/lab" \ + oidc_client_id="vault" \ + oidc_client_secret="8GWiUqwUZimb4xXHqFNTYCrTkKyc9hrY" \ + default_role="vault-admins" && - echo "🔧 Configuring OIDC connection to Keycloak..." - vault write auth/oidc/config \ - oidc_discovery_url="https://keycloak.dvirlabs.com/realms/lab" \ - oidc_client_id="vault" \ - oidc_client_secret="8GWiUqwUZimb4xXHqFNTYCrTkKyc9hrY" \ - default_role="vault-admins" + echo 'path "auth/oidc/role/default" { capabilities = ["read"] }' > /tmp/oidc-ui-access.hcl && + vault policy write oidc-ui-access /tmp/oidc-ui-access.hcl && - echo "📜 Writing Vault policy: oidc-ui-access" - vault policy write oidc-ui-access - < /tmp/vault-admin.hcl && + vault policy write vault-admin /tmp/vault-admin.hcl && - echo "📜 Writing Vault policy: vault-admin" - vault policy write vault-admin - <