Fix yaml lint

dvirlabs 2025-05-18 23:23:43 +03:00
parent 9ba73b7e0e
commit 9a7b7274b1


@ -11,33 +11,29 @@ spec:
- name: oidc-setup - name: oidc-setup
image: harbor.dvirlabs.com/dev-tools/vault:1.15.5-curl image: harbor.dvirlabs.com/dev-tools/vault:1.15.5-curl
command: ["/bin/sh", "-c"] command: ["/bin/sh", "-c"]
args: |- args:
echo "⏳ Waiting for Vault to become available..." - |
echo "⏳ Waiting for Vault to become available..." &&
until curl -s http://vault.dev-tools.svc.cluster.local:8200/v1/sys/health | grep '"initialized":true'; do until curl -s http://vault.dev-tools.svc.cluster.local:8200/v1/sys/health | grep '"initialized":true'; do
sleep 2 sleep 2
done done &&
export VAULT_ADDR=http://vault.dev-tools.svc.cluster.local:8200 &&
export VAULT_TOKEN=$(cat /vault/secrets/root-token) &&
export VAULT_ADDR=http://vault.dev-tools.svc.cluster.local:8200 echo "🔐 Enabling OIDC auth method..." &&
export VAULT_TOKEN=$(cat /vault/secrets/root-token) vault auth enable oidc || true &&
echo "🔐 Enabling OIDC auth method..." echo "🔧 Configuring OIDC connection to Keycloak..." &&
vault auth enable oidc || true
echo "🔧 Configuring OIDC connection to Keycloak..."
vault write auth/oidc/config \ vault write auth/oidc/config \
oidc_discovery_url="https://keycloak.dvirlabs.com/realms/lab" \ oidc_discovery_url="https://keycloak.dvirlabs.com/realms/lab" \
oidc_client_id="vault" \ oidc_client_id="vault" \
oidc_client_secret="8GWiUqwUZimb4xXHqFNTYCrTkKyc9hrY" \ oidc_client_secret="8GWiUqwUZimb4xXHqFNTYCrTkKyc9hrY" \
default_role="vault-admins" default_role="vault-admins" &&
echo "📜 Writing Vault policy: oidc-ui-access" echo 'path "auth/oidc/role/default" { capabilities = ["read"] }' > /tmp/oidc-ui-access.hcl &&
vault policy write oidc-ui-access - <<EOF vault policy write oidc-ui-access /tmp/oidc-ui-access.hcl &&
path "auth/oidc/role/default" {
capabilities = ["read"]
}
EOF
echo "🎯 Creating OIDC role named 'default'..." echo "🎯 Creating OIDC role named 'default'..." &&
vault write auth/oidc/role/default \ vault write auth/oidc/role/default \
bound_audiences="vault" \ bound_audiences="vault" \
allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \ allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \
@ -46,16 +42,12 @@ EOF
oidc_scopes="profile email groups" \ oidc_scopes="profile email groups" \
policies="default" \ policies="default" \
token_policies="oidc-ui-access" \ token_policies="oidc-ui-access" \
ttl="1h" ttl="1h" &&
echo "📜 Writing Vault policy: vault-admin" echo 'path "*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }' > /tmp/vault-admin.hcl &&
vault policy write vault-admin - <<EOF vault policy write vault-admin /tmp/vault-admin.hcl &&
path "*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
EOF
echo "🎯 Creating OIDC role named 'vault-admins'..." echo "🎯 Creating OIDC role named 'vault-admins'..." &&
vault write auth/oidc/role/vault-admins \ vault write auth/oidc/role/vault-admins \
bound_audiences="vault" \ bound_audiences="vault" \
allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \ allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \
@ -64,7 +56,7 @@ EOF
bound_claims='{"groups": "vault-admins"}' \ bound_claims='{"groups": "vault-admins"}' \
oidc_scopes="profile email groups" \ oidc_scopes="profile email groups" \
policies="vault-admin" \ policies="vault-admin" \
ttl="1h" ttl="1h" &&
echo "✅ All OIDC setup completed." echo "✅ All OIDC setup completed."
volumeMounts: volumeMounts:
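Review bot: The Keycloak client secret is still committed in plaintext in `oidc_client_secret="8GWiUqwUZimb4xXHqFNTYCrTkKyc9hrY"` on both sides of the first hunk, so anyone with read access to this repository or its history can impersonate the `vault` OIDC client against the `lab` realm. Because the value is already in git history it should be rotated in Keycloak, and the new one injected from a Kubernetes Secret via an `env` entry with `valueFrom.secretKeyRef`, then referenced as `oidc_client_secret="$OIDC_CLIENT_SECRET" \` — the script already runs under `/bin/sh -c` and uses `$(cat /vault/secrets/root-token)`, so the variable expands at runtime with no extra YAML escaping. The same pattern applies to `VAULT_TOKEN=$(cat /vault/secrets/root-token)`: performing routine setup with the root token over a plain `http://` service address is wider than this job needs, and a short-lived token limited to `auth/oidc/*` and `sys/policies/acl/*` would be the least-privilege replacement, though that can be a follow-up. The container spec continues past `volumeMounts:` at the end of this section, so the mounts that provide the token file are not visible here.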