Role admin

dvirlabs 2025-05-18 05:19:08 +03:00
parent 9dbf546207
commit 9ba73b7e0e


@ -8,11 +8,10 @@ spec:
spec: spec:
restartPolicy: OnFailure restartPolicy: OnFailure
containers: containers:
- name: oidc-setup - name: oidc-setup
image: harbor.dvirlabs.com/dev-tools/vault:1.15.5-curl image: harbor.dvirlabs.com/dev-tools/vault:1.15.5-curl
command: ["/bin/sh", "-c"] command: ["/bin/sh", "-c"]
args: args: |-
- |
echo "⏳ Waiting for Vault to become available..." echo "⏳ Waiting for Vault to become available..."
until curl -s http://vault.dev-tools.svc.cluster.local:8200/v1/sys/health | grep '"initialized":true'; do until curl -s http://vault.dev-tools.svc.cluster.local:8200/v1/sys/health | grep '"initialized":true'; do
sleep 2 sleep 2
@ -29,14 +28,14 @@ spec:
oidc_discovery_url="https://keycloak.dvirlabs.com/realms/lab" \ oidc_discovery_url="https://keycloak.dvirlabs.com/realms/lab" \
oidc_client_id="vault" \ oidc_client_id="vault" \
oidc_client_secret="8GWiUqwUZimb4xXHqFNTYCrTkKyc9hrY" \ oidc_client_secret="8GWiUqwUZimb4xXHqFNTYCrTkKyc9hrY" \
default_role="default" default_role="vault-admins"
echo "📜 Writing Vault policy..." echo "📜 Writing Vault policy: oidc-ui-access"
vault policy write oidc-ui-access - <<EOF vault policy write oidc-ui-access - <<EOF
path "auth/oidc/role/default" { path "auth/oidc/role/default" {
capabilities = ["read"] capabilities = ["read"]
} }
EOF EOF
echo "🎯 Creating OIDC role named 'default'..." echo "🎯 Creating OIDC role named 'default'..."
vault write auth/oidc/role/default \ vault write auth/oidc/role/default \
@ -48,11 +47,31 @@ spec:
policies="default" \ policies="default" \
token_policies="oidc-ui-access" \ token_policies="oidc-ui-access" \
ttl="1h" ttl="1h"
volumeMounts:
- name: vault-token echo "📜 Writing Vault policy: vault-admin"
mountPath: /vault/secrets vault policy write vault-admin - <<EOF
readOnly: true path "*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
EOF
echo "🎯 Creating OIDC role named 'vault-admins'..."
vault write auth/oidc/role/vault-admins \
bound_audiences="vault" \
allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \
user_claim="sub" \
groups_claim="groups" \
bound_claims='{"groups": "vault-admins"}' \
oidc_scopes="profile email groups" \
policies="vault-admin" \
ttl="1h"
echo "✅ All OIDC setup completed."
volumeMounts:
- name: vault-token
mountPath: /vault/secrets
readOnly: true
volumes: volumes:
- name: vault-token - name: vault-token
secret: secret:
secretName: vault-init secretName: vault-init
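Review bot: In the first hunk `args:` changes from a sequence (`- |` item) to a scalar block string (`args: |-`), but a container's `args` field in Kubernetes is a string array, so as rendered here the API server should reject this Job manifest; keep the list item, `args:` / `  - |-`, with the script indented under it (the enclosing Job spec begins before the hunk). In the third hunk the new `vault-admin` policy grants every capability including `sudo` on `path "*"`, which is root-equivalent for any member of the `vault-admins` group; scope it to the paths admins actually need and add a comment above the heredoc stating why `sudo` is required, since only a small set of protected `sys/` endpoints need it. Changing `default_role` to `vault-admins` in the second hunk also appears to mean a UI login that does not pick a role is evaluated against the admin role's `bound_claims` and fails for anyone outside that group instead of landing on the least-privileged `default` role; consider keeping `default_role="default"` and having admins select the role explicitly. The OIDC client secret on the `oidc_client_secret=` line remains committed in plaintext next to this change; it should be read at runtime from the mounted `vault-init` Secret (or an env var sourced from a Secret) rather than embedded in the manifest.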