Role admin

manifests/vault/oidc-job.yaml

@@ -11,8 +11,7 @@ spec:
         - name: oidc-setup
           image: harbor.dvirlabs.com/dev-tools/vault:1.15.5-curl
           command: ["/bin/sh", "-c"]
-        args:
-          - |
+          args: |-
             echo "⏳ Waiting for Vault to become available..."
             until curl -s http://vault.dev-tools.svc.cluster.local:8200/v1/sys/health | grep '"initialized":true'; do
               sleep 2
@@ -29,9 +28,9 @@ spec:
               oidc_discovery_url="https://keycloak.dvirlabs.com/realms/lab" \
               oidc_client_id="vault" \
               oidc_client_secret="8GWiUqwUZimb4xXHqFNTYCrTkKyc9hrY" \
-              default_role="default"
+              default_role="vault-admins"
 
-            echo "📜 Writing Vault policy..."
+            echo "📜 Writing Vault policy: oidc-ui-access"
             vault policy write oidc-ui-access - <<EOF
             path "auth/oidc/role/default" {
               capabilities = ["read"]
@@ -48,6 +47,26 @@ spec:
               policies="default" \
               token_policies="oidc-ui-access" \
               ttl="1h"
+
+            echo "📜 Writing Vault policy: vault-admin"
+            vault policy write vault-admin - <<EOF
+            path "*" {
+              capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+            }
+EOF
+
+            echo "🎯 Creating OIDC role named 'vault-admins'..."
+            vault write auth/oidc/role/vault-admins \
+              bound_audiences="vault" \
+              allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \
+              user_claim="sub" \
+              groups_claim="groups" \
+              bound_claims='{"groups": "vault-admins"}' \
+              oidc_scopes="profile email groups" \
+              policies="vault-admin" \
+              ttl="1h"
+
+            echo "✅ All OIDC setup completed."
           volumeMounts:
             - name: vault-token
               mountPath: /vault/secrets