From 9dbf54620745af82fc845ab6bc1b990d3ae52b3c Mon Sep 17 00:00:00 2001
From: dvirlabs <dvirlabs@gmail.com>
Date: Sun, 18 May 2025 05:13:51 +0300
Subject: [PATCH] Role admin

---
 manifests/vault/oidc-job.yaml | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

diff --git a/manifests/vault/oidc-job.yaml b/manifests/vault/oidc-job.yaml
index f5273cb..25b9763 100644
--- a/manifests/vault/oidc-job.yaml
+++ b/manifests/vault/oidc-job.yaml
@@ -29,9 +29,16 @@ spec:
               oidc_discovery_url="https://keycloak.dvirlabs.com/realms/lab" \
               oidc_client_id="vault" \
               oidc_client_secret="8GWiUqwUZimb4xXHqFNTYCrTkKyc9hrY" \
-              default_role="vault-admins"
+              default_role="default"
 
-            echo "🎯 Creating OIDC role named 'default' (optional)..."
+            echo "📜 Writing Vault policy..."
+            vault policy write oidc-ui-access - <<EOF
+            path "auth/oidc/role/default" {
+              capabilities = ["read"]
+            }
+            EOF
+
+            echo "🎯 Creating OIDC role named 'default'..."
             vault write auth/oidc/role/default \
               bound_audiences="vault" \
               allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \
@@ -41,15 +48,6 @@ spec:
               policies="default" \
               token_policies="oidc-ui-access" \
               ttl="1h"
-
-            echo "📜 Writing vault-admin policy..."
-            vault policy write vault-admin - <<EOF
-            path "*" {
-              capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-            }
-            EOF
-
-            echo "✅ All OIDC setup completed."
         volumeMounts:
         - name: vault-token
           mountPath: /vault/secrets