From ba462fe06a6bc85dd16382f896f2c3974d534681 Mon Sep 17 00:00:00 2001
From: dvirlabs
Date: Sun, 18 May 2025 02:01:39 +0300
Subject: [PATCH] Add secret for oidc

---
 manifests/vault/values.yaml            | 26 +++++++++++++++++++++++++-
 manifests/vault/vault-oidc-secret.yaml |  8 ++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 manifests/vault/vault-oidc-secret.yaml

diff --git a/manifests/vault/values.yaml b/manifests/vault/values.yaml
index b9715cb..f387d3e 100644
--- a/manifests/vault/values.yaml
+++ b/manifests/vault/values.yaml
@@ -1,4 +1,6 @@
 server:
+  envFromSecret: vault-oidc-secret
+
   dataStorage:
     enabled: true
     size: 1Gi
@@ -20,8 +22,27 @@ server:
 
       disable_mlock = true
 
+      auth "oidc" {
+        config = {
+          oidc_discovery_url = "https://keycloak.dvirlabs.com/realms/lab"
+          oidc_client_id = "vault"
+          oidc_client_secret = "{{ env "VAULT_OIDC_CLIENT_SECRET" }}"
+          default_role = "vault-admins"
+        }
+      }
+
+      role "vault-admins" {
+        bound_audiences = "vault"
+        allowed_redirect_uris = "https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback"
+        user_claim = "sub"
+        groups_claim = "groups"
+        bound_claims = { "groups": "vault-admins" }
+        policies = ["vault-admin"]
+      }
+
   extraEnvironmentVars:
     VAULT_ADDR: http://127.0.0.1:8200
+    VAULT_OIDC_CLIENT_SECRET: {{ .Values.oidc.clientSecret | quote }}
 
 ui:
   enabled: true
@@ -41,8 +62,11 @@ ingress:
     - hosts:
         - vault.dvirlabs.com
 
-# ✅ Disable CSI fully
 csi:
   enabled: false
 agent:
   enabled: false
+
+# Custom section for value injection
+oidc:
+  clientSecret: ${VAULT_OIDC_CLIENT_SECRET}
diff --git a/manifests/vault/vault-oidc-secret.yaml b/manifests/vault/vault-oidc-secret.yaml
new file mode 100644
index 0000000..cde335a
--- /dev/null
+++ b/manifests/vault/vault-oidc-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: vault-oidc-secret
+  namespace: dev-tools
+type: Opaque
+stringData:
+  VAULT_OIDC_CLIENT_SECRET: 8GWiUqwUZimb4xXHqFNTYCrTkKyc9hrY
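Review bot: `server.envFromSecret` is not a value I find in the upstream hashicorp/vault Helm chart, and Helm silently ignores values that no template reads, so the Secret may never reach the pod; confirm against the chart version actually deployed. The upstream chart exposes this as a list under `server.extraSecretEnvironmentVars`, e.g. `- envName: VAULT_OIDC_CLIENT_SECRET` / `secretName: vault-oidc-secret` / `secretKey: VAULT_OIDC_CLIENT_SECRET`. Whichever key is right, verify after the upgrade with `kubectl -n dev-tools get pod -l app.kubernetes.io/name=vault -o yaml` that the env var is actually present in the container spec.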
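Review bot: The added `auth "oidc" { ... }` and `role "vault-admins" { ... }` stanzas are not Vault server configuration; the HCL block that `disable_mlock = true` lives in (which begins before this hunk) is the `vault server` config, and auth methods and roles are configured through the API after unseal, so these stanzas will at best be ignored and at worst reject the config at startup. Vault's config parser also does not expand `{{ env "VAULT_OIDC_CLIENT_SECRET" }}`, and the new line `VAULT_OIDC_CLIENT_SECRET: {{ .Values.oidc.clientSecret | quote }}` sits in a values file that Helm does not render as a template, so YAML will parse the bare `{{` as a flow mapping and the values file will fail to load. I would drop both additions and move the OIDC setup to a post-unseal step such as `vault auth enable oidc`, `vault write auth/oidc/config oidc_discovery_url=... oidc_client_id=vault oidc_client_secret="$VAULT_OIDC_CLIENT_SECRET" default_role=vault-admins` and `vault write auth/oidc/role/vault-admins ...` with the same `bound_audiences`, `allowed_redirect_uris`, `user_claim`, `groups_claim`, `bound_claims` and `policies` values, run from a Job or hook that reads the secret from the Kubernetes Secret. That keeps the client secret out of the server config and out of `values.yaml` entirely.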
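Review bot: Helm performs no `${VAR}` environment substitution in values files, so `oidc.clientSecret` will be the literal string `${VAULT_OIDC_CLIENT_SECRET}` unless some preprocessing step such as `envsubst` runs before `helm upgrade`, and nothing visible in this diff consumes a top-level `oidc` key, so the stanza looks dead. If an external substitution step is the intended mechanism, say so where the value is declared, e.g. `# Rendered with envsubst before helm upgrade; never commit a literal value here.`; otherwise remove the `oidc:` block so a reader does not assume the secret is wired through it.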
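Review bot: The OIDC client secret is committed in plaintext in `stringData.VAULT_OIDC_CLIENT_SECRET`; once this commit is pushed the value lives in git history, so the `vault` client secret in Keycloak should be rotated and this manifest must not keep carrying a real value. Create the Secret out of band (`kubectl -n dev-tools create secret generic vault-oidc-secret --from-literal=VAULT_OIDC_CLIENT_SECRET=...`) or commit an encrypted form (SealedSecret, SOPS, External Secrets) and add the plain manifest to `.gitignore`. Note that `stringData` is only base64-encoded by the API server, not encrypted, so this also depends on etcd encryption at rest and RBAC on Secrets in `dev-tools`. The hard-coded `namespace: dev-tools` should also match the Helm release namespace, otherwise the env reference in `values.yaml` will not resolve.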