From bd9a752e059e8ac8a672c6ec5e940aeded53d74e Mon Sep 17 00:00:00 2001 From: dvirlabs Date: Fri, 9 May 2025 15:51:01 +0300 Subject: [PATCH] Connect vault to oidc --- manifests/vault/values.yaml | 54 +++++++++++++++++++++++-------------- 1 file changed, 34 insertions(+), 20 deletions(-) diff --git a/manifests/vault/values.yaml b/manifests/vault/values.yaml index bbe30af..cd9ff49 100644 --- a/manifests/vault/values.yaml +++ b/manifests/vault/values.yaml 
@@ -23,28 +23,42 @@ server: extraEnvironmentVars: VAULT_ADDR: http://127.0.0.1:8200 - postStart: - command: - - /bin/sh - - -c - - | - export VAULT_ADDR=http://127.0.0.1:8200 - vault auth enable oidc + extraInitContainers: + - name: configure-oidc + image: hashicorp/vault:1.15.5 + command: + - /bin/sh + - -c + - | + echo "Waiting for Vault to initialize..." + until curl -s http://vault:8200/v1/sys/health | grep '"initialized":true'; do + sleep 2 + done - vault write auth/oidc/config \ - oidc_discovery_url="https://keycloack/realms/lab" \ - oidc_client_id="vault" \ - oidc_client_secret="8GWiUqwUZimb4xXHqFNTYCrTkKyc9hrY" \ - default_role="vault-role" + export VAULT_ADDR=http://vault:8200 + vault auth enable oidc || true - vault write auth/oidc/role/vault-role \ - bound_audiences="vault" \ - allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \ - user_claim="preferred_username" \ - groups_claim="groups" \ - oidc_scopes="profile email groups" \ - policies="default" \ - ttl="1h" + vault write auth/oidc/config \ + oidc_discovery_url="https:///realms/" \ + oidc_client_id="vault" \ + oidc_client_secret="" \ + default_role="vault-role" + + vault write auth/oidc/role/vault-role \ + bound_audiences="vault" \ + allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \ + user_claim="preferred_username" \ + groups_claim="groups" \ + oidc_scopes="profile email groups" \ + policies="default" \ + ttl="1h" + + env: + - name: VAULT_TOKEN + valueFrom: + secretKeyRef: + name: vault-init + key: root-token ui: enabled: true
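Review bot: The configure-oidc init container in extraInitContainers polls http://vault:8200 before the server container of the same pod is allowed to start, so if the vault Service is backed only by this pod the until-loop never completes and the pod stays in Init; this one-shot configuration belongs in a separate Job or a Helm post-install hook rather than an init container. The readiness check also only tests `"initialized":true`, while the two vault write calls need an unsealed server, so the loop should at least use `grep '"sealed":false'`, and without `set -e` at the top of the script a failed write still exits 0 and the container reports success. The discovery URL `https:///realms/` and the empty `oidc_client_secret=""` look like stripped placeholders; both should be injected from a Secret via env rather than written into values.yaml, and the literal client secret the removed lines carried remains in git history and should be rotated in the identity provider. Mounting the root token from the vault-init Secret as VAULT_TOKEN grants far more than the auth/oidc writes need; a token bound to a policy limited to those paths would be the least-privilege choice. Whether curl is present in the hashicorp/vault:1.15.5 image should be confirmed, as the image is minimal.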