Fix init vault job

This commit is contained in:
dvirlabs 2025-05-16 15:07:14 +03:00
parent 8302bb2e47
commit d3f7d6aebd


@ -1,7 +1,7 @@
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
name: configure-vault-oidc name: oidc-job
namespace: dev-tools namespace: dev-tools
spec: spec:
template: template:
@ -13,7 +13,7 @@ spec:
command: ["/bin/sh", "-c"] command: ["/bin/sh", "-c"]
args: args:
- | - |
echo "⏳ Waiting for Vault to become ready..." echo "⏳ Waiting for Vault to become available..."
until curl -s http://vault.dev-tools.svc.cluster.local:8200/v1/sys/health | grep '"initialized":true'; do until curl -s http://vault.dev-tools.svc.cluster.local:8200/v1/sys/health | grep '"initialized":true'; do
sleep 2 sleep 2
done done
@ -21,20 +21,24 @@ spec:
export VAULT_ADDR=http://vault.dev-tools.svc.cluster.local:8200 export VAULT_ADDR=http://vault.dev-tools.svc.cluster.local:8200
export VAULT_TOKEN=$(cat /vault/secrets/root-token) export VAULT_TOKEN=$(cat /vault/secrets/root-token)
echo "🔐 Enabling OIDC auth method..."
vault auth enable oidc || true vault auth enable oidc || true
echo "🔧 Configuring OIDC connection to Keycloak..."
vault write auth/oidc/config \ vault write auth/oidc/config \
oidc_discovery_url="https://keycloack.dvirlabs.com/realms/lab" \ oidc_discovery_url="https://keycloack.dvirlabs.com/realms/lab" \
oidc_client_id="vault" \ oidc_client_id="vault" \
oidc_client_secret="8GWiUqwUZimb4xXHqFNTYCrTkKyc9hrY" \ oidc_client_secret="8GWiUqwUZimb4xXHqFNTYCrTkKyc9hrY" \
default_role="vault-role" default_role="default"
echo "📜 Writing Vault policy..."
vault policy write oidc-ui-access - <<EOF vault policy write oidc-ui-access - <<EOF
path "auth/oidc/role/vault-role" { path "auth/oidc/role/default" {
capabilities = ["read"] capabilities = ["read"]
} }
EOF EOF
echo "🎯 Creating OIDC role named 'default'..."
vault write auth/oidc/role/default \ vault write auth/oidc/role/default \
bound_audiences="vault" \ bound_audiences="vault" \
allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \ allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \