From f2051ed79cbb04debbcaee8981528fb4a2838d87 Mon Sep 17 00:00:00 2001 From: dvirlabs Date: Mon, 6 Oct 2025 04:29:02 +0300 Subject: [PATCH] Fix vault oidc-job --- manifests/vault/oidc-job.yaml | 41 ++++++++++++++++++++++------------- 1 file changed, 26 insertions(+), 15 deletions(-) diff --git a/manifests/vault/oidc-job.yaml b/manifests/vault/oidc-job.yaml index fe9ac7b..7a6c28c 100644 --- a/manifests/vault/oidc-job.yaml +++ b/manifests/vault/oidc-job.yaml @@ -14,7 +14,7 @@ spec: args: - | set -e - echo "⏳ Waiting for Vault to become available..." && + echo "⏳ Waiting for Vault to become available..." until curl -s http://vault.dev-tools.svc.cluster.local:8200/v1/sys/health | grep '"initialized":true'; do sleep 2 done @@ -29,7 +29,7 @@ spec: fi echo "🔐 Enabling OIDC auth method..." - vault auth enable oidc || true # ok if already enabled + vault auth enable oidc || true echo "🔧 Configuring OIDC connection to Keycloak..." vault write auth/oidc/config \ 
@@ -55,23 +55,34 @@ spec: echo 'path "*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }' > /tmp/vault-admin.hcl vault policy write vault-admin /tmp/vault-admin.hcl - echo "🎯 Creating OIDC role named 'vault-admins'..." - cat >/tmp/bound_claims.json <<'JSON' - {"groups": ["vault-admins"]} + echo "🎯 Creating OIDC role named 'vault-admins' via API..." + cat >/tmp/vault-admins-role.json <<'JSON' + { + "bound_audiences": ["vault"], + "allowed_redirect_uris": [ + "https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback", + "http://localhost:8250/oidc/callback" + ], + "user_claim": "sub", + "groups_claim": "groups", + "bound_claims": { "groups": ["vault-admins"] }, + "oidc_scopes": ["profile","email","groups"], + "policies": ["vault-admin"], + "ttl": "1h" + } JSON - vault write auth/oidc/role/vault-admins \ - bound_audiences="vault" \ - allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \ - user_claim="sub" \ - groups_claim="groups" \ - bound_claims=@/tmp/bound_claims.json \ - oidc_scopes="profile email groups" \ - policies="vault-admin" \ - ttl="1h" + curl -sS \ + -H "X-Vault-Token: $VAULT_TOKEN" \ + -H "Content-Type: application/json" \ + -X PUT "$VAULT_ADDR/v1/auth/oidc/role/vault-admins" \ + --data @/tmp/vault-admins-role.json + + echo "🔎 Verifying role..." + curl -sS -H "X-Vault-Token: $VAULT_TOKEN" \ + "$VAULT_ADDR/v1/auth/oidc/role/vault-admins" | sed 's/"client_secret".*"/"client_secret":"***"/' echo "✅ All OIDC setup completed successfully." - volumeMounts: - name: vault-token mountPath: /vault/secrets
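Review bot: The two new curl calls in this hunk carry no `--fail`, so a rejected role write (a 403 from a token without the needed policy, or a 400 for malformed JSON) still exits 0, `set -e` never fires, and the script goes on to print "✅ All OIDC setup completed successfully." — the `vault write` CLI this replaces returned non-zero on API errors. Change `curl -sS \` to `curl -sS --fail \` on the PUT, and be aware the verify call is the left side of a pipe into sed, so even with `--fail` it only aborts the job if the script also sets `set -o pipefail` (the `set -e` line is outside this hunk). `$VAULT_ADDR` and `$VAULT_TOKEN` are not assigned anywhere in the hunk, and the earlier readiness poll hard-codes the Vault URL instead; a guard such as `: "${VAULT_ADDR:?must be set}" "${VAULT_TOKEN:?must be set}"` before the PUT turns an unset variable into a clear failure rather than a request to a relative URL. The hunk also appears to remove `volumeMounts:` while keeping `- name: vault-token` / `mountPath: /vault/secrets` beneath it, which would leave those entries without a parent key — confirm the rendered manifest still mounts that volume. The container's args block scalar begins before this hunk.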