Fix vault oidc-job

This commit is contained in:
dvirlabs 2025-10-06 04:29:02 +03:00
parent bca20ad827
commit f2051ed79c


@ -14,7 +14,7 @@ spec:
args: args:
- | - |
set -e set -e
echo "⏳ Waiting for Vault to become available..." && echo "⏳ Waiting for Vault to become available..."
until curl -s http://vault.dev-tools.svc.cluster.local:8200/v1/sys/health | grep '"initialized":true'; do until curl -s http://vault.dev-tools.svc.cluster.local:8200/v1/sys/health | grep '"initialized":true'; do
sleep 2 sleep 2
done done
@ -29,7 +29,7 @@ spec:
fi fi
echo "🔐 Enabling OIDC auth method..." echo "🔐 Enabling OIDC auth method..."
vault auth enable oidc || true # ok if already enabled vault auth enable oidc || true
echo "🔧 Configuring OIDC connection to Keycloak..." echo "🔧 Configuring OIDC connection to Keycloak..."
vault write auth/oidc/config \ vault write auth/oidc/config \
@ -55,23 +55,34 @@ spec:
echo 'path "*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }' > /tmp/vault-admin.hcl echo 'path "*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }' > /tmp/vault-admin.hcl
vault policy write vault-admin /tmp/vault-admin.hcl vault policy write vault-admin /tmp/vault-admin.hcl
echo "🎯 Creating OIDC role named 'vault-admins'..." echo "🎯 Creating OIDC role named 'vault-admins' via API..."
cat >/tmp/bound_claims.json <<'JSON' cat >/tmp/vault-admins-role.json <<'JSON'
{"groups": ["vault-admins"]} {
"bound_audiences": ["vault"],
"allowed_redirect_uris": [
"https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback",
"http://localhost:8250/oidc/callback"
],
"user_claim": "sub",
"groups_claim": "groups",
"bound_claims": { "groups": ["vault-admins"] },
"oidc_scopes": ["profile","email","groups"],
"policies": ["vault-admin"],
"ttl": "1h"
}
JSON JSON
vault write auth/oidc/role/vault-admins \ curl -sS \
bound_audiences="vault" \ -H "X-Vault-Token: $VAULT_TOKEN" \
allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \ -H "Content-Type: application/json" \
user_claim="sub" \ -X PUT "$VAULT_ADDR/v1/auth/oidc/role/vault-admins" \
groups_claim="groups" \ --data @/tmp/vault-admins-role.json
bound_claims=@/tmp/bound_claims.json \
oidc_scopes="profile email groups" \ echo "🔎 Verifying role..."
policies="vault-admin" \ curl -sS -H "X-Vault-Token: $VAULT_TOKEN" \
ttl="1h" "$VAULT_ADDR/v1/auth/oidc/role/vault-admins" | sed 's/"client_secret".*"/"client_secret":"***"/'
echo "✅ All OIDC setup completed successfully." echo "✅ All OIDC setup completed successfully."
volumeMounts: volumeMounts:
- name: vault-token - name: vault-token
mountPath: /vault/secrets mountPath: /vault/secrets
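Review bot: The `curl -sS \` PUT that replaces `vault write auth/oidc/role/vault-admins` has no `--fail`, so a 4xx/5xx from Vault (rejected JSON, bad token, invalid role field) still exits 0, `set -e` never fires, and the job ends with "✅ All OIDC setup completed successfully." even though the role was not written; add `-f` (or `--fail-with-body` to keep Vault's error JSON in the log) to both curl calls, e.g. `curl -sS --fail-with-body \`. The same change also moves the token from the environment the CLI read it from into the process arguments via `-H "X-Vault-Token: $VAULT_TOKEN"`, where it is visible to anything that can read the container's process list and would land in logs if `set -x` is ever turned on; writing the header to a file first, `printf 'X-Vault-Token: %s\n' "$VAULT_TOKEN" > /tmp/vault-hdr` and then `-H @/tmp/vault-hdr`, keeps it out of argv, and a `: "${VAULT_TOKEN:?}"` guard before the calls avoids silently sending an empty header. The `sed` on the verify line is greedy (`"client_secret".*"` runs to the last quote of the single-line JSON response) and, as far as I can tell, a role read does not return `client_secret` at all — that field lives on `auth/oidc/config` — so it either strips most of the output or does nothing; drop it or anchor the pattern to the one key. The shell script this hunk edits starts before the hunk.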