server:
  dataStorage:
    enabled: true
    size: 1Gi
    storageClass: nfs-client

  standalone:
    enabled: true
    config: |
      ui = true

      storage "file" {
        path = "/vault/data"
      }

      listener "tcp" {
        address     = "0.0.0.0:8200"
        tls_disable = 1
      }

      disable_mlock = true

  extraEnvironmentVars:
    VAULT_ADDR: http://127.0.0.1:8200

  extraInitContainers:
    - name: configure-oidc
      image: hashicorp/vault:1.15.5
      command:
        - /bin/sh
        - -c
        - |
          echo "Waiting for Vault to initialize..."
          until curl -s http://vault:8200/v1/sys/health | grep '"initialized":true'; do
            sleep 2
          done

          export VAULT_ADDR=http://vault:8200
          vault auth enable oidc || true

          vault write auth/oidc/config \
            oidc_discovery_url="https://keycloack.dvirlabs.com/realms/lab" \
            oidc_client_id="vault" \
            oidc_client_secret="8GWiUqwUZimb4xXHqFNTYCrTkKyc9hrY" \
            default_role="vault-role"

          vault policy write oidc-ui-access - <<EOF
          path "auth/oidc/role/vault-role" {
            capabilities = ["read"]
          }
          EOF

          vault write auth/oidc/role/vault-role \
            bound_audiences="vault" \
            allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \
            user_claim="preferred_username" \
            groups_claim="groups" \
            oidc_scopes="profile email groups" \
            policies="default" \
            token_policies="oidc-ui-access" \
            ttl="1h"


      env:
        - name: VAULT_TOKEN
          valueFrom:
            secretKeyRef:
              name: vault-init
              key: root-token

ui:
  enabled: true

ingress:
  enabled: true
  ingressClassName: traefik
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
  hosts:
    - host: vault.dvirlabs.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - hosts:
        - vault.dvirlabs.com