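---
# Job that bootstraps Vault's OIDC auth method against Keycloak.
# The Keycloak client secret is no longer inlined in this manifest: it is read
# from a Kubernetes Secret via the OIDC_CLIENT_SECRET env var, so the file can
# be committed to VCS without carrying the credential.
# The Job authenticates with the Vault root token mounted from
# vault-root-init-token; everything it writes is done with root privileges.
apiVersion: batch/v1
kind: Job
metadata:
  name: oidc-job
  namespace: dev-tools
spec:
  template:
    spec:
      restartPolicy: OnFailure
      containers:
        - name: oidc-setup
          image: harbor.dvirlabs.com/dev-tools/vault:1.15.5-curl-v2
          env:
            - name: VAULT_ADDR
              value: "http://vault.dev-tools.svc.cluster.local:8200"
            - name: OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  # Constructed placeholder names: create a Secret in dev-tools
                  # holding the Keycloak "vault" client secret and point these
                  # two fields at its name and key.
                  name: keycloak-oidc-client
                  key: client-secret
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -e

              echo "⏳ Waiting for Vault to become available..."
              # Bounded wait (150 x 2s = 5 min): an unbounded loop would leave
              # the Job running forever if Vault never comes up. A sealed Vault
              # still reports initialized=true, so sealed=false is required too.
              attempts=0
              until curl -s "${VAULT_ADDR}/v1/sys/health" \
                  | grep '"initialized":true' | grep -q '"sealed":false'; do
                attempts=$((attempts + 1))
                if [ "${attempts}" -ge 150 ]; then
                  echo "❌ Vault did not become available in time. Exiting."
                  exit 1
                fi
                sleep 2
              done

              # Assign before exporting so a missing token file fails under
              # set -e instead of being masked by export's own exit status.
              VAULT_TOKEN="$(cat /vault/secrets/root-token)"
              export VAULT_TOKEN

              echo "🔑 Verifying Vault token..."
              if ! vault token lookup >/dev/null 2>&1; then
                echo "❌ Invalid Vault token. Exiting."
                exit 1
              fi

              # Fail early with a clear message rather than writing an empty
              # client secret into the OIDC config.
              if [ -z "${OIDC_CLIENT_SECRET:-}" ]; then
                echo "❌ OIDC_CLIENT_SECRET is not set. Exiting."
                exit 1
              fi

              echo "🔐 Enabling OIDC auth method..."
              # Enable only when the oidc/ mount is absent, instead of '|| true',
              # so a genuine enable failure is not swallowed.
              if ! vault auth list -format=json | grep -q '"oidc/"'; then
                vault auth enable oidc
              fi

              echo "🔧 Configuring OIDC connection to Keycloak..."
              vault write auth/oidc/config \
                oidc_discovery_url="https://keycloak.dvirlabs.com/realms/lab" \
                oidc_client_id="vault" \
                oidc_client_secret="${OIDC_CLIENT_SECRET}" \
                default_role="vault-admins"

              # Read-only access to the 'default' role, used by the UI login flow.
              echo 'path "auth/oidc/role/default" { capabilities = ["read"] }' > /tmp/oidc-ui-access.hcl
              vault policy write oidc-ui-access /tmp/oidc-ui-access.hcl

              echo "🎯 Creating OIDC role named 'default'..."
              # NOTE(review): 'policies' and 'ttl' are the deprecated aliases of
              # 'token_policies' / 'token_ttl'; both forms are passed here as in
              # the original -- confirm which value Vault keeps when both are set.
              vault write auth/oidc/role/default \
                bound_audiences="vault" \
                allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \
                user_claim="preferred_username" \
                groups_claim="groups" \
                oidc_scopes="profile email groups" \
                policies="default" \
                token_policies="oidc-ui-access" \
                ttl="1h"

              # Root-equivalent policy; only granted through the vault-admins
              # role below, which is gated on the 'vault-admins' group claim.
              echo 'path "*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }' > /tmp/vault-admin.hcl
              vault policy write vault-admin /tmp/vault-admin.hcl

              echo "🎯 Creating OIDC role named 'vault-admins'..."
              vault write auth/oidc/role/vault-admins \
                bound_audiences="vault" \
                allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \
                user_claim="sub" \
                groups_claim="groups" \
                bound_claims='{"groups": "vault-admins"}' \
                oidc_scopes="profile email groups" \
                policies="vault-admin" \
                ttl="1h"

              echo "✅ All OIDC setup completed successfully."
          volumeMounts:
            - name: vault-token
              mountPath: /vault/secrets
              readOnly: true
      volumes:
        - name: vault-token
          secret:
            secretName: vault-root-init-token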