apiVersion: batch/v1
kind: Job
metadata:
  name: configure-vault-oidc
  namespace: dev-tools
spec:
  template:
    spec:
      restartPolicy: OnFailure
      containers:
      - name: oidc-setup
        image: hashicorp/vault:1.15.5
        command: ["/bin/sh", "-c"]
        args:
          - |
            echo "⏳ Waiting for Vault to become ready..."
            until curl -s http://vault.dev-tools.svc.cluster.local:8200/v1/sys/health | grep '"initialized":true'; do
              sleep 2
            done

            export VAULT_ADDR=http://vault.dev-tools.svc.cluster.local:8200
            export VAULT_TOKEN=$(cat /vault/secrets/root-token)

            vault auth enable oidc || true

            vault write auth/oidc/config \
              oidc_discovery_url="https://keycloack.dvirlabs.com/realms/lab" \
              oidc_client_id="vault" \
              oidc_client_secret="8GWiUqwUZimb4xXHqFNTYCrTkKyc9hrY" \
              default_role="vault-role"

            vault policy write oidc-ui-access - <<EOF
            path "auth/oidc/role/vault-role" {
              capabilities = ["read"]
            }
            EOF

            vault write auth/oidc/role/vault-role \
              bound_audiences="vault" \
              allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \
              user_claim="preferred_username" \
              groups_claim="groups" \
              oidc_scopes="profile email groups" \
              policies="default" \
              token_policies="oidc-ui-access" \
              ttl="1h"
        volumeMounts:
        - name: vault-token
          mountPath: /vault/secrets
          readOnly: true
      volumes:
      - name: vault-token
        secret:
          secretName: vault-init