apiVersion: batch/v1
kind: Job
metadata:
  name: oidc-job
  namespace: dev-tools
spec:
  template:
    spec:
      restartPolicy: OnFailure
      containers:
      - name: oidc-setup
        image: harbor.dvirlabs.com/dev-tools/vault:1.15.5-curl
        command: ["/bin/sh", "-c"]
        args:
          - |
            echo "⏳ Waiting for Vault to become available..."
            until curl -s http://vault.dev-tools.svc.cluster.local:8200/v1/sys/health | grep '"initialized":true'; do
              sleep 2
            done

            export VAULT_ADDR=http://vault.dev-tools.svc.cluster.local:8200
            export VAULT_TOKEN=$(cat /vault/secrets/root-token)

            echo "🔐 Enabling OIDC auth method..."
            vault auth enable oidc || true

            echo "🔧 Configuring OIDC connection to Keycloak..."
            vault write auth/oidc/config \
              oidc_discovery_url="https://keycloak.dvirlabs.com/realms/lab" \
              oidc_client_id="vault" \
              oidc_client_secret="8GWiUqwUZimb4xXHqFNTYCrTkKyc9hrY" \
              default_role="default"

            echo "📜 Writing Vault policy..."
            vault policy write oidc-ui-access - <<EOF
            path "auth/oidc/role/default" {
              capabilities = ["read"]
            }
            EOF

            echo "🎯 Creating OIDC role named 'default'..."
            vault write auth/oidc/role/default \
              bound_audiences="vault" \
              allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \
              user_claim="preferred_username" \
              groups_claim="groups" \
              oidc_scopes="profile email groups" \
              policies="default" \
              token_policies="oidc-ui-access" \
              ttl="1h"
        volumeMounts:
        - name: vault-token
          mountPath: /vault/secrets
          readOnly: true
      volumes:
      - name: vault-token
        secret:
          secretName: vault-init