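---
# One-shot bootstrap Job: waits for Vault to be unsealed, enables the OIDC auth
# method, points it at Keycloak and creates two OIDC roles with their policies.
# It authenticates with the Vault root token from the `vault-init` Secret, so
# the Job (and ideally that token) should be removed once setup has completed.
apiVersion: batch/v1
kind: Job
metadata:
  name: oidc-job
  namespace: dev-tools
spec:
  template:
    spec:
      restartPolicy: OnFailure
      # The script only talks to Vault with the mounted token; it never needs a
      # Kubernetes API credential, so do not inject the ServiceAccount token.
      automountServiceAccountToken: false
      containers:
        - name: oidc-setup
          image: harbor.dvirlabs.com/dev-tools/vault:1.15.5-curl
          command: ["/bin/sh", "-c"]
          args:
            - |
              # Abort on the first failing command instead of relying on a single
              # `&&` chain, which the original `|| true` could short-circuit.
              set -eu
              export VAULT_ADDR=http://vault.dev-tools.svc.cluster.local:8200

              echo "⏳ Waiting for Vault to become available..."
              # "sealed":false implies initialized *and* unsealed; waiting only
              # for "initialized":true would let the script run against a
              # sealed Vault and fail on the first write.
              until curl -s "$VAULT_ADDR/v1/sys/health" | grep -q '"sealed":false'; do
                sleep 2
              done

              # Fail fast on a missing or empty token file rather than calling
              # Vault with an empty VAULT_TOKEN.
              VAULT_TOKEN=$(cat /vault/secrets/root-token)
              [ -n "$VAULT_TOKEN" ] || { echo "root token file is empty" >&2; exit 1; }
              export VAULT_TOKEN

              echo "🔐 Enabling OIDC auth method..."
              # Idempotent re-runs: enable the mount only when it is absent, so a
              # real failure of `vault auth enable` is no longer hidden.
              if ! vault auth list -format=json | grep -q '"oidc/"'; then
                vault auth enable oidc
              fi

              echo "🔧 Configuring OIDC connection to Keycloak..."
              # The client secret is read from the mounted Secret file via the
              # `key=@file` form of `vault write`, so it is neither committed in
              # this manifest nor visible on the process command line.
              vault write auth/oidc/config \
                oidc_discovery_url="https://keycloak.dvirlabs.com/realms/lab" \
                oidc_client_id="vault" \
                oidc_client_secret=@/vault/oidc/client_secret \
                default_role="vault-admins"

              # Read-only access to the role named "default" (a role name here,
              # not Vault's built-in `default` policy), used by the UI login.
              cat > /tmp/oidc-ui-access.hcl <<'EOF'
              path "auth/oidc/role/default" { capabilities = ["read"] }
              EOF
              vault policy write oidc-ui-access /tmp/oidc-ui-access.hcl

              echo "🎯 Creating OIDC role named 'default'..."
              # `policies` is the deprecated alias of `token_policies`; both are
              # kept as originally configured.
              vault write auth/oidc/role/default \
                bound_audiences="vault" \
                allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \
                user_claim="preferred_username" \
                groups_claim="groups" \
                oidc_scopes="profile email groups" \
                policies="default" \
                token_policies="oidc-ui-access" \
                ttl="1h"

              # `path "*"` with `sudo` is effectively root; membership in the
              # Keycloak group `vault-admins` (bound_claims below) is the only
              # thing gating it.
              cat > /tmp/vault-admin.hcl <<'EOF'
              path "*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }
              EOF
              vault policy write vault-admin /tmp/vault-admin.hcl

              echo "🎯 Creating OIDC role named 'vault-admins'..."
              vault write auth/oidc/role/vault-admins \
                bound_audiences="vault" \
                allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \
                user_claim="sub" \
                groups_claim="groups" \
                bound_claims="groups:vault-admins" \
                oidc_scopes="profile email groups" \
                policies="vault-admin" \
                ttl="1h"

              echo "✅ All OIDC setup completed."
          volumeMounts:
            - name: vault-token
              mountPath: /vault/secrets
              readOnly: true
            - name: oidc-client
              mountPath: /vault/oidc
              readOnly: true
      volumes:
        - name: vault-token
          secret:
            secretName: vault-init
        # PLACEHOLDER name: create this Secret (key `client_secret`) out of band,
        # e.g. from your secret store, before running the Job. It replaces the
        # client secret that was previously committed inline in this manifest;
        # that committed value should be rotated in Keycloak.
        - name: oidc-client
          secret:
            secretName: keycloak-oidc-client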