dvirlabs/dev-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
dev-tools/manifests/vault/oidc-job.yaml
dvirlabs f2051ed79c Fix vault oidc-job
2025-10-06 04:29:02 +03:00

94 lines
3.7 KiB
YAML
Raw Blame History

apiVersion: batch/v1
kind: Job
metadata:
name: oidc-job
namespace: dev-tools
spec:
template:
spec:
restartPolicy: OnFailure
containers:
- name: oidc-setup
image: harbor.dvirlabs.com/dev-tools/vault:1.15.5-curl-v2
command: ["/bin/sh", "-c"]
args:
- |
set -e
echo "⏳ Waiting for Vault to become available..."
until curl -s http://vault.dev-tools.svc.cluster.local:8200/v1/sys/health | grep '"initialized":true'; do
sleep 2
done
export VAULT_ADDR=http://vault.dev-tools.svc.cluster.local:8200
export VAULT_TOKEN=$(cat /vault/secrets/root-token)
echo "🔑 Verifying Vault token..."
if ! vault token lookup >/dev/null 2>&1; then
echo "❌ Invalid Vault token. Exiting."
exit 1
fi
echo "🔐 Enabling OIDC auth method..."
vault auth enable oidc || true
echo "🔧 Configuring OIDC connection to Keycloak..."
vault write auth/oidc/config \
oidc_discovery_url="https://keycloak.dvirlabs.com/realms/lab" \
oidc_client_id="vault" \
oidc_client_secret="8GWiUqwUZimb4xXHqFNTYCrTkKyc9hrY" \
default_role="vault-admins"
echo 'path "auth/oidc/role/default" { capabilities = ["read"] }' > /tmp/oidc-ui-access.hcl
vault policy write oidc-ui-access /tmp/oidc-ui-access.hcl
echo "🎯 Creating OIDC role named 'default'..."
vault write auth/oidc/role/default \
bound_audiences="vault" \
allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \
user_claim="preferred_username" \
groups_claim="groups" \
oidc_scopes="profile email groups" \
policies="default" \
token_policies="oidc-ui-access" \
ttl="1h"
echo 'path "*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }' > /tmp/vault-admin.hcl
vault policy write vault-admin /tmp/vault-admin.hcl
echo "🎯 Creating OIDC role named 'vault-admins' via API..."
cat >/tmp/vault-admins-role.json <<'JSON'
{
"bound_audiences": ["vault"],
"allowed_redirect_uris": [
"https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback",
"http://localhost:8250/oidc/callback"
],
"user_claim": "sub",
"groups_claim": "groups",
"bound_claims": { "groups": ["vault-admins"] },
"oidc_scopes": ["profile","email","groups"],
"policies": ["vault-admin"],
"ttl": "1h"
}
JSON
curl -sS \
-H "X-Vault-Token: $VAULT_TOKEN" \
-H "Content-Type: application/json" \
-X PUT "$VAULT_ADDR/v1/auth/oidc/role/vault-admins" \
--data @/tmp/vault-admins-role.json
echo "🔎 Verifying role..."
curl -sS -H "X-Vault-Token: $VAULT_TOKEN" \
"$VAULT_ADDR/v1/auth/oidc/role/vault-admins" | sed 's/"client_secret".*"/"client_secret":"***"/'
echo "✅ All OIDC setup completed successfully."
volumeMounts:
- name: vault-token
mountPath: /vault/secrets
readOnly: true
volumes:
- name: vault-token
secret:
secretName: vault-root-init-token
Reference in New Issue View Git Blame Copy Permalink