Disable vault job set-permission

manifests/raw-resources-infra/vault/job-set-permissions.yaml

@@ -0,0 +1,138 @@
+# # Prerequisites – two Kubernetes Secrets must exist in the infra namespace:
+# #
+# #   1. vault-root-token
+# #        key: token   → the Vault root token (created after `vault operator init`)
+# #
+# #   2. vault-oidc-credentials
+# #        key: clientSecret → the Keycloak client secret for the "vault" OIDC client
+# #
+# # This Job runs as an ArgoCD PostSync hook so it fires on every sync of the
+# # raw-resources-infra application. Because selfHeal is enabled, ArgoCD will
+# # re-sync (and re-run this Job) any time the Job resource is removed, which
+# # effectively covers Vault restarts that trigger a pod replacement.
+# #
+# # What the Job configures (all operations are idempotent):
+# #   - Enables the OIDC auth method (if not already enabled)
+# #   - Writes the OIDC config pointing at Keycloak realm "lab"
+# #   - Writes the default OIDC role with groups_claim and redirect URIs
+# #   - Creates the "vault-admins" external identity group with the built-in "admin" policy
+# #   - Creates the group alias that maps the Keycloak group "vault-admins"
+# #     to the Vault external group via the OIDC mount accessor
+# ---
+# apiVersion: batch/v1
+# kind: Job
+# metadata:
+#   name: vault-configure-permissions
+#   namespace: infra
+#   annotations:
+#     argocd.argoproj.io/hook: PostSync
+#     argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+# spec:
+#   ttlSecondsAfterFinished: 600
+#   backoffLimit: 5
+#   template:
+#     spec:
+#       restartPolicy: OnFailure
+#       containers:
+#         - name: vault-configure
+#           image: hashicorp/vault:1.17.0
+#           env:
+#             - name: VAULT_ADDR
+#               value: "http://vault.infra.svc.cluster.local:8200"
+#             - name: VAULT_TOKEN
+#               valueFrom:
+#                 secretKeyRef:
+#                   name: vault-root-token
+#                   key: token
+#             - name: OIDC_CLIENT_SECRET
+#               valueFrom:
+#                 secretKeyRef:
+#                   name: vault-oidc-credentials
+#                   key: clientSecret
+#           command:
+#             - /bin/sh
+#             - -c
+#             - |
+#               set -e
+
+#               # jq is not bundled in the Vault image – install it from Alpine repos
+#               apk add jq -q --no-progress
+
+#               # ── Wait for Vault to be unsealed ──────────────────────────────────
+#               echo ">>> Waiting for Vault to be unsealed..."
+#               until vault status 2>&1 | grep -q "Sealed.*false"; do
+#                 echo "    not ready yet, retrying in 5s..."
+#                 sleep 5
+#               done
+#               echo ">>> Vault is ready."
+
+#               # ── OIDC auth method ───────────────────────────────────────────────
+#               if vault auth list | grep -q "^oidc/"; then
+#                 echo ">>> OIDC auth already enabled."
+#               else
+#                 vault auth enable oidc
+#                 echo ">>> OIDC auth enabled."
+#               fi
+
+#               vault write auth/oidc/config \
+#                 oidc_discovery_url="https://keycloak.dvirlabs.com/realms/lab" \
+#                 oidc_client_id="vault" \
+#                 oidc_client_secret="${OIDC_CLIENT_SECRET}" \
+#                 default_role="default"
+#               echo ">>> OIDC config written."
+
+#               vault write auth/oidc/role/default \
+#                 user_claim="sub" \
+#                 groups_claim="groups" \
+#                 allowed_redirect_uris="https://vault.dvirlabs.com/ui/vault/auth/oidc/oidc/callback" \
+#                 allowed_redirect_uris="https://vault.dvirlabs.com/oidc/callback" \
+#                 bound_audiences="vault" \
+#                 ttl="8h"
+#               echo ">>> OIDC role/default written."
+
+#               # ── Resolve OIDC mount accessor ────────────────────────────────────
+#               OIDC_ACCESSOR=$(vault auth list | awk '$1 == "oidc/" {print $3}')
+#               echo ">>> OIDC accessor: ${OIDC_ACCESSOR}"
+
+#               # ── vault-admins external group ────────────────────────────────────
+#               if vault read identity/group/name/vault-admins > /dev/null 2>&1; then
+#                 echo ">>> vault-admins group exists – ensuring policy=admin..."
+#                 vault write identity/group/name/vault-admins \
+#                   type="external" \
+#                   policies="admin"
+#               else
+#                 echo ">>> Creating vault-admins external group..."
+#                 vault write identity/group \
+#                   name="vault-admins" \
+#                   type="external" \
+#                   policies="admin"
+#               fi
+
+#               GROUP_ID=$(vault read -field=id identity/group/name/vault-admins)
+#               echo ">>> vault-admins group id: ${GROUP_ID}"
+
+#               # ── Group alias: Keycloak "vault-admins" → Vault external group ────
+#               # Walk existing aliases and look for one bound to this group + accessor
+#               EXISTING_ALIAS=$(vault list -format=json identity/group-alias/id 2>/dev/null \
+#                 | jq -r '.[]' \
+#                 | while read ALIAS_ID; do
+#                     DATA=$(vault read -format=json "identity/group-alias/id/${ALIAS_ID}" 2>/dev/null)
+#                     CID=$(echo "${DATA}" | jq -r '.data.canonical_id')
+#                     ACC=$(echo "${DATA}" | jq -r '.data.mount_accessor')
+#                     if [ "${CID}" = "${GROUP_ID}" ] && [ "${ACC}" = "${OIDC_ACCESSOR}" ]; then
+#                       echo "${ALIAS_ID}"
+#                     fi
+#                   done | head -1)
+
+#               if [ -n "${EXISTING_ALIAS}" ]; then
+#                 echo ">>> Group alias already exists (id=${EXISTING_ALIAS}), skipping."
+#               else
+#                 vault write identity/group-alias \
+#                   name="vault-admins" \
+#                   canonical_id="${GROUP_ID}" \
+#                   mount_accessor="${OIDC_ACCESSOR}"
+#                 echo ">>> Group alias created."
+#               fi
+
+#               echo ""
+#               echo ">>> Vault OIDC and permissions configuration complete."