From 046c9dc17a46002bd3105f9519cc1277be0cd56f Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Tue, 9 Dec 2025 18:38:21 -0300
Subject: [PATCH] vault: default oidc login and middleware fix
---
 services/keycloak/kustomization.yaml | 1 +
 services/vault/ingress.yaml | 4 ++--
 services/vault/oidc-bootstrap-job.yaml | 4 +++-
 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/services/keycloak/kustomization.yaml b/services/keycloak/kustomization.yaml
index a65715c..89f9d46 100644
--- a/services/keycloak/kustomization.yaml
+++ b/services/keycloak/kustomization.yaml
@@ -8,3 +8,4 @@ resources:
 - deployment.yaml
 - service.yaml
 - ingress.yaml
+ - zot-client-bootstrap.yaml
diff --git a/services/vault/ingress.yaml b/services/vault/ingress.yaml
index 26c9b16..cbc0a74 100644
--- a/services/vault/ingress.yaml
+++ b/services/vault/ingress.yaml
@@ -7,10 +7,10 @@ metadata:
 annotations:
 kubernetes.io/ingress.class: traefik
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
- traefik.ingress.kubernetes.io/router.middlewares: vault-vault-login-redirect@kubernetescrd
+ traefik.ingress.kubernetes.io/router.middlewares: vault-login-redirect@kubernetescrd
 traefik.ingress.kubernetes.io/router.tls: "true"
 traefik.ingress.kubernetes.io/service.serversscheme: https
- traefik.ingress.kubernetes.io/service.serverstransport: vault-vault-to-https@kubernetescrd
+ traefik.ingress.kubernetes.io/service.serverstransport: vault-to-https@kubernetescrd
 spec:
 ingressClassName: traefik
 tls:
diff --git a/services/vault/oidc-bootstrap-job.yaml b/services/vault/oidc-bootstrap-job.yaml
index 059434a..94f3eb5 100644
--- a/services/vault/oidc-bootstrap-job.yaml
+++ b/services/vault/oidc-bootstrap-job.yaml
@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: vault-oidc-bootstrap
+ name: vault-oidc-bootstrap-2
 namespace: vault
 labels:
 app: vault-oidc-bootstrap
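Review bot: In services/keycloak/kustomization.yaml the new `- zot-client-bootstrap.yaml` entry points at a file this patch does not add; the diffstat lists only three changed files and that manifest is not among them. If it is not already in the tree, the keycloak kustomization will fail to build and nothing in that directory will reconcile. The entry is also unrelated to the vault changes named in the subject, so a separate commit or a line in the description would make it easier to audit which change introduced the Keycloak client bootstrap.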
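Review bot: In services/vault/ingress.yaml the new references `vault-login-redirect@kubernetescrd` and `vault-to-https@kubernetescrd` only resolve if the Middleware and ServersTransport are named `login-redirect` and `to-https`, because Traefik's kubernetescrd provider addresses objects as `<namespace>-<name>`. The Ingress namespace and the CRD manifests are outside this hunk; if the objects are still called `vault-login-redirect` and `vault-to-https` in namespace `vault`, the removed values were the correct ones. An unresolved middleware puts the router in an error state, and an unresolved serversTransport may leave the backend TLS settings it carries unapplied, so both are worth confirming in the Traefik logs after rollout. I would add a comment above the two annotations: `# Traefik CRD refs are <namespace>-<name>@kubernetescrd`.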
@@ -76,4 +76,6 @@ spec:
 }
 EOF
 vault write auth/oidc/role/admin @/tmp/role.json
+ # Make OIDC the default UI login method
+ vault write sys/config/ui default_auth_method="oidc"
 echo "vault OIDC bootstrap complete"
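Review bot: The added `vault write sys/config/ui default_auth_method="oidc"` targets a path I cannot match to a documented Vault endpoint; the UI configuration endpoints I know of sit under `sys/config/ui/headers/<name>`, so this write is likely to be rejected. The script starts before this hunk, so whether it runs under `set -e` is not visible; without it the job would still print "vault OIDC bootstrap complete" and exit 0 after a failed write. The supported way to surface the method on the login page is `vault auth tune -listing-visibility=unauth oidc/`, assuming the mount path is `oidc/` as `auth/oidc/role/admin` suggests. Whichever command is kept, its exit status should be checked before the final echo, for example by appending `|| exit 1`.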