vault: read oidc config from vault

services/keycloak/scripts/vault_oidc_secret_ensure.sh

@@ -116,21 +116,3 @@ payload="$(jq -nc \
   '{data:{discovery_url:$discovery_url,client_id:$client_id,client_secret:$client_secret,default_role:$default_role,scopes:$scopes,user_claim:$user_claim,groups_claim:$groups_claim,redirect_uris:$redirect_uris,bound_audiences:$bound_audiences,admin_group:$admin_group,admin_policies:$admin_policies,dev_group:$dev_group,dev_policies:$dev_policies,user_group:$user_group,user_policies:$user_policies}}')"
 curl -sS -X POST -H "X-Vault-Token: ${vault_token}" \
   -d "${payload}" "${vault_addr}/v1/kv/data/atlas/vault/vault-oidc-config" >/dev/null
-
-kubectl -n vault create secret generic vault-oidc-config \
-  --from-literal=discovery_url="https://sso.bstein.dev/realms/atlas" \
-  --from-literal=client_id="vault-oidc" \
-  --from-literal=client_secret="${CLIENT_SECRET}" \
-  --from-literal=default_role="admin" \
-  --from-literal=scopes="openid profile email groups" \
-  --from-literal=user_claim="preferred_username" \
-  --from-literal=groups_claim="groups" \
-  --from-literal=redirect_uris="https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback" \
-  --from-literal=bound_audiences="vault-oidc" \
-  --from-literal=admin_group="admin" \
-  --from-literal=admin_policies="default,vault-admin" \
-  --from-literal=dev_group="dev" \
-  --from-literal=dev_policies="default,dev-kv" \
-  --from-literal=user_group="dev" \
-  --from-literal=user_policies="default,dev-kv" \
-  --dry-run=client -o yaml | kubectl -n vault apply -f - >/dev/null

services/vault/kustomization.yaml

@@ -23,3 +23,6 @@ configMapGenerator:
   - name: vault-k8s-auth-config-script
     files:
       - vault_k8s_auth_configure.sh=scripts/vault_k8s_auth_configure.sh
+  - name: vault-entrypoint
+    files:
+      - vault-entrypoint.sh=scripts/vault-entrypoint.sh

services/vault/oidc-config-cronjob.yaml

@@ -13,6 +13,32 @@ spec:
     spec:
       backoffLimit: 1
       template:
+        metadata:
+          annotations:
+            vault.hashicorp.com/agent-inject: "true"
+            vault.hashicorp.com/role: "vault"
+            vault.hashicorp.com/agent-inject-secret-vault-oidc-env.sh: "kv/data/atlas/vault/vault-oidc-config"
+            vault.hashicorp.com/agent-inject-template-vault-oidc-env.sh: |
+              {{ with secret "kv/data/atlas/vault/vault-oidc-config" }}
+              export VAULT_OIDC_DISCOVERY_URL="{{ .Data.data.discovery_url }}"
+              export VAULT_OIDC_CLIENT_ID="{{ .Data.data.client_id }}"
+              export VAULT_OIDC_CLIENT_SECRET="{{ .Data.data.client_secret }}"
+              export VAULT_OIDC_DEFAULT_ROLE="{{ .Data.data.default_role }}"
+              export VAULT_OIDC_SCOPES="{{ .Data.data.scopes }}"
+              export VAULT_OIDC_USER_CLAIM="{{ .Data.data.user_claim }}"
+              export VAULT_OIDC_GROUPS_CLAIM="{{ .Data.data.groups_claim }}"
+              export VAULT_OIDC_TOKEN_POLICIES="{{ .Data.data.token_policies }}"
+              export VAULT_OIDC_ADMIN_GROUP="{{ .Data.data.admin_group }}"
+              export VAULT_OIDC_ADMIN_POLICIES="{{ .Data.data.admin_policies }}"
+              export VAULT_OIDC_DEV_GROUP="{{ .Data.data.dev_group }}"
+              export VAULT_OIDC_DEV_POLICIES="{{ .Data.data.dev_policies }}"
+              export VAULT_OIDC_USER_GROUP="{{ .Data.data.user_group }}"
+              export VAULT_OIDC_USER_POLICIES="{{ .Data.data.user_policies }}"
+              export VAULT_OIDC_REDIRECT_URIS="{{ .Data.data.redirect_uris }}"
+              export VAULT_OIDC_BOUND_AUDIENCES="{{ .Data.data.bound_audiences }}"
+              export VAULT_OIDC_BOUND_CLAIMS="{{ .Data.data.bound_claims }}"
+              export VAULT_OIDC_BOUND_CLAIMS_TYPE="{{ .Data.data.bound_claims_type }}"
+              {{ end }}
         spec:
           serviceAccountName: vault
           restartPolicy: Never
@@ -24,6 +50,8 @@ spec:
               image: hashicorp/vault:1.17.6
               imagePullPolicy: IfNotPresent
               command:
+                - /entrypoint.sh
+              args:
                 - sh
                 - /scripts/vault_oidc_configure.sh
               env:
@@ -34,116 +62,20 @@ spec:
                     secretKeyRef:
                       name: vault-oidc-admin-token
                       key: token
-                - name: VAULT_OIDC_DISCOVERY_URL
+                - name: VAULT_ENV_FILE
-                  valueFrom:
+                  value: /vault/secrets/vault-oidc-env.sh
-                    secretKeyRef:
-                      name: vault-oidc-config
-                      key: discovery_url
-                - name: VAULT_OIDC_CLIENT_ID
-                  valueFrom:
-                    secretKeyRef:
-                      name: vault-oidc-config
-                      key: client_id
-                - name: VAULT_OIDC_CLIENT_SECRET
-                  valueFrom:
-                    secretKeyRef:
-                      name: vault-oidc-config
-                      key: client_secret
-                - name: VAULT_OIDC_DEFAULT_ROLE
-                  valueFrom:
-                    secretKeyRef:
-                      name: vault-oidc-config
-                      key: default_role
-                      optional: true
-                - name: VAULT_OIDC_SCOPES
-                  valueFrom:
-                    secretKeyRef:
-                      name: vault-oidc-config
-                      key: scopes
-                      optional: true
-                - name: VAULT_OIDC_USER_CLAIM
-                  valueFrom:
-                    secretKeyRef:
-                      name: vault-oidc-config
-                      key: user_claim
-                      optional: true
-                - name: VAULT_OIDC_GROUPS_CLAIM
-                  valueFrom:
-                    secretKeyRef:
-                      name: vault-oidc-config
-                      key: groups_claim
-                      optional: true
-                - name: VAULT_OIDC_TOKEN_POLICIES
-                  valueFrom:
-                    secretKeyRef:
-                      name: vault-oidc-config
-                      key: token_policies
-                      optional: true
-                - name: VAULT_OIDC_ADMIN_GROUP
-                  valueFrom:
-                    secretKeyRef:
-                      name: vault-oidc-config
-                      key: admin_group
-                      optional: true
-                - name: VAULT_OIDC_ADMIN_POLICIES
-                  valueFrom:
-                    secretKeyRef:
-                      name: vault-oidc-config
-                      key: admin_policies
-                      optional: true
-                - name: VAULT_OIDC_DEV_GROUP
-                  valueFrom:
-                    secretKeyRef:
-                      name: vault-oidc-config
-                      key: dev_group
-                      optional: true
-                - name: VAULT_OIDC_DEV_POLICIES
-                  valueFrom:
-                    secretKeyRef:
-                      name: vault-oidc-config
-                      key: dev_policies
-                      optional: true
-                - name: VAULT_OIDC_USER_GROUP
-                  valueFrom:
-                    secretKeyRef:
-                      name: vault-oidc-config
-                      key: user_group
-                      optional: true
-                - name: VAULT_OIDC_USER_POLICIES
-                  valueFrom:
-                    secretKeyRef:
-                      name: vault-oidc-config
-                      key: user_policies
-                      optional: true
-                - name: VAULT_OIDC_REDIRECT_URIS
-                  valueFrom:
-                    secretKeyRef:
-                      name: vault-oidc-config
-                      key: redirect_uris
-                      optional: true
-                - name: VAULT_OIDC_BOUND_AUDIENCES
-                  valueFrom:
-                    secretKeyRef:
-                      name: vault-oidc-config
-                      key: bound_audiences
-                      optional: true
-                - name: VAULT_OIDC_BOUND_CLAIMS
-                  valueFrom:
-                    secretKeyRef:
-                      name: vault-oidc-config
-                      key: bound_claims
-                      optional: true
-                - name: VAULT_OIDC_BOUND_CLAIMS_TYPE
-                  valueFrom:
-                    secretKeyRef:
-                      name: vault-oidc-config
-                      key: bound_claims_type
-                      optional: true
               volumeMounts:
+                - name: vault-entrypoint
+                  mountPath: /entrypoint.sh
+                  subPath: vault-entrypoint.sh
                 - name: oidc-config-script
                   mountPath: /scripts
                   readOnly: true
           volumes:
+            - name: vault-entrypoint
+              configMap:
+                name: vault-entrypoint
+                defaultMode: 493
             - name: oidc-config-script
               configMap:
                 name: vault-oidc-config-script

services/vault/scripts/vault-entrypoint.sh

@@ -0,0 +1,34 @@
+#!/bin/sh
+set -eu
+
+if [ -n "${VAULT_ENV_FILE:-}" ]; then
+  if [ -f "${VAULT_ENV_FILE}" ]; then
+    # shellcheck disable=SC1090
+    . "${VAULT_ENV_FILE}"
+  else
+    echo "Vault env file not found: ${VAULT_ENV_FILE}" >&2
+    exit 1
+  fi
+fi
+
+if [ -n "${VAULT_COPY_FILES:-}" ]; then
+  old_ifs="$IFS"
+  IFS=','
+  for pair in ${VAULT_COPY_FILES}; do
+    src="${pair%%:*}"
+    dest="${pair#*:}"
+    if [ -z "${src}" ] || [ -z "${dest}" ]; then
+      echo "Vault copy entry malformed: ${pair}" >&2
+      exit 1
+    fi
+    if [ ! -f "${src}" ]; then
+      echo "Vault file not found: ${src}" >&2
+      exit 1
+    fi
+    mkdir -p "$(dirname "${dest}")"
+    cp "${src}" "${dest}"
+  done
+  IFS="$old_ifs"
+fi
+
+exec "$@"

services/vault/scripts/vault_k8s_auth_configure.sh

@@ -109,6 +109,8 @@ write_policy_and_role "health" "health" "health-vault-sync" \
   "health/*" ""
 write_policy_and_role "longhorn" "longhorn-system" "longhorn-vault" \
   "longhorn/*" ""
+write_policy_and_role "vault" "vault" "vault" \
+  "vault/*" ""
 
 write_policy_and_role "sso-secrets" "sso" "mas-secrets-ensure" \
   "shared/keycloak-admin" \