sso: tighten zot and vault oidc flow

services/vault/ingress.yaml

@@ -24,6 +24,6 @@ spec:
             pathType: Prefix
             backend:
               service:
-                name: oauth2-proxy-vault
+                name: vault
                 port:
-                  number: 80
+                  number: 8200

services/vault/kustomization.yaml

@@ -9,5 +9,4 @@ resources:
   - ingress.yaml
   - middleware.yaml
   - serverstransport.yaml
-  - oauth2-proxy-vault.yaml
   - oidc-bootstrap-job.yaml

services/vault/oauth2-proxy-vault.yaml

@@ -1,102 +0,0 @@
-# services/vault/oauth2-proxy-vault.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  name: oauth2-proxy-vault
-  labels:
-    app: oauth2-proxy-vault
-spec:
-  ports:
-    - name: http
-      port: 80
-      targetPort: 4180
-  selector:
-    app: oauth2-proxy-vault
-
----
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: oauth2-proxy-vault
-  labels:
-    app: oauth2-proxy-vault
-spec:
-  replicas: 2
-  selector:
-    matchLabels:
-      app: oauth2-proxy-vault
-  template:
-    metadata:
-      labels:
-        app: oauth2-proxy-vault
-    spec:
-      nodeSelector:
-        node-role.kubernetes.io/worker: "true"
-      affinity:
-        nodeAffinity:
-          preferredDuringSchedulingIgnoredDuringExecution:
-            - weight: 80
-              preference:
-                matchExpressions:
-                  - key: kubernetes.io/arch
-                    operator: In
-                    values:
-                      - arm64
-                      - arm
-      containers:
-        - name: oauth2-proxy
-          image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
-          args:
-            - --provider=oidc
-            - --redirect-url=https://secret.bstein.dev/oauth2/callback
-            - --oidc-issuer-url=https://sso.bstein.dev/realms/atlas
-            - --scope=openid profile email groups
-            - --email-domain=*
-            - --set-xauthrequest=true
-            - --pass-access-token=true
-            - --set-authorization-header=true
-            - --cookie-secure=true
-            - --cookie-samesite=lax
-            - --cookie-refresh=20m
-            - --cookie-expire=168h
-            - --insecure-oidc-allow-unverified-email=true
-            # Vault UI is served over HTTP on the service endpoint.
-            - --upstream=http://vault.vault.svc.cluster.local:8200
-            - --http-address=0.0.0.0:4180
-            - --skip-provider-button=true
-            - --skip-jwt-bearer-tokens=true
-            - --oidc-groups-claim=groups
-            - --allowed-group=admin
-            - --cookie-domain=secret.bstein.dev
-          env:
-            - name: OAUTH2_PROXY_CLIENT_ID
-              valueFrom:
-                secretKeyRef:
-                  name: oauth2-proxy-vault-oidc
-                  key: client_id
-            - name: OAUTH2_PROXY_CLIENT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: oauth2-proxy-vault-oidc
-                  key: client_secret
-            - name: OAUTH2_PROXY_COOKIE_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: oauth2-proxy-vault-oidc
-                  key: cookie_secret
-          ports:
-            - containerPort: 4180
-              name: http
-          readinessProbe:
-            httpGet:
-              path: /ping
-              port: 4180
-            initialDelaySeconds: 5
-            periodSeconds: 10
-          livenessProbe:
-            httpGet:
-              path: /ping
-              port: 4180
-            initialDelaySeconds: 20
-            periodSeconds: 20

services/vault/oidc-bootstrap-job.yaml

@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: vault-oidc-bootstrap-3
+  name: vault-oidc-bootstrap-4
   namespace: vault
   labels:
     app: vault-oidc-bootstrap
@@ -50,7 +50,8 @@ spec:
                 oidc_client_secret="$OIDC_CLIENT_SECRET" \
                 default_role="admin" \
                 bound_issuer="https://sso.bstein.dev/realms/atlas" \
-                allowed_redirect_uris="https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback"
+                allowed_redirect_uris="https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback" \
+                allowed_redirect_uris="http://localhost:8250/oidc/callback"
 
               # Admin policy (wide permissions)
               vault policy write vault-admin - <<'EOF'
@@ -65,13 +66,16 @@ spec:
                 "user_claim": "sub",
                 "groups_claim": "groups",
                 "bound_audiences": "oauth2-proxy",
-                "allowed_redirect_uris": "https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback",
+                "allowed_redirect_uris": [
+                  "https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback",
+                  "http://localhost:8250/oidc/callback"
+                ],
                 "claim_mappings": {
                   "email": "email",
                   "name": "name"
                 },
                 "token_policies": ["vault-admin"],
-                "oidc_scopes": ["profile", "email", "groups"],
+                "oidc_scopes": ["openid", "profile", "email", "groups", "oauth2-proxy-audience"],
                 "bound_claims": { "groups": ["admin"] }
               }
               EOF

services/zot/oauth2-proxy-zot.yaml

@@ -51,7 +51,7 @@ spec:
             - --provider=oidc
             - --redirect-url=https://registry.bstein.dev/oauth2/callback
             - --oidc-issuer-url=https://sso.bstein.dev/realms/atlas
-            - --scope=openid profile email groups
+            - --scope=openid profile email groups oauth2-proxy-audience
             - --email-domain=*
             - --set-xauthrequest=true
             - --pass-access-token=true