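# services/vault/oidc-config-cronjob.yaml
#
# CronJob that periodically re-applies Vault's OIDC auth configuration by
# running the script shipped in the vault-oidc-config-script ConfigMap.
# The configuration values (including the OIDC client secret) are rendered
# by the Vault Agent injector into /vault/secrets/vault-oidc-env.sh, which
# the job reads through VAULT_ENV_FILE.
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: vault-oidc-config
  namespace: vault
spec:
  schedule: "*/15 * * * *"
  # Never run two reconfigurations at once: overlapping runs against the
  # same auth mount would race each other.
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 1
      template:
        metadata:
          annotations:
            vault.hashicorp.com/agent-inject: "true"
            vault.hashicorp.com/role: "vault"
            # The annotation suffix is the file name the agent writes under
            # /vault/secrets/. The rendered file holds the OIDC client secret
            # in plaintext, so the pod filesystem is the secret boundary.
            vault.hashicorp.com/agent-inject-secret-vault-oidc-env.sh: "kv/data/atlas/vault/vault-oidc-config"
            # NOTE(review): every value is interpolated into a double-quoted
            # shell string. A KV value containing `"`, `$` or a backslash
            # would be expanded or would break the file when it is sourced —
            # confirm the stored values are plain tokens.
            vault.hashicorp.com/agent-inject-template-vault-oidc-env.sh: |
              {{ with secret "kv/data/atlas/vault/vault-oidc-config" }}
              export VAULT_OIDC_DISCOVERY_URL="{{ .Data.data.discovery_url }}"
              export VAULT_OIDC_CLIENT_ID="{{ .Data.data.client_id }}"
              export VAULT_OIDC_CLIENT_SECRET="{{ .Data.data.client_secret }}"
              export VAULT_OIDC_DEFAULT_ROLE="{{ .Data.data.default_role }}"
              export VAULT_OIDC_SCOPES="{{ .Data.data.scopes }}"
              export VAULT_OIDC_USER_CLAIM="{{ .Data.data.user_claim }}"
              export VAULT_OIDC_GROUPS_CLAIM="{{ .Data.data.groups_claim }}"
              export VAULT_OIDC_TOKEN_POLICIES="{{ .Data.data.token_policies }}"
              export VAULT_OIDC_ADMIN_GROUP="{{ .Data.data.admin_group }}"
              export VAULT_OIDC_ADMIN_POLICIES="{{ .Data.data.admin_policies }}"
              export VAULT_OIDC_DEV_GROUP="{{ .Data.data.dev_group }}"
              export VAULT_OIDC_DEV_POLICIES="{{ .Data.data.dev_policies }}"
              export VAULT_OIDC_USER_GROUP="{{ .Data.data.user_group }}"
              export VAULT_OIDC_USER_POLICIES="{{ .Data.data.user_policies }}"
              export VAULT_OIDC_REDIRECT_URIS="{{ .Data.data.redirect_uris }}"
              export VAULT_OIDC_BOUND_AUDIENCES="{{ .Data.data.bound_audiences }}"
              export VAULT_OIDC_BOUND_CLAIMS="{{ .Data.data.bound_claims }}"
              export VAULT_OIDC_BOUND_CLAIMS_TYPE="{{ .Data.data.bound_claims_type }}"
              {{ end }}
        spec:
          # The same service account is used for the Kubernetes auth login
          # (VAULT_K8S_ROLE below) and for the agent injector's role.
          serviceAccountName: vault
          restartPolicy: Never
          nodeSelector:
            kubernetes.io/arch: arm64
            node-role.kubernetes.io/worker: "true"
          # NOTE(review): no pod/container securityContext is set; the
          # entrypoint's requirements are not visible here, so none is added.
          containers:
            - name: configure-oidc
              # Pinned by tag only; pin by digest if the image policy requires
              # a reproducible supply chain.
              image: hashicorp/vault:1.17.6
              imagePullPolicy: IfNotPresent
              command:
                - /entrypoint.sh
              args:
                - sh
                - /scripts/vault_oidc_configure.sh
              env:
                - name: VAULT_ADDR
                  # Plain HTTP to the in-cluster service. Whatever the script
                  # sends to Vault (presumably the OIDC client secret from the
                  # env file) crosses the cluster network unencrypted unless
                  # the listener is fronted by TLS.
                  value: http://vault.vault.svc.cluster.local:8200
                - name: VAULT_K8S_ROLE
                  value: vault
                - name: VAULT_ENV_FILE
                  value: /vault/secrets/vault-oidc-env.sh
              volumeMounts:
                - name: vault-entrypoint
                  mountPath: /entrypoint.sh
                  subPath: vault-entrypoint.sh
                  # Read-only, matching the script mount below.
                  readOnly: true
                - name: oidc-config-script
                  mountPath: /scripts
                  readOnly: true
          volumes:
            - name: vault-entrypoint
              configMap:
                name: vault-entrypoint
                # 0755 — the entrypoint is exec'd directly. Written in decimal
                # because an unquoted `0755` is octal under YAML 1.1 but
                # decimal under YAML 1.2.
                defaultMode: 493
            - name: oidc-config-script
              configMap:
                name: vault-oidc-config-script
                # 0555 — the script is run via `sh`, so the execute bit is
                # only a convenience. Decimal for the same reason as above: an
                # unquoted `0555` would be 555 under YAML 1.2, which exceeds
                # 0777 and is rejected as a mode.
                defaultMode: 365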