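# services/vault/oidc-bootstrap-job.yaml
#
# One-shot Job that wires Vault's OIDC auth method to Keycloak and maps
# the "admin" group to a root-equivalent Vault policy. The script is
# written to be re-runnable, but Jobs are immutable: to re-run it, bump
# the numeric suffix in metadata.name (currently -3) and re-apply.
#
# Security notes:
#   - VAULT_TOKEN must carry enough privilege to manage auth methods and
#     policies; treat the vault-oidc-admin-token Secret as root-equivalent.
#   - VAULT_ADDR is plain http://. Both the admin token and the OIDC client
#     secret cross the cluster network unencrypted; switch to https:// if the
#     Vault listener has TLS enabled.
#   - The pod does not need the Kubernetes API, so the ServiceAccount token is
#     not mounted and the container runs with capabilities dropped.
---
apiVersion: batch/v1
kind: Job
metadata:
  name: vault-oidc-bootstrap-3
  namespace: vault
  labels:
    app: vault-oidc-bootstrap
spec:
  # No retries: a half-applied bootstrap should fail loudly, not loop.
  backoffLimit: 0
  # Keep the finished pod (and its logs) for a day, then garbage-collect.
  ttlSecondsAfterFinished: 86400
  template:
    metadata:
      labels:
        app: vault-oidc-bootstrap
    spec:
      restartPolicy: Never
      # The script only talks to Vault over VAULT_ADDR; it never calls the
      # Kubernetes API, so do not hand it a ServiceAccount token.
      automountServiceAccountToken: false
      containers:
        - name: configure-oidc
          image: hashicorp/vault:1.20.4
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          env:
            # In-cluster, plaintext. See the TLS note at the top of the file.
            - name: VAULT_ADDR
              value: http://vault.vault.svc.cluster.local:8200
            # Privileged Vault token used for every write below.
            - name: VAULT_TOKEN
              valueFrom:
                secretKeyRef:
                  name: vault-oidc-admin-token
                  key: token
            # Keycloak client secret for the "oauth2-proxy" client; shared with
            # oauth2-proxy, so rotating it must update both consumers.
            - name: OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: oauth2-proxy-vault-oidc
                  key: client_secret
            - name: VAULT_CLIENT_TIMEOUT
              value: "30s"
          command:
            - /bin/sh
            - -c
            - |
              set -euo pipefail

              # `vault status` exits non-zero when Vault is sealed or unreachable,
              # so under `set -e` the job aborts here instead of part-way through.
              vault status

              # Enable the OIDC auth method. On re-runs the mount already exists
              # and `auth enable` fails, so fall back to (re)tuning the description.
              # NOTE: stderr of the enable call is discarded; a genuine permission
              # error only surfaces as the subsequent `auth tune` failing.
              vault auth enable oidc >/dev/null 2>&1 \
                || vault auth tune -description="Keycloak OIDC" oidc

              # Backend configuration for the Keycloak realm.
              # The client secret is fed on stdin via `key=-` so it does not show
              # up in the vault CLI's argv (visible to anything that can read
              # /proc inside the container); printf is a shell builtin, so no
              # separate process ever carries it as an argument.
              # allowed_redirect_uris is a role-level field, not a config field
              # (Vault ignores unrecognised config parameters), so it is set on
              # the role below only.
              printf '%s' "$OIDC_CLIENT_SECRET" | vault write auth/oidc/config \
                oidc_discovery_url="https://sso.bstein.dev/realms/atlas" \
                oidc_client_id="oauth2-proxy" \
                oidc_client_secret=- \
                default_role="admin" \
                bound_issuer="https://sso.bstein.dev/realms/atlas"

              # Root-equivalent policy: "*" with sudo covers every path, including
              # sys/ and this very auth config. Anyone mapped into it can rewrite
              # the bindings below, so keep the group membership tightly controlled.
              vault policy write vault-admin - <<'EOF'
              path "*" {
                capabilities = ["create", "read", "update", "delete", "list", "sudo"]
              }
              EOF

              # Role: only ID tokens for audience "oauth2-proxy" whose `groups`
              # claim contains the exact string "admin" are accepted (bound_claims
              # is an exact string match by default). If Keycloak's group mapper
              # emits full paths ("/admin"), the bound value must match that form
              # instead — verify against a real token before relying on it.
              # "groups" is requested as a scope, so the Keycloak client needs a
              # mapper that actually emits a `groups` claim for that scope.
              # token_ttl/token_max_ttl put an explicit bound on the lifetime of
              # these root-equivalent tokens rather than inheriting mount defaults.
              # Only the UI callback is allowed; `vault login -method=oidc` from
              # the CLI would additionally need http://localhost:8250/oidc/callback.
              vault write auth/oidc/role/admin - <<'EOF'
              {
                "user_claim": "sub",
                "groups_claim": "groups",
                "bound_audiences": "oauth2-proxy",
                "allowed_redirect_uris": "https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback",
                "claim_mappings": {
                  "email": "email",
                  "name": "name"
                },
                "token_policies": ["vault-admin"],
                "oidc_scopes": ["profile", "email", "groups"],
                "bound_claims": {
                  "groups": ["admin"]
                },
                "token_ttl": "1h",
                "token_max_ttl": "24h"
              }
              EOF

              echo "vault OIDC bootstrap complete"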