titan-iac/services/vault/oidc-bootstrap-job.yaml

# services/vault/oidc-bootstrap-job.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: vault-oidc-bootstrap
  namespace: vault
  labels:
    app: vault-oidc-bootstrap
spec:
  backoffLimit: 0
  ttlSecondsAfterFinished: 86400
  template:
    metadata:
      labels:
        app: vault-oidc-bootstrap
    spec:
      restartPolicy: Never
      containers:
        - name: configure-oidc
          image: hashicorp/vault:1.20.4
          imagePullPolicy: IfNotPresent
          env:
            - name: VAULT_ADDR
              value: http://vault.vault.svc.cluster.local:8200
            - name: VAULT_TOKEN
              valueFrom:
                secretKeyRef:
                  name: vault-oidc-admin-token
                  key: token
            - name: OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: oauth2-proxy-vault-oidc
                  key: client_secret
            - name: VAULT_CLIENT_TIMEOUT
              value: "30s"
          command:
            - /bin/sh
            - -c
            - |
              set -euo pipefail
              vault status
              # Enable OIDC auth (idempotent)
              vault auth enable oidc >/dev/null 2>&1 || vault auth tune -description="Keycloak OIDC" oidc

              # Configure Keycloak OIDC
              vault write auth/oidc/config \
                oidc_discovery_url="https://sso.bstein.dev/realms/atlas" \
                oidc_client_id="oauth2-proxy" \
                oidc_client_secret="$OIDC_CLIENT_SECRET" \
                default_role="admin" \
                bound_issuer="https://sso.bstein.dev/realms/atlas" \
                allowed_redirect_uris="https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback"

              # Admin policy (wide permissions)
              vault policy write vault-admin - <<'EOF'
              path "*" {
                capabilities = ["create", "read", "update", "delete", "list", "sudo"]
              }
              EOF

              # Role mapping admin group -> vault-admin policy
              cat >/tmp/role.json <<'EOF'
              {
                "user_claim": "sub",
                "groups_claim": "groups",
                "bound_audiences": "oauth2-proxy",
                "allowed_redirect_uris": "https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback",
                "claim_mappings": {
                  "email": "email",
                  "name": "name"
                },
                "token_policies": ["vault-admin"],
                "oidc_scopes": ["profile", "email", "groups"],
                "bound_claims": { "groups": ["admin"] }
              }
              EOF
              vault write auth/oidc/role/admin @/tmp/role.json
              echo "vault OIDC bootstrap complete"