diff --git a/vault/kustomization.yaml b/vault/kustomization.yaml
index 9136fb6..397a4cc 100644
--- a/vault/kustomization.yaml
+++ b/vault/kustomization.yaml
@@ -4,3 +4,5 @@ resources:
 - manifests/cluster-secret-store.yaml
 - manifests/external-secret.yaml
 - manifests/rbac.yaml
+- manifests/oidc-secret.yaml
+- manifests/oidc-setup-job.yaml
diff --git a/vault/manifests/oidc-secret.yaml b/vault/manifests/oidc-secret.yaml
new file mode 100644
index 0000000..2274c26
--- /dev/null
+++ b/vault/manifests/oidc-secret.yaml
@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: vault-oidc-secret
+  namespace: vault
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault-backend
+  target:
+    name: vault-oidc-secret
+    creationPolicy: Owner
+  data:
+    - secretKey: VAULT_CLIENT_SECRET
+      remoteRef:
+        key: authelia
+        property: VAULT_CLIENT_SECRET
diff --git a/vault/manifests/oidc-setup-job.yaml b/vault/manifests/oidc-setup-job.yaml
new file mode 100644
index 0000000..cfa602f
--- /dev/null
+++ b/vault/manifests/oidc-setup-job.yaml
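Review bot: The ExternalSecret re-syncs the Authelia client secret into `vault-oidc-secret` every hour (`refreshInterval: 1h`), but nothing in this diff re-applies the new value to Vault: as far as the following hunk shows, `auth/oidc/config` is written only by the PostSync setup job, so rotating `VAULT_CLIENT_SECRET` in the `authelia` KV entry updates the Kubernetes Secret and then silently breaks OIDC login until the next Argo CD sync. Document that coupling above the `refreshInterval` line, e.g. `# Synced copy only; auth/oidc/config is rewritten by the PostSync setup job, so re-sync the app after rotating the client secret`, or wire the job to re-run on secret change. Note also that the synced Secret stays in the `vault` namespace after the one-shot job completes, so any principal with `get secrets` there can read the client secret; the RBAC in `manifests/rbac.yaml` is outside this diff, so I cannot confirm how narrowly that is scoped.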
@@ -0,0 +1,89 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: vault-oidc-setup
+  namespace: vault
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+spec:
+  ttlSecondsAfterFinished: 300
+  template:
+    spec:
+      serviceAccountName: vault
+      restartPolicy: OnFailure
+      containers:
+        - name: vault-oidc-setup
+          image: hashicorp/vault:1.17.2
+          env:
+            - name: VAULT_ADDR
+              value: "http://vault.vault.svc.cluster.local:8200"
+            - name: VAULT_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: vault-oidc-secret
+                  key: VAULT_CLIENT_SECRET
+          command:
+            - /bin/sh
+            - -c
+            - |
+              set -e
+
+              # Login with Kubernetes auth
+              echo "Logging in with Kubernetes auth..."
+              VAULT_TOKEN=$(vault write -field=token auth/kubernetes/login \
+                role=vault-setup \
+                jwt=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token))
+              export VAULT_TOKEN
+
+              # Check if OIDC is already enabled
+              if vault auth list | grep -q "oidc/"; then
+                echo "OIDC auth method already enabled"
+              else
+                echo "Enabling OIDC auth method..."
+                vault auth enable oidc
+              fi
+
+              # Configure OIDC with Authelia
+              echo "Configuring OIDC..."
+              vault write auth/oidc/config \
+                oidc_discovery_url="https://auth0213.kro.kr" \
+                oidc_client_id="vault" \
+                oidc_client_secret="${VAULT_CLIENT_SECRET}" \
+                default_role="default"
+
+              # Create default role
+              echo "Creating default role..."
+              vault write auth/oidc/role/default \
+                user_claim="sub" \
+                groups_claim="" \
+                allowed_redirect_uris="https://vault0213.kro.kr/ui/vault/auth/oidc/oidc/callback" \
+                allowed_redirect_uris="http://localhost:8250/oidc/callback" \
+                token_policies="admin" \
+                token_ttl="1h" \
+                token_max_ttl="24h"
+
+              # Create admin policy
+              echo "Creating admin policy..."
+              vault policy write admin - <