apiVersion: batch/v1
kind: Job
metadata:
  name: vault-oidc-setup
  namespace: vault
  annotations:
    argocd.argoproj.io/hook: PostSync
    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
spec:
  ttlSecondsAfterFinished: 300
  template:
    spec:
      serviceAccountName: vault
      restartPolicy: OnFailure
      containers:
        - name: vault-oidc-setup
          image: hashicorp/vault:1.17.2
          env:
            - name: VAULT_ADDR
              value: "http://vault.vault.svc.cluster.local:8200"
            - name: VAULT_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: vault-oidc-secret
                  key: VAULT_CLIENT_SECRET
          command:
            - /bin/sh
            - -c
            - |
              set -e

              # Login with Kubernetes auth
              echo "Logging in with Kubernetes auth..."
              VAULT_TOKEN=$(vault write -field=token auth/kubernetes/login \
                role=vault-setup \
                jwt=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token))
              export VAULT_TOKEN

              # Check if OIDC is already enabled
              if vault auth list | grep -q "oidc/"; then
                echo "OIDC auth method already enabled"
              else
                echo "Enabling OIDC auth method..."
                vault auth enable oidc
              fi

              # Configure OIDC with Authelia
              echo "Configuring OIDC..."
              vault write auth/oidc/config \
                oidc_discovery_url="https://auth0213.kro.kr" \
                oidc_client_id="vault" \
                oidc_client_secret="${VAULT_CLIENT_SECRET}" \
                default_role="default"

              # Create default role
              echo "Creating default role..."
              vault write auth/oidc/role/default \
                user_claim="sub" \
                groups_claim="" \
                allowed_redirect_uris="https://vault0213.kro.kr/ui/vault/auth/oidc/oidc/callback" \
                allowed_redirect_uris="http://localhost:8250/oidc/callback" \
                token_policies="admin" \
                token_ttl="1h" \
                token_max_ttl="24h"

              # Create admin policy
              echo "Creating admin policy..."
              vault policy write admin - <<POLICY
              path "*" {
                capabilities = ["create", "read", "update", "delete", "list", "sudo"]
              }
              POLICY

              # Create admin role
              echo "Creating admin role..."
              vault write auth/oidc/role/admin \
                user_claim="sub" \
                groups_claim="" \
                allowed_redirect_uris="https://vault0213.kro.kr/ui/vault/auth/oidc/oidc/callback" \
                allowed_redirect_uris="http://localhost:8250/oidc/callback" \
                token_policies="admin" \
                token_ttl="1h" \
                token_max_ttl="24h"

              echo "OIDC setup complete!"
      tolerations:
        - key: "node-role.kubernetes.io/control-plane"
          operator: "Exists"
          effect: "NoSchedule"