K3S-HOME/security
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fa4521e946c05623474e9e75e2288d54390b3cbd
security/vault/manifests/oidc-setup-job.yaml
Mayne0213 507cb61ec4 FEAT(vault): add OIDC auth for Authelia SSO 
- Add ExternalSecret for VAULT_CLIENT_SECRET
- Configure default and admin roles for OIDC login
- Fix claim settings (use sub instead of preferred_username)
- Remove oidc-setup-job (already configured)
2026-01-10 01:16:57 +09:00

90 lines
3.1 KiB
YAML
Raw Blame History

apiVersion: batch/v1
kind: Job
metadata:
name: vault-oidc-setup
namespace: vault
annotations:
argocd.argoproj.io/hook: PostSync
argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
spec:
ttlSecondsAfterFinished: 300
template:
spec:
serviceAccountName: vault
restartPolicy: OnFailure
containers:
- name: vault-oidc-setup
image: hashicorp/vault:1.17.2
env:
- name: VAULT_ADDR
value: "http://vault.vault.svc.cluster.local:8200"
- name: VAULT_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: vault-oidc-secret
key: VAULT_CLIENT_SECRET
command:
- /bin/sh
- -c
- |
set -e
# Login with Kubernetes auth
echo "Logging in with Kubernetes auth..."
VAULT_TOKEN=$(vault write -field=token auth/kubernetes/login \
role=vault-setup \
jwt=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token))
export VAULT_TOKEN
# Check if OIDC is already enabled
if vault auth list | grep -q "oidc/"; then
echo "OIDC auth method already enabled"
else
echo "Enabling OIDC auth method..."
vault auth enable oidc
fi
# Configure OIDC with Authelia
echo "Configuring OIDC..."
vault write auth/oidc/config \
oidc_discovery_url="https://auth0213.kro.kr" \
oidc_client_id="vault" \
oidc_client_secret="${VAULT_CLIENT_SECRET}" \
default_role="default"
# Create default role
echo "Creating default role..."
vault write auth/oidc/role/default \
user_claim="sub" \
groups_claim="" \
allowed_redirect_uris="https://vault0213.kro.kr/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
token_policies="admin" \
token_ttl="1h" \
token_max_ttl="24h"
# Create admin policy
echo "Creating admin policy..."
vault policy write admin - <<POLICY
path "*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
POLICY
# Create admin role
echo "Creating admin role..."
vault write auth/oidc/role/admin \
user_claim="sub" \
groups_claim="" \
allowed_redirect_uris="https://vault0213.kro.kr/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
token_policies="admin" \
token_ttl="1h" \
token_max_ttl="24h"
echo "OIDC setup complete!"
tolerations:
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"
Reference in New Issue View Git Blame Copy Permalink