feat: working infra with sso

2025-12-04 12:49:43 +02:00
parent 67de982754
commit 7e54ee9099
13 changed files with 329 additions and 222 deletions
--- a/infra/scripts/setup-vault.sh
+++ b/infra/scripts/setup-vault.sh
@@ -0,0 +1,84 @@
+#!/bin/bash
+set -e
+
+# Load environment variables
+source infra/environments/production/.env
+
+# Vault Configuration
+VAULT_ADDR="http://127.0.0.1:8200"
+KEYS_FILE="infra/environments/production/.vault-keys"
+
+if [ ! -f "$KEYS_FILE" ]; then
+    echo "Error: Keys file not found at $KEYS_FILE. Run init-vault.sh first."
+    exit 1
+fi
+
+VAULT_TOKEN=$(grep '"root_token":' "$KEYS_FILE" | cut -d'"' -f4)
+CONTAINER_NAME="apa-vault"
+
+echo "Configuring Vault..."
+
+# Helper function to run vault commands inside docker
+vault_cmd() {
+    docker exec -i -e VAULT_ADDR=$VAULT_ADDR -e VAULT_TOKEN=$VAULT_TOKEN $CONTAINER_NAME vault "$@"
+}
+
+# Enable OIDC auth method
+echo "Enabling OIDC auth method..."
+if ! vault_cmd auth list | grep -q "oidc/"; then
+    vault_cmd auth enable oidc
+else
+    echo "OIDC auth method already enabled."
+fi
+
+# Configure OIDC
+echo "Configuring OIDC..."
+vault_cmd write auth/oidc/config \
+    oidc_discovery_url="https://auth.${DOMAIN}/application/o/vault-prod/" \
+    oidc_client_id="vault-prod" \
+    oidc_client_secret="${AUTHENTIK_VAULT_CLIENT_SECRET}" \
+    default_role="reader"
+
+# Create Policies
+echo "Creating policies..."
+
+# Admin Policy
+vault_cmd policy write admin - <<EOF
+path "*" {
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+EOF
+
+# Reader Policy
+vault_cmd policy write reader - <<EOF
+path "secret/*" {
+  capabilities = ["read", "list"]
+}
+EOF
+
+# Create Roles
+echo "Creating roles..."
+
+# Admin Role
+vault_cmd write auth/oidc/role/admin \
+    bound_audiences="vault-prod" \
+    allowed_redirect_uris="https://vault.${DOMAIN}/ui/vault/auth/oidc/oidc/callback" \
+    allowed_redirect_uris="https://vault.${DOMAIN}/oidc/callback" \
+    user_claim="email" \
+    policies="admin" \
+    role_type="oidc" \
+    groups_claim="groups" \
+    oidc_scopes="openid,email,profile,groups"
+
+# Reader Role
+vault_cmd write auth/oidc/role/reader \
+    bound_audiences="vault-prod" \
+    allowed_redirect_uris="https://vault.${DOMAIN}/ui/vault/auth/oidc/oidc/callback" \
+    allowed_redirect_uris="https://vault.${DOMAIN}/oidc/callback" \
+    user_claim="email" \
+    policies="reader" \
+    role_type="oidc" \
+    groups_claim="groups" \
+    oidc_scopes="openid,email,profile,groups"
+
+echo "Vault configuration complete!"