7e54ee9099
Some checks failed
CI/CD Pipeline / Code Quality & Linting (push) Has been cancelled
CI/CD Pipeline / Policy Validation (push) Has been cancelled
CI/CD Pipeline / Test Suite (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-coverage) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-extract) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-firm-connectors) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-forms) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-hmrc) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-ingestion) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-kg) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-normalize-map) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-ocr) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-rag-indexer) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-rag-retriever) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-reason) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (svc-rpa) (push) Has been cancelled
CI/CD Pipeline / Build Docker Images (ui-review) (push) Has been cancelled
CI/CD Pipeline / Security Scanning (svc-coverage) (push) Has been cancelled
CI/CD Pipeline / Security Scanning (svc-extract) (push) Has been cancelled
CI/CD Pipeline / Security Scanning (svc-kg) (push) Has been cancelled
CI/CD Pipeline / Security Scanning (svc-rag-retriever) (push) Has been cancelled
CI/CD Pipeline / Security Scanning (ui-review) (push) Has been cancelled
CI/CD Pipeline / Generate SBOM (push) Has been cancelled
CI/CD Pipeline / Deploy to Staging (push) Has been cancelled
CI/CD Pipeline / Deploy to Production (push) Has been cancelled
CI/CD Pipeline / Notifications (push) Has been cancelled
85 lines
2.2 KiB
Bash
85 lines
2.2 KiB
Bash
#!/bin/bash
|
|
set -e
|
|
|
|
# Load environment variables
|
|
source infra/environments/production/.env
|
|
|
|
# Vault Configuration
|
|
VAULT_ADDR="http://127.0.0.1:8200"
|
|
KEYS_FILE="infra/environments/production/.vault-keys"
|
|
|
|
if [ ! -f "$KEYS_FILE" ]; then
|
|
echo "Error: Keys file not found at $KEYS_FILE. Run init-vault.sh first."
|
|
exit 1
|
|
fi
|
|
|
|
VAULT_TOKEN=$(grep '"root_token":' "$KEYS_FILE" | cut -d'"' -f4)
|
|
CONTAINER_NAME="apa-vault"
|
|
|
|
echo "Configuring Vault..."
|
|
|
|
# Helper function to run vault commands inside docker
|
|
vault_cmd() {
|
|
docker exec -i -e VAULT_ADDR=$VAULT_ADDR -e VAULT_TOKEN=$VAULT_TOKEN $CONTAINER_NAME vault "$@"
|
|
}
|
|
|
|
# Enable OIDC auth method
|
|
echo "Enabling OIDC auth method..."
|
|
if ! vault_cmd auth list | grep -q "oidc/"; then
|
|
vault_cmd auth enable oidc
|
|
else
|
|
echo "OIDC auth method already enabled."
|
|
fi
|
|
|
|
# Configure OIDC
|
|
echo "Configuring OIDC..."
|
|
vault_cmd write auth/oidc/config \
|
|
oidc_discovery_url="https://auth.${DOMAIN}/application/o/vault-prod/" \
|
|
oidc_client_id="vault-prod" \
|
|
oidc_client_secret="${AUTHENTIK_VAULT_CLIENT_SECRET}" \
|
|
default_role="reader"
|
|
|
|
# Create Policies
|
|
echo "Creating policies..."
|
|
|
|
# Admin Policy
|
|
vault_cmd policy write admin - <<EOF
|
|
path "*" {
|
|
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
|
}
|
|
EOF
|
|
|
|
# Reader Policy
|
|
vault_cmd policy write reader - <<EOF
|
|
path "secret/*" {
|
|
capabilities = ["read", "list"]
|
|
}
|
|
EOF
|
|
|
|
# Create Roles
|
|
echo "Creating roles..."
|
|
|
|
# Admin Role
|
|
vault_cmd write auth/oidc/role/admin \
|
|
bound_audiences="vault-prod" \
|
|
allowed_redirect_uris="https://vault.${DOMAIN}/ui/vault/auth/oidc/oidc/callback" \
|
|
allowed_redirect_uris="https://vault.${DOMAIN}/oidc/callback" \
|
|
user_claim="email" \
|
|
policies="admin" \
|
|
role_type="oidc" \
|
|
groups_claim="groups" \
|
|
oidc_scopes="openid,email,profile,groups"
|
|
|
|
# Reader Role
|
|
vault_cmd write auth/oidc/role/reader \
|
|
bound_audiences="vault-prod" \
|
|
allowed_redirect_uris="https://vault.${DOMAIN}/ui/vault/auth/oidc/oidc/callback" \
|
|
allowed_redirect_uris="https://vault.${DOMAIN}/oidc/callback" \
|
|
user_claim="email" \
|
|
policies="reader" \
|
|
role_type="oidc" \
|
|
groups_claim="groups" \
|
|
oidc_scopes="openid,email,profile,groups"
|
|
|
|
echo "Vault configuration complete!"
|