vault: add OpenBao OIDC integration with Kanidm
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m9s
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m9s
Enable Kanidm users to authenticate to OpenBao via OIDC for Web UI access. Members of the admins group get full read/write access to secrets. Changes: - Add OIDC auth backend in Terraform (oidc.tf) - Add oidc-admin and oidc-default policies - Add openbao OAuth2 client to Kanidm - Enable legacy crypto (RS256) for OpenBao compatibility - Allow imperative group membership management in Kanidm Limitations: - CLI login not supported (Kanidm requires HTTPS for confidential client redirects) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
50
terraform/vault/oidc.tf
Normal file
50
terraform/vault/oidc.tf
Normal file
@@ -0,0 +1,50 @@
|
||||
# OIDC authentication backend for Kanidm integration
|
||||
# Web UI only - CLI localhost redirects not supported with confidential clients
|
||||
resource "vault_jwt_auth_backend" "oidc" {
|
||||
path = "oidc"
|
||||
type = "oidc"
|
||||
oidc_discovery_url = "https://auth.home.2rjus.net/oauth2/openid/openbao"
|
||||
oidc_client_id = "openbao"
|
||||
oidc_client_secret = random_password.auto_secrets["services/openbao/oauth2-client-secret"].result
|
||||
default_role = "default"
|
||||
|
||||
tune {
|
||||
listing_visibility = "unauth"
|
||||
default_lease_ttl = "1h"
|
||||
max_lease_ttl = "24h"
|
||||
token_type = "default-service"
|
||||
}
|
||||
}
|
||||
|
||||
# Admin role - maps Kanidm admins group to admin policy
|
||||
resource "vault_jwt_auth_backend_role" "admin" {
|
||||
backend = vault_jwt_auth_backend.oidc.path
|
||||
role_name = "admin"
|
||||
token_policies = ["oidc-admin"]
|
||||
|
||||
user_claim = "preferred_username"
|
||||
groups_claim = "groups"
|
||||
bound_claims = { groups = "admins@home.2rjus.net" }
|
||||
role_type = "oidc"
|
||||
oidc_scopes = ["openid", "profile", "email", "groups"]
|
||||
|
||||
allowed_redirect_uris = [
|
||||
"https://vault.home.2rjus.net:8200/ui/vault/auth/oidc/oidc/callback",
|
||||
]
|
||||
}
|
||||
|
||||
# Default role - any authenticated user (limited access)
|
||||
resource "vault_jwt_auth_backend_role" "default" {
|
||||
backend = vault_jwt_auth_backend.oidc.path
|
||||
role_name = "default"
|
||||
token_policies = ["oidc-default"]
|
||||
|
||||
user_claim = "preferred_username"
|
||||
groups_claim = "groups"
|
||||
role_type = "oidc"
|
||||
oidc_scopes = ["openid", "profile", "email", "groups"]
|
||||
|
||||
allowed_redirect_uris = [
|
||||
"https://vault.home.2rjus.net:8200/ui/vault/auth/oidc/oidc/callback",
|
||||
]
|
||||
}
|
||||
Reference in New Issue
Block a user