vault: add OpenBao OIDC integration with Kanidm

Enable Kanidm users to authenticate to OpenBao via OIDC for Web UI access. Members of the admins group get full read/write access to secrets. Changes: - Add OIDC auth backend in Terraform (oidc.tf) - Add oidc-admin and oidc-default policies - Add openbao OAuth2 client to Kanidm - Enable legacy crypto (RS256) for OpenBao compatibility - Allow imperative group membership management in Kanidm Limitations: - CLI login not supported (Kanidm requires HTTPS for confidential client redirects) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-09 19:42:26 +01:00
parent 2f5a2a4bf1
commit e85f15b73d
5 changed files with 131 additions and 3 deletions
--- a/terraform/vault/policies.tf
+++ b/terraform/vault/policies.tf
@@ -8,3 +8,50 @@ path "sys/metrics" {
 }
 EOT
 }
+
+# OIDC admin policy - full read/write to all secrets
+resource "vault_policy" "oidc_admin" {
+  name = "oidc-admin"
+
+  policy = <<EOT
+# Full access to KV secrets
+path "secret/*" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+# Read system health and metrics
+path "sys/health" {
+  capabilities = ["read"]
+}
+
+path "sys/metrics" {
+  capabilities = ["read"]
+}
+
+# List auth methods and mounts
+path "sys/auth" {
+  capabilities = ["read"]
+}
+
+path "sys/mounts" {
+  capabilities = ["read"]
+}
+EOT
+}
+
+# OIDC default policy - minimal access for authenticated users
+resource "vault_policy" "oidc_default" {
+  name = "oidc-default"
+
+  policy = <<EOT
+# Read own token info
+path "auth/token/lookup-self" {
+  capabilities = ["read"]
+}
+
+# Read system health
+path "sys/health" {
+  capabilities = ["read"]
+}
+EOT
+}