Add Vault OIDC authentication via Authentik

Configure Vault to use Authentik as OIDC identity provider for SSO login. Creates OAuth2 provider/application in Authentik, adds OIDC auth backend, admin policy, and maps "authentik Admins" group to full vault-admin access.
2026-03-14 13:53:05 +00:00 · 2026-03-14 13:53:05 +00:00 · 1dec7e6bea
commit 1dec7e6bea
parent 44aa6d61c2
5 changed files with 410 additions and 214 deletions
--- a/secrets.sops.json
+++ b/secrets.sops.json
--- a/stacks/vault/main.tf
+++ b/stacks/vault/main.tf
@ -0,0 +1,157 @@
+variable "tls_secret_name" {
+  type      = string
+  sensitive = true
+}
+
+variable "vault_authentik_client_id" { type = string }
+variable "vault_authentik_client_secret" {
+  type      = string
+  sensitive = true
+}
+resource "kubernetes_namespace" "vault" {
+  metadata {
+    name = "vault"
+    labels = {
+      tier = local.tiers.core
+    }
+  }
+}
+
+module "tls_secret" {
+  source          = "../../modules/kubernetes/setup_tls_secret"
+  namespace       = kubernetes_namespace.vault.metadata[0].name
+  tls_secret_name = var.tls_secret_name
+}
+
+resource "helm_release" "vault" {
+  name             = "vault"
+  namespace        = kubernetes_namespace.vault.metadata[0].name
+  create_namespace = false
+  repository       = "https://helm.releases.hashicorp.com"
+  chart            = "vault"
+  version          = "0.29.1"
+  atomic           = true
+  timeout          = 300
+
+  values = [yamlencode({
+    global = {
+      enabled = true
+    }
+
+    server = {
+      enabled = true
+
+      resources = {
+        requests = { memory = "64Mi", cpu = "50m" }
+        limits   = { memory = "256Mi" }
+      }
+
+      dataStorage = {
+        enabled      = true
+        size         = "1Gi"
+        storageClass = "nfs-truenas"
+      }
+
+      standalone = {
+        enabled = true
+        config  = <<-EOT
+          ui = true
+
+          listener "tcp" {
+            tls_disable = 1
+            address     = "[::]:8200"
+            cluster_address = "[::]:8201"
+          }
+
+          storage "file" {
+            path = "/vault/data"
+          }
+        EOT
+      }
+
+      ha = {
+        enabled = false
+      }
+    }
+
+    ui = {
+      enabled = true
+    }
+
+    injector = {
+      enabled = false
+    }
+
+    csi = {
+      enabled = false
+    }
+  })]
+}
+
+# --- OIDC Authentication via Authentik ---
+
+resource "vault_jwt_auth_backend" "oidc" {
+  path               = "oidc"
+  type               = "oidc"
+  oidc_discovery_url = "https://authentik.viktorbarzin.me/application/o/vault/"
+  oidc_client_id     = var.vault_authentik_client_id
+  oidc_client_secret = var.vault_authentik_client_secret
+  default_role       = "default"
+  tune {
+    listing_visibility = "unauth"
+  }
+  depends_on = [helm_release.vault]
+}
+
+resource "vault_jwt_auth_backend_role" "default" {
+  backend        = vault_jwt_auth_backend.oidc.path
+  role_name      = "default"
+  token_policies = ["default"]
+  token_ttl      = 3600
+  token_max_ttl  = 86400
+  user_claim     = "email"
+  groups_claim   = "groups"
+  role_type      = "oidc"
+  allowed_redirect_uris = [
+    "https://vault.viktorbarzin.me/ui/vault/auth/oidc/oidc/callback",
+    "http://localhost:8250/oidc/callback",
+  ]
+  oidc_scopes = ["openid", "email", "profile"]
+}
+
+resource "vault_policy" "admin" {
+  name   = "vault-admin"
+  policy = <<-EOT
+    path "*" {
+      capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+    }
+  EOT
+}
+
+resource "vault_identity_group" "admins" {
+  name     = "authentik-admins"
+  type     = "external"
+  policies = [vault_policy.admin.name]
+}
+
+resource "vault_identity_group_alias" "admins" {
+  name           = "authentik Admins"
+  mount_accessor = vault_jwt_auth_backend.oidc.accessor
+  canonical_id   = vault_identity_group.admins.id
+}
+
+module "ingress" {
+  source          = "../../modules/kubernetes/ingress_factory"
+  namespace       = kubernetes_namespace.vault.metadata[0].name
+  name            = "vault"
+  tls_secret_name = var.tls_secret_name
+  port            = 8200
+  extra_annotations = {
+    "gethomepage.dev/enabled"      = "true"
+    "gethomepage.dev/name"         = "Vault"
+    "gethomepage.dev/description"  = "HashiCorp Vault - Secrets Management"
+    "gethomepage.dev/icon"         = "vault.png"
+    "gethomepage.dev/group"        = "Core Platform"
+    "gethomepage.dev/pod-selector" = ""
+  }
+}
--- a/stacks/vault/terragrunt.hcl
+++ b/stacks/vault/terragrunt.hcl
@ -0,0 +1,8 @@
+include "root" {
+  path = find_in_parent_folders()
+}
+
+dependency "platform" {
+  config_path  = "../platform"
+  skip_outputs = true
+}
--- a/stacks/vault/tiers.tf
+++ b/stacks/vault/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/vault/vault_provider.tf
+++ b/stacks/vault/vault_provider.tf
@ -0,0 +1,18 @@
+terraform {
+  required_providers {
+    vault = {
+      source  = "hashicorp/vault"
+      version = "~> 4.0"
+    }
+  }
+}
+
+variable "vault_root_token" {
+  type      = string
+  sensitive = true
+}
+
+provider "vault" {
+  address = "https://vault.viktorbarzin.me"
+  token   = var.vault_root_token
+}