add: vault pki basics

roles/vault-pki/files/hashicorp.list

@@ -0,0 +1 @@
+deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com bullseye main

roles/vault-pki/tasks/main.yaml

@@ -0,0 +1,30 @@
+- name: Copy Hashicorp APT-key
+  copy:
+    src: hashicorp-archive-keyring.gpg
+    dest: /usr/share/keyrings/
+    mode: 0644
+  notify:
+    - apt update
+
+- name: Add hashicorp apt repo
+  copy:
+    src: hashicorp.list
+    dest: /etc/apt/sources.list.d/
+    mode: 0644
+  notify:
+    - apt update
+
+- meta: flush_handlers
+
+- name: Install vault
+  apt:
+    name: vault
+    state: present
+
+- name: Template config
+  template:
+    src: "{{ item }}"
+    dest: "/etc/vault.d/"
+  with_items:
+    - vault.hcl
+    - vault.env

roles/vault-pki/templates/vault.hcl

@@ -0,0 +1,106 @@
+ui = true
+
+storage "file" {
+  path = "/opt/vault/data"
+}
+
+listener "tcp" {
+  address       = "0.0.0.0:8200"
+  tls_disable = 1
+}
+
+api_addr = "http://127.0.0.1:8200"
+
+# Terraform OIDC config for reference
+#path "/secret/*" {
+#    capabilities = ["read", "list"]
+#}
+#
+#resource "vault_identity_oidc_key" "keycloak_provider_key" {
+#  name      = "keycloak"
+#  algorithm = "RS256"
+#}
+#
+#resource "vault_jwt_auth_backend" "keycloak" {
+#  path               = "oidc"
+#  type               = "oidc"
+#  default_role       = "{{ keycloak_clients['pki']['groups'] }}"
+#
+#  oidc_discovery_url="https://{{ keycloak_address }}/realms/master"
+#  oidc_client_id="{{ keycloak_clients['pki']['client_id'] }}"
+#  oidc_client_secret="{{ keycloak_clients['pki']['client_secret'] }}"
+#
+#  tune {
+#    audit_non_hmac_request_keys  = []
+#    audit_non_hmac_response_keys = []
+#    default_lease_ttl            = "1h"
+#    listing_visibility           = "unauth"
+#    max_lease_ttl                = "1h"
+#    passthrough_request_headers  = []
+#    token_type                   = "default-service"
+#  }
+#}
+#
+#resource "vault_jwt_auth_backend_role" "pki" {
+#  backend        = vault_jwt_auth_backend.keycloak.path
+#  role_name      = "pki"
+#  role_type      = "oidc"
+#  token_ttl      = 3600
+#  token_max_ttl  = 3600
+#
+#  bound_audiences="{{ pki_domain }}"
+#  user_claim      = "sub"
+#  claim_mappings = {
+#    preferred_username = "username"
+#    email              = "email"
+#  }
+#
+#  allowed_redirect_uris = [
+#    "https://{{ pki_domain }}/oidc/oidc/callback",
+#    "https://{{ pki_domain }}/ui/vault/auth/oidc/oidc/callback"
+#  ]
+#  groups_claim = format("/resource_access/%s/roles", 
+#                     keycloak_openid_client.openid_client.client_id)
+#}
+#
+#data "vault_policy_document" "reader_policy" {
+#  rule {
+#    path         = "/secret/*"
+#    capabilities = ["list", "read"]
+#  }
+#}
+#
+#resource "vault_policy" "reader_policy" {
+#  name   = "reader"
+#  policy = data.vault_policy_document.reader_policy.hcl
+#}
+#data "vault_policy_document" "manager_policy" {
+#  rule {
+#    path         = "/secret/*"
+#    capabilities = ["create", "update", "delete"]
+#  }
+#}
+#
+#resource "vault_policy" "manager_policy" {
+#  name   = "management"
+#  policy = data.vault_policy_document.manager_policy.hcl
+#}
+#
+#resource "vault_identity_oidc_role" "management_role" {
+#  name = "management"
+#  key  = vault_identity_oidc_key.keycloak_provider_key.name
+#}
+#
+#resource "vault_identity_group" "management_group" {
+#  name     = vault_identity_oidc_role.management_role.name
+#  type     = "external"
+#  policies = [
+#    vault_policy.manager_policy.name
+#  ]
+#}
+#
+#resource "vault_identity_group_alias" "management_group_alias" {
+#  name           = "pki"
+#  mount_accessor = vault_jwt_auth_backend.keycloak.accessor
+#  canonical_id   = vault_identity_group.management_group.id
+#}