
Setup Single Sign-On of Hashicorp Vault with Opstella

To set up Single Sign-On with Opstella, complete the following steps:

  1. Load Shell Variables

    Ensure your shell variables are loaded, including VAULT_DOMAIN and the OIDC settings.

    Terminal window
    source $BASE_WORKING_DIR/shell-values/kubernetes/management_cluster.vars.sh
  2. Enable Single Sign-On with OIDC Authentication

    Terminal window
    curl --header "X-Vault-Token: ${VAULT_ROOT_TOKEN}" \
    --request POST \
    --data '{"type": "oidc"}' \
    ${VAULT_URL}/v1/sys/auth/oidc
  3. Create OIDC Authentication Configuration

    If your Keycloak uses an internal certificate, you need to provide the internal Root CA to Vault. Set the VAULT_TRUST_ROOT_CA_PATH variable to the exact path of your Root CA certificate.

    Terminal window
    export VAULT_TRUST_ROOT_CA_PATH="/path/to/your/root-ca.pem"

    Then create the OIDC authentication configuration:

    Terminal window
    cat <<EOF > $BASE_WORKING_DIR/vault-oidc-config.json
    {
    "oidc_discovery_url": "${VAULT_OIDC_ISSUER_ENDPOINT}",
    "oidc_client_id": "${VAULT_OIDC_CLIENT_ID}",
    "oidc_client_secret": "${VAULT_OIDC_CLIENT_SECRET}",
    "default_role": "default",
    "oidc_discovery_ca_pem": $(jq -R -s '.' < ${VAULT_TRUST_ROOT_CA_PATH})
    }
    EOF

    💡 Note: Make sure you update VAULT_TRUST_ROOT_CA_PATH with the correct path. If you are using a public CA, remove the oidc_discovery_ca_pem line from the JSON payload (and the comma at the end of the default_role line, so the JSON stays valid).

    💡 Note on jq: The $(jq -R -s '.' < file) command reads the multi-line PEM certificate as raw text and emits it as a single JSON string with the newlines escaped, which newer jq versions handle natively. Avoid combining the flags as -Rs, as this can cause compatibility issues across jq versions.

  4. Create OIDC Authentication Backend Configuration

    • Vault Domain: ${VAULT_DOMAIN} is assumed to be exported, as defined in the Shell Variables guide.

      Terminal window
      cat <<EOF > $BASE_WORKING_DIR/vault-oidc-backend.json
      {
      "role_type": "oidc",
      "token_ttl": "1h",
      "token_max_ttl": "1h",
      "bound_audiences": "vault",
      "user_claim": "sub",
      "groups_claim": "groups",
      "claim_mappings": {
      "preferred_username": "username",
      "email": "email"
      },
      "allowed_redirect_uris": [
      "https://${VAULT_DOMAIN}/ui/vault/auth/oidc/oidc/callback",
      "http://${VAULT_DOMAIN}/oidc/callback"
      ]
      }
      EOF
  5. Write OIDC Authentication Configuration

    Terminal window
    curl --header "X-Vault-Token: ${VAULT_ROOT_TOKEN}" \
    --request POST \
    --data @$BASE_WORKING_DIR/vault-oidc-config.json \
    ${VAULT_URL}/v1/auth/oidc/config
    Terminal window
    curl --header "X-Vault-Token: ${VAULT_ROOT_TOKEN}" \
    --request POST \
    --data '{"token_type": "default-service", "listing_visibility": "unauth", "description": "Opstella SSO Integration", "default_lease_ttl": "1h", "max_lease_ttl": "1h"}' \
    ${VAULT_URL}/v1/sys/auth/oidc/tune
  6. Write OIDC Authentication Backend Configuration

    Terminal window
    curl --header "X-Vault-Token: ${VAULT_ROOT_TOKEN}" \
    --request POST \
    --data @$BASE_WORKING_DIR/vault-oidc-backend.json \
    ${VAULT_URL}/v1/auth/oidc/role/default

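The vault-oidc-config.json payload from step 3 can also be produced without jq. The script below is an added example, not part of the Opstella guide: it escapes the PEM itself, leaves out oidc_discovery_ca_pem (and the comma before it) when VAULT_TRUST_ROOT_CA_PATH is unset, and refuses a CA file that is not a PEM certificate. The function names are this example's own; the variable names are the guide's.

```shell
#!/bin/sh
# Added example (not from the Opstella guide): build the /v1/auth/oidc/config
# payload without jq. The PEM is escaped with awk, the oidc_discovery_ca_pem key
# is omitted entirely (no dangling comma) when no CA path is given, and the CA
# file is checked to be a PEM certificate before it is embedded.

# Escape a scalar for use inside a JSON string (backslash and double quote;
# the guide's values contain no control characters).
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Print a PEM file as a quoted JSON string. PEM holds only base64 characters,
# dashes, spaces and newlines, so newlines (and CRs) are all that need escaping.
pem_to_json_string() {
  grep -q '^-----BEGIN CERTIFICATE-----' "$1" || { echo "no BEGIN CERTIFICATE line in $1" >&2; return 1; }
  grep -q '^-----END CERTIFICATE-----' "$1"   || { echo "no END CERTIFICATE line in $1" >&2; return 1; }
  printf '"'
  awk '{ sub(/\r$/, ""); printf "%s\\n", $0 }' "$1"
  printf '"'
}

# build_oidc_config ISSUER CLIENT_ID CLIENT_SECRET [CA_PEM_PATH]
# Writes the JSON payload to stdout; returns 1 if the CA file is not a PEM cert.
build_oidc_config() {
  ca_field=""
  if [ -n "${4:-}" ]; then
    ca_json=$(pem_to_json_string "$4") || return 1
    ca_field=$(printf ',\n  "oidc_discovery_ca_pem": %s' "$ca_json")
  fi
  printf '{\n  "oidc_discovery_url": "%s",\n  "oidc_client_id": "%s",\n  "oidc_client_secret": "%s",\n  "default_role": "default"%s\n}\n' \
    "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")" "$ca_field"
}

# Wrapper using the guide's shell variables; VAULT_TRUST_ROOT_CA_PATH may be
# unset when Keycloak uses a public CA.
write_vault_oidc_config() {
  build_oidc_config "$VAULT_OIDC_ISSUER_ENDPOINT" "$VAULT_OIDC_CLIENT_ID" \
    "$VAULT_OIDC_CLIENT_SECRET" "${VAULT_TRUST_ROOT_CA_PATH:-}" \
    > "$BASE_WORKING_DIR/vault-oidc-config.json"
}
```

After running write_vault_oidc_config, the file can be posted to ${VAULT_URL}/v1/auth/oidc/config exactly as in step 5.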
You will test the Single Sign-On integration in End-to-End Testing / Single Sign-On for Vault.
