fix: Remove unnecessary container registry step

roles/vault_setup/tasks/configure_oidc.yml

@@ -0,0 +1,136 @@
+---
+# Configure Keycloak OIDC authentication in Vault.
+#
+# Creates:
+#   - OIDC auth method (auth/oidc)
+#   - OIDC config pointing to Keycloak realm
+#   - Default OIDC role with groups claim
+#   - Admin ACL policy
+#   - External identity group mapped to vault_oidc_admin_group Keycloak group
+
+- name: Set Vault API auth headers
+  ansible.builtin.set_fact:
+    __vault_headers:
+      X-Vault-Token: "{{ vault_vault_root_token }}"
+
+- name: Enable OIDC auth method
+  ansible.builtin.uri:
+    url: "{{ vault_url }}/v1/sys/auth/oidc"
+    method: POST
+    headers: "{{ __vault_headers }}"
+    validate_certs: "{{ vault_validate_certs }}"
+    body_format: json
+    body:
+      type: oidc
+      description: Keycloak OIDC
+    status_code: [200, 204, 400]
+  register: __vault_enable_oidc
+  no_log: true
+  changed_when: __vault_enable_oidc.status in [200, 204]
+
+- name: Configure OIDC provider (Keycloak)
+  ansible.builtin.uri:
+    url: "{{ vault_url }}/v1/auth/oidc/config"
+    method: POST
+    headers: "{{ __vault_headers }}"
+    validate_certs: "{{ vault_validate_certs }}"
+    body_format: json
+    body:
+      oidc_discovery_url: "{{ vault_oidc_issuer }}"
+      oidc_client_id: "{{ vault_oidc_client_id }}"
+      oidc_client_secret: "{{ vault_vault_oidc_client_secret }}"
+      default_role: default
+    status_code: [200, 204]
+  no_log: true
+
+- name: Create default OIDC role
+  ansible.builtin.uri:
+    url: "{{ vault_url }}/v1/auth/oidc/role/default"
+    method: POST
+    headers: "{{ __vault_headers }}"
+    validate_certs: "{{ vault_validate_certs }}"
+    body_format: json
+    body:
+      bound_audiences:
+        - "{{ vault_oidc_client_id }}"
+      allowed_redirect_uris:
+        - "{{ vault_url }}/ui/vault/auth/oidc/oidc/callback"
+        - "http://localhost:8250/oidc/callback"
+      user_claim: preferred_username
+      groups_claim: groups
+      token_policies:
+        - default
+      token_ttl: "{{ vault_oidc_default_ttl }}"
+      token_max_ttl: "{{ vault_oidc_max_ttl }}"
+    status_code: [200, 204]
+  no_log: true
+
+- name: Create admin ACL policy
+  ansible.builtin.uri:
+    url: "{{ vault_url }}/v1/sys/policies/acl/admin"
+    method: POST
+    headers: "{{ __vault_headers }}"
+    validate_certs: "{{ vault_validate_certs }}"
+    body_format: json
+    body:
+      policy: |
+        path "*" {
+          capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+        }
+    status_code: [200, 204]
+  no_log: true
+
+- name: Create external identity group for admin
+  ansible.builtin.uri:
+    url: "{{ vault_url }}/v1/identity/group"
+    method: POST
+    headers: "{{ __vault_headers }}"
+    validate_certs: "{{ vault_validate_certs }}"
+    body_format: json
+    body:
+      name: "{{ vault_oidc_admin_group }}"
+      type: external
+      policies:
+        - admin
+    status_code: [200, 204]
+  register: __vault_admin_group
+  no_log: true
+
+- name: Get OIDC auth method accessor
+  ansible.builtin.uri:
+    url: "{{ vault_url }}/v1/sys/auth"
+    method: GET
+    headers: "{{ __vault_headers }}"
+    validate_certs: "{{ vault_validate_certs }}"
+    status_code: 200
+  register: __vault_auth_list
+  no_log: true
+
+- name: Set OIDC accessor fact
+  ansible.builtin.set_fact:
+    __vault_oidc_accessor: "{{ __vault_auth_list.json['oidc/'].accessor }}"
+
+- name: Create group alias mapping Keycloak group to Vault admin group
+  ansible.builtin.uri:
+    url: "{{ vault_url }}/v1/identity/group-alias"
+    method: POST
+    headers: "{{ __vault_headers }}"
+    validate_certs: "{{ vault_validate_certs }}"
+    body_format: json
+    body:
+      name: "{{ vault_oidc_admin_group }}"
+      mount_accessor: "{{ __vault_oidc_accessor }}"
+      canonical_id: "{{ __vault_admin_group.json.data.id }}"
+    status_code: [200, 204]
+  no_log: true
+
+- name: Display OIDC configuration summary
+  ansible.builtin.debug:
+    msg:
+      - "Vault OIDC configured:"
+      - "  Provider : {{ vault_oidc_issuer }}"
+      - "  Client   : {{ vault_oidc_client_id }}"
+      - "  Admin group: {{ vault_oidc_admin_group }}"
+      - ""
+      - "Login at: {{ vault_url }}/ui"
+      - "Select: OIDC → Sign in with Keycloak"

roles/vault_setup/tasks/init.yml

@@ -0,0 +1,54 @@
+---
+# Initialize Vault. Idempotent: skips if already initialized.
+# On success, displays root token and unseal keys for manual saving to 1Password.
+# After saving, rerun the playbook (default play) to complete configuration.
+
+- name: Check Vault initialization status
+  ansible.builtin.uri:
+    url: "{{ vault_url }}/v1/sys/init"
+    method: GET
+    validate_certs: "{{ vault_validate_certs }}"
+  register: __vault_init_status
+
+- name: Skip init (already initialized)
+  ansible.builtin.debug:
+    msg: "Vault is already initialized. Skipping init."
+  when: __vault_init_status.json.initialized | bool
+
+- name: Initialize Vault
+  ansible.builtin.uri:
+    url: "{{ vault_url }}/v1/sys/init"
+    method: POST
+    validate_certs: "{{ vault_validate_certs }}"
+    body_format: json
+    body:
+      secret_shares: "{{ vault_init_key_shares }}"
+      secret_threshold: "{{ vault_init_key_threshold }}"
+    status_code: 200
+  register: __vault_init_result
+  no_log: true
+  when: not __vault_init_status.json.initialized | bool
+
+- name: Display init output — SAVE TO 1PASSWORD NOW
+  ansible.builtin.debug:
+    msg:
+      - "*** VAULT INITIALIZED — SAVE THE FOLLOWING TO 1PASSWORD IMMEDIATELY ***"
+      - ""
+      - "Root Token:"
+      - "  vault_vault_root_token: {{ __vault_init_result.json.root_token }}"
+      - ""
+      - "Unseal Keys (need {{ vault_init_key_threshold }} of {{ vault_init_key_shares }}):"
+      - "{% for key in __vault_init_result.json.keys_base64 %}  unseal_key_{{ loop.index }}: {{ key }}{% endfor %}"
+      - ""
+      - "Save vault_unseal_keys as a list of {{ vault_init_key_threshold }} key strings in 1Password."
+      - "Save vault_vault_root_token to 1Password."
+  when: not __vault_init_status.json.initialized | bool
+
+- name: Fail after init — save credentials before continuing
+  ansible.builtin.fail:
+    msg: >-
+      Vault initialization complete.
+      SAVE the root token and unseal keys to 1Password before continuing.
+      Then run the default play to unseal and configure OIDC:
+        ansible-navigator run playbooks/deploy_vault.yml
+  when: not __vault_init_status.json.initialized | bool

roles/vault_setup/tasks/main.yml

@@ -0,0 +1,51 @@
+---
+# Configures a running, initialized HashiCorp Vault instance.
+#
+# Expects Vault to already be initialized (run --tags vault_init first).
+# Unseals if sealed and vault_unseal_keys is defined.
+# Then configures OIDC authentication with Keycloak.
+
+- name: Validate required variables
+  ansible.builtin.assert:
+    that:
+      - vault_url | length > 0
+      - vault_vault_root_token | default('') | length > 0
+      - vault_oidc_issuer | default('') | length > 0
+      - vault_vault_oidc_client_secret | default('') | length > 0
+    fail_msg: >-
+      vault_vault_root_token, vault_oidc_issuer, and vault_vault_oidc_client_secret
+      are required. Run --tags vault_init first, save credentials to 1Password,
+      then run --tags vault_configure_keycloak,vault_configure_oidc or default play.
+
+- name: Check Vault status
+  ansible.builtin.uri:
+    url: "{{ vault_url }}/v1/sys/health"
+    method: GET
+    validate_certs: "{{ vault_validate_certs }}"
+    status_code: [200, 429, 472, 473, 501, 503]
+  register: __vault_health
+
+- name: Assert Vault is initialized
+  ansible.builtin.assert:
+    that:
+      - __vault_health.json.initialized | bool
+    fail_msg: >-
+      Vault is not initialized. Run:
+        ansible-navigator run playbooks/deploy_vault.yml --tags vault_init
+
+- name: Unseal Vault if sealed
+  ansible.builtin.include_tasks: unseal.yml
+  when:
+    - __vault_health.json.sealed | bool
+    - vault_unseal_keys | default([]) | length > 0
+
+- name: Assert Vault is unsealed
+  ansible.builtin.assert:
+    that:
+      - not __vault_health.json.sealed | bool or __vault_unsealed | default(false) | bool
+    fail_msg: >-
+      Vault is sealed. Provide vault_unseal_keys (list of unseal key strings) or
+      unseal manually via the Vault UI, then rerun.
+
+- name: Configure OIDC authentication
+  ansible.builtin.include_tasks: configure_oidc.yml

roles/vault_setup/tasks/unseal.yml

@@ -0,0 +1,37 @@
+---
+# Unseal Vault using keys from vault_unseal_keys list.
+# Submits keys one at a time until Vault reports unsealed.
+# Requires vault_init_key_threshold keys in vault_unseal_keys.
+
+- name: Submit unseal keys
+  ansible.builtin.uri:
+    url: "{{ vault_url }}/v1/sys/unseal"
+    method: POST
+    validate_certs: "{{ vault_validate_certs }}"
+    body_format: json
+    body:
+      key: "{{ item }}"
+    status_code: 200
+  loop: "{{ vault_unseal_keys[:vault_init_key_threshold] }}"
+  register: __vault_unseal_result
+  no_log: true
+
+- name: Check unseal status
+  ansible.builtin.uri:
+    url: "{{ vault_url }}/v1/sys/health"
+    method: GET
+    validate_certs: "{{ vault_validate_certs }}"
+    status_code: [200, 429]
+  register: __vault_health
+
+- name: Assert Vault unsealed successfully
+  ansible.builtin.assert:
+    that:
+      - not __vault_health.json.sealed | bool
+    fail_msg: >-
+      Vault is still sealed after submitting {{ vault_init_key_threshold }} keys.
+      Check that vault_unseal_keys contains the correct keys and try again.
+
+- name: Register unseal success
+  ansible.builtin.set_fact:
+    __vault_unsealed: true