fix: Remove unnecessary container registry step

roles/vault_setup/tasks/configure_oidc.yml

@@ -0,0 +1,136 @@
+---
+# Configure Keycloak OIDC authentication in Vault.
+#
+# Creates:
+#   - OIDC auth method (auth/oidc)
+#   - OIDC config pointing to Keycloak realm
+#   - Default OIDC role with groups claim
+#   - Admin ACL policy
+#   - External identity group mapped to vault_oidc_admin_group Keycloak group
+
+- name: Set Vault API auth headers
+  ansible.builtin.set_fact:
+    __vault_headers:
+      X-Vault-Token: "{{ vault_vault_root_token }}"
+
+- name: Enable OIDC auth method
+  ansible.builtin.uri:
+    url: "{{ vault_url }}/v1/sys/auth/oidc"
+    method: POST
+    headers: "{{ __vault_headers }}"
+    validate_certs: "{{ vault_validate_certs }}"
+    body_format: json
+    body:
+      type: oidc
+      description: Keycloak OIDC
+    status_code: [200, 204, 400]
+  register: __vault_enable_oidc
+  no_log: true
+  changed_when: __vault_enable_oidc.status in [200, 204]
+
+- name: Configure OIDC provider (Keycloak)
+  ansible.builtin.uri:
+    url: "{{ vault_url }}/v1/auth/oidc/config"
+    method: POST
+    headers: "{{ __vault_headers }}"
+    validate_certs: "{{ vault_validate_certs }}"
+    body_format: json
+    body:
+      oidc_discovery_url: "{{ vault_oidc_issuer }}"
+      oidc_client_id: "{{ vault_oidc_client_id }}"
+      oidc_client_secret: "{{ vault_vault_oidc_client_secret }}"
+      default_role: default
+    status_code: [200, 204]
+  no_log: true
+
+- name: Create default OIDC role
+  ansible.builtin.uri:
+    url: "{{ vault_url }}/v1/auth/oidc/role/default"
+    method: POST
+    headers: "{{ __vault_headers }}"
+    validate_certs: "{{ vault_validate_certs }}"
+    body_format: json
+    body:
+      bound_audiences:
+        - "{{ vault_oidc_client_id }}"
+      allowed_redirect_uris:
+        - "{{ vault_url }}/ui/vault/auth/oidc/oidc/callback"
+        - "http://localhost:8250/oidc/callback"
+      user_claim: preferred_username
+      groups_claim: groups
+      token_policies:
+        - default
+      token_ttl: "{{ vault_oidc_default_ttl }}"
+      token_max_ttl: "{{ vault_oidc_max_ttl }}"
+    status_code: [200, 204]
+  no_log: true
+
+- name: Create admin ACL policy
+  ansible.builtin.uri:
+    url: "{{ vault_url }}/v1/sys/policies/acl/admin"
+    method: POST
+    headers: "{{ __vault_headers }}"
+    validate_certs: "{{ vault_validate_certs }}"
+    body_format: json
+    body:
+      policy: |
+        path "*" {
+          capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+        }
+    status_code: [200, 204]
+  no_log: true
+
+- name: Create external identity group for admin
+  ansible.builtin.uri:
+    url: "{{ vault_url }}/v1/identity/group"
+    method: POST
+    headers: "{{ __vault_headers }}"
+    validate_certs: "{{ vault_validate_certs }}"
+    body_format: json
+    body:
+      name: "{{ vault_oidc_admin_group }}"
+      type: external
+      policies:
+        - admin
+    status_code: [200, 204]
+  register: __vault_admin_group
+  no_log: true
+
+- name: Get OIDC auth method accessor
+  ansible.builtin.uri:
+    url: "{{ vault_url }}/v1/sys/auth"
+    method: GET
+    headers: "{{ __vault_headers }}"
+    validate_certs: "{{ vault_validate_certs }}"
+    status_code: 200
+  register: __vault_auth_list
+  no_log: true
+
+- name: Set OIDC accessor fact
+  ansible.builtin.set_fact:
+    __vault_oidc_accessor: "{{ __vault_auth_list.json['oidc/'].accessor }}"
+
+- name: Create group alias mapping Keycloak group to Vault admin group
+  ansible.builtin.uri:
+    url: "{{ vault_url }}/v1/identity/group-alias"
+    method: POST
+    headers: "{{ __vault_headers }}"
+    validate_certs: "{{ vault_validate_certs }}"
+    body_format: json
+    body:
+      name: "{{ vault_oidc_admin_group }}"
+      mount_accessor: "{{ __vault_oidc_accessor }}"
+      canonical_id: "{{ __vault_admin_group.json.data.id }}"
+    status_code: [200, 204]
+  no_log: true
+
+- name: Display OIDC configuration summary
+  ansible.builtin.debug:
+    msg:
+      - "Vault OIDC configured:"
+      - "  Provider : {{ vault_oidc_issuer }}"
+      - "  Client   : {{ vault_oidc_client_id }}"
+      - "  Admin group: {{ vault_oidc_admin_group }}"
+      - ""
+      - "Login at: {{ vault_url }}/ui"
+      - "Select: OIDC → Sign in with Keycloak"