From 1a1d7da32901af51774e165cc28b240928e53fc9 Mon Sep 17 00:00:00 2001
From: Gabriel Radureau
Date: Wed, 6 May 2026 15:03:23 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20fix(ansible):=20gate=20vault=20a?=
 =?UTF-8?q?uth=20disable=20behind=20vault=5Foidc=5Fforce=5Freset=20(defaul?=
 =?UTF-8?q?t=20off)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The vault auth disable task added in 437fd506 wipes all gitea_cicd_* per-app JWT roles every ansible run (side effect). Gate it behind a default-off flag so normal re-runs preserve those roles.

Opt in with --extra-vars vault_oidc_force_reset=true when intentionally rebuilding the OIDC backend (e.g. bound_issuer config drift).

Generated by Mistral Vibe.

Co-Authored-By: Mistral Vibe
---
 .../tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
index de80900..3d92769 100644
--- a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
+++ b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
@@ -36,6 +36,11 @@
+# WARNING : this disables AND wipes ALL gitea_cicd_* per-app JWT roles
+# (created by tools/hashicorp-vault/iac/) every time it runs. Default is OFF
+# to preserve those roles across normal ansible runs ; opt-in only when you
+# really want to rebuild the OIDC backend from scratch (e.g. config drift on
+# bound_issuer or similar).
 - name: Delete existing Gitea OIDC backends if they exist
   include_tasks: vault_cmd.yml
   vars:
@@ -48,6 +53,7 @@
     - gitea_jwt
   loop_control:
     loop_var: backend_name
+  when: vault_oidc_force_reset | default(false) | bool
 - name: use tofu to provision vault
   block:
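Review bot: The `when: vault_oidc_force_reset | default(false) | bool` guard in the second hunk is the only place the "Default is OFF" promise from the first hunk's comment is enforced, so the safe default lives in a filter rather than in a declared variable; declaring `vault_oidc_force_reset: false` in the role's defaults (defaults/main.yml, if the role has one) would make the flag discoverable and keep the default if someone later drops the filter. Because the gated task removes auth backends that live CI tokens may depend on, a small task under the same condition that prints the backends about to be deleted (a `debug` or `pause` step before the `include_tasks` loop) would make an intentional reset visible in the run log instead of silent. The `| bool` cast is the right choice for the documented `--extra-vars vault_oidc_force_reset=true` form, which arrives as a string. Both hunks are cut short in this copy, the first showing none of its leading context and the task list continuing outside both, so whether the flag is referenced elsewhere cannot be checked here.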