setup gitea as oidc provider for tool vault

2024-09-27 18:21:52 +02:00
parent 1332def067
commit 407bf12165
24 changed files with 655 additions and 20 deletions


@@ -0,0 +1,56 @@
# [Bases](./README.md)
## Tools
### Hashicorp Vault
>[!WARNING]
>L'unsealKey, le vaultRootToken initial et l'authentification au backend terraform sont pour le moment configurés sur le controleur ansible (Macbook Pro).
>[!NOTE]
> Vault est déployé via [argo cd](https://gitea.arcodange.duckdns.org/arcodange-org/tools/src/branch/main/hashicorp-vault)
```mermaid
%%{init: { 'logLevel': 'debug', 'theme': 'base',
'sequence': {
'showSequenceNumbers': true,
'mirrorActors': false
}
}}%%
sequenceDiagram
participant Ansible
participant Gitea
participant Vault
Note right of Vault: Argo CD App <br> versioned in Gitea
rect rgb(191, 223, 255)
Ansible ->> Gitea : setupAdminAccount(adminPassword)
Ansible ->> Vault : init
activate Vault
Vault -->> Ansible : (unsealKey, vaultRootToken)
deactivate Vault
Ansible ->> Vault: unseal(unsealKey)
Ansible ->> Vault: revoke vaultRootToken
rect rgb(255, 266, 255)
Ansible ->> Gitea : setupApp(adminPassword)
activate Gitea
Note left of Gitea: docker playwright
deactivate Gitea
Gitea -->> Ansible : app(id,secret)
Ansible ->> Vault : generate vaultRootToken
Ansible ->> Vault : enable oidc auth backend with app(id,secret) <br> give admin policy to admin user
activate Vault
Note left of Vault: docker tofu(vaultRootToken)
deactivate Vault
Ansible ->> Vault: revoke vaultRootToken
end
end
```
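Review bot: the nested `rect rgb(255, 266, 255)` in the mermaid block uses a green channel of 266, which is outside the 0-255 range an rgb() value accepts; use `rgb(255, 255, 255)` or another in-range value so the diagram renders as intended. Separately, the WARNING admits that the unseal key, the initial root token and the terraform backend credentials live on the Ansible controller, but the page does not say how they are protected there (for example with an ansible-vault encrypted file) or what the plan is to move them off a personal laptop; a sentence on that belongs next to the warning, since the diagram shows the unseal key being reused later to generate a fresh root token, so it remains a long-lived secret even after the initial root token is revoked.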


@@ -9,11 +9,18 @@
- [x] setup postgres
- [x] setup gitea
- [x] setup mail alert
- [ ] [setup gitea runners, Argo CD](./03_cicd_gitea_action_argocd.md)
- [x] [setup gitea runners, Argo CD](./03_cicd_gitea_action_argocd.md)
- [x] sync git repo with github/gitlab
- [ ] docker hub
- [ ] gitea packages
- [x] gitea packages
- [ ] devsecops tools
- [x] [hashicorp vault](./04_tool_hashicorp_vault.md)
- [ ] terrakube
- [ ] prometheus/grafana
- [ ] ansible AWX
- [ ] setup hello world web app
- [ ] manage postgres credentials
- [ ] protect public endpoint (crowdsec)
> [!NOTE]
> Reference: [Arcodange _**Factory**_ Ansible Collection](/ansible/arcodange/factory/README.md)
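Review bot: the `manage postgres credentials` item is left unchecked with no pointer to the newly linked `./04_tool_hashicorp_vault.md`, even though the Vault entry just ticked above it is the obvious place those credentials would be issued from; linking the two items makes the dependency visible to whoever picks up that task next.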