Fix Vault Gitea OIDC setup: remove trailing slash from bound_issuer and pass CA certificate
This commit is contained in:
@@ -19,7 +19,7 @@ variable "admin_email" {
|
|||||||
}
|
}
|
||||||
variable "gitea_app" {
|
variable "gitea_app" {
|
||||||
type = object({
|
type = object({
|
||||||
url = optional(string, "https://gitea.arcodange.lab/")
|
url = optional(string, "https://gitea.arcodange.lab")
|
||||||
id = string
|
id = string
|
||||||
secret = string
|
secret = string
|
||||||
description = optional(string, "Arcodange Gitea Auth")
|
description = optional(string, "Arcodange Gitea Auth")
|
||||||
@@ -66,7 +66,7 @@ resource "vault_jwt_auth_backend" "gitea" {
|
|||||||
oidc_discovery_ca_pem = file(var.ca_pem)
|
oidc_discovery_ca_pem = file(var.ca_pem)
|
||||||
oidc_client_id = var.gitea_app.id
|
oidc_client_id = var.gitea_app.id
|
||||||
oidc_client_secret = var.gitea_app.secret
|
oidc_client_secret = var.gitea_app.secret
|
||||||
bound_issuer = var.gitea_app.url
|
bound_issuer = trimsuffix(var.gitea_app.url, "/")
|
||||||
|
|
||||||
tune {
|
tune {
|
||||||
allowed_response_headers = []
|
allowed_response_headers = []
|
||||||
@@ -103,7 +103,7 @@ resource "vault_jwt_auth_backend" "gitea_jwt" {
|
|||||||
type = "jwt"
|
type = "jwt"
|
||||||
oidc_discovery_url = var.gitea_app.url
|
oidc_discovery_url = var.gitea_app.url
|
||||||
oidc_discovery_ca_pem = file(var.ca_pem)
|
oidc_discovery_ca_pem = file(var.ca_pem)
|
||||||
bound_issuer = var.gitea_app.url
|
bound_issuer = trimsuffix(var.gitea_app.url, "/")
|
||||||
|
|
||||||
tune {
|
tune {
|
||||||
allowed_response_headers = []
|
allowed_response_headers = []
|
||||||
@@ -167,7 +167,7 @@ resource "vault_kv_secret" "google_credentials" {
|
|||||||
path = "${vault_mount.kvv1.path}/google/credentials"
|
path = "${vault_mount.kvv1.path}/google/credentials"
|
||||||
data_json = jsonencode(
|
data_json = jsonencode(
|
||||||
{
|
{
|
||||||
credentials = file("~/.config/gcloud/application_default_credentials.json")
|
credentials = file("/root/.config/gcloud/application_default_credentials.json")
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -24,6 +24,31 @@
|
|||||||
|
|
||||||
volume_name: tofu-{{ ansible_date_time.iso8601.replace(':','-') }}
|
volume_name: tofu-{{ ansible_date_time.iso8601.replace(':','-') }}
|
||||||
|
|
||||||
|
- name: Check SSL certificate for Gitea
|
||||||
|
shell: >-
|
||||||
|
openssl s_client -connect gitea.arcodange.lab:443 -CAfile /etc/ssl/certs/arcodange-root.pem -servername gitea.arcodange.lab < /dev/null 2>&1 | grep -E "Verify return code:|subject=|issuer="
|
||||||
|
register: ssl_check
|
||||||
|
ignore_errors: true
|
||||||
|
|
||||||
|
- name: Debug SSL certificate check
|
||||||
|
debug:
|
||||||
|
var: ssl_check.stdout_lines
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
- name: Delete existing Gitea OIDC backends if they exist
|
||||||
|
include_tasks: vault_cmd.yml
|
||||||
|
vars:
|
||||||
|
vault_cmd: vault auth disable {{ backend_name }}
|
||||||
|
vault_cmd_can_fail: true
|
||||||
|
vault_cmd_json_attr: ''
|
||||||
|
vault_cmd_output_var: false
|
||||||
|
loop:
|
||||||
|
- gitea
|
||||||
|
- gitea_jwt
|
||||||
|
loop_control:
|
||||||
|
loop_var: backend_name
|
||||||
|
|
||||||
- name: use tofu to provision vault
|
- name: use tofu to provision vault
|
||||||
block:
|
block:
|
||||||
- shell: docker volume create {{ volume_name }}
|
- shell: docker volume create {{ volume_name }}
|
||||||
|
|||||||
Reference in New Issue
Block a user