From a6444367468182144f6fbd6e705dc77c2a8f0fd0 Mon Sep 17 00:00:00 2001
From: Gabriel Radureau
Date: Wed, 6 May 2026 14:18:06 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20fix(ansible):=20propagate=20vaul?=
 =?UTF-8?q?t=5Foauth=5F=5Fsh=5Fb64=20to=20user-owned=20namespaces=20(arcod?=
 =?UTF-8?q?ange)=20(#3)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Gabriel Radureau
Co-committed-by: Gabriel Radureau
---
 .../hashicorp_vault/tasks/gitea_oidc_auth.yml | 23 ++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
index 0622b9c..4d82e17 100644
--- a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
+++ b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
@@ -105,4 +105,25 @@
         'OIDC_CLIENT_ID': gitea_app.id,
         'OIDC_CLIENT_SECRET': gitea_app.secret,
       }) | b64encode }}
-    gitea_owner_type: 'org' # value != 'user'
\ No newline at end of file
+    gitea_owner_type: 'org' # value != 'user'
+
+# Also propagate the same secret to user-owned namespaces. Gitea Action secrets
+# are scoped per owner, so repos under a user account cannot read org-level
+# secrets. Extend this list if other personal-namespace apps need vault auth.
+- name: Propagate vault_oauth__sh_b64 to user-owned namespaces
+  include_role:
+    name: arcodange.factory.gitea_secret
+  vars:
+    gitea_secret_name: vault_oauth__sh_b64
+    gitea_secret_value: >-
+      {{ lookup('ansible.builtin.template', 'oidc_jwt_token.sh.j2', template_vars = {
+        'GITEA_BASE_URL': 'https://gitea.arcodange.lab',
+        'OIDC_CLIENT_ID': gitea_app.id,
+        'OIDC_CLIENT_SECRET': gitea_app.secret,
+      }) | b64encode }}
+    gitea_owner_type: 'user'
+    gitea_owner_name: '{{ item }}'
+  loop:
+    - arcodange
+  loop_control:
+    label: '{{ item }}'
\ No newline at end of file
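Review bot: The new "Propagate vault_oauth__sh_b64 to user-owned namespaces" task re-embeds the same `gitea_app.secret` that the org-scoped task already ships, so one OAuth client credential now spans two owner scopes — a compromised workflow in any repo under the `arcodange` user exposes the org's client secret too, and neither scope can be rotated or revoked without the other. If the Vault OIDC auth role allows it, register a distinct Gitea OAuth app per owner (a separate `gitea_app` per loop item) so rotation and revocation stay per-scope. Independently, the seven-line template lookup is copied verbatim from the org task (whose start lies before this hunk); rendering it once into a fact under `no_log: true` removes the drift risk and keeps the embedded client secret out of the play output should the `gitea_secret` role ever echo its inputs, which this hunk does not show either way. The hard-coded loop list would also read better as an overridable role variable, e.g. `loop: '{{ gitea_vault_user_namespaces | default(["arcodange"]) }}'`, since the comment already invites extending it.

```yaml
# Render the OIDC helper script once so both owner scopes receive byte-identical
# content; no_log keeps the embedded client secret out of the play output.
- name: Render vault_oauth__sh_b64 payload
  set_fact:
    vault_oauth_sh_b64: >-
      {{ lookup('ansible.builtin.template', 'oidc_jwt_token.sh.j2', template_vars = {
        'GITEA_BASE_URL': 'https://gitea.arcodange.lab',
        'OIDC_CLIENT_ID': gitea_app.id,
        'OIDC_CLIENT_SECRET': gitea_app.secret,
      }) | b64encode }}
  no_log: true

# … unchanged: org-scoped include_role, now with gitea_secret_value: '{{ vault_oauth_sh_b64 }}' …

- name: Propagate vault_oauth__sh_b64 to user-owned namespaces
  include_role:
    name: arcodange.factory.gitea_secret
  vars:
    gitea_secret_name: vault_oauth__sh_b64
    gitea_secret_value: '{{ vault_oauth_sh_b64 }}'
    gitea_owner_type: 'user'
    gitea_owner_name: '{{ item }}'
  # … unchanged: loop / loop_control …
```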