From 6ede249da9e0e2604c56e803d1634cc0cf7f5628 Mon Sep 17 00:00:00 2001
From: Gabriel Radureau
Date: Wed, 6 May 2026 15:03:33 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20fix(ansible):=20gate=20vault=20a?=
 =?UTF-8?q?uth=20disable=20behind=20vault=5Foidc=5Fforce=5Freset=20(defaul?=
 =?UTF-8?q?t=20off)=20(#5)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Gabriel Radureau
Co-committed-by: Gabriel Radureau
---
 .../tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
index de80900..3d92769 100644
--- a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
+++ b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
@@ -36,6 +36,11 @@
 
 
 
+# WARNING : this disables AND wipes ALL gitea_cicd_* per-app JWT roles
+# (created by tools/hashicorp-vault/iac/) every time it runs. Default is OFF
+# to preserve those roles across normal ansible runs ; opt-in only when you
+# really want to rebuild the OIDC backend from scratch (e.g. config drift on
+# bound_issuer or similar).
 - name: Delete existing Gitea OIDC backends if they exist
   include_tasks: vault_cmd.yml
   vars:
@@ -48,6 +53,7 @@
     - gitea_jwt
   loop_control:
     loop_var: backend_name
+  when: vault_oidc_force_reset | default(false) | bool
 
 - name: use tofu to provision vault
   block:
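Review bot: The `when:` added in the second hunk gates a destructive step (the comment in the first hunk says it wipes every gitea_cicd_* JWT role) on a variable that exists only at this single use site and in that comment; declaring `vault_oidc_force_reset: false` in the role's defaults/main.yml, if the role has one, would make the opt-in explicit and discoverable instead of relying on `default(false)` inline. Since a run that does reset the backend leaves no trace other than the skipped/changed task status, a small debug task before the delete, e.g. `- ansible.builtin.debug: msg="vault_oidc_force_reset={{ vault_oidc_force_reset | default(false) | bool }}"`, would make the decision visible in the playbook output and in any log shipped from it. The `Delete existing Gitea OIDC backends` task begins in the first hunk and its `loop` list continues between the two hunks, so I cannot confirm from the visible lines whether any other task in this file disables a backend without the same guard.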