diff --git a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/hashicorp_vault.tf b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/hashicorp_vault.tf
index 0e9c287..2a44c41 100644
--- a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/hashicorp_vault.tf
+++ b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/hashicorp_vault.tf
@@ -26,9 +26,9 @@ variable "gitea_app" {
 }
 # kubectl -n kube-system exec $(kubectl -n kube-system get pod -l app.kubernetes.io/name=traefik -o jsonpath="{.items[0]['.metadata.name']}") -- cat /data/acme.json | jq '(.letsencrypt.Certificates | map(select(.domain.main=="arcodange.duckdns.org")))[0]' | jq '.certificate' -r | base64 -d | openssl x509
-variable "ca_pem" {
- type = string
-}
+# variable "ca_pem" {
+# type = string
+# }
 terraform {
 required_providers {
 vault = {
@@ -49,7 +49,7 @@ resource "vault_jwt_auth_backend" "gitea" {
 path = "gitea"
 type = "oidc"
 oidc_discovery_url = var.gitea_app.url
- oidc_discovery_ca_pem = var.ca_pem
+ # oidc_discovery_ca_pem = var.ca_pem
 oidc_client_id = var.gitea_app.id
 oidc_client_secret = var.gitea_app.secret
 bound_issuer = var.gitea_app.url
@@ -87,7 +87,7 @@ resource "vault_jwt_auth_backend" "gitea_jwt" {
 path = "gitea_jwt"
 type = "jwt"
 oidc_discovery_url = var.gitea_app.url
- oidc_discovery_ca_pem = var.ca_pem
+ # oidc_discovery_ca_pem = var.ca_pem
 bound_issuer = var.gitea_app.url
 tune {
@@ -98,7 +98,7 @@ resource "vault_jwt_auth_backend" "gitea_jwt" {
 listing_visibility = "hidden"
 max_lease_ttl = "15m"
 passthrough_request_headers = []
- token_type = "default-batch"
+ token_type = "default-service"
 }
 }
diff --git a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
index 31baad7..3de75c1 100644
--- a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
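Review bot: Nothing in the diff records why the `oidc_discovery_ca_pem = var.ca_pem` pin is disabled on both the `gitea` backend (hunk at line 49) and the `gitea_jwt` backend (hunk at line 87), which leaves Vault validating the Gitea discovery endpoint's TLS certificate against its default trust store instead of the certificate the kubectl comment in the first hunk extracts from Traefik's ACME store. If `gitea_app.url` is served by that publicly trusted Let's Encrypt certificate this works; if it ever moves to an internal or self-signed certificate, discovery fails at login time, and if the URL is not https the discovery document is fetched unauthenticated. Rather than leaving three commented-out lines plus the commented `variable "ca_pem"` stub, delete them and record the decision next to `oidc_discovery_url`, e.g. `# discovery endpoint uses a publicly trusted cert; re-add oidc_discovery_ca_pem if Gitea moves behind a private CA`. The `terraform` block and both resource blocks continue outside their hunks.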
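Review bot: The change of `token_type` from `default-batch` to `default-service` in the `gitea_jwt` tune block is undocumented, and it is not a cosmetic switch: service tokens, unlike batch tokens, are persisted in Vault storage and can be renewed and revoked, so every CI login now leaves a revocable token behind until `max_lease_ttl = "15m"` expires. Add a one-line comment stating the reason, e.g. `# service tokens: revocable/renewable (batch tokens are neither) — required because <reason>`, so the next maintainer does not revert it for storage reasons. The enclosing `resource "vault_jwt_auth_backend" "gitea_jwt"` block starts outside the hunk.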
+++ b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
@@ -37,12 +37,16 @@
 register: last_tofu_command
 loop:
 - tofu init -no-color
+ # - >-
+ # tofu destroy -auto-approve -no-color
+ # -var='gitea_app={{ gitea_app | to_json }}'
+ # -var='vault_address={{ vault_address }}'
+ # -var='vault_token={{ vault_root_token }}'
 - >-
 tofu apply -auto-approve -no-color
 -var='gitea_app={{ gitea_app | to_json }}'
 -var='vault_address={{ vault_address }}'
 -var='vault_token={{ vault_root_token }}'
- -var='ca_pem={{ traefik_cert_pem }}'
 loop_control:
 loop_var: command
 extended: true
@@ -50,10 +54,12 @@
 always:
 - shell: docker volume rm {{ volume_name }}
- - #when: last_tofu_command.stderr | length > 0
+ - when: "'failed' in last_tofu_command and last_tofu_command.failed"
 debug:
 var: last_tofu_command
- # msg: '{{ last_tofu_command.stderr }}'
+ - when: "'failed' in last_tofu_command and last_tofu_command.failed"
+ debug:
+ msg: "{{ (last_tofu_command.results | selectattr('failed') | first ).stderr }}"
 - include_role:
 name: arcodange.factory.gitea_secret
diff --git a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/templates/oidc_jwt_token.sh.j2 b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/templates/oidc_jwt_token.sh.j2
index 00ca013..ff1d968 100644
--- a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/templates/oidc_jwt_token.sh.j2
+++ b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/templates/oidc_jwt_token.sh.j2
@@ -34,7 +34,8 @@ poll_state() {
 echo ''
 return 0
 elif [ "$HTTP_CODE" == "404" ]; then
- echo -n "."
+ printf '.%.0s' $(seq 0 $attempt)
+ echo
 else
 echo "Erreur lors de la requĂȘte (HTTP $HTTP_CODE)."
 return 1
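Review bot: The commented-out `tofu destroy` entry added at the top of the `loop` is dead configuration in the task file, and it carries the same `-var='vault_token={{ vault_root_token }}'` as the apply command, so uncommenting it as-is would put the root token on a second command line. If a teardown path is wanted, make it a separate task gated by a boolean role variable instead of commented YAML inside the apply loop; otherwise delete it. The `shell` task that registers `last_tofu_command` starts outside the hunk.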
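Review bot: The first new `debug` task prints the whole of `last_tofu_command`, and the registered result of a looped `shell` task includes each iteration's `cmd`, so on failure the Ansible output contains the `tofu apply` command line from the earlier hunk with `-var='vault_token={{ vault_root_token }}'` expanded, putting the Vault root token into CI job logs and anything that aggregates them. The second new task already prints only the failing iteration's `stderr`, which is what an operator needs: drop the `var: last_tofu_command` debug (or limit it to `rc`/`stderr` fields) and add `no_log: true` to the `shell` task that registers the result so its regular task output does not echo the command either. stderr may still carry the value if tofu echoes the invocation on error, so check a failed run's output once.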
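Review bot: In the new `printf '.%.0s' $(seq 0 $attempt)` line, `$attempt` is not defined anywhere in the hunk and is unquoted; if it is unset or empty the command becomes `seq 0`, which prints nothing, so the progress indicator silently disappears, and a non-numeric value makes `seq` fail on stderr. Quote it with a default, `printf '.%.0s' $(seq 0 "${attempt:-0}")`, or pass the count as a function argument, and note that `seq 0 N` yields N+1 dots, so confirm that off-by-one is intended. `poll_state` starts outside the hunk; the `requĂȘte` in the unchanged error message looks like mojibake of `requête`, worth checking the template's encoding.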