traefik CA pem is a client crt not the Authority (let's encrypt) and is not needed here

ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/hashicorp_vault.tf

@@ -26,9 +26,9 @@ variable "gitea_app" {
 }
 
 # kubectl -n kube-system exec $(kubectl -n kube-system get pod -l app.kubernetes.io/name=traefik -o jsonpath="{.items[0]['.metadata.name']}") -- cat /data/acme.json | jq '(.letsencrypt.Certificates | map(select(.domain.main=="arcodange.duckdns.org")))[0]' | jq '.certificate' -r | base64 -d | openssl x509
-variable "ca_pem" {
-  type = string
-}
+# variable "ca_pem" {
+#   type = string
+# }
 terraform {
     required_providers {
       vault = {
@@ -49,7 +49,7 @@ resource "vault_jwt_auth_backend" "gitea" {
     path                = "gitea"
     type                = "oidc"
     oidc_discovery_url  = var.gitea_app.url
-    oidc_discovery_ca_pem = var.ca_pem
+    # oidc_discovery_ca_pem = var.ca_pem
     oidc_client_id      = var.gitea_app.id
     oidc_client_secret  = var.gitea_app.secret
     bound_issuer        = var.gitea_app.url
@@ -87,7 +87,7 @@ resource "vault_jwt_auth_backend" "gitea_jwt" {
     path                = "gitea_jwt"
     type                = "jwt"
     oidc_discovery_url  = var.gitea_app.url
-    oidc_discovery_ca_pem = var.ca_pem
+    # oidc_discovery_ca_pem = var.ca_pem
     bound_issuer        = var.gitea_app.url
     
     tune {
@@ -98,7 +98,7 @@ resource "vault_jwt_auth_backend" "gitea_jwt" {
         listing_visibility           = "hidden"
         max_lease_ttl                = "15m"
         passthrough_request_headers  = []
-        token_type                   = "default-batch"
+        token_type                   = "default-service"
     }
 }
 

ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml

@@ -37,12 +37,16 @@
     register: last_tofu_command
     loop:
       - tofu init -no-color
+      # - >-
+      #   tofu destroy -auto-approve -no-color
+      #   -var='gitea_app={{ gitea_app | to_json }}'
+      #   -var='vault_address={{ vault_address }}'
+      #   -var='vault_token={{ vault_root_token }}'
       - >-
         tofu apply -auto-approve -no-color
         -var='gitea_app={{ gitea_app | to_json }}'
         -var='vault_address={{ vault_address }}'
         -var='vault_token={{ vault_root_token }}'
-        -var='ca_pem={{ traefik_cert_pem }}'
     loop_control:
       loop_var: command
       extended: true
@@ -50,10 +54,12 @@
 
   always:
   - shell: docker volume rm {{ volume_name }}
-  - #when: last_tofu_command.stderr | length > 0
+  - when: "'failed' in last_tofu_command and last_tofu_command.failed"
     debug:
       var: last_tofu_command
-      # msg: '{{ last_tofu_command.stderr }}'
+  - when: "'failed' in last_tofu_command and last_tofu_command.failed"
+    debug:
+      msg: "{{ (last_tofu_command.results | selectattr('failed') | first ).stderr }}"
 
 - include_role:
     name: arcodange.factory.gitea_secret

ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/templates/oidc_jwt_token.sh.j2

@@ -34,7 +34,8 @@ poll_state() {
       echo ''
       return 0
     elif [ "$HTTP_CODE" == "404" ]; then
-      echo -n "."
+      printf '.%.0s' $(seq 0 $attempt)
+      echo
     else
       echo "Erreur lors de la requête (HTTP $HTTP_CODE)."
       return 1