create gitea tofu bot user

2024-11-05 16:33:58 +01:00
parent 66e9ec5091
commit fa0df6f175
7 changed files with 145 additions and 1 deletions
--- a/ansible/arcodange/factory/playbooks/tools/hashicorp_vault.yml
+++ b/ansible/arcodange/factory/playbooks/tools/hashicorp_vault.yml
@@ -14,6 +14,16 @@

  tasks:

+  - name: Generate GITEA_ADMIN_TOKEN
+    run_once: True
+    include_role:
+      name: arcodange.factory.gitea_token
+    vars:
+      gitea_token_name: GITEA_ADMIN_TOKEN
+      gitea_token_fact_name: vault_GITEA_ADMIN_TOKEN
+      gitea_token_scopes: write:admin,write:organization,write:repository,write:user
+      gitea_token_replace: true
+
  - name: Setup Hashicorp Vault
    include_role:
      name: hashicorp_vault
@@ -23,6 +33,7 @@
      postgres_admin_credentials:
        username: '{{ pg_conf.POSTGRES_USER }}'
        password: '{{ pg_conf.POSTGRES_PASSWORD }}'
+      gitea_admin_token: '{{ vault_GITEA_ADMIN_TOKEN }}'
  
  - name: share VAULT CA
    block:
--- a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/hashicorp_vault.tf
+++ b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/hashicorp_vault.tf
@@ -34,6 +34,11 @@ variable "postgres_admin_credentials" {
  sensitive = true
 }

+variable "gitea_admin_token" {
+  type = string
+  sensitive = true
+}
+
 # kubectl -n kube-system exec $(kubectl -n kube-system get pod -l app.kubernetes.io/name=traefik -o jsonpath="{.items[0]['.metadata.name']}") -- cat /data/acme.json | jq '(.letsencrypt.Certificates | map(select(.domain.main=="arcodange.duckdns.org")))[0]' | jq '.certificate' -r | base64 -d | openssl x509
 # variable "ca_pem" {
 #   type = string
@@ -178,6 +183,16 @@ resource "vault_kv_secret" "gitea_app_id" {
 resource "vault_kv_secret" "postgres_admin_credentials" {
  path = "${vault_mount.kvv1.path}/postgres/credentials"
  data_json = jsonencode(var.postgres_admin_credentials)
+  lifecycle {
+    ignore_changes = [ data_json ] # in case vault changed credentials - do over if pg user is reset outside of vault
+  }
+}
+
+resource "vault_kv_secret" "gitea_admin_token" {
+  path = "${vault_mount.kvv1.path}/admin/gitea"
+  data_json = jsonencode({
+    token = var.gitea_admin_token
+  })
 }

 resource "vault_audit" "stdout" {
--- a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
+++ b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
@@ -43,6 +43,7 @@
        -var='vault_address={{ vault_address }}'
        -var='vault_token={{ vault_root_token }}'
        -var='postgres_admin_credentials={{ postgres_admin_credentials | to_json }}'
+        -var='gitea_admin_token={{ gitea_admin_token }}'
    loop_control:
      loop_var: command
      extended: true