Merge remote-tracking branch 'origin/main'

Removes the commented PACKAGES_TOKEN/HOMELAB_CA_CERT blocks and the legacy
"Deploy Argo CD" play that were left behind during the migration to
Helm-based ArgoCD.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

ansible/arcodange/factory/playbooks/03_cicd.yml

@@ -157,235 +157,3 @@
       loop: ["absent", "present"]
       loop_control:
         loop_var: docker_compose_down_then_up
-    
-#     - name: Set PACKAGES_TOKEN secret to upload packages from CI
-#       run_once: True
-#       block:
-#         - name: Generate cicd PACKAGES_TOKEN
-#           include_role:
-#             name: arcodange.factory.gitea_token
-#           vars:
-#             gitea_token_name: PACKAGES_TOKEN
-#             gitea_token_fact_name: cicd_PACKAGES_TOKEN
-#             gitea_token_scopes: write:package
-#             gitea_token_replace: true
-
-#         - name: Register cicd PACKAGES_TOKEN secrets
-#           include_role:
-#             name: arcodange.factory.gitea_secret
-#           vars:
-#             gitea_secret_name: PACKAGES_TOKEN
-#             gitea_secret_value: "{{ cicd_PACKAGES_TOKEN }}"
-#           loop: ["organization", "user"]
-#           loop_control:
-#             loop_var: gitea_owner_type # Peut être "user" ou "organization"
-    
-#     - name: Set HOMELAB_CA_CERT secret to validate self signed ssl
-#       run_once: True
-#       block:
-#         - name: Download homelab CA certificate
-#           ansible.builtin.uri:
-#             url: "https://ssl-ca.arcodange.lab:8443/roots.pem"
-#             return_content: yes
-#             validate_certs: no
-#           register: homelab_ca_cert
-#         - name: Debug cert
-#           debug:
-#             msg: "{{ homelab_ca_cert.content }}..."
-#         - name: Register cicd HOMELAB_CA_CERT secrets
-#           include_role:
-#             name: arcodange.factory.gitea_secret
-#           vars:
-#             gitea_secret_name: HOMELAB_CA_CERT
-#             gitea_secret_value: "{{ homelab_ca_cert.content | b64encode }}"
-#           loop: ["organization", "user"]
-#           loop_control:
-#             loop_var: gitea_owner_type # Peut être "user" ou "organization"
-  
-#   post_tasks:
-#     - include_role:
-#         name: arcodange.factory.gitea_token
-#       vars:
-#         gitea_token_delete: true
-
-
-# - name: Deploy Argo CD
-#   hosts: localhost
-#   roles:
-#     - role: arcodange.factory.gitea_token # generate gitea_api_token used to replace generated token with set name if required
-#       tags:
-#         - gitea_sync
-#   tasks:
-#     - name: Set factory repo
-#       include_role:
-#         name: arcodange.factory.gitea_repo
-#       vars:
-#         gitea_repo_name: factory
-#     - name: Sync other repos
-#       tags: gitea_sync
-#       include_role:
-#         name: arcodange.factory.gitea_sync
-#         apply:
-#           tags: gitea_sync
-#     - name: Generate Argo CD token
-#       include_role:
-#         name: arcodange.factory.gitea_token
-#       vars:
-#         gitea_token_name: ARGOCD_TOKEN
-#         gitea_token_fact_name: argocd_token
-#         gitea_token_scopes: read:repository,read:package
-#         gitea_token_replace: true
-#     - name: Figure out k3s master node
-#       shell:
-#         kubectl get nodes -l node-role.kubernetes.io/control-plane=true -o name | sed s'#node/##'
-#       register: get_k3s_master_node
-#       changed_when: false
-#     - name: Get kubernetes server internal url
-#       command: >-
-#         echo https://kubernetes.default.svc
-#         # {%raw%}
-#         # kubectl get svc/kubernetes -o template="{{.spec.clusterIP}}:{{(index .spec.ports 0).port}}"
-#         # {%endraw%}
-#       register: get_k3s_internal_server_url
-#       changed_when: false
-#     - set_fact:
-#         k3s_master_node: "{{ get_k3s_master_node.stdout }}"
-#         k3s_internal_server_url: "{{ get_k3s_internal_server_url.stdout }}"
-#     - name: Read Step CA root certificate from k3s master
-#       become: true
-#       delegate_to: "{{ k3s_master_node }}"
-#       slurp:
-#         src: /home/step/.step/certs/root_ca.crt
-#       register: step_ca_root_cert
-#     - name: Decode Step CA root certificate
-#       set_fact:
-#         step_ca_root_cert_pem: "{{ step_ca_root_cert.content | b64decode }}"
-#     - name: Install Argo CD
-#       become: true
-#       delegate_to: "{{ k3s_master_node }}"
-#       vars:
-#         gitea_credentials:
-#           username: arcodange
-#           password: "{{ argocd_token }}"
-#         argocd_helm_values: # https://github.com/argoproj/argo-helm/blob/main/charts/argo-cd/values.yaml
-#           global:
-#             domain: argocd.arcodange.lab
-#           configs:
-#             cm:
-#               kustomize.buildOptions: "--enable-helm"
-#               helm.enablePostRenderer: "true"
-#               exec.enabled: "true"
-#             params:
-#               server.insecure: true # let k3s traefik do TLS termination
-#       ansible.builtin.copy:
-#         dest: /var/lib/rancher/k3s/server/manifests/argocd.yaml
-#         content: |-
-#           apiVersion: v1
-#           kind: Namespace
-#           metadata:
-#             name: argocd
-#           ---
-#           apiVersion: v1
-#           kind: ConfigMap
-#           metadata:
-#             name: argocd-tls-certs-cm
-#             namespace: argocd
-#           data:
-#             gitea.arcodange.lab: |
-#               {{ step_ca_root_cert_pem | indent(4) }}
-#           ---
-#           apiVersion: helm.cattle.io/v1
-#           kind: HelmChart
-#           metadata:
-#             name: argocd
-#             namespace: kube-system
-#           spec:
-#             repo: https://argoproj.github.io/argo-helm
-#             chart: argo-cd
-#             targetNamespace: argocd
-#             valuesContent: |-
-#               {{ argocd_helm_values | to_nice_yaml | indent( width=4 ) }}  
-#           ---
-#           apiVersion: networking.k8s.io/v1
-#           kind: Ingress
-#           metadata:
-#             name: argocd-server-ingress
-#             namespace: argocd
-#             annotations:
-#               # For Traefik v2.x
-#               traefik.ingress.kubernetes.io/router.entrypoints: websecure
-#               traefik.ingress.kubernetes.io/router.tls: "true"
-#               traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt
-#               traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.lab
-#               traefik.ingress.kubernetes.io/router.tls.domains.0.sans: argocd.arcodange.lab
-#               traefik.ingress.kubernetes.io/router.middlewares: localIp@file
-#           spec:
-#             rules:
-#             - host: argocd.arcodange.lab
-#               http:
-#                 paths:
-#                 - path: /
-#                   pathType: Prefix
-#                   backend:
-#                     service:
-#                       name: argocd-server
-#                       port:
-#                         number: 80 #TLS is terminated at Traefik
-#           ---
-#           apiVersion: v1
-#           kind: Secret
-#           metadata:
-#             name: gitea-arcodangeorg-factory-repo
-#             namespace: argocd
-#             labels:
-#               argocd.argoproj.io/secret-type: repository
-#           stringData:
-#             type: git
-#             url: https://gitea.arcodange.lab/arcodange-org/factory
-#           ---
-#           apiVersion: v1
-#           kind: Secret
-#           metadata:
-#             name: gitea-arcodangeorg-repo-creds
-#             namespace: argocd
-#             labels:
-#               argocd.argoproj.io/secret-type: repo-creds
-#           stringData:
-#             type: git
-#             url: https://gitea.arcodange.lab/arcodange-org
-#             password: {{ gitea_credentials.password }}
-#             username: {{ gitea_credentials.username }}
-#           ---
-#           apiVersion: argoproj.io/v1alpha1
-#           kind: Application
-#           metadata:
-#             name: factory
-#             namespace: argocd
-#           spec:
-#             project: default
-#             source:
-#               repoURL: https://gitea.arcodange.lab/arcodange-org/factory
-#               targetRevision: HEAD
-#               path: argocd
-#             destination:
-#               server: {{ k3s_internal_server_url }}
-#               namespace: argocd
-#             syncPolicy:
-#               automated:
-#                 prune: true
-#                 selfHeal: true
-#     - name: touch manifests/argocd.yaml to trigger update
-#       delegate_to: "{{ k3s_master_node }}"
-#       ansible.builtin.file:
-#         path: /var/lib/rancher/k3s/server/manifests/argocd.yaml
-#         state: touch
-#       become: true
-#   post_tasks:
-#     - include_role:
-#         name: arcodange.factory.gitea_token
-#         apply:
-#           tags: gitea_sync
-#       tags:
-#         - gitea_sync
-#       vars:
-#         gitea_token_delete: true

ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml

@@ -106,3 +106,24 @@
         'OIDC_CLIENT_SECRET': gitea_app.secret,
       }) | b64encode }}
     gitea_owner_type: 'org' # value != 'user'
+
+# Also propagate the same secret to user-owned namespaces. Gitea Action secrets
+# are scoped per owner, so repos under a user account cannot read org-level
+# secrets. Extend this list if other personal-namespace apps need vault auth.
+- name: Propagate vault_oauth__sh_b64 to user-owned namespaces
+  include_role:
+    name: arcodange.factory.gitea_secret
+  vars:
+    gitea_secret_name: vault_oauth__sh_b64
+    gitea_secret_value: >-
+      {{ lookup('ansible.builtin.template', 'oidc_jwt_token.sh.j2', template_vars = {
+        'GITEA_BASE_URL': 'https://gitea.arcodange.lab',
+        'OIDC_CLIENT_ID': gitea_app.id,
+        'OIDC_CLIENT_SECRET': gitea_app.secret,
+      }) | b64encode }}
+    gitea_owner_type: 'user'
+    gitea_owner_name: '{{ item }}'
+  loop:
+    - arcodange
+  loop_control:
+    label: '{{ item }}'