🔒 fix(ansible): gate vault auth disable behind vault_oidc_force_reset (default off) (#5)

Co-authored-by: Gabriel Radureau <arcodange@gmail.com>
Co-committed-by: Gabriel Radureau <arcodange@gmail.com>

ansible/arcodange/factory/inventory/group_vars/all/gitea.yml

@@ -0,0 +1,11 @@
+---
+# Gitea ownership configuration consumed by playbooks running on `localhost`
+# (e.g. tools/hashicorp_vault.yml). Role-level defaults (gitea_username,
+# gitea_organization) live in roles/gitea_secret/defaults/main.yml ; this file
+# is for fact lists that the inventory should declare.
+
+# Users (Gitea owner_type=user) to which org-level Gitea Action secrets must
+# also be propagated. Repos owned by these users cannot read org-level secrets,
+# so the secret propagation playbook iterates over this list.
+gitea_secret_propagation_users:
+  - arcodange

ansible/arcodange/factory/playbooks/03_cicd.yml

@@ -157,235 +157,3 @@
       loop: ["absent", "present"]
       loop_control:
         loop_var: docker_compose_down_then_up
-    
-#     - name: Set PACKAGES_TOKEN secret to upload packages from CI
-#       run_once: True
-#       block:
-#         - name: Generate cicd PACKAGES_TOKEN
-#           include_role:
-#             name: arcodange.factory.gitea_token
-#           vars:
-#             gitea_token_name: PACKAGES_TOKEN
-#             gitea_token_fact_name: cicd_PACKAGES_TOKEN
-#             gitea_token_scopes: write:package
-#             gitea_token_replace: true
-
-#         - name: Register cicd PACKAGES_TOKEN secrets
-#           include_role:
-#             name: arcodange.factory.gitea_secret
-#           vars:
-#             gitea_secret_name: PACKAGES_TOKEN
-#             gitea_secret_value: "{{ cicd_PACKAGES_TOKEN }}"
-#           loop: ["organization", "user"]
-#           loop_control:
-#             loop_var: gitea_owner_type # Peut être "user" ou "organization"
-    
-#     - name: Set HOMELAB_CA_CERT secret to validate self signed ssl
-#       run_once: True
-#       block:
-#         - name: Download homelab CA certificate
-#           ansible.builtin.uri:
-#             url: "https://ssl-ca.arcodange.lab:8443/roots.pem"
-#             return_content: yes
-#             validate_certs: no
-#           register: homelab_ca_cert
-#         - name: Debug cert
-#           debug:
-#             msg: "{{ homelab_ca_cert.content }}..."
-#         - name: Register cicd HOMELAB_CA_CERT secrets
-#           include_role:
-#             name: arcodange.factory.gitea_secret
-#           vars:
-#             gitea_secret_name: HOMELAB_CA_CERT
-#             gitea_secret_value: "{{ homelab_ca_cert.content | b64encode }}"
-#           loop: ["organization", "user"]
-#           loop_control:
-#             loop_var: gitea_owner_type # Peut être "user" ou "organization"
-  
-#   post_tasks:
-#     - include_role:
-#         name: arcodange.factory.gitea_token
-#       vars:
-#         gitea_token_delete: true
-
-
-# - name: Deploy Argo CD
-#   hosts: localhost
-#   roles:
-#     - role: arcodange.factory.gitea_token # generate gitea_api_token used to replace generated token with set name if required
-#       tags:
-#         - gitea_sync
-#   tasks:
-#     - name: Set factory repo
-#       include_role:
-#         name: arcodange.factory.gitea_repo
-#       vars:
-#         gitea_repo_name: factory
-#     - name: Sync other repos
-#       tags: gitea_sync
-#       include_role:
-#         name: arcodange.factory.gitea_sync
-#         apply:
-#           tags: gitea_sync
-#     - name: Generate Argo CD token
-#       include_role:
-#         name: arcodange.factory.gitea_token
-#       vars:
-#         gitea_token_name: ARGOCD_TOKEN
-#         gitea_token_fact_name: argocd_token
-#         gitea_token_scopes: read:repository,read:package
-#         gitea_token_replace: true
-#     - name: Figure out k3s master node
-#       shell:
-#         kubectl get nodes -l node-role.kubernetes.io/control-plane=true -o name | sed s'#node/##'
-#       register: get_k3s_master_node
-#       changed_when: false
-#     - name: Get kubernetes server internal url
-#       command: >-
-#         echo https://kubernetes.default.svc
-#         # {%raw%}
-#         # kubectl get svc/kubernetes -o template="{{.spec.clusterIP}}:{{(index .spec.ports 0).port}}"
-#         # {%endraw%}
-#       register: get_k3s_internal_server_url
-#       changed_when: false
-#     - set_fact:
-#         k3s_master_node: "{{ get_k3s_master_node.stdout }}"
-#         k3s_internal_server_url: "{{ get_k3s_internal_server_url.stdout }}"
-#     - name: Read Step CA root certificate from k3s master
-#       become: true
-#       delegate_to: "{{ k3s_master_node }}"
-#       slurp:
-#         src: /home/step/.step/certs/root_ca.crt
-#       register: step_ca_root_cert
-#     - name: Decode Step CA root certificate
-#       set_fact:
-#         step_ca_root_cert_pem: "{{ step_ca_root_cert.content | b64decode }}"
-#     - name: Install Argo CD
-#       become: true
-#       delegate_to: "{{ k3s_master_node }}"
-#       vars:
-#         gitea_credentials:
-#           username: arcodange
-#           password: "{{ argocd_token }}"
-#         argocd_helm_values: # https://github.com/argoproj/argo-helm/blob/main/charts/argo-cd/values.yaml
-#           global:
-#             domain: argocd.arcodange.lab
-#           configs:
-#             cm:
-#               kustomize.buildOptions: "--enable-helm"
-#               helm.enablePostRenderer: "true"
-#               exec.enabled: "true"
-#             params:
-#               server.insecure: true # let k3s traefik do TLS termination
-#       ansible.builtin.copy:
-#         dest: /var/lib/rancher/k3s/server/manifests/argocd.yaml
-#         content: |-
-#           apiVersion: v1
-#           kind: Namespace
-#           metadata:
-#             name: argocd
-#           ---
-#           apiVersion: v1
-#           kind: ConfigMap
-#           metadata:
-#             name: argocd-tls-certs-cm
-#             namespace: argocd
-#           data:
-#             gitea.arcodange.lab: |
-#               {{ step_ca_root_cert_pem | indent(4) }}
-#           ---
-#           apiVersion: helm.cattle.io/v1
-#           kind: HelmChart
-#           metadata:
-#             name: argocd
-#             namespace: kube-system
-#           spec:
-#             repo: https://argoproj.github.io/argo-helm
-#             chart: argo-cd
-#             targetNamespace: argocd
-#             valuesContent: |-
-#               {{ argocd_helm_values | to_nice_yaml | indent( width=4 ) }}  
-#           ---
-#           apiVersion: networking.k8s.io/v1
-#           kind: Ingress
-#           metadata:
-#             name: argocd-server-ingress
-#             namespace: argocd
-#             annotations:
-#               # For Traefik v2.x
-#               traefik.ingress.kubernetes.io/router.entrypoints: websecure
-#               traefik.ingress.kubernetes.io/router.tls: "true"
-#               traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt
-#               traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.lab
-#               traefik.ingress.kubernetes.io/router.tls.domains.0.sans: argocd.arcodange.lab
-#               traefik.ingress.kubernetes.io/router.middlewares: localIp@file
-#           spec:
-#             rules:
-#             - host: argocd.arcodange.lab
-#               http:
-#                 paths:
-#                 - path: /
-#                   pathType: Prefix
-#                   backend:
-#                     service:
-#                       name: argocd-server
-#                       port:
-#                         number: 80 #TLS is terminated at Traefik
-#           ---
-#           apiVersion: v1
-#           kind: Secret
-#           metadata:
-#             name: gitea-arcodangeorg-factory-repo
-#             namespace: argocd
-#             labels:
-#               argocd.argoproj.io/secret-type: repository
-#           stringData:
-#             type: git
-#             url: https://gitea.arcodange.lab/arcodange-org/factory
-#           ---
-#           apiVersion: v1
-#           kind: Secret
-#           metadata:
-#             name: gitea-arcodangeorg-repo-creds
-#             namespace: argocd
-#             labels:
-#               argocd.argoproj.io/secret-type: repo-creds
-#           stringData:
-#             type: git
-#             url: https://gitea.arcodange.lab/arcodange-org
-#             password: {{ gitea_credentials.password }}
-#             username: {{ gitea_credentials.username }}
-#           ---
-#           apiVersion: argoproj.io/v1alpha1
-#           kind: Application
-#           metadata:
-#             name: factory
-#             namespace: argocd
-#           spec:
-#             project: default
-#             source:
-#               repoURL: https://gitea.arcodange.lab/arcodange-org/factory
-#               targetRevision: HEAD
-#               path: argocd
-#             destination:
-#               server: {{ k3s_internal_server_url }}
-#               namespace: argocd
-#             syncPolicy:
-#               automated:
-#                 prune: true
-#                 selfHeal: true
-#     - name: touch manifests/argocd.yaml to trigger update
-#       delegate_to: "{{ k3s_master_node }}"
-#       ansible.builtin.file:
-#         path: /var/lib/rancher/k3s/server/manifests/argocd.yaml
-#         state: touch
-#       become: true
-#   post_tasks:
-#     - include_role:
-#         name: arcodange.factory.gitea_token
-#         apply:
-#           tags: gitea_sync
-#       tags:
-#         - gitea_sync
-#       vars:
-#         gitea_token_delete: true

ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml

@@ -36,6 +36,11 @@
 
 
 
+# WARNING : this disables AND wipes ALL gitea_cicd_* per-app JWT roles
+# (created by tools/hashicorp-vault/iac/) every time it runs. Default is OFF
+# to preserve those roles across normal ansible runs ; opt-in only when you
+# really want to rebuild the OIDC backend from scratch (e.g. config drift on
+# bound_issuer or similar).
 - name: Delete existing Gitea OIDC backends if they exist
   include_tasks: vault_cmd.yml
   vars:
@@ -48,6 +53,7 @@
     - gitea_jwt
   loop_control:
     loop_var: backend_name
+  when: vault_oidc_force_reset | default(false) | bool
 
 - name: use tofu to provision vault
   block:
@@ -105,4 +111,24 @@
         'OIDC_CLIENT_ID': gitea_app.id,
         'OIDC_CLIENT_SECRET': gitea_app.secret,
       }) | b64encode }}
-    gitea_owner_type: 'org' # value != 'user'
+    gitea_owner_type: 'org' # value != 'user'
+
+# Also propagate the same secret to user-owned namespaces. Gitea Action secrets
+# are scoped per owner, so repos under a user account cannot read org-level
+# secrets. Extend this list if other personal-namespace apps need vault auth.
+- name: Propagate vault_oauth__sh_b64 to user-owned namespaces
+  include_role:
+    name: arcodange.factory.gitea_secret
+  vars:
+    gitea_secret_name: vault_oauth__sh_b64
+    gitea_secret_value: >-
+      {{ lookup('ansible.builtin.template', 'oidc_jwt_token.sh.j2', template_vars = {
+        'GITEA_BASE_URL': 'https://gitea.arcodange.lab',
+        'OIDC_CLIENT_ID': gitea_app.id,
+        'OIDC_CLIENT_SECRET': gitea_app.secret,
+      }) | b64encode }}
+    gitea_owner_type: 'user'
+    gitea_owner_name: '{{ item }}'
+  loop: '{{ gitea_secret_propagation_users }}'
+  loop_control:
+    label: '{{ item }}'