🔒 fix(ansible): gate vault auth disable behind vault_oidc_force_reset (default off) #5

Merged
arcodange merged 1 commit from vibe/batch-pr-factory5-conditional-vault-disable into main 2026-05-06 15:03:34 +02:00
Owner

The vault auth disable task added in 437fd506 wipes all gitea_cicd_* per-app JWT roles every ansible run (side effect). Gate it behind a default-off flag so normal re-runs preserve those roles. Opt in with --extra-vars vault_oidc_force_reset=true when intentionally rebuilding the OIDC backend (e.g. bound_issuer config drift).

arcodange added 1 commit 2026-05-06 15:03:30 +02:00
The vault auth disable task added in 437fd506 wipes all gitea_cicd_* per-app JWT roles every ansible run (side effect). Gate it behind a default-off flag so normal re-runs preserve those roles. Opt in with --extra-vars vault_oidc_force_reset=true when intentionally rebuilding the OIDC backend (e.g. bound_issuer config drift).

Generated by Mistral Vibe.
Co-Authored-By: Mistral Vibe <vibe@mistral.ai>
arcodange merged commit 6ede249da9 into main 2026-05-06 15:03:34 +02:00
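
The gating pattern described in this PR, as an added example (not the project's own tasks, which are not shown on this page). The mount path `example-jwt` and the variable `vault_oidc_mount_path` are hypothetical placeholders, and the `vault` CLI is assumed to be on the control host with `VAULT_ADDR` and `VAULT_TOKEN` already set.

```yaml
# Added example: sketch of a default-off guard around a destructive Vault task.
- name: Configure Vault OIDC/JWT auth backend
  hosts: localhost
  gather_facts: false
  vars:
    # Default off: a normal re-run must never disable the auth mount,
    # because disabling it deletes every role stored under it
    # (the gitea_cicd_* per-app JWT roles in this PR's case).
    vault_oidc_force_reset: false
    # Hypothetical mount path; the page does not name the real one.
    vault_oidc_mount_path: example-jwt
  tasks:
    - name: Rebuild the auth backend only when explicitly requested
      # "--extra-vars vault_oidc_force_reset=true" arrives as the string
      # "true" (key=value extra vars are strings), so cast it with "| bool"
      # rather than relying on the truthiness of a non-empty string.
      when: vault_oidc_force_reset | bool
      block:
        - name: List the roles that the reset will delete
          ansible.builtin.command:
            cmd: vault list -format=json auth/{{ vault_oidc_mount_path }}/role
          register: roles_before_reset
          changed_when: false

        - name: Record the role names in the play output before deletion
          ansible.builtin.debug:
            msg: "{{ roles_before_reset.stdout | from_json }}"

        - name: Disable the auth mount (destructive, opt-in only)
          ansible.builtin.command:
            cmd: vault auth disable {{ vault_oidc_mount_path }}
```

The listing task fails the play if the mount has no roles or cannot be read, so the destructive step never runs without a recorded inventory of what it removes.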
Reference: arcodange-org/factory#5