use internal .lab instead of failing duckdns.org
Some checks failed
Helm Charts / Detect changed charts (push) Successful in 22s
Helm Charts / Library charts tool (push) Has been skipped
Helm Charts / Application charts pgcat (push) Failing after 34s

This commit is contained in:
2025-12-31 17:54:36 +01:00
parent 2c8de3468a
commit 02322e9a24
22 changed files with 33 additions and 31 deletions

View File

@@ -5,7 +5,7 @@ description: A Helm chart for Kubernetes
dependencies:
- name: tool
version: 0.1.0
repository: https://gitea.arcodange.duckdns.org/api/packages/arcodange-org/helm
repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
- name: vault
version: 0.28.1
repository: https://helm.releases.hashicorp.com
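Review bot: the `tool` dependency now points at `https://gitea.arcodange.lab/api/packages/arcodange-org/helm`, a name under a private `.lab` TLD, and the "Application charts pgcat" job is reported failing after this push, which is consistent with the runner being unable to fetch that dependency. `helm dependency update` needs the CI runner to resolve `gitea.arcodange.lab` and to trust the TLS certificate served for it (a public ACME CA cannot issue for `.lab`); confirm the runner's DNS and CA bundle, or keep this repository URL reachable from CI, before merging.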

View File

@@ -1,8 +1,8 @@
# Vault
1. Les [playbooks ansible](https://gitea.arcodange.duckdns.org/arcodange-org/factory/src/branch/main/ansible/arcodange/factory/playbooks) configurent la base de données postgres et le minimum requis pour permetre au dépot "tools" d'appliquer via un workflow gitea action [une configuration vault via tofu](./iac/).
1. Les [playbooks ansible](https://gitea.arcodange.lab/arcodange-org/factory/src/branch/main/ansible/arcodange/factory/playbooks) configurent la base de données postgres et le minimum requis pour permetre au dépot "tools" d'appliquer via un workflow gitea action [une configuration vault via tofu](./iac/).
2. Configuration des backend d'authentification et des roles pour postgres et kubernetes. Définition de rôles "${app}-ops" pour permettre au dépot d'une application de définir ses propres dépendances dans vault. Rotation de credentials postgres pour les applications.
3. [Le dépot de l'application webapp](https://gitea.arcodange.duckdns.org/arcodange-org/webapp) gère l'obtention de ses crédentials pour postgres.
3. [Le dépot de l'application webapp](https://gitea.arcodange.lab/arcodange-org/webapp) gère l'obtention de ses crédentials pour postgres.
```mermaid
flowchart LR

View File

@@ -8,7 +8,7 @@ terraform {
}
provider "vault" {
address = "https://vault.arcodange.duckdns.org"
address = "https://vault.arcodange.lab"
auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
mount = "gitea_jwt"
role = "gitea_cicd"
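Review bot: switching `address` to `https://vault.arcodange.lab` means the OpenTofu run inside the Gitea action must trust the certificate presented for that host, which cannot come from Let's Encrypt for a `.lab` name. Set the provider's `ca_cert_file` (or `VAULT_CACERT` in the workflow) to the internal CA rather than `skip_tls_verify = true`, since the JWT login in `auth_login_jwt` sends a bearer token that should only go over a verified TLS connection.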

View File

@@ -15,11 +15,11 @@ vault: &vault_config
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt
traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.duckdns.org
traefik.ingress.kubernetes.io/router.tls.domains.0.sans: vault.arcodange.duckdns.org
traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.lab
traefik.ingress.kubernetes.io/router.tls.domains.0.sans: vault.arcodange.lab
traefik.ingress.kubernetes.io/router.middlewares: localIp@file
hosts:
- host: vault.arcodange.duckdns.org
- host: vault.arcodange.lab
paths: []
postStart: [] # https://github.com/hashicorp/vault-helm/blob/main/values.yaml
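Review bot: `router.tls.certresolver: letsencrypt` is left in place while `domains.0.main` and `domains.0.sans` now name `arcodange.lab` and `vault.arcodange.lab`. Let's Encrypt validates via public DNS or HTTP, so it cannot issue for a non-public `.lab` name and Traefik will fall back to its default self-signed certificate for this router. Point the router at a resolver backed by the internal CA (or a mounted certificate) for these hosts, and keep `localIp@file` so the Vault UI stays reachable only from the internal range.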