apply vault config from CI

2024-10-01 15:49:21 +02:00
parent 24a559fb1a
commit 781a04b26f
4 changed files with 90 additions and 0 deletions
--- a/.gitea/workflows/vault.yaml
+++ b/.gitea/workflows/vault.yaml
@@ -0,0 +1,48 @@
+---
+# template source: https://github.com/bretfisher/docker-build-workflow/blob/main/templates/call-docker-build.yaml
+name: Hashicorp Vault
+
+on: [push,pull_request]
+  # push: &helmPaths # turns out gitea don't handle well the paths filter
+  #   paths:
+  #     - '*/\.yaml'
+  #     - '*/\.tpl'
+  #     - '*/NOTES.txt'
+  #     - '*/\.helmignore'
+  # pull_request: *helmPaths
+
+# cancel any previously-started, yet still active runs of this workflow on the same branch
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+jobs:
+  gitea_vault_auth:
+    name: Auth with gitea for vault
+    runs-on: ubuntu-latest
+    outputs:
+      gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.access_token}}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Auth with gitea for vault
+        id: gitea_vault_jwt
+        run: |
+          VAULT_AUTH_JWT=`echo -n "${{ secrets.get_gitea_vault_jwt__sh_b64 }}" | base64 -d | sh \
+           | tee /dev/tty | tail -n 1 | awk '{print $NF}'`
+          echo "access_token=$VAULT_AUTH_JWT" >> $GITHUB_OUTPUT
+
+  tofu:
+    name: Library charts ${{ matrix.chart }}
+    needs:
+      - gitea_vault_auth
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/opentofu/opentofu:latest
+      env:
+        TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.access_token }}
+    steps:
+
+      - uses: actions/checkout@v4
+      - tofu -chdir=hashicorp-vault/iac init
+      - tofu -chdir=hashicorp-vault/iac apply -no-color -auto-approve
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,5 @@
 .DS_Store
 Chart.lock
 */charts/*.tgz
+.terraform
+.terraform.lock.hcl
--- a/hashicorp-vault/.helmignore
+++ b/hashicorp-vault/.helmignore
@@ -21,3 +21,4 @@
 .idea/
 *.tmproj
 .vscode/
+iac/
--- a/hashicorp-vault/iac/main.tf
+++ b/hashicorp-vault/iac/main.tf
@@ -0,0 +1,39 @@
+terraform {
+  backend "gcs" {
+    bucket  = "arcodange-tf"
+    prefix  = "tools/hashicorp_vault/main"
+  }
+}
+
+variable "vault_address" {
+  type = string
+  default = "http://127.0.0.1:8200"
+}
+
+terraform {
+    required_providers {
+      vault = {
+        source = "vault"
+        version = "4.4.0"
+      }
+    }
+}
+
+provider vault {
+    address = var.vault_address
+    auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
+        role = "admin"
+    }
+}
+
+data "vault_policy_document" "admin" {
+  rule {
+    path         = "*"
+    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+    description  = "admin privileges"
+  }
+}
+resource "vault_policy" "admin" {
+    name = "admin"
+    policy = data.vault_policy_document.admin.hcl
+}