# Vault

1. The [ansible playbooks](https://gitea.arcodange.lab/arcodange-org/factory/src/branch/main/ansible/arcodange/factory/playbooks) configure the postgres database and the minimum required to let the "tools" repository apply [a vault configuration via tofu](./iac/) through a gitea action workflow.
2. Configuration of the authentication backends and of the roles for postgres and kubernetes. Definition of "${app}-ops" roles so that an application's repository can define its own dependencies in vault. Rotation of the postgres credentials for the applications.
3. [The webapp application repository](https://gitea.arcodange.lab/arcodange-org/webapp) handles obtaining its own postgres credentials.

```mermaid
flowchart LR
  classDef playbook stroke:#0f0,fill:#440,stroke-width: 1px
  classDef tofu stroke:#f00,fill:#404,stroke-width: 2px
  classDef argocd stroke:#00f,fill:#044,stroke-width: 3px
  classDef database stroke:#bb0,fill:#ff0,stroke-width: 5px,color: black
  classDef secret stroke:#f00,fill:#f00,stroke-width: 5px,color: yellow
  classDef secretOperator stroke:#f00,fill:DarkRed,stroke-width: 5px,color: Orange

  subgraph git_code[factory.git]
    subgraph ansible_collection
      setup_playbook[playbook arcodange.factory.setup]:::playbook
      tools_playbook[playbook arcodange.factory.tools]:::playbook
    end
    git_code_tofu_vault{{tofu}}:::tofu
  end

  subgraph git_tools[tools.git]
    argocd_tools{{Argo CD Apps}}:::argocd
    git_tools_tofu_vault{{tofu}}:::tofu
  end

  subgraph git_webapp[webapp.git]
    webapp["Go(lang) web app"]
    argocd_webapp{{Argo CD App}}:::argocd
    git_webapp_tofu_vault{{tofu}}:::tofu
  end

  subgraph servers
    subgraph k3s
      subgraph k3s_ns_tools[ns:tools]
        argocd{{Argo CD}}:::argocd
        pgbouncer
        subgraph vault
          subgraph vault_auth[auth]
            subgraph vault_auth_openid[openid]
            end
            vault_auth_jwt[jwt]
            vault_auth_k8s[kubernetes]
            vault_auth_jwt_role_gitea_cicd[gitea_cicd role]
            vault_auth_jwt_role_gitea_cicd_webapp_ops[gitea_cicd_webapp ops role]
            vault_auth_k8s_role_vso[vault-secret-operator role]
            vault_auth_k8s_role_webapp[webapp role]
            subgraph policies
              policy_default[default]
              policy_webapp[webapp]
              policy_webapp_ops[webapp ops]
              policy_admin[admin]
              policy_vso[edit-vso-client-cache]
            end
          end
          subgraph vault_secrets[secrets]
            subgraph kvv2
              google/credentials
              webapp/config
            end
          end
          subgraph vault_postgres[postgres]
            creds/creds-editor
            creds/webapp
          end
          subgraph vault_transit[transit]
          end
        end
        vault-secret-operator:::secretOperator
      end
      subgraph k3s_ns_webapp[ns:webapp]
        webapp_deployment[deployment:webapp]
        webapp_postgres_creds_secret[secret:postgres creds]:::secret
        webapp_config_secret[secret:config]:::secret
        webapp_service_account[sa:webapp]
      end
    end
    subgraph postgres
      root_credentials
      postgres_db[(postgres)]:::database
      webapp_credentials:::secret
      webapp_db[(webapp)]:::database
      vault_creds_editor_role{{credentials_editor}}
    end
  end

  setup_playbook -. setup postgres .-> postgres
  tools_playbook -.-o git_code_tofu_vault
  git_code_tofu_vault -..-> vault_auth_openid
  git_code_tofu_vault -..-> vault_auth_jwt -- tofu:factory --- vault_auth_jwt_role_gitea_cicd
  git_code_tofu_vault -..-> kvv2
  git_code_tofu_vault -..-> google/credentials
  linkStyle 0,1 stroke:#ff3,stroke-width:1px,color:DarkKhaki;
  linkStyle 2,3,5,6 stroke:#f3f,stroke-width:2px,color:DarkOrange;

  git_tools -.-o argocd_tools
  argocd_tools -.-> pgbouncer
  argocd_tools -.-> vault
  argocd_tools -.-> vault-secret-operator
  argocd_tools o--o argocd
  linkStyle 7,8,9,10,11 stroke:#3ff,stroke-width:3px,color:DarkSlateBlue;

  git_tools_tofu_vault -..-> vault_auth_k8s -- sa:vso --- vault_auth_k8s_role_vso
  git_tools_tofu_vault -..-> webapp/config
  git_tools_tofu_vault -..-> vault_transit
  git_tools_tofu_vault -..-> vault_postgres
  vault_auth_k8s ---> k3s
  vault_postgres --> pgbouncer x==> postgres;
  webapp_deployment --> pgbouncer
  linkStyle 12,14,15,16 stroke:#f3f,stroke-width:2px,color:DarkOrange;
  linkStyle 18,19,20 stroke:gold,stroke-width:2px;

  vault_transit x---x vault-secret-operator
  vault-secret-operator x---x vault_auth_k8s_role_vso
  vault_auth_jwt_role_gitea_cicd x--x policy_default
  vault_auth_k8s_role_vso x--x policy_vso
  creds/webapp -.-> webapp_credentials
  creds/webapp -.-> vault-secret-operator
  vault-secret-operator -.-> webapp_postgres_creds_secret
  webapp/config -.-> vault-secret-operator
  vault-secret-operator -.-> webapp_config_secret
  argocd_webapp -.-> k3s_ns_webapp
  webapp --o webapp_deployment
  webapp_postgres_creds_secret --o webapp_deployment
  webapp_deployment --> webapp_service_account

  vault_auth_jwt -- tofu:tools --- vault_auth_jwt_role_gitea_cicd_webapp_ops
  vault_auth_jwt_role_gitea_cicd_webapp_ops x--x policy_webapp_ops
  vault_auth_k8s -- sa:webapp --- vault_auth_k8s_role_webapp x-- tofu:webapp --x policy_webapp
  git_webapp_tofu_vault -.-> vault_auth_k8s_role_webapp
  git_webapp_tofu_vault -.-> creds/webapp

  root_credentials x--x postgres_db
  webapp_credentials x--x webapp_db
  tools_playbook --> vault_creds_editor_role
  vault_creds_editor_role -. change password .-> webapp_credentials
  vault_postgres x--x vault_creds_editor_role
```
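The "${app}-ops" delegation from step 2, written out as an added example (not the project's own tofu) for one app: the ops policy the tools repository defines, the JWT role that binds it to the app repository's CI token, and the postgres static role the app repository can then create for itself. The mount names `jwt` and `postgres`, the `repository` claim and the `bound_audiences` value are assumptions; adjust them to what your Gitea issuer and Vault mounts actually use.

```hcl
# Added example. Assumptions: auth mount "jwt" and database mount "postgres"
# already exist (created by tools.git), the Gitea Actions token carries a
# "repository" claim, and the app's postgres role is a Vault-rotated static role.
locals {
  app = "webapp" # one instance of the "${app}-ops" pattern
}

# "${app}-ops": the app repo may only manage Vault objects named after itself.
resource "vault_policy" "app_ops" {
  name   = "${local.app}-ops"
  policy = <<-EOT
    path "auth/kubernetes/role/${local.app}" {
      capabilities = ["create", "read", "update", "delete"]
    }
    path "postgres/static-roles/${local.app}" {
      capabilities = ["create", "read", "update", "delete"]
    }
    path "postgres/static-creds/${local.app}" {
      capabilities = ["read"]
    }
    # An ACL constrains the policy's name, not what it grants: review the
    # content of "${local.app}" in the app repo's pull requests.
    path "sys/policies/acl/${local.app}" {
      capabilities = ["create", "read", "update", "delete"]
    }
  EOT
}

# JWT role for the app repo's CI token. bound_claims is the isolation boundary.
resource "vault_jwt_auth_backend_role" "app_ops" {
  backend         = "jwt"
  role_name       = "gitea_cicd_${local.app}_ops"
  role_type       = "jwt"
  user_claim      = "sub"
  bound_audiences = ["vault"]
  bound_claims    = { repository = "arcodange-org/${local.app}" }
  token_policies  = [vault_policy.app_ops.name]
  token_ttl       = 600
}

# What the app repo's own tofu can then create with that token: its postgres
# static role, whose password Vault rotates every rotation_period seconds.
resource "vault_database_secret_backend_static_role" "app" {
  backend         = "postgres"
  name            = local.app
  db_name         = "postgres" # connection name inside the mount (assumption)
  username        = local.app
  rotation_period = 86400
}
```

Without `bound_claims`, any repository whose workflow token the `jwt` mount trusts could log in as `${app}-ops`; the claim is what ties the role to the single repository shown in the diagram.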