Gabriel Radureau
3170a341d1
Some checks failed
Helm Charts / Library charts tool (push) Blocked by required conditions
Helm Charts / Application charts pgcat (push) Blocked by required conditions
Helm Charts / Detect changed charts (pull_request) Successful in 19s
Helm Charts / Library charts tool (pull_request) Has been skipped
Helm Charts / Application charts pgcat (pull_request) Has been skipped
Helm Charts / Detect changed charts (push) Failing after 13m59s
The `applications` object field was declared `policies` in variables.tf, but the cms tfvars entry, the runbook (doc/runbooks/new-web-app/03-vault-platform.md), the guidebook (vibe/guidebooks/tools/secrets-and-vso.md) and the module input (modules/app_policy variable `ops_policies`) all use the name `ops_policies`. Because Terraform silently drops unknown attributes when converting a value to an object() type, cms's `ops_policies = ["factory__cf_r2_arcodange_tf"]` was discarded and `each.value.policies` fell back to [] — so gitea_cicd_cms never received the `factory__cf_r2_arcodange_tf` token policy (read on kvv1/cloudflare/r2/arcodange-tf + kvv1/zoho/self_client, defined in factory iac/cloudflare.tf). cms CI was missing its Cloudflare R2 Terraform-state permissions. Fix at the root: rename the schema field `policies` -> `ops_policies` (and its single reference main.tf:82 `each.value.policies` -> `each.value.ops_policies`), aligning the whole chain. This is lower-churn than renaming the tfvars key (the chosen alternative would also have required fixing the runbook + guidebook, which both already document `ops_policies`) and prevents the next app created from the runbook from re-introducing the same silently-dropped key. Behavioural change: gitea_cicd_cms gains `factory__cf_r2_arcodange_tf` in its token_policies. No other app sets this field (all default []), so no other role changes. Reviewer: confirm the R2 policy is the intended grant for cms CI. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Vault
- Les playbooks ansible configurent la base de données postgres et le minimum requis pour permetre au dépot "tools" d'appliquer via un workflow gitea action une configuration vault via tofu.
- Configuration des backend d'authentification et des roles pour postgres et kubernetes. Définition de rôles "${app}-ops" pour permettre au dépot d'une application de définir ses propres dépendances dans vault. Rotation de credentials postgres pour les applications.
- Le dépot de l'application webapp gère l'obtention de ses crédentials pour postgres.
flowchart LR
classDef playbook stroke:#0f0,fill:#440,stroke-width: 1px
classDef tofu stroke:#f00,fill:#404,stroke-width: 2px
classDef argocd stroke:#00f,fill:#044,stroke-width: 3px
classDef database stroke:#bb0,fill:#ff0,stroke-width: 5px,color: black
classDef secret stroke:#f00,fill:#f00,stroke-width: 5px,color: yellow
classDef secretOperator stroke:#f00,fill:DarkRed,stroke-width: 5px,color: Orange
subgraph git_code[factory.git]
subgraph ansible_collection
setup_playbook[playbook arcodange.factory.setup]:::playbook
tools_playbook[playbook arcodange.factory.tools]:::playbook
end
git_code_tofu_vault{{tofu}}:::tofu
end
subgraph git_tools[tools.git]
argocd_tools{{Argo CD Apps}}:::argocd
git_tools_tofu_vault{{tofu}}:::tofu
end
subgraph git_webapp[webapp.git]
webapp["Go(lang) web app"]
argocd_webapp{{Argo CD App}}:::argocd
git_webapp_tofu_vault{{tofu}}:::tofu
end
subgraph servers
subgraph k3s
subgraph k3s_ns_tools[ns:tools]
argocd{{Argo CD}}:::argocd
pgbouncer
subgraph vault
subgraph vault_auth[auth]
subgraph vault_auth_openid[openid]
end
vault_auth_jwt[jwt]
vault_auth_k8s[kubernetes]
vault_auth_jwt_role_gitea_cicd[gitea_cicd role]
vault_auth_jwt_role_gitea_cicd_webapp_ops[gitea_cicd_webapp ops role]
vault_auth_k8s_role_vso[vault-secret-operator role]
vault_auth_k8s_role_webapp[webapp role]
subgraph policies
policy_default[default]
policy_webapp[webapp]
policy_webapp_ops[webapp ops]
policy_admin[admin]
policy_vso[edit-vso-client-cache]
end
end
subgraph vault_secrets[secrets]
subgraph kvv2
google/credentials
webapp/config
end
end
subgraph vault_postgres[postgres]
creds/creds-editor
creds/webapp
end
subgraph vault_transit[transit]
end
end
vault-secret-operator:::secretOperator
end
subgraph k3s_ns_webapp[ns:webapp]
webapp_deployment[deployment:webapp]
webapp_postgres_creds_secret[secret:postgres creds]:::secret
webapp_config_secret[secret:config]:::secret
webapp_service_account[sa:webapp]
end
end
subgraph postgres
root_credentials
postgres_db[(postgres)]:::database
webapp_credentials:::secret
webapp_db[(webpp)]:::database
vault_creds_editor_role{{credentials_editor}}
end
end
setup_playbook -. setup postgres .-> postgres
tools_playbook -.-o git_code_tofu_vault
git_code_tofu_vault -..-> vault_auth_openid
git_code_tofu_vault -..-> vault_auth_jwt -- tofu:factory --- vault_auth_jwt_role_gitea_cicd
git_code_tofu_vault -..-> kvv2
git_code_tofu_vault -..-> google/credentials
linkStyle 0,1 stroke:#ff3,stroke-width:1px,color:DarkKhaki;
linkStyle 2,3,5,6 stroke:#f3f,stroke-width:2px,color:DarkOrange;
git_tools -.-o argocd_tools
argocd_tools -.-> pgbouncer
argocd_tools -.-> vault
argocd_tools -.-> vault-secret-operator
argocd_tools o--o argocd
linkStyle 7,8,9,10,11 stroke:#3ff,stroke-width:3px,color:DarkSlateBlue;
git_tools_tofu_vault -..-> vault_auth_k8s -- sa:vso --- vault_auth_k8s_role_vso
git_tools_tofu_vault -..-> webapp/config
git_tools_tofu_vault -..-> vault_transit
git_tools_tofu_vault -..-> vault_postgres
vault_auth_k8s ---> k3s
vault_postgres --> pgbouncer x==> postgres; webapp_deployment --> pgbouncer
linkStyle 12,14,15,16 stroke:#f3f,stroke-width:2px,color:DarkOrange;
linkStyle 18,19,20 stroke:gold,stroke-width:2px;
vault_transit x---x vault-secret-operator
vault-secret-operator x---x vault_auth_k8s_role_vso
vault_auth_jwt_role_gitea_cicd x--x policy_default
vault_auth_k8s_role_vso x--x policy_vso
creds/webapp -.-> webapp_credentials
creds/webapp -.-> vault-secret-operator
vault-secret-operator -.-> webapp_postgres_creds_secret
webapp/config -.-> vault-secret-operator
vault-secret-operator -.-> webapp_config_secret
argocd_webapp -.-> k3s_ns_webapp
webapp --o webapp_deployment
webapp_postgres_creds_secret --o webapp_deployment
webapp_deployment --> webapp_service_account
vault_auth_jwt -- tofu:tools --- vault_auth_jwt_role_gitea_cicd_webapp_ops
vault_auth_jwt_role_gitea_cicd_webapp_ops x--x policy_webapp_ops
vault_auth_k8s -- sa:webapp --- vault_auth_k8s_role_webapp x-- tofu:webapp --x policy_webapp
git_webapp_tofu_vault -.-> vault_auth_k8s_role_webapp
git_webapp_tofu_vault -.-> creds/webapp
root_credentials x--x postgres_db
webapp_credentials x--x webapp_db
tools_playbook --> vault_creds_editor_role
vault_creds_editor_role -. change password .-> webapp_credentials
vault_postgres x--x vault_creds_editor_role