From 4a8a64f16119a8b7c83305a5e19565ffb3790aa9 Mon Sep 17 00:00:00 2001 From: Jan Novak Date: Sun, 1 Mar 2026 22:56:27 +0100 Subject: [PATCH] ci: add verbose debugging to Vault token step Split curl calls into separate variables and log intermediate responses to stderr to identify which request is failing. Added set -euxo pipefail for immediate failure visibility. Co-Authored-By: Claude Sonnet 4.6 --- .gitea/workflows/kubernetes-deploy.yaml | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/.gitea/workflows/kubernetes-deploy.yaml b/.gitea/workflows/kubernetes-deploy.yaml index 69b8f66..bef3075 100644 --- a/.gitea/workflows/kubernetes-deploy.yaml +++ b/.gitea/workflows/kubernetes-deploy.yaml @@ -19,15 +19,23 @@ jobs: - name: Get Kanidm token from Vault id: vault run: | + set -euxo pipefail + # Authenticate to Vault (AppRole — no CLI needed) - VAULT_TOKEN=$(curl -sf --request POST \ + VAULT_AUTH_RESPONSE=$(curl -f --request POST \ --data '{"role_id":"${{ secrets.VAULT_ROLE_ID }}","secret_id":"${{ secrets.VAULT_SECRET_ID }}"}' \ - https://vault.hrajfrisbee.cz/v1/auth/approle/login | jq -r '.auth.client_token') + https://vault.hrajfrisbee.cz/v1/auth/approle/login) + + echo "Vault auth response: $VAULT_AUTH_RESPONSE" >&2 + VAULT_TOKEN=$(echo "$VAULT_AUTH_RESPONSE" | jq -r '.auth.client_token') # Read the kanidm API token - API_TOKEN=$(curl -sf \ + SECRET_RESPONSE=$(curl -f \ -H "X-Vault-Token: ${VAULT_TOKEN}" \ - https://vault.hrajfrisbee.cz/v1/secret/data/k8s_home/gitea/gitea-ci-token | jq -r '.data.data.token') + https://vault.hrajfrisbee.cz/v1/secret/data/k8s_home/gitea/gitea-ci-token) + + echo "Secret response: $SECRET_RESPONSE" >&2 + API_TOKEN=$(echo "$SECRET_RESPONSE" | jq -r '.data.data.token') echo "::add-mask::${API_TOKEN}" echo "api_token=${API_TOKEN}" >> "$GITHUB_OUTPUT"
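Review bot: The two added `echo "… response: $…" >&2` lines print the whole AppRole login body (including `.auth.client_token`) and the whole KV secret body (including `.data.data.token`) into the job log, and `set -x` also traces the `VAULT_TOKEN=…`/`API_TOKEN=…` assignments and the `X-Vault-Token` header before `::add-mask::` runs; the Vault token is never masked. Whether the runner's built-in masking hides the `role_id`/`secret_id` in the traced `--data` argument is not visible here and should not be relied on. To see which request fails without exposing credentials, drop `x`, use `curl -sSf` so curl reports the HTTP error itself, make `jq -er` fail on a missing field, mask the Vault token as soon as it is extracted, and log only step markers. If this version has already run, treat both tokens as exposed to anyone who can read the job logs and rotate them. The `run:` script may continue past the end of the hunk.

```yaml
          set -euo pipefail
          # … unchanged: AppRole login into VAULT_AUTH_RESPONSE, but with curl -sSf …
          VAULT_TOKEN=$(printf '%s' "$VAULT_AUTH_RESPONSE" | jq -er '.auth.client_token')
          echo "::add-mask::${VAULT_TOKEN}"
          echo "Vault login OK" >&2
          # … unchanged: secret read into SECRET_RESPONSE, but with curl -sSf …
          API_TOKEN=$(printf '%s' "$SECRET_RESPONSE" | jq -er '.data.data.token')
          echo "::add-mask::${API_TOKEN}"
          echo "Secret read OK" >&2
```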