@@ -11,6 +11,35 @@ jobs:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Get Vault token
|
||||
run: |
|
||||
IDTOKEN=$(curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
|
||||
"$ACTIONS_ID_TOKEN_REQUEST_URL&audience=https://vault.hrajfrisbee.cz/")
|
||||
|
||||
TOKEN=$(echo "$IDTOKEN" | jq -r '.value')
|
||||
|
||||
VAULT_TOKEN=$(curl -sS --request POST \
|
||||
--data "{\"jwt\": \"$TOKEN\", \"role\": \"gitea-actions\"}" \
|
||||
https://vault.hrajfrisbee.cz/v1/auth/jwt/login | jq -r '.auth.client_token')
|
||||
|
||||
echo "VAULT_TOKEN=$VAULT_TOKEN" >> "$GITHUB_ENV"
|
||||
|
||||
- name: Debug - print env and OIDC info
|
||||
run: |
|
||||
echo "=== Environment ==="
|
||||
env | sort
|
||||
echo ""
|
||||
echo "=== ID Token (decoded) ==="
|
||||
IDTOKEN=$(curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
|
||||
"$ACTIONS_ID_TOKEN_REQUEST_URL&audience=https://vault.hrajfrisbee.cz/")
|
||||
echo "$IDTOKEN" | jq -r '.value' | cut -d. -f2 | base64 -d 2>/dev/null | jq .
|
||||
|
||||
- name: Read secret from Vault
|
||||
run: |
|
||||
SECRET=$(curl -sS -H "X-Vault-Token: $VAULT_TOKEN" \
|
||||
https://vault.hrajfrisbee.cz//v1/secret/data/k8s_home/gitea/gitea-ci-token | jq -r '.data.data.token')
|
||||
echo "SECRET=$SECRET" >> "$GITHUB_ENV"
|
||||
|
||||
- name: Install kubectl
|
||||
run: |
|
||||
curl -sfLO "https://dl.k8s.io/release/$(curl -sfL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
|
||||
|
||||
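Review bot: The `Debug - print env and OIDC info` step runs `env | sort` after the previous step has appended `VAULT_TOKEN=...` to `$GITHUB_ENV`, so the Vault client token is printed in clear text to the job log, and the value exported at `echo "SECRET=$SECRET" >> "$GITHUB_ENV"` is likewise left unmasked and visible to every later step. Drop the debug step before merging (or at minimum replace `env | sort` with a listing that excludes `VAULT_TOKEN`), and mask both values before exporting them, e.g. `echo "::add-mask::$VAULT_TOKEN"` immediately before the `VAULT_TOKEN=` line — assuming this Gitea runner honours `::add-mask::`, which should be verified. The Vault login `curl` has no `--fail` and the `run:` blocks have no `set -euo pipefail`, so a rejected JWT makes `jq -r '.auth.client_token'` emit `null` and the job carries on with a bogus token; add `set -euo pipefail` as the first line of each `run:` block and `--fail` to the login and secret-read requests. The kubectl download fetches a binary at whatever version `stable.txt` currently points to without any integrity check; fetch the matching `kubectl.sha256` from the same release path and run `echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check` before using it. The enclosing job definition begins before this hunk and the final `run:` block may continue past it.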