From 695b08819ad1063313af56582a052ff869190d1c Mon Sep 17 00:00:00 2001
From: Jan Novak
Date: Sun, 1 Mar 2026 23:11:33 +0100
Subject: [PATCH] ci: use runner host env vars for Vault AppRole credentials
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Switch VAULT_ROLE_ID, VAULT_SECRET_ID, and K8S_CA_CERT from Gitea repo secrets to shell env vars, which are injected via the runner host's systemd EnvironmentFile — keeping credentials off Gitea entirely.

Co-Authored-By: Claude Sonnet 4.6
---
 .gitea/workflows/kubernetes-deploy.yaml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/.gitea/workflows/kubernetes-deploy.yaml b/.gitea/workflows/kubernetes-deploy.yaml
index 7488d6a..c4beec2 100644
--- a/.gitea/workflows/kubernetes-deploy.yaml
+++ b/.gitea/workflows/kubernetes-deploy.yaml
@@ -13,6 +13,8 @@ jobs:
 - name: Get Vault token
 run: |
+ set -euxo pipefail
+
 IDTOKEN=$(curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
 "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=https://vault.hrajfrisbee.cz/")
@@ -50,9 +52,10 @@ jobs:
 run: |
 set -euxo pipefail
- # Authenticate to Vault (AppRole — no CLI needed)
+ # Credentials come from runner host env vars (set via systemd EnvironmentFile),
+ # not from Gitea repo secrets — so they never touch Gitea's secret store.
 VAULT_AUTH_RESPONSE=$(curl -f --request POST \
- --data '{"role_id":"${{ secrets.VAULT_ROLE_ID }}","secret_id":"${{ secrets.VAULT_SECRET_ID }}"}' \
+ --data "{\"role_id\":\"${VAULT_ROLE_ID}\",\"secret_id\":\"${VAULT_SECRET_ID}\"}" \
 https://vault.hrajfrisbee.cz/v1/auth/approle/login)
 echo "Vault auth response: $VAULT_AUTH_RESPONSE" >&2
@@ -91,7 +94,7 @@ jobs:
 - name: Configure kubectl & deploy
 run: |
- echo "${{ secrets.K8S_CA_CERT }}" > /tmp/ca.crt
+ echo "${K8S_CA_CERT}" > /tmp/ca.crt
 kubectl config set-cluster mycluster \
 --server=https://192.168.0.31:6443 \
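Review bot: The `set -euxo pipefail` added at the top of the "Get Vault token" step enables xtrace, so the `curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN"` line that follows is echoed to the job log with the token expanded in clear; whether the Gitea runner redacts that value from logs is not visible here, so it should be assumed not to. The `-e`, `-u` and `pipefail` flags are the useful part of the line; use `set -euo pipefail` here, or if tracing is wanted for debugging, suspend it around the credentialed call with `{ set +x; } 2>/dev/null` before it and `set -x` after. The step's run block continues past the end of the hunk, so any later commands in it are traced as well.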
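Review bot: The new `--data "{\"role_id\":\"${VAULT_ROLE_ID}\",\"secret_id\":\"${VAULT_SECRET_ID}\"}"` line runs under the step's existing `set -euxo pipefail`, so xtrace writes the expanded role_id and secret_id to the job log; the previous `${{ secrets.* }}` form was presumably covered by Gitea's secret redaction, while runner-host env vars get no such masking, so the switch trades secret-store exposure for log exposure. Wrap the login so it is not traced, `{ set +x; } 2>/dev/null` immediately before `VAULT_AUTH_RESPONSE=$(curl …)` and `set -x` after the closing paren, or pass the JSON body on stdin via `--data @-` from a heredoc, whose contents xtrace does not print. The context line `echo "Vault auth response: $VAULT_AUTH_RESPONSE" >&2` then still logs the full login response, which presumably carries the issued Vault token; logging only the curl exit status, or extracting a non-sensitive field, keeps the diagnostic value. The added comment's claim that the credentials "never touch Gitea's secret store" is accurate, but they are still exported into the job's process environment and so readable by every step and action the workflow runs; the comment should say so. The run block continues outside the hunk.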