ci: remove dead OIDC steps, use repo secrets for AppRole auth
Some checks failed
Deploy to K8s / deploy (push) Failing after 9s
Some checks failed
Deploy to K8s / deploy (push) Failing after 9s
Gitea doesn't implement Actions OIDC tokens yet. Drop the experimental id_token steps and use VAULT_ROLE_ID/VAULT_SECRET_ID/K8S_CA_CERT as standard Gitea repo secrets. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Jan Novak
@@ -11,37 +11,6 @@ jobs:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Get Vault token
|
||||
run: |
|
||||
set -euxo pipefail
|
||||
|
||||
IDTOKEN=$(curl -sS -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" \
|
||||
"${ACTIONS_ID_TOKEN_REQUEST_URL:-}&audience=https://vault.hrajfrisbee.cz/")
|
||||
|
||||
TOKEN=$(echo "$IDTOKEN" | jq -r '.value')
|
||||
|
||||
VAULT_TOKEN=$(curl -sS --request POST \
|
||||
--data "{\"jwt\": \"$TOKEN\", \"role\": \"gitea-actions\"}" \
|
||||
https://vault.hrajfrisbee.cz/v1/auth/jwt/login | jq -r '.auth.client_token')
|
||||
|
||||
echo "VAULT_TOKEN=$VAULT_TOKEN" >> "$GITHUB_ENV"
|
||||
|
||||
- name: Debug - print env and OIDC info
|
||||
run: |
|
||||
echo "=== Environment ==="
|
||||
env | sort
|
||||
echo ""
|
||||
echo "=== ID Token (decoded) ==="
|
||||
IDTOKEN=$(curl -sS -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" \
|
||||
"${ACTIONS_ID_TOKEN_REQUEST_URL:-}&audience=https://vault.hrajfrisbee.cz/")
|
||||
echo "$IDTOKEN" | jq -r '.value' | cut -d. -f2 | base64 -d 2>/dev/null | jq .
|
||||
|
||||
- name: Read secret from Vault
|
||||
run: |
|
||||
SECRET=$(curl -sS -H "X-Vault-Token: $VAULT_TOKEN" \
|
||||
https://vault.hrajfrisbee.cz//v1/secret/data/k8s_home/gitea/gitea-ci-token | jq -r '.data.data.token')
|
||||
echo "SECRET=$SECRET" >> "$GITHUB_ENV"
|
||||
|
||||
- name: Install kubectl
|
||||
run: |
|
||||
curl -sfLO "https://dl.k8s.io/release/$(curl -sfL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
|
||||
@@ -52,10 +21,8 @@ jobs:
|
||||
run: |
|
||||
set -euxo pipefail
|
||||
|
||||
# Credentials come from runner host env vars (set via systemd EnvironmentFile),
|
||||
# not from Gitea repo secrets — so they never touch Gitea's secret store.
|
||||
VAULT_AUTH_RESPONSE=$(curl -f --request POST \
|
||||
--data "{\"role_id\":\"${VAULT_ROLE_ID}\",\"secret_id\":\"${VAULT_SECRET_ID}\"}" \
|
||||
--data '{"role_id":"${{ secrets.VAULT_ROLE_ID }}","secret_id":"${{ secrets.VAULT_SECRET_ID }}"}' \
|
||||
https://vault.hrajfrisbee.cz/v1/auth/approle/login)
|
||||
|
||||
echo "Vault auth response: $VAULT_AUTH_RESPONSE" >&2
|
||||
@@ -94,7 +61,7 @@ jobs:
|
||||
|
||||
- name: Configure kubectl & deploy
|
||||
run: |
|
||||
echo "${K8S_CA_CERT}" > /tmp/ca.crt
|
||||
echo "${{ secrets.K8S_CA_CERT }}" > /tmp/ca.crt
|
||||
|
||||
kubectl config set-cluster mycluster \
|
||||
--server=https://192.168.0.31:6443 \
|
||||
|
||||
Reference in New Issue
Block a user