ci: remove dead OIDC steps, use repo secrets for AppRole auth

Gitea doesn't implement Actions OIDC tokens yet. Drop the experimental id_token steps and use VAULT_ROLE_ID/VAULT_SECRET_ID/K8S_CA_CERT as standard Gitea repo secrets. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-01 23:30:39 +01:00
parent bed8e93b5d
commit ed8abc9b56
1 changed files with 2 additions and 35 deletions
--- a/.gitea/workflows/kubernetes-deploy.yaml
+++ b/.gitea/workflows/kubernetes-deploy.yaml
@@ -11,37 +11,6 @@ jobs:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Get Vault token
        run: |
          set -euxo pipefail
          IDTOKEN=$(curl -sS -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" \
            "${ACTIONS_ID_TOKEN_REQUEST_URL:-}&audience=https://vault.hrajfrisbee.cz/")
          TOKEN=$(echo "$IDTOKEN" | jq -r '.value')
          VAULT_TOKEN=$(curl -sS --request POST \
            --data "{\"jwt\": \"$TOKEN\", \"role\": \"gitea-actions\"}" \
            https://vault.hrajfrisbee.cz/v1/auth/jwt/login | jq -r '.auth.client_token')
          echo "VAULT_TOKEN=$VAULT_TOKEN" >> "$GITHUB_ENV"
      - name: Debug - print env and OIDC info
        run: |
          echo "=== Environment ==="
          env | sort
          echo ""
          echo "=== ID Token (decoded) ==="
          IDTOKEN=$(curl -sS -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" \
            "${ACTIONS_ID_TOKEN_REQUEST_URL:-}&audience=https://vault.hrajfrisbee.cz/")
          echo "$IDTOKEN" | jq -r '.value' | cut -d. -f2 | base64 -d 2>/dev/null | jq .
      - name: Read secret from Vault
        run: |
          SECRET=$(curl -sS -H "X-Vault-Token: $VAULT_TOKEN" \
            https://vault.hrajfrisbee.cz//v1/secret/data/k8s_home/gitea/gitea-ci-token | jq -r '.data.data.token')
          echo "SECRET=$SECRET" >> "$GITHUB_ENV"
      - name: Install kubectl
        run: |
          curl -sfLO "https://dl.k8s.io/release/$(curl -sfL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
@@ -52,10 +21,8 @@ jobs:
        run: |
          set -euxo pipefail
          # Credentials come from runner host env vars (set via systemd EnvironmentFile),
          # not from Gitea repo secrets — so they never touch Gitea's secret store.
          VAULT_AUTH_RESPONSE=$(curl -f --request POST \
-            --data "{\"role_id\":\"${VAULT_ROLE_ID}\",\"secret_id\":\"${VAULT_SECRET_ID}\"}" \
+            --data '{"role_id":"${{ secrets.VAULT_ROLE_ID }}","secret_id":"${{ secrets.VAULT_SECRET_ID }}"}' \
            https://vault.hrajfrisbee.cz/v1/auth/approle/login)
          echo "Vault auth response: $VAULT_AUTH_RESPONSE" >&2
@@ -94,7 +61,7 @@ jobs:
      - name: Configure kubectl & deploy
        run: |
-          echo "${K8S_CA_CERT}" > /tmp/ca.crt
+          echo "${{ secrets.K8S_CA_CERT }}" > /tmp/ca.crt
          kubectl config set-cluster mycluster \
            --server=https://192.168.0.31:6443 \