docker-30: gitea CI/CD integration with Vault and Kanidm, misc updates
vault:
- Add JWT auth backend bound to Gitea (jwks_url from gitea OIDC keys)
- Add gitea-ci-read policy scoped to secret/data/gitea/*
- Add JWT role gitea-ci (sub claim, bound to Gitea audience, 10m TTL)
- Add AppRole gitea-ci as alternative auth method for the same policy
- Add gitea-access-into-vault.md documenting the setup end-to-end
- Update terraform.tfstate (OpenTofu 1.11.5, new gitea-ci resources)

kanidm:
- Add run.sh with docker run command (pinned to v1.9.1)
- Add gitea-action-kubernetes-access.md documenting how to set up a Kanidm service account and OAuth2 client for Gitea CI k8s access
- readme: add upgrade procedure, recover-account command, and service account + API token setup for gitea-ci-token

maru-hleda-byt:
- Add --restart=always to docker run command

fuj-management:
- Add run.sh (new service config)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -1,3 +1,27 @@
## Upgrade

```bash
docker exec -it kanidmd kanidmd domain upgrade-check
# make sure backup exists: /srv/docker/kanidm/data/kanidm/backups

# change container image in: /srv/docker/kanidm/run.sh

# kanidm data restore
docker stop kanidmd
docker run --rm -it \
-v kanidmd:/data \
-v kanidmd_backups:/backup \
kanidm/server:latest \
/sbin/kanidmd database restore -c /data/server.toml /backup/kanidm.backup.json
docker start kanidmd
```

## Recover passwords from kanidm instance

```bash
docker exec -i -t kanidmd kanidmd recover-account idm_admin
```

## add user to k8s group

based on: https://blog.kammel.dev/post/k8s_home_lab_2025_06/
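Review bot: the restore command in the Upgrade section runs `kanidm/server:latest`, while the commit message says run.sh pins the server to v1.9.1; a restore can therefore execute a different server version than the one that wrote the backup and than the one that will read the database afterwards. Use the same pinned tag here as in run.sh. Two smaller gaps in the same block: the comment points at the host directory `/srv/docker/kanidm/data/kanidm/backups`, but the restore mounts the named volume `kanidmd_backups:/backup`, so the readme should say which of the two actually contains `kanidm.backup.json` (or mount the host path directly); and after "change container image in: /srv/docker/kanidm/run.sh" there is no step that re-runs run.sh with the new image, so the upgrade itself is never performed and the "kanidm data restore" lines read as part of it rather than as the rollback path. Adding that step and labelling the restore block as rollback would make the procedure safe to follow as written.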
@@ -115,4 +139,31 @@ docker run --rm -i -t -v --restart=always \
docker.io/kanidm/server:latest \
kanidmd cert-generate

```


## Service account for gitea runner

```bash
# create service account
#kanidm service-account create \
# gitea_ci \ # account name
# "Gitea CI Deploy" \ # display name
# idm_admins \ # entry-managed-by (delegation group)
# --name idm_admin # authenticate as this user

kanidm service-account create gitea_ci "Gitea CI Deploy" idm_admins --name idm_admin

# Create a group and add the service account
kanidm group create k8s_deployers
kanidm group add-members k8s_deployers gitea_ci

# Create the OAuth2 client (or reuse existing k8s one)
# If you already have a k8s OIDC client, just add scope maps:
kanidm system oauth2 update-scope-map k8s k8s_deployers openid groups

# Generate an API token for the service account
kanidm service-account api-token generate --name idm_admin gitea_ci "gitea-ci-token"
# ⚠️ Save the output token — this is the subject_token for exchange

```
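Review bot: the `api-token generate` step hands out a bearer credential for `gitea_ci` with no stated expiry and no rotation or revocation procedure, and the only instruction is "Save the output token". Since this same commit adds a Vault policy scoped to `secret/data/gitea/*` for the CI, the readme should say that the token is stored there (not in the repo or in a plaintext runner variable), whether an expiry was set when generating it, and how it is destroyed and regenerated when it leaks. The comment "Create the OAuth2 client (or reuse existing k8s one)" then shows only the reuse path (`update-scope-map k8s ...`); either add the create command or drop the first half of the comment. Separately, the header context line `docker run --rm -i -t -v --restart=always \` from the existing cert-generate block combines `--rm` with `--restart=always` and leaves `-v` without a mount spec, so that earlier command cannot run as written and should be fixed in a follow-up.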