docker-30: gitea CI/CD integration with Vault and Kanidm, misc updates
vault: - Add JWT auth backend bound to Gitea (jwks_url from gitea OIDC keys) - Add gitea-ci-read policy scoped to secret/data/gitea/* - Add JWT role gitea-ci (sub claim, bound to Gitea audience, 10m TTL) - Add AppRole gitea-ci as alternative auth method for the same policy - Add gitea-access-into-vault.md documenting the setup end-to-end - Update terraform.tfstate (OpenTofu 1.11.5, new gitea-ci resources) kanidm: - Add run.sh with docker run command (pinned to v1.9.1) - Add gitea-action-kubernetes-access.md documenting how to set up a Kanidm service account and OAuth2 client for Gitea CI k8s access - readme: add upgrade procedure, recover-account command, and service account + API token setup for gitea-ci-token maru-hleda-byt: - Add --restart=always to docker run command fuj-management: - Add run.sh (new service config) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Jan Novak
10
docker-30/vault/gitea-access-into-vault.md
Normal file
10
docker-30/vault/gitea-access-into-vault.md
Normal file
@@ -0,0 +1,10 @@
|
||||
## 1. Enable & configure JWT auth in Vault
|
||||
|
||||
```bash
|
||||
vault auth enable jwt
|
||||
|
||||
vault write auth/jwt/config \
|
||||
bound_issuer="https://gitea.home.hrajfrisbee.cz" \
|
||||
jwks_url="https://gitea.home.hrajfrisbee.cz/login/oauth/keys"
|
||||
|
||||
```
|
||||
Reference in New Issue
Block a user