home-kubernetes/docker-30/vault/terraform/terraform.tfstate
Jan Novak 96ba77a606 docker-30: gitea CI/CD integration with Vault and Kanidm, misc updates
vault:
- Add JWT auth backend bound to Gitea (jwks_url from gitea OIDC keys)
- Add gitea-ci-read policy scoped to secret/data/gitea/*
- Add JWT role gitea-ci (sub claim, bound to Gitea audience, 10m TTL)
- Add AppRole gitea-ci as alternative auth method for the same policy
- Add gitea-access-into-vault.md documenting the setup end-to-end
- Update terraform.tfstate (OpenTofu 1.11.5, new gitea-ci resources)

kanidm:
- Add run.sh with docker run command (pinned to v1.9.1)
- Add gitea-action-kubernetes-access.md documenting how to set up
  a Kanidm service account and OAuth2 client for Gitea CI k8s access
- readme: add upgrade procedure, recover-account command, and
  service account + API token setup for gitea-ci-token

maru-hleda-byt:
- Add --restart=always to docker run command

fuj-management:
- Add run.sh (new service config)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-07 23:09:52 +01:00


{"version":4,"terraform_version":"1.11.5","serial":6,"lineage":"88d0da45-267c-24b8-34e1-c9a1c58ab70f","outputs":{"gitea_ci_role_id":{"value":"02fc6463-af48-1d88-1f60-1569ec3d90e2","type":"string","sensitive":true},"gitea_ci_secret_id":{"value":"95c63c88-c2f6-c3bd-4ba7-cba79df5f011","type":"string","sensitive":true},"role_id":{"value":"864e352d-2064-2bf9-2c73-dbd676a95368","type":"string","sensitive":true},"secret_id":{"value":"8dd0e675-f4dc-50ba-6665-3db5ae423702","type":"string","sensitive":true}},"resources":[{"mode":"data","type":"vault_approle_auth_backend_role_id","name":"eso","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"backend":"approle","id":"auth/approle/role/external-secrets/role-id","namespace":null,"role_id":"864e352d-2064-2bf9-2c73-dbd676a95368","role_name":"external-secrets"},"sensitive_attributes":[]}]},{"mode":"data","type":"vault_approle_auth_backend_role_id","name":"gitea_ci","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"backend":"approle","id":"auth/approle/role/gitea-ci/role-id","namespace":null,"role_id":"02fc6463-af48-1d88-1f60-1569ec3d90e2","role_name":"gitea-ci"},"sensitive_attributes":[]}]},{"mode":"managed","type":"vault_approle_auth_backend_role","name":"eso","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"backend":"approle","bind_secret_id":true,"id":"auth/approle/role/external-secrets","namespace":null,"role_id":"864e352d-2064-2bf9-2c73-dbd676a95368","role_name":"external-secrets","secret_id_bound_cidrs":[],"secret_id_num_uses":0,"secret_id_ttl":0,"token_bound_cidrs":[],"token_explicit_max_ttl":0,"token_max_ttl":14400,"token_no_default_policy":false,"token_num_uses":0,"token_period":0,"token_policies":["external-secrets-read"],"token_ttl":3600,"token_type":"default"},"sensitive_attributes":[],"private":"bnVsbA==","dependencies":["vault_auth_
backend.approle","vault_mount.kv","vault_policy.eso_read"]}]},{"mode":"managed","type":"vault_approle_auth_backend_role","name":"gitea_ci","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"backend":"approle","bind_secret_id":true,"id":"auth/approle/role/gitea-ci","namespace":null,"role_id":"02fc6463-af48-1d88-1f60-1569ec3d90e2","role_name":"gitea-ci","secret_id_bound_cidrs":null,"secret_id_num_uses":0,"secret_id_ttl":0,"token_bound_cidrs":null,"token_explicit_max_ttl":0,"token_max_ttl":1200,"token_no_default_policy":false,"token_num_uses":0,"token_period":0,"token_policies":["gitea-ci-read"],"token_ttl":600,"token_type":"default"},"sensitive_attributes":[],"private":"bnVsbA==","dependencies":["vault_auth_backend.approle","vault_mount.kv","vault_policy.gitea_ci_read"]}]},{"mode":"managed","type":"vault_approle_auth_backend_role_secret_id","name":"eso","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"accessor":"f20ef8a0-f21f-8c9b-fc38-887a005af763","backend":"approle","cidr_list":[],"id":"backend=approle::role=external-secrets::accessor=f20ef8a0-f21f-8c9b-fc38-887a005af763","metadata":"{}","namespace":null,"num_uses":0,"role_name":"external-secrets","secret_id":"8dd0e675-f4dc-50ba-6665-3db5ae423702","ttl":0,"with_wrapped_accessor":null,"wrapping_accessor":null,"wrapping_token":null,"wrapping_ttl":null},"sensitive_attributes":[[{"type":"get_attr","value":"secret_id"}],[{"type":"get_attr","value":"wrapping_token"}]],"private":"bnVsbA==","dependencies":["vault_approle_auth_backend_role.eso","vault_auth_backend.approle","vault_mount.kv","vault_policy.eso_read"]}]},{"mode":"managed","type":"vault_approle_auth_backend_role_secret_id","name":"gitea_ci","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"accessor":"fc004726-1fc7-b6c4-c9e3-1dac77712ce6","backend":"approle","cidr_list":null,"i
d":"backend=approle::role=gitea-ci::accessor=fc004726-1fc7-b6c4-c9e3-1dac77712ce6","metadata":"{}","namespace":null,"num_uses":0,"role_name":"gitea-ci","secret_id":"95c63c88-c2f6-c3bd-4ba7-cba79df5f011","ttl":0,"with_wrapped_accessor":null,"wrapping_accessor":null,"wrapping_token":null,"wrapping_ttl":null},"sensitive_attributes":[[{"type":"get_attr","value":"secret_id"}],[{"type":"get_attr","value":"wrapping_token"}]],"private":"bnVsbA==","dependencies":["vault_approle_auth_backend_role.gitea_ci","vault_auth_backend.approle","vault_mount.kv","vault_policy.gitea_ci_read"]}]},{"mode":"managed","type":"vault_auth_backend","name":"approle","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":1,"attributes":{"accessor":"auth_approle_409190cb","description":"","disable_remount":false,"id":"approle","identity_token_key":null,"local":false,"namespace":null,"path":"approle","tune":[],"type":"approle"},"sensitive_attributes":[],"private":"eyJzY2hlbWFfdmVyc2lvbiI6IjEifQ=="}]},{"mode":"managed","type":"vault_jwt_auth_backend","name":"gitea","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":1,"attributes":{"accessor":"auth_jwt_d2814e6f","bound_issuer":"https://gitea.home.hrajfrisbee.cz","default_role":"","description":null,"disable_remount":null,"id":"jwt","jwks_ca_pem":"","jwks_url":"https://gitea.home.hrajfrisbee.cz/login/oauth/keys","jwt_supported_algs":[],"jwt_validation_pubkeys":[],"local":false,"namespace":null,"namespace_in_state":true,"oidc_client_id":"","oidc_client_secret":null,"oidc_discovery_ca_pem":"","oidc_discovery_url":"","oidc_response_mode":"","oidc_response_types":[],"path":"jwt","provider_config":{},"tune":[{"allowed_response_headers":[],"audit_non_hmac_request_keys":[],"audit_non_hmac_response_keys":[],"default_lease_ttl":"168h","listing_visibility":"","max_lease_ttl":"768h","passthrough_request_headers":[],"token_type":"default-service"}],"type":"jwt"},"sensitive_attrib
utes":[[{"type":"get_attr","value":"oidc_client_secret"}]],"private":"eyJzY2hlbWFfdmVyc2lvbiI6IjEifQ=="}]},{"mode":"managed","type":"vault_jwt_auth_backend_role","name":"gitea_ci","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"allowed_redirect_uris":null,"backend":"jwt","bound_audiences":["https://gitea.home.hrajfrisbee.cz"],"bound_claims":{},"bound_claims_type":"string","bound_subject":"","claim_mappings":null,"clock_skew_leeway":0,"disable_bound_claims_parsing":false,"expiration_leeway":0,"groups_claim":"","id":"auth/jwt/role/gitea-ci","max_age":0,"namespace":null,"not_before_leeway":0,"oidc_scopes":[],"role_name":"gitea-ci","role_type":"jwt","token_bound_cidrs":[],"token_explicit_max_ttl":0,"token_max_ttl":1200,"token_no_default_policy":false,"token_num_uses":0,"token_period":0,"token_policies":["gitea-ci-read"],"token_ttl":600,"token_type":"default","user_claim":"sub","user_claim_json_pointer":false,"verbose_oidc_logging":false},"sensitive_attributes":[],"private":"bnVsbA==","dependencies":["vault_jwt_auth_backend.gitea","vault_mount.kv","vault_policy.gitea_ci_read"]}]},{"mode":"managed","type":"vault_mount","name":"kv","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"accessor":"kv_d207dd40","allowed_managed_keys":[],"allowed_response_headers":[],"audit_non_hmac_request_keys":[],"audit_non_hmac_response_keys":[],"default_lease_ttl_seconds":0,"delegated_auth_accessors":null,"description":"KV v2 secrets 
engine","external_entropy_access":false,"id":"secret","identity_token_key":"","listing_visibility":"","local":false,"max_lease_ttl_seconds":0,"namespace":null,"options":{},"passthrough_request_headers":[],"path":"secret","plugin_version":null,"seal_wrap":false,"type":"kv-v2"},"sensitive_attributes":[],"private":"bnVsbA=="}]},{"mode":"managed","type":"vault_policy","name":"eso_read","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"id":"external-secrets-read","name":"external-secrets-read","namespace":null,"policy":"path \"secret/data/*\" {\n capabilities = [\"read\"]\n}\npath \"secret/metadata/*\" {\n capabilities = [\"read\", \"list\"]\n}\n"},"sensitive_attributes":[],"private":"bnVsbA==","dependencies":["vault_mount.kv"]}]},{"mode":"managed","type":"vault_policy","name":"gitea_ci_read","provider":"provider[\"registry.opentofu.org/hashicorp/vault\"]","instances":[{"schema_version":0,"attributes":{"id":"gitea-ci-read","name":"gitea-ci-read","namespace":null,"policy":"path \"secret/data/gitea/*\" {\n capabilities = [\"read\"]\n}\npath \"secret/metadata/gitea/*\" {\n capabilities = [\"read\", \"list\"]\n}\n"},"sensitive_attributes":[],"private":"bnVsbA==","dependencies":["vault_mount.kv"]}]}],"check_results":null}
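Review bot: This state file carries the AppRole credentials in plaintext — the `secret_id` attributes of both `vault_approle_auth_backend_role_secret_id` resources and the `gitea_ci_secret_id`/`secret_id` outputs — and `"sensitive":true` only affects CLI display, not what is written to the file, so committing `terraform.tfstate` to the repository publishes those values to everyone with read access to the git history. The secret IDs present here should be treated as disclosed and regenerated, and the state should be moved out of the working tree (an ignored path or a backend that encrypts state at rest) before the next apply. Separately, the `vault_jwt_auth_backend_role` named `gitea_ci` has `"bound_claims":{}` and `"bound_subject":""`, so any JWT Gitea issues for the audience `https://gitea.home.hrajfrisbee.cz` is accepted for the `gitea-ci-read` policy; `"user_claim":"sub"` only names the entity and does not restrict who can log in, which differs from the "sub claim" binding the commit description suggests — consider pinning `bound_claims` (or `bound_subject`) to the specific repository/actor the CI job runs as. The AppRole side also has `"secret_id_num_uses":0`, `"secret_id_ttl":0` and empty CIDR bindings, i.e. a non-expiring, unlimited-use, unrestricted secret ID; a bounded `secret_id_ttl` or `secret_id_num_uses` would limit the blast radius of the leak above.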