Use groups for Minio oauth (#36)

Now gitea orgs are used as policies, so it's easier to handle access. Also, drone is switched to a global Gitea oauth app, instead of my personal Reviewed-on: #36
2023-03-13 09:08:33 +00:00 · 2023-03-13 09:08:33 +00:00 · c9a45797bf
parent db538f7181
commit c9a45797bf
3 changed files with 10 additions and 16 deletions
--- a/badhouseplants/values/secrets.drone.yaml
+++ b/badhouseplants/values/secrets.drone.yaml
@ -1,6 +1,6 @@
 env:
-    DRONE_GITEA_CLIENT_ID: ENC[AES256_GCM,data:BbhUhVbrqFhD3Bw3w0ZfXRFNDkR7LV2gtabUOR990UQ6xDFw,iv:PfsuCU8A0C7MxVd9q6h6hexpeqxDJIshG16+Yoj9uTA=,tag:5mqw0hVJSlIta4p9VxGomw==,type:str]
-    DRONE_GITEA_CLIENT_SECRET: ENC[AES256_GCM,data:W3NzKBlKhzB1lPmLbMfVkHxtnod25tGi1lHJW2RWc46je6NeWHX1XZlRefbVqKO6gO4AUTlJOq4=,iv:08EQ/9iVZ93P0I+mYBv3SuKfLs/T3ZS6yZkdAuzU4KI=,tag:c2OiB4R/aBLjVY5EfPSJgA==,type:str]
+    DRONE_GITEA_CLIENT_ID: ENC[AES256_GCM,data:7Ohn3nGR9VeIhAr9EdW1/juRFo3TXpKIwU07hD8mGoyBrbyn,iv:9/y3Ou8H/PL2hMsirJaqviKGQuzVlzL43iGAKQb9NII=,tag:EZoo2F4/HoOcacWOVU9yjA==,type:str]
+    DRONE_GITEA_CLIENT_SECRET: ENC[AES256_GCM,data:2wAbiSJdDb5lGUOocK14pZtwQI0EFmXGStAigKsPGAZUKyn7M0B6xBO1+B3wZYVnIKEohiNIZF7k,iv:Y9aCzdSH5cAIZfk84Clto/IrQMRaoH+bOkvbP+9CcLM=,tag:FVfLsEA56WGNCl/8ut4F/Q==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -16,8 +16,8 @@ sops:
            QStxOG1iMWlxQ2dmOXRabXp4cm9NSU0K/+CRAc7DH4PgbQscXvDb7yLe8VoEpixr
            icD3GL37kYE2D4h1cm+p+/b7BF4/yjNlCUvo5cITXRjZAuiWGwUixQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-02-19T10:39:39Z"
-    mac: ENC[AES256_GCM,data:UXfogL8cIidQpdrTNVCofPRkoC00OczHIQcISQ1AlL+BTl8NjdQfzVdknczDagtooAXdV8Cf+Qf9xMzDd7svFv2Uyc6Tzz80171My9d8bHLtv1Q5TbJ4OSAVr38tOd35APnPgsvgX2SXEDf/vvUuTN7mljPTFuF0raCqLlN+LGg=,iv:s2AH5PUohmLTo2LN3Vq9RW1OOO4I9YkyuK1/ODGwegc=,tag:YmzJBbt2TGJsy5ym8ZkP2Q==,type:str]
+    lastmodified: "2023-03-13T09:01:15Z"
+    mac: ENC[AES256_GCM,data:cHdSHMa5dJTMrQsDOvTAORHON3WlFVRApaajAoZ8QIWWxC1ZCNIyMp1NlgZ+vv1vY951+JsOu4WYJdfygMvCplSz2ughqWgPFvykKOCBGTLfEKxSagnxuxuDpJ3FT2zlzzUxLFSOg8iGgpxZc9mF28divlAem4POkGgWs+7s7tE=,iv:Zjx1Zscf6G4QyZJayJLktSg6kOCl3K32G7U41dL1RVQ=,tag:v3m/hIt5A4xe6R1G9b30cA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3
--- a/badhouseplants/values/secrets.minio.yaml
+++ b/badhouseplants/values/secrets.minio.yaml
@ -8,11 +8,11 @@ oidc:
    configUrl: ENC[AES256_GCM,data:ZNVvWPlFPA1xgfysavsEusfxE2ySIM9FYatYqfWPnUrHKMtCxYlrn1ip3nTYL2JHvjM3yltLBNbqWMCGlgtw,iv:p1F2DqCFaKvjYKhMieFytnMuggrec8DmBzDATLTVe+8=,tag:3EtpPSyRlGThov5OcZfV+g==,type:str]
    clientId: ENC[AES256_GCM,data:kO7PkjN+5GqZCxChvtbTQb/5zo7nVxfh7MZqbDoJLIKMEfth,iv:ti3Xlc3sRVOVGtxGw/pT5iBy5rBqV2v+MhiNF3Krb9U=,tag:3LUDIkq08zGmvjJtSnE/jA==,type:str]
    clientSecret: ENC[AES256_GCM,data:PVe+8SlNrznBiFVNpuQXIcuPkUXyUJ7DObZpRvlgA8JjUHXTy3VY7soyJVBZEMfYbNjSLLcKcWM=,iv:fbh2RcQdPf3jUt2AOI3xp09SSEaWzI4rLGZmlZY46uM=,tag:wvEBkkPsXoQXAP7fN1iDMA==,type:str]
-    claimName: ENC[AES256_GCM,data:K7IO7TyaAUr4U80Ni5Xt/bma,iv:R8RQLttCNMHpAit+3OQ/STXo7u6xqQ1+RYgGLpJTpn4=,tag:3Wsh7TNnh1V0GrqjF/4Uiw==,type:str]
+    claimName: ENC[AES256_GCM,data:+XEw9sQ5,iv:DgGZf/GwkJsk4lfI8TBBaGfwN8YESMu9BSOBLJkbz78=,tag:A4hvQYEaZxPNf9CZp9+YUQ==,type:str]
    redirectUri: ENC[AES256_GCM,data:+Q8cNCvslAcO4m7VJwNe/CpEntyHfuHOrHqqtlrDILkfc0IRAA8aSbZwbA2v+So=,iv:GwzNILyqLuAYUQFKbt5WE+VCdOzSTBmGCAHcCAnzxXk=,tag:p9/86/r2DfT1mkQu+aQJfQ==,type:str]
    comment: ENC[AES256_GCM,data:TO3kA0i503ZA+EFhKa2AZw==,iv:Cl3NvvgXz71AaCgMl062urNtcBtgk832vtxTs9MJwik=,tag:JwerK2q1L7xMv/NIoWkESw==,type:str]
    claimPrefix: ""
-    scopes: ENC[AES256_GCM,data:kyewug7Dv2UOcsc8UWe1ssepra8uBW7uYw==,iv:RfQQiwBWWSd9DSgSlYZFwyZy2xaizMuVjeCZAws3ddM=,tag:jnegIPBviRTPi4kwM1jexQ==,type:str]
+    scopes: ENC[AES256_GCM,data:TuXqq8d+Xo/1ZNi036wx1GhbNPSF2sv8uYUy,iv:u9VfqbAGR94vLPD7nnsKuz5b2sbpUhs1TT7Ah8quX7c=,tag:jZplD/t4rA+p7TtisrC9mg==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -28,8 +28,8 @@ sops:
            NFd0WDBXRERZc2ZDbWhDTFhnZExjVmcKDKHKoouDK66AYXenznGjTMnahqIwbp1y
            zA+MZx0FPO7xm9UCGaxIFzdLXK6O2ctw9fDceR6oMj+YehLOKwEmoA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-03-12T10:17:38Z"
-    mac: ENC[AES256_GCM,data:I6DCLZNMl3LuGif/mDDNKKODZ6O/CSYty0+N60Xw4go2mH9J8/PPX0fEYL0ilRG2VDLuZ86RTiPCwAtUXVrtu1jzlkajbZPytWMpURZk+4m2XxXSDrTHNt6KJglF29DhENCkVXeZ75fHSKOS0yliZ+Q/90Ye18FJSlvVUy6HSfM=,iv:4y4pU0OTK6c2Oj5LvoJALtcn5TJ7OQFNys2swbYkodU=,tag:GSPQ64Ntu/oYnz6BfWXOTg==,type:str]
+    lastmodified: "2023-03-13T07:52:39Z"
+    mac: ENC[AES256_GCM,data:ognemBsF32MrBDoUTcmwW1W5VI//FADb/p0Do8aQttsikYMVLcFZqWx7Dyhu8CfOWsXL/atVLh2Gj3dkxjsmDFI8uUd4gwq0oMYtk7gR09WrrigDtV1UPgDgyLO3nW4/YmTYGx0fLcsFyGJMm1Pp08Sk+oGcP2Xt+zBAch6/xyE=,iv:Q6dAGFlaTQL7zbR1Z868zo3HbWW4/xpoaWdyw/k/c0U=,tag:I6X2USyt1AhgzjlY469jOA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3
--- a/badhouseplants/values/values.minio.yaml
+++ b/badhouseplants/values/values.minio.yaml
@ -57,19 +57,13 @@ policies:
          - 'arn:aws:s3:::*'
        actions:
          - "s3:*"
-      - resources: []
-        actions:
-          - "admin:*"
-      - resources: []
-        actions:
-          - "kms:*"
  - name: badhouseplants
    statements:
      - resources:
-          - 'arn:aws:s3:::badhouseplants'
+          - 'arn:aws:s3:::badhouseplants-net'
        actions:
          - "s3:*"
      - resources:
-          - 'arn:aws:s3:::badhouseplants/*'
+          - 'arn:aws:s3:::badhouseplants-net/*'
        actions:
          - "s3:*"