infra/scripts/tg

#!/usr/bin/env bash
# scripts/tg — wrapper: inject -auto-approve for non-interactive apply
# Usage: scripts/tg apply --non-interactive
#        scripts/tg run --all -- plan
# Auth: `vault login -method=oidc` (token at ~/.vault-token)
set -euo pipefail

# If running apply with --non-interactive, add -auto-approve for Terraform
args=("$@")
has_apply=false
has_non_interactive=false
for arg in "${args[@]}"; do
  case "$arg" in
    apply) has_apply=true ;;
    --non-interactive) has_non_interactive=true ;;
  esac
done

if $has_apply && $has_non_interactive; then
  # Rebuild args: insert -auto-approve after apply
  new_args=()
  for arg in "${args[@]}"; do
    new_args+=("$arg")
    if [ "$arg" = "apply" ]; then
      new_args+=("-auto-approve")
    fi
  done
  exec terragrunt "${new_args[@]}"
else
  exec terragrunt "$@"
fi
[ci skip] phase 1: SOPS tooling setup (.sops.yaml, scripts/tg, .gitignore) Part of SOPS multi-user secrets migration. - .sops.yaml: defines age recipients (Viktor + CI) - scripts/tg: wrapper that decrypts secrets before running terragrunt - .gitignore: excludes decrypted secrets.auto.tfvars.json No functional change — terraform.tfvars still works as before. 2026-03-07 13:57:42 +00:00			`#!/usr/bin/env bash`
remove SOPS pipeline, deploy ESO + Vault DB/K8s engines Vault is now the sole source of truth for secrets. SOPS pipeline removed entirely — auth via `vault login -method=oidc`. Part A: SOPS removal - vault/main.tf: delete 990 lines (93 vars + 43 KV write resources), add self-read data source for OIDC creds from secret/vault - terragrunt.hcl: remove SOPS var loading, vault_root_token, check_secrets hook - scripts/tg: remove SOPS decryption, keep -auto-approve logic - .woodpecker/default.yml: replace SOPS with Vault K8s auth via curl - Delete secrets.sops.json, .sops.yaml Part B: External Secrets Operator - New stack stacks/external-secrets/ with Helm chart + 2 ClusterSecretStores (vault-kv for KV v2, vault-database for DB engine) Part C: Database secrets engine (in vault/main.tf) - MySQL + PostgreSQL connections with static role rotation (24h) - 6 MySQL roles (speedtest, wrongmove, codimd, nextcloud, shlink, grafana) - 6 PostgreSQL roles (trading, health, linkwarden, affine, woodpecker, claude_memory) Part D: Kubernetes secrets engine (in vault/main.tf) - RBAC for Vault SA to manage K8s tokens - Roles: dashboard-admin, ci-deployer, openclaw, local-admin - New scripts/vault-kubeconfig helper for dynamic kubeconfig K8s auth method with scoped policies for CI, ESO, OpenClaw, Woodpecker sync. 2026-03-15 16:37:38 +00:00			`# scripts/tg — wrapper: inject -auto-approve for non-interactive apply`
[ci skip] phase 1: SOPS tooling setup (.sops.yaml, scripts/tg, .gitignore) Part of SOPS multi-user secrets migration. - .sops.yaml: defines age recipients (Viktor + CI) - scripts/tg: wrapper that decrypts secrets before running terragrunt - .gitignore: excludes decrypted secrets.auto.tfvars.json No functional change — terraform.tfvars still works as before. 2026-03-07 13:57:42 +00:00			`# Usage: scripts/tg apply --non-interactive`
			`# scripts/tg run --all -- plan`
remove SOPS pipeline, deploy ESO + Vault DB/K8s engines Vault is now the sole source of truth for secrets. SOPS pipeline removed entirely — auth via `vault login -method=oidc`. Part A: SOPS removal - vault/main.tf: delete 990 lines (93 vars + 43 KV write resources), add self-read data source for OIDC creds from secret/vault - terragrunt.hcl: remove SOPS var loading, vault_root_token, check_secrets hook - scripts/tg: remove SOPS decryption, keep -auto-approve logic - .woodpecker/default.yml: replace SOPS with Vault K8s auth via curl - Delete secrets.sops.json, .sops.yaml Part B: External Secrets Operator - New stack stacks/external-secrets/ with Helm chart + 2 ClusterSecretStores (vault-kv for KV v2, vault-database for DB engine) Part C: Database secrets engine (in vault/main.tf) - MySQL + PostgreSQL connections with static role rotation (24h) - 6 MySQL roles (speedtest, wrongmove, codimd, nextcloud, shlink, grafana) - 6 PostgreSQL roles (trading, health, linkwarden, affine, woodpecker, claude_memory) Part D: Kubernetes secrets engine (in vault/main.tf) - RBAC for Vault SA to manage K8s tokens - Roles: dashboard-admin, ci-deployer, openclaw, local-admin - New scripts/vault-kubeconfig helper for dynamic kubeconfig K8s auth method with scoped policies for CI, ESO, OpenClaw, Woodpecker sync. 2026-03-15 16:37:38 +00:00			# Auth: `vault login -method=oidc` (token at ~/.vault-token)
[ci skip] phase 1: SOPS tooling setup (.sops.yaml, scripts/tg, .gitignore) Part of SOPS multi-user secrets migration. - .sops.yaml: defines age recipients (Viktor + CI) - scripts/tg: wrapper that decrypts secrets before running terragrunt - .gitignore: excludes decrypted secrets.auto.tfvars.json No functional change — terraform.tfvars still works as before. 2026-03-07 13:57:42 +00:00			`set -euo pipefail`

fix openclaw config mount and OOM: use init container, increase memory to 2Gi - Replace subPath ConfigMap mount with init container that copies openclaw.json to writable NFS home (OpenClaw writes back to the file at runtime) - Remove invalid memory-api plugin references causing "Config invalid" - Increase memory to 2Gi (req+limit) with NODE_OPTIONS=--max-old-space-size=1536 - Fix tg wrapper to inject -auto-approve when apply --non-interactive is used 2026-03-14 23:42:08 +00:00			`# If running apply with --non-interactive, add -auto-approve for Terraform`
			`args=("$@")`
			`has_apply=false`
			`has_non_interactive=false`
			`for arg in "${args[@]}"; do`
			`case "$arg" in`
			`apply) has_apply=true ;;`
			`--non-interactive) has_non_interactive=true ;;`
			`esac`
			`done`

			`if $has_apply && $has_non_interactive; then`
			`# Rebuild args: insert -auto-approve after apply`
			`new_args=()`
			`for arg in "${args[@]}"; do`
			`new_args+=("$arg")`
			`if [ "$arg" = "apply" ]; then`
			`new_args+=("-auto-approve")`
			`fi`
			`done`
			`exec terragrunt "${new_args[@]}"`
			`else`
			`exec terragrunt "$@"`
			`fi`