viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infra/.woodpecker/renew-tls.yml

80 lines
2.9 KiB
YAML
Raw Normal View History

[ci skip] Add Woodpecker CI stack (WIP) and claude agents - Add stacks/woodpecker/ with Helm-based deployment config - Add .woodpecker/ CI pipeline configs (default, build-cli, renew-tls) - Add NFS export entry for woodpecker - Add .claude/agents/ definitions
2026-02-22 21:30:25 +00:00
when:
event: cron
cron: renew-tls-certificate
Woodpecker CI: use built-in clone, fix CoreDNS DNS resolution [CI SKIP] - Switch from custom clone override to woodpeckerci/plugin-git built-in clone (handles auth automatically via netrc from GitHub OAuth token) - Add 8.8.8.8 and 1.1.1.1 as CoreDNS upstream resolvers alongside pfSense (fixes intermittent DNS timeouts causing clone failures) - Fix missing comma after heredoc in audit-policy.tf (syntax error)
2026-02-23 00:08:42 +00:00
clone:
git:
image: woodpeckerci/plugin-git
settings:
attempts: 5
backoff: 10s
[ci skip] Add Woodpecker CI stack (WIP) and claude agents - Add stacks/woodpecker/ with Helm-based deployment config - Add .woodpecker/ CI pipeline configs (default, build-cli, renew-tls) - Add NFS export entry for woodpecker - Add .claude/agents/ definitions
2026-02-22 21:30:25 +00:00
steps:
- name: prepare
image: alpine
commands:
- "apk update && apk add jq curl git git-crypt"
- |
curl -k https://10.0.20.100:6443/api/v1/namespaces/woodpecker/configmaps/git-crypt-key -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | jq -r .data.key | base64 -d > /tmp/key
[ci skip] phase 5+6: update CI pipelines for SOPS, add sensitive=true to secret vars Phase 5 — CI pipelines: - default.yml: add SOPS decrypt in prepare step, change git add . to specific paths (stacks/ state/ .woodpecker/), cleanup on success+failure - renew-tls.yml: change git add . to git add secrets/ state/ Phase 6 — sensitive=true: - Add sensitive = true to 256 variable declarations across 149 stack files - Prevents secret values from appearing in terraform plan output - Does NOT modify shared modules (ingress_factory, nfs_volume) to avoid breaking module interface contracts Note: CI pipeline SOPS decryption requires sops_age_key Woodpecker secret to be created before the pipeline will work with SOPS. Until then, the old terraform.tfvars path continues to function.
2026-03-07 14:30:36 +00:00
- "git-crypt unlock /tmp/key && rm /tmp/key"
[ci skip] Add Woodpecker CI stack (WIP) and claude agents - Add stacks/woodpecker/ with Helm-based deployment config - Add .woodpecker/ CI pipeline configs (default, build-cli, renew-tls) - Add NFS export entry for woodpecker - Add .claude/agents/ definitions
2026-02-22 21:30:25 +00:00
- name: renew-tls
image: alpine
environment:
TECHNITIUM_API_KEY:
from_secret: TECHNITIUM_API_KEY
CLOUDFLARE_TOKEN:
from_secret: CLOUDFLARE_TOKEN
CLOUDFLARE_ZONE_ID:
from_secret: CLOUDFLARE_ZONE_ID
commands:
- "apk update && apk add certbot curl jq"
- "./modules/kubernetes/setup_tls_secret/renew2.sh"
- name: commit-certs
image: alpine
commands:
- "apk update && apk add openssh-client git git-crypt"
[ci skip] phase 5+6: update CI pipelines for SOPS, add sensitive=true to secret vars Phase 5 — CI pipelines: - default.yml: add SOPS decrypt in prepare step, change git add . to specific paths (stacks/ state/ .woodpecker/), cleanup on success+failure - renew-tls.yml: change git add . to git add secrets/ state/ Phase 6 — sensitive=true: - Add sensitive = true to 256 variable declarations across 149 stack files - Prevents secret values from appearing in terraform plan output - Does NOT modify shared modules (ingress_factory, nfs_volume) to avoid breaking module interface contracts Note: CI pipeline SOPS decryption requires sops_age_key Woodpecker secret to be created before the pipeline will work with SOPS. Until then, the old terraform.tfvars path continues to function.
2026-03-07 14:30:36 +00:00
- "mkdir -p ~/.ssh && ssh-keyscan -H github.com >> ~/.ssh/known_hosts"
[ci skip] Add Woodpecker CI stack (WIP) and claude agents - Add stacks/woodpecker/ with Helm-based deployment config - Add .woodpecker/ CI pipeline configs (default, build-cli, renew-tls) - Add NFS export entry for woodpecker - Add .claude/agents/ definitions
2026-02-22 21:30:25 +00:00
- "chmod 400 secrets/deploy_key"
[ci skip] phase 5+6: update CI pipelines for SOPS, add sensitive=true to secret vars Phase 5 — CI pipelines: - default.yml: add SOPS decrypt in prepare step, change git add . to specific paths (stacks/ state/ .woodpecker/), cleanup on success+failure - renew-tls.yml: change git add . to git add secrets/ state/ Phase 6 — sensitive=true: - Add sensitive = true to 256 variable declarations across 149 stack files - Prevents secret values from appearing in terraform plan output - Does NOT modify shared modules (ingress_factory, nfs_volume) to avoid breaking module interface contracts Note: CI pipeline SOPS decryption requires sops_age_key Woodpecker secret to be created before the pipeline will work with SOPS. Until then, the old terraform.tfvars path continues to function.
2026-03-07 14:30:36 +00:00
# Only add specific paths — never git add .
- "git add secrets/ state/ || true"
[ci skip] Add Woodpecker CI stack (WIP) and claude agents - Add stacks/woodpecker/ with Helm-based deployment config - Add .woodpecker/ CI pipeline configs (default, build-cli, renew-tls) - Add NFS export entry for woodpecker - Add .claude/agents/ definitions
2026-02-22 21:30:25 +00:00
- "git remote set-url origin git@github.com:ViktorBarzin/infra.git"
- "git commit -m 'Woodpecker CI Update TLS Certificates Commit' || echo 'No changes'"
- "GIT_SSH_COMMAND='ssh -i ./secrets/deploy_key -o IdentitiesOnly=yes' git pull --rebase origin master"
- "GIT_SSH_COMMAND='ssh -i ./secrets/deploy_key -o IdentitiesOnly=yes' git push origin master"
add Kyverno TLS secret sync + enhance renewal pipeline Kyverno ClusterPolicy clones tls-secret from kyverno namespace to all namespaces with synchronize=true. Renewal pipeline now updates the source secret via kubectl, verifies cert validity, and sends Slack notification.
2026-03-23 22:19:34 +02:00
- name: verify-cert
image: alpine
commands:
- "apk update && apk add openssl"
- "openssl x509 -checkend 604800 -noout -in secrets/fullchain.pem"
- "echo 'Certificate is valid for at least 7 more days'"
- name: update-tls-source-secret
fix(renew-tls): use alpine+curl for kubectl step to avoid permission denied bitnami/kubectl runs as non-root UID 1001, cannot read git-crypt decrypted secrets owned by root. Switch to alpine (runs as root) with kubectl downloaded directly.
2026-03-23 22:28:37 +02:00
image: alpine
add Kyverno TLS secret sync + enhance renewal pipeline Kyverno ClusterPolicy clones tls-secret from kyverno namespace to all namespaces with synchronize=true. Renewal pipeline now updates the source secret via kubectl, verifies cert validity, and sends Slack notification.
2026-03-23 22:19:34 +02:00
commands:
fix(renew-tls): use alpine+curl for kubectl step to avoid permission denied bitnami/kubectl runs as non-root UID 1001, cannot read git-crypt decrypted secrets owned by root. Switch to alpine (runs as root) with kubectl downloaded directly.
2026-03-23 22:28:37 +02:00
- "apk update && apk add curl"
- "curl -LO https://dl.k8s.io/release/v1.31.0/bin/linux/amd64/kubectl && chmod +x kubectl && mv kubectl /usr/local/bin/"
add Kyverno TLS secret sync + enhance renewal pipeline Kyverno ClusterPolicy clones tls-secret from kyverno namespace to all namespaces with synchronize=true. Renewal pipeline now updates the source secret via kubectl, verifies cert validity, and sends Slack notification.
2026-03-23 22:19:34 +02:00
- |
fix(renew-tls): update TLS secret in ALL namespaces, not just kyverno Kyverno generate+synchronize only manages secrets it created itself. Existing Terraform-managed secrets in ~70 namespaces weren't updated. Now loops through all namespaces and kubectl apply the new cert.
2026-03-23 22:36:22 +02:00
SECRET_YAML=$(kubectl create secret tls tls-secret \
add Kyverno TLS secret sync + enhance renewal pipeline Kyverno ClusterPolicy clones tls-secret from kyverno namespace to all namespaces with synchronize=true. Renewal pipeline now updates the source secret via kubectl, verifies cert validity, and sends Slack notification.
2026-03-23 22:19:34 +02:00
--cert=secrets/fullchain.pem --key=secrets/privkey.pem \
fix(renew-tls): update TLS secret in ALL namespaces, not just kyverno Kyverno generate+synchronize only manages secrets it created itself. Existing Terraform-managed secrets in ~70 namespaces weren't updated. Now loops through all namespaces and kubectl apply the new cert.
2026-03-23 22:36:22 +02:00
--namespace=placeholder --dry-run=client -o yaml)
for ns in $(kubectl get ns -o jsonpath='{.items[*].metadata.name}' | tr ' ' '\n' | grep -v '^kube-'); do
echo "$SECRET_YAML" | sed "s/namespace: placeholder/namespace: $ns/" | kubectl apply -f - 2>/dev/null || true
done
- "echo 'TLS secret updated in all namespaces'"
add Kyverno TLS secret sync + enhance renewal pipeline Kyverno ClusterPolicy clones tls-secret from kyverno namespace to all namespaces with synchronize=true. Renewal pipeline now updates the source secret via kubectl, verifies cert validity, and sends Slack notification.
2026-03-23 22:19:34 +02:00
- name: slack
image: curlimages/curl
commands:
- |
curl -s -X POST -H 'Content-type: application/json' \
--data "{\"channel\":\"general\",\"text\":\"Woodpecker CI: TLS certificate renewal ${CI_PIPELINE_STATUS}\"}" \
"$SLACK_WEBHOOK" || true
environment:
SLACK_WEBHOOK:
from_secret: slack_webhook
when:
status: [success, failure]
Reference in a new issue Copy permalink