From 26ef97d294c06e591f525632f96b4b36583794ab Mon Sep 17 00:00:00 2001 
From: Viktor Barzin Date: Sun, 19 Apr 2026 13:23:12 +0000 Subject: [PATCH] [claude-agent-service] Add WOODPECKER_API_TOKEN + SLACK_WEBHOOK_URL env vars MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Context Companion fix to 2026-04-19's service-upgrade spec refactor. The agent pod has no Vault CLI auth (no VAULT_TOKEN, port 8200 refused), so every `vault kv get` in the spec returned empty: - `WOODPECKER_TOKEN=""` → 401 on /api/repos/1/pipelines → agent can't find its pipeline → 15m poll timeout → rollback loop → >30m cap. - `SLACK_WEBHOOK=""` → webhook POST to empty URL → no Slack messages for 3+ days (the surface symptom that kicked off bd code-3o3). ## This change Extends the `claude-agent-secrets` ExternalSecret with two more keys, making them available to the agent via `envFrom`: - `WOODPECKER_API_TOKEN` ← `secret/ci/global.woodpecker_api_token` (already used by the vault-woodpecker-sync CronJob, same key) - `SLACK_WEBHOOK_URL` ← `secret/viktor.alertmanager_slack_api_url` (shared webhook also consumed by Alertmanager) Pairs with commit a5963169 which refactored service-upgrade.md to read these env vars directly instead of shelling out to `vault kv get`. ## What is NOT in this change - REGISTRY_USER / REGISTRY_PASSWORD — not needed on the agent side. The separate `.woodpecker/build-cli.yml` fix (bd code-3o3 fix C) will add those to `secret/ci/global` for the vault-woodpecker-sync CronJob to publish as Woodpecker secrets, not here. ## Test Plan ### Automated `terraform plan` reported `Plan: 0 to add, 2 to change, 0 to destroy` (ExternalSecret + a cosmetic `tier` label drop on the Deployment). Applied cleanly. ### Manual Verification ``` $ kubectl -n claude-agent get externalsecret claude-agent-secrets \ -o jsonpath='{.status.conditions[?(@.type=="Ready")].message}' secret synced $ kubectl -n claude-agent exec deploy/claude-agent-service -- sh -c \ 'echo "WP=${WOODPECKER_API_TOKEN:0:20}... 
SLACK=${SLACK_WEBHOOK_URL:0:40}..."' WP=eyJhbGciOiJIUzI1NiIs... SLACK=https://hooks.slack.com/services/T02SV75... $ kubectl -n claude-agent rollout status deploy/claude-agent-service deployment "claude-agent-service" successfully rolled out ``` Next step: fire one synthetic DIUN webhook to confirm the agent reaches Slack + lands a commit + exits cleanly, completing code-3o3. Refs: bd code-3o3 Co-Authored-By: Claude Opus 4.7 (1M context) --- stacks/claude-agent-service/main.tf | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/stacks/claude-agent-service/main.tf b/stacks/claude-agent-service/main.tf index abde491c..598572ee 100644 --- a/stacks/claude-agent-service/main.tf +++ b/stacks/claude-agent-service/main.tf @@ -78,6 +78,25 @@ resource "kubernetes_manifest" "external_secret" { property = "claude_oauth_token" } }, + { + # Consumed by service-upgrade agent to poll ci.viktorbarzin.me + # per-workflow status. Pod has no Vault CLI auth, so the old + # `vault kv get` path is dead — see bd code-3o3. + secretKey = "WOODPECKER_API_TOKEN" + remoteRef = { + key = "ci/global" + property = "woodpecker_api_token" + } + }, + { + # Consumed by service-upgrade agent for Start/Success/Failure + # notifications. Same shared webhook as alertmanager. + secretKey = "SLACK_WEBHOOK_URL" + remoteRef = { + key = "viktor" + property = "alertmanager_slack_api_url" + } + }, ] } }
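Review bot: the second entry grants the agent a write-capable credential for what its own comment describes as a read-only use. `key = "ci/global"` / `property = "woodpecker_api_token"` is, per the commit message, the same token the vault-woodpecker-sync CronJob uses to publish Woodpecker secrets, so anything that reads the agent pod's environment (it is exposed through `envFrom`, and the commit message says the agent also shells out and lands commits) can rewrite CI secrets rather than merely poll `/api/repos/<id>/pipelines`. Prefer a dedicated token for a least-privileged Woodpecker user, or at minimum a separate Vault property so the two consumers can be rotated independently. The same reasoning applies to the third entry's `property = "alertmanager_slack_api_url"`: sharing one incoming webhook with Alertmanager means a leak from the agent forces a rotation that also breaks alert delivery, whereas a per-consumer webhook costs nothing and limits the blast radius. One unrelated observation from the test plan: `terraform plan` reported a Deployment change (the `tier` label drop) that this diff does not contain, so either there was pre-existing drift or an unrelated local edit was applied together with this one; that should be explained in the message or landed as its own commit.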
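The Context section traces both outages to the same silent failure mode: an empty `WOODPECKER_TOKEN` produced a 401 and a fifteen-minute poll timeout, and an empty `SLACK_WEBHOOK` produced POSTs to an empty URL that nobody noticed for days. The preflight below is an added example written for this page, not code from the patch or from the claude-agent-service repository, and it assumes helper names of its own; it checks the two variables the ExternalSecret now injects before the agent does any polling, so a missing or malformed value aborts immediately with a readable reason instead of a rollback loop. The JWT shape check only mirrors the `eyJ...` prefix visible in the manual verification output and is an assumption about the token format.

```shell
#!/bin/sh
# Added example, not code from the patch or the claude-agent-service repo.
# Fail-fast preflight for the two env vars the agent receives via envFrom.
# An empty value is exactly the failure the commit message describes
# (401 from Woodpecker, POST to an empty webhook URL), so check before
# polling. Helper names and the shape checks are assumptions; the JWT check
# only mirrors the "eyJ..." prefix shown in the test plan.

# redact VALUE: first 8 characters plus "...", safe to put in a log line.
redact() {
  printf '%.8s...' "$1"
}

# check_woodpecker_token TOKEN: non-empty and shaped like a three-part JWT.
check_woodpecker_token() {
  tok=$1
  if [ -z "$tok" ]; then
    echo "preflight: WOODPECKER_API_TOKEN is empty (would 401 on /api/repos/*/pipelines)" >&2
    return 1
  fi
  case "$tok" in
    eyJ*.*.*) return 0 ;;
    *) echo "preflight: WOODPECKER_API_TOKEN does not look like a JWT: $(redact "$tok")" >&2
       return 1 ;;
  esac
}

# check_slack_webhook URL: non-empty and an https Slack incoming-webhook URL.
check_slack_webhook() {
  url=$1
  if [ -z "$url" ]; then
    echo "preflight: SLACK_WEBHOOK_URL is empty (notifications would be POSTed to \"\")" >&2
    return 1
  fi
  case "$url" in
    https://hooks.slack.com/services/*) return 0 ;;
    *) echo "preflight: SLACK_WEBHOOK_URL is not a Slack incoming webhook: $(redact "$url")" >&2
       return 1 ;;
  esac
}

# preflight: run both checks against the environment. The exit status is the
# number of failing checks, so the caller can abort before the poll loop
# starts and still see every problem in one run.
preflight() {
  failures=0
  check_woodpecker_token "${WOODPECKER_API_TOKEN:-}" || failures=$((failures + 1))
  check_slack_webhook "${SLACK_WEBHOOK_URL:-}" || failures=$((failures + 1))
  return "$failures"
}
```

A `preflight || exit $?` at the top of the agent's entrypoint turns the "empty secret" case into an immediate, attributable failure in the pod log, and `redact` keeps the partial values that appear in those messages to a prefix that, for a JWT, is only the header. The checks deliberately use `${VAR:-}` and `case` patterns so they run under plain `/bin/sh`, unlike the bash-only `${VAR:0:20}` substring used in the manual verification above.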