From 5b24c8d437a03a548faa81d368ee20f68b90cd57 Mon Sep 17 00:00:00 2001
From: Viktor Barzin <viktorbarzin@meta.com>
Date: Sun, 15 Mar 2026 23:12:52 +0000
Subject: [PATCH] fix woodpecker sync: single $ in heredoc, alpine image for
 jq, port 80 not 8000

---
 stacks/woodpecker/main.tf | 48 +++++++++++++++++++--------------------
 1 file changed, 24 insertions(+), 24 deletions(-)

diff --git a/stacks/woodpecker/main.tf b/stacks/woodpecker/main.tf
index cad34908..3105e44a 100644
--- a/stacks/woodpecker/main.tf
+++ b/stacks/woodpecker/main.tf
@@ -277,51 +277,51 @@ resource "kubernetes_config_map" "vault_woodpecker_sync" {
       #!/bin/sh
       set -e
       VAULT_ADDR="http://vault-active.vault.svc.cluster.local:8200"
-      WP_API="http://woodpecker-server.woodpecker.svc.cluster.local:8000/api"
+      WP_API="http://woodpecker-server.woodpecker.svc.cluster.local/api"
 
       # Authenticate to Vault via K8s SA
-      SA_TOKEN=$$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
-      VAULT_TOKEN=$$(curl -sf -X POST "$$VAULT_ADDR/v1/auth/kubernetes/login" \
-        -d "{\"role\":\"woodpecker-sync\",\"jwt\":\"$$SA_TOKEN\"}" | jq -r .auth.client_token)
+      SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+      VAULT_TOKEN=$(curl -sf -X POST "$VAULT_ADDR/v1/auth/kubernetes/login" \
+        -d "{\"role\":\"woodpecker-sync\",\"jwt\":\"$SA_TOKEN\"}" | jq -r .auth.client_token)
 
-      if [ -z "$$VAULT_TOKEN" ] || [ "$$VAULT_TOKEN" = "null" ]; then
+      if [ -z "$VAULT_TOKEN" ] || [ "$VAULT_TOKEN" = "null" ]; then
         echo "ERROR: Failed to authenticate to Vault"
         exit 1
       fi
 
       # Get Woodpecker API token from Vault
-      WP_TOKEN=$$(curl -sf -H "X-Vault-Token: $$VAULT_TOKEN" \
-        "$$VAULT_ADDR/v1/secret/data/ci/global" | jq -r '.data.data.woodpecker_api_token // empty')
+      WP_TOKEN=$(curl -sf -H "X-Vault-Token: $VAULT_TOKEN" \
+        "$VAULT_ADDR/v1/secret/data/ci/global" | jq -r '.data.data.woodpecker_api_token // empty')
 
-      if [ -z "$$WP_TOKEN" ]; then
+      if [ -z "$WP_TOKEN" ]; then
         echo "ERROR: No woodpecker_api_token in secret/ci/global"
         exit 1
       fi
 
       # Sync global secrets
-      SECRETS=$$(curl -sf -H "X-Vault-Token: $$VAULT_TOKEN" \
-        "$$VAULT_ADDR/v1/secret/data/ci/global" | jq -r '.data.data | to_entries[] | select(.key != "woodpecker_api_token") | @base64')
+      SECRETS=$(curl -sf -H "X-Vault-Token: $VAULT_TOKEN" \
+        "$VAULT_ADDR/v1/secret/data/ci/global" | jq -r '.data.data | to_entries[] | select(.key != "woodpecker_api_token") | @base64')
 
       synced=0
-      for entry in $$SECRETS; do
-        NAME=$$(echo "$$entry" | base64 -d | jq -r .key)
-        VALUE=$$(echo "$$entry" | base64 -d | jq -r .value)
+      for entry in $SECRETS; do
+        NAME=$(echo "$entry" | base64 -d | jq -r .key)
+        VALUE=$(echo "$entry" | base64 -d | jq -r .value)
 
         # Try PATCH first (update), fall back to POST (create)
-        STATUS=$$(curl -sf -o /dev/null -w "%%{http_code}" -X PATCH "$$WP_API/secrets/$$NAME" \
-          -H "Authorization: Bearer $$WP_TOKEN" \
+        STATUS=$(curl -sf -o /dev/null -w "%%{http_code}" -X PATCH "$WP_API/secrets/$NAME" \
+          -H "Authorization: Bearer $WP_TOKEN" \
           -H "Content-Type: application/json" \
-          -d "{\"name\":\"$$NAME\",\"value\":\"$$VALUE\",\"events\":[\"push\",\"tag\",\"deployment\"]}" 2>/dev/null || echo "000")
+          -d "{\"name\":\"$NAME\",\"value\":\"$VALUE\",\"events\":[\"push\",\"tag\",\"deployment\"]}" 2>/dev/null || echo "000")
 
-        if [ "$$STATUS" != "200" ]; then
-          curl -sf -X POST "$$WP_API/secrets" \
-            -H "Authorization: Bearer $$WP_TOKEN" \
+        if [ "$STATUS" != "200" ]; then
+          curl -sf -X POST "$WP_API/secrets" \
+            -H "Authorization: Bearer $WP_TOKEN" \
             -H "Content-Type: application/json" \
-            -d "{\"name\":\"$$NAME\",\"value\":\"$$VALUE\",\"events\":[\"push\",\"tag\",\"deployment\"]}" > /dev/null
+            -d "{\"name\":\"$NAME\",\"value\":\"$VALUE\",\"events\":[\"push\",\"tag\",\"deployment\"]}" > /dev/null
         fi
-        synced=$$((synced + 1))
+        synced=$((synced + 1))
       done
-      echo "Synced $$synced global secrets from Vault to Woodpecker"
+      echo "Synced $synced global secrets from Vault to Woodpecker"
     SCRIPT
   }
 }
@@ -344,8 +344,8 @@ resource "kubernetes_cron_job_v1" "vault_secret_sync" {
           spec {
             container {
               name    = "sync"
-              image   = "curlimages/curl"
-              command = ["/bin/sh", "/scripts/sync.sh"]
+              image   = "alpine"
+              command = ["/bin/sh", "-c", "apk add --no-cache curl jq && /bin/sh /scripts/sync.sh"]
               volume_mount {
                 name       = "sync-script"
                 mount_path = "/scripts"