viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 2

[forgejo] Tolerate missing Vault keys during Phase 0 bootstrap

Browse source 
Wrap the three new Vault key reads in try(...) so the first apply
succeeds even when forgejo_pull_token / forgejo_cleanup_token /
secret/ci/global haven't been populated yet. Without this, CI
auto-apply blocks on the very push that introduces the references —
chicken-and-egg with the runbook order (which is: apply Forgejo bumps,
then create users + PATs, then apply the rest).

Empty tokens are intentionally visible-broken (auth fails, probe
reports auth failure, cleanup CronJob errors) — that's the signal
to run the bootstrap runbook. Subsequent apply picks up the real
values.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-05-07 15:53:08 +00:00
parent 5d22b449f9
commit 6d5204db10
3 changed files with 14 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

5
stacks/forgejo/cleanup.tf
View file

@ -35,7 +35,10 @@ resource "kubernetes_secret" "forgejo_cleanup_token" {
} }
type = "Opaque" type = "Opaque"
data = { data = {
FORGEJO_TOKEN = data.vault_kv_secret_v2.forgejo_viktor.data["forgejo_cleanup_token"] # try() so the apply succeeds before the Vault key is populated during
# Phase 0 bootstrap (see docs/runbooks/forgejo-registry-setup.md). Empty
# token causes the cleanup CronJob to fail visibly that's intended.
FORGEJO_TOKEN = try(data.vault_kv_secret_v2.forgejo_viktor.data["forgejo_cleanup_token"], "")
} }
} }

5
stacks/kyverno/modules/kyverno/registry-credentials.tf
View file

@ -32,8 +32,11 @@ resource "kubernetes_secret" "registry_credentials" {
# Forgejo OCI registry read-only PAT for the cluster-puller service # Forgejo OCI registry read-only PAT for the cluster-puller service
# account user. Pushes go through ci-pusher (separate PAT in Vault # account user. Pushes go through ci-pusher (separate PAT in Vault
# secret/ci/global, surfaced to Woodpecker). # secret/ci/global, surfaced to Woodpecker).
# try() lets the apply succeed before the Vault key is populated
# during Phase 0 bootstrap (see docs/runbooks/forgejo-registry-setup.md).
# The cluster has no consumers yet broken creds are visible but harmless.
"forgejo.viktorbarzin.me" = { "forgejo.viktorbarzin.me" = {
auth = base64encode("cluster-puller:${data.vault_kv_secret_v2.viktor.data["forgejo_pull_token"]}") auth = base64encode("cluster-puller:${try(data.vault_kv_secret_v2.viktor.data["forgejo_pull_token"], "")}")
} }
} }
}) })

8
stacks/monitoring/main.tf
View file

@ -33,6 +33,10 @@ module "monitoring" {
kube_config_path = var.kube_config_path kube_config_path = var.kube_config_path
registry_user = data.vault_kv_secret_v2.viktor.data["registry_user"] registry_user = data.vault_kv_secret_v2.viktor.data["registry_user"]
registry_password = data.vault_kv_secret_v2.viktor.data["registry_password"] registry_password = data.vault_kv_secret_v2.viktor.data["registry_password"]
forgejo_pull_token = data.vault_kv_secret_v2.viktor.data["forgejo_pull_token"] # try() so apply succeeds before the Vault key is populated during Phase 0
tier = local.tiers.cluster # bootstrap (see docs/runbooks/forgejo-registry-setup.md). Empty token =
# probe will report an auth failure and fire RegistryCatalogInaccessible
# that's the intended visible-broken state until the PAT is created.
forgejo_pull_token = try(data.vault_kv_secret_v2.viktor.data["forgejo_pull_token"], "")
tier = local.tiers.cluster
} }