From 70ea1cf6fd13079b03a8b9aa204756dd12c87ccb Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Thu, 7 May 2026 15:53:08 +0000
Subject: [PATCH] [forgejo] Tolerate missing Vault keys during Phase 0 bootstrap
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Wrap the three new Vault key reads in try(...) so the first apply succeeds even when forgejo_pull_token / forgejo_cleanup_token / secret/ci/global haven't been populated yet. Without this, CI auto-apply blocks on the very push that introduces the references — chicken-and-egg with the runbook order (which is: apply Forgejo bumps, then create users + PATs, then apply the rest). Empty tokens are intentionally visible-broken (auth fails, probe reports auth failure, cleanup CronJob errors) — that's the signal to run the bootstrap runbook. Subsequent apply picks up the real values.

Co-Authored-By: Claude Opus 4.7
---
 stacks/forgejo/cleanup.tf | 5 ++++-
 stacks/kyverno/modules/kyverno/registry-credentials.tf | 5 ++++-
 stacks/monitoring/main.tf | 8 ++++++--
 3 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/stacks/forgejo/cleanup.tf b/stacks/forgejo/cleanup.tf
index 6b180089..add332d3 100644
--- a/stacks/forgejo/cleanup.tf
+++ b/stacks/forgejo/cleanup.tf
@@ -35,7 +35,10 @@ resource "kubernetes_secret" "forgejo_cleanup_token" {
   }
   type = "Opaque"
   data = {
-    FORGEJO_TOKEN = data.vault_kv_secret_v2.forgejo_viktor.data["forgejo_cleanup_token"]
+    # try() so the apply succeeds before the Vault key is populated during
+    # Phase 0 bootstrap (see docs/runbooks/forgejo-registry-setup.md). Empty
+    # token causes the cleanup CronJob to fail visibly — that's intended.
+    FORGEJO_TOKEN = try(data.vault_kv_secret_v2.forgejo_viktor.data["forgejo_cleanup_token"], "")
   }
 }
diff --git a/stacks/kyverno/modules/kyverno/registry-credentials.tf b/stacks/kyverno/modules/kyverno/registry-credentials.tf
index 6d55f005..18949cad 100644
--- a/stacks/kyverno/modules/kyverno/registry-credentials.tf
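Review bot: The `try(..., "")` fallback on the new `FORGEJO_TOKEN` line is permanent, so after bootstrap a renamed or deleted Vault key silently turns a working token into an empty one — the plan only shows a sensitive value changing, with nothing naming the cause; the same applies to the `forgejo_pull_token` reads in registry-credentials.tf and monitoring/main.tf. Since the commit intends the empty value as the bootstrap signal, it is worth emitting that signal at plan time as well as at runtime: a `check` block (Terraform 1.5+, if that is the version in use) asserting the key is non-empty produces a warning without blocking the first apply. `lookup(data.vault_kv_secret_v2.forgejo_viktor.data, "forgejo_cleanup_token", "")` would also state the tolerated condition — an absent key — more narrowly than `try()`, which falls back on any error in the expression. The enclosing `kubernetes_secret` resource starts before the hunk.
```hcl
# … unchanged: resource "kubernetes_secret" "forgejo_cleanup_token" { … } …

# Plan-time signal that Phase 0 bootstrap is incomplete; a warning, not a failure.
check "forgejo_cleanup_token_populated" {
  assert {
    condition     = lookup(data.vault_kv_secret_v2.forgejo_viktor.data, "forgejo_cleanup_token", "") != ""
    error_message = "Vault key forgejo_cleanup_token is empty — Phase 0 bootstrap incomplete; see docs/runbooks/forgejo-registry-setup.md."
  }
}
```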
+++ b/stacks/kyverno/modules/kyverno/registry-credentials.tf
@@ -32,8 +32,11 @@ resource "kubernetes_secret" "registry_credentials" {
       # Forgejo OCI registry — read-only PAT for the cluster-puller service
       # account user. Pushes go through ci-pusher (separate PAT in Vault
       # secret/ci/global, surfaced to Woodpecker).
+      # try() lets the apply succeed before the Vault key is populated
+      # during Phase 0 bootstrap (see docs/runbooks/forgejo-registry-setup.md).
+      # The cluster has no consumers yet — broken creds are visible but harmless.
       "forgejo.viktorbarzin.me" = {
-        auth = base64encode("cluster-puller:${data.vault_kv_secret_v2.viktor.data["forgejo_pull_token"]}")
+        auth = base64encode("cluster-puller:${try(data.vault_kv_secret_v2.viktor.data["forgejo_pull_token"], "")}")
       }
     }
   })
diff --git a/stacks/monitoring/main.tf b/stacks/monitoring/main.tf
index b222e226..3951e4e5 100644
--- a/stacks/monitoring/main.tf
+++ b/stacks/monitoring/main.tf
@@ -33,6 +33,10 @@ module "monitoring" {
   kube_config_path = var.kube_config_path
   registry_user = data.vault_kv_secret_v2.viktor.data["registry_user"]
   registry_password = data.vault_kv_secret_v2.viktor.data["registry_password"]
-  forgejo_pull_token = data.vault_kv_secret_v2.viktor.data["forgejo_pull_token"]
-  tier = local.tiers.cluster
+  # try() so apply succeeds before the Vault key is populated during Phase 0
+  # bootstrap (see docs/runbooks/forgejo-registry-setup.md). Empty token =
+  # probe will report an auth failure and fire RegistryCatalogInaccessible —
+  # that's the intended visible-broken state until the PAT is created.
+  forgejo_pull_token = try(data.vault_kv_secret_v2.viktor.data["forgejo_pull_token"], "")
+  tier = local.tiers.cluster
 }
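Review bot: The new comment's justification — `The cluster has no consumers yet — broken creds are visible but harmless` — holds for Phase 0 only, while the `try(..., "")` beneath it stays in place after bootstrap, when workloads do pull from this registry and an absent key would hand them `cluster-puller:` with an empty password and break image pulls. Reword it so the next reader does not take the fallback as generally safe, e.g. `# Harmless only during Phase 0; once workloads pull from this registry an absent key breaks image pulls — treat an empty token appearing in a plan as a bootstrap/Vault regression, not noise.` The enclosing `kubernetes_secret` resource and the expression closed by `})` start before the hunk.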