tripit: wire planner subsystem (merged trip-planner) secrets + Slack webhook ingress

- ExternalSecret gains SLACK_SIGNING_SECRET / TREK_USER / TREK_PASSWORD /
  CLAUDE_AGENT_TOKEN (SLACK_BOT_TOKEN reused from nudges).
- New auth=none ingress carve-out /api/planner/slack (Slack v0 signature-gated,
  same pattern as the calendar + emails-confirm carve-outs).
- Remove the superseded standalone stacks/trip-planner (merged into tripit per
  the "future travel logic goes in tripit" policy).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Viktor Barzin 2026-06-08 09:26:21 +00:00
parent 838343184b
commit 7501ea286b
4 changed files with 25 additions and 299 deletions


@ -143,6 +143,12 @@ resource "kubernetes_manifest" "external_secret" {
{ secretKey = "AERODATABOX_API_KEY", remoteRef = { key = "tripit", property = "AERODATABOX_API_KEY" } },
# UK rail status Realtime Trains (data.rtt.io) long-life refresh token.
{ secretKey = "RTT_API_TOKEN", remoteRef = { key = "tripit", property = "RTT_API_TOKEN" } },
# Planner subsystem (merged trip-planner): Slack v0-signature secret + TREK
# creds + claude-agent token. SLACK_BOT_TOKEN above is reused (nudges + planner).
{ secretKey = "SLACK_SIGNING_SECRET", remoteRef = { key = "tripit", property = "SLACK_SIGNING_SECRET" } },
{ secretKey = "TREK_USER", remoteRef = { key = "tripit", property = "TREK_USER" } },
{ secretKey = "TREK_PASSWORD", remoteRef = { key = "tripit", property = "TREK_PASSWORD" } },
{ secretKey = "CLAUDE_AGENT_TOKEN", remoteRef = { key = "tripit", property = "CLAUDE_AGENT_TOKEN" } },
]
}
}
@ -676,3 +682,22 @@ module "ingress_emails_confirm" {
port = 8080
tls_secret_name = var.tls_secret_name
}
# Planner Slack webhook carve-out: POST /api/planner/slack/{events,interactions,commands}
# is gated by Slack v0 HMAC signature verification (SLACK_SIGNING_SECRET) in-app, not
# Authentik Slack posts events server-to-server and can't do the forward-auth dance.
module "ingress_planner_slack" {
source = "../../modules/kubernetes/ingress_factory"
# auth = "none": Slack Events/Interactivity webhooks are gated by Slack v0
# signature verification in-app (SLACK_SIGNING_SECRET), not Authentik.
auth = "none"
anti_ai_scraping = false
dns_type = "none" # main `module.ingress` owns the DNS record for this host
namespace = kubernetes_namespace.tripit.metadata[0].name
name = "tripit-planner-slack"
service_name = "tripit"
full_host = "tripit.viktorbarzin.me"
ingress_path = ["/api/planner/slack"]
port = 8080
tls_secret_name = var.tls_secret_name
}
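Review bot: The new `ingress_planner_slack` carve-out serves everything under `ingress_path = ["/api/planner/slack"]` with `auth = "none"`, and since the comment lists three sub-routes it is presumably a prefix match, so any route the app later mounts under that prefix is also exposed without Authentik; the module should say so explicitly, e.g. `# Every route under this prefix bypasses Authentik: the app MUST verify the Slack v0 signature (and the X-Slack-Request-Timestamp freshness window) before doing any work.` The header comment at the top of the module is also missing a sentence break ("not Authentik Slack posts events" should read "not Authentik. Slack posts events …"), and it says the same thing as the `auth = "none"` comment two lines later; folding the two into one comment keeps the rationale in one place. Whether the in-app check also rejects stale timestamps is not visible in this commit, so that part of the contract should be confirmed against the application code.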