From a72590db7d2d2dc01f755d9ebdebb84e5c57f71f Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Fri, 15 May 2026 22:47:45 +0000
Subject: [PATCH] recruiter-responder: vault DB role + switch proactive push to Telegram

- stacks/vault/main.tf: register pg-recruiter-responder static role on the postgresql connection (7d password rotation). Adds the role to allowed_roles and creates vault_database_secret_backend_static_role for `recruiter_responder` user.
- stacks/recruiter-responder/main.tf: drop TASK_WEBHOOK_URL env, swap TASK_WEBHOOK_TOKEN secret for TELEGRAM_BOT_TOKEN + TELEGRAM_CHAT_ID. Updated header doc.

Co-Authored-By: Claude Opus 4.7
---
 stacks/recruiter-responder/main.tf | 14 ++++++--------
 stacks/vault/main.tf | 9 +++++++++
 2 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/stacks/recruiter-responder/main.tf b/stacks/recruiter-responder/main.tf
index f8685567..cbc74a7f 100644
--- a/stacks/recruiter-responder/main.tf
+++ b/stacks/recruiter-responder/main.tf
@@ -38,8 +38,9 @@ resource "kubernetes_namespace" "recruiter_responder" {
 # imap_spam_pass — IMAP password for spam@
 # smtp_password — SMTP password for me@viktorbarzin.me
 # claude_agent_token — Bearer for claude-agent-service (Tier-2)
-# task_webhook_token — Bearer for OpenClaw task-webhook (optional;
-# empty allowed if task-webhook is unauthed)
+# telegram_bot_token — Bot token for @ViktorBarzinOpenClawBot
+# (same as secret/openclaw.telegram_bot_token)
+# telegram_chat_id — Viktor's Telegram chat id (8281953845)
 #
 # Schema in CNPG: `recruiter_responder` (alembic creates on first migrate).
 # DB user: created via Vault database engine — see static-creds/pg-recruiter-responder.
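Review bot: The new `telegram_chat_id` comment line spells out the chat id value (8281953845) even though that value is sourced from Vault and injected through the ExternalSecret, so the comment is now a second, uncontrolled copy of what the secret holds and will drift silently when the id changes. I'd keep the comment to the key's meaning, e.g. `# telegram_chat_id — Telegram chat id the bot pushes to (value lives only in Vault)`. The `(same as secret/openclaw.telegram_bot_token)` line also records that one bot token is shared between openclaw and recruiter-responder; if that is intentional it is worth saying so explicitly, since rotating or revoking the token for one service now affects both.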
@@ -75,7 +76,8 @@ resource "kubernetes_manifest" "external_secret" {
 { secretKey = "IMAP_SPAM_PASS", remoteRef = { key = "recruiter-responder", property = "imap_spam_pass" } },
 { secretKey = "SMTP_PASSWORD", remoteRef = { key = "recruiter-responder", property = "smtp_password" } },
 { secretKey = "CLAUDE_AGENT_TOKEN", remoteRef = { key = "recruiter-responder", property = "claude_agent_token" } },
- { secretKey = "TASK_WEBHOOK_TOKEN", remoteRef = { key = "recruiter-responder", property = "task_webhook_token" } },
+ { secretKey = "TELEGRAM_BOT_TOKEN", remoteRef = { key = "recruiter-responder", property = "telegram_bot_token" } },
+ { secretKey = "TELEGRAM_CHAT_ID", remoteRef = { key = "recruiter-responder", property = "telegram_chat_id" } },
 ]
 }
 }
@@ -240,11 +242,7 @@ resource "kubernetes_deployment" "recruiter_responder" {
 name = "CLAUDE_AGENT_URL"
 value = "http://claude-agent-service.claude-agent.svc.cluster.local:8080"
 }
- # OpenClaw proactive push
- env {
- name = "TASK_WEBHOOK_URL"
- value = "http://task-webhook.openclaw.svc.cluster.local"
- }
+ # Telegram bot (no URL env needed — token in secret)
 
 readiness_probe {
 http_get {
diff --git a/stacks/vault/main.tf b/stacks/vault/main.tf
index 4433be3e..f6a4f5d6 100644
--- a/stacks/vault/main.tf
+++ b/stacks/vault/main.tf
@@ -577,6 +577,7 @@ resource "vault_database_secret_backend_connection" "postgresql" {
 "pg-terraform-state", "pg-payslip-ingest", "pg-job-hunter", "pg-wealthfolio-sync", "pg-fire-planner", "pg-postiz", "pg-instagram-poster",
+ "pg-recruiter-responder",
 ]
 postgresql {
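Review bot: In the `@@ -240,11 +242,7 @@` hunk the replacement line `# Telegram bot (no URL env needed — token in secret)` is a comment with no code under it, and it does not say how the deployment actually receives TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID; whatever loads the ExternalSecret-managed secret into the container is outside this hunk, so a reader at this spot cannot confirm the wiring. Either drop the orphan comment or make it point at the mechanism, e.g. `# Telegram bot: TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID are injected from the recruiter-responder secret, no URL env needed` — adjust the reference to whatever block in this resource supplies them. The enclosing `kubernetes_deployment` resource starts and ends outside the hunk.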
@@ -765,6 +766,14 @@ resource "vault_database_secret_backend_static_role" "pg_instagram_poster" {
 rotation_period = 604800
 }
 
+resource "vault_database_secret_backend_static_role" "pg_recruiter_responder" {
+ backend = vault_mount.database.path
+ db_name = vault_database_secret_backend_connection.postgresql.name
+ name = "pg-recruiter-responder"
+ username = "recruiter_responder"
+ rotation_period = 604800
+}
+
 # =============================================================================
 # Kubernetes Secrets Engine — Dynamic K8s Credentials
 # =============================================================================
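Review bot: As far as I know a Vault database static role rotates the password of an already-existing database user and does not create it, so `recruiter_responder` must exist in CNPG before the first rotation or creating this role will error; nothing in this commit creates that user, and the header comment in the other file ("DB user: created via Vault database engine") may mislead the next person into assuming this resource does. Worth a comment on the resource, e.g. `# Password rotation only — the recruiter_responder DB user must already exist in CNPG`. Also, `rotation_period = 604800` is the same bare literal as on the preceding `pg_instagram_poster` role; a `# 7 days` comment, or one shared local used by all the static roles, would make the intent readable.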