ci(woodpecker): generate kubeconfig from projected SA token

terragrunt.hcl injects -var kube_config_path=${repo_root}/config for every terraform invocation, but the pipeline never created that file. Every commit that touched a TF stack since #545 (2026-05-08) failed with 'config_path refers to an invalid path: \"../../config\": no such file or directory' followed by the kubernetes provider falling back to localhost:80. Add a step that writes a kubeconfig at <repo>/config using the projected SA token + cluster CA. The woodpecker namespace's default SA is already cluster-admin (woodpecker-default ClusterRoleBinding), so the projected token is sufficient for any stack apply. Using tokenFile (not an inline token) lets the provider re-read it if kubelet rotates the projected token mid-pipeline. #545 was the last green run because that commit only changed the build-cli pipeline — 0 stacks applied so the missing kubeconfig never mattered.
2026-05-09 11:26:47 +00:00 · 2026-05-09 11:26:47 +00:00 · ce45e69e38
commit ce45e69e38
parent 9c1df3ad96
1 changed files with 32 additions and 0 deletions
--- a/.woodpecker/default.yml
+++ b/.woodpecker/default.yml
@ -73,6 +73,38 @@ steps:
        # the env var is unset.
        umask 077; printf '%s' "$VAULT_TOKEN" > "$HOME/.vault-token"

+      # ── Generate kubeconfig from projected SA token ──
+      # terragrunt.hcl injects `-var kube_config_path=<repo>/config` for every
+      # terraform invocation, so we need a kubeconfig file at that path. The
+      # `default` SA in the woodpecker namespace is cluster-admin (via the
+      # `woodpecker-default` ClusterRoleBinding), so the projected token is
+      # sufficient to apply any stack. Using `tokenFile` (not an inline token)
+      # so the provider re-reads it if kubelet rotates the projected token
+      # mid-pipeline.
+      - |
+        cat > config <<'EOF'
+        apiVersion: v1
+        kind: Config
+        clusters:
+          - name: kubernetes
+            cluster:
+              server: https://10.0.20.100:6443
+              certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+        contexts:
+          - name: ci
+            context:
+              cluster: kubernetes
+              user: ci
+        current-context: ci
+        users:
+          - name: ci
+            user:
+              tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+        EOF
+        chmod 600 config
+        # Sanity check: kubeconfig works
+        kubectl --kubeconfig=config get ns kube-system -o name >/dev/null
+
      # ── Detect changed stacks ──
      - |
        PLATFORM_STACKS="dbaas authentik crowdsec monitoring nvidia mailserver cloudflared kyverno metallb redis traefik technitium headscale rbac k8s-portal vaultwarden reverse-proxy metrics-server vpa nfs-csi iscsi-csi cnpg sealed-secrets uptime-kuma wireguard xray infra-maintenance platform vault reloader descheduler external-secrets"