From e883c9d63f16f98367b7256202c6d873025e8cb0 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sat, 9 May 2026 11:31:53 +0000
Subject: [PATCH] ci(drift-detection): generate kubeconfig from projected SA token
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Same fix as default.yml — drift-detection cron also runs terragrunt plan on every stack, which requires the kubeconfig at /config that terragrunt.hcl injects via -var kube_config_path. Pipeline #547 (latest scheduled drift-detection run) failed with the same 'config_path refers to an invalid path' error.
---
 .woodpecker/drift-detection.yml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/.woodpecker/drift-detection.yml b/.woodpecker/drift-detection.yml
index 438c408c..38cc60b9 100644
--- a/.woodpecker/drift-detection.yml
+++ b/.woodpecker/drift-detection.yml
@@ -41,6 +41,34 @@ steps:
 export VAULT_TOKEN=$(curl -s -X POST "$VAULT_ADDR/v1/auth/kubernetes/login" \
 -d "{\"role\":\"ci\",\"jwt\":\"$SA_TOKEN\"}" | jq -r .auth.client_token)
+ # ── Generate kubeconfig from projected SA token ──
+ # See default.yml for rationale. terragrunt.hcl injects
+ # `-var kube_config_path=/config` for every terraform invocation,
+ # so we need a kubeconfig file at that path. The woodpecker default SA
+ # is cluster-admin, so the projected token is sufficient.
+ - |
+ cat > config <<'EOF'
+ apiVersion: v1
+ kind: Config
+ clusters:
+ - name: kubernetes
+ cluster:
+ server: https://10.0.20.100:6443
+ certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ contexts:
+ - name: ci
+ context:
+ cluster: kubernetes
+ user: ci
+ current-context: ci
+ users:
+ - name: ci
+ user:
+ tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+ EOF
+ chmod 600 config
+ kubectl --kubeconfig=config get ns kube-system -o name >/dev/null
+
 # ── Run terraform plan on all stacks ──
 # Emits two timestamps per drifted stack so the Pushgateway/Prometheus
 # side can compute drift-age-hours via `time() - drift_stack_first_seen`.
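Review bot: The heredoc writes the kubeconfig to `config`, a path relative to the step's working directory, while the comment above the step and the commit message both say terragrunt is handed `-var kube_config_path=/config`; unless the workspace is mounted at `/`, the file terragrunt resolves is not the one this step verifies with `kubectl --kubeconfig=config`, and the enclosing step's `commands` list starts above the hunk so the working directory cannot be confirmed here. If default.yml relies on the same relative path and is known to work, a one-line comment saying so (`# written relative to the workspace; terragrunt.hcl resolves /config against it`) would spare the next reader the same question; otherwise write and check the absolute path, `cat > /config <<'EOF'` and `kubectl --kubeconfig=/config get ns kube-system -o name >/dev/null`. The API server is hard-coded as `https://10.0.20.100:6443` inside a quoted heredoc, whereas a pod that already reads the projected token from `/var/run/secrets/kubernetes.io/serviceaccount/` should also have `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` set, so an unquoted heredoc with `server: https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}` would follow the control plane without pipeline edits. The comment states the token belongs to a cluster-admin SA although this step only runs a plan, so a read-only service account for the drift cron would be the natural least-privilege follow-up; the `chmod 600` is harmless but the file itself holds only paths, not the token.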