infra/stacks/claude-agent-service
Viktor Barzin 26ef97d294 [claude-agent-service] Add WOODPECKER_API_TOKEN + SLACK_WEBHOOK_URL env vars
## Context
Companion fix to 2026-04-19's service-upgrade spec refactor. The agent
pod has no Vault CLI auth (no VAULT_TOKEN, port 8200 refused), so every
`vault kv get` in the spec returned empty:
  - `WOODPECKER_TOKEN=""` → 401 on /api/repos/1/pipelines → agent can't
    find its pipeline → 15m poll timeout → rollback loop → >30m cap.
  - `SLACK_WEBHOOK=""` → webhook POST to empty URL → no Slack messages
    for 3+ days (the surface symptom that kicked off bd code-3o3).

## This change
Extends the `claude-agent-secrets` ExternalSecret with two more keys,
making them available to the agent via `envFrom`:
  - `WOODPECKER_API_TOKEN` ← `secret/ci/global.woodpecker_api_token`
    (already used by the vault-woodpecker-sync CronJob, same key)
  - `SLACK_WEBHOOK_URL` ← `secret/viktor.alertmanager_slack_api_url`
    (shared webhook also consumed by Alertmanager)

Pairs with commit a5963169 which refactored service-upgrade.md to read
these env vars directly instead of shelling out to `vault kv get`.

## What is NOT in this change
- REGISTRY_USER / REGISTRY_PASSWORD — not needed on the agent side.
  The separate `.woodpecker/build-cli.yml` fix (bd code-3o3 fix C)
  will add those to `secret/ci/global` for the vault-woodpecker-sync
  CronJob to publish as Woodpecker secrets, not here.

## Test Plan
### Automated
`terraform plan` reported `Plan: 0 to add, 2 to change, 0 to destroy`
(ExternalSecret + a cosmetic `tier` label drop on the Deployment).
Applied cleanly.

### Manual Verification
```
$ kubectl -n claude-agent get externalsecret claude-agent-secrets \
    -o jsonpath='{.status.conditions[?(@.type=="Ready")].message}'
secret synced

$ kubectl -n claude-agent exec deploy/claude-agent-service -- sh -c \
    'echo "WP=${WOODPECKER_API_TOKEN:0:20}... SLACK=${SLACK_WEBHOOK_URL:0:40}..."'
WP=eyJhbGciOiJIUzI1NiIs... SLACK=https://hooks.slack.com/services/T02SV75...

$ kubectl -n claude-agent rollout status deploy/claude-agent-service
deployment "claude-agent-service" successfully rolled out
```

Next step: fire one synthetic DIUN webhook to confirm the agent reaches
Slack + lands a commit + exits cleanly, completing code-3o3.

Refs: bd code-3o3

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-19 13:23:12 +00:00
main.tf [claude-agent-service] Add WOODPECKER_API_TOKEN + SLACK_WEBHOOK_URL env vars 2026-04-19 13:23:12 +00:00
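
The failure mode in the commit message (an empty `WOODPECKER_API_TOKEN` or `SLACK_WEBHOOK_URL` that surfaces only as a 401 or a silent webhook failure) can be caught by a preflight check that confirms each variable is present and plausibly shaped without echoing any part of its value. This is an added example, not code from this repository; the function names `check_secret` and `preflight` are hypothetical, and the shape patterns are assumptions based on the prefixes visible in the manual verification output.

```shell
#!/bin/sh
# Added example (not from the repository): preflight for the two env vars
# injected via envFrom. Prints status and length only, never the value.

# check_secret NAME VALUE GLOB
# Returns 0 if VALUE is non-empty and matches GLOB, 1 if empty, 2 if malformed.
check_secret() {
    name=$1 value=$2 glob=$3
    if [ -z "$value" ]; then
        echo "$name: EMPTY"
        return 1
    fi
    # $glob is left unquoted on purpose so it is treated as a pattern.
    case $value in
        $glob) echo "$name: ok len=${#value}"; return 0 ;;
        *)     echo "$name: MALFORMED len=${#value}"; return 2 ;;
    esac
}

# preflight
# Checks both variables and returns non-zero if either is missing or malformed.
# Assumed shapes: a three-segment JWT for the Woodpecker token, and the
# hooks.slack.com/services/ prefix for the webhook URL.
preflight() {
    rc=0
    check_secret WOODPECKER_API_TOKEN "${WOODPECKER_API_TOKEN:-}" \
        'eyJ*.*.*' || rc=1
    check_secret SLACK_WEBHOOK_URL "${SLACK_WEBHOOK_URL:-}" \
        'https://hooks.slack.com/services/*' || rc=1
    return $rc
}
```

Calling `preflight || exit 1` before the agent's first API call makes a missing secret fail immediately instead of after a poll timeout.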