viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infra/stacks/n8n/main.tf
Viktor Barzin 99180bec42 [n8n] Fix broken DIUN auto-upgrade pipeline — missing auth token to claude-agent-service 
## Context

DIUN has been detecting image updates and firing Slack + webhook
notifications for weeks, but zero automated upgrades ran because the
handoff from n8n to claude-agent-service was silently 401-ing.

The pipeline (DIUN → n8n webhook → claude-agent-service /execute →
service-upgrade agent) was migrated from DevVM SSH to K8s HTTP in
42f1c3cf. The migration wired `claude-agent-service` (API_BEARER_TOKEN
env set), updated the n8n workflow JSON to POST with `Authorization:
Bearer $env.CLAUDE_AGENT_API_TOKEN`, but missed two things on the n8n
side:

1. The deployment didn't expose `CLAUDE_AGENT_API_TOKEN` to the n8n
   container — workflow sent `Authorization: Bearer ` (empty).
2. The workflow header expression used JS concat (`='Bearer ' + $env.X`)
   which n8n 1.x does NOT evaluate in HTTP Request node header params.
   It needs template-literal form: `=Bearer {{ $env.X }}`.

Evidence: `claude-agent-service` logs showed only `/health` probes —
zero `/execute` calls over 12h despite DIUN firing webhooks. n8n PG
execution 2250 returned `401 Missing bearer token`.

## This change

- Adds ExternalSecret `claude-agent-token` in the `n8n` namespace that
  pulls `api_bearer_token` from Vault `secret/claude-agent-service`
  (same source as the receiving service's token).
- Wires the token into the n8n container as env var
  `CLAUDE_AGENT_API_TOKEN` via `secret_key_ref`.
- Sets `N8N_BLOCK_ENV_ACCESS_IN_NODE=false` so expressions CAN read
  `$env.*` at all (default in 1.x is false already, but setting
  explicitly guards against upstream default flips).
- Fixes the workflow JSON backup (`workflows/diun-upgrade.json`) header
  expression to use `{{ $env.X }}` template syntax.

The live workflow in n8n's PG DB was also patched in place (one-time
`UPDATE workflow_entity SET nodes = REPLACE(...)` — workflows are not
TF-managed; they were imported once).

## What is NOT in this change

- No retroactive re-run of skipped DIUN events. They'll be rediscovered
  in future scans.
- No change to the `claude-agent-service` side — its token and endpoint
  were already correct.
- No Slack alert on n8n HTTP-node failures — future work; right now a
  broken workflow fails silently unless you check Execution History.

## End-to-end verification

```
$ curl -X POST n8n.viktorbarzin.me/webhook/30805ab6-... \
    -d '{"diun_entry_status":"update","diun_entry_image":"docker.io/library/httpd","diun_entry_imagetag":"2.4.66",...}'
{"message":"Workflow was started"}  HTTP 200

# n8n PG: execution_entity latest row  → status=success
# claude-agent-service logs           → "POST /execute HTTP/1.1" 202 Accepted
```

## Reproduce locally

```
1. vault login -method=oidc
2. cd stacks/n8n && ../../scripts/tg apply
3. kubectl -n n8n exec deploy/n8n -- printenv CLAUDE_AGENT_API_TOKEN
   (should print 64-char hex)
4. Fire synthetic webhook with non-critical image (httpd / alpine)
5. Check n8n execution is success, claude-agent-service shows 202
```

Closes: code-ekz
Related: code-bck

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 10:41:09 +00:00

315 lines
7.3 KiB
HCL
Raw Blame History

variable "tls_secret_name" {
type = string
sensitive = true
}
variable "nfs_server" { type = string }
variable "postgresql_host" { type = string }
module "tls_secret" {
source = "../../modules/kubernetes/setup_tls_secret"
namespace = kubernetes_namespace.n8n.metadata[0].name
tls_secret_name = var.tls_secret_name
}
resource "kubernetes_namespace" "n8n" {
metadata {
name = "n8n"
labels = {
tier = local.tiers.aux
}
}
}
resource "kubernetes_manifest" "external_secret" {
manifest = {
apiVersion = "external-secrets.io/v1beta1"
kind = "ExternalSecret"
metadata = {
name = "n8n-secrets"
namespace = "n8n"
}
spec = {
refreshInterval = "15m"
secretStoreRef = {
name = "vault-kv"
kind = "ClusterSecretStore"
}
target = {
name = "n8n-secrets"
}
dataFrom = [{
extract = {
key = "n8n"
}
}]
}
}
depends_on = [kubernetes_namespace.n8n]
}
resource "kubernetes_manifest" "external_secret_claude_agent" {
manifest = {
apiVersion = "external-secrets.io/v1beta1"
kind = "ExternalSecret"
metadata = {
name = "claude-agent-token"
namespace = "n8n"
}
spec = {
refreshInterval = "15m"
secretStoreRef = {
name = "vault-kv"
kind = "ClusterSecretStore"
}
target = {
name = "claude-agent-token"
}
data = [{
secretKey = "api_bearer_token"
remoteRef = {
key = "claude-agent-service"
property = "api_bearer_token"
}
}]
}
}
depends_on = [kubernetes_namespace.n8n]
}
resource "kubernetes_persistent_volume_claim" "data_encrypted" {
wait_until_bound = false
metadata {
name = "n8n-data-encrypted"
namespace = kubernetes_namespace.n8n.metadata[0].name
annotations = {
"resize.topolvm.io/threshold" = "80%"
"resize.topolvm.io/increase" = "100%"
"resize.topolvm.io/storage_limit" = "5Gi"
}
}
spec {
access_modes = ["ReadWriteOnce"]
storage_class_name = "proxmox-lvm-encrypted"
resources {
requests = {
storage = "1Gi"
}
}
}
}
# --- RBAC: Allow n8n to exec into OpenClaw pods for task execution ---
resource "kubernetes_service_account" "n8n" {
metadata {
name = "n8n"
namespace = kubernetes_namespace.n8n.metadata[0].name
}
}
resource "kubernetes_role" "n8n_openclaw_exec" {
metadata {
name = "n8n-openclaw-exec"
namespace = "openclaw"
}
rule {
api_groups = [""]
resources = ["pods"]
verbs = ["get", "list"]
}
rule {
api_groups = [""]
resources = ["pods/exec"]
verbs = ["create"]
}
}
resource "kubernetes_role_binding" "n8n_openclaw_exec" {
metadata {
name = "n8n-openclaw-exec"
namespace = "openclaw"
}
subject {
kind = "ServiceAccount"
name = kubernetes_service_account.n8n.metadata[0].name
namespace = kubernetes_namespace.n8n.metadata[0].name
}
role_ref {
api_group = "rbac.authorization.k8s.io"
kind = "Role"
name = kubernetes_role.n8n_openclaw_exec.metadata[0].name
}
}
resource "kubernetes_deployment" "n8n" {
metadata {
name = "n8n"
namespace = kubernetes_namespace.n8n.metadata[0].name
labels = {
app = "n8n"
tier = local.tiers.aux
}
annotations = {
"reloader.stakater.com/auto" = "true"
}
}
spec {
replicas = 1
strategy {
type = "Recreate"
}
selector {
match_labels = {
app = "n8n"
}
}
template {
metadata {
labels = {
app = "n8n"
}
annotations = {
"diun.enable" = "true"
"diun.include_tags" = "^\\d+\\.\\d+\\.\\d+$"
"dependency.kyverno.io/wait-for" = "postgresql.dbaas:5432"
}
}
spec {
service_account_name = kubernetes_service_account.n8n.metadata[0].name
container {
name = "n8n"
image = "docker.n8n.io/n8nio/n8n:1.80.0"
env {
name = "N8N_PORT"
value = "5678"
}
env {
name = "DB_TYPE"
value = "postgresdb"
}
env {
name = "DB_POSTGRESDB_DATABASE"
value = "n8n"
}
env {
name = "DB_POSTGRESDB_HOST"
value = var.postgresql_host
}
env {
name = "DB_POSTGRESDB_PORT"
value = "5432"
}
env {
name = "DB_POSTGRESDB_USER"
value = "n8n"
}
env {
name = "DB_POSTGRESDB_PASSWORD"
value_from {
secret_key_ref {
name = "n8n-secrets"
key = "db_password"
}
}
}
env {
name = "GENERIC_TIMEZONE"
value = "Europe/Sofia"
}
env {
name = "TZ"
value = "Europe/Sofia"
}
env {
name = "DOMAIN_NAME"
value = "viktorbarzin.me"
}
env {
name = "DOMAIN_NAME"
value = "n8n"
}
env {
name = "N8N_EDITOR_BASE_URL"
value = "https://n8n.viktorbarzin.me"
}
env {
name = "WEBHOOK_URL"
value = "https://n8n.viktorbarzin.me"
}
env {
name = "CLAUDE_AGENT_API_TOKEN"
value_from {
secret_key_ref {
name = "claude-agent-token"
key = "api_bearer_token"
}
}
}
env {
name = "N8N_BLOCK_ENV_ACCESS_IN_NODE"
value = "false"
}
volume_mount {
name = "data"
mount_path = "/home/node/.n8n"
}
port {
name = "http"
container_port = 5678
protocol = "TCP"
}
resources {
requests = {
cpu = "25m"
memory = "1Gi"
}
limits = {
memory = "1Gi"
}
}
}
volume {
name = "data"
persistent_volume_claim {
claim_name = kubernetes_persistent_volume_claim.data_encrypted.metadata[0].name
}
}
}
}
}
}
resource "kubernetes_service" "n8n" {
metadata {
name = "n8n"
namespace = kubernetes_namespace.n8n.metadata[0].name
labels = {
"app" = "n8n"
}
}
spec {
selector = {
app = "n8n"
}
port {
port = "80"
target_port = "5678"
}
}
}
module "ingress" {
source = "../../modules/kubernetes/ingress_factory"
dns_type = "proxied"
namespace = kubernetes_namespace.n8n.metadata[0].name
name = "n8n"
tls_secret_name = var.tls_secret_name
extra_annotations = {
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "n8n"
"gethomepage.dev/description" = "Workflow automation"
"gethomepage.dev/icon" = "n8n.png"
"gethomepage.dev/group" = "Automation"
"gethomepage.dev/pod-selector" = ""
}
}
Reference in a new issue View git blame Copy permalink