infra/.woodpecker/renew-tls.yml
Viktor Barzin 88c86e2109
All checks were successful
ci/woodpecker/push/default Pipeline was successful
ci: Slack-notify failed pipeline runs only
Viktor doesn't want a Slack message for every CI run — only failures.
The infra apply pipeline posted a status line to #general on every push,
and the renew-tls / postmortem-todos / registry-config-sync /
pve-nfs-exports-sync crons posted on every scheduled run (~30+ routine
messages a week). Now: the apply pipeline's success post is gone
(notify-failure already covers failures), all cron notifies are
status:[failure] with explicit FAILED texts, and drift-detection is
silent when all stacks are clean (still posts drift findings and errors,
and gains a hard-failure catch step it previously lacked). Kept:
notify-nonadmin-push (org audit feed) and the actionable provision-user
post. Per-app deploy template in ci-cd.md updated to match.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-02 07:27:43 +00:00

81 lines
3 KiB
YAML

when:
event: cron
cron: renew-tls-certificate
clone:
git:
image: woodpeckerci/plugin-git
settings:
partial: false
attempts: 5
backoff: 10s
steps:
- name: prepare
image: alpine
commands:
- "apk update && apk add jq curl git git-crypt"
- |
curl -k https://10.0.20.100:6443/api/v1/namespaces/woodpecker/configmaps/git-crypt-key -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | jq -r .data.key | base64 -d > /tmp/key
- "git-crypt unlock /tmp/key && rm /tmp/key"
- name: renew-tls
image: alpine
environment:
TECHNITIUM_API_KEY:
from_secret: TECHNITIUM_API_KEY
CLOUDFLARE_TOKEN:
from_secret: CLOUDFLARE_TOKEN
CLOUDFLARE_ZONE_ID:
from_secret: CLOUDFLARE_ZONE_ID
commands:
- "apk update && apk add certbot curl jq"
- "./modules/kubernetes/setup_tls_secret/renew2.sh"
- name: commit-certs
image: alpine
commands:
- "apk update && apk add openssh-client git git-crypt"
- "mkdir -p ~/.ssh && ssh-keyscan -H github.com >> ~/.ssh/known_hosts"
- "chmod 400 secrets/deploy_key"
# Only add specific paths — never git add .
- "git add secrets/ state/ || true"
- "git remote set-url origin git@github.com:ViktorBarzin/infra.git"
- "git commit -m 'Woodpecker CI Update TLS Certificates Commit' || echo 'No changes'"
- "GIT_SSH_COMMAND='ssh -i ./secrets/deploy_key -o IdentitiesOnly=yes' git pull --rebase origin master"
- "GIT_SSH_COMMAND='ssh -i ./secrets/deploy_key -o IdentitiesOnly=yes' git push origin master"
- name: verify-cert
image: alpine
commands:
- "apk update && apk add openssl"
- "openssl x509 -checkend 604800 -noout -in secrets/fullchain.pem"
- "echo 'Certificate is valid for at least 7 more days'"
- name: update-tls-source-secret
image: alpine
commands:
- "apk update && apk add curl"
- "curl -LO https://dl.k8s.io/release/v1.31.0/bin/linux/amd64/kubectl && chmod +x kubectl && mv kubectl /usr/local/bin/"
- |
SECRET_YAML=$(kubectl create secret tls tls-secret \
--cert=secrets/fullchain.pem --key=secrets/privkey.pem \
--namespace=placeholder --dry-run=client -o yaml)
for ns in $(kubectl get ns -o jsonpath='{.items[*].metadata.name}' | tr ' ' '\n' | grep -v '^kube-'); do
echo "$SECRET_YAML" | sed "s/namespace: placeholder/namespace: $ns/" | kubectl apply -f - 2>/dev/null || true
done
- "echo 'TLS secret updated in all namespaces'"
- name: slack
image: curlimages/curl
commands:
- |
curl -s -X POST -H 'Content-type: application/json' \
--data "{\"channel\":\"general\",\"text\":\":red_circle: Woodpecker CI: TLS certificate renewal FAILED\"}" \
"$SLACK_WEBHOOK" || true
environment:
SLACK_WEBHOOK:
from_secret: slack_webhook
when:
# Failure-only (Viktor 2026-07-02): successful renewals are routine.
status: [failure]