feat: wire WOODPECKER_ENCRYPTION_KEY through Terraform #102

Merged
forgejo_admin merged 1 commit from 99-feat-wire-woodpecker-encryption-key-thro into main 2026-03-17 04:12:12 +00:00

Summary

  • Add woodpecker_encryption_key as a terraform-managed sensitive variable so the Woodpecker encryption key survives CNPG database migrations
  • Wire it to the Woodpecker server via set_sensitive in the Helm release, matching existing secret patterns
  • Add to Makefile TF_SECRET_VARS and Woodpecker CI pipeline environment for plan/apply steps

Changes

  • terraform/variables.tf: add woodpecker_encryption_key variable (sensitive string)
  • terraform/main.tf: add set_sensitive block for server.env.WOODPECKER_ENCRYPTION_KEY in the Woodpecker helm_release
  • Makefile: add woodpecker_encryption_key to TF_SECRET_VARS for Salt pillar rendering
  • .woodpecker.yaml: add TF_VAR_woodpecker_encryption_key to both plan and apply step environments

Test Plan

  • [x] tofu fmt -check -recursive passes
  • [x] tofu validate passes (no syntax errors)
  • [ ] After pillar secret is added: tofu plan shows only Woodpecker helm_release changing
  • [ ] After apply: Woodpecker server restarts cleanly with encryption key set

Note: The actual secret value must be added to Salt pillar (salt/pillar/secrets/platform.sls) separately by the operator.

Review Checklist

  • [x] Passed automated review-fix loop
  • [x] No secrets committed
  • [x] No unnecessary file changes
  • [x] Commit messages are descriptive

Related

  • Closes #99
  • todo-woodpecker-secrets-terraform
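The two Terraform pieces the description refers to (a sensitive input variable and a set_sensitive entry on the Woodpecker helm_release), written out as an added illustration. This is not the project's own terraform/ code: the resource name woodpecker, the chart repository and namespace, and the validation block are assumptions made for the example. The set_sensitive block form shown is the one the description names (helm provider 2.x syntax).

```hcl
# Added example, not the project's terraform/. Names and values marked
# "assumed" are placeholders for illustration.

# The key never gets a default: it arrives only through
# TF_VAR_woodpecker_encryption_key (Makefile TF_SECRET_VARS locally,
# from_secret in the Woodpecker CI plan/apply steps).
variable "woodpecker_encryption_key" {
  description = "Woodpecker server encryption key, injected as WOODPECKER_ENCRYPTION_KEY."
  type        = string
  sensitive   = true

  # Assumed guard (not in the PR): fail the plan on an empty value instead of
  # starting the server with an empty key after a pillar rendering mistake.
  validation {
    condition     = length(var.woodpecker_encryption_key) > 0
    error_message = "woodpecker_encryption_key must not be empty."
  }
}

resource "helm_release" "woodpecker" {
  name       = "woodpecker"                    # assumed
  repository = "oci://example.invalid/charts"  # assumed placeholder
  chart      = "woodpecker"                    # assumed
  namespace  = "woodpecker"                    # assumed

  # set_sensitive keeps the value out of `tofu plan` / `tofu apply` output
  # and CI logs; it is still written in clear to the state file, so the
  # state backend needs the same access controls as the Salt pillar.
  set_sensitive {
    name  = "server.env.WOODPECKER_ENCRYPTION_KEY"
    value = var.woodpecker_encryption_key
  }
}
```

With TF_VAR_woodpecker_encryption_key exported, tofu plan prints the helm_release change with the value shown as (sensitive value); an unset variable prompts interactively (or fails under -input=false), which is the behaviour the test plan's "only Woodpecker helm_release changing" step relies on. The validation block is an added check, not something the PR contains.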
feat: wire WOODPECKER_ENCRYPTION_KEY through Terraform
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
ci/woodpecker/pull_request_closed/woodpecker Pipeline was successful
8ae54dc10c
Add woodpecker_encryption_key variable and pass it to the Woodpecker
server via set_sensitive in the Helm release. Add to Makefile
TF_SECRET_VARS and Woodpecker CI pipeline environment.

This ensures the encryption key survives CNPG database migrations.
The actual secret value must be added to Salt pillar separately.

Refs: todo-woodpecker-secrets-terraform
Closes #99

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Review: LGTM

4 files changed, +18/-1 -- minimal, focused diff.

Verified

  • terraform/variables.tf: new woodpecker_encryption_key variable is sensitive, placed logically after woodpecker_agent_secret
  • terraform/main.tf: set_sensitive block follows existing pattern (matches lines 755-777), correctly targets server.env.WOODPECKER_ENCRYPTION_KEY
  • Makefile: TF_SECRET_VARS extended with proper line continuation
  • .woodpecker.yaml: env var added to both plan and apply steps, from_secret format matches all existing entries
  • tofu fmt -check passes
  • tofu validate passes (no syntax errors)
  • No secrets committed
  • No unrelated changes

Operator Action Required Post-Merge

Add woodpecker_encryption_key to Salt pillar (salt/pillar/secrets/platform.sls) and create the Woodpecker CI secret tf_var_woodpecker_encryption_key before the next CI run.

forgejo_admin deleted branch 99-feat-wire-woodpecker-encryption-key-thro 2026-03-17 04:12:12 +00:00