feat: secrets pillar validation gate + missing Woodpecker secrets #140

Closed
opened 2026-03-21 21:24:43 +00:00 by forgejo_admin · 0 comments

Type

Feature

Lineage

plan-pal-e-platform → Platform Hardening → discovered scope from Keycloak theme apply (PR #130)

Repo

forgejo_admin/pal-e-platform

User Story

As a platform operator
I want all required Terraform secrets present in the Salt pillar with a validation gate
So that make tofu-plan never fails due to pillar/variable drift

Context

During tofu apply for PR #130 (Keycloak theme), make tofu-plan failed because two required Terraform variables (woodpecker_db_password, woodpecker_encryption_key) are not in the Salt pillar. The variables exist in variables.tf, the Makefile's TF_SECRET_VARS list, and Woodpecker CI's from_secret references — but were never GPG-encrypted into salt/pillar/secrets/platform.sls.

CI works because Woodpecker has its own secret store. Local apply fails because it depends on Salt as the single source of truth.

Additionally, a stale state lock from 2026-03-17 (ffc8634f-0b8d-8062-f4e2-bad7ece5b393) blocks tofu plan without -lock=false.

File Targets

Files the agent should modify:

  • salt/pillar/secrets/platform.sls — add GPG-encrypted woodpecker_db_password and woodpecker_encryption_key
  • Makefile — add tofu-validate-secrets target that checks all TF_SECRET_VARS keys exist in rendered secrets.auto.tfvars

Files the agent should NOT touch:

  • terraform/variables.tf — declarations are correct
  • .woodpecker.yaml — CI secret refs are correct

Acceptance Criteria

  • woodpecker_db_password and woodpecker_encryption_key present in Salt pillar
  • make tofu-secrets renders 17 vars (currently 15)
  • make tofu-plan succeeds without -lock=false workaround
  • New make tofu-validate-secrets target catches missing vars before plan
  • Stale state lock cleared

Test Expectations

  • make tofu-secrets && wc -l terraform/secrets.auto.tfvars outputs 17
  • make tofu-plan completes without error
  • make tofu-validate-secrets passes when all vars present, fails when one is removed
  • Run command: make tofu-plan
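The validation gate the file targets and test expectations describe, written out as an added POSIX-sh example (not the project's own Makefile or scripts): given the required variable names and the rendered tfvars file, it reports each missing name and fails when any is absent, and it also counts real assignment lines rather than raw lines. The function names, the constructed sample tfvars and the variable names used in it are assumptions, not the platform's actual `TF_SECRET_VARS` list.

```shell
#!/bin/sh
# Added example (not the project's code): a POSIX-sh validation gate in the
# spirit of the proposed `tofu-validate-secrets` target. Function names, the
# constructed sample tfvars and the variable list are assumptions.

# validate_secrets REQUIRED_VARS TFVARS_FILE
#   REQUIRED_VARS: space-separated variable names (the Makefile's
#                  TF_SECRET_VARS list would be passed here)
#   TFVARS_FILE:   the rendered secrets.auto.tfvars
# Prints every required name that has no `name = ...` assignment and returns
# 0 only when nothing is missing (2 if the file cannot be read).
validate_secrets() {
  required="$1"
  tfvars="$2"
  if [ ! -r "$tfvars" ]; then
    echo "validate_secrets: cannot read $tfvars" >&2
    return 2
  fi
  missing=0
  for var in $required; do
    # An assignment line: optional leading whitespace, the exact name,
    # optional whitespace, then '='. Anchoring on the full name avoids
    # matching a variable that merely starts with another's name.
    if ! grep -Eq "^[[:space:]]*${var}[[:space:]]*=" "$tfvars"; then
      echo "missing secret var: $var" >&2
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# count_assignments TFVARS_FILE
#   Counts `name = value` lines, ignoring blanks and comments; a sturdier
#   version of the `wc -l` check than counting raw lines.
count_assignments() {
  n=$(grep -Ec '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=' "$1") \
    || [ "$n" = "0" ]
  echo "$n"
}

# write_sample_tfvars PATH
#   Writes a constructed two-variable tfvars file with placeholder values;
#   the names are illustrative, not the platform's real list.
write_sample_tfvars() {
  cat > "$1" <<'EOF'
# rendered by make tofu-secrets (constructed sample, placeholder values)
keycloak_admin_password = "PLACEHOLDER"
woodpecker_db_password  = "PLACEHOLDER"
EOF
}

# Stand-alone demonstration: set VALIDATE_SECRETS_DEMO=1 to run it.
if [ "${VALIDATE_SECRETS_DEMO:-0}" = "1" ]; then
  sample=$(mktemp)
  write_sample_tfvars "$sample"
  validate_secrets \
    "keycloak_admin_password woodpecker_db_password woodpecker_encryption_key" \
    "$sample" \
    || echo "gate failed as expected: woodpecker_encryption_key is absent"
  echo "assignments rendered: $(count_assignments "$sample")"
  rm -f "$sample"
fi
```

Matching on the variable name, not on line count, is what makes the gate catch drift: a `wc -l` of 17 still passes when one secret is missing and an unrelated line was added, whereas a name check fails on exactly the key that `tofu plan` would later complain about. A Makefile target would run `validate_secrets "$(TF_SECRET_VARS)" terraform/secrets.auto.tfvars` after the secrets render and before the plan, so the non-zero exit stops the chain.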

Constraints

  • GPG encryption must use the same key as existing pillar entries
  • Secrets must be read from running k8s cluster (source of truth for current values)
  • State lock force-unlock requires confirmation that no other apply is running

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • project-pal-e-platform — platform hardening
  • PR #130 — triggered discovery of this gap
  • Issue #131 — Keycloak theme polish (also blocked by this)
forgejo_admin 2026-03-21 21:39:34 +00:00