Add Woodpecker gRPC Tailscale funnel for external Mac agent

forgejo_admin commented

2026-03-26 15:39:33 +00:00

Owner

Type

Infra

Lineage

project-capacitor-mobile → Board item (discovered scope from #166 Mac CI agent)

Repo

forgejo_admin/pal-e-platform

User Story

As the Mac Woodpecker agent
I want to connect to the Woodpecker server via gRPC over Tailscale
So that iOS build jobs can be dispatched to the Mac

Context

The Mac agent connects to Woodpecker server via gRPC on port 9000. The existing Tailscale funnel (woodpecker-funnel) only routes to port 80 (HTTP web UI). The in-cluster Linux agent connects directly to woodpecker-server:9000 inside the cluster, so this was never needed before. External agents need a separate funnel for gRPC.

Discovered during Mac CI agent setup (#166) — agent starts but gets 502 Bad Gateway because gRPC traffic hits the HTTP-only funnel.

File Targets

Files to modify:

terraform/main.tf — add kubernetes_ingress_v1.woodpecker_grpc_funnel resource

Files NOT to touch:

Existing woodpecker_funnel resource (HTTP web UI, unchanged)
Helm values
Any other infrastructure

Acceptance Criteria

tofu plan shows 1 to add (new ingress), 0 to destroy
tofu apply creates woodpecker-grpc.tail5b443a.ts.net
Mac agent logs show successful connection (no more 502)
Woodpecker admin UI shows Mac agent as connected
Existing web UI at woodpecker.tail5b443a.ts.net unaffected

Test Expectations

tofu validate passes
curl https://woodpecker-grpc.tail5b443a.ts.net returns something (even an error) proving the hostname resolves
Mac agent tail /tmp/woodpecker-agent.log shows connected state

Constraints

Must use tofu plan -lock=false per SOP
Tailscale funnel annotation required for external access
Port 9000 is the Woodpecker gRPC port (confirmed from service definition)

Checklist

PR opened
tofu plan output included in PR
Tests pass
No unrelated changes

pal-e-platform #166 — Mac CI agent setup (blocked by this)
project-capacitor-mobile — arch:mac-agent

### Type Infra ### Lineage `project-capacitor-mobile` → Board item (discovered scope from #166 Mac CI agent) ### Repo `forgejo_admin/pal-e-platform` ### User Story As the Mac Woodpecker agent I want to connect to the Woodpecker server via gRPC over Tailscale So that iOS build jobs can be dispatched to the Mac ### Context The Mac agent connects to Woodpecker server via gRPC on port 9000. The existing Tailscale funnel (`woodpecker-funnel`) only routes to port 80 (HTTP web UI). The in-cluster Linux agent connects directly to `woodpecker-server:9000` inside the cluster, so this was never needed before. External agents need a separate funnel for gRPC. Discovered during Mac CI agent setup (#166) — agent starts but gets 502 Bad Gateway because gRPC traffic hits the HTTP-only funnel. ### File Targets Files to modify: - `terraform/main.tf` — add `kubernetes_ingress_v1.woodpecker_grpc_funnel` resource Files NOT to touch: - Existing `woodpecker_funnel` resource (HTTP web UI, unchanged) - Helm values - Any other infrastructure ### Acceptance Criteria - [ ] `tofu plan` shows 1 to add (new ingress), 0 to destroy - [ ] `tofu apply` creates `woodpecker-grpc.tail5b443a.ts.net` - [ ] Mac agent logs show successful connection (no more 502) - [ ] Woodpecker admin UI shows Mac agent as connected - [ ] Existing web UI at `woodpecker.tail5b443a.ts.net` unaffected ### Test Expectations - [ ] `tofu validate` passes - [ ] `curl https://woodpecker-grpc.tail5b443a.ts.net` returns something (even an error) proving the hostname resolves - [ ] Mac agent `tail /tmp/woodpecker-agent.log` shows connected state ### Constraints - Must use `tofu plan -lock=false` per SOP - Tailscale funnel annotation required for external access - Port 9000 is the Woodpecker gRPC port (confirmed from service definition) ### Checklist - [ ] PR opened - [ ] `tofu plan` output included in PR - [ ] Tests pass - [ ] No unrelated changes ### Related - pal-e-platform #166 — Mac CI agent setup (blocked by this) - `project-capacitor-mobile` — arch:mac-agent