forgejo_admin/pal-e-platform
1
0
Fork 1
Code Issues 38 Pull requests Projects Releases Packages Wiki Activity Actions

Automate Woodpecker secret sync after Harbor robot rotation #245

New issue
Open
opened 2026-03-28 23:26:55 +00:00 by forgejo_admin · 0 comments
forgejo_admin commented 2026-03-28 23:26:55 +00:00
Owner
Copy link

Type

Feature

Lineage

  • Board: board-pal-e-platform
  • Story: story:superuser-deploy
  • Arch: arch:ci-pipeline
  • Discovered from: #234 (pal-e-docs-app ImagePullBackOff → Harbor 401)

Repo

forgejo_admin/pal-e-services (terraform manages Harbor robots) + Woodpecker API (secrets target)

User Story

As the platform operator, I need Woodpecker CI secrets to stay in sync with Harbor robot accounts so that tofu apply doesn't silently stale all downstream CI pipelines.

Context

Harbor robot accounts are terraform-managed (harbor_robot_account.service_ci). Woodpecker secrets are manually set per SERVICE_ONBOARDING.md Step 4. When tofu apply recreates a robot (new credentials), the Woodpecker secrets become stale, causing 401 Unauthorized on image push. This broke pal-e-docs-app (#234) — the robot was created by terraform but Woodpecker still had old creds.

File Targets

  • ~/pal-e-services/main.tf or modules/ — add Woodpecker secret provisioning via terraform or post-apply script
  • Alternative: scripts/sync-harbor-creds.sh — post-apply script that reads tofu output and updates Woodpecker secrets via API

Acceptance Criteria

  • After tofu apply that rotates Harbor robots, Woodpecker secrets are automatically updated
  • No manual SERVICE_ONBOARDING.md Step 4 needed for existing services
  • New service onboarding still works

Test Expectations

  • tofu apply on a test service → Woodpecker secret matches new robot credentials
  • Pipeline pushes to Harbor successfully with synced credentials

Constraints

  • Woodpecker API requires admin token for secret management
  • Must handle the case where tofu doesn't change robot (no-op apply)
  • Don't break existing manual secret workflow during transition

Checklist

  • Design approach (terraform resource vs post-apply script)
  • Implement sync mechanism
  • Test with one service
  • Roll out to all services

Related

  • #234 — pal-e-docs-app ImagePullBackOff (the incident that exposed this)
  • service-onboarding-sop — Step 4 (manual secret setup)
### Type Feature ### Lineage - Board: board-pal-e-platform - Story: story:superuser-deploy - Arch: arch:ci-pipeline - Discovered from: #234 (pal-e-docs-app ImagePullBackOff → Harbor 401) ### Repo `forgejo_admin/pal-e-services` (terraform manages Harbor robots) + Woodpecker API (secrets target) ### User Story As the platform operator, I need Woodpecker CI secrets to stay in sync with Harbor robot accounts so that `tofu apply` doesn't silently stale all downstream CI pipelines. ### Context Harbor robot accounts are terraform-managed (`harbor_robot_account.service_ci`). Woodpecker secrets are manually set per SERVICE_ONBOARDING.md Step 4. When `tofu apply` recreates a robot (new credentials), the Woodpecker secrets become stale, causing 401 Unauthorized on image push. This broke pal-e-docs-app (#234) — the robot was created by terraform but Woodpecker still had old creds. ### File Targets - `~/pal-e-services/main.tf` or `modules/` — add Woodpecker secret provisioning via terraform or post-apply script - Alternative: `scripts/sync-harbor-creds.sh` — post-apply script that reads `tofu output` and updates Woodpecker secrets via API ### Acceptance Criteria - [ ] After `tofu apply` that rotates Harbor robots, Woodpecker secrets are automatically updated - [ ] No manual SERVICE_ONBOARDING.md Step 4 needed for existing services - [ ] New service onboarding still works ### Test Expectations - [ ] `tofu apply` on a test service → Woodpecker secret matches new robot credentials - [ ] Pipeline pushes to Harbor successfully with synced credentials ### Constraints - Woodpecker API requires admin token for secret management - Must handle the case where tofu doesn't change robot (no-op apply) - Don't break existing manual secret workflow during transition ### Checklist - [ ] Design approach (terraform resource vs post-apply script) - [ ] Implement sync mechanism - [ ] Test with one service - [ ] Roll out to all services ### Related - #234 — pal-e-docs-app ImagePullBackOff (the incident that exposed this) - `service-onboarding-sop` — Step 4 (manual secret setup)
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
188-cross-repo-worktree-isolation-for-parall
111-fix-keycloak-probe
86-fix-rotate-woodpecker-api-token-in-salt
71-feat-deploy-pyrra-slo-manager-with-servi
64-hotfix-woodpecker-oauth-login-broken-for
18-fix-grafana-duplicate-default-datasource-v2
18-fix-grafana-duplicate-default-datasource
13-fix-cnpg-all-parameters
No results found.
Labels
Clear labels   
domain:backend

   
domain:devops

   
domain:frontend

   
status:approved

QA passed, awaiting merge approval

  
status:in-progress

Dev agent is actively working

  
status:needs-fix

QA found issues, back to dev

  
status:qa

PR submitted, awaiting QA review

  
type:bug

Bug fix

  
type:devops

Infrastructure/CI/config work

  
type:feature

New functionality

No labels
domain:backend
domain:devops
domain:frontend
status:approved
status:in-progress
status:needs-fix
status:qa
type:bug
type:devops
type:feature
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
forgejo_admin/pal-e-platform#245
No description provided.