Fix: Salt pillar fails to decrypt slack_webhook_url (empty string GPG block) #46

Closed
opened 2026-03-14 16:18:43 +00:00 by forgejo_admin · 0 comments

Lineage

plan-pal-e-platform → secrets pipeline hotfix

Repo

forgejo_admin/pal-e-platform

User Story

As a platform operator
I want `make tofu-secrets` to render all 15 secrets
So that `tofu plan/apply` works without errors

Context

PR #45 encrypted an empty string for `slack_webhook_url` (dormant — Slack not in use). Salt GPG renderer treats `PLAINTEXT_LENGTH 0` as a decryption failure, causing the entire `secrets:platform` pillar to return empty. This breaks `make tofu-secrets` (returns 0 vars instead of 15).

File Targets

  • `salt/pillar/secrets/platform.sls` — replace empty-string GPG block with `'unused'` placeholder

Acceptance Criteria

  • `sudo salt-call pillar.get secrets:platform --out=json` returns 16 secrets
  • `make tofu-secrets` renders 15 TF vars

Test Expectations

  • Pillar decryption returns all 16 keys with non-empty values
  • Run: `sudo salt-call pillar.get secrets:platform --out=json | python3 -c "import sys,json; d=json.load(sys.stdin)['local']; print(len(d))"`

Constraints

  • Never encrypt empty strings into Salt pillar — use a placeholder like `'unused'`
  • GPG key: `81A03D1CF874DC90`

Checklist

  • PR opened with `Closes #N`
  • Pillar decryption verified locally

Related

  • PR #45 — introduced the empty-string GPG block
  • `sop-secrets-management` — needs update: document empty-string gotcha
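An added check for the two expectations above (the key count from the `salt-call` JSON and the never-encrypt-empty-strings rule), written here as example code rather than anything from the pal-e-platform repo; the sample JSON is constructed and the `secret_N` key names in it are placeholders.

```python
"""Validate the JSON that `salt-call pillar.get secrets:platform --out=json`
emits, and guard values before they are GPG-encrypted into the pillar."""
import json
import sys

EXPECTED_KEYS = 16          # count stated in the issue's acceptance criteria
PLACEHOLDER = "unused"      # placeholder the issue prescribes for dormant secrets


def reject_empty(name: str, value: str) -> str:
    """Pre-encryption guard: an empty plaintext makes the Salt GPG renderer
    treat the block as a decryption failure and blank the whole pillar,
    so substitute the documented placeholder instead of encrypting ""."""
    if value == "":
        return PLACEHOLDER
    return value


def check_pillar(raw_json: str, expected: int = EXPECTED_KEYS) -> list[str]:
    """Return the problems found in the salt-call output (empty list if healthy)."""
    problems = []
    try:
        pillar = json.loads(raw_json)["local"]
    except (ValueError, KeyError) as exc:
        return [f"unparseable salt-call output: {exc}"]
    if not isinstance(pillar, dict) or not pillar:
        # The symptom from the issue: one bad GPG block empties the whole pillar.
        return ["pillar is empty: a GPG block probably failed to decrypt"]
    if len(pillar) != expected:
        problems.append(f"expected {expected} keys, got {len(pillar)}")
    for key, value in pillar.items():
        if value in ("", None):
            problems.append(f"{key}: empty value (never encrypt empty strings)")
    return problems


# Constructed sample outputs (no real secrets): the failure mode and a healthy pillar.
BROKEN = json.dumps({"local": {}})
HEALTHY = json.dumps({"local": {f"secret_{i}": f"value-{i}" for i in range(15)}
                      | {"slack_webhook_url": PLACEHOLDER}})

if __name__ == "__main__":
    # Pipe the real salt-call output in; with no stdin the healthy sample is checked.
    data = sys.stdin.read() if not sys.stdin.isatty() else HEALTHY
    issues = check_pillar(data)
    print("\n".join(issues) if issues else "pillar OK")
    sys.exit(1 if issues else 0)
```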
Reference
forgejo_admin/pal-e-platform#46