Hotfix: Woodpecker OAuth login broken — FORGEJO_URL uses internal DNS #64

Closed
opened 2026-03-14 20:22:22 +00:00 by forgejo_admin · 0 comments

Lineage

plan-pal-e-platform → ad-hoc hotfix (discovered during PR #59 migration)

Repo

forgejo_admin/pal-e-platform

User Story

As a platform operator
I want to log into Woodpecker via Forgejo OAuth
So that I can manage CI repos and secrets

Context

PR #56 changed WOODPECKER_FORGEJO_URL to the internal service URL (http://forgejo-http.forgejo.svc.cluster.local:80) to fix TLS clone errors. This fixed server-side clone operations but broke browser-side OAuth — the OAuth redirect sends the browser to the internal DNS name which can't be resolved outside the cluster. Woodpecker supports WOODPECKER_FORGEJO_CLONE_URL as a separate setting for clone operations, allowing the main URL to remain external for OAuth.

File Targets

Files the agent should modify:

  • terraform/main.tf — split WOODPECKER_FORGEJO_URL into external (OAuth) + WOODPECKER_FORGEJO_CLONE_URL (internal, clones)

Files the agent should NOT touch:

  • Everything else

Acceptance Criteria

  • WOODPECKER_FORGEJO_URL uses external Tailscale URL for OAuth redirects
  • WOODPECKER_FORGEJO_CLONE_URL uses internal service URL for clone operations
  • OAuth login works via browser

Test Expectations

  • tofu validate passes
  • OAuth login verified via Playwright
  • Run command: cd terraform && tofu validate

Constraints

  • Already applied live via local tofu apply — this PR codifies the fix in main

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • PR #59 — Woodpecker Postgres migration that surfaced this issue
  • plan-pal-e-platform
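
A pre-apply check for the misconfiguration described in the Context section, as an added example that is not part of the original issue or the pal-e-platform repository. It assumes the Woodpecker server environment is available as a plain dict; the function names and the `forgejo.example.ts.net` hostname are constructed placeholders, and the fallback of clones to the main URL is an assumption drawn from the issue's account of PR #56.

```python
from urllib.parse import urlsplit

# Suffixes that only resolve through in-cluster DNS (Kubernetes default cluster domain).
INTERNAL_SUFFIXES = (".svc.cluster.local", ".cluster.local", ".svc")

BROWSER_FACING = "WOODPECKER_FORGEJO_URL"     # OAuth redirects go here (per the issue)
SERVER_SIDE = "WOODPECKER_FORGEJO_CLONE_URL"  # clone operations go here (per the issue)


def is_cluster_internal(url):
    """True if the URL's host can only be resolved from inside the cluster."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    # Single-label names (e.g. "forgejo-http") also depend on cluster search domains.
    return host.endswith(INTERNAL_SUFFIXES) or "." not in host


def check_forge_urls(env):
    """Return a list of findings for the Forgejo URL split; empty means OK."""
    findings = []
    main = env.get(BROWSER_FACING, "")
    clone = env.get(SERVER_SIDE, "")
    if not main:
        findings.append(f"{BROWSER_FACING} is not set")
    elif is_cluster_internal(main):
        findings.append(
            f"{BROWSER_FACING}={main} is cluster-internal: browsers outside "
            "the cluster cannot follow the OAuth redirect"
        )
    elif not clone:
        # Assumption: without a clone URL, clones use the external URL again,
        # which is the path PR #56 moved away from.
        findings.append(f"{SERVER_SIDE} is not set: clones will use {main}")
    return findings


if __name__ == "__main__":
    # Constructed sample environments: the state after PR #56, then the split.
    internal = "http://forgejo-http.forgejo.svc.cluster.local:80"
    external = "https://forgejo.example.ts.net"  # placeholder, not the real URL
    for env in ({BROWSER_FACING: internal},
                {BROWSER_FACING: external, SERVER_SIDE: internal}):
        print(check_forge_urls(env) or "ok")
```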