fix: rotate Woodpecker API token in Salt pillar + all consumers #86

Closed
opened 2026-03-16 00:55:50 +00:00 by forgejo_admin · 2 comments

Lineage

plan-pal-e-platform → Phase 17a → 17a-6 (token rotation)

Repo

forgejo_admin/pal-e-platform

User Story

As a platform operator
I want the Woodpecker API token updated in Salt pillar and all consumers
So that the DORA exporter can fetch deployment data and the MCP server authenticates

Type

Task

Context

The dora-exporter k8s secret had a stale token that returned 401 against the Woodpecker API. The valid token was obtained from the Woodpecker UI. This updates the canonical source (Salt pillar, GPG-encrypted) and all downstream consumers.

File Targets

Files to modify:

  • salt/pillar/secrets/platform.sls — replace woodpecker_api_token PGP block with new encrypted value
  • terraform/k3s.tfvars — update woodpecker_api_token value

Manual updates (not in PR):

  • ~/.mcp.json — update WOODPECKER_TOKEN
  • dora-exporter k8s secret — kubectl patch
  • Woodpecker CI repo secret tf_var_woodpecker_api_token

Acceptance Criteria

  • Salt pillar decrypts to the correct token value
  • make tofu-secrets renders the token into secrets.auto.tfvars
  • DORA exporter returns Woodpecker deployment data (no 401)

Test Expectations

  • salt-call pillar.get secrets:platform:woodpecker_api_token returns the token
  • curl Woodpecker API with token returns 200

Constraints

  • GPG key: 81A03D1CF874DC90
  • Do not commit plaintext token anywhere

Checklist

  • Salt pillar updated
  • k3s.tfvars updated
  • ~/.mcp.json updated
  • dora-exporter secret updated
  • Woodpecker CI secret updated
  • DORA exporter verified

Related

  • phase-platform-17a-woodpecker-secrets — parent phase
  • sop-secrets-management — the SOP this follows
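The rotation steps the ticket lists (encrypt for the GPG pillar, keep plaintext out of the tree, patch the dora-exporter Secret, check the pillar and the API), collected into one added example script. This is not code from pal-e-platform or from the ticket. It assumes things the ticket does not state: the namespace `dora`, a Secret key `WOODPECKER_TOKEN` in the `dora-exporter` Secret, a Deployment named `dora-exporter`, a Woodpecker URL, and the standard Salt `#!yaml|gpg` pillar layout for the `secrets:platform:woodpecker_api_token` key. The `~/.mcp.json` and Woodpecker CI repo secret updates stay manual, as the ticket lists them.

```shell
#!/usr/bin/env bash
# Added example for issue #86; not code from pal-e-platform. The token is read
# from stdin for every subcommand so it never appears in argv, ps or history.
# Assumptions not stated in the ticket: namespace "dora", Secret key
# WOODPECKER_TOKEN, a Deployment named dora-exporter, and the Woodpecker URL.
set -euo pipefail

GPG_KEY="81A03D1CF874DC90"                          # ticket: Constraints
PILLAR_KEY="secrets:platform:woodpecker_api_token"   # ticket: Test Expectations
NAMESPACE="${NAMESPACE:-dora}"                       # assumption
WOODPECKER_URL="${WOODPECKER_URL:-https://ci.example.internal}"   # assumption

# Base64 without a trailing newline, the form a Secret's .data field expects.
b64_token() { printf '%s' "$1" | base64 | tr -d '\n'; }

# JSON merge patch for the dora-exporter Secret (key name is an assumption).
build_secret_patch() {
  printf '{"data":{"WOODPECKER_TOKEN":"%s"}}' "$(b64_token "$1")"
}

# ASCII-armored PGP block for the pillar, indented to sit under
#   woodpecker_api_token: |
# in a file whose first line is the "#!yaml|gpg" renderer shebang.
encrypt_for_pillar() {
  printf '%s' "$1" | gpg --armor --encrypt --recipient "$GPG_KEY" | sed 's/^/      /'
}

# Guard for "Do not commit plaintext token anywhere": fixed-string search of
# the tree (excluding .git). Returns 1 if the token is found anywhere.
scan_for_plaintext() {
  local token="$1" dir="$2"
  if grep -rF --exclude-dir=.git -- "$token" "$dir" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Acceptance check: the pillar decrypts to exactly the rotated token.
check_pillar() {
  local got
  got=$(salt-call --out=newline_values_only pillar.get "$PILLAR_KEY")
  [ "$got" = "$1" ]
}

# Test expectation: the API answers 200 for the token (prints the status code).
verify_token() {
  curl -sS -o /dev/null -w '%{http_code}' \
    -H "Authorization: Bearer $1" "$WOODPECKER_URL/api/user"
}

# Manual step from the ticket: patch the Secret, then restart so pods re-read it.
patch_dora_secret() {
  kubectl -n "$NAMESPACE" patch secret dora-exporter -p "$(build_secret_patch "$1")"
  kubectl -n "$NAMESPACE" rollout restart deployment/dora-exporter
}

case "${1:-}" in
  encrypt) encrypt_for_pillar "$(cat)" ;;
  scan)    scan_for_plaintext "$(cat)" "${2:-.}" ;;
  pillar)  check_pillar "$(cat)" ;;
  patch)   patch_dora_secret "$(cat)" ;;
  verify)  verify_token "$(cat)"; echo ;;
  *)       : ;;   # no subcommand: define functions only
esac
```

Usage: put the token from the Woodpecker UI in a 0600 file, run `./rotate.sh encrypt < token.txt` and paste the output under the key in `salt/pillar/secrets/platform.sls`, run `./rotate.sh scan < token.txt` before `git add` (a non-zero exit means the plaintext is somewhere in the tree), then `pillar`, `patch` and `verify` once the change is deployed; delete the token file afterwards.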
Author
Owner

Scope Review: NEEDS_REFINEMENT

Review note: review-333-2026-03-27
Ticket is well-scoped with all file targets verified, all consumers identified, and no blocking dependencies. Two minor gaps before moving to next_up:

  • Missing ### Type header (should be Task)
  • Missing story:superuser-deploy label on board item for traceability consistency with related items (#137, #179)
Author
Owner

Issue body updated per scope review corrections.
