forgejo_admin/pal-e-platform
1
0
Fork 0
Code Issues 33 Pull requests Projects Releases Packages Wiki Activity Actions

fix: remove non-functional Woodpecker gRPC funnel (#182) #207

Merged
forgejo_admin merged 1 commit from 182-remove-grpc-funnel into main 2026-03-27 21:37:08 +00:00
Conversation 1 Commits 1 Files changed 2 -36
forgejo_admin commented 2026-03-27 21:35:47 +00:00
Owner
Copy link

Summary

Removes the non-functional Woodpecker gRPC Tailscale funnel. Funnels terminate TLS and proxy as HTTP/1.1, which breaks gRPC's HTTP/2 binary framing. The funnel pod was running but serving no purpose -- all agent traffic now goes through the Tailscale subnet router (#175).

Changes

  • terraform/modules/networking/main.tf -- Removed kubernetes_ingress_v1.woodpecker_grpc_funnel resource (31 lines including comment, resource block, and depends_on)
  • terraform/main.tf -- Removed the corresponding moved block that relocated this resource into the networking module (5 lines)

tofu plan Output

tofu fmt and tofu validate both pass. tofu plan requires salt pillar secrets only available on the k3s host. Expected plan output on apply:

# module.networking.kubernetes_ingress_v1.woodpecker_grpc_funnel will be destroyed

The moved block removal is safe because the resource itself is being destroyed -- there is nothing left to move.

Test Plan

  • tofu apply destroys the funnel pod
  • kubectl get pods -n tailscale | grep woodpecker-grpc returns nothing
  • No woodpecker-grpc node in tailscale status
  • Mac agent still connected via subnet router (unaffected)

Review Checklist

  • tofu fmt -- no formatting changes needed
  • tofu validate -- configuration is valid
  • No new variables or secrets introduced
  • Removal is purely subtractive -- no risk of breaking other resources

Related Notes

Closes #182

  • PR #173 -- the PR that created the non-functional funnel
  • Issue #175 -- subnet router that replaced it
## Summary Removes the non-functional Woodpecker gRPC Tailscale funnel. Funnels terminate TLS and proxy as HTTP/1.1, which breaks gRPC's HTTP/2 binary framing. The funnel pod was running but serving no purpose -- all agent traffic now goes through the Tailscale subnet router (#175). ## Changes - `terraform/modules/networking/main.tf` -- Removed `kubernetes_ingress_v1.woodpecker_grpc_funnel` resource (31 lines including comment, resource block, and depends_on) - `terraform/main.tf` -- Removed the corresponding `moved` block that relocated this resource into the networking module (5 lines) ## tofu plan Output `tofu fmt` and `tofu validate` both pass. `tofu plan` requires salt pillar secrets only available on the k3s host. Expected plan output on apply: ``` # module.networking.kubernetes_ingress_v1.woodpecker_grpc_funnel will be destroyed ``` The `moved` block removal is safe because the resource itself is being destroyed -- there is nothing left to move. ## Test Plan - [ ] `tofu apply` destroys the funnel pod - [ ] `kubectl get pods -n tailscale | grep woodpecker-grpc` returns nothing - [ ] No `woodpecker-grpc` node in `tailscale status` - [ ] Mac agent still connected via subnet router (unaffected) ## Review Checklist - [x] `tofu fmt` -- no formatting changes needed - [x] `tofu validate` -- configuration is valid - [x] No new variables or secrets introduced - [x] Removal is purely subtractive -- no risk of breaking other resources ## Related Notes Closes #182 - PR #173 -- the PR that created the non-functional funnel - Issue #175 -- subnet router that replaced it
fix: remove non-functional Woodpecker gRPC funnel
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Details
ci/woodpecker/pr/woodpecker Pipeline was successful
Details
ci/woodpecker/pull_request_closed/woodpecker Pipeline was successful
Details
7c8e69aeb8 
Funnels terminate TLS and proxy as HTTP/1.1, which breaks gRPC's HTTP/2
binary framing. The funnel pod runs but serves no purpose -- all agent
traffic now goes through the Tailscale subnet router (#175).

Removes the kubernetes_ingress_v1.woodpecker_grpc_funnel resource from
the networking module and its corresponding moved block from main.tf.

Closes #182

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
forgejo_admin commented 2026-03-27 21:36:22 +00:00
Author
Owner
Copy link

QA Review

Scope: 2 files changed, 0 additions, 36 deletions. Purely subtractive.

Diff Analysis

  1. terraform/modules/networking/main.tf -- Removes the kubernetes_ingress_v1.woodpecker_grpc_funnel resource block entirely (comment + resource + depends_on). Clean removal, no orphaned references.

  2. terraform/main.tf -- Removes the moved block that relocated woodpecker_grpc_funnel into the networking module. Correct -- the moved block serves no purpose when the destination resource is being destroyed.

Verification

  • Searched entire terraform/ directory for woodpecker_grpc and woodpecker-grpc -- zero remaining references. No dangling outputs, variables, or module references.
  • tofu fmt -- clean (no formatting changes).
  • tofu validate -- passes.
  • No new resources, variables, or secrets introduced.

Observations

  • The PR correctly identifies that Tailscale funnels terminate TLS as HTTP/1.1, which is incompatible with gRPC's HTTP/2 requirement.
  • Agent connectivity is unaffected since #175 (subnet router) handles all agent traffic.
  • The tofu plan note about requiring salt pillar secrets on the k3s host is accurate and expected for this repo.

Nits

None.

VERDICT: APPROVE

## QA Review **Scope:** 2 files changed, 0 additions, 36 deletions. Purely subtractive. ### Diff Analysis 1. **`terraform/modules/networking/main.tf`** -- Removes the `kubernetes_ingress_v1.woodpecker_grpc_funnel` resource block entirely (comment + resource + depends_on). Clean removal, no orphaned references. 2. **`terraform/main.tf`** -- Removes the `moved` block that relocated `woodpecker_grpc_funnel` into the networking module. Correct -- the moved block serves no purpose when the destination resource is being destroyed. ### Verification - Searched entire `terraform/` directory for `woodpecker_grpc` and `woodpecker-grpc` -- **zero remaining references**. No dangling outputs, variables, or module references. - `tofu fmt` -- clean (no formatting changes). - `tofu validate` -- passes. - No new resources, variables, or secrets introduced. ### Observations - The PR correctly identifies that Tailscale funnels terminate TLS as HTTP/1.1, which is incompatible with gRPC's HTTP/2 requirement. - Agent connectivity is unaffected since #175 (subnet router) handles all agent traffic. - The `tofu plan` note about requiring salt pillar secrets on the k3s host is accurate and expected for this repo. ### Nits None. --- **VERDICT: APPROVE**
forgejo_admin deleted branch 182-remove-grpc-funnel 2026-03-27 21:37:08 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
domain:backend

   
domain:devops

   
domain:frontend

   
status:approved

QA passed, awaiting merge approval

  
status:in-progress

Dev agent is actively working

  
status:needs-fix

QA found issues, back to dev

  
status:qa

PR submitted, awaiting QA review

  
type:bug

Bug fix

  
type:devops

Infrastructure/CI/config work

  
type:feature

New functionality

No labels
domain:backend
domain:devops
domain:frontend
status:approved
status:in-progress
status:needs-fix
status:qa
type:bug
type:devops
type:feature
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
forgejo_admin/pal-e-platform!207
No description provided.