Wire forgejo and harbor OIDC secrets through Salt GPG pillar #423

Merged
ldraney merged 1 commit from wire-missing-secrets into main 2026-06-13 08:55:42 +00:00

Summary

  • Add last 2 missing OIDC secrets to unblock tofu plan
  • Sources: k8s forgejo-oidc secret, Keycloak admin API for harbor client

Changes

  • salt/pillar/secrets/platform.sls — add GPG-encrypted entries for forgejo_oidc_client_secret and harbor_oidc_client_secret
  • Makefile — add both to TF_SECRET_VARS allowlist (now 26 total)

Test Plan

  • make tofu-validate-secrets passes (26/26 vars)
  • tofu plan succeeds: 10 to add, 2 to change, 0 to destroy
  • Hetzner edge resources in plan: server, firewall, SSH key, tailscale key

Review Checklist

  • No secrets committed in plaintext
  • GPG encryption uses correct Salt Master key
  • Commit messages are descriptive

Related Notes

  • Fixes #419 (completes secrets pipeline for tofu plan/apply)
  • Companion to PR #422 which wired the first 4 missing secrets
Wire forgejo and harbor OIDC secrets through Salt GPG pillar
All checks were successful
ci/woodpecker/push/terraform Pipeline was successful
ci/woodpecker/pr/terraform Pipeline was successful
ci/woodpecker/pull_request_closed/terraform Pipeline was successful
af347d0e6a
Add forgejo_oidc_client_secret and harbor_oidc_client_secret to pillar
and Makefile TF_SECRET_VARS. Completes the secrets pipeline — tofu plan
now succeeds with all 26 vars.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

PR #423 Review

DOMAIN REVIEW

Tech stack: Salt SLS (GPG pillar), Makefile (GNU Make). Infra/secrets pipeline domain.

Salt pillar (platform.sls):

  • Both forgejo_oidc_client_secret and harbor_oidc_client_secret are properly GPG-encrypted PGP MESSAGE blocks
  • GPG key ID (hQIMA4GgPRz4dNyQAQ) matches all other entries in the file -- correct Salt Master key
  • YAML indentation is consistent with existing entries (6-space indent under secrets:)
  • Block scalar style (|) matches the existing pattern
  • Blank line separator between the two entries matches existing convention

Makefile (TF_SECRET_VARS):

  • Line continuation (\) correctly added to the admin_auth_secret line (previously the terminal line)
  • New line adds both vars on a single line, no trailing \ (correct -- this is now the terminal line)
  • Tab indentation matches existing entries
  • Variable names match the pillar keys exactly

Secrets pipeline consistency:

  • The PILLAR_TO_TFVARS Python script filters by whitelist -- adding to TF_SECRET_VARS is the correct and only step needed to flow these through to terraform/secrets.auto.tfvars
  • make tofu-validate-secrets reported 26/26 vars (per test plan), confirming end-to-end pipeline integrity

BLOCKERS

None.

NITS

  1. secrets_registry.sls entries missing for both forgejo_oidc_client_secret and harbor_oidc_client_secret. This is acknowledged tech debt from the PR #422 review cycle -- all 5 OIDC secrets added across both PRs lack registry entries. The registry tracks origin, rotation schedule, and backup locations. Recommend filing a follow-up ticket to backfill these entries for all 5 OIDC secrets at once. Not a blocker since the registry is advisory metadata, not part of the functional pipeline.

  2. PR body says "Fixes #419" in Related Notes but does not use Closes #419 syntax, which Forgejo uses to auto-close issues on merge. Minor -- can be closed manually.

SOP COMPLIANCE

  • PR body follows template (Summary, Changes, Test Plan, Review Checklist, Related Notes all present)
  • No secrets committed in plaintext -- all values are GPG-encrypted PGP blocks
  • No unnecessary file changes -- exactly 2 files, both directly related to the task
  • Commit messages are descriptive (PR title is clear)
  • Test plan includes validation evidence (26/26 vars, tofu plan output)
  • Closes #419 not present (nit -- "Fixes #419" in prose but not in auto-close syntax)

PROCESS OBSERVATIONS

  • Clean companion PR pattern: #422 wired the first 4 secrets, #423 adds the final 2. Together they complete the pipeline for tofu plan/apply. This split keeps each PR reviewable in isolation.
  • Change failure risk is low: adding to an allowlist and appending encrypted entries are additive-only operations with no risk to existing secrets.
  • Tech debt note: 5 secrets across PRs #422 and #423 need secrets_registry.sls entries. Recommend a single cleanup ticket.

VERDICT: APPROVED

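The PR description and the review's "Secrets pipeline consistency" notes both describe the same flow: GPG-armored values under `secrets:` in the pillar, an allowlist in the Makefile's `TF_SECRET_VARS`, a whitelist-filtering script, and a `tofu-validate-secrets` count. As an added illustration (this is not the project's `PILLAR_TO_TFVARS` script or Makefile, neither of which appears on this page), the Python below reconstructs the two checks a reviewer cares about and the rendering step: it parses the `secrets:` mapping, reads `TF_SECRET_VARS` across backslash-continued lines the way make does, reports allowlisted vars that are missing or not armored PGP MESSAGE blocks (the "no secrets in plaintext" checklist item), and emits HCL for allowlisted, already-decrypted values with escaping. The pillar text, Makefile fragment, placeholder ciphertext and decrypted values are constructed; decryption itself happens on the Salt master and is out of scope.

```python
import re

PGP_BEGIN = "-----BEGIN PGP MESSAGE-----"
PGP_END = "-----END PGP MESSAGE-----"

# Constructed pillar in the shape Salt's gpg renderer expects (armored blocks as `|`
# scalars). The ciphertext is a placeholder, not real GPG output; the second entry is
# deliberately plaintext, and admin_auth_secret is deliberately absent, so both checks fire.
PILLAR = """#!yaml|gpg
secrets:
  forgejo_oidc_client_secret: |
    -----BEGIN PGP MESSAGE-----

    hQIMAPLACEHOLDERKEYIDAAAAQ/placeholder-ciphertext
    -----END PGP MESSAGE-----

  harbor_oidc_client_secret: plaintext-by-mistake
"""

# Constructed Makefile fragment with the backslash continuations the review discusses.
MAKEFILE = ("TF_SECRET_VARS := \\\n"
            "\tadmin_auth_secret \\\n"
            "\tforgejo_oidc_client_secret harbor_oidc_client_secret\n")


def is_armored(value):
    """True only for a complete ASCII-armored PGP MESSAGE block."""
    v = value.strip()
    return v.startswith(PGP_BEGIN) and v.endswith(PGP_END)


def parse_pillar_secrets(text):
    """{name: value} for the top-level `secrets:` mapping. Handles `key: |` block
    scalars and inline scalars only; it is a shape check, not a YAML parser."""
    lines = text.splitlines()
    i = next(k for k, l in enumerate(lines) if l.rstrip() == "secrets:") + 1
    secrets, key_indent = {}, None
    while i < len(lines):
        line = lines[i]
        if not line.strip():
            i += 1
            continue
        indent = len(line) - len(line.lstrip(" "))
        key_indent = indent if key_indent is None else key_indent
        if indent < key_indent:
            break  # left the secrets mapping
        m = re.match(r"\s*([A-Za-z0-9_]+):\s*(.*)$", line)
        if not m:
            raise ValueError(f"unexpected line under secrets: {line!r}")
        name, rest = m.group(1), m.group(2).strip()
        i += 1
        if rest != "|":
            secrets[name] = rest  # inline scalar: this is what a plaintext slip looks like
            continue
        block, block_indent = [], None
        while i < len(lines):
            cur = lines[i]
            if not cur.strip():
                block.append("")
                i += 1
                continue
            ind = len(cur) - len(cur.lstrip(" "))
            if ind <= key_indent:
                break
            block_indent = ind if block_indent is None else block_indent
            block.append(cur[block_indent:])
            i += 1
        while block and block[-1] == "":
            block.pop()  # clip trailing blank lines, as YAML `|` does
        secrets[name] = "\n".join(block) + "\n"
    return secrets


def parse_make_var(text, name):
    """Words of a Makefile variable, joining `\\`-continued lines as make does."""
    m = re.search(rf"^{re.escape(name)}\s*[:?+]?=(.*?)(?<!\\)$", text, re.M | re.S)
    if not m:
        raise KeyError(name)
    return m.group(1).replace("\\\n", " ").split()


def check_pipeline(pillar_text, makefile_text, var_name="TF_SECRET_VARS"):
    """Allowlist and no-plaintext checks, in the spirit of `make tofu-validate-secrets`."""
    secrets = parse_pillar_secrets(pillar_text)
    allowlist = parse_make_var(makefile_text, var_name)
    missing = [v for v in allowlist if v not in secrets]
    plaintext = [v for v in allowlist if v in secrets and not is_armored(secrets[v])]
    return {"allowlist": allowlist, "missing": missing, "plaintext": plaintext,
            "ok": not missing and not plaintext}


def render_tfvars(values, allowlist):
    """HCL for allowlisted keys only, from an already-decrypted mapping. Escapes quotes,
    backslashes, newlines and `${`/`%{` so a secret's content cannot alter the file."""
    out = []
    for name in allowlist:
        if name in values:
            v = (values[name].replace("\\", "\\\\").replace('"', '\\"')
                 .replace("\n", "\\n").replace("${", "$${").replace("%{", "%%{"))
            out.append(f'{name} = "{v}"')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    report = check_pipeline(PILLAR, MAKEFILE)
    print(f"{len(report['allowlist']) - len(report['missing'])}/{len(report['allowlist'])} vars present")
    print("missing:", report["missing"], "plaintext:", report["plaintext"])
    print(render_tfvars({"forgejo_oidc_client_secret": 'fj"${x}'}, report["allowlist"]), end="")
```

Run as-is, the constructed input reports 2/3 vars present, one missing and one plaintext, so the overall result is not ok; with all three present and armored it would print 3/3 in the same way the PR's test plan reports 26/26. Because the allowlist, not the pillar, decides what reaches the tfvars file, adding a variable to `TF_SECRET_VARS` is the only wiring step, which is the point the review makes; the escaping in `render_tfvars` matters because a rendered secrets file is parsed as HCL, and the file itself should be created owner-only and kept out of version control.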
ldraney deleted branch wire-missing-secrets 2026-06-13 08:55:42 +00:00