Allow hostPath volumes for Woodpecker CI bundle caching

ldraney commented

2026-06-04 05:41:05 +00:00

Owner

Summary

Adds WOODPECKER_BACKEND_K8S_VOLUME_HOSTPATH_ALLOW = "/var/lib/woodpecker-cache" to the Woodpecker agent env. Pipeline #191 on landscaping-assistant failed because the k8s backend silently dropped the hostPath volume mount — this unblocks the bundle caching from PR #81.

Changes

terraform/modules/ci/main.tf — one env var added to agent config, scoped to /var/lib/woodpecker-cache

Test Plan

tofu plan shows only the agent env change
After apply, re-run landscaping-assistant pipeline — save-bundle-cache step succeeds
Second pipeline run shows cache hit in restore-bundle-cache step

Review Checklist

Single env var addition, minimal blast radius
Path scoped narrowly — only /var/lib/woodpecker-cache allowed
No new variables or module interface changes

Follow-up to PR #405 (agent scaling). Fixes landscaping-assistant pipeline #191.

Closes ldraney/landscaping-assistant#60

## Summary Adds `WOODPECKER_BACKEND_K8S_VOLUME_HOSTPATH_ALLOW = "/var/lib/woodpecker-cache"` to the Woodpecker agent env. Pipeline #191 on landscaping-assistant failed because the k8s backend silently dropped the hostPath volume mount — this unblocks the bundle caching from PR #81. ## Changes - `terraform/modules/ci/main.tf` — one env var added to agent config, scoped to `/var/lib/woodpecker-cache` ## Test Plan - [ ] `tofu plan` shows only the agent env change - [ ] After apply, re-run landscaping-assistant pipeline — `save-bundle-cache` step succeeds - [ ] Second pipeline run shows cache hit in `restore-bundle-cache` step ## Review Checklist - [x] Single env var addition, minimal blast radius - [x] Path scoped narrowly — only `/var/lib/woodpecker-cache` allowed - [x] No new variables or module interface changes ## Related Notes Follow-up to PR #405 (agent scaling). Fixes landscaping-assistant pipeline #191. Closes ldraney/landscaping-assistant#60

ldraney added 1 commit

2026-06-04 05:41:05 +00:00

Allow hostPath volumes for Woodpecker CI bundle caching

ci/woodpecker/push/terraform Pipeline was successful

Details

ci/woodpecker/pr/terraform Pipeline failed

Details

d52c05f216

Pipeline #191 failed because the k8s backend blocks hostPath mounts
by default. Adding WOODPECKER_BACKEND_K8S_VOLUME_HOSTPATH_ALLOW for
/var/lib/woodpecker-cache enables the bundle cache volume from PR #81.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

ldraney commented

2026-06-04 05:42:42 +00:00

Author

Owner

PR #406 Review

DOMAIN REVIEW

Tech Stack: Terraform (Helm release values for Woodpecker CI on Kubernetes)

Change Analysis:
This PR adds a single environment variable WOODPECKER_BACKEND_K8S_VOLUME_HOSTPATH_ALLOW = "/var/lib/woodpecker-cache" to the Woodpecker agent configuration in terraform/modules/ci/main.tf. The remaining diff is whitespace realignment for column consistency.

Terraform/k8s Assessment:

Correctness: The env var is the documented Woodpecker mechanism to allowlist hostPath volumes in the k8s backend. Without it, the backend silently drops hostPath mounts -- which is exactly what pipeline #191 experienced. The fix is correct.
Security (hostPath scope): The path is narrowly scoped to /var/lib/woodpecker-cache -- this is appropriate for a build cache. HostPath volumes are a known security surface in k8s, but scoping to a single purpose-built directory (not /, /etc, or /var/run) is the accepted pattern for CI caching. No escalation risk.
State safety: This is a Helm values change (env var addition). It will trigger a Helm release update on tofu apply but does not modify Terraform state structure. No migration plan needed.
tofu fmt compliance: The alignment reformatting uses consistent padding. The new key is the longest, and all values are column-aligned. Acceptable.
Blast radius: Single env var addition to one resource. Minimal.
Correlation with consumer: Verified against /home/ldraney/landscaping-assistant/.woodpecker.yaml -- the pipeline uses host_path.path: /var/lib/woodpecker-cache/bundle which falls under the allowed prefix /var/lib/woodpecker-cache. The allow path correctly covers subpaths.

BLOCKERS

None.

NITS

Branch naming: Branch is fix-woodpecker-hostpath-allow -- since this closes a cross-repo issue (landscaping-assistant#60), the convention {issue-number}-{purpose} is loosely applicable. A name like 60-woodpecker-hostpath-allow would be stricter, but cross-repo references make this a grey area. Non-blocking.
Test plan checkbox format: The test plan uses - [ ] (unchecked) items. Consider checking them off or noting they will be validated post-merge. Non-blocking.

SOP COMPLIANCE

Branch named purposefully (cross-repo issue makes strict convention less applicable)
PR body has Summary, Changes, Test Plan, Related sections
Related section does not reference a plan slug (references PR #405 and pipeline #191 instead)
No secrets committed (sensitive values remain in set_sensitive blocks)
No unnecessary file changes (single file, single logical change + alignment)
Commit message is descriptive (implied by PR title)

PROCESS OBSERVATIONS

Deployment frequency: This unblocks CI caching that was merged in PR #81 but non-functional. Once applied, subsequent pipelines will benefit from bundle cache hits, reducing build times and improving deployment frequency.
Change failure risk: Very low. The env var is additive and only enables a capability that pipelines already attempt to use. If the path were wrong, the worst case is continued cache misses (status quo), not a failure.
Documentation: The PR body clearly explains the causal chain (PR #81 added caching, pipeline #191 failed because hostPath was silently dropped, this PR allows the path).

VERDICT: APPROVED

## PR #406 Review ### DOMAIN REVIEW **Tech Stack:** Terraform (Helm release values for Woodpecker CI on Kubernetes) **Change Analysis:** This PR adds a single environment variable `WOODPECKER_BACKEND_K8S_VOLUME_HOSTPATH_ALLOW = "/var/lib/woodpecker-cache"` to the Woodpecker agent configuration in `terraform/modules/ci/main.tf`. The remaining diff is whitespace realignment for column consistency. **Terraform/k8s Assessment:** 1. **Correctness:** The env var is the documented Woodpecker mechanism to allowlist hostPath volumes in the k8s backend. Without it, the backend silently drops hostPath mounts -- which is exactly what pipeline #191 experienced. The fix is correct. 2. **Security (hostPath scope):** The path is narrowly scoped to `/var/lib/woodpecker-cache` -- this is appropriate for a build cache. HostPath volumes are a known security surface in k8s, but scoping to a single purpose-built directory (not `/`, `/etc`, or `/var/run`) is the accepted pattern for CI caching. No escalation risk. 3. **State safety:** This is a Helm values change (env var addition). It will trigger a Helm release update on `tofu apply` but does not modify Terraform state structure. No migration plan needed. 4. **`tofu fmt` compliance:** The alignment reformatting uses consistent padding. The new key is the longest, and all values are column-aligned. Acceptable. 5. **Blast radius:** Single env var addition to one resource. Minimal. 6. **Correlation with consumer:** Verified against `/home/ldraney/landscaping-assistant/.woodpecker.yaml` -- the pipeline uses `host_path.path: /var/lib/woodpecker-cache/bundle` which falls under the allowed prefix `/var/lib/woodpecker-cache`. The allow path correctly covers subpaths. ### BLOCKERS None. ### NITS 1. **Branch naming:** Branch is `fix-woodpecker-hostpath-allow` -- since this closes a cross-repo issue (`landscaping-assistant#60`), the convention `{issue-number}-{purpose}` is loosely applicable. A name like `60-woodpecker-hostpath-allow` would be stricter, but cross-repo references make this a grey area. Non-blocking. 2. **Test plan checkbox format:** The test plan uses `- [ ]` (unchecked) items. Consider checking them off or noting they will be validated post-merge. Non-blocking. ### SOP COMPLIANCE - [x] Branch named purposefully (cross-repo issue makes strict convention less applicable) - [x] PR body has Summary, Changes, Test Plan, Related sections - [ ] Related section does not reference a plan slug (references PR #405 and pipeline #191 instead) - [x] No secrets committed (sensitive values remain in `set_sensitive` blocks) - [x] No unnecessary file changes (single file, single logical change + alignment) - [x] Commit message is descriptive (implied by PR title) ### PROCESS OBSERVATIONS - **Deployment frequency:** This unblocks CI caching that was merged in PR #81 but non-functional. Once applied, subsequent pipelines will benefit from bundle cache hits, reducing build times and improving deployment frequency. - **Change failure risk:** Very low. The env var is additive and only enables a capability that pipelines already attempt to use. If the path were wrong, the worst case is continued cache misses (status quo), not a failure. - **Documentation:** The PR body clearly explains the causal chain (PR #81 added caching, pipeline #191 failed because hostPath was silently dropped, this PR allows the path). ### VERDICT: APPROVED

ldraney added 1 commit

2026-06-04 05:43:36 +00:00

Run tofu fmt on CI module

ci/woodpecker/push/terraform Pipeline was successful

Details

ci/woodpecker/pr/terraform Pipeline was successful

Details

ci/woodpecker/pull_request_closed/terraform Pipeline was successful

Details

ce0c55f7d1

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

ldraney merged commit e1b546f1ed into main

2026-06-04 05:45:33 +00:00

ldraney deleted branch fix-woodpecker-hostpath-allow

2026-06-04 05:45:33 +00:00

ldraney referenced this pull request from a commit

2026-06-04 05:45:35 +00:00

Allow hostPath volumes for Woodpecker CI bundle caching (#406)

Rows
Columns

Allow hostPath volumes for Woodpecker CI bundle caching #406

Summary

Changes

Test Plan

Review Checklist

Related Notes

PR #406 Review

DOMAIN REVIEW

BLOCKERS

NITS

SOP COMPLIANCE

PROCESS OBSERVATIONS

VERDICT: APPROVED