admin/stonks-oracle
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: bake Woodpecker OAuth2 + agent secret into Helm values

Browse Source 
Permanent fix for cluster rebuilds:
- OAuth2 client_id/secret baked into woodpecker/values.yaml
- WOODPECKER_AGENT_SECRET shared between server and agents
- runmefirst.sh uses baked creds if present, creates fresh ones only
  if values.yaml still has placeholders
- Agents survive DB wipes since they auth via shared secret
This commit is contained in:
Celes Renata
2026-04-21 02:12:58 +00:00
parent 26e20484c8
commit 7efdddd794
2 changed files with 33 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files
pipelines/runmefirst.sh
+29 -20
View File
@@ -140,39 +140,48 @@ echo "--- Step 5: Installing Woodpecker CI ---"
WOODPECKER_EXISTS=$(helm list -n woodpecker -q 2>/dev/null | grep -c woodpecker || true) WOODPECKER_EXISTS=$(helm list -n woodpecker -q 2>/dev/null | grep -c woodpecker || true)
if [ "${WOODPECKER_EXISTS:-0}" -gt 0 ]; then if [ "${WOODPECKER_EXISTS:-0}" -gt 0 ]; then
echo " Woodpecker already installed — upgrading (preserving OAuth2 grants)..." echo " Woodpecker already installed — upgrading..."
helm upgrade woodpecker oci://ghcr.io/woodpecker-ci/helm/woodpecker \ helm upgrade woodpecker oci://ghcr.io/woodpecker-ci/helm/woodpecker \
--namespace woodpecker \ --namespace woodpecker \
--values woodpecker/values.yaml \ --values woodpecker/values.yaml \
--timeout 5m --timeout 5m
else else
echo " Fresh Woodpecker install..." echo " Fresh Woodpecker install..."
# Delete stale OAuth2 app in Gitea (if any) # Delete stale OAuth2 app in Gitea (if any) and create fresh one
EXISTING_APP_ID=$(curl -s -H "$GITEA_AUTH" "$GITEA_API/user/applications/oauth2" | python3 -c ' # only if the values.yaml still has placeholders
CURRENT_CLIENT=$(grep WOODPECKER_GITEA_CLIENT woodpecker/values.yaml | head -1 | awk -F'"' '{print $2}')
if [ "$CURRENT_CLIENT" = "<GITEA_CLIENT_ID>" ] || [ -z "$CURRENT_CLIENT" ]; then
EXISTING_APP_ID=$(curl -s -H "$GITEA_AUTH" "$GITEA_API/user/applications/oauth2" | python3 -c '
import sys, json import sys, json
for app in json.loads(sys.stdin.read()): for app in json.loads(sys.stdin.read()):
if app.get("name") == "woodpecker-ci": if app.get("name") == "woodpecker-ci":
print(app["id"]) print(app["id"])
break break
' 2>/dev/null || echo "") ' 2>/dev/null || echo "")
if [ -n "$EXISTING_APP_ID" ]; then if [ -n "$EXISTING_APP_ID" ]; then
curl -s -X DELETE -H "$GITEA_AUTH" "$GITEA_API/user/applications/oauth2/$EXISTING_APP_ID" > /dev/null curl -s -X DELETE -H "$GITEA_AUTH" "$GITEA_API/user/applications/oauth2/$EXISTING_APP_ID" > /dev/null
echo " Deleted stale OAuth2 app (id=$EXISTING_APP_ID)" echo " Deleted stale OAuth2 app (id=$EXISTING_APP_ID)"
fi fi
# Create fresh OAuth2 app OAUTH2_RESP=$(curl -s -X POST "$GITEA_API/user/applications/oauth2" \
OAUTH2_RESP=$(curl -s -X POST "$GITEA_API/user/applications/oauth2" \ -H "$GITEA_AUTH" -H "Content-Type: application/json" \
-H "$GITEA_AUTH" -H "Content-Type: application/json" \ -d '{"name":"woodpecker-ci","redirect_uris":["https://stonks-ci.celestium.life/authorize"],"confidential_client":true}')
-d '{"name":"woodpecker-ci","redirect_uris":["https://stonks-ci.celestium.life/authorize"],"confidential_client":true}') GITEA_CLIENT_ID=$(echo "$OAUTH2_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin)['client_id'])")
GITEA_CLIENT_ID=$(echo "$OAUTH2_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin)['client_id'])") GITEA_CLIENT_SECRET=$(echo "$OAUTH2_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin)['client_secret'])")
GITEA_CLIENT_SECRET=$(echo "$OAUTH2_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin)['client_secret'])") echo " ✓ OAuth2 app created (client_id: $GITEA_CLIENT_ID)"
echo " ✓ OAuth2 app created (client_id: $GITEA_CLIENT_ID)"
helm install woodpecker oci://ghcr.io/woodpecker-ci/helm/woodpecker \ helm install woodpecker oci://ghcr.io/woodpecker-ci/helm/woodpecker \
--namespace woodpecker \ --namespace woodpecker \
--values woodpecker/values.yaml \ --values woodpecker/values.yaml \
--set server.env.WOODPECKER_GITEA_CLIENT="${GITEA_CLIENT_ID}" \ --set server.env.WOODPECKER_GITEA_CLIENT="${GITEA_CLIENT_ID}" \
--set server.env.WOODPECKER_GITEA_SECRET="${GITEA_CLIENT_SECRET}" \ --set server.env.WOODPECKER_GITEA_SECRET="${GITEA_CLIENT_SECRET}" \
--timeout 5m --timeout 5m
else
echo " ✓ OAuth2 creds baked into values.yaml — using those"
helm install woodpecker oci://ghcr.io/woodpecker-ci/helm/woodpecker \
--namespace woodpecker \
--values woodpecker/values.yaml \
--timeout 5m
fi
fi fi
# Wait for server to be ready (don't use --wait, agents may take longer) # Wait for server to be ready (don't use --wait, agents may take longer)
pipelines/woodpecker/values.yaml
+4 -2
View File
@@ -14,8 +14,9 @@ server:
WOODPECKER_GRPC_ADDR: "0.0.0.0:9000" WOODPECKER_GRPC_ADDR: "0.0.0.0:9000"
WOODPECKER_GITEA: "true" WOODPECKER_GITEA: "true"
WOODPECKER_GITEA_URL: "http://gitea-service.git-server.svc.cluster.local:3000" WOODPECKER_GITEA_URL: "http://gitea-service.git-server.svc.cluster.local:3000"
WOODPECKER_GITEA_CLIENT: "<GITEA_CLIENT_ID>" WOODPECKER_GITEA_CLIENT: "8fb7fc0f-98f6-42b5-b066-6cc4d745de4f"
WOODPECKER_GITEA_SECRET: "<GITEA_CLIENT_SECRET>" WOODPECKER_GITEA_SECRET: "gto_izanujbxlcxzc23znan56m3uie6s4ta2lgvro2yhgmuwvw3vutkq"
WOODPECKER_AGENT_SECRET: "01eede973f522dbea9c1f09afc020ed0934a6f946d5832be5fecacb0da04ce23"
WOODPECKER_ADMIN: "admin" WOODPECKER_ADMIN: "admin"
WOODPECKER_PLUGINS_PRIVILEGED: "woodpeckerci/plugin-docker-buildx" WOODPECKER_PLUGINS_PRIVILEGED: "woodpeckerci/plugin-docker-buildx"
@@ -55,6 +56,7 @@ agent:
env: env:
WOODPECKER_SERVER: "woodpecker-server:9000" WOODPECKER_SERVER: "woodpecker-server:9000"
WOODPECKER_AGENT_SECRET: "01eede973f522dbea9c1f09afc020ed0934a6f946d5832be5fecacb0da04ce23"
WOODPECKER_BACKEND: kubernetes WOODPECKER_BACKEND: kubernetes
WOODPECKER_BACKEND_K8S_NAMESPACE: woodpecker WOODPECKER_BACKEND_K8S_NAMESPACE: woodpecker
WOODPECKER_BACKEND_K8S_VOLUME_SIZE: 5Gi WOODPECKER_BACKEND_K8S_VOLUME_SIZE: 5Gi