Document reuse-surface runtime secrets and Forgejo org webhook
All checks were successful
CI Smoke / host-smoke (push) Successful in 0s
CI Smoke / container-smoke (push) Successful in 3s

Add runbook coverage for REUSE_SURFACE_TOKEN and
REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET in reuse-surface-env, plus an
idempotent make reuse-forgejo-webhook target that wires the coulomb org
push webhook to the hub receiver.
This commit is contained in:
tegwick 2026-07-07 21:28:46 +02:00
parent 8f4486f978
commit 9b31f229e8
4 changed files with 177 additions and 14 deletions

View file

@ -44,7 +44,74 @@ export REUSE_SURFACE_URL=http://127.0.0.1:18001
| Values | `helm/reuse-surface-values.yaml` |
| Image | `gitea.coulomb.social/coulomb/reuse-surface:<tag>` |
| Landing image | `nginxinc/nginx-unprivileged:1.27-alpine` |
| Secret | `reuse-surface-env` (`REUSE_SURFACE_TOKEN`) |
| Secret | `reuse-surface-env` (see [Runtime secrets](#runtime-secrets)) |
## Runtime secrets
Custody is the Kubernetes Secret `reuse-surface-env` in namespace `reuse` on
Railiance01. This is **not** an OpenBao KV path today — see
**RAILIANCE-WP-0011** for a planned OpenBao + External Secrets migration.
| Key | Required | Purpose |
| --- | --- | --- |
| `REUSE_SURFACE_TOKEN` | yes | Bearer token for hub write API (`POST /v1/repos`, compose, etc.) |
| `REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET` | for webhooks | HMAC secret for `POST /v1/webhooks/forgejo` (REUSE-WP-0019-T02) |
The chart injects both keys via `envFrom.secretRef` on the `reuse-surface`
Deployment. After patching the Secret, restart the Deployment so new values
are picked up:
```bash
kubectl --kubeconfig ~/.kube/config-hosteurope rollout restart deployment/reuse-surface -n reuse
kubectl --kubeconfig ~/.kube/config-hosteurope rollout status deployment/reuse-surface -n reuse
```
**Create or rotate** (generate values locally — never commit or paste into chat):
```bash
kubectl create namespace reuse --dry-run=client -o yaml | kubectl apply -f -
kubectl create secret generic reuse-surface-env \
--namespace reuse \
--from-literal=REUSE_SURFACE_TOKEN="$(openssl rand -hex 32)" \
--from-literal=REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET="$(openssl rand -hex 32)" \
--dry-run=client -o yaml | kubectl apply -f -
kubectl --kubeconfig ~/.kube/config-hosteurope rollout restart deployment/reuse-surface -n reuse
```
**Export for a shell session** (streams to your terminal only):
```bash
export REUSE_SURFACE_TOKEN=$(
kubectl --kubeconfig ~/.kube/config-hosteurope get secret reuse-surface-env -n reuse \
-o jsonpath='{.data.REUSE_SURFACE_TOKEN}' | base64 -d
)
```
Or proxy via ops-warden: `warden access reuse-surface-hub-write-token --fetch`.
## Forgejo org webhook
Org-level push webhook on Forgejo (`coulomb`) triggers hub recompose when any
repo changes paths under `registry/indexes/`. The HMAC secret must match
`REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET` in `reuse-surface-env`.
Requires a Forgejo admin API token at `/tmp/forgejo-tegwick-api-token` (or
`FORGEJO_ADMIN_TOKEN`). Idempotent setup:
```bash
make reuse-forgejo-webhook
```
Manual verification (unsigned body should return `401`, not `503`):
```bash
curl -fsS -o /dev/null -w "%{http_code}\n" -X POST \
https://reuse.coulomb.social/v1/webhooks/forgejo \
-H "Content-Type: application/json" -d '{}'
```
Live status (2026-07-07): org webhook id `1` on `coulomb`
`https://reuse.coulomb.social/v1/webhooks/forgejo`, push events only.
## Browser landing page
@ -71,15 +138,10 @@ the API service.
```bash
# 1. Pin image tag in helm/reuse-surface-values.yaml
# 2. Create secret (example — use SOPS handoff in production)
kubectl create namespace reuse --dry-run=client -o yaml | kubectl apply -f -
kubectl create secret generic reuse-surface-env \
--namespace reuse \
--from-literal=REUSE_SURFACE_TOKEN='<token>' \
--dry-run=client -o yaml | kubectl apply -f -
# Production (Railiance01, defaults to ~/.kube/config-hosteurope)
# 2. Ensure reuse-surface-env has both keys (see Runtime secrets above)
# 3. Production (Railiance01, defaults to ~/.kube/config-hosteurope)
make reuse-deploy
make reuse-forgejo-webhook # after webhook secret is in the cluster Secret
make reuse-status
# Restore kubeconfig from the node if missing: