Document reuse-surface runtime secrets and Forgejo org webhook
Add runbook coverage for REUSE_SURFACE_TOKEN and REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET in reuse-surface-env, plus an idempotent make reuse-forgejo-webhook target that wires the coulomb org push webhook to the hub receiver.
This commit is contained in:
parent
8f4486f978
commit
9b31f229e8
4 changed files with 177 additions and 14 deletions
|
|
@ -44,7 +44,74 @@ export REUSE_SURFACE_URL=http://127.0.0.1:18001
|
|||
| Values | `helm/reuse-surface-values.yaml` |
|
||||
| Image | `gitea.coulomb.social/coulomb/reuse-surface:<tag>` |
|
||||
| Landing image | `nginxinc/nginx-unprivileged:1.27-alpine` |
|
||||
| Secret | `reuse-surface-env` (`REUSE_SURFACE_TOKEN`) |
|
||||
| Secret | `reuse-surface-env` (see [Runtime secrets](#runtime-secrets)) |
|
||||
|
||||
## Runtime secrets
|
||||
|
||||
Custody is the Kubernetes Secret `reuse-surface-env` in namespace `reuse` on
|
||||
Railiance01. This is **not** an OpenBao KV path today — see
|
||||
**RAILIANCE-WP-0011** for a planned OpenBao + External Secrets migration.
|
||||
|
||||
| Key | Required | Purpose |
|
||||
| --- | --- | --- |
|
||||
| `REUSE_SURFACE_TOKEN` | yes | Bearer token for hub write API (`POST /v1/repos`, compose, etc.) |
|
||||
| `REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET` | for webhooks | HMAC secret for `POST /v1/webhooks/forgejo` (REUSE-WP-0019-T02) |
|
||||
|
||||
The chart injects both keys via `envFrom.secretRef` on the `reuse-surface`
|
||||
Deployment. After patching the Secret, restart the Deployment so new values
|
||||
are picked up:
|
||||
|
||||
```bash
|
||||
kubectl --kubeconfig ~/.kube/config-hosteurope rollout restart deployment/reuse-surface -n reuse
|
||||
kubectl --kubeconfig ~/.kube/config-hosteurope rollout status deployment/reuse-surface -n reuse
|
||||
```
|
||||
|
||||
**Create or rotate** (generate values locally — never commit or paste into chat):
|
||||
|
||||
```bash
|
||||
kubectl create namespace reuse --dry-run=client -o yaml | kubectl apply -f -
|
||||
kubectl create secret generic reuse-surface-env \
|
||||
--namespace reuse \
|
||||
--from-literal=REUSE_SURFACE_TOKEN="$(openssl rand -hex 32)" \
|
||||
--from-literal=REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET="$(openssl rand -hex 32)" \
|
||||
--dry-run=client -o yaml | kubectl apply -f -
|
||||
kubectl --kubeconfig ~/.kube/config-hosteurope rollout restart deployment/reuse-surface -n reuse
|
||||
```
|
||||
|
||||
**Export for a shell session** (streams to your terminal only):
|
||||
|
||||
```bash
|
||||
export REUSE_SURFACE_TOKEN=$(
|
||||
kubectl --kubeconfig ~/.kube/config-hosteurope get secret reuse-surface-env -n reuse \
|
||||
-o jsonpath='{.data.REUSE_SURFACE_TOKEN}' | base64 -d
|
||||
)
|
||||
```
|
||||
|
||||
Or proxy via ops-warden: `warden access reuse-surface-hub-write-token --fetch`.
|
||||
|
||||
## Forgejo org webhook
|
||||
|
||||
Org-level push webhook on Forgejo (`coulomb`) triggers hub recompose when any
|
||||
repo changes paths under `registry/indexes/`. The HMAC secret must match
|
||||
`REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET` in `reuse-surface-env`.
|
||||
|
||||
Requires a Forgejo admin API token at `/tmp/forgejo-tegwick-api-token` (or
|
||||
`FORGEJO_ADMIN_TOKEN`). Idempotent setup:
|
||||
|
||||
```bash
|
||||
make reuse-forgejo-webhook
|
||||
```
|
||||
|
||||
Manual verification (unsigned body should return `401`, not `503`):
|
||||
|
||||
```bash
|
||||
curl -fsS -o /dev/null -w "%{http_code}\n" -X POST \
|
||||
https://reuse.coulomb.social/v1/webhooks/forgejo \
|
||||
-H "Content-Type: application/json" -d '{}'
|
||||
```
|
||||
|
||||
Live status (2026-07-07): org webhook id `1` on `coulomb` →
|
||||
`https://reuse.coulomb.social/v1/webhooks/forgejo`, push events only.
|
||||
|
||||
## Browser landing page
|
||||
|
||||
|
|
@ -71,15 +138,10 @@ the API service.
|
|||
|
||||
```bash
|
||||
# 1. Pin image tag in helm/reuse-surface-values.yaml
|
||||
# 2. Create secret (example — use SOPS handoff in production)
|
||||
kubectl create namespace reuse --dry-run=client -o yaml | kubectl apply -f -
|
||||
kubectl create secret generic reuse-surface-env \
|
||||
--namespace reuse \
|
||||
--from-literal=REUSE_SURFACE_TOKEN='<token>' \
|
||||
--dry-run=client -o yaml | kubectl apply -f -
|
||||
|
||||
# Production (Railiance01, defaults to ~/.kube/config-hosteurope)
|
||||
# 2. Ensure reuse-surface-env has both keys (see Runtime secrets above)
|
||||
# 3. Production (Railiance01, defaults to ~/.kube/config-hosteurope)
|
||||
make reuse-deploy
|
||||
make reuse-forgejo-webhook # after webhook secret is in the cluster Secret
|
||||
make reuse-status
|
||||
|
||||
# Restore kubeconfig from the node if missing:
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue