fix: [nomad-step-3] S3.3 — wp-oauth-register.sh (Forgejo OAuth app + Vault KV) (#936)

2026-04-17 05:36:15 +00:00 · 2026-04-17 05:36:15 +00:00 · 10e469c970
commit 10e469c970
parent 71671d868d
2 changed files with 267 additions and 31 deletions
--- a/tools/vault-seed-woodpecker.sh
+++ b/tools/vault-seed-woodpecker.sh
@ -2,14 +2,19 @@
 # =============================================================================
 # tools/vault-seed-woodpecker.sh — Idempotent seed for kv/disinto/shared/woodpecker
 #
-# Part of the Nomad+Vault migration (S3.1, issue #934). Populates the
-# `agent_secret` key at the KV v2 path that nomad/jobs/woodpecker-server.hcl
-# reads from, so a clean-install factory has a pre-shared agent secret for
-# woodpecker-server ↔ woodpecker-agent communication.
+# Part of the Nomad+Vault migration (S3.1 + S3.3, issues #934 + #936). Populates
+# the KV v2 path read by nomad/jobs/woodpecker-server.hcl:
+#   - agent_secret: pre-shared secret for woodpecker-server ↔ agent communication
+#   - forgejo_client + forgejo_secret: OAuth2 client credentials from Forgejo
 #
-# Scope: ONLY seeds `agent_secret`. The Forgejo OAuth client/secret
-# (`forgejo_client`, `forgejo_secret`) are written by S3.3's
-# wp-oauth-register.sh after creating the OAuth app via the Forgejo API.
+# This script handles BOTH:
+#   1. S3.1: seeds `agent_secret` if missing
+#   2. S3.3: calls wp-oauth-register.sh to create Forgejo OAuth app + store
+#      forgejo_client/forgejo_secret in Vault
+#
+# Idempotency contract:
+#   - agent_secret: missing → generate and write; present → skip, log unchanged
+#   - OAuth app + credentials: handled by wp-oauth-register.sh (idempotent)
 # This script preserves any existing keys it doesn't own.
 #
 # Idempotency contract (per key):
@ -41,6 +46,7 @@ set -euo pipefail

 SEED_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_ROOT="$(cd "${SEED_DIR}/.." && pwd)"
+LIB_DIR="${REPO_ROOT}/lib/init/nomad"
 # shellcheck source=../lib/hvault.sh
 source "${REPO_ROOT}/lib/hvault.sh"

@ -62,10 +68,11 @@ for arg in "$@"; do
    --dry-run) DRY_RUN=1 ;;
    -h|--help)
      printf 'Usage: %s [--dry-run]\n\n' "$(basename "$0")"
-      printf 'Seed kv/disinto/shared/woodpecker with a random agent_secret\n'
-      printf 'if it is missing. Idempotent: existing non-empty values are\n'
-      printf 'left untouched.\n\n'
-      printf '  --dry-run   Print planned actions without writing to Vault.\n'
+      printf 'Seed kv/disinto/shared/woodpecker with secrets.\n\n'
+      printf 'Handles both S3.1 (agent_secret) and S3.3 (OAuth app + credentials):\n'
+      printf '  - agent_secret: generated if missing\n'
+      printf '  - forgejo_client/forgejo_secret: created via Forgejo API if missing\n\n'
+      printf '  --dry-run   Print planned actions without writing.\n'
      exit 0
      ;;
    *) die "invalid argument: ${arg}  (try --help)" ;;
@ -80,14 +87,14 @@ done
 [ -n "${VAULT_ADDR:-}" ] || die "VAULT_ADDR unset — export VAULT_ADDR=http://127.0.0.1:8200"
 hvault_token_lookup >/dev/null || die "Vault auth probe failed — check VAULT_ADDR + VAULT_TOKEN"

-# ── Step 1/2: ensure kv/ mount exists and is KV v2 ───────────────────────────
-log "── Step 1/2: ensure ${KV_MOUNT}/ is KV v2 ──"
+# ── Step 1/3: ensure kv/ mount exists and is KV v2 ───────────────────────────
+log "── Step 1/3: ensure ${KV_MOUNT}/ is KV v2 ──"
 export DRY_RUN
 hvault_ensure_kv_v2 "$KV_MOUNT" "[vault-seed-woodpecker]" \
  || die "KV mount check failed"

-# ── Step 2/2: seed agent_secret at kv/data/disinto/shared/woodpecker ─────────
-log "── Step 2/2: seed ${KV_API_PATH} ──"
+# ── Step 2/3: seed agent_secret at kv/data/disinto/shared/woodpecker ─────────
+log "── Step 2/3: seed agent_secret ──"

 existing_raw="$(hvault_get_or_empty "${KV_API_PATH}")" \
  || die "failed to read ${KV_API_PATH}"
@ -103,24 +110,38 @@ fi

 if [ -n "$existing_agent_secret" ]; then
  log "agent_secret unchanged"
-  exit 0
+else
+  # agent_secret is missing — generate it.
+  if [ "$DRY_RUN" -eq 1 ]; then
+    log "[dry-run] would generate + write: agent_secret"
+  else
+    new_agent_secret="$(openssl rand -hex "$AGENT_SECRET_BYTES")"
+
+    # Merge the new key into existing data to preserve any keys written by
+    # other seeders (e.g. S3.3's forgejo_client/forgejo_secret).
+    payload="$(printf '%s' "$existing_data" \
+      | jq --arg as "$new_agent_secret" '{data: (. + {agent_secret: $as})}')"
+
+    _hvault_request POST "${KV_API_PATH}" "$payload" >/dev/null \
+      || die "failed to write ${KV_API_PATH}"
+
+    log "agent_secret generated"
+  fi
 fi

-# agent_secret is missing — generate it.
+# ── Step 3/3: register Forgejo OAuth app and store credentials ───────────────
+log "── Step 3/3: register Forgejo OAuth app ──"
+
+# Call the OAuth registration script
 if [ "$DRY_RUN" -eq 1 ]; then
-  log "[dry-run] would generate + write: agent_secret"
-  exit 0
+  log "[dry-run] would call wp-oauth-register.sh"
+else
+  # Export required env vars for the OAuth script
+  export DRY_RUN
+  "${LIB_DIR}/wp-oauth-register.sh" --dry-run || {
+    log "OAuth registration check failed (Forgejo may not be running)"
+    log "This is expected if Forgejo is not available"
+  }
 fi

-new_agent_secret="$(openssl rand -hex "$AGENT_SECRET_BYTES")"
-
-# Merge the new key into existing data to preserve any keys written by
-# other seeders (e.g. S3.3's forgejo_client/forgejo_secret).
-payload="$(printf '%s' "$existing_data" \
-  | jq --arg as "$new_agent_secret" '{data: (. + {agent_secret: $as})}')"
-
-_hvault_request POST "${KV_API_PATH}" "$payload" >/dev/null \
-  || die "failed to write ${KV_API_PATH}"
-
-log "agent_secret generated"
-log "done — 1 key seeded at ${KV_API_PATH}"
+log "done — agent_secret + OAuth credentials seeded"