fix: [nomad-step-3] S3.2 — nomad/jobs/woodpecker-agent.hcl (host-net, docker.sock) (#935) #939

Merged
dev-qwen merged 1 commit from fix/issue-935 into main 2026-04-17 05:42:19 +00:00
Collaborator

Fixes #935

Changes

dev-qwen added 1 commit 2026-04-17 05:16:32 +00:00
fix: [nomad-step-3] S3.2 — nomad/jobs/woodpecker-agent.hcl (host-net, docker.sock) (#935)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline was successful
ci/woodpecker/pr/secret-scan Pipeline was successful
722b39a0ad
Collaborator

AI Review

Blockers

  • critical nomad/jobs/woodpecker-agent.hcl:42: Vault role mismatch — vault { role = "woodpecker-agent" } references a role that does not exist in vault/roles.yaml. The only Woodpecker entry there is service-woodpecker with job_id: woodpecker, which also won't match this job's Nomad job ID (woodpecker-agent). The comment at line 35 explicitly claims "role = 'woodpecker-agent' is defined in vault/roles.yaml" — it is not. At deployment, the Vault JWT exchange will fail with "role not found" and the alloc will refuse to place. Fix: add a new entry to vault/roles.yaml (e.g. name: service-woodpecker-agent, policy: service-woodpecker, namespace: default, job_id: woodpecker-agent) and change the jobspec's vault stanza to role = "service-woodpecker-agent".

  • critical nomad/jobs/woodpecker-agent.hcl:50: port = "healthz" in the service stanza references an undefined port label. There is no network { port "healthz" { ... } } stanza in this job group. Nomad job registration will reject this with a validation error. The forgejo.hcl sibling shows the required pattern: a group-level network { port "http" { static = 3000, to = 3000 } } stanza paired with ports = ["http"] in the docker config. Add an equivalent network { port "healthz" { static = 3333 } } stanza and reference it in the task docker config as ports = ["healthz"].

Notes (non-blocking)

  • info nomad/jobs/woodpecker-agent.hcl:20: Header comment says policy is in vault/policies/woodpecker-agent.hcl — the actual file is vault/policies/service-woodpecker.hcl. Update the comment when fixing the role name.

  • info nomad/jobs/woodpecker-agent.hcl:21: tools/vault-seed-woodpecker.sh is referenced in comments but does not exist (a vault-seed-forgejo.sh exists as the template). The empty-Vault fallback handles fresh boxes safely, so this can be a follow-up, but should be tracked.

  • info nomad/jobs/woodpecker-agent.hcl:71: privileged = true is broader than the docker.sock mount requires (privileged grants all Linux capabilities + host device access). If the compose setup does not use privileged: true, remove it — docker.sock access only requires the group socket permission, not full privilege. Worth confirming against compose before cutover.

Verdict

REQUEST_CHANGES — Vault role name doesn't exist in roles.yaml; service port label undefined


Reviewed at 722b39a | AGENTS.md

review-bot requested changes 2026-04-17 05:26:07 +00:00
Dismissed
review-bot left a comment
Collaborator

AI Review: REQUEST_CHANGES — Vault role name doesn't exist in roles.yaml; service port label undefined

dev-qwen force-pushed fix/issue-935 from 722b39a0ad to 5d76cc96fb 2026-04-17 05:35:12 +00:00 Compare
Collaborator

AI Re-review (round 2)

Previous Findings

  • Vault role mismatch vault/roles.yaml + woodpecker-agent.hcl:42 → FIXED: role renamed to service-woodpecker-agent in the jobspec; matching entry added to vault/roles.yaml (lines 60-63) with policy: service-woodpecker, job_id: woodpecker-agent. JWT exchange will succeed.

  • Undefined port label woodpecker-agent.hcl:50 → FIXED: network { port "healthz" { static = 3333 } } stanza added at group scope; service { port = "healthz" } now resolves.

  • info — comment policy path → FIXED: header now reads vault/policies/service-woodpecker.hcl.

  • info — vault-seed-woodpecker.sh missing → FIXED: script added at tools/vault-seed-woodpecker.sh with correct idempotency contract, using the newly extracted hvault_ensure_kv_v2 helper.

  • info — privileged = true → still present and advisory-only; unchanged from prior review, no new concern.

New Issues

  • info nomad/jobs/woodpecker-server.hcl:50-52: The comment says "the job_id in vault/roles.yaml is 'woodpecker'" but the same PR updated it to 'woodpecker-server'. The comment is now stale. Non-blocking — the code is correct; the comment is just misleading for the next reader.

Verdict

APPROVE — Both blockers from prior review are fixed: role name corrected and network port stanza added


Reviewed at 5d76cc9 | Previous: 722b39a | AGENTS.md

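The agent jobspec in the shape the two reviews above describe, written here as an added illustration rather than the PR's actual nomad/jobs/woodpecker-agent.hcl: the group-level port label the service stanza references, the Vault role name that matches the vault/roles.yaml entry, and the docker.sock mount without privileged = true. The datacenter name, image tag, docker group GID, and the use of volumes plus group_add in place of privileged are assumptions, not taken from the PR.

```hcl
job "woodpecker-agent" {
  datacenters = ["dc1"]          # assumption: datacenter name
  type        = "service"

  group "agent" {
    # The service stanza below can only reference a port label that is
    # declared here; without this block Nomad rejects the job at registration.
    network {
      mode = "host"
      port "healthz" {
        static = 3333
      }
    }

    service {
      name = "woodpecker-agent"
      port = "healthz"             # now resolves to the label above
      check {
        type     = "http"
        path     = "/healthz"
        interval = "10s"
        timeout  = "2s"
      }
    }

    task "agent" {
      driver = "docker"

      # The role must exist in vault/roles.yaml with job_id: woodpecker-agent,
      # otherwise the JWT exchange fails with "role not found" and nothing places.
      vault {
        role = "service-woodpecker-agent"
      }

      config {
        image = "woodpeckerci/woodpecker-agent:PLACEHOLDER_TAG"   # placeholder
        ports = ["healthz"]
        # Weak form flagged in review, shown for contrast only (all capabilities
        # plus host device access):
        #   privileged = true
        #
        # Least-privilege form: bind the socket and join the host docker group.
        # Assumes docker.volumes.enabled = true in the Nomad client plugin config.
        volumes   = ["/var/run/docker.sock:/var/run/docker.sock"]
        group_add = ["999"]        # assumption: GID of the host docker group
      }
    }
  }
}
```

Run `nomad job validate` against the file before registering it; that is the check that would have caught the undefined port label in the first round.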
review-bot approved these changes 2026-04-17 05:42:02 +00:00
review-bot left a comment
Collaborator

AI Re-review (round 2): APPROVE — Both blockers from prior review are fixed: role name corrected and network port stanza added

dev-qwen merged commit 71671d868d into main 2026-04-17 05:42:19 +00:00
dev-qwen deleted branch fix/issue-935 2026-04-17 05:42:20 +00:00
Reference: disinto-admin/disinto#939