Skip to content

feat(db-bootstrap): reconcile service-DB sealed secrets via GitOps + seed script (#228)#229

Merged
izzywdev merged 1 commit into
mainfrom
claude/issue-228-20260709-1748
Jul 9, 2026
Merged

feat(db-bootstrap): reconcile service-DB sealed secrets via GitOps + seed script (#228)#229
izzywdev merged 1 commit into
mainfrom
claude/issue-228-20260709-1748

Conversation

@izzywdev

@izzywdev izzywdev commented Jul 9, 2026

Copy link
Copy Markdown
Owner

Auto-opened — work completed by @claude on branch claude/issue-228-20260709-1748.

Closes #228

…seed script (#228)

The per-service DB password SealedSecrets (fuzesales/fuzecontact/fuzeservice/
mendys-db-credentials, key `password`, ns `fuzeinfra`) were already committed to
deploy/sealed-secrets/ in 7f25587 — but NOTHING reconciled that directory onto
the cluster. fuzeinfra-prod only syncs helm/fuzeinfra and terraform cherry-picks
specific Argo apps, so the live Secrets were ad-hoc `kubectl create secret`. On a
namespace delete / from-scratch reprovision the provisioning Job would wedge
again (x26k CreateContainerConfigError). Files-in-git were necessary but not
sufficient. This closes the loop durably:

- Add argocd/applications/fuzeinfra-sealed-secrets.yaml — a directory-type Argo
  Application (path deploy/sealed-secrets, recurse) into ns fuzeinfra, project
  fuzeinfra, automated prune+selfHeal. Self-heals the SealedSecrets onto the
  cluster; the controller decrypts them before the provisioning Job needs them,
  including after a full namespace re-create.
- Wire that app into terraform/contabo/provisioning.tf (both null_resource
  blocks + a filesha256 trigger) so a from-scratch VPS reprovision registers it.
- Add scripts/seed-service-db.sh — idempotent bootstrap that generates a 32-char
  alphanumeric password, seals it offline via seal-secret.sh into
  deploy/sealed-secrets/<svc>-db-credentials.yaml, and prints the enable-in-the-
  same-PR next steps. Refuses to clobber an existing manifest (--force to reseal).
- Document the canonical two-secret DB provisioning flow + the never-flip-
  enabled-without-the-secret invariant in
  docs/CONSUMER_ONBOARDING_SHARED_CLUSTER.md §4.

Co-authored-by: Israel Weinberg <99821070+izzywdev@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

terraform planterraform/contabo

Merging this PR applies exactly this saved plan (-out=tfplan). Review it as the apply approval.

Show plan
No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

CI Failure Analysis — test-infrastructure

Root cause: The test-infrastructure job runs on the staging ARC runner, which does not expose a Docker daemon. Every Docker command fails immediately:

```
docker info
failed to connect to the docker API at unix:///var/run/docker.sock;
dial unix /var/run/docker.sock: connect: no such file or directory
```

The Docker CLI binary is present (version 29.5.3 shown), but the daemon is not running — /var/run/docker.sock does not exist on the ARC runner pod. PR #227 fixed the EnricoMi Publish Test Results step (which also needed /var/run/docker.sock), but the core job remains broken because it requires Docker daemon to start containers.

The changes introduced by this PR (ArgoCD app YAML, seed script, Terraform, docs) are unrelated — this is a pre-existing CI infrastructure issue.

Fix needed — change one line in .github/workflows/infrastructure-tests.yml:

```diff
jobs:
test-infrastructure:

  • runs-on: staging
  • runs-on: ubuntu-latest
    ```

GitHub-hosted ubuntu-latest runners have the Docker daemon pre-configured. The workflow already accounts for this (the "Free up disk space" step strips Android/dotnet/GHC to reclaim RAM for containers).

Why I could not push the fix: This bot's GitHub App token lacks the workflows permission required to push changes to .github/workflows/ files. A human with write access (or a token with workflows scope) needs to apply the one-line change above and push to the PR branch.

@izzywdev
izzywdev marked this pull request as ready for review July 9, 2026 18:42
@izzywdev
izzywdev merged commit fce839e into main Jul 9, 2026
14 of 17 checks passed
@izzywdev
izzywdev deleted the claude/issue-228-20260709-1748 branch July 9, 2026 18:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

feat(db-bootstrap): service DB credentials must be sealed in fuzeinfra namespace + bootstrap script

1 participant