make application run in ske-starter-kit

.gitignore

@@ -20,6 +20,8 @@ yarn-error.log*
 *tfvars*
 .terraform.lock.hcl
 .env
+__pycache__/
+*.pyc
 
 # Generated assets
 website/public/assets/building-block-logos/

modules/ske/forgejo-connector/buildingblock/README.md

@@ -45,7 +45,9 @@ the backplane module's `config_tf` output.
 
 | Name | Version |
 |------|---------|
+| <a name="requirement_external"></a> [external](#requirement\_external) | ~> 2.3.0 |
 | <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | 2.35.1 |
+| <a name="requirement_restapi"></a> [restapi](#requirement\_restapi) | 3.0.0 |
 
 ## Modules
 
@@ -55,27 +57,32 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [forgejo_repository_action_secret.additional](https://registry.terraform.io/providers/svalabs/forgejo/latest/docs/resources/repository_action_secret) | resource |
-| [forgejo_repository_action_secret.container_registry](https://registry.terraform.io/providers/svalabs/forgejo/latest/docs/resources/repository_action_secret) | resource |
-| [forgejo_repository_action_secret.kubeconfig](https://registry.terraform.io/providers/svalabs/forgejo/latest/docs/resources/repository_action_secret) | resource |
+| [forgejo_repository_action_secret.this](https://registry.terraform.io/providers/svalabs/forgejo/latest/docs/resources/repository_action_secret) | resource |
+| [kubernetes_cluster_role.clusterissuer_reader](https://registry.terraform.io/providers/hashicorp/kubernetes/2.35.1/docs/resources/cluster_role) | resource |
 | [kubernetes_cluster_role_binding.forgejo_actions_clusterissuer_access](https://registry.terraform.io/providers/hashicorp/kubernetes/2.35.1/docs/resources/cluster_role_binding) | resource |
+| [kubernetes_default_service_account.namespace_default](https://registry.terraform.io/providers/hashicorp/kubernetes/2.35.1/docs/resources/default_service_account) | resource |
 | [kubernetes_role_binding.forgejo_actions](https://registry.terraform.io/providers/hashicorp/kubernetes/2.35.1/docs/resources/role_binding) | resource |
+| [kubernetes_secret.additional](https://registry.terraform.io/providers/hashicorp/kubernetes/2.35.1/docs/resources/secret) | resource |
 | [kubernetes_secret.forgejo_actions](https://registry.terraform.io/providers/hashicorp/kubernetes/2.35.1/docs/resources/secret) | resource |
 | [kubernetes_secret.image_pull](https://registry.terraform.io/providers/hashicorp/kubernetes/2.35.1/docs/resources/secret) | resource |
 | [kubernetes_service_account.forgejo_actions](https://registry.terraform.io/providers/hashicorp/kubernetes/2.35.1/docs/resources/service_account) | resource |
-| [forgejo_repository.this](https://registry.terraform.io/providers/svalabs/forgejo/latest/docs/data-sources/repository) | data source |
+| [random_string.clusterissuer_reader_name_suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
+| [restapi_object.action_variable](https://registry.terraform.io/providers/Mastercard/restapi/3.0.0/docs/resources/object) | resource |
+| [terraform_data.await_pipeline_workflow](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
+| [external_external.repository_context](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_additional_environment_variables"></a> [additional\_environment\_variables](#input\_additional\_environment\_variables) | Map of additional environment variable key/value pairs to set as Forgejo repository action secrets. | `map(string)` | `{}` | no |
-| <a name="input_forgejo_repository_name"></a> [forgejo\_repository\_name](#input\_forgejo\_repository\_name) | The name of the Forgejo repository. | `string` | n/a | yes |
-| <a name="input_forgejo_repository_owner"></a> [forgejo\_repository\_owner](#input\_forgejo\_repository\_owner) | The owner of the Forgejo repository. | `string` | n/a | yes |
+| <a name="input_additional_kubernetes_secrets"></a> [additional\_kubernetes\_secrets](#input\_additional\_kubernetes\_secrets) | Additional Kubernetes secrets to create in the tenant namespace. Map keys are secret names, values are secret data maps. | `map(map(string))` | `{}` | no |
+| <a name="input_app_hostname"></a> [app\_hostname](#input\_app\_hostname) | Public application hostname for this stage (used by deploy workflow and ingress). | `string` | n/a | yes |
 | <a name="input_harbor_host"></a> [harbor\_host](#input\_harbor\_host) | The URL of the Harbor registry. | `string` | `"https://registry.onstackit.cloud"` | no |
 | <a name="input_harbor_password"></a> [harbor\_password](#input\_harbor\_password) | The password for the Harbor registry. | `string` | n/a | yes |
 | <a name="input_harbor_username"></a> [harbor\_username](#input\_harbor\_username) | The username for the Harbor registry. | `string` | n/a | yes |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | Associated namespace in kubernetes cluster. | `string` | n/a | yes |
+| <a name="input_repository_id"></a> [repository\_id](#input\_repository\_id) | The ID of the Forgejo repository. | `number` | n/a | yes |
+| <a name="input_stage"></a> [stage](#input\_stage) | Deployment stage used for Forgejo workflow dispatch and action secret naming. | `string` | n/a | yes |
 
 ## Outputs
 

modules/ske/forgejo-connector/buildingblock/forgejo.tf

@@ -1,55 +1,111 @@
+provider "forgejo" {
+  # configured via env variables FORGEJO_HOST, FORGEJO_API_TOKEN
+}
+
+provider "restapi" {
+  uri                  = data.external.repository_context.result.forgejo_host
+  write_returns_object = false
+
+  headers = {
+    Authorization = "token ${data.external.repository_context.result.forgejo_api_token}"
+    Content-Type  = "application/json"
+  }
+}
+
+data "external" "repository_context" {
+  program = ["python3", "${path.module}/get_forgejo_repository_context.py"]
+
+  query = {
+    FORGEJO_REPOSITORY_ID = tostring(var.repository_id)
+  }
+}
+
 locals {
-  kubeconfig_user = {
-    users = [
-      {
-        name = kubernetes_service_account.forgejo_actions.metadata[0].name
-        user = {
-          "token" = kubernetes_secret.forgejo_actions.data.token
+  repository_owner = data.external.repository_context.result.owner
+  repository_name  = data.external.repository_context.result.name
+
+  action_secret = {
+    "KUBECONFIG_${upper(var.stage)}" = yamlencode(merge(local.kubeconfig, {
+      current-context = local.kubeconfig_cluster_name
+
+      users = [
+        {
+          name = kubernetes_service_account.forgejo_actions.metadata[0].name
+          user = {
+            "token" = kubernetes_secret.forgejo_actions.data.token
+          }
         }
-      }
-    ]
-
-    contexts = [
-      {
-        name = "stackit_k8s"
-        context = {
-          cluster   = "stackit_k8s"
-          namespace = var.namespace
-          user      = kubernetes_service_account.forgejo_actions.metadata[0].name
+      ]
+
+      contexts = [
+        {
+          name = local.kubeconfig_cluster_name
+          context = {
+            cluster   = local.kubeconfig_cluster_name
+            namespace = var.namespace
+            user      = kubernetes_service_account.forgejo_actions.metadata[0].name
+          }
         }
-      }
-    ]
+      ]
+    }))
+  }
+
+  action_variable = {
+    "K8S_NAMESPACE_${upper(var.stage)}" = var.namespace
+    "APP_HOSTNAME_${upper(var.stage)}"  = var.app_hostname
   }
-  kubeconfig = merge(local.stackit_kubeconfig_stub, local.kubeconfig_user)
 }
 
-data "forgejo_repository" "this" {
-  name  = var.forgejo_repository_name
-  owner = var.forgejo_repository_owner
+resource "forgejo_repository_action_secret" "this" {
+  for_each = local.action_secret
+
+  repository_id = var.repository_id
+  name          = each.key
+  data          = each.value
 }
 
-resource "forgejo_repository_action_secret" "kubeconfig" {
-  repository_id = data.forgejo_repository.this.id
-  name          = "KUBECONFIG"
-  data          = yamlencode(local.kubeconfig)
+resource "restapi_object" "action_variable" {
+  for_each = local.action_variable
+
+  path          = "/api/v1/repos/${local.repository_owner}/${local.repository_name}/actions/variables/${each.key}"
+  id_attribute  = "name"
+  object_id     = each.key
+  update_method = "PUT"
+  data = jsonencode({
+    value = each.value
+  })
+  ignore_server_additions = true
 }
 
-resource "forgejo_repository_action_secret" "container_registry" {
-  for_each = {
-    HOST     = var.harbor_host
-    USERNAME = var.harbor_username
-    PASSWORD = var.harbor_password
-  }
+resource "terraform_data" "await_pipeline_workflow" {
+  depends_on = [
+    forgejo_repository_action_secret.this,
+    restapi_object.action_variable,
+  ]
 
-  repository_id = data.forgejo_repository.this.id
-  name          = "STACKIT_HARBOR_${each.key}"
-  data          = each.value
+  triggers_replace = [
+    sha256(file("${path.module}/trigger_and_await_forgejo_workflow.py")),
+    nonsensitive(sha256(jsonencode(local.action_secret))),
+    sha256(jsonencode(local.action_variable)),
+  ]
+
+  provisioner "local-exec" {
+    command = "${path.module}/trigger_and_await_forgejo_workflow.py"
+    environment = {
+      REPOSITORY_ID               = tostring(var.repository_id)
+      WORKFLOW_NAME               = "pipeline.yaml"
+      WORKFLOW_ONLY_STAGE         = var.stage
+      EXPECTED_WORKFLOW_TASK_NAME = "deploy_${var.stage}"
+    }
+  }
 }
 
-resource "forgejo_repository_action_secret" "additional" {
-  for_each = var.additional_environment_variables
+moved {
+  from = forgejo_repository_action_secret.action_secrets
+  to   = forgejo_repository_action_secret.this
+}
 
-  repository_id = data.forgejo_repository.this.id
-  name          = each.key
-  data          = each.value
-}
+moved {
+  from = restapi_object.action_variables
+  to   = restapi_object.action_variable
+}

modules/ske/forgejo-connector/buildingblock/get_forgejo_repository_context.py

@@ -0,0 +1,45 @@
+#!/usr/bin/env python3
+
+import json
+import os
+import sys
+import urllib.request
+
+
+def normalize_host(raw_host: str) -> str:
+    host = raw_host.strip()
+    if not host.startswith(("https://", "http://")):
+        host = f"https://{host}"
+    return host.rstrip("/")
+
+
+def main() -> None:
+    query = json.loads(sys.stdin.read())
+
+    forgejo_host = normalize_host(os.environ["FORGEJO_HOST"])
+    forgejo_api_token = os.environ["FORGEJO_API_TOKEN"]
+    repository_id = query["FORGEJO_REPOSITORY_ID"]
+
+    req = urllib.request.Request(
+        f"{forgejo_host}/api/v1/repositories/{repository_id}",
+        headers={"Authorization": f"token {forgejo_api_token}", "Content-Type": "application/json"},
+        method="GET",
+    )
+    with urllib.request.urlopen(req, timeout=30) as resp:
+        payload = json.loads(resp.read().decode("utf-8"))
+
+    print(
+        json.dumps(
+            {
+                "forgejo_host": forgejo_host,
+                "forgejo_api_token": forgejo_api_token,
+                "owner": payload["owner"]["username"],
+                "name": payload["name"],
+                "default_branch": payload.get("default_branch", "main"),
+            }
+        )
+    )
+
+
+if __name__ == "__main__":
+    main()