feat(oci): omni-ready deploy + credential-triggered instance replace#41
Merged
Conversation
…ed replace
- Add .github/workflows/deploy.yml: plan on PR, apply on push/dispatch
- Add terraform.tfvars: omni_ready=true, omni_endpoint=omni.wind-bearded.ts.net:8090
- Add terraform_data.omni_credentials: replaces Ampere instances when omni_join_token or tailscale_auth_key changes (sha256 hash triggers)
- Remove prevent_destroy and metadata from ignore_changes on Ampere instances so replacements can propagate new user_data to nodes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… manual variable

Replace the static `vars.TALOS_IMAGE_OCID` GitHub variable with a dynamic fetch from the `oci-talos-gitops-apps/omni/talos-image.yaml` file, which is auto-updated by the talos-images build workflow. This removes the need to manually update a GitHub variable on each Talos upgrade. The deploy workflow now always uses the latest image that was successfully imported into OCI.

Also simplify the apply job: download the pre-built plan artifact and apply it directly (`tofu apply tfplan`) rather than re-running plan with all the same vars.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…04 on lock DELETE

The OCI PAR URL HTTP backend returns 404 when tofu tries to DELETE the lock file after plan completes, causing the CI step to fail even though the plan itself succeeded.

Add -lock=false to both plan and apply commands. Locking is not meaningful in CI: plan and apply run serially in separate jobs, and the plan artifact is the single source of truth between them.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
- `omni_ready=true`, endpoint `omni.wind-bearded.ts.net:8090`
- `terraform_data.omni_credentials`: any change to `OMNI_JOIN_TOKEN` or `TAILSCALE_AUTH_KEY` triggers automatic Ampere instance replacement, baking new credentials into `user_data`
- `prevent_destroy` and `metadata` from `ignore_changes` so replacements are not blocked
- `.github/workflows/deploy.yml`: plan on PR, apply on push to main and `workflow_dispatch`

Secrets required (already set)
- `OMNI_JOIN_TOKEN` ✓
- `TAILSCALE_AUTH_KEY` ✓
- `OCI_USER_OCID`, `OCI_TENANCY_OCID`, `OCI_FINGERPRINT`, `OCI_API_KEY_PEM`, `OCI_COMPARTMENT_OCID` — must exist
- `TALOS_IMAGE_OCID` — GitHub variable (must exist)

Test plan
🤖 Generated with Claude Code
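The credential-triggered replacement described above, written out as an added illustration rather than the PR's own diff. It assumes a `terraform_data` resource keyed on `sha256()` of the two secrets, a `replace_triggered_by` lifecycle rule on the instances, a `user_data.tftpl` template, and placeholder OCI input variables; none of those names are confirmed by the page.

```hcl
variable "omni_join_token" {
  type      = string
  sensitive = true
}
variable "tailscale_auth_key" {
  type      = string
  sensitive = true
}
variable "compartment_ocid"    { type = string }
variable "availability_domain" { type = string }
variable "subnet_ocid"         { type = string }
variable "talos_image_ocid"    { type = string }

# Only a SHA-256 of each secret is recorded as the trigger, so state holds a hash,
# not the raw credential. A rotated token changes the hash and forces replacement.
resource "terraform_data" "omni_credentials" {
  triggers_replace = {
    omni_join_token    = sha256(var.omni_join_token)
    tailscale_auth_key = sha256(var.tailscale_auth_key)
  }
}

resource "oci_core_instance" "ampere" {
  count               = 3
  compartment_id      = var.compartment_ocid
  availability_domain = var.availability_domain
  shape               = "VM.Standard.A1.Flex"
  shape_config {
    ocpus         = 1
    memory_in_gbs = 6
  }
  source_details {
    source_type = "image"
    source_id   = var.talos_image_ocid
  }
  create_vnic_details {
    subnet_id = var.subnet_ocid
  }
  # user_data is how credentials reach the node: keep it out of ignore_changes.
  metadata = {
    user_data = base64encode(templatefile("${path.module}/user_data.tftpl", {
      omni_join_token    = var.omni_join_token
      tailscale_auth_key = var.tailscale_auth_key
    }))
  }
  lifecycle {
    # No prevent_destroy: with it set, the replacement would fail at plan time.
    replace_triggered_by = [terraform_data.omni_credentials]
  }
}
```

Because both inputs are `sensitive`, the plan shows the triggers as `(sensitive value)` while still scheduling the replacement; state still contains the rendered `user_data`, so the remote state backend must be treated as holding the secrets.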