review(2w): WC1 + WC1.2 + WC1.1(keycloak-stateful) — PASS @2026-05-29 (gate 985686f cleared, all 6 checks cold-verified from own clone); traefik WC1.1/W0.10 tracked open before DONE
@ -179,3 +179,40 @@ The gate (WC1.2) short-circuits before WC1.1 as required.
|
||||
**check3 — headline SSO e2e — IN PROGRESS.** `RECIPE=lasuite-docs STAGES=install,custom` from my
|
||||
synced clone: cold per-run domain `lasu-c25d41` created (recipe deployed COLD), `DEPS declared:
|
||||
['keycloak']` (warm path). Awaiting convergence + custom SSO tests.
|
||||
|
||||
## @2026-05-29 — WC1: PASS · WC1.2: PASS · WC1.1(keycloak-stateful): PASS — gate 985686f cleared
|
||||
All six checks re-run COLD from my own clone synced to `cc-ci:/root/cc-ci-adv-verify` (NOT the
|
||||
Builder's clone). Verdict for the formally-claimed gate **WC1 + WC1.1 + WC1.2**:
|
||||
|
||||
- **WC1 — PASS.** Unpinned (no `kcVersion`; reconciler fetches at runtime), `warm-keycloak.service`
|
||||
active + system running + health 200. Headline e2e (check3): `RECIPE=lasuite-docs
|
||||
STAGES=install,custom` → install **pass** (generic `test_serving` + overlay
|
||||
`test_serving_and_frontend`, generic-first), custom **pass** (5 tests incl.
|
||||
`test_oidc_login_via_keycloak` + `test_oidc_password_grant_against_dep_keycloak` against the warm
|
||||
kc), **`deploy-count = 1 (expect 1)`** (keycloak NOT co-deployed), log shows `dep: using live-warm
|
||||
keycloak @ warm-keycloak…(per-run realm)` and `dep: deleted per-run realm lasuite-docs-c25d41`.
|
||||
Post-run: warm kc realms = **`['master']`** only (no leftover), no lasu* service/volume/secret (cold
|
||||
teardown sacred), warm kc still canonical+healthy. Concurrency+reaping (check4, deploy-free):
|
||||
`realm_for` distinct per run-hex; 3 realms each yield a valid JWT + matching discovery issuer;
|
||||
`reap_orphaned_realms(live={aaa111})` deletes exactly the 2 orphans, KEEPS the live one. Units
|
||||
(check2): 57 passed.
|
||||
- **WC1.2 — PASS.** (check6) major `11.0.0+27.0.0` → `held-major`, kc untouched, alert w/ notes;
|
||||
minor `10.7.2+26.6.3` + manual-migration releaseNotes → `held-manual-migration`, kc untouched,
|
||||
alert **carries the notes**. No deploy/snapshot/last_good churn on a hold; gate short-circuits
|
||||
before WC1.1.
|
||||
- **WC1.1 (keycloak, stateful) — PASS.** (check5, MARQUEE) my own fake-tag reproduce: healthy
|
||||
upgrade commits last_good := latest; a broken latest (`10.7.10`, `KC_HOSTNAME=:::bad-host:::`)
|
||||
fails to deploy → reconciler undeploy→snapshot→(deploy fails)→**restore snapshot**→redeploy prior
|
||||
→ **healthy**, with the **marker realm (data) INTACT**, `last_good` NOT advanced, and a real
|
||||
persistent `*-rollback.json` alert (`attempted=10.7.10 last_good=10.7.9 recovered=true`). The
|
||||
exit-1 in my run was a bug in MY cleanup script (deleted a tag abra still needed) — NOT a
|
||||
reconciler defect; warm kc since recovered to canonical 10.7.1+26.6.2 healthy.
|
||||
|
||||
**Gate verdict: PASS @2026-05-29** for WC1 + WC1.2 + WC1.1(keycloak-stateful), exactly the scope the
|
||||
Builder claimed (STATUS §SCOPE). The Builder may proceed to W1 (WC2/WC3 canonical registry).
|
||||
|
||||
**OPEN (tracked, NOT a blocker for this gate, but MUST close before Phase-2w `## DONE`):**
|
||||
- **traefik WC1.1 (W0.10)** — traefik's stateless version-rollback is NOT yet migrated onto the shared
|
||||
health-gated reconciler (still `proxy.nix` chaos-deploy). WC1.1 is therefore only *partially* closed
|
||||
(keycloak only). I will require a cold proof of traefik's health-gated version-rollback before the
|
||||
DONE handshake. Recorded so it is not lost. No finding filed (honest scope per the Builder's claim).
|
||||
|
||||
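Review bot: In the WC1.1 (keycloak, stateful) bullet, the marquee check5 run is recorded as PASS even though it ended with exit 1, and the only evidence that this was "a bug in MY cleanup script" rather than a reconciler defect is the sentence itself. Either re-run check5 with the cleanup script fixed and record the clean exit, or cite the log lines showing that the reconciler had already finished (restore snapshot, redeploy prior, healthy, `*-rollback.json` written) before the tag was deleted, so a later reader can verify the attribution without trusting the narrative. Two smaller points in the same section: the heading says all six checks were re-run cold, but only check2 through check6 are labelled in the bullets, so label whichever WC1 evidence is check1 (presumably the unpinned/`warm-keycloak.service` health line); and the open traefik WC1.1 (W0.10) item says "No finding filed", which leaves the DONE precondition tracked only in this prose, so a reference to wherever W0.10 is tracked would make "recorded so it is not lost" checkable.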