recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(keycloak): collision-free canonical domain for live-warm providers; enroll keycloak

Browse Source 
canonical_domain() routes any recipe in warm.WARM_DOMAINS (keycloak) to a distinct warm-canon-<recipe>
domain so the data-warm canonical promote can never collide with the live-warm OIDC provider at
warm-keycloak. keycloak WARM_CANONICAL=True (full canonical coverage without risking live SSO).
This commit is contained in:
autonomic-bot
2026-06-18 01:58:16 +00:00
parent c742f9adc4
commit 61211dba70
2 changed files with 20 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
runner/harness/canonical.py
View File

@ -40,7 +40,17 @@ def is_enrolled(recipe: str) -> bool:
def canonical_domain(recipe: str) -> str: def canonical_domain(recipe: str) -> str:
"""Stable data-warm domain for the recipe's canonical.""" """Stable data-warm domain for the recipe's canonical.
For a recipe that is ALSO a live-warm provider (in `warm.WARM_DOMAINS` — e.g. keycloak, whose
always-on shared OIDC instance lives at `warm-keycloak…`), the data-warm canonical MUST use a
DISTINCT domain: otherwise the sweep's promote deploy/teardown at `warm-<recipe>` collides with —
and could disrupt — the live shared service that other recipes (lasuite-*/drone) depend on. Give
those recipes a collision-free `warm-canon-<recipe>` namespace (a separate stack/domain that can
never touch the live provider); every other recipe keeps the plain `warm-<recipe>` scheme
(zero blast radius on the 15 existing canonicals)."""
if recipe in warm.WARM_DOMAINS:
return f"warm-canon-{recipe}.ci.commoninternet.net"
return warm.stable_domain(recipe) return warm.stable_domain(recipe)

16
tests/keycloak/recipe_meta.py
View File

@ -7,10 +7,12 @@ DEPLOY_TIMEOUT = (
) )
HTTP_TIMEOUT = 900 HTTP_TIMEOUT = 900
# canon §2.B EXCEPTION (recorded in DECISIONS): keycloak is NOT a data-warm canonical. It is the # phase redfix: keycloak IS now a data-warm canonical. The original canon §2.B exception de-enrolled
# project's LIVE-WARM OIDC dep provider — an always-on shared service at the SAME stable domain a # it because its canonical would have used the SAME domain as the live-warm OIDC provider
# data-warm canonical would use (warm-keycloak.ci.commoninternet.net). Enrolling it would make the # (warm-keycloak.ci.commoninternet.net), so the sweep's promote deploy/teardown would collide with the
# sweep's promote deploy/teardown collide with the live provider that lasuite-*/drone depend on for # live service lasuite-*/drone depend on. That collision is now structurally impossible:
# SSO. keycloak is instead kept current by the sweep's roll_warm_infra step (the health-gated # `canonical.canonical_domain()` routes any recipe in `warm.WARM_DOMAINS` (keycloak) to a distinct
# warm/infra reconciler, WC1.1) — so it never lacks coverage. WARM_CANONICAL stays False. # `warm-canon-<recipe>` domain/stack, so the data-warm canonical and the live-warm provider are
WARM_CANONICAL = False # separate deployments that can never touch each other. keycloak therefore gets full data-warm
# canonical coverage (a real promote on its latest release) without risking the live OIDC service.
WARM_CANONICAL = True