From d072d7e2c2ed114b26be5a5a4f30d35e76b4cbc4 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Wed, 17 Jun 2026 10:54:14 +0000 Subject: [PATCH] =?UTF-8?q?fix(canon):=20de-enroll=20keycloak=20(live-warm?= =?UTF-8?q?=20OIDC=20provider)=20=E2=80=94=20=C2=A72.B=20exception?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit keycloak is the always-on shared OIDC dep provider at warm-keycloak.ci..., the SAME stable domain a data-warm canonical would use → the sweep's promote would collide with the live provider that lasuite-*/drone depend on. keycloak is kept current by roll_warm_infra (WC1.1) instead. WARM_CANONICAL=False; exception recorded in DECISIONS. Enrolled set now 20. Co-Authored-By: Claude Opus 4.8 --- machine-docs/DECISIONS.md | 13 +++++++++++++ tests/keycloak/recipe_meta.py | 10 +++++++--- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/machine-docs/DECISIONS.md b/machine-docs/DECISIONS.md index 5372426..5b7f15c 100644 --- a/machine-docs/DECISIONS.md +++ b/machine-docs/DECISIONS.md 
@@ -1490,3 +1490,16 @@ but stays well within the ≤90 s budget. Acceptable. nixos-rebuild. Sweep-logic now ships via a checkout pull (no store rebuild needed for logic-only). - **All 21 used-recipes enrolled (§2.B); cadence weekly (§2.F).** The enroll set is exactly `cc-ci-plan/used-recipes.md`; test fixtures stay unenrolled. + +## Phase canon (2026-06-17) — enrollment exception: keycloak + +**keycloak is NOT enrolled as a data-warm canonical (WARM_CANONICAL=False), by exception (§2.B).** +keycloak is the project's LIVE-WARM OIDC dep provider: an always-on shared service at +`warm-keycloak.ci.commoninternet.net` (warm_reconcile SPECS["keycloak"]) that lasuite-docs/-drive/ +-meet and drone consume for SSO. A data-warm canonical uses that SAME stable warm domain, so the +sweep's promote (deploy/teardown at warm-keycloak) would collide with — and could disrupt — the live +provider. keycloak is instead kept at latest by the sweep's **roll_warm_infra** step (the health-gated +warm/infra reconciler, WC1.1, run before the per-recipe loop), so it has full coverage without a +data-warm canonical. Verified live: a sweep keycloak-promote attempt FAILed cleanly (recipe compose +mismatch) and left the running live keycloak healthy (200 on /realms/master) — no disruption — but the +collision is structural, so keycloak is de-enrolled rather than relying on the promote failing safely. diff --git a/tests/keycloak/recipe_meta.py b/tests/keycloak/recipe_meta.py index b9eefa7..afd1bf8 100644 --- a/tests/keycloak/recipe_meta.py +++ b/tests/keycloak/recipe_meta.py 
@@ -7,6 +7,10 @@ DEPLOY_TIMEOUT = ( ) HTTP_TIMEOUT = 900 -# canon §2.B: enroll as a DATA-WARM canonical (all recipes enrolled — operator 2026-06-17). -# The weekly sweep promotes this recipe's canonical to its latest green RELEASE TAG. -WARM_CANONICAL = True +# canon §2.B EXCEPTION (recorded in DECISIONS): keycloak is NOT a data-warm canonical. It is the +# project's LIVE-WARM OIDC dep provider — an always-on shared service at the SAME stable domain a +# data-warm canonical would use (warm-keycloak.ci.commoninternet.net). Enrolling it would make the +# sweep's promote deploy/teardown collide with the live provider that lasuite-*/drone depend on for +# SSO. keycloak is instead kept current by the sweep's roll_warm_infra step (the health-gated +# warm/infra reconciler, WC1.1) — so it never lacks coverage. WARM_CANONICAL stays False. +WARM_CANONICAL = False
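Review bot: the DECISIONS.md hunk leaves the bullet directly above the new entry, "**All 21 used-recipes enrolled (§2.B); cadence weekly (§2.F).** The enroll set is exactly `cc-ci-plan/used-recipes.md`", untouched, so the file now contradicts both itself and the commit message ("Enrolled set now 20"). Either amend that bullet to "20 of 21 used-recipes enrolled; keycloak excepted (see below)" or have the new "Phase canon (2026-06-17)" entry state the resulting count and the rule it implies: a used-recipe that is also a warm_reconcile SPECS provider on the same stable warm domain is never a data-warm canonical. The entry also records that the collision is "structural" but names no check that enforces the exception beyond this one recipe's flag; note where that guard lives (or that it is still missing) so the next enrollment sweep does not silently flip keycloak back.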
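Review bot: in the recipe_meta.py hunk the closing sentence "WARM_CANONICAL stays False" is misleading, since the hunk itself flips the value from True to False; say "WARM_CANONICAL must remain False" (or "is False by exception") so a reader of the file is not led to think the flag was never enabled. More substantively, a single module constant is the only thing standing between the sweep's promote (deploy/teardown at warm-keycloak.ci.commoninternet.net) and the live provider that lasuite-*/drone depend on for SSO; the commit message itself calls the collision structural and says the safe outcome so far was an incidental compose mismatch. Consider adding the structural guard in the sweep rather than here: before promoting, refuse any recipe whose canonical warm domain matches a warm_reconcile SPECS entry, and add a test asserting that keycloak's WARM_CANONICAL is False, so a future "enroll everything" pass fails loudly instead of reintroducing the collision.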