fix(canon): de-enroll keycloak (live-warm OIDC provider) — §2.B exception
All checks were successful
continuous-integration/drone/push Build is passing
keycloak is the always-on shared OIDC dep provider at warm-keycloak.ci..., the SAME stable domain a data-warm canonical would use → the sweep's promote would collide with the live provider that lasuite-*/drone depend on. keycloak is kept current by roll_warm_infra (WC1.1) instead. WARM_CANONICAL=False; exception recorded in DECISIONS. Enrolled set now 20.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@ -1490,3 +1490,16 @@ but stays well within the ≤90 s budget. Acceptable.
|
|||||||
nixos-rebuild. Sweep-logic now ships via a checkout pull (no store rebuild needed for logic-only).
|
nixos-rebuild. Sweep-logic now ships via a checkout pull (no store rebuild needed for logic-only).
|
||||||
- **All 21 used-recipes enrolled (§2.B); cadence weekly (§2.F).** The enroll set is exactly
|
- **All 21 used-recipes enrolled (§2.B); cadence weekly (§2.F).** The enroll set is exactly
|
||||||
`cc-ci-plan/used-recipes.md`; test fixtures stay unenrolled.
|
`cc-ci-plan/used-recipes.md`; test fixtures stay unenrolled.
|
||||||
|
|
||||||
|
## Phase canon (2026-06-17) — enrollment exception: keycloak
|
||||||
|
|
||||||
|
**keycloak is NOT enrolled as a data-warm canonical (WARM_CANONICAL=False), by exception (§2.B).**
|
||||||
|
keycloak is the project's LIVE-WARM OIDC dep provider: an always-on shared service at
|
||||||
|
`warm-keycloak.ci.commoninternet.net` (warm_reconcile SPECS["keycloak"]) that lasuite-docs/-drive/
|
||||||
|
-meet and drone consume for SSO. A data-warm canonical uses that SAME stable warm domain, so the
|
||||||
|
sweep's promote (deploy/teardown at warm-keycloak) would collide with — and could disrupt — the live
|
||||||
|
provider. keycloak is instead kept at latest by the sweep's **roll_warm_infra** step (the health-gated
|
||||||
|
warm/infra reconciler, WC1.1, run before the per-recipe loop), so it has full coverage without a
|
||||||
|
data-warm canonical. Verified live: a sweep keycloak-promote attempt FAILed cleanly (recipe compose
|
||||||
|
mismatch) and left the running live keycloak healthy (200 on /realms/master) — no disruption — but the
|
||||||
|
collision is structural, so keycloak is de-enrolled rather than relying on the promote failing safely.
|
||||||
|
|||||||
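Review bot: The unchanged context bullet at the top of this hunk still reads "All 21 used-recipes enrolled (§2.B)" and says the enroll set is exactly `cc-ci-plan/used-recipes.md`, which the new keycloak exception section contradicts (the commit message puts the enrolled set at 20). Amend that bullet in the same change, for example "20 of 21 used-recipes enrolled; keycloak excepted, see below", so a reader who stops at the bullet does not assume keycloak has a data-warm canonical. The new section also records that the live promote attempt failed only because of a recipe compose mismatch; it would help to state here whether anything other than the WARM_CANONICAL flag now prevents a promote at warm-keycloak.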
@ -7,6 +7,10 @@ DEPLOY_TIMEOUT = (
|
|||||||
)
|
)
|
||||||
HTTP_TIMEOUT = 900
|
HTTP_TIMEOUT = 900
|
||||||
|
|
||||||
# canon §2.B: enroll as a DATA-WARM canonical (all recipes enrolled — operator 2026-06-17).
|
# canon §2.B EXCEPTION (recorded in DECISIONS): keycloak is NOT a data-warm canonical. It is the
|
||||||
# The weekly sweep promotes this recipe's canonical to its latest green RELEASE TAG.
|
# project's LIVE-WARM OIDC dep provider — an always-on shared service at the SAME stable domain a
|
||||||
WARM_CANONICAL = True
|
# data-warm canonical would use (warm-keycloak.ci.commoninternet.net). Enrolling it would make the
|
||||||
|
# sweep's promote deploy/teardown collide with the live provider that lasuite-*/drone depend on for
|
||||||
|
# SSO. keycloak is instead kept current by the sweep's roll_warm_infra step (the health-gated
|
||||||
|
# warm/infra reconciler, WC1.1) — so it never lacks coverage. WARM_CANONICAL stays False.
|
||||||
|
WARM_CANONICAL = False
|
||||||
|
|||||||
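Review bot: The only protection for the live provider in this hunk is `WARM_CANONICAL = False` plus a comment, so a later edit that flips the flag back to True reintroduces the deploy/teardown collision at the shared SSO domain with nothing to stop it. Consider a guard in the sweep that refuses to promote any recipe whose canonical domain matches a warm_reconcile SPECS entry, or at minimum a test asserting that this recipe's WARM_CANONICAL is False. The comment also hard-codes warm-keycloak.ci.commoninternet.net, which duplicates SPECS["keycloak"] and can drift; referring to the SPECS entry by name would be enough.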