recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2f5900a5a9f30436bce312bc7fa0bcd14078a775
cc-ci/tests/lasuite-docs/recipe_meta.py
autonomic-bot 9e88741864 feat(2): Q2.4 acceptance — lasuite-docs + keycloak dep + OIDC password grant (cold green) 
- tests/lasuite-docs/recipe_meta.py: DEPS = ['keycloak'] declares the SSO provider dep.
  Orchestrator deploys a per-run keycloak BEFORE lasuite-docs (Q2.3 dep resolver) and tears it
  down AFTER in finally.
- tests/lasuite-docs/functional/test_oidc_with_keycloak.py: Q2 gate acceptance test.
  - Asserts deps_apps['keycloak'] is the per-run dep domain.
  - Calls harness.sso.setup_keycloak_realm to create realm/client/test-user idempotently.
  - GET /.well-known/openid-configuration; asserts issuer = https://<kc>/realms/lasuite-docs.
  - harness.sso.oidc_password_grant: password-grant flow; asserts the JWT iss/azp/typ/exp.
  - Non-vacuous: each step uses real per-run-generated creds (class-B per §4.4-B), would fail
    on broken admin API / token endpoint / wrong claims.

Cold-verifiable on cc-ci (log /root/ccci-q24-lasuite-keycloak.log):
  RECIPE=lasuite-docs STAGES=install,custom cc-ci-run runner/run_recipe_ci.py
  ===== DEPS: ['keycloak'] =====
    dep: deploying keycloak -> keyc-c12afe.ci.commoninternet.net
    dep: keycloak ready @ keyc-c12afe.ci.commoninternet.net
  ===== TIER: install =====   2 PASS (generic + cc-ci overlay)
  ===== TIER: custom =====    1 PASS (test_oidc_password_grant_against_dep_keycloak)
  ===== DEPS teardown =====
  ===== RUN SUMMARY =====
  deploy-count = 2 (expect 2)   # 1 parent + 1 dep

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-28 08:08:11 +01:00

24 lines
1.4 KiB
Python
Raw Blame History

# Per-recipe harness config for lasuite-docs (recipe #5 — multi-service + object-storage/S3).
# Stack: app(frontend) + backend(Django/impress) + celery + y-provider + docspec + db(postgres) +
# redis + minio(S3) + web(nginx). OIDC settings are config-only (validated by `manage.py check`, not
# fetched at boot), so the stack starts healthy with placeholder OIDC; login isn't exercised in CI.
# Many services -> generous timeouts.
HEALTH_PATH = "/"
HEALTH_OK = (200, 301, 302)
DEPLOY_TIMEOUT = 900
HTTP_TIMEOUT = 600
# Phase 2 Q2.3 deps: lasuite-docs's recipe-maintainer corpus declares `requires = ["keycloak"]`.
# Declaring it here makes the orchestrator deploy a per-run keycloak BEFORE lasuite-docs so the
# OIDC-flow functional test (`functional/test_oidc_with_keycloak.py`) can run against a real
# provider in the same run. The dep is undeployed AFTER the parent in the orchestrator's `finally`.
DEPS = ["keycloak"]
def EXTRA_ENV(domain):
# abra's internal per-deploy convergence timeout (the recipe's TIMEOUT env, default 300s) is too
# short for this 9-service stack on a COLD image cache (~9 large images: impress frontend/backend,
# minio, postgres18, redis, docspec, y-provider). Cold pulls exceed 300s -> "deploy timed out 🟠".
# Bump it so the harness deploy waits long enough; verified the stack converges 9/9 once pulled.
return {"TIMEOUT": "900"}
Reference in New Issue View Git Blame Copy Permalink