autonomic-bot
6557197858
- recipe_meta: DEPS=[keycloak] enabled (base proven cold-green). - setup_custom_tests.sh: wire OIDC env (explicit keycloak realm endpoints) + insert oidc_rpcs secret at bumped version + clear FranceConnect eidas1 acr + in-place redeploy (adapted from the proven lasuite-docs hook). - functional/test_oidc_with_keycloak.py: SSO discovery + password grant + JWT claims vs dep keycloak realm 'lasuite-drive' (@requires_deps; F2-11 fails run on skip). - functional/test_minio_storage.py: §4.3 specific — drive-media-storage bucket present + real upload->list->download round-trip via mc inside the minio container. - PARITY.md: OIDC + MinIO rows landed; backup data-integrity (ci_marker) already real. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
46 lines
2.9 KiB
Python
46 lines
2.9 KiB
Python
# Per-recipe harness config for lasuite-drive (Phase 2 Q3.2 — multi-service + object-storage/S3 +
|
|
# WOPI office, OIDC-dependent). Sibling of lasuite-docs (same La Suite / impress lineage).
|
|
#
|
|
# Stack: app(frontend SPA) + backend(Django/drive) + celery + celery-beat + db(postgres) + redis +
|
|
# mailcatcher + minio(S3) + minio-createbuckets(one-shot) + collabora(WOPI office). ~10 services →
|
|
# generous timeouts.
|
|
#
|
|
# Health: the React SPA is served at `/` by the `app` service and returns 200 unauthenticated
|
|
# (login is OIDC-gated, exercised by the SSO functional tests, not by the install health check).
|
|
HEALTH_PATH = "/"
|
|
HEALTH_OK = (200, 301, 302)
|
|
# This is the heaviest stack in the Phase-2 set: 12 services incl. BOTH office backends
|
|
# (collabora/code ~1GB + onlyoffice/documentserver ~2GB) plus impress front/backend, postgres,
|
|
# minio, redis, nginx. Cold image pull + onlyoffice's multi-minute internal boot exceed the
|
|
# default abra TIMEOUT (300s) and even 900s, so allow a wide window (abra TIMEOUT below stays
|
|
# under DEPLOY_TIMEOUT so the Python subprocess never kills abra mid-wait).
|
|
DEPLOY_TIMEOUT = 1800
|
|
HTTP_TIMEOUT = 900
|
|
|
|
# Base deploy/lifecycle proven cold-green @2026-05-28 (install: pass; 12 services incl.
|
|
# onlyoffice+collabora) once the Docker Hub rate limit was fixed. The keycloak SSO dep is now
|
|
# enabled: declaring DEPS triggers the orchestrator's setup_custom_tests step (deploy keycloak +
|
|
# provision realm/client/user + run tests/lasuite-drive/setup_custom_tests.sh to wire OIDC env +
|
|
# in-place redeploy). functional/test_oidc_with_keycloak.py then exercises the SSO flow.
|
|
DEPS = ["keycloak"]
|
|
|
|
|
|
def EXTRA_ENV(domain):
|
|
# Two of lasuite-drive's services route on DOMAIN-DERIVED **nested** subdomains —
|
|
# `MINIO_DOMAIN="minio.${DOMAIN}"` and `COLLABORA_DOMAIN="collabora.${DOMAIN}"`. The cc-ci
|
|
# wildcard TLS cert is `*.ci.commoninternet.net` (single label only), so a 2-label name like
|
|
# `minio.lasuite-drive-pr0-abc.ci.commoninternet.net` is NOT covered → TLS failure on those
|
|
# routers. Flatten each to a single-label SIBLING under the wildcard (`minio-<domain>`,
|
|
# `collabora-<domain>`) so the existing wildcard cert covers them and Traefik routes them with
|
|
# no cert/gateway change. See DECISIONS.md "Phase 2 — nested DOMAIN-derived subdomains".
|
|
# `AWS_S3_DOMAIN_REPLACE` derives from MINIO_DOMAIN in-compose, so setting MINIO_DOMAIN is enough.
|
|
return {
|
|
"MINIO_DOMAIN": f"minio-{domain}",
|
|
"COLLABORA_DOMAIN": f"collabora-{domain}",
|
|
# abra's internal per-deploy convergence timeout (recipe TIMEOUT env, default 300s) is too
|
|
# short for this 12-service stack on a cold image cache (impress frontend/backend, minio,
|
|
# postgres, redis, collabora ~1GB, onlyoffice ~2GB). Bump so abra waits long enough for
|
|
# convergence; kept under DEPLOY_TIMEOUT (1800) so Python never kills abra mid-wait.
|
|
"TIMEOUT": "1500",
|
|
}
|