Q3.2a / plan-lasuite-drive-oidc-robustness.md Part A.

The old setup_custom_tests.sh did a post-deploy in-place `abra app deploy --force --chaos` of the heavy 12-service stack to apply the OIDC env — flaky (collabora WOPI-discovery race + gunicorn-perms; JOURNAL Step 0). Since the OIDC env only affects backend/app and keycloak is live-warm, provision the per-run realm BEFORE the single deploy and wire OIDC into the .env at install time (no reconverge).

- runner/run_recipe_ci.py: new _provision_deps() helper (warm/cold split + SSO enrich + write $CCCI_DEPS_FILE), used by both paths. New per-recipe OIDC_AT_INSTALL meta flag (added to _load_meta whitelist). When set + deps live-warm: provision BEFORE deploy_app; the install tier's install_steps.sh wires OIDC into the single deploy; post-deploy step runs only the MinIO bucket one-shot — no re-provision, no redeploy. Legacy post-deploy path unchanged for all other dep recipes (gated on `not oidc_at_install`).
- tests/lasuite-drive/install_steps.sh (NEW): install-time OIDC env + secret wiring; no-ops on empty deps file (recipe still boots, OIDC test skips → F2-11 RED).
- tests/lasuite-drive/setup_custom_tests.sh: trimmed to MinIO-bucket-only (OIDC moved out).
- tests/lasuite-drive/recipe_meta.py: OIDC_AT_INSTALL = True.
- JOURNAL-2: Step-0 root-cause failure logs captured before the fix.

NOT a claim — validating 3x green (incl. now-required upgrade tier) before claiming Q3.2.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
40 lines
2.3 KiB
Bash
Executable File
#!/usr/bin/env bash
# lasuite-drive — POST-DEPLOY setup hook (Phase 2 Q3.2a).
#
# As of Q3.2a (plan-lasuite-drive-oidc-robustness.md Part A) OIDC is wired at INSTALL time by
# tests/lasuite-drive/install_steps.sh (before the single `abra app deploy`), so this hook NO LONGER
# does any OIDC env wiring or in-place redeploy — that eliminated the flaky 12-service reconverge
# (collabora WOPI race; see JOURNAL Step 0). What remains here is the ONE post-deploy step that
# genuinely needs the live stack: triggering the MinIO bucket-creation one-shot. The orchestrator
# runs this only on the install-time path AFTER the deploy is healthy (deps already provisioned).
#
# Env supplied by the orchestrator:
# CCCI_APP_DOMAIN — the running per-run lasuite-drive app domain
# CCCI_DEPS_FILE — JSON deps creds dict (unused here now; OIDC handled at install)
set -euo pipefail

: "${CCCI_APP_DOMAIN:?missing}"

# The deploy alone does NOT create the MinIO bucket — `minio-createbuckets` is a `replicas:0`
# one-shot (restart_policy: none) that must be triggered. The MinIO storage test asserts the bucket
# exists, so create it here. `--detach` is REQUIRED: the job creates the bucket then EXITS 0, so it
# never holds a steady 1/1 replica; a blocking `docker service scale ...=1` would wait forever and
# hang the run. With `--detach` the scale just submits the one-run and returns; the poll loop below
# confirms the bucket was actually created.
STACK=$(printf '%s' "$CCCI_APP_DOMAIN" | tr '.' '_')
echo " setup: creating MinIO bucket via the minio-createbuckets one-shot (scale 0->1)"
docker service scale --detach "${STACK}_minio-createbuckets=1" >/dev/null 2>&1 || true
# Wait up to 90s for the one-shot to create the bucket (mc mb drive/drive-media-storage; exit 0).
# Poll by checking the bucket directly from the running minio replica container.
for i in $(seq 1 30); do
  MC_CID=$(docker ps -q -f "name=${STACK}_minio.1" | head -1)
  if [ -n "$MC_CID" ] && docker exec "$MC_CID" sh -c \
    'mc alias set _c http://localhost:9000 "$(cat /run/secrets/minio_ru)" "$(cat /run/secrets/minio_rp)" >/dev/null 2>&1 && mc ls _c/drive-media-storage >/dev/null 2>&1'; then
    echo " setup: bucket drive-media-storage present after ${i} poll(s)"
    break
  fi
  sleep 3
done

echo " lasuite-drive setup_custom_tests: post-deploy MinIO bucket step complete (OIDC wired at install)"
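The hook above reaches its final "complete" message even when all 30 polls fail, so a missing bucket only surfaces later in the storage test. The following is an added example, not part of the repository's script: the same wait written as a function that returns non-zero on timeout so the caller can fail the run at this step. `stack_name`, `bucket_present`, `wait_for_bucket` and `DOCKER_BIN` are names assumed here; the service, secret and bucket names are the ones in the hook.

```shell
#!/usr/bin/env bash
# Added example: bounded bucket wait that reports timeout to the caller.
# DOCKER_BIN is an assumption made here so the check can be exercised without a swarm.
DOCKER_BIN="${DOCKER_BIN:-docker}"

# Stack name derived from the app domain the same way the hook does it.
stack_name() { printf '%s' "$1" | tr '.' '_'; }

# Returns 0 only if the running minio replica can list the bucket.
bucket_present() {
  local stack="$1" cid
  cid=$("$DOCKER_BIN" ps -q -f "name=${stack}_minio.1" | head -1)
  [ -n "$cid" ] || return 1
  # Single quotes: the secret files are read inside the container,
  # so their contents are never expanded by the host shell.
  "$DOCKER_BIN" exec "$cid" sh -c \
    'mc alias set _c http://localhost:9000 "$(cat /run/secrets/minio_ru)" "$(cat /run/secrets/minio_rp)" >/dev/null 2>&1 && mc ls _c/drive-media-storage >/dev/null 2>&1'
}

# wait_for_bucket <app-domain> [attempts] [sleep-seconds]
# Returns 0 once the bucket is visible, 1 if every attempt failed.
wait_for_bucket() {
  local stack attempts="${2:-30}" pause="${3:-3}" i
  stack=$(stack_name "$1")
  for i in $(seq 1 "$attempts"); do
    if bucket_present "$stack"; then
      echo " setup: bucket drive-media-storage present after ${i} poll(s)"
      return 0
    fi
    # No sleep after the final attempt; the caller gets the failure immediately.
    if [ "$i" -lt "$attempts" ]; then sleep "$pause"; fi
  done
  echo " setup: bucket drive-media-storage NOT present after ${attempts} poll(s)" >&2
  return 1
}

# Usage in the hook, after the detached scale:
#   wait_for_bucket "$CCCI_APP_DOMAIN" 30 3 || exit 1
```

With `set -e` already active in the hook, calling `wait_for_bucket "$CCCI_APP_DOMAIN"` on its own line is enough to stop the run on timeout.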