fix(helm): Harden setup.sh Temporal namespace creation, generate Site UUID if not specified #2546
| Original file line number | Diff line number | Diff line change |
|---|---|---|
@@ -38,45 +38,3 @@ nico-rest-workflow: | |
| replicaCount: 3 | ||
| siteWorker: | ||
| replicaCount: 3 | ||
|
|
||
| # Site-agent config — v1.0.4 binary reads DB config from env vars. | ||
| # NICo postgres uses the 'nico' user and 'elektratest' database. | ||
| # CLUSTER_ID and TEMPORAL_SUBSCRIBE_* are set via --set in setup.sh | ||
| # using the NICO_SITE_UUID variable (default: a1b2c3d4-e5f6-4000-8000-000000000001). | ||
| nico-rest-site-agent: | ||
|
Contributor
why is the site agent config being removed?
Contributor
Author
I couldn't find a usage/reference for it.
||
| replicaCount: 3 | ||
| bootstrap: | ||
| enabled: true | ||
| siteManager: | ||
| address: "nico-rest-site-manager.nico-rest:8100" | ||
| certificate: | ||
| # Service identifier must match "elektra-site-agent" for nico-api's SiteAgent RBAC role. | ||
| # The base path /nico-system/sa/ is one of nico-api's recognized spiffe_service_base_paths. | ||
| uris: | ||
| - "spiffe://nico.local/nico-system/sa/elektra-site-agent" | ||
| envConfig: | ||
| # DEV ONLY — these values match the dev postgres instance deployed by setup.sh. | ||
| # DB_USER and DB_PASSWORD are injected from the db-creds Secret (secrets.dbCreds). | ||
| DB_ADDR: "postgres.postgres.svc.cluster.local" | ||
| DB_DATABASE: "elektratest" | ||
| DB_PORT: "5432" | ||
| ESA_PORT: "8080" | ||
| METRICS_PORT: "2112" | ||
| DEV_MODE: "true" | ||
| ENABLE_DEBUG: "true" | ||
| ENABLE_TLS: "true" | ||
| # mTLS to nico-api (NICO_SEC_OPT=2). Cert issued from vault-nico-issuer | ||
| # so nico-api trusts it (same Vault PKI CA as nico-api's own cert). | ||
| NICO_ADDRESS: "nico-api.nico-system.svc.cluster.local:1079" | ||
| NICO_SEC_OPT: "2" | ||
| CLUSTER_ID: "a1b2c3d4-e5f6-4000-8000-000000000001" | ||
| TEMPORAL_HOST: "temporal-frontend.temporal" | ||
| TEMPORAL_PORT: "7233" | ||
| TEMPORAL_SERVER: "interservice.server.temporal.local" | ||
| TEMPORAL_PUBLISH_NAMESPACE: "site" | ||
| TEMPORAL_PUBLISH_QUEUE: "site" | ||
| TEMPORAL_SUBSCRIBE_NAMESPACE: "a1b2c3d4-e5f6-4000-8000-000000000001" | ||
| TEMPORAL_SUBSCRIBE_QUEUE: "site" | ||
| TEMPORAL_INVENTORY_SCHEDULE: "@every 3m" | ||
| TEMPORAL_CERT_PATH: "/etc/temporal-certs" | ||
| TEMPORAL_CERT: "temporal-client-site-agent-certs" | ||
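Review bot: Removing the whole `nico-rest-site-agent:` block in this hunk contradicts the deleted comment lines, which say `CLUSTER_ID` and `TEMPORAL_SUBSCRIBE_*` "are set via --set in setup.sh using the NICO_SITE_UUID variable"; that is a live reference to this config, not dead config, and it matches the PR's own "generate Site UUID if not specified" change. If the site-agent subchart is still a chart dependency, nothing in values now sets the mTLS mode (`NICO_SEC_OPT: "2"`), the `spiffe://nico.local/nico-system/sa/elektra-site-agent` URI that the comment ties to nico-api's SiteAgent RBAC role, or the `DB_*`/`TEMPORAL_*` wiring, and any `--set nico-rest-site-agent.*` flags in setup.sh would target keys no longer present in values. Either drop the subchart dependency and the matching `--set` lines in the same change, or keep the block and replace only the hard-coded `a1b2c3d4-…` UUID with the value setup.sh generates. Please also call out in the PR description that the `DEV ONLY` dev-postgres settings and `ENABLE_DEBUG: "true"` are going away, so reviewers can confirm nothing relies on them.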
🗄️ Data Integrity & Integration | 🟠 Major | 🏗️ Heavy lift
Persist the generated site UUID across reruns.
When `NICO_SITE_UUID` is unset, this branch mints a fresh UUID on every `setup.sh` invocation. That value is later wired into the site-agent as both `CLUSTER_ID` and `TEMPORAL_SUBSCRIBE_NAMESPACE`, so a routine rerun changes the site's identity, leaves the old Temporal namespace orphaned, and forces site-agent re-registration even though no rotation was requested. Please reuse the existing deployed UUID on reruns and only generate a new one on first install.

As per path instructions, `helm-prereqs/**`: review prerequisite Helm resources and scripts for install ordering, cluster-scope permissions, secret handling, idempotency, and clear failure messages.
Source: Path instructions
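One way to make the UUID step idempotent as the review above asks, written here as an added example rather than the project's setup.sh: an explicit `NICO_SITE_UUID` wins, otherwise the value persisted by a previous run is reused, and a new UUID is generated only when neither exists. The state-file location (`NICO_SITE_UUID_FILE`) is an assumption; a Secret or ConfigMap in the cluster would serve the same purpose.

```shell
#!/bin/sh
# Added example, not the project's setup.sh. Resolve the site UUID with the
# precedence: NICO_SITE_UUID env > persisted value from an earlier run > new UUID.
# NICO_SITE_UUID_FILE is an assumed location for the persisted identity.

NICO_SITE_UUID_FILE="${NICO_SITE_UUID_FILE:-./.nico-site-uuid}"

# Accept only RFC 4122-shaped values so a corrupted state file or a typo in
# NICO_SITE_UUID fails loudly instead of becoming CLUSTER_ID and the
# TEMPORAL_SUBSCRIBE_NAMESPACE of a new, orphaned Temporal namespace.
is_uuid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
}

# Generate a lower-case UUID; fall back to the kernel's generator when uuidgen is absent.
new_uuid() {
  if command -v uuidgen >/dev/null 2>&1; then
    uuidgen | tr 'A-Z' 'a-z'
  elif [ -r /proc/sys/kernel/random/uuid ]; then
    cat /proc/sys/kernel/random/uuid
  else
    echo "resolve_site_uuid: no UUID generator available" >&2
    return 1
  fi
}

# Print the UUID to use for this install; exit non-zero with a clear message on bad input.
resolve_site_uuid() {
  uuid="${NICO_SITE_UUID:-}"
  if [ -z "$uuid" ] && [ -f "$NICO_SITE_UUID_FILE" ]; then
    uuid="$(cat "$NICO_SITE_UUID_FILE")"          # rerun: reuse the deployed identity
  fi
  if [ -z "$uuid" ]; then
    uuid="$(new_uuid)" || return 1                # first install: mint one
  fi
  if ! is_uuid "$uuid"; then
    echo "resolve_site_uuid: invalid site UUID '$uuid' (NICO_SITE_UUID or $NICO_SITE_UUID_FILE)" >&2
    return 1
  fi
  # Persist with owner-only permissions so the next run sees the same value.
  ( umask 077; printf '%s\n' "$uuid" > "$NICO_SITE_UUID_FILE" ) || return 1
  printf '%s\n' "$uuid"
}
```

In setup.sh this would replace the unconditional generation, e.g. `NICO_SITE_UUID="$(resolve_site_uuid)" || exit 1` before the `--set` flags are built.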