alexei.dolgolyov/tiny-forge
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(deployer): wire pre-deploy backup into the unified dispatch path

Browse Source 
auto_backup_before_deploy silently did nothing — MaybeBackupBeforeDeploy's
only caller was the legacy executeDeploy pipeline, removed in the
workload-first cutover. Reconnect it as maybeBackupBeforeDeploy(), invoked
from DispatchPlugin after the source resolves and before it runs, so the
setting fires for every source kind. Fail-open: a nil backuper, a
settings-load error, or a backup failure skips the snapshot without
blocking the deploy. Adds predeploy_backup_test.go asserting the wiring.
This commit is contained in:
Admin
2026-06-08 16:13:30 +03:00
parent ec8c0cd891
commit c2ca6c0b73
4 changed files with 143 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/deployer/deployer.go
+22 -8
View File
@@ -100,20 +100,34 @@ func (d *Deployer) SetPreDeployBackuper(b PreDeployBackuper) {
d.backuper = b d.backuper = b
} }
// MaybeBackupBeforeDeploy creates a "pre-deploy" Tinyforge DB snapshot when // maybeBackupBeforeDeploy takes a "pre-deploy" Tinyforge DB snapshot before a
// the setting is enabled. Failures are logged but do not abort the deploy: // deploy when the operator enabled auto_backup_before_deploy. It is called on
// missing a backup is preferable to refusing to ship a fix. Exposed so // the unified deploy path (DispatchPlugin) so the setting actually fires — its
// Source plugins can opt into the same behaviour. // predecessor was orphaned when the legacy executeDeploy pipeline (its only
func (d *Deployer) MaybeBackupBeforeDeploy(deployID string, settings store.Settings) { // caller) was removed in the workload-first cutover, silently disabling the
if !settings.AutoBackupBeforeDeploy || d.backuper == nil { // setting.
//
// Fail-open: a nil backuper, a settings-load error, or a backup failure all
// skip the snapshot without blocking the deploy — missing a backup is
// preferable to refusing to ship a fix.
func (d *Deployer) maybeBackupBeforeDeploy(workloadID string) {
if d.backuper == nil {
return
}
settings, err := d.store.GetSettings()
if err != nil {
slog.Warn("pre-deploy backup: load settings", "workload", workloadID, "error", err)
return
}
if !settings.AutoBackupBeforeDeploy {
return return
} }
backup, err := d.backuper.CreateBackup("pre-deploy") backup, err := d.backuper.CreateBackup("pre-deploy")
if err != nil { if err != nil {
slog.Warn("pre-deploy backup failed", "deploy_id", deployID, "error", err) slog.Warn("pre-deploy backup failed", "workload", workloadID, "error", err)
return return
} }
slog.Info("pre-deploy backup created", "deploy_id", deployID, "backup_id", backup.ID, "filename", backup.Filename) slog.Info("pre-deploy backup created", "workload", workloadID, "backup_id", backup.ID, "filename", backup.Filename)
} }
// SetDNSProvider sets the DNS provider for managing DNS records during deployments. // SetDNSProvider sets the DNS provider for managing DNS records during deployments.
internal/deployer/dispatch.go
+9 -5
View File
@@ -9,11 +9,10 @@ import (
) )
// DispatchPlugin routes a DeploymentIntent for w to the matching Source // DispatchPlugin routes a DeploymentIntent for w to the matching Source
// plugin. This is the new unified deploy path; the legacy executeDeploy // plugin. This is the unified deploy path for every source kind (the legacy
// remains in place until Phase 6 ports image-deploy logic into // executeDeploy pipeline was removed in the workload-first cutover). When the
// source/image. While both exist, callers must pick: webhook/registry // operator enables auto_backup_before_deploy, a pre-deploy Tinyforge DB
// triggers + image deploys still go through the legacy path, while // snapshot is taken here, after the source resolves and before it runs.
// /api/hooks/generic + the unified webhook ingress go through here.
func (d *Deployer) DispatchPlugin(ctx context.Context, w plugin.Workload, intent plugin.DeploymentIntent) error { func (d *Deployer) DispatchPlugin(ctx context.Context, w plugin.Workload, intent plugin.DeploymentIntent) error {
if err := d.beginDispatch(); err != nil { if err := d.beginDispatch(); err != nil {
metrics.DeploysTotal.Inc(w.SourceKind, "rejected_draining") metrics.DeploysTotal.Inc(w.SourceKind, "rejected_draining")
@@ -29,6 +28,11 @@ func (d *Deployer) DispatchPlugin(ctx context.Context, w plugin.Workload, intent
metrics.DeploysTotal.Inc("unknown", "unknown_source") metrics.DeploysTotal.Inc("unknown", "unknown_source")
return fmt.Errorf("dispatch %s: %w", w.Name, err) return fmt.Errorf("dispatch %s: %w", w.Name, err)
} }
// Optional operator-enabled pre-deploy DB snapshot. Fail-open: never
// blocks shipping a deploy. Runs before any source-internal idempotency
// check (e.g. the image source's same-tag short-circuit), so a same-tag
// redeploy still snapshots — "backup before every deploy attempt".
d.maybeBackupBeforeDeploy(w.ID)
err = src.Deploy(ctx, d.PluginDeps(), w, intent) err = src.Deploy(ctx, d.PluginDeps(), w, intent)
outcome := "success" outcome := "success"
if err != nil { if err != nil {
internal/deployer/dispatch_test.go
+5 -5
View File
@@ -21,9 +21,9 @@ import (
type fakeSource struct { type fakeSource struct {
kind string kind string
mu sync.Mutex mu sync.Mutex
deployErr error deployErr error
teardownErr error teardownErr error
reconcileErr error reconcileErr error
deployCount atomic.Int32 deployCount atomic.Int32
@@ -34,8 +34,8 @@ type fakeSource struct {
lastDeps plugin.Deps lastDeps plugin.Deps
} }
func (f *fakeSource) Kind() string { return f.kind } func (f *fakeSource) Kind() string { return f.kind }
func (f *fakeSource) SchemaSample() any { return struct{}{} } func (f *fakeSource) SchemaSample() any { return struct{}{} }
func (f *fakeSource) Validate(json.RawMessage) error { return nil } func (f *fakeSource) Validate(json.RawMessage) error { return nil }
func (f *fakeSource) Deploy(_ context.Context, deps plugin.Deps, _ plugin.Workload, intent plugin.DeploymentIntent) error { func (f *fakeSource) Deploy(_ context.Context, deps plugin.Deps, _ plugin.Workload, intent plugin.DeploymentIntent) error {
internal/deployer/predeploy_backup_test.go
+107
View File
@@ -0,0 +1,107 @@
package deployer
import (
"context"
"errors"
"sync/atomic"
"testing"
"github.com/alexei/tinyforge/internal/store"
"github.com/alexei/tinyforge/internal/workload/plugin"
)
// fakeBackuper records pre-deploy backup calls so the dispatch wiring can be
// asserted. err (when set) simulates a backup failure.
type fakeBackuper struct {
count atomic.Int32
lastType atomic.Value // string
err error
}
func (f *fakeBackuper) CreateBackup(backupType string) (store.Backup, error) {
f.count.Add(1)
f.lastType.Store(backupType)
if f.err != nil {
return store.Backup{}, f.err
}
return store.Backup{ID: "b1", Filename: "tinyforge-pre-deploy.db"}, nil
}
func setAutoBackup(t *testing.T, d *Deployer, enabled bool) {
t.Helper()
s, err := d.store.GetSettings()
if err != nil {
t.Fatalf("get settings: %v", err)
}
s.AutoBackupBeforeDeploy = enabled
if err := d.store.UpdateSettings(s); err != nil {
t.Fatalf("update settings: %v", err)
}
}
// Regression: the pre-deploy backup hook was orphaned after the cutover (no
// caller on DispatchPlugin), making auto_backup_before_deploy a silent no-op.
func TestDispatchPlugin_PreDeployBackup_FiresWhenEnabled(t *testing.T) {
resetFake(t)
d := newTestDeployer(t)
b := &fakeBackuper{}
d.SetPreDeployBackuper(b)
setAutoBackup(t, d, true)
if err := d.DispatchPlugin(context.Background(), sampleWorkload(), plugin.DeploymentIntent{}); err != nil {
t.Fatalf("dispatch: %v", err)
}
if got := b.count.Load(); got != 1 {
t.Fatalf("CreateBackup called %d times, want 1", got)
}
if bt, _ := b.lastType.Load().(string); bt != "pre-deploy" {
t.Fatalf("backup type = %q, want pre-deploy", bt)
}
if got := dispatchTestSource.deployCount.Load(); got != 1 {
t.Fatalf("Deploy ran %d times, want 1", got)
}
}
func TestDispatchPlugin_PreDeployBackup_SkippedWhenDisabled(t *testing.T) {
resetFake(t)
d := newTestDeployer(t)
b := &fakeBackuper{}
d.SetPreDeployBackuper(b)
setAutoBackup(t, d, false)
if err := d.DispatchPlugin(context.Background(), sampleWorkload(), plugin.DeploymentIntent{}); err != nil {
t.Fatalf("dispatch: %v", err)
}
if got := b.count.Load(); got != 0 {
t.Fatalf("CreateBackup called %d times, want 0 (setting off)", got)
}
}
func TestDispatchPlugin_PreDeployBackup_NilBackuperNoPanic(t *testing.T) {
resetFake(t)
d := newTestDeployer(t)
setAutoBackup(t, d, true) // enabled, but no backuper wired
if err := d.DispatchPlugin(context.Background(), sampleWorkload(), plugin.DeploymentIntent{}); err != nil {
t.Fatalf("dispatch must not panic/fail with a nil backuper: %v", err)
}
if got := dispatchTestSource.deployCount.Load(); got != 1 {
t.Fatalf("Deploy ran %d times, want 1", got)
}
}
func TestDispatchPlugin_PreDeployBackup_FailOpen(t *testing.T) {
resetFake(t)
d := newTestDeployer(t)
b := &fakeBackuper{err: errors.New("disk full")}
d.SetPreDeployBackuper(b)
setAutoBackup(t, d, true)
// A failed backup is logged but must NOT block the deploy.
if err := d.DispatchPlugin(context.Background(), sampleWorkload(), plugin.DeploymentIntent{}); err != nil {
t.Fatalf("deploy must succeed when backup fails (fail-open): %v", err)
}
if got := dispatchTestSource.deployCount.Load(); got != 1 {
t.Fatalf("Deploy ran %d times, want 1 (despite backup failure)", got)
}
}