refactor(workload): finalize containers index + post-review hardening
Wraps up the workload refactor with the fixes that came out of the multi-agent code review (see docs/plans/workload-refactor.md "What actually shipped"). Backend: - store.ReconcileContainer: separate write path so the 30s reconciler tick no longer overwrites deployer-owned fields (subdomain, proxy_route_id, npm_proxy_id, image_tag). - Container.stage_id column + index; ListProxyRoutes / ListContainersByStageID join via stage_id (survives stage rename), with legacy fallback to (project_id, role=stage_name). - Reconciler: workload-existence check (rejects forged tinyforge.workload.id labels), skips inventing project-kind rows, child-context cancel before wg.Wait() on shutdown. - Transactional CRUD across projects / stacks / static_sites: parent UPDATE and workload sync land in one transaction so secret rotations are durable. - Webhook routing reads exclusively through workloads.webhook_secret; legacy GetProjectByWebhookSecret / GetStaticSiteByWebhookSecret fallback removed. - store.GetStackByComposeProjectName + indexed lookup (no more full-table stack scan per compose container per tick). - store.ListMissingSweepRows: filtered query for the missing-sweep. - /api/instances/* handlers verify (workload_id, role) match URL (project_id, stage_name) before mutating — closes the cross-project hijack the security review flagged. - extra_json no longer referenced from Go (column kept on disk for now). Frontend: - WorkloadContainers.svelte: generic detail-page panel reusable by stack and site detail pages. - Containers page polish: client-side kind/state filters over an unfiltered fetch, URL-synced filters, race-safe loads via sequence number, EN+RU i18n, sidebar counter via navCounts.containers. Misc: - scripts/dev-server.sh: tolerate empty netstat grep result. - .gitignore: ignore docker-watcher binaries, .claude/worktrees/, .facts-sync.json.
This commit is contained in:
@@ -188,6 +188,122 @@ func TestReconcileIgnoresUnmanagedContainers(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
// TestReconcileDoesNotClobberDeployerFields guards against the regression where
|
||||
// the reconciler's upsert wiped subdomain / proxy_route_id / npm_proxy_id /
|
||||
// image_tag / stage_id on every tick because those columns were included in
|
||||
// the ON CONFLICT DO UPDATE SET clause but never populated by the reconciler.
|
||||
func TestReconcileDoesNotClobberDeployerFields(t *testing.T) {
|
||||
st := newTestStore(t)
|
||||
|
||||
// Project workload — exercises the path most affected by the regression
|
||||
// (proxies, blue-green slots, image-tag-based stale detection).
|
||||
project, err := st.CreateProject(store.Project{Name: "p", Image: "nginx"})
|
||||
if err != nil {
|
||||
t.Fatalf("CreateProject: %v", err)
|
||||
}
|
||||
w, _ := st.GetWorkloadByRef(store.WorkloadKindProject, project.ID)
|
||||
|
||||
// Deployer wrote the row with proxy / subdomain / image_tag / stage_id.
|
||||
deployerRow := store.Container{
|
||||
ID: "deploy-uuid-1", WorkloadID: w.ID, WorkloadKind: "project",
|
||||
Role: "prod", StageID: "stage-prod-id", ContainerID: "docker-aaa",
|
||||
ImageRef: "nginx:1.27", ImageTag: "1.27", State: "running", Port: 8080,
|
||||
Subdomain: "prod-p", ProxyRouteID: "route-42", NpmProxyID: 7,
|
||||
}
|
||||
if err := st.UpsertContainer(deployerRow); err != nil {
|
||||
t.Fatalf("seed deployer row: %v", err)
|
||||
}
|
||||
|
||||
// Reconciler sees the same docker container — no proxy fields in labels.
|
||||
fake := &fakeDocker{items: []docker.ReconcileItem{{
|
||||
ID: "docker-aaa", Image: "nginx:1.27", State: "running",
|
||||
Labels: map[string]string{
|
||||
docker.LabelManaged: "true",
|
||||
docker.LabelWorkloadID: w.ID,
|
||||
docker.LabelWorkloadKind: "project",
|
||||
docker.LabelRole: "prod",
|
||||
},
|
||||
Ports: []uint16{8080},
|
||||
}}}
|
||||
r := New(st, fake, 0)
|
||||
if err := r.ReconcileOnce(context.Background()); err != nil {
|
||||
t.Fatalf("ReconcileOnce: %v", err)
|
||||
}
|
||||
|
||||
got, _ := st.GetContainerByID("deploy-uuid-1")
|
||||
if got.Subdomain != "prod-p" {
|
||||
t.Fatalf("subdomain wiped: %q", got.Subdomain)
|
||||
}
|
||||
if got.ProxyRouteID != "route-42" {
|
||||
t.Fatalf("proxy_route_id wiped: %q", got.ProxyRouteID)
|
||||
}
|
||||
if got.NpmProxyID != 7 {
|
||||
t.Fatalf("npm_proxy_id wiped: %d", got.NpmProxyID)
|
||||
}
|
||||
if got.ImageTag != "1.27" {
|
||||
t.Fatalf("image_tag wiped: %q", got.ImageTag)
|
||||
}
|
||||
if got.StageID != "stage-prod-id" {
|
||||
t.Fatalf("stage_id wiped: %q", got.StageID)
|
||||
}
|
||||
}
|
||||
|
||||
// TestReconcileRejectsForgedWorkloadLabel guards C2 — a Docker container
|
||||
// claiming a non-existent workload_id must be ignored, not adopted into the
|
||||
// containers index.
|
||||
func TestReconcileRejectsForgedWorkloadLabel(t *testing.T) {
|
||||
st := newTestStore(t)
|
||||
fake := &fakeDocker{items: []docker.ReconcileItem{{
|
||||
ID: "docker-evil",
|
||||
Labels: map[string]string{
|
||||
docker.LabelManaged: "true",
|
||||
docker.LabelWorkloadID: "wl-does-not-exist",
|
||||
docker.LabelWorkloadKind: "project",
|
||||
docker.LabelRole: "prod",
|
||||
},
|
||||
}}}
|
||||
r := New(st, fake, 0)
|
||||
if err := r.ReconcileOnce(context.Background()); err != nil {
|
||||
t.Fatalf("ReconcileOnce: %v", err)
|
||||
}
|
||||
rows, _ := st.ListContainers(store.ContainerFilter{})
|
||||
if len(rows) != 0 {
|
||||
t.Fatalf("forged label should produce no row, got %d", len(rows))
|
||||
}
|
||||
}
|
||||
|
||||
// TestReconcileSkipsProjectInsertWithoutDeployerRow guards H3 — the reconciler
|
||||
// must not invent a project container row, since the deployer is the
|
||||
// authoritative writer and inventing rows races with MaxInstances > 1 deploys.
|
||||
func TestReconcileSkipsProjectInsertWithoutDeployerRow(t *testing.T) {
|
||||
st := newTestStore(t)
|
||||
project, err := st.CreateProject(store.Project{Name: "p2", Image: "nginx"})
|
||||
if err != nil {
|
||||
t.Fatalf("CreateProject: %v", err)
|
||||
}
|
||||
w, _ := st.GetWorkloadByRef(store.WorkloadKindProject, project.ID)
|
||||
|
||||
// Reconciler sees a real container with project labels but no deployer
|
||||
// row exists yet (race during deploy).
|
||||
fake := &fakeDocker{items: []docker.ReconcileItem{{
|
||||
ID: "docker-race", Image: "nginx", State: "running",
|
||||
Labels: map[string]string{
|
||||
docker.LabelManaged: "true",
|
||||
docker.LabelWorkloadID: w.ID,
|
||||
docker.LabelWorkloadKind: "project",
|
||||
docker.LabelRole: "prod",
|
||||
},
|
||||
}}}
|
||||
r := New(st, fake, 0)
|
||||
if err := r.ReconcileOnce(context.Background()); err != nil {
|
||||
t.Fatalf("ReconcileOnce: %v", err)
|
||||
}
|
||||
rows, _ := st.ListContainersByWorkload(w.ID)
|
||||
if len(rows) != 0 {
|
||||
t.Fatalf("project insert without deployer row should be skipped, got %d rows", len(rows))
|
||||
}
|
||||
}
|
||||
|
||||
func TestReconcileNormalizesState(t *testing.T) {
|
||||
st := newTestStore(t)
|
||||
stack, _ := st.CreateStack(store.Stack{
|
||||
|
||||
Reference in New Issue
Block a user