alexei.dolgolyov
7733e64b08
A dockerfile or static workload can opt in to reading its deploy config from a
.tinyforge.yml in its own repo. Tinyforge fetches the file, shows field-level
drift vs the live config, and an admin applies it with an explicit Sync. The
repo becomes the source of truth for the declared fields. Manual-sync only;
no auto-apply on deploy, no multi-workload reconcile, no create/delete in v1.
Scope is deliberately source-aware and source_config-resident: dockerfile
declares port/healthcheck/deploy_strategy, static declares deploy_strategy.
The file never carries repo coords or secrets (those stay in the encrypted
DB), which keeps credentials out of the repo.
Backend:
- internal/gitops: Spec/ParseSpec (KnownFields rejects unknown keys), a
source-aware ApplyPlan/BuildPlan, MergeAndValidate (omitted-field-preserving
deep merge + validate-the-merged-result-then-commit — never a partial
config), declared-only Drift with normalization, and Fetch with
ok/no_file/fetch_failed/invalid statuses and token-redacted messages.
- staticsite: DownloadFile added to GitProvider + Gitea/GitHub/GitLab impls,
reusing each provider's SSRF-safe client; 64 KiB cap; ErrFileNotFound.
- store: 4 additive gitops_* columns + setters (disjoint from UpdateWorkload
so the edit-form save and a sync never clobber each other).
- api: GET /workloads/{id}/gitops (status + raw + live drift + managed_fields),
PUT /gitops (admin, enable/path, traversal-safe), POST /gitops/sync (admin,
per-workload locked read->merge->validate->write, audited to event_log).
Frontend:
- GitOpsPanel.svelte: status pill, a purpose-built field-level drift view,
.tinyforge.yml preview, enable ToggleSwitch, Sync via ConfirmDialog; all five
statuses handled, admin affordances gated on the real viewer role.
- GitOps-managed badge (list + detail hero) and a read-only edit-form banner.
- api.ts fetchers + types; i18n apps.detail.gitops.* (en + ru parity).
Built phase-by-phase with an adversarial plan review (caught 5 design flaws
pre-implementation) and an independent review per phase (go / security / ts /
final) — all APPROVE, 0 CRITICAL/HIGH. docs/gitops.md documents the schema and
what's intentionally out of v1. Plan: plans/gitops/.
36 lines
1.8 KiB
Markdown
36 lines
1.8 KiB
Markdown
# Phase 2 — Store + API (manual sync, explicit-action)
|
|
|
|
## Tasks
|
|
|
|
- [ ] **Store setters** (`internal/store/workloads.go` or a new `gitops.go`):
|
|
- `SetWorkloadGitOps(id string, enabled bool, path string) error` — gated to
|
|
dockerfile/static at the API layer.
|
|
- `RecordGitOpsSync(id, commitSHA, syncedAt string) error`.
|
|
- All writes re-read the row first / use targeted column updates (avoid full-row
|
|
clobber races — review S5).
|
|
- [ ] **Sync audit** (NOT deploy_history): a small `gitops_sync_audit` table
|
|
(`id, workload_id, outcome, commit_sha, drift_count, error, created_at`) with an insert
|
|
helper. Errors stored as generic markers only (secret-safe). _(Or reuse the event log if
|
|
cleaner — pick one and note it.)_
|
|
- [ ] **API handlers** (`internal/api/gitops.go`, wired in `internal/api/router.go`):
|
|
- `GET /api/workloads/{id}/gitops` → `{ enabled, path, status, raw, parsed, commit_sha,
|
|
last_sync_at, drift_count }` (calls `gitops.Fetch` + `gitops.Drift`).
|
|
- `GET /api/workloads/{id}/gitops/drift` → `[]DriftEntry`.
|
|
- `POST /api/workloads/{id}/gitops/sync` (`auth.AdminOnly`) → `Fetch` →
|
|
`MergeAndValidate` → `UpdateWorkload` (single txn) → `RecordGitOpsSync` + audit.
|
|
Returns the applied summary. Secret-safe errors.
|
|
- `PUT /api/workloads/{id}/gitops` (`auth.AdminOnly`) → enable/disable + path; **reject
|
|
if source_kind ∉ {dockerfile, static}** with a clear 400.
|
|
- [ ] **Validation**: path must be a repo-relative file (no `..`, no leading `/`, sane
|
|
length); `enabled` only when the source is git-backed and has repo coords.
|
|
|
|
## Verify
|
|
|
|
- `go build ./...`, `go vet ./internal/...`, `go test ./internal/...` green.
|
|
- Handler tests: admin-gate on sync/put, no_file path, secret-safe error on a failed
|
|
fetch, drift_count surfaced, non-git source rejected by PUT.
|
|
|
|
## Handoff notes
|
|
|
|
_(filled after implementation)_
|