fix: keep hwlab runtime gitops guard on manual refresh

This commit is contained in:
Codex
2026-07-04 12:42:27 +00:00
parent d588ee258e
commit 82439833b4
6 changed files with 279 additions and 2 deletions
+2 -1
@@ -203,7 +203,8 @@ export function renderControllerManifests(registry: BranchFollowerRegistry): Rec
kind: "ClusterRole",
metadata: { name: registry.controller.serviceAccountName, labels },
rules: [
{ apiGroups: [""], resources: ["pods", "pods/log", "configmaps", "events"], verbs: ["get", "list", "watch"] },
{ apiGroups: [""], resources: ["pods", "pods/log", "events"], verbs: ["get", "list", "watch"] },
{ apiGroups: [""], resources: ["configmaps"], verbs: ["get", "list", "watch", "create", "update", "patch"] },
{ apiGroups: [""], resources: ["pods/exec"], verbs: ["create"] },
{ apiGroups: ["batch"], resources: ["jobs"], verbs: ["get", "list", "watch", "create", "delete"] },
{ apiGroups: ["apps"], resources: ["deployments", "statefulsets"], verbs: ["get", "list", "watch"] },
+1 -1
@@ -83,7 +83,7 @@ export function nativeHwlabControlPlaneRefreshJobManifest(
{ name: "FIELD_MANAGER", value: spec.controlPlaneFieldManager },
{ name: "TEKTON_NAMESPACE", value: tektonNamespace },
{ name: "KUBE_REQUEST_TIMEOUT_SECONDS", value: String(timeoutSeconds) },
{ name: "RUNTIME_GITOPS_CONFIGMAP_NAME", value: registry.controller.configMapName },
{ name: "RUNTIME_GITOPS_CONFIGMAP_NAME", value: `${spec.pipeline}-runtime-gitops-scripts` },
{ name: "HWLAB_RENDER_OVERLAY_B64", value: overlay },
],
}],
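Review bot: RUNTIME_GITOPS_CONFIGMAP_NAME now carries the literal template `${spec.pipeline}-runtime-gitops-scripts` instead of a name the registry owns, and nothing in this hunk ties that spelling to the ConfigMap presumably rendered into `runtime-gitops-scripts.yaml`. A mismatch between the two would surface only at runtime as a missing ConfigMap in the refresh job, so a single helper such as `runtimeGitopsScriptsConfigMapName(spec)` returning this template, used both here and where the manifest is rendered, would keep the name from drifting. The enclosing nativeHwlabControlPlaneRefreshJobManifest starts and ends outside this hunk.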
+32
@@ -41,6 +41,9 @@ import { webObserveShort, webObserveText } from "./web-probe-observe";
import { hwlabRuntimeActiveExternalPostgres } from "../hwlab-node-lanes";
const runtimeGitopsObservabilityNativeScript = readFileSync(rootPath("scripts/native/hwlab/runtime-gitops-observability.mjs"), "utf8").trimEnd();
const runtimeGitopsPipelineGuardNativeScript = readFileSync(rootPath("scripts/native/hwlab/runtime-gitops-pipeline-guard.mjs"), "utf8").trimEnd();
const runtimeGitopsPostprocessNativeScript = readFileSync(rootPath("scripts/native/hwlab/runtime-gitops-postprocess.mjs"), "utf8").trimEnd();
const runtimeGitopsVerifyNativeScript = readFileSync(rootPath("scripts/native/hwlab/runtime-gitops-verify.mjs"), "utf8").trimEnd();
export function nodeRuntimeGitMirrorJobName(mirror: NodeRuntimeGitMirrorTargetSpec, action: "sync" | "flush"): string {
const prefix = action === "sync" ? mirror.syncJobPrefix : mirror.flushJobPrefix;
@@ -2648,5 +2651,34 @@ export function nodeRuntimePipelinePostprocessScript(): string[] {
"patchArgoYaml(path.join(renderDir, 'argocd', 'project.yaml'));",
"patchArgoYaml(path.join(renderDir, 'argocd', overlay.argoApplicationFile));",
"NODE",
...runtimeGitopsPipelineGuardScript(),
];
}
function runtimeGitopsPipelineGuardScript(): string[] {
return [
"runtime_gitops_guard_dir=\"$render_dir/.unidesk-runtime-gitops\"",
"mkdir -p \"$runtime_gitops_guard_dir\"",
...writeRuntimeGitopsNativeScript("runtime-gitops-pipeline-guard.mjs", runtimeGitopsPipelineGuardNativeScript, "UNIDESK_RUNTIME_GITOPS_PIPELINE_GUARD_MJS"),
...writeRuntimeGitopsNativeScript("runtime-gitops-observability.mjs", runtimeGitopsObservabilityNativeScript, "UNIDESK_RUNTIME_GITOPS_OBSERVABILITY_MJS"),
...writeRuntimeGitopsNativeScript("runtime-gitops-postprocess.mjs", runtimeGitopsPostprocessNativeScript, "UNIDESK_RUNTIME_GITOPS_POSTPROCESS_MJS"),
...writeRuntimeGitopsNativeScript("runtime-gitops-verify.mjs", runtimeGitopsVerifyNativeScript, "UNIDESK_RUNTIME_GITOPS_VERIFY_MJS"),
[
"UNIDESK_RUNTIME_GITOPS_OVERLAY_B64=\"$overlay_b64\"",
"node \"$runtime_gitops_guard_dir/runtime-gitops-pipeline-guard.mjs\"",
"--pipeline \"$render_dir/$(node -e 'const o=JSON.parse(Buffer.from(process.argv[1],\"base64\").toString(\"utf8\")); process.stdout.write(o.tektonDir)' \"$overlay_b64\")/pipeline.yaml\"",
"--scripts-configmap \"$render_dir/$(node -e 'const o=JSON.parse(Buffer.from(process.argv[1],\"base64\").toString(\"utf8\")); process.stdout.write(o.tektonDir)' \"$overlay_b64\")/runtime-gitops-scripts.yaml\"",
`--namespace ${shellQuote(HWLAB_CI_NAMESPACE)}`,
"--scripts-dir \"$runtime_gitops_guard_dir\"",
].join(" "),
];
}
function writeRuntimeGitopsNativeScript(name: string, content: string, marker: string): string[] {
return [
`cat > "$runtime_gitops_guard_dir/${name}" <<'${marker}'`,
content,
marker,
`chmod 0755 "$runtime_gitops_guard_dir/${name}"`,
];
}
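Review bot: In runtimeGitopsPipelineGuardScript the overlay is base64-decoded by an identical `node -e` subshell twice, once each for the `--pipeline` and `--scripts-configmap` arguments; decoding it once into a shell variable removes the duplicate and keeps the two paths from diverging. Emit `runtime_gitops_tekton_dir="$(node -e '…same decode…' "$overlay_b64")"` right after the `mkdir -p` line, then pass `--pipeline "$render_dir/$runtime_gitops_tekton_dir/pipeline.yaml"` and `--scripts-configmap "$render_dir/$runtime_gitops_tekton_dir/runtime-gitops-scripts.yaml"`. In writeRuntimeGitopsNativeScript the `chmod 0755` is not needed because every script is invoked as `node <path>`, so `chmod 0644` suffices and leaves no executables under the render directory. The basename `runtime-gitops-scripts.yaml` is also spelled out again in the nodeRuntimeControlPlaneFiles hunk, where a shared constant would keep the two in step. Because `$runtime_gitops_guard_dir` lives under `$render_dir`, it is worth confirming that the later verify/postprocess steps exclude it from the rendered gitops output.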
+1
@@ -178,6 +178,7 @@ export function nodeRuntimeControlPlaneFiles(spec: HwlabRuntimeLaneSpec, renderD
return [
`${renderDir}/${spec.runtimeRenderDir}/namespace.yaml`,
`${renderDir}/${spec.tektonDir}/rbac.yaml`,
`${renderDir}/${spec.tektonDir}/runtime-gitops-scripts.yaml`,
`${renderDir}/${spec.tektonDir}/pipeline.yaml`,
`${renderDir}/argocd/project.yaml`,
`${renderDir}/argocd/${spec.argoApplicationFile}`,