fix: expose frontend auth pod fingerprint
This commit is contained in:
@@ -272,9 +272,11 @@ kubectl -n ${sh(auth.target.namespace)} get secret ${sh(auth.target.secretName)}
|
||||
secret_rc=$?
|
||||
kubectl -n ${sh(auth.target.namespace)} get deployment ${sh(auth.target.rolloutDeployment)} -o json >"$tmp/deploy.json" 2>"$tmp/deploy.err"
|
||||
deploy_rc=$?
|
||||
python3 - "$tmp" "$cm_rc" "$secret_rc" "$deploy_rc" <<'PY'
|
||||
kubectl -n ${sh(auth.target.namespace)} exec deployment/${sh(auth.target.rolloutDeployment)} -- sh -c 'printf "%s\\n%s" "$AUTH_USERNAME" "$AUTH_PASSWORD" | sha256sum | awk "{print \\$1}"' >"$tmp/pod-fingerprint.out" 2>"$tmp/pod-fingerprint.err"
|
||||
pod_fp_rc=$?
|
||||
python3 - "$tmp" "$cm_rc" "$secret_rc" "$deploy_rc" "$pod_fp_rc" <<'PY'
|
||||
import json, os, sys
|
||||
tmp, cm_rc, secret_rc, deploy_rc = sys.argv[1], int(sys.argv[2]), int(sys.argv[3]), int(sys.argv[4])
|
||||
tmp, cm_rc, secret_rc, deploy_rc, pod_fp_rc = sys.argv[1], int(sys.argv[2]), int(sys.argv[3]), int(sys.argv[4]), int(sys.argv[5])
|
||||
def load(name):
|
||||
try:
|
||||
return json.load(open(os.path.join(tmp, name), encoding="utf-8"))
|
||||
@@ -292,13 +294,22 @@ observed_cm_fp = cm_ann.get("unidesk.ai/frontend-auth-fingerprint")
|
||||
observed_secret_fp = secret_ann.get("unidesk.ai/frontend-auth-fingerprint")
|
||||
available = int(((deploy.get("status") or {}).get("availableReplicas") or 0))
|
||||
replicas = int(((deploy.get("status") or {}).get("replicas") or 0))
|
||||
updated = int(((deploy.get("status") or {}).get("updatedReplicas") or 0))
|
||||
generation = int((deploy.get("metadata") or {}).get("generation") or 0)
|
||||
observed_generation = int(((deploy.get("status") or {}).get("observedGeneration") or 0))
|
||||
try:
|
||||
pod_fp_full = open(os.path.join(tmp, "pod-fingerprint.out"), encoding="utf-8").read().strip().split()[0]
|
||||
except Exception:
|
||||
pod_fp_full = None
|
||||
pod_fp = pod_fp_full[:16] if pod_fp_full else None
|
||||
checks = [
|
||||
{"name": "configmap", "ok": cm_rc == 0, "detail": "${auth.target.configMapName}"},
|
||||
{"name": "username-key", "ok": "${auth.target.usernameKey}" in cm_data, "detail": "${auth.target.usernameKey}"},
|
||||
{"name": "secret", "ok": secret_rc == 0, "detail": "${auth.target.secretName}"},
|
||||
{"name": "password-key", "ok": "${auth.target.passwordKey}" in secret_data, "detail": "${auth.target.passwordKey}"},
|
||||
{"name": "fingerprint", "ok": bool(desired) and observed_cm_fp == desired and observed_secret_fp == desired, "detail": observed_secret_fp or "-"},
|
||||
{"name": "deployment", "ok": deploy_rc == 0 and replicas > 0 and available >= 1, "detail": "${auth.target.rolloutDeployment}"},
|
||||
{"name": "deployment", "ok": deploy_rc == 0 and replicas > 0 and updated == replicas and available >= replicas and observed_generation >= generation, "detail": "${auth.target.rolloutDeployment}"},
|
||||
{"name": "pod-env", "ok": pod_fp_rc == 0 and bool(desired) and pod_fp == desired, "detail": pod_fp or "-"},
|
||||
]
|
||||
payload = {
|
||||
"ok": all(item["ok"] for item in checks),
|
||||
@@ -310,6 +321,7 @@ payload = {
|
||||
"rolloutDeployment": "${auth.target.rolloutDeployment}",
|
||||
"expectedFingerprint": desired or None,
|
||||
"observedFingerprint": observed_secret_fp,
|
||||
"podEnvFingerprint": pod_fp,
|
||||
"checks": checks,
|
||||
"valuesPrinted": False,
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user