fix: expose frontend auth pod fingerprint

This commit is contained in:
Codex
2026-07-09 15:44:25 +02:00
parent 34b2b119ba
commit 9915f28da9
+15 -3
View File
@@ -272,9 +272,11 @@ kubectl -n ${sh(auth.target.namespace)} get secret ${sh(auth.target.secretName)}
secret_rc=$?
kubectl -n ${sh(auth.target.namespace)} get deployment ${sh(auth.target.rolloutDeployment)} -o json >"$tmp/deploy.json" 2>"$tmp/deploy.err"
deploy_rc=$?
python3 - "$tmp" "$cm_rc" "$secret_rc" "$deploy_rc" <<'PY'
kubectl -n ${sh(auth.target.namespace)} exec deployment/${sh(auth.target.rolloutDeployment)} -- sh -c 'printf "%s\\n%s" "$AUTH_USERNAME" "$AUTH_PASSWORD" | sha256sum | awk "{print \\$1}"' >"$tmp/pod-fingerprint.out" 2>"$tmp/pod-fingerprint.err"
pod_fp_rc=$?
python3 - "$tmp" "$cm_rc" "$secret_rc" "$deploy_rc" "$pod_fp_rc" <<'PY'
import json, os, sys
tmp, cm_rc, secret_rc, deploy_rc = sys.argv[1], int(sys.argv[2]), int(sys.argv[3]), int(sys.argv[4])
tmp, cm_rc, secret_rc, deploy_rc, pod_fp_rc = sys.argv[1], int(sys.argv[2]), int(sys.argv[3]), int(sys.argv[4]), int(sys.argv[5])
def load(name):
try:
return json.load(open(os.path.join(tmp, name), encoding="utf-8"))
@@ -292,13 +294,22 @@ observed_cm_fp = cm_ann.get("unidesk.ai/frontend-auth-fingerprint")
observed_secret_fp = secret_ann.get("unidesk.ai/frontend-auth-fingerprint")
available = int(((deploy.get("status") or {}).get("availableReplicas") or 0))
replicas = int(((deploy.get("status") or {}).get("replicas") or 0))
updated = int(((deploy.get("status") or {}).get("updatedReplicas") or 0))
generation = int((deploy.get("metadata") or {}).get("generation") or 0)
observed_generation = int(((deploy.get("status") or {}).get("observedGeneration") or 0))
try:
pod_fp_full = open(os.path.join(tmp, "pod-fingerprint.out"), encoding="utf-8").read().strip().split()[0]
except Exception:
pod_fp_full = None
pod_fp = pod_fp_full[:16] if pod_fp_full else None
checks = [
{"name": "configmap", "ok": cm_rc == 0, "detail": "${auth.target.configMapName}"},
{"name": "username-key", "ok": "${auth.target.usernameKey}" in cm_data, "detail": "${auth.target.usernameKey}"},
{"name": "secret", "ok": secret_rc == 0, "detail": "${auth.target.secretName}"},
{"name": "password-key", "ok": "${auth.target.passwordKey}" in secret_data, "detail": "${auth.target.passwordKey}"},
{"name": "fingerprint", "ok": bool(desired) and observed_cm_fp == desired and observed_secret_fp == desired, "detail": observed_secret_fp or "-"},
{"name": "deployment", "ok": deploy_rc == 0 and replicas > 0 and available >= 1, "detail": "${auth.target.rolloutDeployment}"},
{"name": "deployment", "ok": deploy_rc == 0 and replicas > 0 and updated == replicas and available >= replicas and observed_generation >= generation, "detail": "${auth.target.rolloutDeployment}"},
{"name": "pod-env", "ok": pod_fp_rc == 0 and bool(desired) and pod_fp == desired, "detail": pod_fp or "-"},
]
payload = {
"ok": all(item["ok"] for item in checks),
@@ -310,6 +321,7 @@ payload = {
"rolloutDeployment": "${auth.target.rolloutDeployment}",
"expectedFingerprint": desired or None,
"observedFingerprint": observed_secret_fp,
"podEnvFingerprint": pod_fp,
"checks": checks,
"valuesPrinted": False,
}