fix: guard code queue hostpath source rollout

This commit is contained in:
Codex
2026-05-20 10:37:44 +00:00
parent ba8bdc828e
commit dd92e42918
6 changed files with 350 additions and 5 deletions
+24
View File
@@ -199,6 +199,30 @@ MDTODO and ClaudeQQ are standard `k3sctl-managed` artifact consumers in the same
Code Queue is explicitly narrower. Only `--env dev --service code-queue` is a supported artifact consumer target, and it may mutate only `unidesk-dev` Code Queue execution objects. Production Code Queue artifact deploy, production rollout and production manifest mutation are unsupported and must fail visibly.
## Code Queue Production HostPath Guard
生产 Code Queue 仍处在 hostPath source 过渡边界。生产 scheduler/read/write Pod 会把 D601 `/home/ubuntu/cq-deploy` 同时挂载为 `/app``/root/unidesk`,因此 Bun 进程启动时解析的是 hostPath repo,而不是镜像内已 COPY 的源码。即使 Docker build 或 `unidesk-code-queue:d601` 导入成功,只要 `/home/ubuntu/cq-deploy` 部分同步,运行态仍会失败。必须防住的具体故障类是:`index.ts` 已导入 `./runtime-preflight`,但 `/home/ubuntu/cq-deploy/src/components/microservices/code-queue/src/runtime-preflight.ts` 缺失;该状态必须视为 deploy-degraded,并阻止任何 scheduler restart 或 rollout。
任何仍会修改生产 `/home/ubuntu/cq-deploy` 的部署或恢复路径,都必须在 source sync 之后、Kubernetes rollout 之前运行 Code Queue source import guard
```bash
bun scripts/code-queue-source-guard.ts --root /home/ubuntu/cq-deploy
# or from a local controller worktree:
bun scripts/cli.ts deploy guard code-queue-source --root /home/ubuntu/cq-deploy
```
guard 必须返回 JSON,并在失败时以非零退出码给出 `degradedReason=source-root-missing``degradedReason=missing-relative-import-target`;部署编排必须透出该 reason,并在 `kubectl rollout restart` 或任何会迫使 scheduler 重新导入脏 hostPath source 的 Pod 删除之前停止。当前 guard 覆盖 `src/components/microservices/code-queue/src/**/*.ts` 下的相对 `import``export ... from``import(...)` 目标,包括 `runtime-preflight.ts` 这类缺文件故障。
路径所有权必须保持显式。`/home/ubuntu/cq-deploy``src/components/microservices/k3sctl-adapter/k3s/code-queue.k8s.yaml` 使用的生产 k3s hostPath repo。`/home/ubuntu/unidesk-code-queue-deploy` 是历史/开发 worktree 名称;除非 manifest、部署代码和文档一起修改,否则不得假设它是生产 scheduler source。迁移期如果两者通过软链接关联,guard 仍必须对实际挂载进 `/app` 的路径运行。
D601 k3s 验证必须始终设置原生 kubeconfig
```bash
KUBECONFIG=/etc/rancher/k3s/k3s.yaml kubectl -n unidesk get deploy,svc,pod,endpoints
```
D601 默认 `kubectl` context 可能指向 Docker Desktop、kind 或其他本地集群,因此不能作为 UniDesk production Code Queue ready 的证据。长期目标是完全移除生产 hostPath source 覆盖,让 Code Queue production 收敛到 commit-pinned artifact/image CD,并像其他已审查 artifact consumer 一样验证 live commit。
## CI Separation
Continuous integration is intentionally separate from this deploy reconciler. D601 k3s hosts Tekton CI resources described in `docs/reference/ci.md`; PipelineRuns may clone, check, run read-only performance gates, create temporary CI-owned namespaces for dev manifest smoke e2e, or publish commit-pinned backend-core/user-service image artifacts to the D601 artifact registry. They must not call `deploy apply`, `codex deploy`, `kubectl rollout restart` for production services, mutate `deploy.json`, or write production namespaces.