Skip to content

fix(setup): seed the REST site record and fix the worker DB target (release/v2.0)#3340

Merged
nv-dmendoza merged 1 commit into
NVIDIA:release/v2.0from
shayan1995:cherry-pick-3284-release-v2.0
Jul 10, 2026
Merged

fix(setup): seed the REST site record and fix the worker DB target (release/v2.0)#3340
nv-dmendoza merged 1 commit into
NVIDIA:release/v2.0from
shayan1995:cherry-pick-3284-release-v2.0

Conversation

@shayan1995

Copy link
Copy Markdown
Contributor

Cherry-pick of #3284 (7b35d52) onto release/v2.0, following the same process as #3182.

Bind the site-agent to a REST-created site and fix the workflow-worker DB target. Two defects left a fresh site with an empty nicocli site list despite a healthy, handshaked site-agent: the site UUID was minted without any REST database record behind it (the bootstrap Job's POST /v1/site creates only the Site CR + OTP), and the workflow workers missed the nico-pg-cluster consolidation (#3081), failing every DB activity with SQLSTATE 42P01 so no site could ever leave Pending.

Changes

  • setup.sh: resolve the site UUID instead of blindly minting — explicit NICO_SITE_UUID (bind to a pre-existing site), else the prior install's CLUSTER_ID (site-agent ConfigMap), else adopt an existing REST site with the same name, else mint. Then seed the REST DB directly (same record shape as forged's per-env site.sql): a default infrastructure_provider for the org plus a Pending site row named after siteName, with the v2 networking capabilities (native_networking, network_security_group, flow) enabled and the status_detail row the REST create handler writes. All inserts idempotent (WHERE NOT EXISTS); waits up to 120 s for the REST migrations. IdP-agnostic — no API token needed. The bootstrap Job's existing POST /v1/site flow is untouched and runs after the DB row exists, under the same UUID.
  • setup.sh: inject workflow-worker DB values at install time via the existing REST creds temp file — nico-rest-workflow now targets nico-pg-cluster/nico_rest as nico-rest.nico with the db-creds secret, aligned with nico-rest-api.
  • setup.sh: delete a site-registration secret bound to a stale UUID so rebinding CLUSTER_ID re-bootstraps; input validation (UUID format, site-name/org charset) before SQL interpolation; quoting-agnostic siteName parsing.
  • Docs (quick-start.md, helm-prereqs/README.md, configurability.md): NICO_SITE_UUID resolution behavior documented consistently.

Related Issues

N/A

Type of Change

Fix - Bug fixes

Breaking Changes

None.

Testing

Manual end-to-end validation on dev6

@shayan1995 shayan1995 requested a review from a team July 9, 2026 23:14
@shayan1995 shayan1995 requested review from a team and polarweasel as code owners July 9, 2026 23:14
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 1825f7e3-6791-4859-8db5-faff64a8aeb0

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

🔐 TruffleHog Secret Scan

No secrets or credentials found!

Your code has been scanned for 700+ types of secrets and credentials. All clear! 🎉

🔗 View scan details

🕐 Last updated: 2026-07-09 23:19:33 UTC | Commit: ea486b6

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

🔍 Container Scan Summary

Service Total Critical High Medium Low Other
boot-artifacts-aarch64 3 0 0 3 0 0
boot-artifacts-x86_64 3 0 0 3 0 0
forge-admin-cli-x86_64 271 13 34 91 7 126
machine-validation-runner 800 37 234 291 43 195
machine_validation 800 37 234 291 43 195
machine_validation-aarch64 800 37 234 291 43 195
nvmetal-carbide 800 37 234 291 43 195
TOTAL 3477 161 970 1261 179 906

Per-CVE detail lives in the per-service grype-* artifacts (JSON + SARIF). Severity counts only — no CVE IDs published here.

…VIDIA#3284)

<!-- Describe what this PR does -->
Two defects left a fresh site with an empty `nicocli site list` despite
a healthy, handshaked site-agent:

1. setup.sh minted a site UUID and the site-agent bootstrap Job POSTed
/v1/site to site-manager, which creates the Site CR + OTP — but never
the site row in the REST database. The agent handshakes under an
identity no REST site matches, so its inventory is dropped.
2. The nico-pg-cluster consolidation (NVIDIA#3081) missed the workflow
subchart: site/cloud workers stayed on the legacy postgres.postgres/nico
database (zero tables) and failed every DB activity with SQLSTATE 42P01
(relation "site" does not exist), so no site could leave Pending.

Both fixes are contained in setup.sh — the bootstrap Job's existing POST
/v1/site flow (Site CR + OTP + temporal certs) is untouched and simply
runs after the DB row exists, under the same UUID:

- Resolve the site UUID instead of blindly minting: explicit
NICO_SITE_UUID (bind to a pre-existing site) -> CLUSTER_ID from a prior
install's site-agent StatefulSet (stable reruns) -> an existing REST
site row with our name (adopt; idempotent reprovision) -> mint. Then
seed the REST DB directly with the same record shape as forged's per-env
envs/*/carbide-rest/site.sql: a 'default' infrastructure_provider for
the org (NICO_ORG, default ncx) plus a Pending site row named after
NICO_SITE_NAME / values.yaml siteName, id = created_by = the resolved
UUID. All inserts are guarded (WHERE NOT EXISTS) and the seed waits for
the REST migrations to have created the tables. IdP-agnostic: no API
token required.
- Delete a site-registration secret bound to a stale UUID so rebinding
CLUSTER_ID re-bootstraps instead of silently keeping the old identity.
- Inject worker DB values at install time via the existing REST creds
temp file: nico-rest-workflow now targets nico-pg-cluster/nico_rest as
nico-rest.nico with the db-creds secret, aligned with nico-rest-api.

## Related issues
<!-- Refer to existing GitHub issues here -->

## Type of Change
<!-- Check one that best describes this PR -->
- [ ] **Add** - New feature or capability
- [ ] **Change** - Changes in existing functionality
- [X] **Fix** - Bug fixes
- [ ] **Remove** - Removed features or deprecated functionality
- [ ] **Internal** - Internal changes (refactoring, tests, docs, etc.)

## Breaking Changes
<!-- If checked, describe the breaking changes and migration steps -->
<!-- Breaking changes are not generally permitted, please discuss on a
GitHub discussion or with the development team if you believe you need
to break a backward compatibility guarantee -->
- [ ] **This PR contains breaking changes**

## Testing
<!-- How was this tested? Check all that apply -->
- [ ] Unit tests added/updated
- [ ] Integration tests added/updated
- [X] Manual testing performed
- [ ] No testing required (docs, internal refactor, etc.)

tested this end to end on dev6

## Additional Notes
<!-- Any additional context, deployment notes, or reviewer guidance -->
@shayan1995 shayan1995 force-pushed the cherry-pick-3284-release-v2.0 branch from ea486b6 to 13afa48 Compare July 9, 2026 23:51
@nv-dmendoza nv-dmendoza merged commit df01454 into NVIDIA:release/v2.0 Jul 10, 2026
119 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants