Context
Main CI is green, but stage-3 step 21 (the config worker's live cap_data_class_mismatch rejection over HTTPS) is currently allow-skipped on the test env via config-worker-unreachable (added in #205 / 765af13, .github/workflows/harness-ci.yml). The config worker is built + running on the test broker, but config-test.litentry.org has no TLS cert — its DNS A record was never provisioned, and certbot can't issue a cert until the host resolves. This is the same operator one-shot as the already-tolerated config-role-missing (the test config bucket + IAM role).
prod config.litentry.org is already fully provisioned; only the test env is pending.
What to do (operator, AWS)
- bash scripts/setup-cloud.sh --ci — provisions the config-test.litentry.org DNS A record (via dns-upsert-workers.sh, which already includes $WORKER_CONFIG_HOST) → test broker EIP (tag agentkeys-broker-eip-test).
- Next CI broker deploy (setup-broker-host.sh --test) → certbot issues the cert for config-test.litentry.org.
- Verify: curl -sS https://config-test.litentry.org/healthz → HTTP 200.
Then (code)
Drop config-worker-unreachable (and config-role-missing once the role/bucket are provisioned) from the stage-3 allow-skip in .github/workflows/harness-ci.yml so step 21 becomes a live gate again. The comment there already says "Drop BOTH allowances once config-test is provisioned."
Acceptance
- config-test.litentry.org resolves + serves a valid cert (healthz 200).
- cap_data_class_mismatch 403).
- config-worker-unreachable removed from the harness-ci stage-3 --allow-skip.