Skip to content

fix(installer): restore Step-5 credential verify for minted creds (revert #293 → v1.8.4)#295

Merged
saadqbal merged 1 commit into
developfrom
fix/restore-minted-verify-canary
Jul 2, 2026
Merged

fix(installer): restore Step-5 credential verify for minted creds (revert #293 → v1.8.4)#295
saadqbal merged 1 commit into
developfrom
fix/restore-minted-verify-canary

Conversation

@saadqbal

@saadqbal saadqbal commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Draft — gated on tracebloc/cli#126 (v0.5.1). Do not merge/release until that CLI fix ships as the latest release.

Why

#293 skipped verify_credentials for freshly-minted credentials, on the premise that a minted client is "set to enroll" and the api-token-auth pre-verify would 400 on a still-valid credential.

That premise was wrong. The verify 400'd because of a CLI bug (cli#125): client create wrote the numeric dashboard id — not the UUID username — as TRACEBLOC_CLIENT_ID, which is the auth username the pod sends to api-token-auth. The credential was genuinely invalid. verify_credentials was a correct canary; #293 masked it, so the install reported success while the jobs-manager pod crash-looped on Unable to log in with provided credentials.

What

With cli#126 fixed, a minted credential carries the UUID username and verify passes. Restore the canary so a bad credential fails loudly at install time (Step 5), not silently at pod runtime:

provision.bats 12/12 and install-client-helm.bats green locally.

Sequencing

  1. Merge cli#126 → cli develop → main → release v0.5.1.
  2. Un-draft + merge this → client develop → release v1.8.4.
  3. Re-run installer e2e on dev: Step 5 verify should pass and the pod should authenticate.

Refs: RFC-0001 backend#830, installer credential handoff #838.


Note

Medium Risk
Changes install-time auth validation for all minted credential paths; wrong timing vs CLI v0.5.1 could fail good installs until the CLI fix ships.

Overview
Reverts the installer behavior that skipped verify_credentials for freshly minted clients (TRACEBLOC_CLIENT_MINTED). Step 5 now always calls api-token-auth verification for env-supplied credentials—including after browser client create—so bad usernames/passwords fail at install time instead of leaving jobs-manager crash-looping.

provision.sh no longer sets or clears the mint marker; tests drop the mint-skip case and manifest.sha256 is updated. Helm chart version bumps 1.8.3 → 1.8.4.

Reviewed by Cursor Bugbot for commit d9e2227. Bugbot is set up for automated code reviews on this repo. Configure here.

…vert #293 → v1.8.4)

#293 skipped verify_credentials for freshly-minted credentials on the premise
that a minted client is "set to enroll" and only goes active once the pod
connects, so the api-token-auth pre-verify would 400 on a valid credential.
That premise was wrong. The real reason verify 400'd was a CLI bug
(tracebloc/cli#125): `client create` wrote the numeric dashboard id — not the
UUID username — as TRACEBLOC_CLIENT_ID, which is the auth username. The
credential was genuinely invalid; verify_credentials was a correct canary that
#293 masked, letting the install "succeed" while the pod crash-looped on
"Unable to log in with provided credentials".

With cli#125 fixed (v0.5.1), a minted credential is valid and verify passes.
Restore the canary so a bad credential fails loudly at install time (Step 5)
instead of silently at pod runtime:

- install-client-helm.sh: drop the TRACEBLOC_CLIENT_MINTED skip branch; always
  verify_credentials in Step 5 (mint, adopt, and dual-mode alike).
- provision.sh: drop the TRACEBLOC_CLIENT_MINTED marker (now unused).
- tests + manifest.sha256: reverted to the pre-#293 state.
- Chart: 1.8.3 → 1.8.4 (forward; not a version rollback).

DEPENDS ON tracebloc/cli#125 (v0.5.1) being the latest CLI release — the
installer fetches the CLI fresh, so the canary only passes once v0.5.1 mints
the correct UUID username. Do not release this chart before v0.5.1 is out.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@LukasWodka

Copy link
Copy Markdown
Contributor

👋 Heads-up — Code review queue is at 31 / 30

Above the WIP limit. The team convention is to review existing PRs before opening new work.

Open PRs currently in Code review (oldest first):

Pull from review before opening new work. (This is a nudge from the kanban WIP check, not a block.)

saadqbal added a commit that referenced this pull request Jul 2, 2026
…d client in place (RFC-0001 §7.2 / #838)

Re-running the installer on an already-connected client did not behave per
RFC-0001 §7.2. provision_client (Step 3) correctly adopts the existing client
(get-or-create keyed on the cluster) and writes TRACEBLOC_CLIENT_ADOPTED=1 + the
UUID + namespace to the credential file — but install-client-helm.sh had NO adopt
handling. Its non-interactive path is gated on ID *and* PASSWORD both being set;
adopt issues no password (the existing one stands, write-only on the backend), so
Step 5 fell through to the manual "Client ID:" prompt, defaulting to the stale
clientId in the previous values.yaml — a numeric dashboard id on any cluster first
installed during the cli#125 window — which verify_credentials then rejected.

Teach Step 5 an adopt branch: on TRACEBLOC_CLIENT_ADOPTED=1, find the live client
release and `helm upgrade` it in place, reusing its stored credential (no prompt,
no verify, no duplicate) and healing the stored clientId to the adopted UUID so a
cli#125-era install self-corrects. Prefer --reset-then-reuse-values (Helm >= 3.14),
fall back to --reuse-values. Falls through to the normal connect flow only when no
live release is found. The "previous settings?" prompt is skipped on adopt.

Extracted _resolve_chart_ref (shared by the fresh-install and adopt paths). bats:
3 new adopt tests (reconcile-in-place + heal, older-Helm fallback, no-release
fallback); full suite green (47).

No Chart.yaml bump here — ships with #295 as v1.8.4 (avoids a version conflict).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@saadqbal saadqbal marked this pull request as ready for review July 2, 2026 09:37
@LukasWodka

Copy link
Copy Markdown
Contributor

👋 Heads-up — Code review queue is at 35 / 30

Above the WIP limit. The team convention is to review existing PRs before opening new work.

Open PRs currently in Code review (oldest first):

Pull from review before opening new work. (This is a nudge from the kanban WIP check, not a block.)

@saadqbal saadqbal merged commit 1b826e4 into develop Jul 2, 2026
42 checks passed
saadqbal added a commit that referenced this pull request Jul 2, 2026
…d client in place (RFC-0001 §7.2 / #838)

Re-running the installer on an already-connected client did not behave per
RFC-0001 §7.2. provision_client (Step 3) correctly adopts the existing client
(get-or-create keyed on the cluster) and writes TRACEBLOC_CLIENT_ADOPTED=1 + the
UUID + namespace to the credential file — but install-client-helm.sh had NO adopt
handling. Its non-interactive path is gated on ID *and* PASSWORD both being set;
adopt issues no password (the existing one stands, write-only on the backend), so
Step 5 fell through to the manual "Client ID:" prompt, defaulting to the stale
clientId in the previous values.yaml — a numeric dashboard id on any cluster first
installed during the cli#125 window — which verify_credentials then rejected.

Teach Step 5 an adopt branch: on TRACEBLOC_CLIENT_ADOPTED=1, find the live client
release and `helm upgrade` it in place, reusing its stored credential (no prompt,
no verify, no duplicate) and healing the stored clientId to the adopted UUID so a
cli#125-era install self-corrects. Prefer --reset-then-reuse-values (Helm >= 3.14),
fall back to --reuse-values. Falls through to the normal connect flow only when no
live release is found. The "previous settings?" prompt is skipped on adopt.

Extracted _resolve_chart_ref (shared by the fresh-install and adopt paths). bats:
3 new adopt tests (reconcile-in-place + heal, older-Helm fallback, no-release
fallback); full suite green (47).

No Chart.yaml bump here — ships with #295 as v1.8.4 (avoids a version conflict).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
saadqbal added a commit that referenced this pull request Jul 2, 2026
…d client in place (RFC-0001 §7.2 / #838) (#298)

* fix(installer): honor TRACEBLOC_CLIENT_ADOPTED — reconcile a connected client in place (RFC-0001 §7.2 / #838)

Re-running the installer on an already-connected client did not behave per
RFC-0001 §7.2. provision_client (Step 3) correctly adopts the existing client
(get-or-create keyed on the cluster) and writes TRACEBLOC_CLIENT_ADOPTED=1 + the
UUID + namespace to the credential file — but install-client-helm.sh had NO adopt
handling. Its non-interactive path is gated on ID *and* PASSWORD both being set;
adopt issues no password (the existing one stands, write-only on the backend), so
Step 5 fell through to the manual "Client ID:" prompt, defaulting to the stale
clientId in the previous values.yaml — a numeric dashboard id on any cluster first
installed during the cli#125 window — which verify_credentials then rejected.

Teach Step 5 an adopt branch: on TRACEBLOC_CLIENT_ADOPTED=1, find the live client
release and `helm upgrade` it in place, reusing its stored credential (no prompt,
no verify, no duplicate) and healing the stored clientId to the adopted UUID so a
cli#125-era install self-corrects. Prefer --reset-then-reuse-values (Helm >= 3.14),
fall back to --reuse-values. Falls through to the normal connect flow only when no
live release is found. The "previous settings?" prompt is skipped on adopt.

Extracted _resolve_chart_ref (shared by the fresh-install and adopt paths). bats:
3 new adopt tests (reconcile-in-place + heal, older-Helm fallback, no-release
fallback); full suite green (47).

No Chart.yaml bump here — ships with #295 as v1.8.4 (avoids a version conflict).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* fix(installer): adopt-reconcile must not depend on TRACEBLOC_CLIENT_ID (Bugbot)

Bugbot (High): _reconcile_adopted_client read the adopted UUID from
TRACEBLOC_CLIENT_ID for --set clientId, but provision_client CLEARS
TRACEBLOC_CLIENT_ID on a real adopt (keeping only TB_NAMESPACE +
TRACEBLOC_CLIENT_ADOPTED=1 — "let install_client_helm reconcile the existing
release from the local values.yaml"). So reconcile always bailed on the empty id
and fell through to the interactive prompt — exactly what this PR set out to fix.
The bats tests masked it by exporting TRACEBLOC_CLIENT_ID directly.

Reconcile the discovered live release in place with --reset-then-reuse-values
(fallback --reuse-values), reusing its stored credential — no dependency on
TRACEBLOC_CLIENT_ID, no --set clientId heal (which fought provision's design and
couldn't work anyway). Tests now export ONLY TRACEBLOC_CLIENT_ADOPTED=1, matching
what provision_client actually leaves in the env. Manifest regenerated.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* fix(installer): heal clientId on adopt via provision handoff (Bugbot ×2)

Resolves both Bugbot findings on the adopt path, which were in tension:
  • High  — reconcile read the UUID from TRACEBLOC_CLIENT_ID for --set clientId,
            but provision_client cleared it on adopt → reconcile bailed on the
            empty id and fell through to the interactive prompt.
  • Medium — the interim fix reconciled with --reuse-values only, so a cli#125-era
            numeric clientId was preserved and the workload still couldn't auth.

provision_client now KEEPS + exports the adopted client id (its UUID username) on
the adopt path (dropping only the absent password), so install_client_helm can:
  • heal the stored clientId to the UUID via `--set clientId=<uuid>` when present
    (reused values keep the correct stored password) — fixes cli#125-era installs;
  • reconcile WITHOUT a heal (no bail to a prompt) when no id was handed over
    (rebuilt host / R7 orphan) — the existing credential stands.

Optional --set built as an args array (bash-3.2 safe). Tests: heal-with-UUID +
no-id-reconcile-fallback for Step 5; provision adopt test asserts the id is kept.
provision.bats 12/12, install-client-helm.bats green; manifest regenerated.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants