feat(iwooos): enable wazuh readonly metadata flag
@@ -442,6 +442,8 @@ jobs:
|
||||
;;
|
||||
apps/api/tests/test_iwooos_security_operating_system.py)
|
||||
;;
|
||||
apps/api/tests/test_iwooos_wazuh_prod_manifest.py)
|
||||
;;
|
||||
apps/api/tests/test_awoooi_production_deploy_readback_blocker.py)
|
||||
;;
|
||||
apps/api/tests/test_awoooi_priority_work_order_readback_api.py)
|
||||
|
||||
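--- /dev/null
+++ b/apps/api/tests/test_iwooos_wazuh_prod_manifest.py
@@ -0,0 +1,41 @@
+from __future__ import annotations
+
+from pathlib import Path
+
+import yaml
+
+
+REPO_ROOT = Path(__file__).resolve().parents[3]
+DEPLOYMENT_PATH = REPO_ROOT / "k8s" / "awoooi-prod" / "06-deployment-api.yaml"
+
+
+def _api_env() -> dict[str, dict[str, object]]:
+    docs = list(yaml.safe_load_all(DEPLOYMENT_PATH.read_text(encoding="utf-8")))
+    deployment = next(
+        doc
+        for doc in docs
+        if isinstance(doc, dict)
+        and doc.get("kind") == "Deployment"
+        and doc.get("metadata", {}).get("name") == "awoooi-api"
+    )
+    containers = deployment["spec"]["template"]["spec"]["containers"]
+    api = next(container for container in containers if container["name"] == "api")
+    return {
+        item["name"]: item
+        for item in api["env"]
+        if isinstance(item, dict) and isinstance(item.get("name"), str)
+    }
+
+
+def test_iwooos_wazuh_readonly_live_metadata_enabled_by_gitops_flag_only() -> None:
+    env = _api_env()
+
+    assert env["IWOOOS_WAZUH_READONLY_ENABLED"]["value"] == "true"
+    assert env["IWOOOS_WAZUH_EXPECTED_MIN_AGENT_COUNT"]["value"] == "6"
+
+
+def test_iwooos_wazuh_prod_manifest_does_not_inline_secret_values() -> None:
+    env = _api_env()
+
+    for name in ("WAZUH_API_BASE_URL", "WAZUH_API_USERNAME", "WAZUH_API_PASSWORD"):
+        assert name not in env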
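Review bot: `test_iwooos_wazuh_prod_manifest_does_not_inline_secret_values` only proves the three WAZUH_* names are absent from the container's `env` list; it never checks the positive half of the manifest's claim, that the credentials arrive through `envFrom` from `awoooi-secrets`, so a manifest that drops the envFrom entry entirely (and therefore never reaches the Wazuh API) still passes. Consider having the helper also expose the container (for example an `_api_container()` helper that `_api_env` builds on) and asserting `assert any(ref.get("secretRef", {}).get("name") == "awoooi-secrets" for ref in api.get("envFrom", []))`. Separately, `_api_env` uses bare `next(...)` for both the Deployment and the `api` container, so a renamed resource fails with an opaque `StopIteration`; `next(..., None)` followed by `assert deployment is not None, "awoooi-api Deployment not found"` gives a readable failure. `doc.get("metadata", {})` also raises `AttributeError` when `metadata:` is present but empty (YAML `None`); `(doc.get("metadata") or {})` avoids that.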
@@ -85,6 +85,14 @@ spec:
|
||||
# Production readback compares runtime image truth against this
|
||||
# GitOps desired tag instead of doing a slow Gitea raw fetch.
|
||||
value: "a4abc00d2592f7c344862ed2b46e44996e223dc6"
|
||||
- name: IWOOOS_WAZUH_READONLY_ENABLED
|
||||
# 2026-06-30 Codex: controlled GitOps enablement after owner
|
||||
# metadata, manager registry acceptance, dry-run, rollback, and
|
||||
# post-enable verifier refs are committed. Secret values remain
|
||||
# injected only through awoooi-secrets via envFrom above.
|
||||
value: "true"
|
||||
- name: IWOOOS_WAZUH_EXPECTED_MIN_AGENT_COUNT
|
||||
value: "6"
|
||||
- name: USE_AI_ROUTER
|
||||
value: "true"
|
||||
- name: ENABLE_NEMOTRON_COLLABORATION
|
||||
|
||||
@@ -131,6 +131,7 @@ def test_iwooos_security_operation_api_stays_on_controlled_runtime_profile() ->
|
||||
"apps/api/src/api/v1/iwooos.py)",
|
||||
"apps/api/src/services/iwooos_security_operating_system.py)",
|
||||
"apps/api/tests/test_iwooos_security_operating_system.py)",
|
||||
"apps/api/tests/test_iwooos_wazuh_prod_manifest.py)",
|
||||
"src/api/v1/iwooos.py",
|
||||
"src/services/iwooos_security_operating_system.py",
|
||||
"tests/test_iwooos_security_operating_system.py",
|
||||
|
||||