feat(iwooos): enable wazuh readonly metadata flag

This commit is contained in:
Your Name
2026-06-30 09:52:04 +08:00
parent b4a8dfbb03
commit 3580b7600f
4 changed files with 52 additions and 0 deletions


@@ -442,6 +442,8 @@ jobs:
;;
apps/api/tests/test_iwooos_security_operating_system.py)
;;
apps/api/tests/test_iwooos_wazuh_prod_manifest.py)
;;
apps/api/tests/test_awoooi_production_deploy_readback_blocker.py)
;;
apps/api/tests/test_awoooi_priority_work_order_readback_api.py)


@@ -0,0 +1,41 @@
from __future__ import annotations
from pathlib import Path
import yaml
REPO_ROOT = Path(__file__).resolve().parents[3]
DEPLOYMENT_PATH = REPO_ROOT / "k8s" / "awoooi-prod" / "06-deployment-api.yaml"
def _api_env() -> dict[str, dict[str, object]]:
docs = list(yaml.safe_load_all(DEPLOYMENT_PATH.read_text(encoding="utf-8")))
deployment = next(
doc
for doc in docs
if isinstance(doc, dict)
and doc.get("kind") == "Deployment"
and doc.get("metadata", {}).get("name") == "awoooi-api"
)
containers = deployment["spec"]["template"]["spec"]["containers"]
api = next(container for container in containers if container["name"] == "api")
return {
item["name"]: item
for item in api["env"]
if isinstance(item, dict) and isinstance(item.get("name"), str)
}
def test_iwooos_wazuh_readonly_live_metadata_enabled_by_gitops_flag_only() -> None:
env = _api_env()
assert env["IWOOOS_WAZUH_READONLY_ENABLED"]["value"] == "true"
assert env["IWOOOS_WAZUH_EXPECTED_MIN_AGENT_COUNT"]["value"] == "6"
def test_iwooos_wazuh_prod_manifest_does_not_inline_secret_values() -> None:
env = _api_env()
for name in ("WAZUH_API_BASE_URL", "WAZUH_API_USERNAME", "WAZUH_API_PASSWORD"):
assert name not in env
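Review bot: `test_iwooos_wazuh_prod_manifest_does_not_inline_secret_values` only checks that three exact names are absent from `env`, so a Wazuh credential inlined under any other name, or a future `*_PASSWORD`/`*_TOKEN` entry carrying a literal `value`, would pass unnoticed; consider complementing the name check with a value-shape check such as `for name, item in env.items():` / `if any(m in name for m in ("PASSWORD", "SECRET", "TOKEN")):` / `assert "value" not in item, f"{name} must come from a Secret ref, not a literal"`. Separately, both `next(...)` calls in `_api_env` raise a bare `StopIteration` when the `awoooi-api` Deployment or the `api` container is missing, which pytest reports with no hint of what was not found; `next(..., None)` followed by `assert deployment is not None, "awoooi-api Deployment not found in manifest"` (and the same for the container) gives an actionable failure. The first test's name says the flag is enabled "by gitops flag only", but the test only reads the manifest, so whether the application honours that flag is presumably covered elsewhere and worth naming in a docstring.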


@@ -85,6 +85,14 @@ spec:
# Production readback compares runtime image truth against this
# GitOps desired tag instead of doing a slow Gitea raw fetch.
value: "a4abc00d2592f7c344862ed2b46e44996e223dc6"
- name: IWOOOS_WAZUH_READONLY_ENABLED
# 2026-06-30 Codex: controlled GitOps enablement after owner
# metadata, manager registry acceptance, dry-run, rollback, and
# post-enable verifier refs are committed. Secret values remain
# injected only through awoooi-secrets via envFrom above.
value: "true"
- name: IWOOOS_WAZUH_EXPECTED_MIN_AGENT_COUNT
value: "6"
- name: USE_AI_ROUTER
value: "true"
- name: ENABLE_NEMOTRON_COLLABORATION
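Review bot: `IWOOOS_WAZUH_EXPECTED_MIN_AGENT_COUNT: "6"` carries no explanation of where the threshold comes from or what the consumer does when the live count falls below it, unlike the commented flag directly above it. A comment such as `# Minimum live Wazuh agent count expected for the prod fleet; presumably checked by the post-enable verifier — confirm which component reads this and whether a shortfall blocks or only warns.` would let the next operator change it safely. The comment on `IWOOOS_WAZUH_READONLY_ENABLED` states that secret values are injected only through `awoooi-secrets` via `envFrom` above, but that `envFrom` block lies outside this hunk, so the claim cannot be checked here; the enclosing container spec starts before the hunk.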


@@ -131,6 +131,7 @@ def test_iwooos_security_operation_api_stays_on_controlled_runtime_profile() ->
"apps/api/src/api/v1/iwooos.py)",
"apps/api/src/services/iwooos_security_operating_system.py)",
"apps/api/tests/test_iwooos_security_operating_system.py)",
"apps/api/tests/test_iwooos_wazuh_prod_manifest.py)",
"src/api/v1/iwooos.py",
"src/services/iwooos_security_operating_system.py",
"tests/test_iwooos_security_operating_system.py",