From 3580b7600fbf58012a060b7af7f8871560a98671 Mon Sep 17 00:00:00 2001
From: Your Name
Date: Tue, 30 Jun 2026 09:52:04 +0800
Subject: [PATCH] feat(iwooos): enable wazuh readonly metadata flag

---
 .gitea/workflows/cd.yaml | 2 +
 .../tests/test_iwooos_wazuh_prod_manifest.py | 41 +++++++++++++++++++
 k8s/awoooi-prod/06-deployment-api.yaml | 8 ++++
 .../test_cd_controlled_runtime_profile.py | 1 +
 4 files changed, 52 insertions(+)
 create mode 100644 apps/api/tests/test_iwooos_wazuh_prod_manifest.py

diff --git a/.gitea/workflows/cd.yaml b/.gitea/workflows/cd.yaml
index 66a9be7c..bbf36f09 100644
--- a/.gitea/workflows/cd.yaml
+++ b/.gitea/workflows/cd.yaml
@@ -442,6 +442,8 @@ jobs:
           ;;
         apps/api/tests/test_iwooos_security_operating_system.py)
           ;;
+        apps/api/tests/test_iwooos_wazuh_prod_manifest.py)
+          ;;
         apps/api/tests/test_awoooi_production_deploy_readback_blocker.py)
           ;;
         apps/api/tests/test_awoooi_priority_work_order_readback_api.py)
diff --git a/apps/api/tests/test_iwooos_wazuh_prod_manifest.py b/apps/api/tests/test_iwooos_wazuh_prod_manifest.py
new file mode 100644
index 00000000..427447eb
--- /dev/null
+++ b/apps/api/tests/test_iwooos_wazuh_prod_manifest.py
@@ -0,0 +1,41 @@
+from __future__ import annotations
+
+from pathlib import Path
+
+import yaml
+
+
+REPO_ROOT = Path(__file__).resolve().parents[3]
+DEPLOYMENT_PATH = REPO_ROOT / "k8s" / "awoooi-prod" / "06-deployment-api.yaml"
+
+
+def _api_env() -> dict[str, dict[str, object]]:
+    docs = list(yaml.safe_load_all(DEPLOYMENT_PATH.read_text(encoding="utf-8")))
+    deployment = next(
+        doc
+        for doc in docs
+        if isinstance(doc, dict)
+        and doc.get("kind") == "Deployment"
+        and doc.get("metadata", {}).get("name") == "awoooi-api"
+    )
+    containers = deployment["spec"]["template"]["spec"]["containers"]
+    api = next(container for container in containers if container["name"] == "api")
+    return {
+        item["name"]: item
+        for item in api["env"]
+        if isinstance(item, dict) and isinstance(item.get("name"), str)
+    }
+
+
+def test_iwooos_wazuh_readonly_live_metadata_enabled_by_gitops_flag_only() -> None:
+    env = _api_env()
+
+    assert env["IWOOOS_WAZUH_READONLY_ENABLED"]["value"] == "true"
+    assert env["IWOOOS_WAZUH_EXPECTED_MIN_AGENT_COUNT"]["value"] == "6"
+
+
+def test_iwooos_wazuh_prod_manifest_does_not_inline_secret_values() -> None:
+    env = _api_env()
+
+    for name in ("WAZUH_API_BASE_URL", "WAZUH_API_USERNAME", "WAZUH_API_PASSWORD"):
+        assert name not in env
diff --git a/k8s/awoooi-prod/06-deployment-api.yaml b/k8s/awoooi-prod/06-deployment-api.yaml
index 96ed54a9..b9c50b71 100644
--- a/k8s/awoooi-prod/06-deployment-api.yaml
+++ b/k8s/awoooi-prod/06-deployment-api.yaml
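Review bot: `test_iwooos_wazuh_prod_manifest_does_not_inline_secret_values` only proves the three Wazuh names are absent from the container's `env` list; it never checks that the container actually sources them from the Secret, so a manifest that drops `envFrom` entirely, or points it at a ConfigMap, still passes and the "secret values remain injected only through awoooi-secrets" guarantee stays unverified. `_api_env` already holds the container dict, so I would expose it and add an assertion that `envFrom` carries a `secretRef` named `awoooi-secrets`, keeping the existing absence check as is. The Secret name and the `envFrom` shape are taken from the manifest comment in this patch rather than from anything visible in the test, so confirm them against the manifest before pinning. Using `yaml.safe_load_all` here is the right call for a repo-controlled file; no change needed there.
```python
def _api_container() -> dict[str, object]:
    # … unchanged: Deployment document and "api" container lookup from _api_env …
    return api


def test_iwooos_wazuh_prod_manifest_does_not_inline_secret_values() -> None:
    api = _api_container()
    env = {item["name"]: item for item in api["env"] if isinstance(item, dict)}

    for name in ("WAZUH_API_BASE_URL", "WAZUH_API_USERNAME", "WAZUH_API_PASSWORD"):
        assert name not in env

    # The manifest comment promises the Wazuh credentials arrive only via
    # envFrom -> awoooi-secrets; pin that so a later edit cannot silently
    # swap the Secret for a ConfigMap or drop envFrom altogether.
    secret_refs = [
        ref["secretRef"]["name"]
        for ref in api.get("envFrom", [])
        if isinstance(ref, dict) and isinstance(ref.get("secretRef"), dict)
    ]
    assert "awoooi-secrets" in secret_refs
```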
@@ -85,6 +85,14 @@ spec:
           # Production readback compares runtime image truth against this
           # GitOps desired tag instead of doing a slow Gitea raw fetch.
           value: "a4abc00d2592f7c344862ed2b46e44996e223dc6"
+        - name: IWOOOS_WAZUH_READONLY_ENABLED
+          # 2026-06-30 Codex: controlled GitOps enablement after owner
+          # metadata, manager registry acceptance, dry-run, rollback, and
+          # post-enable verifier refs are committed. Secret values remain
+          # injected only through awoooi-secrets via envFrom above.
+          value: "true"
+        - name: IWOOOS_WAZUH_EXPECTED_MIN_AGENT_COUNT
+          value: "6"
         - name: USE_AI_ROUTER
           value: "true"
         - name: ENABLE_NEMOTRON_COLLABORATION
diff --git a/ops/runner/test_cd_controlled_runtime_profile.py b/ops/runner/test_cd_controlled_runtime_profile.py
index cbcae247..77dabd07 100644
--- a/ops/runner/test_cd_controlled_runtime_profile.py
+++ b/ops/runner/test_cd_controlled_runtime_profile.py
@@ -131,6 +131,7 @@ def test_iwooos_security_operation_api_stays_on_controlled_runtime_profile() ->
         "apps/api/src/api/v1/iwooos.py)",
         "apps/api/src/services/iwooos_security_operating_system.py)",
         "apps/api/tests/test_iwooos_security_operating_system.py)",
+        "apps/api/tests/test_iwooos_wazuh_prod_manifest.py)",
         "src/api/v1/iwooos.py",
         "src/services/iwooos_security_operating_system.py",
         "tests/test_iwooos_security_operating_system.py",
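Review bot: The comment on `IWOOOS_WAZUH_READONLY_ENABLED` says the dry-run, rollback and post-enable verifier refs "are committed" but names none of them, and `IWOOOS_WAZUH_EXPECTED_MIN_AGENT_COUNT: "6"` carries no comment at all, so an on-call engineer reading this manifest during an incident cannot find the rollback procedure or tell whether 6 is a measured fleet size or an arbitrary floor. I would replace the prose with concrete pointers and the rollback action, e.g. `# Rollback: set to "false" and let GitOps redeploy. Runbook/verifier: <path or commit>` on the flag and `# Agent count observed at enablement; the post-enable verifier alarms below this` on the count, filling in the real refs rather than leaving the reader to search. The `envFrom` the comment points to is outside this hunk, so I could not confirm it references `awoooi-secrets`; the new test in this patch does not check it either.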