fix(provisioner): inject ADMIN_TOKEN into workspace container env (core#831)
Some checks failed
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 26s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Has been skipped
Harness Replays / detect-changes (pull_request) Successful in 20s
CI / Detect changes (pull_request) Successful in 1m1s
E2E API Smoke Test / detect-changes (pull_request) Successful in 1m0s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 56s
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 50s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 51s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 21s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 49s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m20s
qa-review / approved (pull_request) Failing after 30s
gate-check-v3 / gate-check (pull_request) Successful in 54s
security-review / approved (pull_request) Failing after 30s
sop-checklist-gate / gate (pull_request) Successful in 38s
sop-tier-check / tier-check (pull_request) Successful in 32s
Harness Replays / Harness Replays (pull_request) Successful in 8s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 10s
CI / Canvas (Next.js) (pull_request) Successful in 13s
CI / Python Lint & Test (pull_request) Successful in 10s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 13s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 15s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 11s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m31s
CI / Platform (Go) (pull_request) Failing after 5m47s
CI / all-required (pull_request) Successful in 6s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
Some checks failed
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 26s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Has been skipped
Harness Replays / detect-changes (pull_request) Successful in 20s
CI / Detect changes (pull_request) Successful in 1m1s
E2E API Smoke Test / detect-changes (pull_request) Successful in 1m0s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 56s
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 50s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 51s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 21s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 49s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m20s
qa-review / approved (pull_request) Failing after 30s
gate-check-v3 / gate-check (pull_request) Successful in 54s
security-review / approved (pull_request) Failing after 30s
sop-checklist-gate / gate (pull_request) Successful in 38s
sop-tier-check / tier-check (pull_request) Successful in 32s
Harness Replays / Harness Replays (pull_request) Successful in 8s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 10s
CI / Canvas (Next.js) (pull_request) Successful in 13s
CI / Python Lint & Test (pull_request) Successful in 10s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 13s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 15s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 11s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m31s
CI / Platform (Go) (pull_request) Failing after 5m47s
CI / all-required (pull_request) Successful in 6s
sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: comprehensive-testing, local-postgres-e2
CPProvisioner.Start() reads ADMIN_TOKEN from os.Getenv() and uses it for
CP→platform HTTP auth, but never passes it to the workspace container's
runtime env. Without ADMIN_TOKEN in the container, the integration-tester
workspace (ID: 33bb2f71) gets 401 from /admin/liveness, blocking Gate 5
and the release promotion cycle.
Fix (CP/SaaS mode): inject p.adminToken into the Env map sent to the
control plane so it reaches the EC2 instance's container env.
Fix (Docker/local mode): inject os.Getenv("ADMIN_TOKEN") from the
platform server into the Docker container env via buildContainerEnv. This
mirrors the SaaS path so any workspace in any mode can reach
/admin/liveness.
Safe: both paths only inject when ADMIN_TOKEN is non-empty (Docker/local
dev without ADMIN_TOKEN set is unaffected; the platform server's env
carries it in SaaS/prod).
Refs: core#831
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
parent
6526521055
commit
e2c2071898
@ -167,13 +167,25 @@ type cpProvisionResponse struct {
|
||||
|
||||
// Start provisions a workspace by calling the control plane → EC2.
|
||||
func (p *CPProvisioner) Start(ctx context.Context, cfg WorkspaceConfig) (string, error) {
|
||||
// Inject ADMIN_TOKEN into the workspace container env so the agent can call
|
||||
// /admin/liveness and other admin-gated platform endpoints (core#831).
|
||||
// p.adminToken is read from os.Getenv("ADMIN_TOKEN") at provisioner creation;
|
||||
// it is also used for CP→platform HTTP auth but those are separate concerns.
|
||||
env := cfg.EnvVars
|
||||
if p.adminToken != "" {
|
||||
env = make(map[string]string, len(cfg.EnvVars)+1)
|
||||
for k, v := range cfg.EnvVars {
|
||||
env[k] = v
|
||||
}
|
||||
env["ADMIN_TOKEN"] = p.adminToken
|
||||
}
|
||||
req := cpProvisionRequest{
|
||||
OrgID: p.orgID,
|
||||
WorkspaceID: cfg.WorkspaceID,
|
||||
Runtime: cfg.Runtime,
|
||||
Tier: cfg.Tier,
|
||||
PlatformURL: cfg.PlatformURL,
|
||||
Env: cfg.EnvVars,
|
||||
Env: env,
|
||||
}
|
||||
|
||||
body, err := json.Marshal(req)
|
||||
|
||||
@ -627,6 +627,12 @@ func buildContainerEnv(cfg WorkspaceConfig) []string {
|
||||
for k, v := range cfg.EnvVars {
|
||||
env = append(env, fmt.Sprintf("%s=%s", k, v))
|
||||
}
|
||||
// Inject ADMIN_TOKEN from the platform server's environment so workspace
|
||||
// containers can call /admin/liveness and other admin-gated endpoints
|
||||
// (core#831). cp_provisioner.go handles this separately for SaaS tenants.
|
||||
if adminToken := os.Getenv("ADMIN_TOKEN"); adminToken != "" {
|
||||
env = append(env, fmt.Sprintf("ADMIN_TOKEN=%s", adminToken))
|
||||
}
|
||||
return env
|
||||
}
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user