fix(orchestrator): render manifest certs on the adopted-running reconcile path

WS-F #10: a netbird reinstall that adopts a leftover running container
skipped ensure_manifest_certs, so when its data dir was wiped the self-
signed tls.crt/key were never regenerated; the next nginx.conf rewrite +
restart then died on the missing cert (proxy 502, login broken). The
Running branch of ensure_running_with_mode now calls ensure_manifest_certs
before ensure_manifest_files, mirroring prepare_for_start's certs-before-
files ordering. Idempotent: a no-op when crt+key already exist.

Live-validated on .228: deleted netbird tls.crt/key under a Running
container; reconciler regenerated a fresh CN=<host_ip> self-signed cert
(1000:1000), https :8087 = 200.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
archipelago 2026-06-27 17:49:50 -04:00
parent a38c9d5f29
commit 4519dbf04f

View File

@ -1540,6 +1540,14 @@ impl ProdContainerOrchestrator {
// anything was rewritten, restart the container so nginx
// picks up the new config.
let app_hook = self.run_pre_start_hooks(&app_id).await?;
// Certs before files (mirrors prepare_for_start). A manifest
// file rewrite below can trigger a restart, and the container's
// bind-mounts expect the cert present. Without this, an adopted
// running app whose data dir was wiped on reinstall (netbird:
// tls.crt/key live under the removed /var/lib/archipelago/netbird)
// never regenerates the cert → nginx proxy dies on the restart.
// Idempotent: a no-op when crt+key already exist.
self.ensure_manifest_certs(&resolved_manifest).await?;
let file_hook = self.ensure_manifest_files(&resolved_manifest).await?;
if app_hook == Some(HookOutcome::Rewritten)
|| file_hook == HookOutcome::Rewritten