fix(orchestrator): render manifest certs on the adopted-running reconcile path
WS-F #10: a netbird reinstall that adopts a leftover running container skipped ensure_manifest_certs, so when its data dir was wiped the self-signed tls.crt/key were never regenerated; the next nginx.conf rewrite + restart then died on the missing cert (proxy 502, login broken).

The Running branch of ensure_running_with_mode now calls ensure_manifest_certs before ensure_manifest_files, mirroring prepare_for_start's certs-before-files ordering. Idempotent: a no-op when crt+key already exist.

Live-validated on .228: deleted netbird tls.crt/key under a Running container; reconciler regenerated a fresh CN=<host_ip> self-signed cert (1000:1000), https :8087 = 200.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
parent a38c9d5f29
commit 4519dbf04f
@ -1540,6 +1540,14 @@ impl ProdContainerOrchestrator {
// anything was rewritten, restart the container so nginx
// picks up the new config.
let app_hook = self.run_pre_start_hooks(&app_id).await?;
// Certs before files (mirrors prepare_for_start). A manifest
// file rewrite below can trigger a restart, and the container's
// bind-mounts expect the cert present. Without this, an adopted
// running app whose data dir was wiped on reinstall (netbird:
// tls.crt/key live under the removed /var/lib/archipelago/netbird)
// never regenerates the cert → nginx proxy dies on the restart.
// Idempotent: a no-op when crt+key already exist.
self.ensure_manifest_certs(&resolved_manifest).await?;
let file_hook = self.ensure_manifest_files(&resolved_manifest).await?;
if app_hook == Some(HookOutcome::Rewritten)
|| file_hook == HookOutcome::Rewritten
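Review bot: the restart condition at the end of the hunk only checks `app_hook == Some(HookOutcome::Rewritten) || file_hook == HookOutcome::Rewritten`, so when the new `ensure_manifest_certs` call regenerates tls.crt/key but no manifest file is rewritten on the same pass, the container is not restarted and nginx keeps serving whatever cert it loaded at startup until some later rewrite happens to trigger a restart. Consider having `ensure_manifest_certs` report whether it wrote a new cert and folding that into the condition (e.g. `|| certs_regenerated`) so a fresh cert is picked up on the reconcile that created it. The `?` on the new call also turns a cert-generation failure (for example an unwritable data dir) into a failure of the whole Running reconcile, which this path did not do before; if that is intended, a line in the comment saying so would help. The commit message describes a live validation on .228 only; a regression test for the wiped-data-dir adoption case would protect the certs-before-files ordering the comment relies on.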