d75a145d90
Security (4 issues):
1. Remove the 172.* Docker-bridge auth bypass — any bridge container inherited
tag:admin (incl /unlock, /progress/reset). Bridge callers now need Tailscale
identity or bearer token. (kua-mcp-core unaffected — reaches engine via
docker exec localhost.)
2. Validate request-supplied source_branch/target_branch on /release (400 on bad
input) before they reach the shell in release().
3. Check .ok on previously-ignored runOnServer results: post_deploy hook
(→partial), no-health-url docker compose ps (→unhealthy); add a catch to
rollback() so a failed rollback records failure instead of hanging 'running'.
4. Replace hardcoded bruno/gal Tailscale IP map with runtime resolution via the
tailscaled LocalAPI over the mounted socket (cached per host).
Regression fix (ensure-checkout):
- ensureCheckout now probes/clones the GIT ROOT (registry repo_dir), not deploy_dir.
They differ for sub-monorepo apps (coder-core: repo_dir=/root/apps/coder-core,
deploy_dir=.../services/production). Probing deploy_dir/.git falsely reported
MISSING and broke coder-core deploys (
|
||
|---|---|---|
| Dockerfile | ||
| NOTES-image-digest-pinning.md | ||
| README.md | ||
| docker-compose.yml | ||
| kua.json | ||
| package-lock.json | ||
| package.json | ||
| server.js | ||
README.md
kua-deploy
Authoritative deploy orchestrator for the Kua infrastructure fleet. Receives release triggers (admin API and Forgejo webhooks), runs git-pull → migration gate → docker build → recreate → SHA-verify on managed apps.
Split out of coder-core/services/kua-deploy/ on 2026-05-21 to break the self-rebuild loop that ran every coder-core release through this service as a side-effect.
Layout
server.js— Fastify app exposing/api/v1/apps/:app/deploy,/progress,/runtime-status,/webhook/forgejo.Dockerfile— node:22-alpine + docker-cli + ssh + git + kua-vault binary (mounted at runtime).docker-compose.yml— single-service compose project. Joinskua-services+production_proxynetworks.kua.json— release-app manifest (mode: direct,server: bruno).NOTES-image-digest-pinning.md— design notes for deferred prevention #4.
Registry
deploy-registry.json lives in coder-core/services/kua-deploy/deploy-registry.json and is bind-mounted in at /app/deploy-registry.json. This is a transitional arrangement; a future change can migrate the registry into this repo.
Deploying kua-deploy
Via release-app:
release-app kua-deploy
Which goes through kua-deploy's own admin POST /api/v1/apps/kua-deploy/deploy and uses the transient-container recreate pattern (Phase A) so the service can replace its own running container without false-success.
See also
services/kua-deploy/NOTES-image-digest-pinning.mdin this repoinfra-docs/docs/04-operations/deploy-listener.mdin coder-core (current-state callout + deploy_mode reference)