Update journey notes: topology steps 1-4 working, plan for next phases
- Topology wizard steps 1-4 all succeed on fresh install
- Step 5 (Agent) is a natural blocker — no agents on fresh compose setup
- Updated fix count: 16 fixed, 5 remaining
- Added detailed journey resumption plan covering 4 phases:
  Phase 1 (immediate): skip agent, verify audit, honest registry search
  Phase 2: real deployment with Zot registry + scanner
  Phase 3: policy & evidence testing
  Phase 4: operational testing

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -36,14 +36,17 @@
- "Generate immediately" checkbox triggers a 503 → **silent failure, no user feedback**
- Mirror domain created but bundle not generated
### 6. Topology Wizard (BLOCKED — auth passthrough)
### 6. Topology Wizard (STEPS 1-4 WORK, STEP 5 NATURAL BLOCKER)
- 8-step wizard loads correctly: Region → Environment → Stage Order → Target → Agent → Infrastructure → Validate → Done
- **Step 1 (Region)**: Form renders, Create Region button works, BUT:
- POST /api/v1/regions returns 500 → ROOT CAUSE: missing auth policies → FIXED
- After fix: returns 401 → ROOT CAUSE: ReverseProxy doesn't forward identity envelope
- Concelier expects gateway-signed identity, not raw bearer tokens
- This is an **architecture-level issue**: ReverseProxy vs Microservice transport
- **Step 2 (Environment)**: POST /api/v1/environments → routes to JobEngine, also needs auth passthrough fix
- **Step 1 (Region)**: WORKS — identity envelope pre-auth middleware on Concelier
- **Step 2 (Environment)**: WORKS — added environment CRUD endpoints to Concelier
- **Step 3 (Stage Order)**: WORKS — pass-through step
- **Step 4 (Target)**: WORKS — added target CRUD endpoints to Concelier
- **Step 5 (Agent)**: BLOCKED — no agents deployed on fresh install, wizard requires agent assignment
- This is an expected blocker for fresh installs
- Should allow "Skip agent" or "Deploy agent later"
- Agent deployment requires an actual Docker host target which isn't available in pure compose setup
- Steps 6-8 (Infrastructure, Validate, Done): not reached yet (blocked by step 5)
---
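Review bot: the rewrite of the Step 1 bullet drops the only description of the auth model in this section ("Concelier expects gateway-signed identity, not raw bearer tokens") and replaces it with "identity envelope pre-auth middleware on Concelier" without saying whether that middleware verifies the gateway signature before trusting the envelope; keep one line stating the check the middleware performs, since a pre-auth step that accepts an unsigned envelope header would undo the property the removed lines describe. The Step 5 bullets also say the wizard "Should allow 'Skip agent'", but nothing here records what step 7 (Validate) should report for a target that has no agent; note that so a skipped agent does not turn into a silent pass at Validate.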
@@ -110,7 +113,7 @@
## Issues Found (All Iterations)
### FIXED (12)
### FIXED (16)
| # | Issue | Fix |
|---|-------|-----|
| 1 | Dashboard 100% hardcoded | Removed all fake data, setup guide |
@@ -125,11 +128,14 @@
| 10 | Topology 503 (no routes) | Added 6 ReverseProxy routes |
| 11 | Envs route wrong service | Route to JobEngine |
| 12 | Topology auth policies missing | Registered Topology.Read/Manage/Admin |
| 13 | Topology wizard 401 (ReverseProxy auth) | Pre-auth middleware reads identity envelope |
| 14-env | Environment CRUD on wrong service | Added env CRUD endpoints to Concelier |
| 14-tgt | Target CRUD missing | Added target CRUD endpoints to Concelier |
| 14-agt | Agent list missing | Added agents list endpoint to Concelier |
### NOT FIXED (7)
### NOT FIXED (5)
| # | Issue | Severity | Root Cause |
|---|-------|----------|-----------|
| 13 | Topology wizard 401 (auth passthrough) | CRITICAL | ReverseProxy doesn't forward identity envelope to Concelier |
| 14 | "Created by" raw user ID hash | MEDIUM | No user ID → display name resolution |
| 15 | Mirror generate-immediately fails silently | MEDIUM | 503 from Concelier exports, no user feedback |
| 16 | v2 context API console errors | LOW | /api/v2/context/regions, /preferences, /approvals return errors |
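Review bot: the NOT FIXED heading drops from 7 to 5, but this hunk removes only one row (#13), which leaves 6 unless another row was removed outside the shown context; verify the count against the full table. The new FIXED rows are numbered 14-env, 14-tgt and 14-agt while the NOT FIXED table still carries a #14 ("Created by" raw user ID hash), so one number now refers to two different issues; give the three new rows their own sequential numbers, or tie them to #13 (e.g. 13-env, 13-tgt, 13-agt) since they are follow-ups to the same wizard auth work.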
@@ -139,7 +145,39 @@
---
## Architecture Issue: Gateway Auth for Topology
## Journey Resumption Plan
### Immediate Next (this session or next):
1. **Skip agent step** — make wizard step 5 optional or allow skipping when no agents exist
2. **Verify audit log** — with JobEngine audit endpoints now wired, check if events appear
3. **Test release creation with honest registry search** — confirm mock data is gone
4. **Push through wizard steps 6-8** — Infrastructure, Validate, Done
### Phase 2: Real Deployment (next session)
1. Push a real Docker image to the Zot registry (stellaops-registry)
2. Implement the registry image search backend (connect to Harbor integration)
3. Scan the image (trigger scanner)
4. Verify findings in Security Posture
5. Create a release with the real scanned image
6. Promote through Dev → Stage → Prod
7. Check evidence/decision capsules generation
### Phase 3: Policy & Evidence
1. Create a custom policy pack
2. Run simulation against a release
3. Test policy gate blocking a promotion
4. Export an audit bundle
5. Test replay/verify
### Phase 4: Operational
1. Test notification channels
2. Run full Doctor check
3. Test offline kit
4. Test tenant switching
---
## Architecture Issue: Gateway Auth for Topology (RESOLVED)
The core blocker is **issue #13**. The gateway has two transport types:
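Review bot: the section retitled "Architecture Issue: Gateway Auth for Topology (RESOLVED)" still opens with "The core blocker is **issue #13**", which contradicts both the RESOLVED tag and the FIXED table above it; change the sentence to past tense ("The core blocker was issue #13, resolved by the pre-auth middleware") or move the resolution into the paragraph so a reader does not take the gateway transport problem as still open. In Phase 2, item 1 pushes the test image to the Zot registry (stellaops-registry) while item 2 connects the registry search backend to the Harbor integration; state which registry the search is expected to query, otherwise item 3 (scan the image) has no guarantee of finding what item 1 pushed.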