refactor(wfe): decompose steps into atomic config-driven primitives

Replace big-bag steps with 10 atomic primitives that each do one thing and read config from step_config: - ApplyManifest (replaces 12 identical apply structs) - WaitForRollout (replaces WaitForCore loop) - CreatePGRole, CreatePGDatabase (replaces EnsurePGRolesAndDatabases) - EnsureNamespace, CreateK8sSecret (replaces CreateK8sSecrets) - SeedKVPath, WriteKVPath, CollectCredentials (replaces SeedAllKVPaths + WriteDirtyKVPaths) - EnableVaultAuth, WriteVaultAuthConfig, WriteVaultPolicy, WriteVaultRole (replaces ConfigureKubernetesAuth) Workflow definitions now use parallel branches for independent operations (infra, KV seeding, PG roles, platform manifests, K8s secrets, rollout waits).
2026-04-05 18:23:36 +01:00
parent 9cd3c641da
commit 3cfa0fe755
16 changed files with 1430 additions and 612 deletions
--- a/src/workflows/primitives/ensure_namespace.rs
+++ b/src/workflows/primitives/ensure_namespace.rs
@@ -0,0 +1,45 @@
+//! EnsureNamespace — atomic step that ensures a Kubernetes namespace exists.
+
+use wfe_core::models::ExecutionResult;
+use wfe_core::traits::{StepBody, StepExecutionContext};
+
+use crate::kube as k;
+
+fn step_err(msg: impl Into<String>) -> wfe_core::WfeError {
+    wfe_core::WfeError::StepExecution(msg.into())
+}
+
+/// Ensure a single Kubernetes namespace exists (idempotent).
+///
+/// **step_config:** `{"namespace": "ory"}`
+#[derive(Default)]
+pub struct EnsureNamespace;
+
+#[async_trait::async_trait]
+impl StepBody for EnsureNamespace {
+    async fn run(
+        &mut self,
+        ctx: &StepExecutionContext<'_>,
+    ) -> wfe_core::Result<ExecutionResult> {
+        let config = ctx.step.step_config.as_ref()
+            .ok_or_else(|| step_err("EnsureNamespace: missing step_config"))?;
+        let namespace = config.get("namespace")
+            .and_then(|v| v.as_str())
+            .ok_or_else(|| step_err("EnsureNamespace: missing namespace in step_config"))?;
+
+        k::ensure_ns(namespace).await
+            .map_err(|e| step_err(format!("EnsureNamespace({namespace}): {e}")))?;
+
+        Ok(ExecutionResult::next())
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn ensure_namespace_is_default() {
+        let _ = EnsureNamespace::default();
+    }
+}