fix: sunbeam apply and bootstrap reliability

manifests.py: fix REPO_ROOT parents index (was 3, needed 2) which caused kustomize overlay lookup to resolve against the wrong directory. tools.py: call ensure_tool("helm") before running kustomize so the bundled helm v3.17.1 is on PATH; system helm v4 dropped the -c flag that kustomize 5.6.0 uses for version detection. gitea.py: pass --must-change-password=false to gitea admin user change-password, removing the separate Postgres UPDATE workaround that was fragile and required a second exec into the CNPG pod.
2026-03-03 00:57:39 +00:00
parent 0acbf66673
commit fb3fd93f0f
3 changed files with 4 additions and 18 deletions
--- a/sunbeam/gitea.py
+++ b/sunbeam/gitea.py
@@ -146,30 +146,15 @@ def cmd_bootstrap(domain: str = "", gitea_admin_pass: str = ""):
            capture_output=True, text=True,
        )

-    # Ensure admin has the generated password
+    # Ensure admin has the generated password and no forced-change flag.
    r = gitea_exec("gitea", "admin", "user", "change-password",
                   "--username", GITEA_ADMIN_USER, "--password",
-                   gitea_admin_pass)
+                   gitea_admin_pass, "--must-change-password=false")
    if r.returncode == 0 or "password" in (r.stdout + r.stderr).lower():
        ok(f"Admin '{GITEA_ADMIN_USER}' password set.")
    else:
        warn(f"change-password: {r.stderr.strip()}")

-    # Clear must_change_password via Postgres
-    pg_pod = kube_out("-n", "data", "get", "pods",
-                      "-l=cnpg.io/cluster=postgres,role=primary",
-                      "-o=jsonpath={.items[0].metadata.name}")
-    if pg_pod:
-        kube("exec", "-n", "data", pg_pod, "-c", "postgres", "--",
-             "psql", "-U", "postgres", "-d", "gitea_db", "-c",
-             f'UPDATE "user" SET must_change_password = false'
-             f" WHERE lower_name = '{GITEA_ADMIN_USER.lower()}';",
-             check=False)
-        ok("Cleared must-change-password flag.")
-    else:
-        warn("Postgres pod not found -- must-change-password may block API "
-             "calls.")
-
    def api(method, path, data=None):
        args = [
            "curl", "-s", "-X", method,
--- a/sunbeam/manifests.py
+++ b/sunbeam/manifests.py
@@ -4,7 +4,7 @@ from pathlib import Path
 from sunbeam.kube import kube, kube_out, kube_ok, kube_apply, kustomize_build, get_lima_ip
 from sunbeam.output import step, ok, warn

-REPO_ROOT = Path(__file__).parents[3] / "infrastructure"
+REPO_ROOT = Path(__file__).parents[2] / "infrastructure"
 MANAGED_NS = ["data", "devtools", "ingress", "lasuite", "media", "ory", "storage",
              "vault-secrets-operator"]

--- a/sunbeam/tools.py
+++ b/sunbeam/tools.py
@@ -102,5 +102,6 @@ def run_tool(name: str, *args, **kwargs) -> subprocess.CompletedProcess:
        env = os.environ.copy()
    # kustomize needs helm on PATH for helm chart rendering
    if name == "kustomize":
+        ensure_tool("helm")  # ensure bundled helm is present before kustomize runs
        env["PATH"] = str(CACHE_DIR) + os.pathsep + env.get("PATH", "")
    return subprocess.run([str(bin_path), *args], env=env, **kwargs)