From fb3fd93f0f617c7837e884f2b05c4aa28ffe6241 Mon Sep 17 00:00:00 2001
From: Sienna Meridian Satterwhite <sienna@r3t.io>
Date: Tue, 3 Mar 2026 00:57:39 +0000
Subject: [PATCH] fix: sunbeam apply and bootstrap reliability

manifests.py: fix REPO_ROOT parents index (was 3, needed 2) which
caused kustomize overlay lookup to resolve against the wrong directory.

tools.py: call ensure_tool("helm") before running kustomize so the
bundled helm v3.17.1 is on PATH; system helm v4 dropped the -c flag
that kustomize 5.6.0 uses for version detection.

gitea.py: pass --must-change-password=false to gitea admin user
change-password, removing the separate Postgres UPDATE workaround that
was fragile and required a second exec into the CNPG pod.
---
 sunbeam/gitea.py     | 19 ++-----------------
 sunbeam/manifests.py |  2 +-
 sunbeam/tools.py     |  1 +
 3 files changed, 4 insertions(+), 18 deletions(-)

diff --git a/sunbeam/gitea.py b/sunbeam/gitea.py
index 1ba68c8..16ffd5d 100644
--- a/sunbeam/gitea.py
+++ b/sunbeam/gitea.py
@@ -146,30 +146,15 @@ def cmd_bootstrap(domain: str = "", gitea_admin_pass: str = ""):
             capture_output=True, text=True,
         )
 
-    # Ensure admin has the generated password
+    # Ensure admin has the generated password and no forced-change flag.
     r = gitea_exec("gitea", "admin", "user", "change-password",
                    "--username", GITEA_ADMIN_USER, "--password",
-                   gitea_admin_pass)
+                   gitea_admin_pass, "--must-change-password=false")
     if r.returncode == 0 or "password" in (r.stdout + r.stderr).lower():
         ok(f"Admin '{GITEA_ADMIN_USER}' password set.")
     else:
         warn(f"change-password: {r.stderr.strip()}")
 
-    # Clear must_change_password via Postgres
-    pg_pod = kube_out("-n", "data", "get", "pods",
-                      "-l=cnpg.io/cluster=postgres,role=primary",
-                      "-o=jsonpath={.items[0].metadata.name}")
-    if pg_pod:
-        kube("exec", "-n", "data", pg_pod, "-c", "postgres", "--",
-             "psql", "-U", "postgres", "-d", "gitea_db", "-c",
-             f'UPDATE "user" SET must_change_password = false'
-             f" WHERE lower_name = '{GITEA_ADMIN_USER.lower()}';",
-             check=False)
-        ok("Cleared must-change-password flag.")
-    else:
-        warn("Postgres pod not found -- must-change-password may block API "
-             "calls.")
-
     def api(method, path, data=None):
         args = [
             "curl", "-s", "-X", method,
diff --git a/sunbeam/manifests.py b/sunbeam/manifests.py
index a2e9668..df062cd 100644
--- a/sunbeam/manifests.py
+++ b/sunbeam/manifests.py
@@ -4,7 +4,7 @@ from pathlib import Path
 from sunbeam.kube import kube, kube_out, kube_ok, kube_apply, kustomize_build, get_lima_ip
 from sunbeam.output import step, ok, warn
 
-REPO_ROOT = Path(__file__).parents[3] / "infrastructure"
+REPO_ROOT = Path(__file__).parents[2] / "infrastructure"
 MANAGED_NS = ["data", "devtools", "ingress", "lasuite", "media", "ory", "storage",
               "vault-secrets-operator"]
 
diff --git a/sunbeam/tools.py b/sunbeam/tools.py
index b28e62d..2bb924e 100644
--- a/sunbeam/tools.py
+++ b/sunbeam/tools.py
@@ -102,5 +102,6 @@ def run_tool(name: str, *args, **kwargs) -> subprocess.CompletedProcess:
         env = os.environ.copy()
     # kustomize needs helm on PATH for helm chart rendering
     if name == "kustomize":
+        ensure_tool("helm")  # ensure bundled helm is present before kustomize runs
         env["PATH"] = str(CACHE_DIR) + os.pathsep + env.get("PATH", "")
     return subprocess.run([str(bin_path), *args], env=env, **kwargs)