From b1aa0f49d964a023c7f0e3dc6f2a900d0841ed50 Mon Sep 17 00:00:00 2001
From: sjat
Date: Thu, 18 Jun 2026 16:57:47 +0200
Subject: [PATCH] fix(integration): verify probes :80 without following redirects

Accept caddy's 308 on :80 as proof the DNAT+forward path is alive; don't follow into https (tls internal has no cert for a bare-IP request). This load-bearing end-to-end check is what caught the br-+/br-* nftables-wildcard bug that the string-presence assert missed.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 tests/integration/verify.yml | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/tests/integration/verify.yml b/tests/integration/verify.yml
index 7d834f6..e6c99b8 100644
--- a/tests/integration/verify.yml
+++ b/tests/integration/verify.yml
@@ -1,6 +1,6 @@
 ---
 # Integration verify (ADR-025). Outcome-based: proves Docker forwarding survives the
-# reboot. The load-bearing check probes the VM's published :443 FROM the controller
+# reboot. The load-bearing check probes the VM's published :80 FROM the controller
 # (ubongo) — if base's forward-drop killed DNAT, this times out (the FRICTION #1 bug).
 - name: Verify the rebooted host
 hosts: all
@@ -27,13 +27,16 @@
 forward chain is pure drop — container forwarding will die on reboot (FRICTION 2026-06-17 #1). docker_host container-forward drop-in missing.
- - name: Published HTTPS port answers from the controller (DNAT + forward alive)
+ - name: Published port answers from the controller (DNAT + forward alive)
 delegate_to: localhost
 become: false
 ansible.builtin.uri:
- url: "https://{{ ansible_host }}/"
- validate_certs: false
- status_code: [200, 308, 404, 502, 503]
+ # Probe :80 (plain HTTP) — any answer proves the published-port DNAT + forward path
+ # is alive. Don't follow caddy's HTTP->HTTPS redirect (its `tls internal` has no
+ # cert for a bare-IP HTTPS request); the 308 itself proves the path works.
+ url: "http://{{ ansible_host }}/"
+ follow_redirects: none
+ status_code: [200, 301, 308, 404, 502, 503]
 timeout: 10
 register: _probe
 retries: 5
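Review bot: Nothing in the new task exercises the published :443 any more, so a host whose :80 DNAT works but whose TLS port is unpublished or dropped in the forward chain would still pass this check. A TCP-only connect to 443 from the controller needs no certificate and restores that coverage; a sketch follows. Separately, accepting 301/308 without looking at the target means any responder on :80 satisfies the probe. If the registered result exposes the header as `_probe.location`, asserting that it starts with `https://` would also confirm the HTTP-to-HTTPS upgrade is in place. The task continues past `retries: 5`, outside this hunk, so an existing `until:` or follow-up assert may already cover part of this.

```yaml
# … unchanged: the :80 uri probe task above …
- name: Published TLS port accepts a TCP connection from the controller
  delegate_to: localhost
  become: false
  ansible.builtin.wait_for:
    host: "{{ ansible_host }}"
    port: 443
    timeout: 10
```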