boma/roles/reverse_proxy/molecule/default/verify.yml
sjat 3a31b8e6f4 fix(reverse_proxy): bind-mount the Caddy config dir so reload sees changes
The Caddyfile was bind-mounted as a single file. ansible.builtin.template writes
atomically (temp + rename), so a re-render swaps the file's inode while the running
container keeps the old one — `caddy reload` then re-read stale config and silently
no-op'd ("config is unchanged"), so new routes never loaded. Surfaced deploying the
NetBird route: Caddy never requested its cert. Fix: render to ./caddy/Caddyfile and
mount the ./caddy DIRECTORY at /etc/caddy — directory mounts reflect inode swaps, so
graceful `caddy reload` works. Proven on askari: atomic replace in the host dir is
visible inside the running container.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 07:44:45 +02:00
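
The inode swap the commit message describes, as an added shell example that is not part of the boma repository: an open file descriptor stands in for the single-file bind mount (both pin an inode), and the comparison shows why a directory-level lookup, and therefore the directory mount, is the fix. Paths and Caddyfile contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not boma's own code. Demonstrates: atomic temp+rename gives
# the path a new inode, a pinned reference keeps reading the old one, and a
# lookup through the containing directory sees the new one.

inode_of() { ls -i "$1" | awk '{print $1}'; }

# Atomic replace the way ansible.builtin.template does it: temp file in the
# same directory, then rename over the target. Same name, brand-new inode.
atomic_write() {
  tmp=$(mktemp "$(dirname "$1")/.tmp.XXXXXX")
  printf '%s\n' "$2" > "$tmp"
  mv -f "$tmp" "$1"
}

# Prints three yes/no flags: inode changed; pinned reference still serves the
# old content; a fresh path lookup through the directory sees the new content.
inode_swap_demo() {
  dir=$(mktemp -d)
  f="$dir/Caddyfile"
  atomic_write "$f" 'app.example.test { reverse_proxy app:80 }'   # first render
  exec 3< "$f"                 # pin the inode, like a single-file bind mount
  before=$(inode_of "$f")
  atomic_write "$f" 'grpc.example.test { reverse_proxy h2c://backend:80 }'  # re-render
  after=$(inode_of "$f")
  pinned=$(cat <&3)            # what the pinned reference still reads
  exec 3<&-
  fresh=$(cat "$f")            # what a directory lookup reads
  rm -rf "$dir"
  changed=no; [ "$before" != "$after" ] && changed=yes
  stale=no;   [ "$pinned" = 'app.example.test { reverse_proxy app:80 }' ] && stale=yes
  new=no;     case "$fresh" in *grpc.example.test*) new=yes;; esac
  echo "inode_changed=$changed pinned_stale=$stale dir_sees_new=$new"
}

inode_swap_demo
```

The `pinned_stale=yes` line is the "config is unchanged" no-op from the commit message; a directory mount resolves the path on each open and so gets `dir_sees_new=yes`.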

---
# Molecule verify step for the reverse_proxy role: read back the Caddyfile
# rendered into the bind-mounted ./caddy directory and check its contents.
- name: Verify
  hosts: all
  gather_facts: false
  tasks:
    - name: Slurp the rendered Caddyfile
      ansible.builtin.slurp:
        src: /opt/services/reverse_proxy/caddy/Caddyfile
      register: _caddyfile

    - name: Assert Caddyfile exists and contains expected content
      ansible.builtin.assert:
        that:
          - _caddyfile.content | b64decode | length > 0
          - "'app.example.test' in (_caddyfile.content | b64decode)"
          - "'reverse_proxy app:80' in (_caddyfile.content | b64decode)"
          - "'respond \"ok\" 200' in (_caddyfile.content | b64decode)"
          - "'grpc.example.test' in (_caddyfile.content | b64decode)"
          - "'reverse_proxy @grpc h2c://backend:80' in (_caddyfile.content | b64decode)"
        fail_msg: "Caddyfile is missing expected content"
        success_msg: "Caddyfile rendered correctly"