marcel/familienarchiv
1
0
Fork 0
Code Issues 105 Pull Requests 2 Actions Packages Projects Releases Wiki Activity

fix(ci): resolve smoke test host via bridge gateway, not 127.0.0.1
Some checks failed
CI / OCR Service Tests (push) Has been cancelled
Details
CI / Backend Unit Tests (push) Has been cancelled
Details
CI / fail2ban Regex (push) Has been cancelled
Details
CI / Compose Bucket Idempotency (push) Has been cancelled
Details
CI / Unit & Component Tests (push) Has been cancelled
Details
CI / Unit & Component Tests (pull_request) Failing after 2m49s
Details
CI / OCR Service Tests (pull_request) Successful in 17s
Details
CI / Backend Unit Tests (pull_request) Successful in 4m3s
Details
CI / fail2ban Regex (pull_request) Successful in 38s
Details
CI / Compose Bucket Idempotency (pull_request) Successful in 56s
Details

Browse Source 
Job containers run in bridge network mode (runner-config.yaml). Inside
a bridge-networked container 127.0.0.1 is the container's own loopback;
Caddy on the host is unreachable there, causing an immediate ECONNREFUSED.

Use the Docker bridge gateway IP instead — the host's docker0 interface
where Caddy (bound on 0.0.0.0:443) is reachable from the container.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Marcel
2026-05-12 09:08:20 +02:00
parent 08c7dbcaa2
commit e6893ae67e
2 changed files with 15 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
.gitea/workflows/nightly.yml
View File

@@ -135,16 +135,20 @@ jobs:
# public surface works. This step catches: Caddy not reloaded, HSTS # public surface works. This step catches: Caddy not reloaded, HSTS
# header dropped, /actuator block bypassed. # header dropped, /actuator block bypassed.
# #
# --resolve pins staging.raddatz.cloud to the runner's loopback so we # --resolve pins staging.raddatz.cloud to the Docker bridge gateway IP
# do NOT depend on the host router doing hairpin NAT (many SOHO # (the host) so we do NOT depend on hairpin NAT on the host router.
# routers do not, or do so only after a firmware update). SNI still # 127.0.0.1 cannot be used: job containers run in bridge network mode
# uses the public hostname so the cert validates correctly. # (runner-config.yaml), so 127.0.0.1 is the container's loopback, not
# the host's. The bridge gateway IS the host; Caddy binds 0.0.0.0:443
# and is therefore reachable from the container via that IP.
# SNI still uses the public hostname so the TLS cert validates correctly.
run: | run: |
set -e set -e
HOST="staging.raddatz.cloud" HOST="staging.raddatz.cloud"
URL="https://$HOST" URL="https://$HOST"
RESOLVE="--resolve $HOST:443:127.0.0.1" HOST_IP=$(ip route show default | awk '/default/ {print $3}')
echo "Smoke test: $URL (pinned to 127.0.0.1)" RESOLVE="--resolve $HOST:443:$HOST_IP"
echo "Smoke test: $URL (pinned to $HOST_IP via bridge gateway)"
curl -fsS $RESOLVE --max-time 10 "$URL/login" -o /dev/null curl -fsS $RESOLVE --max-time 10 "$URL/login" -o /dev/null
# Pin the preload-list-eligible HSTS value, not just header presence: # Pin the preload-list-eligible HSTS value, not just header presence:
# a degraded `max-age=1` or a dropped `includeSubDomains; preload` must # a degraded `max-age=1` or a dropped `includeSubDomains; preload` must

9
.gitea/workflows/release.yml
View File

@@ -106,14 +106,15 @@ jobs:
- name: Smoke test deployed environment - name: Smoke test deployed environment
# See nightly.yml — same three checks, against the prod vhost. # See nightly.yml — same three checks, against the prod vhost.
# --resolve pins archiv.raddatz.cloud to the runner's loopback so # --resolve pins to the bridge gateway IP (the host), not 127.0.0.1
# the smoke test does NOT depend on hairpin NAT on the host router. # — see nightly.yml for the full network topology explanation.
run: | run: |
set -e set -e
HOST="archiv.raddatz.cloud" HOST="archiv.raddatz.cloud"
URL="https://$HOST" URL="https://$HOST"
RESOLVE="--resolve $HOST:443:127.0.0.1" HOST_IP=$(ip route show default | awk '/default/ {print $3}')
echo "Smoke test: $URL (pinned to 127.0.0.1)" RESOLVE="--resolve $HOST:443:$HOST_IP"
echo "Smoke test: $URL (pinned to $HOST_IP via bridge gateway)"
curl -fsS $RESOLVE --max-time 10 "$URL/login" -o /dev/null curl -fsS $RESOLVE --max-time 10 "$URL/login" -o /dev/null
# Pin the preload-list-eligible HSTS value, not just header presence: # Pin the preload-list-eligible HSTS value, not just header presence:
# a degraded `max-age=1` or a dropped `includeSubDomains; preload` must # a degraded `max-age=1` or a dropped `includeSubDomains; preload` must