stack/caucase: Disable always failing promise

 The principle of deployment on slapos is once the instance is read to use the
 all the promises must work and buildout would stop to run for a while. This
 Promise is been disable because it assumes the user must use the instance first
 them the promise will be green, which can cause endless failure.

 This fail until user do something makes tests and resilience fail, as there is
 no automation to emulate a user take some action.

 This problem MUST be reimplemented on the current way, and not assume user will
 do any action. Others promises can be added into monitor (but not this one like this).

stack/caucase/buildout.hash.cfg

@@ -28,7 +28,7 @@ md5sum = a317d2f948cd3d16c860d05cc07ecf42
 
 [template-caucase]
 filename = instance-caucase.cfg.jinja2.in
-md5sum = b801dfe4212ff97dc29191e4610df3a3
+md5sum = 1988d9c98c2331f49335a1b9a4c26026
 
 [instance-caucase]
 filename = instance.cfg.in

stack/caucase/instance-caucase.cfg.jinja2.in

@@ -163,12 +163,14 @@ url = https://[${ca-parameters:ipv6}]:${ca-parameters:server-https-port}
 http-url = ${ca-parameters:crl-external-url}
 depends = 
   ${nginx-certificate-request:wrapper-path}
-  ${caucase-server-promise:filename}
   ${caucase-https-server-promise:filename}
   ${ca-nginx-graceful:output}
   ${ca-certificate-renew-cron-entry:name}
   ${logrotate-ca-nginx:name}
 
+# Disabled to be re-implemented.
+#  ${caucase-server-promise:filename}
+
 [ca-certificate-renew-cron-entry]
 recipe = slapos.cookbook:cron.d
 cron-entries = ${cron:cron-entries}
@@ -184,14 +186,17 @@ name = caucase-nginx-server
 log = ${ca-nginx-conf-parameter:access-log} ${ca-nginx-conf-parameter:access-log}
 post = {{ slapos_kill_bin }} --pidfile ${ca-nginx-conf-parameter:pid-file} -s USR1
 
-[caucase-server-promise]
-recipe = slapos.cookbook:check_url_available
-path = ${directory:promises}/${:filename}
-filename = caucase-server-listening-on-tcp
-url = http://[${ca-parameters:ipv6}]:${ca-parameters:server-port}
-dash_path = {{ dash_executable_location }}
-curl_path = {{ curl_executable_location }}
-
+# This promise is disabled as it requires user to take action so the buildout
+# will fail for way too long, and overload master. Please reimplement on a 
+# better way
+#[caucase-server-promise]
+#recipe = slapos.cookbook:check_url_available
+#path = ${directory:promises}/${:filename}
+#filename = caucase-server-listening-on-tcp
+#url = http://[${ca-parameters:ipv6}]:${ca-parameters:server-port}
+#dash_path = {{ dash_executable_location }}
+#curl_path = {{ curl_executable_location }}
+#
 [caucase-https-server-promise]
 recipe = slapos.cookbook:check_url_available
 path = ${directory:promises}/${:filename}

[Vincent Pelletier]

I do not understand why this promise requires user action to work. Both http and https are supposed to become available without user intervention, with https only becomming available "shortly" after http as the former requires the latter to work to bootstrap its own certificate. So I also do not understand why you would only disable http promise but leave https promise enabled.

/cc @alain.takoudjou

[Alain Takoudjou]

@vpelletier the promise don't require user action to work. This is a bug caused by the fact that the first login redirect to the configuration page which allow to set the password. But the page is disalowed in HTTP (only HTTPS is used for user interface with password). So went the password is not set promise in http redirect to admin/configure and return 404. See: https://lab.nexedi.com/nexedi/slapos/blob/master/stack/caucase/ca-nginx.conf.in#L74

I wouldn't say that the promise require user action. Yes, user must set the password on first login but the promise is not supposed to fail because the password is not set. I'm thinking how to solve, a simpler solution is to change promise http url from http:[IPv6]:port -> http://[IPv6]:port/crt/ca.crt.pem so that there will be no redirection.

[Vincent Pelletier]

I like the idea of fetching the ca.crt, indeed.