[dns] readiness gate — reject all-zero zone counts as probe failure

The zone-count parity check was trivially passing when the ephemeral
curl pod failed to reach the Technitium web API: all three counts came
back as 0, UNIQ=1, gate claimed "PASSED". This happened during today's
DNS hardening apply when CoreDNS was in CrashLoopBackOff and the curl
pod couldn't resolve service names.

Added a MIN > 0 sanity check. Technitium always has built-in zones
(localhost, standard reverse PTRs), so a zero count means the probe
didn't reach the API, not that the instance truly has zero zones.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-04-19 15:23:07 +00:00
parent 150f196095
commit 91aa39ef96


@ -91,6 +91,13 @@ resource "null_resource" "technitium_readiness_gate" {
echo "ERROR: zone-count probe returned no valid counts"
exit 1
fi
# Sanity: Technitium always has built-in zones (localhost, reverse ptrs).
# All-zeros means the probe failed to reach the API, not a true parity pass.
MIN=$(echo "$COUNTS" | sort -n | head -1)
if [ "$MIN" -eq 0 ]; then
echo "ERROR: zone-count probe returned 0 for at least one instance — probe likely failed to reach API"
exit 1
fi
UNIQ=$(echo "$COUNTS" | sort -u | wc -l)
if [ "$UNIQ" -gt 1 ]; then
echo "ERROR: zone counts differ across instances"
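Review bot: the new MIN guard at `if [ "$MIN" -eq 0 ]` is weaker than the invariant the comment above it states. The comment says Technitium always carries built-in zones (localhost plus the reverse PTR zones), so the real lower bound is the number of those built-ins, not 1; a count of 1 or 2 from one instance would slip past `-eq 0` and then also pass the UNIQ check if every instance reports the same truncated value. Consider lifting that lower bound into a named variable and testing `[ "$MIN" -lt "$MIN_EXPECTED_ZONES" ]` so a partially reachable API is caught as well. The error message should also include the offending values for triage, e.g. `echo "ERROR: zone counts: $(echo "$COUNTS" | tr '\n' ' ')"`, since `exit 1` alone does not say which instance returned 0. Finally, note that a zero count is only a proxy for "the probe did not reach the API": if the probe itself can surface the HTTP status or curl exit code, failing on that directly would be more precise than inferring it from the parsed count.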