infra

viktor/infra

Fork 0

History

Viktor Barzin 7a649ce7eb Some checks failed ci/woodpecker/push/build-cli Pipeline failed Details ci/woodpecker/push/default Pipeline was successful Details crowdsec: pin image to v1.7.8 + remove ENROLL_KEY, CAPI restored Root cause of today's CAPI 403 crashloop: chart 0.21.0 pins appVersion to v1.7.3, but Keel had auto-bumped the running pods to v1.7.8 on 2026-05-16 and they ran fine with CAPI for 8 days. Today's TF apply (`b59acbc1` agent memory bump) re-rendered the deployment from chart defaults, reverting the image to v1.7.3 — and v1.7.3 has a CAPI watcher-auth bug against the current api.crowdsec.net behaviour, so every fresh replica started 403'ing on startup. Fix: set `image.tag: "v1.7.8"` in values.yaml so the image survives future TF applies independently of the chart's appVersion. Verified CAPI auth succeeds on all 3 fresh pods with v1.7.8. Also dropped the ENROLL_KEY env block — the existing key `cmey5e636…` is single-shot and was already consumed by the first replica; subsequent pods hit 403 on `cscli console enroll`. CAPI works WITHOUT console enrollment (separate flows). Re-enable console reporting by generating a fresh enroll key at app.crowdsec.net (procedure documented in the values.yaml comment block). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-24 11:11:29 +00:00
..
crowdsec	crowdsec: pin image to v1.7.8 + remove ENROLL_KEY, CAPI restored	2026-05-24 11:11:29 +00:00

Viktor Barzin 7a649ce7eb

ci/woodpecker/push/build-cli Pipeline failed

Details

ci/woodpecker/push/default Pipeline was successful

Details

crowdsec: pin image to v1.7.8 + remove ENROLL_KEY, CAPI restored

Root cause of today's CAPI 403 crashloop: chart 0.21.0 pins appVersion
to v1.7.3, but Keel had auto-bumped the running pods to v1.7.8 on
2026-05-16 and they ran fine with CAPI for 8 days. Today's TF apply
(b59acbc1 agent memory bump) re-rendered the deployment from chart
defaults, reverting the image to v1.7.3 — and v1.7.3 has a CAPI
watcher-auth bug against the current api.crowdsec.net behaviour, so
every fresh replica started 403'ing on startup.

Fix: set `image.tag: "v1.7.8"` in values.yaml so the image survives
future TF applies independently of the chart's appVersion. Verified
CAPI auth succeeds on all 3 fresh pods with v1.7.8.

Also dropped the ENROLL_KEY env block — the existing key `cmey5e636…`
is single-shot and was already consumed by the first replica;
subsequent pods hit 403 on `cscli console enroll`. CAPI works WITHOUT
console enrollment (separate flows). Re-enable console reporting by
generating a fresh enroll key at app.crowdsec.net (procedure
documented in the values.yaml comment block).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-05-24 11:11:29 +00:00

crowdsec crowdsec: pin image to v1.7.8 + remove ENROLL_KEY, CAPI restored 2026-05-24 11:11:29 +00:00