fix(agents-login): drop the broken K8s lease that failed credential finalize#736
Merged
Merged
Conversation
Credential finalize captured the Claude OAuth token, then wrapped the agents-api persist call in a coordination.k8s.io lease acquired via the worker's K8sLeaseLock. That lock reached the kube-apiserver over HTTPS using the global fetch with no cluster-CA trust, so the lease GET threw `fetch failed`; finalize aborted before the captured token was posted to agents-api. The login surfaced "fetch failed" and the credentials page stayed "Not connected" even though the token had been minted. The lease only ever guarded the old Vault CAS write. Credentials now persist as a per-(user, provider) Postgres upsert through agents-api, and the worker runs as a single replica with at most one session per provider, so concurrent writers cannot collide. The worker now wires NoopLeaseLock and posts the captured credential directly.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What was broken
Submitting the authorization code on the credentials page minted the Claude OAuth token but the login then failed with
fetch failed, and the page stayed "Not connected — No credentials stored yet".Worker logs showed the token was captured, then finalize died immediately:
Note the absence of any
posting credentials to agents-apiline — the failure happened before the persist call.Root cause
finalize()wrapped the agents-api persist inlease.withLock(…), whereleasewas aK8sLeaseLock. Acquiring the lock issues aGETto the kube-apiserver over HTTPS (https://$KUBERNETES_SERVICE_HOST/apis/coordination.k8s.io/v1/…) using the globalfetch. Nothing wired the in-cluster CA into that request —DEFAULT_CA/caCertPathexist inlease.tsbut are never applied, andNODE_EXTRA_CA_CERTSis not set on the deployment. undici therefore could not verify the k3s API-server certificate and threwTypeError: fetch failedintryAcquire(), aborting finalize before the token reached agents-api.Fix
The lease only ever guarded the old Vault CAS write. Credentials now persist as a per-
(user, provider)Postgres upsert through agents-api, and the worker runs as a single replica with at most one session per provider, so concurrent writers cannot collide. The distributed lock guards nothing and was the sole broken apiserver call, so the worker now wiresNoopLeaseLockand posts the captured credential directly.K8sLeaseLockand its now-unusedcoordination.k8s.ioRBAC/NetworkPolicy egress are left in place for a separate follow-up rather than expanding this fix.Validation
tsc --noEmitclean;vitest rungreen (91/91). The session tests already drive finalize throughNoopLeaseLockand assert it posts to agents-api, so they now match production wiring.