From 3882dcbc0e47f9e2301ff3283d131d4502f64bcc Mon Sep 17 00:00:00 2001 From: Agents Agent Date: Fri, 26 Jun 2026 13:12:58 +0200 Subject: [PATCH] fix(agents-login): drop the broken K8s lease from credential finalize Credential finalize captured the Claude OAuth token, then wrapped the agents-api persist call in a coordination.k8s.io lease acquired via the worker's K8sLeaseLock. That lock reached the kube-apiserver over HTTPS using the global fetch with no cluster-CA trust, so the lease GET threw `fetch failed`; finalize aborted before the captured token was posted to agents-api. The login surfaced "fetch failed" and the credentials page stayed "Not connected" even though the token had been minted. The lease only ever guarded the old Vault CAS write. Credentials now persist as a per-(user, provider) Postgres upsert through agents-api, and the worker runs as a single replica with at most one session per provider, so concurrent writers cannot collide. The worker now wires NoopLeaseLock and posts the captured credential directly. --- services/agents-login/src/worker/index.ts | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/services/agents-login/src/worker/index.ts b/services/agents-login/src/worker/index.ts index 6d5cf1da..4de1425e 100644 --- a/services/agents-login/src/worker/index.ts +++ b/services/agents-login/src/worker/index.ts @@ -1,6 +1,6 @@ import { createLogger } from '../shared/log.js' import { loadWorkerConfig } from '../shared/config.js' -import { K8sLeaseLock } from './lease.js' +import { NoopLeaseLock } from './lease.js' import { createNodePtySpawner } from './pty.js' import { buildWorkerServer } from './server.js' import { SessionManager } from './session.js' @@ -16,12 +16,14 @@ export async function runWorker(): Promise { logger, }) - const lease = new K8sLeaseLock({ - name: cfg.leaseName, - namespace: cfg.leaseNamespace, - holderIdentity: `${process.env.HOSTNAME ?? 'agents-login-worker'}-${process.pid}`, - saTokenPath: cfg.saTokenPath, - }) + // Credentials are persisted by agents-api as a per-(user, provider) Postgres + // upsert, and this worker runs as a single replica with at most one session + // per provider, so concurrent writers cannot collide. The previous + // coordination.k8s.io lease only served the old Vault CAS write; it reached + // the kube-apiserver over HTTPS without the cluster CA, so finalize threw + // "fetch failed" before the captured token was ever posted. No distributed + // lock is needed now. + const lease = new NoopLeaseLock() const spawner = await createNodePtySpawner(logger)