From 337c0e2733f9ab6462313687621c788a2b79c147 Mon Sep 17 00:00:00 2001 From: Paperclip Date: Mon, 1 Jun 2026 15:30:34 +0000 Subject: [PATCH] docs(UAT_PLAYBOOK): document canonical source-of-truth for UAT seed passwords (GRO-2000) The 'Source of truth for UAT passwords' subsection under Pre-conditions records: - The seed-uat-passwords Secret in groombook-uat is the live source. - The Bitnami SealedSecret apps/overlays/uat/ss-seed-uat-passwords.yaml in groombook/infra is the single upstream source of truth. - A kubectl recipe to pull the current values for SUPER / GROOMER / TESTER / CUSTOMER at the start of every UAT run. - The 'captured env var from a previous rotation produces 401' failure mode that GRO-2000 hit, and the manual-reseed escape hatch if the login still 401s after pulling the live value. Refs: GRO-2000, GRO-1977 (idempotent re-hash), GRO-1999 (enum fix that allowed the seed Job to run cleanly again). Co-Authored-By: Claude Opus 4.8 --- UAT_PLAYBOOK.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/UAT_PLAYBOOK.md b/UAT_PLAYBOOK.md index c5bdf04..f0e1037 100644 --- a/UAT_PLAYBOOK.md +++ b/UAT_PLAYBOOK.md 
@@ -19,6 +19,27 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet - OIDC authentication provider configured - Seed data present (clients, pets, services, staff) +### Source of truth for UAT passwords (GRO-2000) + +The `UAT_SUPER_PASSWORD` / `UAT_GROOMER_PASSWORD` / `UAT_TESTER_PASSWORD` / `UAT_CUSTOMER_PASSWORD` env vars the test orchestrator uses **must** be pulled from the live `seed-uat-passwords` Secret in the UAT cluster — never from a captured shell value, a previous run's `.env`, or a copy of the SealedSecret committed before the latest rotation. + +**Canonical recipe** (works from any host with `kubectl` + cluster credentials): + +```bash +SUPER=$(kubectl get secret seed-uat-passwords -n groombook-uat \ + -o jsonpath='{.data.super-password}' | base64 -d) +GROOMER=$(kubectl get secret seed-uat-passwords -n groombook-uat \ + -o jsonpath='{.data.groomer-password}' | base64 -d) +TESTER=$(kubectl get secret seed-uat-passwords -n groombook-uat \ + -o jsonpath='{.data.tester-password}' | base64 -d) +CUSTOMER=$(kubectl get secret seed-uat-passwords -n groombook-uat \ + -o jsonpath='{.data.customer-password}' | base64 -d) +``` + +**Why:** the Bitnami SealedSecret `apps/overlays/uat/ss-seed-uat-passwords.yaml` (in `groombook/infra`) is the single source of truth. The UAT `reset-demo-data` CronJob re-hashes these values into the `account` table on every run (idempotent — GRO-1977). A captured env var from a previous generation will not match the current hash, producing 401 `INVALID_EMAIL_OR_PASSWORD`. If the live login still 401s after pulling from the SealedSecret, the seed Job is stale — trigger `kubectl create job --from=cronjob/reset-demo-data -n groombook-uat manual-seed-$$` and retry. + +**How to apply:** at the start of every UAT run that touches TC-API-1.4 / 1.5 / 1.6 / 1.7 / 3.18 / 3.21 / 3.23, refresh these four env vars from the cluster before issuing the sign-in request. + ## Test Cases ### 4.0 Health Check
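Review bot: the "Canonical recipe" block assigns `SUPER` / `GROOMER` / `TESTER` / `CUSTOMER` as plain shell variables, but the paragraph above it says the orchestrator reads `UAT_SUPER_PASSWORD` / `UAT_GROOMER_PASSWORD` / `UAT_TESTER_PASSWORD` / `UAT_CUSTOMER_PASSWORD`; as written, a reader who copies the recipe verbatim never populates the names the orchestrator actually uses, and nothing is exported to the child process. Suggest assigning and exporting under the documented names, e.g. `export UAT_SUPER_PASSWORD=$(kubectl get secret seed-uat-passwords -n groombook-uat -o jsonpath='{.data.super-password}' | base64 -d)`, and the same for the other three. Two smaller points in the "Why" paragraph: "after pulling from the SealedSecret" should read "after pulling from the live Secret", since the recipe reads the decrypted `seed-uat-passwords` Secret (the SealedSecret in `groombook/infra` is ciphertext and is not what the recipe queries); and the `manual-seed-$$` job name relies on the shell PID for uniqueness, which is fine for one-off use but collides if the same shell session triggers the reseed twice, so a timestamp suffix such as `manual-seed-$(date +%s)` would be safer for an escape hatch that is expected to be retried.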