Merged
Conversation
Architecture §8.3 H4-Fix requires -j none when running as non-root. Without it, varnish tries chroot jail setup which needs root. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Readiness probe on agent /health (port 9090) ensures pods are only marked Ready when the agent can reach varnishd. preStop sleep(5) gives the endpoints controller time to remove the pod from routing before varnish stops (architecture §3.3 K3-Fix). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Pods are not ready (readiness probe fails) until the operator successfully pushes real VCL. The 'boot' VCL (varnish default) triggers a 503 response from /health. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
VCL name is now <namespace>-<name>-<hash[:8]>. Each VCL generation gets a unique name, preventing 'Already a VCL named ...' errors when the operator pushes updated VCL. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Operator creates a ConfigMap with placeholder VCL that returns 503 'Cache initializing'. Mounted as /etc/varnish/default.vcl so varnish starts cleanly. Combined with the readiness probe, pods are not marked Ready until the operator pushes real VCL. This replaces the need for a vinyl-init container (architecture §3.3 — simpler approach with same result). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Implements the critical missing components for production use, as identified in #12.
Changes
-j noneflag — disables chroot jail for non-root operation (§8.3 H4-Fix)/health— pods not Ready until VCL pushedsleep 5for graceful shutdown (§3.3 K3-Fix)<ns>-<name>-<hash[:8]>prevents collisionStartup flow
Operator creates ConfigMap → StatefulSet → varnish starts with bootstrap VCL (503) → agent /health returns 503 → pod NOT Ready → operator pushes real VCL → agent /health returns 200 → pod Ready → traffic routed
Tests