From 13d4fa5589a8b4bfa96fa10a59fd8671063df64f Mon Sep 17 00:00:00 2001 From: shankar0123 Date: Thu, 30 Apr 2026 23:05:25 +0000 Subject: [PATCH] =?UTF-8?q?fix(deploy/test):=20f5-mock-icontrol=20host-por?= =?UTF-8?q?t=20collision=20(20443=20=E2=86=92=2020449)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CI run 25192994486 (deploy-vendor-e2e job) failed with: Error response from daemon: failed to set up container networking: driver failed programming external connectivity on endpoint certctl-test-f5-mock: Bind for 0.0.0.0:20443 failed: port is already allocated apache-test (compose line 491) and f5-mock-icontrol (compose line 619) both bound host port 20443. The pre-Phase-5 per-vendor matrix only ran one sidecar at a time, so the collision was structurally hidden. The ci-pipeline-cleanup Phase 5 collapse brings all 11 sidecars up simultaneously — the bug surfaces. This was a pre-existing latent bug in the deploy-hardening II Phase 1 (commit 47af4db) sidecar-matrix design that the matrix collapse surfaced. Same pattern as the gofmt drift + libest build issues — the new gates are doing their job, exposing real debt. Fix: move f5-mock-icontrol from host port 20443 to 20449 (next free in the 204xx range; 20448 is windows-iis-test, 20443-20447 occupied by apache/haproxy/traefik/caddy/envoy). Touched: deploy/docker-compose.test.yml — f5-mock-icontrol ports: 20449:443 deploy/test/vendor_e2e_helpers.go — sidecarMap["f5-mock"].hostPort: 20449 Verified: every host port in deploy/docker-compose.test.yml is now unique (per-port count == 1 across all 17 mappings).
---
 deploy/docker-compose.test.yml | 7 ++++++-
 deploy/test/vendor_e2e_helpers.go | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/deploy/docker-compose.test.yml b/deploy/docker-compose.test.yml
index 9881591..8225f28 100644
--- a/deploy/docker-compose.test.yml
+++ b/deploy/docker-compose.test.yml
@@ -616,7 +616,12 @@ services:
 dockerfile: deploy/test/f5-mock-icontrol/Dockerfile
 container_name: certctl-test-f5-mock
 ports:
- - "20443:443"
+ # Host port 20449 (NOT 20443 — apache-test owns 20443). The
+ # ci-pipeline-cleanup Phase 5 vendor-matrix collapse brings up
+ # all sidecars simultaneously; the original Phase 1 design
+ # accidentally double-bound 20443 because the per-vendor matrix
+ # only ever ran one sidecar at a time, hiding the collision.
+ - "20449:443"
 networks:
 certctl-test:
 ipv4_address: 10.30.50.28
diff --git a/deploy/test/vendor_e2e_helpers.go b/deploy/test/vendor_e2e_helpers.go
index 769704d..f6b3b98 100644
--- a/deploy/test/vendor_e2e_helpers.go
+++ b/deploy/test/vendor_e2e_helpers.go
@@ -52,7 +52,7 @@ var sidecarMap = map[string]vendorSidecar{
 "postfix": {name: "postfix-test", hostPort: "127.0.0.1:20465"},
 "dovecot": {name: "dovecot-test", hostPort: "127.0.0.1:20993"},
 "openssh": {name: "openssh-test", hostPort: "127.0.0.1:20022"},
- "f5-mock": {name: "f5-mock-icontrol", hostPort: "127.0.0.1:20443"},
+ "f5-mock": {name: "f5-mock-icontrol", hostPort: "127.0.0.1:20449"},
 "k8s-kind": {name: "k8s-kind-test", hostPort: ""},
 "windows-iis": {name: "windows-iis-test", hostPort: "127.0.0.1:20448"},
 }
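Review bot: The new mapping `"20449:443"` in the f5-mock-icontrol `ports:` list publishes the mock management endpoint on every host interface. The CI error quoted in the commit message shows the old mapping binding `0.0.0.0:20443`, while `sidecarMap` in deploy/test/vendor_e2e_helpers.go only ever connects through `127.0.0.1`. Binding to loopback, `- "127.0.0.1:20449:443"`, keeps the test sidecar unreachable from other hosts on a shared runner or developer network and matches what the helper expects. The other sidecar mappings in this file are outside the hunk; if they use the same short form they presumably share the exposure and are worth changing together.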
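Review bot: Nothing in the test package fails fast when two `sidecarMap` entries claim the same `hostPort`; the uniqueness check described in the commit message was done by hand, so the same collision can return unnoticed until compose fails to bind. A small table test over `sidecarMap` that skips empty `hostPort` values (as for `k8s-kind`) would guard the map. It would not catch drift between this map and deploy/docker-compose.test.yml, so a one-line comment on the `f5-mock` entry pointing at the compose mapping is still worth adding. The map literal begins outside the hunk, so the sketch below assumes every entry uses the `name`/`hostPort` fields shown here.

```go
// TestSidecarHostPortsUnique fails when two sidecars claim the same host address.
func TestSidecarHostPortsUnique(t *testing.T) {
	seen := make(map[string]string, len(sidecarMap))
	for vendor, sc := range sidecarMap {
		if sc.hostPort == "" {
			continue // no published host port for this sidecar
		}
		if prev, dup := seen[sc.hostPort]; dup {
			t.Errorf("host port %s claimed by both %q and %q", sc.hostPort, prev, vendor)
		}
		seen[sc.hostPort] = vendor
	}
}
```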