builder: fix cue panic (#212)

Previously CUE paniced when holos tried to unify values originating from
two different cue runtimes.  This patch fixes the problem by
initializaing cue.Value structs from the same cue context.

Log messages are also improved after making one complete pass through
the Try Holos Locally guide.

doc/md/tutorial/local/k3d.mdx

@@ -523,14 +523,29 @@ kubectl apply --server-side=true -f ./deploy/clusters/workload/components/argo-c
 
 ### Cert Manager
 
-Apply the ClusterIssuer which issues Certificate resources using the local ca.
+Apply the cert-manager controller:
 
 ```bash
 kubectl apply --server-side=true -f ./deploy/clusters/workload/components/cert-manager
+```
+
+Apply the ClusterIssuer which issues Certificate resources using the local
+certificate authority.
+
+```bash
 kubectl apply --server-side=true -f deploy/clusters/workload/components/local-ca
 kubectl apply --server-side=true -f deploy/clusters/workload/components/certificates
 ```
 
+:::note
+
+If you get a `no endpoints available for service "cert-manager-webhook"` Error
+from server, retry this command.  The `cert-manager` Deployment may still be
+starting up.
+
+:::
+
+
 ### Istio
 
 ```bash
@@ -546,11 +561,21 @@ kubectl get -n istio-gateways gateway default -o json \
   | jq -r '.status.conditions[].message'
 ```
 
+Resource programmed indicates the Gateway is ready.
+
 ```txt
 Resource accepted
 Resource programmed, assigned to service(s) default-istio.istio-gateways.svc.cluster.local:443
 ```
 
+If you see `Failed to assign` then the Gateway pods are likely still starting
+up.  Check them with `kubectl get pods -n istio-gateways`.
+
+```
+Resource accepted
+Failed to assign to any requested addresses: no instances found for hostname "default-istio.istio-gateways.svc.cluster.local"
+```
+
 ### httpbin
 
 httpbin is a simple backend service useful for end-to-end testing.
@@ -609,6 +634,8 @@ Expect a simple `Authenticated` response.
 :::note
 
 Istio will respond with `no healthy upstream` until the pod becomes ready.
+Check on the progress with `kubectl describe pod --namespace holos-system
+--selector app.kubernetes.io/instance=httpbin`.
 
 :::
 
@@ -665,10 +692,11 @@ tokens with may claims are confined to the cluster.
 Verify unauthenticated requests are blocked:
 
 ```bash
-curl https://httpbin.holos.localhost/dump/request
+curl -I https://httpbin.holos.localhost/dump/request
 ```
 
-Expect a response that redirects to the identity provider.
+You should get back a 302 response that redirects the request to the identity
+provider to authenticate.
 
 Verify authenticated requests are allowed:
 

internal/builder/builder.go

@@ -129,6 +129,9 @@ func (b *Builder) Cluster() string {
 // platform.config.json and user data json files located recursively within the
 // userdata directory at the cue module root.
 func (b *Builder) Unify(ctx context.Context, cfg *client.Config) (bd BuildData, err error) {
+	// Ensure the value is from the same runtime, otherwise cue panics.
+	bd.Value = b.ctx.CompileString("")
+
 	cueModDir, err := b.findCueMod()
 	if err != nil {
 		err = errors.Wrap(err)
@@ -190,6 +193,7 @@ func (b *Builder) Unify(ctx context.Context, cfg *client.Config) (bd BuildData,
 	// Fill in #UserData
 	userData, err := loadUserData(b.ctx, bd.ModuleRoot)
 	if err != nil {
+		err = errors.Wrap(err)
 		return
 	}
 	bd.Value = bd.Value.FillPath(cue.ParsePath("#UserData"), userData)
@@ -199,9 +203,16 @@ func (b *Builder) Unify(ctx context.Context, cfg *client.Config) (bd BuildData,
 
 // loadUserData recursively unifies userdata/**/*.json files into cue.Value val.
 func loadUserData(ctx *cue.Context, moduleRoot string) (val cue.Value, err error) {
-	err = filepath.Walk(filepath.Join(moduleRoot, "userdata"), func(path string, info os.FileInfo, err error) error {
+	// Ensure the value is from the same runtime, otherwise cue panics.
+	val = ctx.CompileString("")
+
+	userdataPath := filepath.Join(moduleRoot, "userdata")
+	if err = os.MkdirAll(userdataPath, 0755); err != nil {
+		return val, errors.Wrap(err)
+	}
+	err = filepath.Walk(userdataPath, func(path string, info os.FileInfo, err error) error {
 		if err != nil {
-			return err
+			return errors.Wrap(err)
 		}
 		if !info.IsDir() && filepath.Ext(info.Name()) == ".json" {
 			userData, err := os.ReadFile(path)
@@ -213,7 +224,7 @@ func loadUserData(ctx *cue.Context, moduleRoot string) (val cue.Value, err error
 		return nil
 	})
 
-	return
+	return val, errors.Wrap(err)
 }
 
 // Run builds the cue entrypoint into zero or more Results.  Exactly one CUE

internal/cli/push/push.go

@@ -67,7 +67,7 @@ func NewPlatformForm(cfg *client.Config) *cobra.Command {
 			if err := rpc.UpdateForm(ctx, p.GetId(), form); err != nil {
 				return errors.Wrap(err)
 			}
-			slog.Default().InfoContext(ctx, fmt.Sprintf("browse to form url: %s/ui/platform/%s", cfg.Client().Server(), p.GetId()))
+			slog.Default().InfoContext(ctx, fmt.Sprintf("pushed platform form to: %s/ui/platform/%s", cfg.Client().Server(), p.GetId()))
 		}
 		return nil
 	}

internal/register/register.go

@@ -2,6 +2,7 @@ package register
 
 import (
 	"context"
+	"fmt"
 
 	"connectrpc.com/connect"
 	"github.com/holos-run/holos/internal/client"
@@ -74,7 +75,8 @@ func User(ctx context.Context, cfg *client.Config) error {
 		return errors.Wrap(err)
 	}
 
-	log.InfoContext(ctx, "user", "email", u.GetEmail(), "server", server, "user_id", cc.UserID, "org_id", cc.OrgID)
+	msg := fmt.Sprintf("registered with %s as %s", server, u.GetEmail())
+	log.InfoContext(ctx, msg, "email", u.GetEmail(), "server", server, "user_id", cc.UserID, "org_id", cc.OrgID)
 	return nil
 }
 

version/embedded/patch

@@ -1 +1 @@
-0
+1