2026-07-10 15:46:02 +02:00
|
|
|
# Credential routing for railiance-apps operators
|
|
|
|
|
|
|
|
|
|
Use `warden route find "<need>" --json` before requesting secrets. ops-warden
|
|
|
|
|
issues SSH certificates only; other credentials route to OpenBao, key-cape, or
|
|
|
|
|
platform tooling.
|
|
|
|
|
|
|
|
|
|
## Production cluster access
|
|
|
|
|
|
|
|
|
|
| Host | IP | Kubeconfig | Tunnel |
|
|
|
|
|
| --- | --- | --- | --- |
|
|
|
|
|
| CoulombCore (production apps) | `92.205.130.254` | `~/.kube/config` via `k3s-api-coulombcore` | `bridge up k3s-api-coulombcore` |
|
|
|
|
|
| Railiance01 (Forgejo S5) | `92.205.62.239` | `~/.kube/config-hosteurope` | `bridge up k3s-api-railiance01` if configured |
|
|
|
|
|
|
|
|
|
|
Core Hub, `vergabe-teilnahme`, and `apps-pg` currently run on **CoulombCore**.
|
|
|
|
|
Railiance01 hosts Forgejo and a overlapping subset of platform databases.
|
|
|
|
|
|
|
|
|
|
## Backup lane (Phase 1 — logical pg_dump + age + Nextcloud)
|
|
|
|
|
|
|
|
|
|
| Item | Value |
|
|
|
|
|
| --- | --- |
|
|
|
|
|
| Owner | `railiance-platform` |
|
|
|
|
|
| OpenBao path | `platform/workloads/railiance/backup/offsite-lane` |
|
|
|
|
|
| Fields | `NC_WEBDAV_TOKEN`, `NC_WEBDAV_URL`, `AGE_PRIVATE_KEY` |
|
|
|
|
|
| OIDC role | `railiance-backup-workload-kv-read` on auth mount `netkingdom` |
|
|
|
|
|
| Age key (local) | `~/.config/age/railiance-backup.key` |
|
|
|
|
|
| warden advisory | `warden access "nextcloud backup webdav token railiance"` |
|
|
|
|
|
| Platform tool | `make -C ~/railiance-platform forgejo-backup` / `forgejo-backup-dry-run` |
|
|
|
|
|
| S5 tool | `make apps-pg-backup-dry-run` (encrypt only; upload needs OpenBao) |
|
|
|
|
|
|
|
|
|
|
Login and fetch (operator attended — do not log values):
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
warden access "openbao login oidc netkingdom backup" --fetch --no-policy
|
|
|
|
|
# or after browser OIDC:
|
|
|
|
|
bao login -method=oidc -path=netkingdom role=railiance-backup-workload-kv-read
|
|
|
|
|
export RAILIANCE_BACKUP_NC_TOKEN=$(
|
|
|
|
|
bao kv get -field=NC_WEBDAV_TOKEN platform/workloads/railiance/backup/offsite-lane
|
|
|
|
|
)
|
|
|
|
|
```
|
|
|
|
|
|
2026-07-10 21:47:14 +02:00
|
|
|
**OpenBao unsealed 2026-07-10.** KV fetch still requires a valid caller token via
|
|
|
|
|
OIDC (`railiance-backup-workload-kv-read`). Agent sessions cannot complete the
|
|
|
|
|
browser callback to `localhost:8250` — run login in an interactive operator shell,
|
|
|
|
|
then `make apps-pg-backup` or `tools/check-backup-lane-auth.sh`.
|
2026-07-10 15:46:02 +02:00
|
|
|
|
|
|
|
|
## CNPG barman ObjectStore (Phase 2 — deferred)
|
|
|
|
|
|
|
|
|
|
Barman `ObjectStore` + `ScheduledBackup` templates live in
|
|
|
|
|
`manifests/cnpg-backup-readiness.yaml`. Apply only after platform provisions
|
|
|
|
|
object-store credentials at a confirmed path. Coordinate via `railiance-platform`;
|
|
|
|
|
do not invent S3 secrets in this repo.
|
|
|
|
|
|
|
|
|
|
## Core Hub runtime secrets
|
|
|
|
|
|
|
|
|
|
Core Hub production uses the in-cluster Secret `core-hub-prod-env` on CoulombCore
|
|
|
|
|
(keys: `CORE_HUB_DATABASE_URL`, `CORE_HUB_API_TOKEN`). Custody is operator/OpenBao;
|
|
|
|
|
Helm cutover reuses the existing Secret — no secret fetch is required for deploy
|
|
|
|
|
dry-runs when the Secret already exists.
|
|
|
|
|
|
|
|
|
|
warden advisory for new secret material:
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
warden access "core hub database url api token"
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## SSH certificates
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
warden inventory list
|
|
|
|
|
warden sign <actor> --pubkey <path>
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Bridge tunnels (`agt-claude-coulombcore`, `agt-claude-railiance01`) normally
|
|
|
|
|
provide reachability; refresh certs when `warden status` reports EXPIRED.
|