WP-0013/0014: warden credential routing, CoulombCore kubeconfig, apps-pg backup dry-run
Document OpenBao/warden paths for the offsite backup lane and flag the sealed Vault blocker. Point production Makefile targets at CoulombCore, auto-discover CNPG clusters in backup status, add apps-pg pg_dump dry-run tooling, and record Core Hub Helm cutover findings (live gitea image, adopt required).
This commit is contained in:
parent
cd7e7035ce
commit
a689270f18
7 changed files with 229 additions and 41 deletions
|
|
@ -1,13 +1,18 @@
|
|||
# Core Hub on railiance01
|
||||
# Core Hub on CoulombCore (production)
|
||||
|
||||
`hub.coulomb.social` serves Core Hub in production. This repo owns the S5 Helm
|
||||
release path; Core Hub owns the application image, migrations, and API behavior.
|
||||
`hub.coulomb.social` serves Core Hub in production on **CoulombCore**
|
||||
(`92.205.130.254`). This repo owns the S5 Helm release path; Core Hub owns the
|
||||
application image, migrations, and API behavior.
|
||||
|
||||
Railiance01 (`92.205.62.239`) hosts Forgejo and overlapping platform services but
|
||||
not the live Core Hub or `vergabe-teilnahme` releases as of 2026-07-10.
|
||||
|
||||
## Hosts and release surface
|
||||
|
||||
| Server | IP | Role |
|
||||
|---|---|---|
|
||||
| Railiance01 | `92.205.62.239` | Production k3s; deploy S5 apps here |
|
||||
| CoulombCore | `92.205.130.254` | Production k3s for Core Hub and S5 apps |
|
||||
| Railiance01 | `92.205.62.239` | Forgejo and platform overlap |
|
||||
|
||||
| Item | Production | Staging |
|
||||
|---|---|---|
|
||||
|
|
@ -34,8 +39,10 @@ is the only schema path.
|
|||
|
||||
## Deploy
|
||||
|
||||
Use the Railiance01 kubeconfig. The Makefile defaults to
|
||||
`~/.kube/config-hosteurope` and fails fast when it is missing.
|
||||
Use the CoulombCore kubeconfig. The Makefile defaults to `~/.kube/config`
|
||||
(tunnel `bridge up k3s-api-coulombcore`) and fails fast when the API is
|
||||
unreachable. See `docs/credential-routing-railiance-apps.md` for cluster and
|
||||
credential boundaries.
|
||||
|
||||
```bash
|
||||
make core-hub-render-baseline
|
||||
|
|
|
|||
74
docs/credential-routing-railiance-apps.md
Normal file
74
docs/credential-routing-railiance-apps.md
Normal file
|
|
@ -0,0 +1,74 @@
|
|||
# Credential routing for railiance-apps operators
|
||||
|
||||
Use `warden route find "<need>" --json` before requesting secrets. ops-warden
|
||||
issues SSH certificates only; other credentials route to OpenBao, key-cape, or
|
||||
platform tooling.
|
||||
|
||||
## Production cluster access
|
||||
|
||||
| Host | IP | Kubeconfig | Tunnel |
|
||||
| --- | --- | --- | --- |
|
||||
| CoulombCore (production apps) | `92.205.130.254` | `~/.kube/config` via `k3s-api-coulombcore` | `bridge up k3s-api-coulombcore` |
|
||||
| Railiance01 (Forgejo S5) | `92.205.62.239` | `~/.kube/config-hosteurope` | `bridge up k3s-api-railiance01` if configured |
|
||||
|
||||
Core Hub, `vergabe-teilnahme`, and `apps-pg` currently run on **CoulombCore**.
|
||||
Railiance01 hosts Forgejo and a overlapping subset of platform databases.
|
||||
|
||||
## Backup lane (Phase 1 — logical pg_dump + age + Nextcloud)
|
||||
|
||||
| Item | Value |
|
||||
| --- | --- |
|
||||
| Owner | `railiance-platform` |
|
||||
| OpenBao path | `platform/workloads/railiance/backup/offsite-lane` |
|
||||
| Fields | `NC_WEBDAV_TOKEN`, `NC_WEBDAV_URL`, `AGE_PRIVATE_KEY` |
|
||||
| OIDC role | `railiance-backup-workload-kv-read` on auth mount `netkingdom` |
|
||||
| Age key (local) | `~/.config/age/railiance-backup.key` |
|
||||
| warden advisory | `warden access "nextcloud backup webdav token railiance"` |
|
||||
| Platform tool | `make -C ~/railiance-platform forgejo-backup` / `forgejo-backup-dry-run` |
|
||||
| S5 tool | `make apps-pg-backup-dry-run` (encrypt only; upload needs OpenBao) |
|
||||
|
||||
Login and fetch (operator attended — do not log values):
|
||||
|
||||
```bash
|
||||
warden access "openbao login oidc netkingdom backup" --fetch --no-policy
|
||||
# or after browser OIDC:
|
||||
bao login -method=oidc -path=netkingdom role=railiance-backup-workload-kv-read
|
||||
export RAILIANCE_BACKUP_NC_TOKEN=$(
|
||||
bao kv get -field=NC_WEBDAV_TOKEN platform/workloads/railiance/backup/offsite-lane
|
||||
)
|
||||
```
|
||||
|
||||
**Blocker observed 2026-07-10:** OpenBao at `https://bao.coulomb.social` reports
|
||||
`Vault is sealed`. `warden access issue-core-ingestion-api-key --fetch --no-policy`
|
||||
reaches the broker but fails with the same sealed error. Unseal requires operator
|
||||
shamir keys before any KV fetch succeeds.
|
||||
|
||||
## CNPG barman ObjectStore (Phase 2 — deferred)
|
||||
|
||||
Barman `ObjectStore` + `ScheduledBackup` templates live in
|
||||
`manifests/cnpg-backup-readiness.yaml`. Apply only after platform provisions
|
||||
object-store credentials at a confirmed path. Coordinate via `railiance-platform`;
|
||||
do not invent S3 secrets in this repo.
|
||||
|
||||
## Core Hub runtime secrets
|
||||
|
||||
Core Hub production uses the in-cluster Secret `core-hub-prod-env` on CoulombCore
|
||||
(keys: `CORE_HUB_DATABASE_URL`, `CORE_HUB_API_TOKEN`). Custody is operator/OpenBao;
|
||||
Helm cutover reuses the existing Secret — no secret fetch is required for deploy
|
||||
dry-runs when the Secret already exists.
|
||||
|
||||
warden advisory for new secret material:
|
||||
|
||||
```bash
|
||||
warden access "core hub database url api token"
|
||||
```
|
||||
|
||||
## SSH certificates
|
||||
|
||||
```bash
|
||||
warden inventory list
|
||||
warden sign <actor> --pubkey <path>
|
||||
```
|
||||
|
||||
Bridge tunnels (`agt-claude-coulombcore`, `agt-claude-railiance01`) normally
|
||||
provide reachability; refresh certs when `warden status` reports EXPIRED.
|
||||
Loading…
Add table
Add a link
Reference in a new issue