WP-0014: Helm adopt and deploy Core Hub on CoulombCore; backup auth tooling
Adopt live Core Hub resources, align prod ConfigMap naming, default production image registry to gitea, and install Helm release core-hub rev 1 (smoke passed). Add apps-pg-backup and check-backup-lane-auth targets; document OIDC login requirement now that OpenBao is unsealed.
This commit is contained in:
parent
871c56692b
commit
e9ee577d03
9 changed files with 101 additions and 31 deletions
|
|
@ -38,10 +38,10 @@ export RAILIANCE_BACKUP_NC_TOKEN=$(
|
|||
)
|
||||
```
|
||||
|
||||
**Blocker observed 2026-07-10:** OpenBao at `https://bao.coulomb.social` reports
|
||||
`Vault is sealed`. `warden access issue-core-ingestion-api-key --fetch --no-policy`
|
||||
reaches the broker but fails with the same sealed error. Unseal requires operator
|
||||
shamir keys before any KV fetch succeeds.
|
||||
**OpenBao unsealed 2026-07-10.** KV fetch still requires a valid caller token via
|
||||
OIDC (`railiance-backup-workload-kv-read`). Agent sessions cannot complete the
|
||||
browser callback to `localhost:8250` — run login in an interactive operator shell,
|
||||
then `make apps-pg-backup` or `tools/check-backup-lane-auth.sh`.
|
||||
|
||||
## CNPG barman ObjectStore (Phase 2 — deferred)
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue