WP-0014: Helm adopt and deploy Core Hub on CoulombCore; backup auth tooling
All checks were successful
CI Smoke / host-smoke (push) Successful in 1s
CI Smoke / container-smoke (push) Successful in 20s

Adopt live Core Hub resources, align prod ConfigMap naming, default production
image registry to gitea, and install Helm release core-hub rev 1 (smoke passed).
Add apps-pg-backup and check-backup-lane-auth targets; document OIDC login
requirement now that OpenBao is unsealed.
This commit is contained in:
tegwick 2026-07-10 21:47:14 +02:00
parent 871c56692b
commit e9ee577d03
9 changed files with 101 additions and 31 deletions

View file

@ -38,10 +38,10 @@ export RAILIANCE_BACKUP_NC_TOKEN=$(
)
```
**Blocker observed 2026-07-10:** OpenBao at `https://bao.coulomb.social` reports
`Vault is sealed`. `warden access issue-core-ingestion-api-key --fetch --no-policy`
reaches the broker but fails with the same sealed error. Unseal requires operator
shamir keys before any KV fetch succeeds.
**OpenBao unsealed 2026-07-10.** KV fetch still requires a valid caller token via
OIDC (`railiance-backup-workload-kv-read`). Agent sessions cannot complete the
browser callback to `localhost:8250` — run login in an interactive operator shell,
then `make apps-pg-backup` or `tools/check-backup-lane-auth.sh`.
## CNPG barman ObjectStore (Phase 2 — deferred)