WP-0014: Helm adopt and deploy Core Hub on CoulombCore; backup auth tooling
All checks were successful
CI Smoke / host-smoke (push) Successful in 1s
CI Smoke / container-smoke (push) Successful in 20s

Adopt live Core Hub resources, align prod ConfigMap naming, default production
image registry to gitea, and install Helm release core-hub rev 1 (smoke passed).
Add apps-pg-backup and check-backup-lane-auth targets; document OIDC login
requirement now that OpenBao is unsealed.
This commit is contained in:
tegwick 2026-07-10 21:47:14 +02:00
parent 871c56692b
commit e9ee577d03
9 changed files with 101 additions and 31 deletions

31
tools/check-backup-lane-auth.sh Executable file
View file

@ -0,0 +1,31 @@
#!/usr/bin/env bash
set -euo pipefail
path="${RAILIANCE_BACKUP_BAO_PATH:-platform/workloads/railiance/backup/offsite-lane}"
if ! bao status >/dev/null 2>&1; then
echo "ERROR: cannot reach OpenBao at ${BAO_ADDR:-https://bao.coulomb.social}" >&2
exit 1
fi
sealed="$(bao status -format=json 2>/dev/null | python3 -c "import json,sys; print(json.load(sys.stdin).get('sealed', True))")"
if [[ "$sealed" == "True" ]]; then
echo "ERROR: OpenBao is sealed" >&2
exit 1
fi
echo "ok: OpenBao unsealed"
if bao token lookup >/dev/null 2>&1; then
echo "ok: caller token valid"
else
echo "WARN: no valid caller token — run OIDC login:" >&2
echo " bao login -method=oidc -path=netkingdom role=railiance-backup-workload-kv-read" >&2
exit 1
fi
if bao kv metadata get "$path" >/dev/null 2>&1; then
echo "ok: backup offsite-lane path readable"
else
echo "ERROR: cannot read metadata for ${path}" >&2
exit 1
fi