WP-0014: Helm adopt and deploy Core Hub on CoulombCore; backup auth tooling
Adopt live Core Hub resources, align prod ConfigMap naming, default production image registry to gitea, and install Helm release core-hub rev 1 (smoke passed). Add apps-pg-backup and check-backup-lane-auth targets; document OIDC login requirement now that OpenBao is unsealed.
This commit is contained in:
parent
871c56692b
commit
e9ee577d03
9 changed files with 101 additions and 31 deletions
31
tools/check-backup-lane-auth.sh
Executable file
31
tools/check-backup-lane-auth.sh
Executable file
|
|
@ -0,0 +1,31 @@
|
|||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
||||
path="${RAILIANCE_BACKUP_BAO_PATH:-platform/workloads/railiance/backup/offsite-lane}"
|
||||
|
||||
if ! bao status >/dev/null 2>&1; then
|
||||
echo "ERROR: cannot reach OpenBao at ${BAO_ADDR:-https://bao.coulomb.social}" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
sealed="$(bao status -format=json 2>/dev/null | python3 -c "import json,sys; print(json.load(sys.stdin).get('sealed', True))")"
|
||||
if [[ "$sealed" == "True" ]]; then
|
||||
echo "ERROR: OpenBao is sealed" >&2
|
||||
exit 1
|
||||
fi
|
||||
echo "ok: OpenBao unsealed"
|
||||
|
||||
if bao token lookup >/dev/null 2>&1; then
|
||||
echo "ok: caller token valid"
|
||||
else
|
||||
echo "WARN: no valid caller token — run OIDC login:" >&2
|
||||
echo " bao login -method=oidc -path=netkingdom role=railiance-backup-workload-kv-read" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if bao kv metadata get "$path" >/dev/null 2>&1; then
|
||||
echo "ok: backup offsite-lane path readable"
|
||||
else
|
||||
echo "ERROR: cannot read metadata for ${path}" >&2
|
||||
exit 1
|
||||
fi
|
||||
Loading…
Add table
Add a link
Reference in a new issue