WP-0014: Helm adopt and deploy Core Hub on CoulombCore; backup auth tooling
All checks were successful
CI Smoke / host-smoke (push) Successful in 1s
CI Smoke / container-smoke (push) Successful in 20s

Adopt live Core Hub resources, align prod ConfigMap naming, default production
image registry to gitea, and install Helm release core-hub rev 1 (smoke passed).
Add apps-pg-backup and check-backup-lane-auth targets; document OIDC login
requirement now that OpenBao is unsealed.
This commit is contained in:
tegwick 2026-07-10 21:47:14 +02:00
parent 871c56692b
commit e9ee577d03
9 changed files with 101 additions and 31 deletions

View file

@ -34,15 +34,14 @@ id: RAILIANCE-WP-0013-T01
status: progress
priority: high
needs_human: true
intervention_note: "OpenBao sealed at bao.coulomb.social — operator unseal + OIDC login (railiance-backup-workload-kv-read) required"
intervention_note: "OpenBao unsealed; OIDC login required in interactive shell (browser callback localhost:8250) before offsite-lane upload"
state_hub_task_id: "f2051213-0a9f-418e-82ad-9bd7c79fd0dc"
```
Credential routing in `docs/credential-routing-railiance-apps.md`. `warden access`
reaches the platform broker; KV fetch fails while OpenBao is sealed. Phase 1 lane:
`platform/workloads/railiance/backup/offsite-lane`. CoulombCore clusters:
`apps-pg`, `gitea-db`, `net-kingdom-pg`, `state-hub-db`. `make apps-pg-backup-dry-run`
succeeded (pg_dump + age encrypt; upload blocked on offsite-lane).
OpenBao unsealed (2026-07-10). Stale `~/.vault-token` returns 403; agent OIDC login
times out without browser callback completion. Operator command:
`bao login -method=oidc -path=netkingdom role=railiance-backup-workload-kv-read`.
Then `make apps-pg-backup` uploads via offsite-lane. Dry-run path proven.
## Wire apps-pg backup coverage