df7225dd3e
RAILIANCE-WP-0012/0013/0014: Core Hub S5 release, CNPG observability, and follow-up workplans
...
CI Smoke / host-smoke (push) Successful in 0s
CI Smoke / container-smoke (push) Successful in 5s
Deliver the inbox-suggestion implementation from WP-0012: Core Hub Helm chart
and Makefile targets, CNPG backup status tooling, and updated backup handoff
docs. Archive the finished WP-0012 workplan and register ready follow-ups
WP-0013 (CNPG backup wiring + restore drill) and WP-0014 (Core Hub Helm
cutover and vergabe-teilnahme image refresh).
2026-07-10 15:14:20 +02:00
04be41621d
Migrate OCI image refs from Gitea to Forgejo registry
...
CI Smoke / host-smoke (push) Successful in 1s
CI Smoke / container-smoke (push) Successful in 16s
Update charts, helm values, Makefile defaults, and operator docs to use
forgejo.coulomb.social for inter-hub, reuse-surface, and vergabe-teilnahme.
2026-07-09 11:38:14 +02:00
b525faa896
docs(CORE-WP-0007): mark inter-hub railiance01 surface retired
CI Smoke / host-smoke (push) Successful in 0s
CI Smoke / container-smoke (push) Successful in 17s
2026-07-08 12:48:04 +02:00
0968f1d5d5
Add reuse-webhook-smoke and rotation runbook links
...
CI Smoke / host-smoke (push) Successful in 0s
CI Smoke / container-smoke (push) Successful in 2s
RAILIANCE-WP-0011-T04: smoke checks unsigned 401, signed no-op 200, ESO Ready,
and /v1/federated; point operator docs at platform rotation runbook.
2026-07-08 00:01:21 +02:00
85e9163bb0
Point reuse-surface token export handoff at OpenBao path
...
CI Smoke / host-smoke (push) Successful in 0s
CI Smoke / container-smoke (push) Successful in 4s
Primary operator fetch is bao kv get per RAILIANCE-WP-0011-T03; kubectl
remains break-glass when OpenBao is unreachable.
2026-07-07 22:38:45 +02:00
40f0cb741d
Deploy reuse-surface runtime secrets via OpenBao External Secrets
...
CI Smoke / host-smoke (push) Successful in 3s
CI Smoke / container-smoke (push) Successful in 48s
Add openbao-reuse ClusterSecretStore handoff, reuse-surface-runtime
ExternalSecret, ESO token bootstrap script, and Makefile targets for
CCR-2026-0005 / RAILIANCE-WP-0011.
2026-07-07 22:34:34 +02:00
3a9236148a
Add Forgejo T05 verify, operator bootstrap, and security hardening
...
CI Smoke / host-smoke (push) Successful in 1s
CI Smoke / container-smoke (push) Successful in 3s
Introduce forgejo-verify acceptance checks, idempotent operator bootstrap,
runner registration SOPS capture helper, and session/security Helm values.
2026-07-07 22:09:53 +02:00
9b31f229e8
Document reuse-surface runtime secrets and Forgejo org webhook
...
CI Smoke / host-smoke (push) Successful in 0s
CI Smoke / container-smoke (push) Successful in 3s
Add runbook coverage for REUSE_SURFACE_TOKEN and
REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET in reuse-surface-env, plus an
idempotent make reuse-forgejo-webhook target that wires the coulomb org
push webhook to the hub receiver.
2026-07-07 21:28:46 +02:00
bcb05f5d95
Record e3ae22e deploy and flag /health ingress routing bug
...
CI Smoke / host-smoke (push) Successful in 0s
CI Smoke / container-smoke (push) Successful in 1s
Found while smoke-testing the REUSE-WP-0019-T01/T02 deploy: GET
/v1/federated works (200) but the exact-path /health rule 404s at the
Traefik edge, shadowed by the catch-all / rule to reuse-surface-landing.
Confirmed pod/service-level health is fine (direct port-forward works,
readiness/liveness probes pass, pod is 1/1 Ready) -- this is an ingress
routing config issue affecting external monitoring only, not the API
itself. Not fixed here; needs a Traefik router priority annotation on
charts/reuse-surface/templates/ingress.yaml, a deliberate change to shared
production ingress outside this task's scope.
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
2026-07-07 20:14:29 +02:00
3e211a1cb4
Fix Forgejo IONOS SMTP: STARTTLS on smtp.ionos.de
...
CI Smoke / host-smoke (push) Successful in 1s
CI Smoke / container-smoke (push) Successful in 3s
Use PROTOCOL=smtp+starttls with the EU relay (smtp.ionos.de). Port 587 with
implicit TLS on smtp.ionos.com failed TLS handshake; .com auth also fails for
EU mailboxes. Document OpenBao PASSWD field mapping in operator docs.
2026-07-07 16:40:12 +02:00
844a3503bb
Add interim coulombcore OpenBao token bootstrap for Forgejo mailer ESO
...
Document two OpenBao instances and add forgejo-openbao-eso-token-apply for
ClusterSecretStore openbao-forgejo on bao.coulomb.social.
2026-07-07 14:35:49 +02:00
d5bb4f66f2
Wire Forgejo SMTP password from OpenBao via External Secrets
...
CI Smoke / host-smoke (push) Successful in 1s
CI Smoke / container-smoke (push) Successful in 5s
Add forgejo-mailer ExternalSecret, inject GITEA__mailer__PASSWD from the
synced Secret, remove mailer from SOPS overlay, and add ESO bootstrap targets.
2026-07-07 14:30:02 +02:00
24c8882b69
Enable IONOS SMTP mailer for Forgejo on railiance01
...
CI Smoke / host-smoke (push) Successful in 1s
CI Smoke / container-smoke (push) Successful in 2s
Wire forgejo@coulomb.social via smtp.ionos.com:587 in Helm values and add
SOPS-encrypted mailbox password overlay for forgejo-deploy.
2026-07-07 02:42:46 +02:00
0f0b340754
Add in-cluster Forgejo Actions runner manifests (ADR-004)
...
DinD sidecar + forgejo-runner Deployment with PVC-backed registration
state. Makefile targets for registration secret, deploy, and status.
2026-07-03 22:29:27 +02:00
f49be83f7e
Enable Forgejo Actions and Recreate deployment strategy
...
Actions are required for CI runners. Recreate avoids leveldb queue lock
contention on the shared PVC during Helm upgrades.
2026-07-03 21:44:57 +02:00
75698636c6
Deploy Forgejo on railiance01 using gitea-charts/gitea 12.5.0
...
Pin chart to 12.5.0 because 12.6+ calls `gitea config edit-ini`, which
Forgejo 11 lacks. Ingress targets forgejo-gitea-http (Helm release naming).
Smoke test uses GET for /v2/ registry challenge (HEAD returns 405).
2026-07-03 21:28:37 +02:00
6abf75365b
Harden inter-hub production deploy trigger
2026-06-15 22:44:13 +02:00
c7d49d3102
Handle app deployment guardrail suggestions
2026-06-15 22:07:03 +02:00
b859530fcf
Add reuse service landing page
2026-06-15 15:40:57 +02:00
07ad27176e
Note bootstrap removal and DNS propagation on production IP
2026-06-15 10:31:16 +02:00
7c05877f1e
Correct reuse-surface target: Railiance01 92.205.62.239
...
Document production vs CoulombCore bootstrap IPs and deploy via
config-hosteurope. Public DNS for reuse.coulomb.social still wrong.
2026-06-15 10:24:32 +02:00
77aa0d76f5
Finish RAILIANCE-WP-0007: reuse-surface hub deployed on railiance01
...
Helm revision 3 with image cb7a6e4. Runbook updated with TLS/DNS operator
guidance and smoke-check commands.
2026-06-15 10:15:36 +02:00
37a5c2f690
Record reuse.coulomb.social DNS; add deploy runbook; close T03
2026-06-15 09:45:17 +02:00
2b46f85c55
Close issue-core package blocker
2026-06-05 20:42:31 +02:00
9c2713f9c4
Close S5 app readiness workplan
2026-06-05 17:59:35 +02:00
0ae9bca830
Decommission forge compatibility pointers
2026-06-05 17:33:52 +02:00
a715be6d28
Delegate Gitea operations to forge
2026-06-05 13:19:12 +02:00
c8e50e6e84
Point app registry docs at railiance-forge
2026-06-05 12:07:26 +02:00
934770cb68
Implement app deployment improvements
2026-05-22 22:25:40 +02:00
398b0fe211
RAILIANCE-WP-0002 finished: vergabe-teilnahme T07+T08 done
...
T07 smoke: migrate all apps; /health/ 200, /ausschreibungen/dashboard/ Übersicht, /admin/login/ Anmelden, static assets (Tailwind, Alpine, htmx, Django admin) all 200. Auth-required smoke and createsuperuser deferred to the operator (interactive credentials not safe through this session); seed_dev deliberately skipped (hardcoded dev user). T08 runbook in docs/vergabe-teilnahme.md: identity, secret rotation recipes, day-to-day make targets, image promotion + rollback, troubleshooting, deferred backup posture, cross-refs.
Workplan status: finished. vergabe-teilnahme is the second S5 application on railiance01 (after Gitea).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-19 20:43:04 +02:00
8d7f77ac2a
Finish Gitea container registry workplan
2026-05-19 01:50:22 +02:00
e24568cb40
Gitea container repo activation
2026-05-15 23:02:21 +02:00