# Credential routing for railiance-apps operators Use `warden route find "" --json` before requesting secrets. ops-warden issues SSH certificates only; other credentials route to OpenBao, key-cape, or platform tooling. ## Production cluster access | Host | IP | Kubeconfig | Tunnel | | --- | --- | --- | --- | | CoulombCore (production apps) | `92.205.130.254` | `~/.kube/config` via `k3s-api-coulombcore` | `bridge up k3s-api-coulombcore` | | Railiance01 (Forgejo S5) | `92.205.62.239` | `~/.kube/config-hosteurope` | `bridge up k3s-api-railiance01` if configured | Core Hub, `vergabe-teilnahme`, and `apps-pg` currently run on **CoulombCore**. Railiance01 hosts Forgejo and a overlapping subset of platform databases. ## Backup lane (Phase 1 — logical pg_dump + age + Nextcloud) | Item | Value | | --- | --- | | Owner | `railiance-platform` | | OpenBao path | `platform/workloads/railiance/backup/offsite-lane` | | Fields | `NC_WEBDAV_TOKEN`, `NC_WEBDAV_URL`, `AGE_PRIVATE_KEY` | | OIDC role | `railiance-backup-workload-kv-read` on auth mount `netkingdom` | | Age key (local) | `~/.config/age/railiance-backup.key` | | warden advisory | `warden access "nextcloud backup webdav token railiance"` | | Platform tool | `make -C ~/railiance-platform forgejo-backup` / `forgejo-backup-dry-run` | | S5 tool | `make apps-pg-backup-dry-run` (encrypt only; upload needs OpenBao) | Login and fetch (operator attended — do not log values): ```bash warden access "openbao login oidc netkingdom backup" --fetch --no-policy # or after browser OIDC: bao login -method=oidc -path=netkingdom role=railiance-backup-workload-kv-read export RAILIANCE_BACKUP_NC_TOKEN=$( bao kv get -field=NC_WEBDAV_TOKEN platform/workloads/railiance/backup/offsite-lane ) ``` **Blocker observed 2026-07-10:** OpenBao at `https://bao.coulomb.social` reports `Vault is sealed`. `warden access issue-core-ingestion-api-key --fetch --no-policy` reaches the broker but fails with the same sealed error. Unseal requires operator shamir keys before any KV fetch succeeds. ## CNPG barman ObjectStore (Phase 2 — deferred) Barman `ObjectStore` + `ScheduledBackup` templates live in `manifests/cnpg-backup-readiness.yaml`. Apply only after platform provisions object-store credentials at a confirmed path. Coordinate via `railiance-platform`; do not invent S3 secrets in this repo. ## Core Hub runtime secrets Core Hub production uses the in-cluster Secret `core-hub-prod-env` on CoulombCore (keys: `CORE_HUB_DATABASE_URL`, `CORE_HUB_API_TOKEN`). Custody is operator/OpenBao; Helm cutover reuses the existing Secret — no secret fetch is required for deploy dry-runs when the Secret already exists. warden advisory for new secret material: ```bash warden access "core hub database url api token" ``` ## SSH certificates ```bash warden inventory list warden sign --pubkey ``` Bridge tunnels (`agt-claude-coulombcore`, `agt-claude-railiance01`) normally provide reachability; refresh certs when `warden status` reports EXPIRED.