railiance-apps/docs/credential-routing-railiance-apps.md
tegwick a689270f18
All checks were successful
CI Smoke / host-smoke (push) Successful in 1s
CI Smoke / container-smoke (push) Successful in 13s
WP-0013/0014: warden credential routing, CoulombCore kubeconfig, apps-pg backup dry-run
Document OpenBao/warden paths for the offsite backup lane and flag the sealed
Vault blocker. Point production Makefile targets at CoulombCore, auto-discover
CNPG clusters in backup status, add apps-pg pg_dump dry-run tooling, and
record Core Hub Helm cutover findings (live gitea image, adopt required).
2026-07-10 15:46:02 +02:00

3 KiB

Credential routing for railiance-apps operators

Use warden route find "<need>" --json before requesting secrets. ops-warden issues SSH certificates only; other credentials route to OpenBao, key-cape, or platform tooling.

Production cluster access

Host IP Kubeconfig Tunnel
CoulombCore (production apps) 92.205.130.254 ~/.kube/config via k3s-api-coulombcore bridge up k3s-api-coulombcore
Railiance01 (Forgejo S5) 92.205.62.239 ~/.kube/config-hosteurope bridge up k3s-api-railiance01 if configured

Core Hub, vergabe-teilnahme, and apps-pg currently run on CoulombCore. Railiance01 hosts Forgejo and a overlapping subset of platform databases.

Backup lane (Phase 1 — logical pg_dump + age + Nextcloud)

Item Value
Owner railiance-platform
OpenBao path platform/workloads/railiance/backup/offsite-lane
Fields NC_WEBDAV_TOKEN, NC_WEBDAV_URL, AGE_PRIVATE_KEY
OIDC role railiance-backup-workload-kv-read on auth mount netkingdom
Age key (local) ~/.config/age/railiance-backup.key
warden advisory warden access "nextcloud backup webdav token railiance"
Platform tool make -C ~/railiance-platform forgejo-backup / forgejo-backup-dry-run
S5 tool make apps-pg-backup-dry-run (encrypt only; upload needs OpenBao)

Login and fetch (operator attended — do not log values):

warden access "openbao login oidc netkingdom backup" --fetch --no-policy
# or after browser OIDC:
bao login -method=oidc -path=netkingdom role=railiance-backup-workload-kv-read
export RAILIANCE_BACKUP_NC_TOKEN=$(
  bao kv get -field=NC_WEBDAV_TOKEN platform/workloads/railiance/backup/offsite-lane
)

Blocker observed 2026-07-10: OpenBao at https://bao.coulomb.social reports Vault is sealed. warden access issue-core-ingestion-api-key --fetch --no-policy reaches the broker but fails with the same sealed error. Unseal requires operator shamir keys before any KV fetch succeeds.

CNPG barman ObjectStore (Phase 2 — deferred)

Barman ObjectStore + ScheduledBackup templates live in manifests/cnpg-backup-readiness.yaml. Apply only after platform provisions object-store credentials at a confirmed path. Coordinate via railiance-platform; do not invent S3 secrets in this repo.

Core Hub runtime secrets

Core Hub production uses the in-cluster Secret core-hub-prod-env on CoulombCore (keys: CORE_HUB_DATABASE_URL, CORE_HUB_API_TOKEN). Custody is operator/OpenBao; Helm cutover reuses the existing Secret — no secret fetch is required for deploy dry-runs when the Secret already exists.

warden advisory for new secret material:

warden access "core hub database url api token" 

SSH certificates

warden inventory list
warden sign <actor> --pubkey <path>

Bridge tunnels (agt-claude-coulombcore, agt-claude-railiance01) normally provide reachability; refresh certs when warden status reports EXPIRED.