Document OpenBao/warden paths for the offsite backup lane and flag the sealed Vault blocker. Point production Makefile targets at CoulombCore, auto-discover CNPG clusters in backup status, add apps-pg pg_dump dry-run tooling, and record Core Hub Helm cutover findings (live gitea image, adopt required).
3 KiB
Credential routing for railiance-apps operators
Use warden route find "<need>" --json before requesting secrets. ops-warden
issues SSH certificates only; other credentials route to OpenBao, key-cape, or
platform tooling.
Production cluster access
| Host | IP | Kubeconfig | Tunnel |
|---|---|---|---|
| CoulombCore (production apps) | 92.205.130.254 |
~/.kube/config via k3s-api-coulombcore |
bridge up k3s-api-coulombcore |
| Railiance01 (Forgejo S5) | 92.205.62.239 |
~/.kube/config-hosteurope |
bridge up k3s-api-railiance01 if configured |
Core Hub, vergabe-teilnahme, and apps-pg currently run on CoulombCore.
Railiance01 hosts Forgejo and a overlapping subset of platform databases.
Backup lane (Phase 1 — logical pg_dump + age + Nextcloud)
| Item | Value |
|---|---|
| Owner | railiance-platform |
| OpenBao path | platform/workloads/railiance/backup/offsite-lane |
| Fields | NC_WEBDAV_TOKEN, NC_WEBDAV_URL, AGE_PRIVATE_KEY |
| OIDC role | railiance-backup-workload-kv-read on auth mount netkingdom |
| Age key (local) | ~/.config/age/railiance-backup.key |
| warden advisory | warden access "nextcloud backup webdav token railiance" |
| Platform tool | make -C ~/railiance-platform forgejo-backup / forgejo-backup-dry-run |
| S5 tool | make apps-pg-backup-dry-run (encrypt only; upload needs OpenBao) |
Login and fetch (operator attended — do not log values):
warden access "openbao login oidc netkingdom backup" --fetch --no-policy
# or after browser OIDC:
bao login -method=oidc -path=netkingdom role=railiance-backup-workload-kv-read
export RAILIANCE_BACKUP_NC_TOKEN=$(
bao kv get -field=NC_WEBDAV_TOKEN platform/workloads/railiance/backup/offsite-lane
)
Blocker observed 2026-07-10: OpenBao at https://bao.coulomb.social reports
Vault is sealed. warden access issue-core-ingestion-api-key --fetch --no-policy
reaches the broker but fails with the same sealed error. Unseal requires operator
shamir keys before any KV fetch succeeds.
CNPG barman ObjectStore (Phase 2 — deferred)
Barman ObjectStore + ScheduledBackup templates live in
manifests/cnpg-backup-readiness.yaml. Apply only after platform provisions
object-store credentials at a confirmed path. Coordinate via railiance-platform;
do not invent S3 secrets in this repo.
Core Hub runtime secrets
Core Hub production uses the in-cluster Secret core-hub-prod-env on CoulombCore
(keys: CORE_HUB_DATABASE_URL, CORE_HUB_API_TOKEN). Custody is operator/OpenBao;
Helm cutover reuses the existing Secret — no secret fetch is required for deploy
dry-runs when the Secret already exists.
warden advisory for new secret material:
warden access "core hub database url api token"
SSH certificates
warden inventory list
warden sign <actor> --pubkey <path>
Bridge tunnels (agt-claude-coulombcore, agt-claude-railiance01) normally
provide reachability; refresh certs when warden status reports EXPIRED.