diff --git a/workplans/IHUB-WP-0018-railiance01-deployment.md b/workplans/IHUB-WP-0018-railiance01-deployment.md index 3259c1c..33385b7 100644 --- a/workplans/IHUB-WP-0018-railiance01-deployment.md +++ b/workplans/IHUB-WP-0018-railiance01-deployment.md @@ -8,7 +8,7 @@ status: active owner: custodian topic_slug: inter_hub created: "2026-04-29" -updated: "2026-06-04" +updated: "2026-06-05" depends_on: IHUB-WP-0015 state_hub_workstream_id: "080d841a-3acd-4adf-b684-2d1890a5e986" --- @@ -68,13 +68,31 @@ no indexed task rows for it. The deployment work is not complete; this file now contains explicit task blocks so the hub can track the remaining Railiance01 deployment work instead of treating the workplan as empty. +## Deployment Review - 2026-06-05 + +Review against the current repo and public Railiance endpoint shows the +deployment scaffold is partially implemented but the live deployment is behind +`origin/main`. + +- `origin/main` is at `a3d980c`, which includes the completed ops-hub bootstrap + API work from `IHUB-WP-0019`. +- `https://hub.coulomb.social/` returns 200 and serves inter-hub. +- The public OpenAPI only lists the older v2 endpoints; it does not include + `/hubs`, `/hub-capability-manifests`, `/api-consumers`, or `/policy-scopes`. +- Unauthenticated `/api/v2/hubs` returns 404 publicly, while current source + should route it and return 401. This means ops-hub bootstrap cannot run + against production until the current image is deployed. +- The registry endpoint returns the expected unauthenticated `/v2/` 401 + challenge, but this workspace does not have `kubectl`, so R3 cluster readiness + cannot be fully verified from here. + ## Tasks -### R1 — Add OCI image build to flake.nix +### R1 - Add OCI image build to flake.nix ```task id: IHUB-WP-0018-T01 -status: todo +status: done priority: high state_hub_task_id: "27420bd7-0f70-4793-8805-393d8d5cacfd" ``` 
@@ -105,9 +123,14 @@ docker run --rm -p 8000:8000 -e DATABASE_URL=... -e IHP_SESSION_SECRET=... inter ``` **Note:** First build pulls the full Haskell binary closure (~2 GB); subsequent -builds are incremental (layer caching). Build must run on haskelseed — the only +builds are incremental (layer caching). Build must run on haskelseed - the only machine with the Nix store populated for GHC 9.10.3. +**Implementation note (2026-06-05):** `flake.nix` exposes `packages.docker = +config.packages.unoptimized-docker-image`, the IHP-provided production OCI +image used by the Railiance runbook. The original `buildLayeredImage` sketch is +superseded by that IHP image path. + ### R2 — Verify container runs correctly ```task @@ -152,6 +175,12 @@ Also confirm: If any check fails, block here and open the relevant Railiance workstream. Do not proceed until all checks pass. +**Review note (2026-06-05):** Public smoke probes show +`https://hub.coulomb.social/` returning 200 and the Gitea registry `/v2/` +endpoint returning the expected unauthenticated 401 challenge. Full R3 remains +blocked from this workspace because `kubectl` is not available here, and the +live app is not serving the current `origin/main` v2 bootstrap routes. + ### R4 — Provision inter-hub database on railiance-platform ```task @@ -202,7 +231,7 @@ using the age key from a Kubernetes Secret (bootstrapped once manually). ```task id: IHUB-WP-0018-T06 -status: blocked +status: in_progress priority: high state_hub_task_id: "4c4acc98-5773-4289-ad57-03f3fd5c381c" ``` 
@@ -234,11 +263,17 @@ chart = "railiance-apps/helm/inter-hub" namespace = "inter-hub" ``` +**Implementation note (2026-06-05):** A Helm chart exists in +`deploy/helm/inter-hub/` with Deployment, Service, Ingress, and values for the +current Gitea registry and `hub.coulomb.social`. Remaining gaps: no repo-root +`app.toml`, no committed SOPS secret manifest, and no separate +`railiance-apps/helm/inter-hub` handoff in this repo. + ### R7 — Gitea Actions CI/CD pipeline ```task id: IHUB-WP-0018-T07 -status: blocked +status: in_progress priority: medium state_hub_task_id: "ec25c67c-3cb0-4534-9fb0-9bd6578a2def" ``` @@ -277,6 +312,13 @@ Secrets in Gitea: `REGISTRY`, `SSH_KEY_HASKELSEED`, `SSH_KEY_COULOMBCORE`. **Alternative if self-hosted runner is available on CoulombCore:** run the deploy step directly without the SSH hop to coulombcore. +**Implementation note (2026-06-05):** `.gitea/workflows/deploy.yaml` exists and +builds `.#docker` on a self-hosted `haskelseed` runner, pushes to +`92.205.130.254:32166/coulomb/inter-hub`, deploys with Helm, and smoke-tests +the public endpoint. Remote `main` is already current, but production is still +serving an older API surface, so the workflow needs an attended rerun/inspection +or a new deployment trigger. + ### R8 — Staged deployment and smoke test ```task @@ -311,7 +353,7 @@ Follow the Railiance staged promotion lifecycle: ```task id: IHUB-WP-0018-T09 -status: blocked +status: in_progress priority: medium state_hub_task_id: "4d1e55c7-8dbb-480f-b07b-6c5e39a04218" ``` 
@@ -319,9 +361,15 @@ state_hub_task_id: "4d1e55c7-8dbb-480f-b07b-6c5e39a04218" secret rotation, rollback (`railiance rollback inter-hub`), log access (`kubectl logs -n inter-hub -l app=inter-hub --tail=100`) - Add progress event to state hub -- Remove haskelseed socat/OpenRC production role note from quickstart — +- Remove haskelseed socat/OpenRC production role note from quickstart - document it as the build machine only, not the production host +**Implementation note (2026-06-05):** `deploy/railiance/RUNBOOK.md` exists and +documents architecture, image build/push, Helm deployment, logs, restart, +rollback, secret rotation, and smoke checks. The deployment record remains +incomplete until current `main` is running and the ops-hub bootstrap smoke test +passes against production. + ## Exit Criteria - `https://hub.coulomb.social/` returns the Landing page (200, no auth)
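Review bot: In the "Deployment Review - 2026-06-05" hunk, the finding that unauthenticated `/api/v2/hubs` returns 404 in production while current source should return 401 is recorded as prose only, with no task block to track "deploy the current image". Since the rest of this file was changed specifically so the hub stops treating the workplan as empty, that gap should get its own `task` block (or be folded into T07/T08) so the blocker is visible in the hub. It would also help to record which image tag or digest production was serving at review time next to the `a3d980c` note, so the "live deployment is behind `origin/main`" claim is reproducible later.

Review bot: In the R1 implementation-note hunk, `packages.docker = config.packages.unoptimized-docker-image` is now the production image path, but the earlier text about the ~2 GB closure and the `buildLayeredImage` sketch is left standing and only described as "superseded". Either remove the stale sketch or mark it clearly as historical, and state why the unoptimized IHP image is acceptable for production (closure size and scan surface) rather than a trimmed one, so a later reader does not reintroduce the old approach. Note the heading `### R1 - Add OCI image build` was switched from an em-dash to a hyphen while R2, R4, R7, R8 keep the em-dash; pick one style for all task headings.

Review bot: In the R3 review-note hunk, the note says full R3 "remains blocked from this workspace" and the unchanged context immediately above says "Do not proceed until all checks pass", yet the same patch moves T06, T07 and T09 from `blocked` to `in_progress`. Either the R3 rule needs softening (e.g. "cluster checks may be verified later from a workstation with `kubectl`") or the downstream statuses should stay `blocked` until R3 is actually verified; as written the document contradicts itself.

Review bot: In the Helm/R6 implementation-note hunk, the listed gaps include "no committed SOPS secret manifest" and "no repo-root `app.toml`", but T06 is set to `in_progress` without sub-items for them. Suggest adding those as explicit checklist lines under R6 and stating that only the SOPS-encrypted form of the secret manifest is ever committed, matching the age-key bootstrapping described in the surrounding text. Separately, the R7 note hardcodes `92.205.130.254:32166/coulomb/inter-hub` while the unchanged context says the registry address lives in the `REGISTRY` Gitea secret; the doc should reference the secret rather than duplicate the literal, and should say whether Helm values pin the image by digest or by a mutable tag, since a mutable tag would explain why production is "still serving an older API surface" with `main` already current.

Review bot: In the R9 runbook-note hunk, the condition "until ... the ops-hub bootstrap smoke test passes against production" is the real completion gate but it is not reflected in the `## Exit Criteria` section that follows, which still lists only the landing-page 200 check. Add an exit criterion for the bootstrap probe (unauthenticated `/api/v2/hubs` returns 401, and the public OpenAPI lists `/hubs`, `/hub-capability-manifests`, `/api-consumers`, `/policy-scopes`), since those are exactly the observations the 2026-06-05 review used to conclude the deployment is stale.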