chore: record railiance deployment review
Some checks failed
Build and Deploy / build-push-deploy (push) Has been cancelled

2026-06-05 22:36:36 +02:00
parent a3d980c8c6
commit ae9e4971d9


@@ -8,7 +8,7 @@ status: active
owner: custodian
topic_slug: inter_hub
created: "2026-04-29"
updated: "2026-06-04"
updated: "2026-06-05"
depends_on: IHUB-WP-0015
state_hub_workstream_id: "080d841a-3acd-4adf-b684-2d1890a5e986"
---
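Review bot: nothing to change here; the `updated` bump to "2026-06-05" matches the dated review and implementation notes this commit adds, and `status: active` remains correct since the file still records unfinished deployment work.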
@@ -68,13 +68,31 @@ no indexed task rows for it. The deployment work is not complete; this file now
contains explicit task blocks so the hub can track the remaining Railiance01
deployment work instead of treating the workplan as empty.
## Deployment Review - 2026-06-05
Review against the current repo and public Railiance endpoint shows the
deployment scaffold is partially implemented but the live deployment is behind
`origin/main`.
- `origin/main` is at `a3d980c`, which includes the completed ops-hub bootstrap
API work from `IHUB-WP-0019`.
- `https://hub.coulomb.social/` returns 200 and serves inter-hub.
- The public OpenAPI only lists the older v2 endpoints; it does not include
`/hubs`, `/hub-capability-manifests`, `/api-consumers`, or `/policy-scopes`.
- Unauthenticated `/api/v2/hubs` returns 404 publicly, while current source
should route it and return 401. This means ops-hub bootstrap cannot run
against production until the current image is deployed.
- The registry endpoint returns the expected unauthenticated `/v2/` 401
challenge, but this workspace does not have `kubectl`, so R3 cluster readiness
cannot be fully verified from here.
## Tasks
### R1 Add OCI image build to flake.nix
### R1 - Add OCI image build to flake.nix
```task
id: IHUB-WP-0018-T01
status: todo
status: done
priority: high
state_hub_task_id: "27420bd7-0f70-4793-8805-393d8d5cacfd"
```
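Review bot: the review section says the live deployment is behind `origin/main` but records only the source side (`a3d980c`); add the commit or image tag the production pod is actually serving so the gap is verifiable and the next reviewer can tell when it closes. The 404-versus-401 observation on unauthenticated `/api/v2/hubs` is the right discriminator (404 means the route is not deployed, 401 means it is deployed and auth is enforced), so it belongs as an explicit check in the R3 list rather than only in the review narrative. Minor: the reworded heading `### R1 - Add OCI image build to flake.nix` uses a hyphen while the sibling heading `### R2 — Verify container runs correctly` uses an em dash; keep one form.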
@@ -105,9 +123,14 @@ docker run --rm -p 8000:8000 -e DATABASE_URL=... -e IHP_SESSION_SECRET=... inter
```
**Note:** First build pulls the full Haskell binary closure (~2 GB); subsequent
builds are incremental (layer caching). Build must run on haskelseed the only
builds are incremental (layer caching). Build must run on haskelseed - the only
machine with the Nix store populated for GHC 9.10.3.
**Implementation note (2026-06-05):** `flake.nix` exposes `packages.docker =
config.packages.unoptimized-docker-image`, the IHP-provided production OCI
image used by the Railiance runbook. The original `buildLayeredImage` sketch is
superseded by that IHP image path.
### R2 — Verify container runs correctly
```task
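Review bot: the implementation note names the production image as `config.packages.unoptimized-docker-image`; if that is the intended production path, say so in one clause, otherwise a reader will assume an optimized or hardened variant is still pending. Separately, the context line `docker run --rm ... -e DATABASE_URL=... -e IHP_SESSION_SECRET=...` passes both secrets as command-line environment arguments, which leaves them in shell history and in `docker inspect` output; for the runbook prefer `--env-file` with a file kept out of the repo, or point at the SOPS-managed secret. The duplicated-line fix (`haskelseed - the only machine`) reads fine.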
@@ -152,6 +175,12 @@ Also confirm:
If any check fails, block here and open the relevant Railiance workstream.
Do not proceed until all checks pass.
**Review note (2026-06-05):** Public smoke probes show
`https://hub.coulomb.social/` returning 200 and the Gitea registry `/v2/`
endpoint returning the expected unauthenticated 401 challenge. Full R3 remains
blocked from this workspace because `kubectl` is not available here, and the
live app is not serving the current `origin/main` v2 bootstrap routes.
### R4 — Provision inter-hub database on railiance-platform
```task
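Review bot: the review note records probe results but not the probes; add the exact `curl` invocations (URL, whether credentials were supplied, expected versus observed status) next to the results so the R3 checklist can be re-run by whoever has `kubectl`, and so the 401 on the registry `/v2/` endpoint is recorded as an auth-enforcement check rather than an incidental observation. The gate text just above ("Do not proceed until all checks pass") still applies, so stating which R3 sub-checks passed (public 200, registry 401) and which remain unverified (cluster readiness) would make the partial state unambiguous.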
@@ -202,7 +231,7 @@ using the age key from a Kubernetes Secret (bootstrapped once manually).
```task
id: IHUB-WP-0018-T06
status: blocked
status: in_progress
priority: high
state_hub_task_id: "4c4acc98-5773-4289-ad57-03f3fd5c381c"
```
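Review bot: `status: blocked` to `status: in_progress` for T06 sits awkwardly against the R3 gate this same commit says is still blocked (`kubectl` unavailable, live app behind `origin/main`). If the intent is that chart authoring can proceed while cluster verification waits, say so in the task block. The context line says the age key comes from a Kubernetes Secret bootstrapped once manually; keep it that way and make sure only the SOPS-encrypted manifest, never the key or a decrypted Secret, ends up in the chart or values.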
@@ -234,11 +263,17 @@ chart = "railiance-apps/helm/inter-hub"
namespace = "inter-hub"
```
**Implementation note (2026-06-05):** A Helm chart exists in
`deploy/helm/inter-hub/` with Deployment, Service, Ingress, and values for the
current Gitea registry and `hub.coulomb.social`. Remaining gaps: no repo-root
`app.toml`, no committed SOPS secret manifest, and no separate
`railiance-apps/helm/inter-hub` handoff in this repo.
### R7 — Gitea Actions CI/CD pipeline
```task
id: IHUB-WP-0018-T07
status: blocked
status: in_progress
priority: medium
state_hub_task_id: "ec25c67c-3cb0-4534-9fb0-9bd6578a2def"
```
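Review bot: the implementation note lists three gaps but leaves them as prose; the context line `chart = "railiance-apps/helm/inter-hub"` points at a path that the note says does not exist in this repo, while the chart lives in `deploy/helm/inter-hub/`, so either correct the `app.toml` example or record the handoff as its own task so the mismatch is not lost. For the missing SOPS secret manifest, the follow-up should commit only the encrypted manifest; confirm the chart values (registry, `hub.coulomb.social`) carry no database URL or session secret in plaintext before the Ingress goes public.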
@@ -277,6 +312,13 @@ Secrets in Gitea: `REGISTRY`, `SSH_KEY_HASKELSEED`, `SSH_KEY_COULOMBCORE`.
**Alternative if self-hosted runner is available on CoulombCore:** run the
deploy step directly without the SSH hop to coulombcore.
**Implementation note (2026-06-05):** `.gitea/workflows/deploy.yaml` exists and
builds `.#docker` on a self-hosted `haskelseed` runner, pushes to
`92.205.130.254:32166/coulomb/inter-hub`, deploys with Helm, and smoke-tests
the public endpoint. Remote `main` is already current, but production is still
serving an older API surface, so the workflow needs an attended rerun/inspection
or a new deployment trigger.
### R8 — Staged deployment and smoke test
```task
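Review bot: the note hardcodes the registry as `92.205.130.254:32166/coulomb/inter-hub` while the context line says the registry address is supplied through the Gitea secret `REGISTRY`; pick one source of truth, otherwise a registry move will leave the runbook and the workflow disagreeing. The page header shows the `Build and Deploy / build-push-deploy` run for this very push was cancelled, which matches the "attended rerun/inspection" remark; record why it was cancelled (runner offline, manual cancel, timeout) so the next attempt does not rediscover it. Also check whether the Helm deploy step pins the image by digest or only by tag, since "production still serving an older API surface" with a current `main` is the usual symptom of a stale tag.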
@@ -311,7 +353,7 @@ Follow the Railiance staged promotion lifecycle:
```task
id: IHUB-WP-0018-T09
status: blocked
status: in_progress
priority: medium
state_hub_task_id: "4d1e55c7-8dbb-480f-b07b-6c5e39a04218"
```
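Review bot: T09 moves to `in_progress` in this hunk, but the remaining sub-items for the deployment record (the runbook, the state hub progress event, the quickstart role note) are listed further down in the same section; note in the task block which of them are done so the status change is checkable, and make sure the `state_hub_task_id` entry is updated to match, since "Add progress event to state hub" is itself one of the listed items.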
@@ -319,9 +361,15 @@ state_hub_task_id: "4d1e55c7-8dbb-480f-b07b-6c5e39a04218"
secret rotation, rollback (`railiance rollback inter-hub`), log access
(`kubectl logs -n inter-hub -l app=inter-hub --tail=100`)
- Add progress event to state hub
- Remove haskelseed socat/OpenRC production role note from quickstart
- Remove haskelseed socat/OpenRC production role note from quickstart -
document it as the build machine only, not the production host
**Implementation note (2026-06-05):** `deploy/railiance/RUNBOOK.md` exists and
documents architecture, image build/push, Helm deployment, logs, restart,
rollback, secret rotation, and smoke checks. The deployment record remains
incomplete until current `main` is running and the ops-hub bootstrap smoke test
passes against production.
## Exit Criteria
- `https://hub.coulomb.social/` returns the Landing page (200, no auth)
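Review bot: the reworded bullet now states that haskelseed is the build machine only, not the production host, which is the right boundary; the runbook should then also say that haskelseed holds only what the build-and-push step needs (a registry push credential) and no cluster credentials. The `kubectl logs -n inter-hub -l app=inter-hub --tail=100` and `railiance rollback inter-hub` commands are documented, but the implementation note ties completion to the ops-hub bootstrap smoke test passing against production; add that check to the Exit Criteria next to the existing `200, no auth` landing page check, with the unauthenticated 401 on `/api/v2/hubs` from the review above recorded as the pass condition.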