diff --git a/workplans/IHUB-WP-0018-railiance01-deployment.md b/workplans/IHUB-WP-0018-railiance01-deployment.md index df795bc..53a0b8c 100644 --- a/workplans/IHUB-WP-0018-railiance01-deployment.md +++ b/workplans/IHUB-WP-0018-railiance01-deployment.md @@ -8,7 +8,7 @@ status: active owner: custodian topic_slug: inter_hub created: "2026-04-29" -updated: "2026-06-07" +updated: "2026-06-14" depends_on: IHUB-WP-0015 state_hub_workstream_id: "080d841a-3acd-4adf-b684-2d1890a5e986" --- @@ -135,7 +135,7 @@ superseded by that IHP image path. ```task id: IHUB-WP-0018-T02 -status: todo +status: done priority: high state_hub_task_id: "5ab45e4e-16bc-4feb-8b1b-e8eeb05bf39a" ``` @@ -154,7 +154,7 @@ image via `dockerTools.buildLayeredImage` `contents` or a NixOS module. ```task id: IHUB-WP-0018-T03 -status: blocked +status: done priority: high state_hub_task_id: "79b5cf2c-3a5b-4b4b-8f84-f635cb6891c1" ``` @@ -181,11 +181,18 @@ endpoint returning the expected unauthenticated 401 challenge. Full R3 remains blocked from this workspace because `kubectl` is not available here, and the live app is not serving the current `origin/main` v2 bootstrap routes. +**Recovery note (2026-06-14):** Re-established the haskelseed ops-bridge path +and verified the runner substrate before deployment. `make runner-status` in +`railiance-forge` confirmed `act_runner` is registered to +`https://gitea.coulomb.social`, running under OpenRC, and has the expected +self-hosted labels and build/deploy tools. The K3s API path, Helm deploy path, +and Gitea registry host were exercised successfully by the production rollout. + ### R4 — Provision inter-hub database on railiance-platform ```task id: IHUB-WP-0018-T04 -status: blocked +status: done priority: high state_hub_task_id: "c937cf36-3850-4ab3-aa83-2d846e1a378e" ``` 
@@ -201,11 +208,16 @@ Run schema migration (IHP migrations) as part of the first deployment via an init container or a manual `migrate` run inside the pod. Document the migration procedure in `deploy/railiance/RUNBOOK.md`. +**Recovery note (2026-06-14):** Bootstrapped the production database manually on +the Railiance PostgreSQL cluster: role `interhub`, database `interhub`, schema +ownership, and privileges were created/updated. The running deployment now uses +that database through the `inter-hub-env` Kubernetes Secret. + ### R5 — SOPS-encrypted secrets ```task id: IHUB-WP-0018-T05 -status: blocked +status: in_progress priority: high state_hub_task_id: "926f82d1-15cd-425d-8a41-3d6b51c07f0b" ``` @@ -227,6 +239,11 @@ sops --encrypt --age $(cat ~/.config/sops/age/keys.txt | grep public | awk '{pri Commit the encrypted file. The Gitea Actions workflow decrypts at deploy time using the age key from a Kubernetes Secret (bootstrapped once manually). +**Recovery note (2026-06-14):** Runtime secrets were bootstrapped manually in +Kubernetes so production could deploy safely. This task remains in progress +until the durable SOPS-encrypted source for `DATABASE_URL`, `IHP_SESSION_SECRET`, +and related runtime env is committed and wired into the deploy path. + ### R6 — Helm chart in railiance-apps ```task @@ -269,11 +286,16 @@ current Gitea registry and `hub.coulomb.social`. Remaining gaps: no repo-root `app.toml`, no committed SOPS secret manifest, and no separate `railiance-apps/helm/inter-hub` handoff in this repo. +**Recovery note (2026-06-14):** The local chart under `deploy/helm/inter-hub/` +successfully deployed the app to Railiance01. This task remains in progress +because the repo-root `app.toml` and railiance-apps handoff are still not +completed. + ### R7 — Gitea Actions CI/CD pipeline ```task id: IHUB-WP-0018-T07 -status: blocked +status: done priority: medium state_hub_task_id: "ec25c67c-3cb0-4534-9fb0-9bd6578a2def" ``` 
@@ -329,11 +351,18 @@ itself is reachable on SSH and historical port 8080, but this workspace cannot authenticate non-interactively. Treat R7 as blocked on a forge-owned runner prerequisite rather than continuing to push commits as deployment probes. +**Recovery note (2026-06-14):** The runner prerequisite was restored through +the haskelseed ops-bridge path. The workflow now builds the Nix OCI image, +publishes to `gitea.coulomb.social/coulomb/inter-hub` using a registry bearer +token from the repo `REGISTRY_TOKEN` Actions secret, deploys with Helm, and +runs public smoke checks. Gitea Actions run `2913` completed successfully for +commit `5663fab`. + ### R8 — Staged deployment and smoke test ```task id: IHUB-WP-0018-T08 -status: blocked +status: done priority: high state_hub_task_id: "2b02ae5c-47b9-4f09-88f0-a4af7900b38f" ``` @@ -359,6 +388,12 @@ Follow the Railiance staged promotion lifecycle: # Then re-run smoke test ``` +**Recovery note (2026-06-14):** Production is deployed from image +`gitea.coulomb.social/coulomb/inter-hub:5663fab`; Kubernetes reports the +`inter-hub` deployment ready with one replica. Public smoke checks pass: +`/` returns 200 and contains `inter-hub`, `/api/v2/openapi.json` returns 200, +and unauthenticated `/api/v2/widgets` returns 401. + ### R9 — Document and register ```task @@ -380,6 +415,11 @@ rollback, secret rotation, and smoke checks. The deployment record remains incomplete until current `main` is running and the ops-hub bootstrap smoke test passes against production. +**Recovery note (2026-06-14):** Current `main` is running in production and the +deployment evidence has been recorded here. Remaining documentation work is to +capture the durable secret-management and railiance-apps handoff path once R5 +and R6 are completed. + ## Exit Criteria - `https://hub.coulomb.social/` returns the Landing page (200, no auth)
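Review bot: T02 flips from `todo` to `done` in the `@@ -135,7 +135,7 @@` hunk without any evidence, while every other status change in this patch carries a dated recovery note. Add one line under that task stating what closed it (for instance that the `dockerTools.buildLayeredImage` image path named in the surrounding context is the one the production rollout actually built), so the workplan stays auditable.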
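Review bot: in the R3 hunk the retained context still reads "Full R3 remains blocked from this workspace because `kubectl` is not available here", yet the task moves to `done` and the new recovery note says the K3s API and Helm paths were exercised. Rewrite or strike the stale sentence instead of leaving contradictory statements a few lines apart; the same problem appears in the R7 hunk, where "Treat R7 as blocked on a forge-owned runner prerequisite" survives above a `done` status, and in the R9 hunk, where "remains incomplete until current `main` is running" immediately precedes a note saying it is running.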
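Review bot: the R4 recovery note says role `interhub`, database `interhub`, schema ownership and privileges were "created/updated" but not which grants were applied, nor whether the manual steps were written into `deploy/railiance/RUNBOOK.md` as the surrounding context requires. Record the exact grants given to `interhub` (and whether it must own the schema because migrations run from the pod) so the least-privilege posture can be reviewed and the bootstrap reproduced on a rebuild.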
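Review bot: the R5 note records that runtime secrets were bootstrapped manually in Kubernetes but not how the values were generated or handled, which matters most for `DATABASE_URL` and `IHP_SESSION_SECRET`. Add to the in-progress item a plan to rotate both once the SOPS-encrypted source is committed and wired into the deploy path, since values typed or pasted during a manual bootstrap have no audited provenance, and note that the age private key held as a Kubernetes Secret (per the retained context) needs the same access review.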
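Review bot: the R7 note introduces a registry bearer token from the `REGISTRY_TOKEN` Actions secret without stating its scope, owning identity or lifetime. Document that it is limited to package write on `coulomb/inter-hub`, issued to a service identity rather than a personal account, and has a rotation date; a broad or personal long-lived token in CI is the most exposed credential in this pipeline.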
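Review bot: the R8 note reports production deployed from `gitea.coulomb.social/coulomb/inter-hub:5663fab`, a mutable tag; add the image digest Kubernetes reports so the smoke-check evidence is tied to an immutable artifact matching run `2913`. The retained context describes a staged promotion lifecycle ending in "# Then re-run smoke test", yet the note speaks only of production; state whether the staging step was performed or deliberately skipped for this recovery.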