docs(workplan): record inter-hub deployment recovery [skip ci]

2026-06-14 15:49:30 +02:00
parent 5663fab495
commit c685848af5


@@ -8,7 +8,7 @@ status: active
owner: custodian
topic_slug: inter_hub
created: "2026-04-29"
updated: "2026-06-07"
updated: "2026-06-14"
depends_on: IHUB-WP-0015
state_hub_workstream_id: "080d841a-3acd-4adf-b684-2d1890a5e986"
---
@@ -135,7 +135,7 @@ superseded by that IHP image path.
```task
id: IHUB-WP-0018-T02
status: todo
status: done
priority: high
state_hub_task_id: "5ab45e4e-16bc-4feb-8b1b-e8eeb05bf39a"
```
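Review bot: T02 moves from `todo` to `done` with no evidence line in this hunk, unlike the later hunks in this change, which pair each status flip with a dated recovery note; add a one-line note stating what produced the IHP image path named in the context line and when it was verified, so the `done` state is traceable.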
@@ -154,7 +154,7 @@ image via `dockerTools.buildLayeredImage` `contents` or a NixOS module.
```task
id: IHUB-WP-0018-T03
status: blocked
status: done
priority: high
state_hub_task_id: "79b5cf2c-3a5b-4b4b-8f84-f635cb6891c1"
```
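Review bot: T03 flips from `blocked` to `done`, but nothing in this hunk records what unblocked the `dockerTools.buildLayeredImage` image build. The R7 recovery note in this same change says the workflow now builds the Nix OCI image in run `2913`; reference that run here rather than leaving the status change unexplained.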
@@ -181,11 +181,18 @@ endpoint returning the expected unauthenticated 401 challenge. Full R3 remains
blocked from this workspace because `kubectl` is not available here, and the
live app is not serving the current `origin/main` v2 bootstrap routes.
**Recovery note (2026-06-14):** Re-established the haskelseed ops-bridge path
and verified the runner substrate before deployment. `make runner-status` in
`railiance-forge` confirmed `act_runner` is registered to
`https://gitea.coulomb.social`, running under OpenRC, and has the expected
self-hosted labels and build/deploy tools. The K3s API path, Helm deploy path,
and Gitea registry host were exercised successfully by the production rollout.
### R4 — Provision inter-hub database on railiance-platform
```task
id: IHUB-WP-0018-T04
status: blocked
status: done
priority: high
state_hub_task_id: "c937cf36-3850-4ab3-aa83-2d846e1a378e"
```
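Review bot: the R3 recovery note is inserted directly after the context sentence "Full R3 remains blocked from this workspace because `kubectl` is not available here, and the live app is not serving the current `origin/main` v2 bootstrap routes", which is left standing while T04 becomes `done`, so the section now contradicts itself; reword that sentence as historical or strike it. The note also says the K3s API path "were exercised successfully by the production rollout" but does not say which credential the runner deploys with; record that, since the restored runner access is the credential this recovery re-established.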
@@ -201,11 +208,16 @@ Run schema migration (IHP migrations) as part of the first deployment via an
init container or a manual `migrate` run inside the pod. Document the
migration procedure in `deploy/railiance/RUNBOOK.md`.
**Recovery note (2026-06-14):** Bootstrapped the production database manually on
the Railiance PostgreSQL cluster: role `interhub`, database `interhub`, schema
ownership, and privileges were created/updated. The running deployment now uses
that database through the `inter-hub-env` Kubernetes Secret.
### R5 — SOPS-encrypted secrets
```task
id: IHUB-WP-0018-T05
status: blocked
status: in_progress
priority: high
state_hub_task_id: "926f82d1-15cd-425d-8a41-3d6b51c07f0b"
```
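Review bot: the R4 recovery note says role and database `interhub` privileges "were created/updated" without stating what was granted, and the task text above requires the migration procedure to be documented in `deploy/railiance/RUNBOOK.md`; neither the grant set nor the migration run (init container or manual `migrate` in the pod) is recorded. Suggest listing the exact grants (ownership of the `interhub` database and schema rather than a broader role) and the migration command used, so the bootstrap is reproducible and least privilege can be checked.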
@@ -227,6 +239,11 @@ sops --encrypt --age $(cat ~/.config/sops/age/keys.txt | grep public | awk '{pri
Commit the encrypted file. The Gitea Actions workflow decrypts at deploy time
using the age key from a Kubernetes Secret (bootstrapped once manually).
**Recovery note (2026-06-14):** Runtime secrets were bootstrapped manually in
Kubernetes so production could deploy safely. This task remains in progress
until the durable SOPS-encrypted source for `DATABASE_URL`, `IHP_SESSION_SECRET`,
and related runtime env is committed and wired into the deploy path.
### R6 — Helm chart in railiance-apps
```task
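Review bot: the R5 recovery note says runtime secrets were "bootstrapped manually in Kubernetes" without naming the Secret or saying how the values were generated; the R4 note in this change names `inter-hub-env`, so name it here too. Because `DATABASE_URL` and `IHP_SESSION_SECRET` have now been handled outside the SOPS path, add a rotation step to the task so both are regenerated when the committed SOPS source is wired into the deploy path, rather than carrying the interim values forward.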
@@ -269,11 +286,16 @@ current Gitea registry and `hub.coulomb.social`. Remaining gaps: no repo-root
`app.toml`, no committed SOPS secret manifest, and no separate
`railiance-apps/helm/inter-hub` handoff in this repo.
**Recovery note (2026-06-14):** The local chart under `deploy/helm/inter-hub/`
successfully deployed the app to Railiance01. This task remains in progress
because the repo-root `app.toml` and railiance-apps handoff are still not
completed.
### R7 — Gitea Actions CI/CD pipeline
```task
id: IHUB-WP-0018-T07
status: blocked
status: done
priority: medium
state_hub_task_id: "ec25c67c-3cb0-4534-9fb0-9bd6578a2def"
```
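Review bot: the R6 recovery note says the chart under `deploy/helm/inter-hub/` deployed successfully but records no chart version or Helm release revision, and the context lines just above it still list "no committed SOPS secret manifest" among the remaining gaps. Record the release revision alongside the image tag so the R8 rollback step has a known-good target, and keep the gap list consistent with what the note says is still open.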
@@ -329,11 +351,18 @@ itself is reachable on SSH and historical port 8080, but this workspace cannot
authenticate non-interactively. Treat R7 as blocked on a forge-owned runner
prerequisite rather than continuing to push commits as deployment probes.
**Recovery note (2026-06-14):** The runner prerequisite was restored through
the haskelseed ops-bridge path. The workflow now builds the Nix OCI image,
publishes to `gitea.coulomb.social/coulomb/inter-hub` using a registry bearer
token from the repo `REGISTRY_TOKEN` Actions secret, deploys with Helm, and
runs public smoke checks. Gitea Actions run `2913` completed successfully for
commit `5663fab`.
### R8 — Staged deployment and smoke test
```task
id: IHUB-WP-0018-T08
status: blocked
status: done
priority: high
state_hub_task_id: "2b02ae5c-47b9-4f09-88f0-a4af7900b38f"
```
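Review bot: the context sentence "Treat R7 as blocked on a forge-owned runner prerequisite rather than continuing to push commits as deployment probes" is left in place while the new note declares the prerequisite restored and T07 becomes `done`; reword it as resolved. The note also introduces `REGISTRY_TOKEN` as a registry bearer token held in the repo Actions secrets without stating its permission scope or owner; add the scope (package write only) and where it is rotated, since an over-scoped repository-level token is the main exposure in this path.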
@@ -359,6 +388,12 @@ Follow the Railiance staged promotion lifecycle:
# Then re-run smoke test
```
**Recovery note (2026-06-14):** Production is deployed from image
`gitea.coulomb.social/coulomb/inter-hub:5663fab`; Kubernetes reports the
`inter-hub` deployment ready with one replica. Public smoke checks pass:
`/` returns 200 and contains `inter-hub`, `/api/v2/openapi.json` returns 200,
and unauthenticated `/api/v2/widgets` returns 401.
### R9 — Document and register
```task
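Review bot: the R8 note records the production image as `gitea.coulomb.social/coulomb/inter-hub:5663fab`, a mutable short-SHA tag; for a deployment record, also capture the image digest so the running artifact can be matched to run `2913` later. The listed smoke checks (`/`, `/api/v2/openapi.json`, the 401 on `/api/v2/widgets`) do not say which host they were run against; name the public host (the exit criteria use `https://hub.coulomb.social/`) so the check is reproducible.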
@@ -380,6 +415,11 @@ rollback, secret rotation, and smoke checks. The deployment record remains
incomplete until current `main` is running and the ops-hub bootstrap smoke test
passes against production.
**Recovery note (2026-06-14):** Current `main` is running in production and the
deployment evidence has been recorded here. Remaining documentation work is to
capture the durable secret-management and railiance-apps handoff path once R5
and R6 are completed.
## Exit Criteria
- `https://hub.coulomb.social/` returns the Landing page (200, no auth)
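Review bot: the context sentence "The deployment record remains incomplete until current `main` is running and the ops-hub bootstrap smoke test passes against production" is kept while the new R9 note says current `main` is running; the note does not say the ops-hub bootstrap smoke test passed, so either strike the sentence or mark that test as the part still outstanding.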