From 9e460049617bf7be2560f97be59ac902752b1bff Mon Sep 17 00:00:00 2001 From: tegwick Date: Thu, 25 Jun 2026 19:59:53 +0200 Subject: [PATCH] Update ISSUE-WP-0003 deployment progress --- .../ISSUE-WP-0003-railiance01-deployment.md | 98 +++++++++++-------- 1 file changed, 55 insertions(+), 43 deletions(-) diff --git a/workplans/ISSUE-WP-0003-railiance01-deployment.md b/workplans/ISSUE-WP-0003-railiance01-deployment.md index 20d66a2..d451c40 100644 --- a/workplans/ISSUE-WP-0003-railiance01-deployment.md +++ b/workplans/ISSUE-WP-0003-railiance01-deployment.md @@ -8,7 +8,7 @@ status: active owner: claude topic_slug: custodian created: "2026-06-19" -updated: "2026-06-23" +updated: "2026-06-25" state_hub_workstream_id: "896ace77-21b3-450b-8fb7-254aefc8c570" --- 
@@ -17,36 +17,34 @@ state_hub_workstream_id: "896ace77-21b3-450b-8fb7-254aefc8c570" `issue-core` is the authoritative task-lifecycle manager and the REST ingestion target for activity-core's `IssueSink`. Deployment artifacts are on `main` (`Dockerfile`, `docker-entrypoint.sh`, `k8s/railiance/`); image -`gitea.coulomb.social/coulomb/issue-core:0.2.0` is built, pushed, and -pullable. The railiance01 cluster still has no `issue-core` workload until -T02 live ArgoCD bootstrap (RAILIANCE-WP-0004-T05) and T04 OpenBao secrets land. +`gitea.coulomb.social/coulomb/issue-core:0.2.1` is built, pushed, and +pullable. The railiance01 cluster now reconciles `issue-core` through ArgoCD; +External Secrets Operator reads the OpenBao-backed runtime Secret and the +Deployment is live on port 8765. This workplan stands up `issue-core` as a first-class in-cluster service on railiance01 **via ArgoCD GitOps** — making issue-core the cluster's first declarative Application and turning on the idle GitOps capability. -## Current state (verified 2026-06-19) +## Current state (verified 2026-06-25) - **Deployment artifacts in-repo:** `Dockerfile`, `docker-entrypoint.sh`, and `k8s/railiance/` (Kustomize: ExternalSecret, ConfigMap, Deployment, Service). Image builds locally; `docker run` + `GET /healthz` returns 200. Image pushed - and pullable as `gitea.coulomb.social/coulomb/issue-core:0.2.0` (digest - `sha256:153fbe43…`). `coulomb` org packages are public — no `imagePullSecret` + and pullable as `gitea.coulomb.social/coulomb/issue-core:0.2.1` (digest + `sha256:729c0e56…`). `coulomb` org packages are public — no `imagePullSecret` required per `railiance-forge/docs/gitea-container-registry.md`. - **Dockerfile fix (2026-06-19):** build arg renamed `GITEA_PYPI_INDEX_URL` — `ARG PIP_INDEX_URL` leaked into the build env and pip used Gitea as the sole index, so dependencies like `click` were not found. 
-- **railiance01 cluster:** no `issue-core` namespace; no issue-core - Deployment/Service/Pod in any namespace. -- **Dangling reference:** `activity-core/k8s/railiance/20-runtime.yaml` sets - `ISSUE_CORE_URL: http://issue-core.issue-core.svc.cluster.local:8010` — a - service that does not exist, on the **wrong port** (issue-core serves 8765) — - with `ISSUE_SINK_TYPE: "null"` so emission is disabled. It is a placeholder. +- **railiance01 cluster:** `issue-core` namespace, Service, ExternalSecret, + Secret, and Deployment are present. ArgoCD reports the `issue-core` Application + Synced/Healthy at revision `11a0a69`; pod is Ready on image `0.2.1`. +- **activity-core handoff still pending:** `activity-core/k8s/railiance/20-runtime.yaml` still points at port 8010 and keeps `ISSUE_SINK_TYPE: "null"`; T06 tracks switching it to the live issue-core service on port 8765. - **Packaging precursor is done:** `ISSUE-WP-0002` published - `issue-core==0.2.0` to the Coulomb Gitea PyPI index. -- **ArgoCD is installed but unused:** all 7 components healthy (~290d), but - **0 Applications, 0 ApplicationSets, 0 registered git repos**, only the stock - `default` AppProject. No `kind: Application` manifests exist in any infra repo. + `issue-core==0.2.0` to the Coulomb Gitea PyPI index. The live `0.2.1` image + was built from the committed source tree as a deployment hotfix. +- **ArgoCD is active for the pilot:** railiance-platform owns the bootstrap and tenant AppProject; `issue-core` is Synced/Healthy as the pilot workload. - **Existing deploy pattern is imperative** (the path we are *replacing* for this service): local `docker build` → `k3s ctr images import` (side-load, no registry) → `rsync` manifests → `kubectl apply` (see 
@@ -61,6 +59,20 @@ declarative Application and turning on the idle GitOps capability. traceability string. Event-driven activity-core paths can still send UUIDs; scheduled/cron paths may now send a stable key such as `scheduled`. +## Live progress (2026-06-25) + +- Added railiance-platform ESO/OpenBao plumbing and provisioned the canonical + OpenBao path `platform/workloads/issue-core/issue-core/issue-core-runtime` + with `ISSUE_CORE_API_KEY` and `GITEA_BACKEND_TOKEN` (values not logged). +- Created dedicated Gitea service user `issue-core-svc` and stored a scoped + backend token in OpenBao for issue creation. +- Published and deployed `gitea.coulomb.social/coulomb/issue-core:0.2.1` + (`sha256:729c0e56…`) with the Gitea label-payload fix and numeric UID + securityContext. +- ArgoCD `issue-core` is Synced/Healthy at `11a0a69`; ExternalSecret is Ready; + `/healthz` returns 200; authenticated `POST /issues/` returned 201 and Gitea + issue id `175`. + ## Decisions - **Deployment method = ArgoCD GitOps** (operator decision 2026-06-19). 
@@ -105,30 +117,28 @@ state_hub_task_id: "3723e896-3ec9-49b8-86f8-403993444da3" **Goal.** A reproducible, registry-hosted image ArgoCD-managed pods can pull. -- [x] Add `Dockerfile` installing `issue-core[api]>=0.2,<0.3` from the Gitea - PyPI index (with explicit PyPI primary index). Entrypoint renders - `backends.json` then `issue serve --host 0.0.0.0 --port 8765`. +- [x] Add `Dockerfile` building the checked-out `issue-core[api]` source. + Entrypoint renders `backends.json` then `issue serve --host 0.0.0.0 --port 8765`. - [x] Local build succeeds; `docker run` + `GET /healthz` returns 200. -- [x] Pushed `gitea.coulomb.social/coulomb/issue-core:0.2.0`; `docker pull` +- [x] Pushed `gitea.coulomb.social/coulomb/issue-core:0.2.1`; `docker pull` succeeds. - [x] No cluster pull secret needed (`coulomb` org packages are public). -- [ ] `POST /issues/` smoke against a running deployment (deferred to T03/T04 - cluster verification). +- [x] `POST /issues/` smoke against a running deployment returned 201. ## ArgoCD bootstrap (railiance-platform dependency) + issue-core Application ```task id: ISSUE-WP-0003-T02 -status: wait +status: done priority: high state_hub_task_id: "9b199b1d-d3c0-4621-b8f8-58c376cbf878" ``` **Owner split.** ArgoCD bootstrap is **railiance-platform's** (operator decision 2026-06-19): repo registration in ArgoCD, AppProject/app-of-apps -convention, and the agreed GitOps source layout. This task is `wait` on that -handoff. issue-core's part is to **contribute** the `Application` manifest + -workload manifests into the layout platform defines. +convention, and the agreed GitOps source layout. This handoff is complete for +the issue-core pilot; issue-core contributes workload manifests and platform owns +the tenant `Application` wrapper. - **(railiance-platform)** Register the GitOps source repo (repository Secret + creds); define AppProject for cluster services; publish the source-repo/path 
@@ -136,16 +146,17 @@ workload manifests into the layout platform defines. - [x] **(issue-core)** Workload manifests in `k8s/railiance/` on `main` per platform contract (`docs/argocd-gitops.md`). Tenant `Application` lives in `railiance-platform/argocd/applications/issue-core.application.yaml`. -- [ ] **(railiance-platform)** RAILIANCE-WP-0004-T05 live bootstrap: register - repo creds, deploy bootstrap, sync `issue-core` Application. -- [ ] Verify: `kubectl get applications -n argocd` shows `issue-core` - Synced/Healthy; ArgoCD reconciles a trivial manifest change. +- [x] **(railiance-platform)** Live bootstrap deployed; `issue-core` Application + syncs from the issue-core repo through the tenant AppProject. +- [x] Verify: `kubectl get applications -n argocd` shows `issue-core` + Synced/Healthy at revision `11a0a69`; ArgoCD reconciled the `0.2.1` image + manifest change. ## Kubernetes manifests (namespace, Deployment, Service) in GitOps source ```task id: ISSUE-WP-0003-T03 -status: progress +status: done priority: high state_hub_task_id: "38887dd6-0988-4ad1-bc6b-2a1b8839829f" ``` @@ -154,18 +165,18 @@ state_hub_task_id: "38887dd6-0988-4ad1-bc6b-2a1b8839829f" - [x] `k8s/railiance/` Kustomize bundle (namespace via ArgoCD `CreateNamespace=true`). -- [x] Deployment: registry image tag `0.2.0`; port 8765; `/healthz` probes; +- [x] Deployment: registry image tag `0.2.1`; port 8765; `/healthz` probes; resource requests/limits; env from ExternalSecret (T04) and ConfigMap (T05). - [x] Service: ClusterIP on **8765** as `issue-core.issue-core.svc.cluster.local`. -- [ ] Verify: ArgoCD syncs the manifests; Pod Ready; `/healthz` 200 from a debug - pod (blocked on T01 push + T02 bootstrap + T04 secrets). +- [x] Verify: ArgoCD syncs the manifests; pod Ready; `/healthz` returned 200 + from inside the cluster. ## OpenBao secret: ISSUE_CORE_API_KEY ```task id: ISSUE-WP-0003-T04 -status: wait +status: done priority: high state_hub_task_id: "ad52527f-6222-4c11-9284-d8a3ed3b49ad" ``` 
@@ -180,15 +191,15 @@ state_hub_task_id: "ad52527f-6222-4c11-9284-d8a3ed3b49ad" - Never write the value to Git, manifests, State Hub, or logs. - Verify: both pods resolve a non-empty key; auth round-trip (401 without, 201 with). -- Current wait reason: requires railiance-platform/OpenBao operator action to - confirm/provision the canonical path and `ClusterSecretStore`; - issue-core records only the Secret contract and non-secret verification steps. +- Done 2026-06-25: canonical OpenBao path exists, `ClusterSecretStore/openbao` is + Ready, `ExternalSecret/issue-core-runtime` is Ready, and the Kubernetes Secret + contains the two expected data keys. activity-core consumption remains in T06. ## In-cluster backend config (cluster Gitea / markitect) ```task id: ISSUE-WP-0003-T05 -status: progress +status: done priority: medium state_hub_task_id: "10923f1e-050d-4f3e-980e-b061fef5f33a" ``` @@ -200,8 +211,8 @@ the cluster Gitea (markitect) backend. (`gitea-http.default.svc.cluster.local:3000`); token sentinel `__FROM_ENV__`. - [x] `docker-entrypoint.sh` renders `~/.config/issue-tracker/backends.json` from `BACKENDS_TEMPLATE` + `GITEA_BACKEND_TOKEN` at startup. -- [ ] Verify: a `POST /issues/` creates a real Gitea issue and returns - `issue_url` (blocked on T04 secrets + in-cluster deployment). +- [x] Verify: authenticated `POST /issues/` returned 201 and created Gitea + issue id `175` via the live service. ## Wire activity-core to the live service 
@@ -239,7 +250,8 @@ state_hub_task_id: "8d853b8e-cfca-441d-b817-0a29e37bd66e" - ArgoCD Application Synced/Healthy; issue-core Pod Ready; Service reachable cluster-internal. -- activity-core → issue-core emission returns 201 and creates a Gitea issue. +- [ ] activity-core -> issue-core emission returns 201 and creates a Gitea issue + (remaining T06 handoff). - [x] Document the GitOps runbook (image build/push, ArgoCD sync, secret contract, smoke, activity-core handoff) in `docs/argocd-gitops.md`. - Emit an `add_progress_event` milestone to the hub on completion.
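Review bot: In the Current state hunk (`@@ -17,36 +17,34 @@`), the packaging bullet still says only `issue-core==0.2.0` is on the Coulomb Gitea PyPI index while the live image is `0.2.1` "built from the committed source tree as a deployment hotfix", so the running version has no matching published package; record a follow-up to publish `0.2.1` (or rebuild the image from a published release) and note the source commit the `0.2.1` image (`sha256:729c0e56…`) was built from, so the digest is traceable to a revision.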
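Review bot: In the Live progress hunk (`@@ -61,6 +59,20 @@`), the `issue-core-svc` bullet calls the stored backend token "scoped" without saying which Gitea permissions the service user holds or who owns rotation of `GITEA_BACKEND_TOKEN` and `ISSUE_CORE_API_KEY`; add the granted scope and the rotation owner, since the token is now rendered into `backends.json` at every pod start. The smoke `POST /issues/` also created a real Gitea issue (`175`); note whether it was closed or labelled as a smoke artifact.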
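Review bot: In the T01/T02 hunk (`@@ -105,30 +117,28 @@`), replacing the pinned `issue-core[api]>=0.2,<0.3` install from the Gitea PyPI index with "building the checked-out `issue-core[api]` source" weakens the task's stated goal of "a reproducible, registry-hosted image" unless the build records the source revision it was cut from; state how that is captured. The unchanged "Dockerfile fix (2026-06-19)" bullet in Current state about `GITEA_PYPI_INDEX_URL` / `ARG PIP_INDEX_URL` describes the old index-install path and should be marked superseded. With T02 flipped to `done`, the `(railiance-platform)` "Register the GitOps source repo" bullet is the only sub-item without a checkbox; tick it or mark it as descriptive.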
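Review bot: In the T02 verification hunk (`@@ -136,16 +146,17 @@`), revision `11a0a69` is a short SHA with no repository named; since the tenant `Application` lives in `railiance-platform/argocd/applications/issue-core.application.yaml` while the workload manifests sync from the issue-core repo, say which repository `11a0a69` belongs to (and preferably give the full SHA) so the Synced/Healthy claim can be re-verified later.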
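Review bot: In the T03 hunk (`@@ -154,18 +165,18 @@`), the Deployment bullet lists image tag, port, probes, resources and env sources but not the numeric UID `securityContext` that the Live progress section says shipped with `0.2.1`; add it so the manifest checklist matches what is deployed. The verify line also became vaguer ("from inside the cluster" instead of "from a debug pod"); say how the `/healthz` 200 was obtained.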
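Review bot: In the T04 hunk (`@@ -180,15 +191,15 @@`), the "Done 2026-06-25" bullet records only the positive path, while the unchanged verify criterion directly above it requires that "both pods resolve a non-empty key" and an auth round-trip of "401 without, 201 with"; only issue-core's Secret keys and the 201 are evidenced. Either record the 401 check and state explicitly that the activity-core half stays open in T06, or keep the verify item unticked rather than marking the task `done`.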
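Review bot: In the T05 hunk (`@@ -200,8 +211,8 @@`), the verify criterion was that `POST /issues/` "creates a real Gitea issue and returns `issue_url`", but the ticked line records only the 201 and Gitea issue id `175`; confirm the response carried `issue_url` for the cluster Gitea backend (`gitea-http.default.svc.cluster.local:3000`), since that field is what activity-core will consume in T06.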
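Review bot: In the Done criteria hunk (`@@ -239,7 +250,8 @@`), checkbox style is now mixed: the activity-core line gained `[ ]` and the runbook line has `[x]`, while "ArgoCD Application Synced/Healthy; issue-core Pod Ready" and "Emit an `add_progress_event` milestone" have none; give every criterion a checkbox (the ArgoCD/Pod line can be `[x]` per T02/T03). The arrow also changed from `→` to `->` while the rest of the document uses `→` (see the imperative deploy-pattern bullet); keep one form.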