generated from coulomb/repo-seed
Note the sibling REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET key, Forgejo webhook rollout command, and the RAILIANCE-WP-0011 OpenBao migration backlog item.
86 lines
3.0 KiB
Markdown
86 lines
3.0 KiB
Markdown
# reuse-surface Hub Write Token
|
|
|
|
Date: 2026-07-07
|
|
Catalog: `reuse-surface-hub-write-token` (status `active`, `resolvable: true`)
|
|
Owner: `reuse-surface` (service) · deploy custody `railiance-apps` (K8s secret)
|
|
|
|
Bearer token for authenticated writes to the production federation hub at
|
|
`https://reuse.coulomb.social` (`POST /v1/repos`, `reuse-surface hub register`).
|
|
ops-warden **does not hold this token** — it is a pointer lane to the cluster
|
|
secret that backs the hub Deployment.
|
|
|
|
---
|
|
|
|
## Owner-confirmed lane (no placeholders)
|
|
|
|
| Field | Value |
|
|
| --- | --- |
|
|
| Cluster | Railiance01 (`92.205.62.239`) |
|
|
| Namespace | `reuse` |
|
|
| Secret | `reuse-surface-env` |
|
|
| Field | `REUSE_SURFACE_TOKEN` |
|
|
| Kubeconfig | `~/.kube/config-hosteurope` |
|
|
| Deploy runbook | `railiance-apps/docs/reuse-surface-on-railiance01.md` |
|
|
| Hub API spec | `reuse-surface/specs/FederationHubAPI.md` |
|
|
|
|
This is **not** an OpenBao KV path. The token is generated at deploy time and
|
|
stored only in the Kubernetes Secret consumed by the `reuse-surface` workload.
|
|
|
|
### Related key in the same Secret
|
|
|
|
| Field | Purpose |
|
|
| --- | --- |
|
|
| `REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET` | HMAC for `POST /v1/webhooks/forgejo`; must match the org webhook on Forgejo |
|
|
|
|
Fetch (same kubectl lane — never paste into chat):
|
|
|
|
```bash
|
|
kubectl --kubeconfig ~/.kube/config-hosteurope get secret reuse-surface-env -n reuse \
|
|
-o jsonpath='{.data.REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET}' | base64 -d
|
|
```
|
|
|
|
Forgejo org webhook rollout: `railiance-apps` `make reuse-forgejo-webhook`
|
|
(runbook `docs/reuse-surface-on-railiance01.md#forgejo-org-webhook`).
|
|
|
|
Planned OpenBao migration: **RAILIANCE-WP-0011** (`railiance-platform`).
|
|
|
|
---
|
|
|
|
## Worker checklist
|
|
|
|
1. **Confirm kubeconfig reachability** (you act as yourself; ops-warden adds no credential):
|
|
```bash
|
|
kubectl --kubeconfig ~/.kube/config-hosteurope get secret reuse-surface-env -n reuse
|
|
```
|
|
|
|
2. **Export for a shell session** (value streams to your terminal — never paste into chat):
|
|
```bash
|
|
export REUSE_SURFACE_URL=https://reuse.coulomb.social
|
|
export REUSE_SURFACE_TOKEN=$(
|
|
kubectl --kubeconfig ~/.kube/config-hosteurope get secret reuse-surface-env -n reuse \
|
|
-o jsonpath='{.data.REUSE_SURFACE_TOKEN}' | base64 -d
|
|
)
|
|
```
|
|
|
|
3. **Or proxy via warden access** (same kubectl command, audited metadata only):
|
|
```bash
|
|
warden route show reuse-surface-hub-write-token --json
|
|
warden access reuse-surface-hub-write-token --no-policy --fetch
|
|
```
|
|
|
|
4. **Register a repo** after publish-check passes:
|
|
```bash
|
|
reuse-surface hub status
|
|
reuse-surface hub register --repo <slug> \
|
|
--url <gitea-raw-capabilities-yaml-url> \
|
|
--domain <domain>
|
|
```
|
|
|
|
5. **Verify federated index** picked up the new source:
|
|
```bash
|
|
curl -fsS "$REUSE_SURFACE_URL/v1/federated" | jq '.sources | map(.repo) | index("<slug>")'
|
|
```
|
|
|
|
Never commit the token, paste it into State Hub or agent chat, or store it in a
|
|
workplan. Rotation: regenerate the secret on-cluster and roll the Deployment
|
|
(`reuse-surface/docs/deploy/reuse-kubernetes.md`). |