Files
ops-warden/wiki/playbooks/reuse-surface-hub-write-token.md
tegwick 7d915a2eb5 Add routing catalog entry for reuse-surface hub write token.
REUSE_SURFACE_TOKEN is custody of the Railiance01 K8s secret reuse-surface-env,
not OpenBao. Workers blocked on hub register can now discover the lane via
warden route find and obtain it through the documented kubectl handoff.
2026-07-07 00:52:39 +02:00

68 lines
2.4 KiB
Markdown

# reuse-surface Hub Write Token
Date: 2026-07-07
Catalog: `reuse-surface-hub-write-token` (status `active`, `resolvable: true`)
Owner: `reuse-surface` (service) · deploy custody `railiance-apps` (K8s secret)
Bearer token for authenticated writes to the production federation hub at
`https://reuse.coulomb.social` (`POST /v1/repos`, `reuse-surface hub register`).
ops-warden **does not hold this token** — it is a pointer lane to the cluster
secret that backs the hub Deployment.
---
## Owner-confirmed lane (no placeholders)
| Field | Value |
| --- | --- |
| Cluster | Railiance01 (`92.205.62.239`) |
| Namespace | `reuse` |
| Secret | `reuse-surface-env` |
| Field | `REUSE_SURFACE_TOKEN` |
| Kubeconfig | `~/.kube/config-hosteurope` |
| Deploy runbook | `railiance-apps/docs/reuse-surface-on-railiance01.md` |
| Hub API spec | `reuse-surface/specs/FederationHubAPI.md` |
This is **not** an OpenBao KV path. The token is generated at deploy time and
stored only in the Kubernetes Secret consumed by the `reuse-surface` workload.
---
## Worker checklist
1. **Confirm kubeconfig reachability** (you act as yourself; ops-warden adds no credential):
```bash
kubectl --kubeconfig ~/.kube/config-hosteurope get secret reuse-surface-env -n reuse
```
2. **Export for a shell session** (value streams to your terminal — never paste into chat):
```bash
export REUSE_SURFACE_URL=https://reuse.coulomb.social
export REUSE_SURFACE_TOKEN=$(
kubectl --kubeconfig ~/.kube/config-hosteurope get secret reuse-surface-env -n reuse \
-o jsonpath='{.data.REUSE_SURFACE_TOKEN}' | base64 -d
)
```
3. **Or proxy via warden access** (same kubectl command, audited metadata only):
```bash
warden route show reuse-surface-hub-write-token --json
warden access reuse-surface-hub-write-token --no-policy --fetch
```
4. **Register a repo** after publish-check passes:
```bash
reuse-surface hub status
reuse-surface hub register --repo <slug> \
--url <gitea-raw-capabilities-yaml-url> \
--domain <domain>
```
5. **Verify federated index** picked up the new source:
```bash
curl -fsS "$REUSE_SURFACE_URL/v1/federated" | jq '.sources | map(.repo) | index("<slug>")'
```
Never commit the token, paste it into State Hub or agent chat, or store it in a
workplan. Rotation: regenerate the secret on-cluster and roll the Deployment
(`reuse-surface/docs/deploy/reuse-kubernetes.md`).