Rename reuse deployment to coulomb.social conventions

Chart charts/reuse-surface, namespace reuse, host reuse.coulomb.social,
image gitea.coulomb.social/coulomb/reuse-surface, secret reuse-surface-env.
Makefile targets reuse-dry-run/deploy/status/logs.
2026-06-15 09:02:02 +02:00
parent 19b65de4bd
commit 25d6a2484e
10 changed files with 100 additions and 115 deletions


@@ -19,10 +19,10 @@ INTER_HUB_NAMESPACE ?= inter-hub
INTER_HUB_CHART ?= charts/inter-hub INTER_HUB_CHART ?= charts/inter-hub
INTER_HUB_VALUES ?= helm/inter-hub-values.yaml INTER_HUB_VALUES ?= helm/inter-hub-values.yaml
REUSE_HUB_RELEASE ?= reuse-surface-hub REUSE_RELEASE ?= reuse
REUSE_HUB_NAMESPACE ?= reuse-surface-hub REUSE_NAMESPACE ?= reuse
REUSE_HUB_CHART ?= charts/reuse-surface-hub REUSE_CHART ?= charts/reuse-surface
REUSE_HUB_VALUES ?= helm/reuse-surface-hub-values.yaml REUSE_VALUES ?= helm/reuse-surface-values.yaml
SOPS_SENTINEL ?= SOPS_SENTINEL ?=
DRY_RUN_CREATE_NAMESPACES ?= false DRY_RUN_CREATE_NAMESPACES ?= false
@@ -105,23 +105,23 @@ inter-hub-status: ## Show inter-hub pod / svc / ingress / cert state
inter-hub-logs: ## Tail inter-hub app logs inter-hub-logs: ## Tail inter-hub app logs
kubectl logs -n $(INTER_HUB_NAMESPACE) -l app.kubernetes.io/instance=$(INTER_HUB_RELEASE) -f --tail=50 kubectl logs -n $(INTER_HUB_NAMESPACE) -l app.kubernetes.io/instance=$(INTER_HUB_RELEASE) -f --tail=50
##@ Reuse Surface Hub ##@ reuse-surface (reuse.coulomb.social)
reuse-hub-dry-run: ## helm template render (no apply) for reuse-surface-hub reuse-dry-run: ## helm template render (no apply) for reuse-surface
helm template $(REUSE_HUB_RELEASE) $(REUSE_HUB_CHART) \ helm template $(REUSE_RELEASE) $(REUSE_CHART) \
--namespace $(REUSE_HUB_NAMESPACE) \ --namespace $(REUSE_NAMESPACE) \
-f $(REUSE_HUB_VALUES) -f $(REUSE_VALUES)
reuse-hub-deploy: ## Deploy / upgrade reuse-surface-hub Helm release reuse-deploy: ## Deploy / upgrade reuse-surface Helm release
helm upgrade --install $(REUSE_HUB_RELEASE) $(REUSE_HUB_CHART) \ helm upgrade --install $(REUSE_RELEASE) $(REUSE_CHART) \
--namespace $(REUSE_HUB_NAMESPACE) --create-namespace \ --namespace $(REUSE_NAMESPACE) --create-namespace \
-f $(REUSE_HUB_VALUES) --wait --timeout 5m -f $(REUSE_VALUES) --wait --timeout 5m
reuse-hub-status: ## Show reuse-surface-hub pod / svc / ingress / cert state reuse-status: ## Show reuse-surface pod / svc / ingress / cert state
kubectl get pods,svc,ingress,pvc,certificate -n $(REUSE_HUB_NAMESPACE) -l app.kubernetes.io/instance=$(REUSE_HUB_RELEASE) --ignore-not-found kubectl get pods,svc,ingress,pvc,certificate -n $(REUSE_NAMESPACE) -l app.kubernetes.io/instance=$(REUSE_RELEASE) --ignore-not-found
reuse-hub-logs: ## Tail reuse-surface-hub logs reuse-logs: ## Tail reuse-surface service logs
kubectl logs -n $(REUSE_HUB_NAMESPACE) -l app.kubernetes.io/instance=$(REUSE_HUB_RELEASE) -f --tail=50 kubectl logs -n $(REUSE_NAMESPACE) -l app.kubernetes.io/instance=$(REUSE_RELEASE) -f --tail=50
##@ Help ##@ Help
@@ -130,4 +130,4 @@ help: ## Show this help
/^[a-zA-Z0-9_-]+:.*?##/ { printf " \033[36m%-20s\033[0m %s\n", $$1, $$2 } \ /^[a-zA-Z0-9_-]+:.*?##/ { printf " \033[36m%-20s\033[0m %s\n", $$1, $$2 } \
/^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) }' $(MAKEFILE_LIST) /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) }' $(MAKEFILE_LIST)
.PHONY: check-tools check-sops k8s-server-dry-run apps-pg-status vergabe-dry-run vergabe-deploy vergabe-ingress-deploy vergabe-status vergabe-migrate vergabe-seed vergabe-superuser vergabe-logs vergabe-db-url-secret inter-hub-dry-run inter-hub-deploy inter-hub-status inter-hub-logs reuse-hub-dry-run reuse-hub-deploy reuse-hub-status reuse-hub-logs help .PHONY: check-tools check-sops k8s-server-dry-run apps-pg-status vergabe-dry-run vergabe-deploy vergabe-ingress-deploy vergabe-status vergabe-migrate vergabe-seed vergabe-superuser vergabe-logs vergabe-db-url-secret inter-hub-dry-run inter-hub-deploy inter-hub-status inter-hub-logs reuse-dry-run reuse-deploy reuse-status reuse-logs help


@@ -1,7 +1,7 @@
apiVersion: v2 apiVersion: v2
name: reuse-surface-hub name: reuse-surface
description: | description: |
Federation hub for helix_forge capability registry coordination on Railiance01. Federation service for helix_forge capability registry on Railiance01.
type: application type: application
version: 0.1.0 version: 0.1.0
appVersion: "0.1.0" appVersion: "0.1.0"
@@ -9,7 +9,7 @@ keywords:
- reuse-surface - reuse-surface
- federation - federation
- helix-forge - helix-forge
- railiance - coulomb.social
home: https://gitea.coulomb.social/coulomb/reuse-surface home: https://gitea.coulomb.social/coulomb/reuse-surface
sources: sources:
- https://gitea.coulomb.social/coulomb/reuse-surface - https://gitea.coulomb.social/coulomb/reuse-surface


@@ -1,10 +1,10 @@
{{- define "reusehub.fullname" -}} {{- define "reuse.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}} {{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s" $name | trunc 63 | trimSuffix "-" -}} {{- printf "%s" $name | trunc 63 | trimSuffix "-" -}}
{{- end -}} {{- end -}}
{{- define "reusehub.labels" -}} {{- define "reuse.labels" -}}
app.kubernetes.io/name: {{ include "reusehub.fullname" . }} app.kubernetes.io/name: {{ include "reuse.fullname" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
@@ -12,14 +12,14 @@ app.kubernetes.io/part-of: railiance-apps
helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" }} helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" }}
{{- end -}} {{- end -}}
{{- define "reusehub.selectorLabels" -}} {{- define "reuse.selectorLabels" -}}
app.kubernetes.io/name: {{ include "reusehub.fullname" . }} app.kubernetes.io/name: {{ include "reuse.fullname" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}} {{- end -}}
{{- define "reusehub.image" -}} {{- define "reuse.image" -}}
{{- if not .Values.image.tag -}} {{- if not .Values.image.tag -}}
{{- fail "image.tag is required - pin it in helm/reuse-surface-hub-values.yaml" -}} {{- fail "image.tag is required - pin it in helm/reuse-surface-values.yaml" -}}
{{- end -}} {{- end -}}
{{- printf "%s:%s" .Values.image.repository .Values.image.tag -}} {{- printf "%s:%s" .Values.image.repository .Values.image.tag -}}
{{- end -}} {{- end -}}


@@ -1,12 +1,12 @@
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: {{ include "reusehub.fullname" . }} name: {{ include "reuse.fullname" . }}
labels: {{- include "reusehub.labels" . | nindent 4 }} labels: {{- include "reuse.labels" . | nindent 4 }}
spec: spec:
replicas: {{ .Values.replicaCount }} replicas: {{ .Values.replicaCount }}
selector: selector:
matchLabels: {{- include "reusehub.selectorLabels" . | nindent 6 }} matchLabels: {{- include "reuse.selectorLabels" . | nindent 6 }}
strategy: strategy:
type: RollingUpdate type: RollingUpdate
rollingUpdate: rollingUpdate:
@@ -14,13 +14,14 @@ spec:
maxUnavailable: 0 maxUnavailable: 0
template: template:
metadata: metadata:
labels: {{- include "reusehub.selectorLabels" . | nindent 8 }} labels: {{- include "reuse.selectorLabels" . | nindent 8 }}
spec: spec:
securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }}
containers: containers:
- name: reuse-surface-hub - name: reuse-surface
image: {{ include "reusehub.image" . | quote }} image: {{ include "reuse.image" . | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }} imagePullPolicy: {{ .Values.image.pullPolicy }}
command: ["reuse-surface", "serve"]
securityContext: {{- toYaml .Values.securityContext | nindent 12 }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }}
ports: ports:
- name: http - name: http
@@ -30,9 +31,9 @@ spec:
- secretRef: - secretRef:
name: {{ .Values.envSecretName | quote }} name: {{ .Values.envSecretName | quote }}
env: env:
- name: REUSE_SURFACE_HUB_DB - name: REUSE_SURFACE_DB
value: {{ printf "%s/hub.db" .Values.persistence.mountPath | quote }} value: {{ printf "%s/reuse.db" .Values.persistence.mountPath | quote }}
- name: REUSE_SURFACE_HUB_CACHE_DIR - name: REUSE_SURFACE_CACHE_DIR
value: {{ printf "%s/cache" .Values.persistence.mountPath | quote }} value: {{ printf "%s/cache" .Values.persistence.mountPath | quote }}
{{- if .Values.persistence.enabled }} {{- if .Values.persistence.enabled }}
volumeMounts: volumeMounts:
@@ -62,7 +63,7 @@ spec:
volumes: volumes:
- name: data - name: data
persistentVolumeClaim: persistentVolumeClaim:
claimName: {{ include "reusehub.fullname" . }}-data claimName: {{ include "reuse.fullname" . }}-data
{{- end }} {{- end }}
{{- with .Values.nodeSelector }} {{- with .Values.nodeSelector }}
nodeSelector: {{- toYaml . | nindent 8 }} nodeSelector: {{- toYaml . | nindent 8 }}
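Review bot: `REUSE_SURFACE_DB` and `REUSE_SURFACE_CACHE_DIR` are always derived from `.Values.persistence.mountPath`, but the `volumeMounts:` and `volumes:` blocks that follow sit inside `{{- if .Values.persistence.enabled }}`, and the `volumes:` hunk closes with `{{- end }}` without an else branch. With persistence disabled, the SQLite file and fetch cache would land in the container's writable layer and be lost on restart, or the process would fail to start if `.Values.securityContext` sets a read-only root filesystem (those values are not shown here). Consider adding an `{{- else }}` branch that backs the same `data` volume with `emptyDir: {}`, or failing the render when persistence is off. The container spec continues outside the visible hunks, so confirm that no such fallback already exists.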


@@ -2,8 +2,8 @@
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
kind: Ingress kind: Ingress
metadata: metadata:
name: {{ include "reusehub.fullname" . }} name: {{ include "reuse.fullname" . }}
labels: {{- include "reusehub.labels" . | nindent 4 }} labels: {{- include "reuse.labels" . | nindent 4 }}
annotations: annotations:
{{- toYaml .Values.ingress.annotations | nindent 4 }} {{- toYaml .Values.ingress.annotations | nindent 4 }}
spec: spec:
@@ -12,7 +12,7 @@ spec:
tls: tls:
- hosts: - hosts:
- {{ .Values.ingress.host }} - {{ .Values.ingress.host }}
secretName: {{ include "reusehub.fullname" . }}-tls secretName: {{ include "reuse.fullname" . }}-tls
{{- end }} {{- end }}
rules: rules:
- host: {{ .Values.ingress.host }} - host: {{ .Values.ingress.host }}
@@ -22,7 +22,7 @@ spec:
pathType: Prefix pathType: Prefix
backend: backend:
service: service:
name: {{ include "reusehub.fullname" . }} name: {{ include "reuse.fullname" . }}
port: port:
number: {{ .Values.service.port }} number: {{ .Values.service.port }}
{{- end }} {{- end }}


@@ -2,8 +2,8 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: {{ include "reusehub.fullname" . }}-data name: {{ include "reuse.fullname" . }}-data
labels: {{- include "reusehub.labels" . | nindent 4 }} labels: {{- include "reuse.labels" . | nindent 4 }}
spec: spec:
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce


@@ -1,11 +1,11 @@
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ include "reusehub.fullname" . }} name: {{ include "reuse.fullname" . }}
labels: {{- include "reusehub.labels" . | nindent 4 }} labels: {{- include "reuse.labels" . | nindent 4 }}
spec: spec:
type: {{ .Values.service.type }} type: {{ .Values.service.type }}
selector: {{- include "reusehub.selectorLabels" . | nindent 4 }} selector: {{- include "reuse.selectorLabels" . | nindent 4 }}
ports: ports:
- name: http - name: http
port: {{ .Values.service.port }} port: {{ .Values.service.port }}


@@ -1,5 +1,5 @@
image: image:
repository: gitea.coulomb.social/coulomb/reuse-surface-hub repository: gitea.coulomb.social/coulomb/reuse-surface
tag: "" tag: ""
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
@@ -24,12 +24,12 @@ resources:
cpu: 500m cpu: 500m
memory: 512Mi memory: 512Mi
envSecretName: reuse-surface-hub-env envSecretName: reuse-surface-env
ingress: ingress:
enabled: false enabled: true
className: traefik className: traefik
host: reuse-hub.whywhynot.de host: reuse.coulomb.social
tls: true tls: true
annotations: annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure traefik.ingress.kubernetes.io/router.entrypoints: websecure
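Review bot: Flipping the chart default to `enabled: true` under `ingress:` together with `host: reuse.coulomb.social` means any install of this chart that omits overrides publishes the service on the production hostname and requests a certificate for it. The production overrides file `helm/reuse-surface-values.yaml` is the narrower place for this: keep `enabled: false` in the chart defaults and set `enabled: true` and `host: reuse.coulomb.social` under `ingress:` there. That way a test install in another namespace cannot claim the production route, and exposure becomes an explicit per-environment decision. The `annotations:` map continues past the end of this hunk.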


@@ -1,5 +1,5 @@
# Production overrides for reuse-surface federation hub. # Production overrides for reuse-surface federation hub.
# REUSE_SURFACE_HUB_TOKEN is supplied via Secret reuse-surface-hub-env. # REUSE_SURFACE_TOKEN is supplied via Secret reuse-surface-env.
image: image:
tag: "pending-first-build" tag: "pending-first-build"


@@ -1,7 +1,7 @@
--- ---
id: RAILIANCE-WP-0007 id: RAILIANCE-WP-0007
type: workplan type: workplan
title: "Deploy reuse-surface federation hub on railiance01" title: "Deploy reuse-surface federation service on railiance01"
domain: railiance domain: railiance
repo: railiance-apps repo: railiance-apps
status: active status: active
@@ -11,105 +11,87 @@ created: "2026-06-15"
updated: "2026-06-15" updated: "2026-06-15"
--- ---
# Deploy reuse-surface federation hub on railiance01 # Deploy reuse-surface federation service on railiance01
Companion to **`reuse-surface` REUSE-WP-0011**. Own the S5 Helm release, Companion to **`reuse-surface` REUSE-WP-0011**. Own the S5 Helm release,
ingress, and operator targets for the federation hub service on production ingress, and operator targets for the federation service on production cluster
cluster node `railiance01` (`92.205.130.254`). node `railiance01` (`92.205.130.254`).
## Goal ## Goal
Expose the helix_forge federation hub API at a stable TLS endpoint so repos can Expose the helix_forge federation API at **`https://reuse.coulomb.social`** so
register capability index URLs via `reuse-surface hub` without per-machine repos can register capability index URLs via `reuse-surface hub` without
`sources.yaml` maintenance. per-machine `sources.yaml` maintenance.
**Default hostname (confirm with operator):** `https://reuse-hub.whywhynot.de` Gitea repo: `coulomb/reuse-surface`
OCI image: `gitea.coulomb.social/coulomb/reuse-surface:<tag>`
## Upstream dependency ## Upstream dependency
| Upstream | Workplan | Required artifact | | Upstream | Workplan | Required artifact |
|---|---|---| |---|---|---|
| Hub service + image | `reuse-surface` REUSE-WP-0011 | Container image `gitea.coulomb.social/coulomb/reuse-surface-hub:<tag>`, `/health` probe path | | Service + image | `reuse-surface` REUSE-WP-0011 | Image `gitea.coulomb.social/coulomb/reuse-surface:<tag>`, `reuse-surface serve`, `/health` |
Do not deploy until REUSE-WP-0011-T04 publishes a buildable image and documents Do not deploy until REUSE-WP-0011-T04 publishes a buildable image.
the required environment variables.
## Placement ## Placement
Follow the established `inter-hub` pattern in this repo: Follow the `inter-hub` pattern:
- `charts/reuse-surface-hub/` — Helm chart (Deployment, Service, Ingress, PVC) - `charts/reuse-surface/` — Helm chart (Deployment, Service, Ingress, PVC)
- `helm/reuse-surface-hub-values.yaml` — non-secret overrides (image tag, host) - `helm/reuse-surface-values.yaml` — non-secret overrides (image tag)
- SOPS secret handoff for `REUSE_SURFACE_HUB_TOKEN` (write token) - Secret `reuse-surface-env` with `REUSE_SURFACE_TOKEN`
- `Makefile` targets: `reuse-hub-dry-run`, `reuse-hub-deploy`, `reuse-hub-status`, `reuse-hub-logs` - `Makefile` targets: `reuse-dry-run`, `reuse-deploy`, `reuse-status`, `reuse-logs`
- Namespace: `reuse`
Cross-repo coordination:
| Concern | Owner |
|---|---|
| Application image and API | `reuse-surface` |
| Helm release and ingress | `railiance-apps` (this workplan) |
| OCI registry push | `railiance-forge` guidance + `reuse-surface` CI/docs |
| DNS A record | DNS owner of `whywhynot.de` |
| Traefik / cert-manager | `railiance-cluster` / `railiance-platform` (reuse) |
## Safety contract ## Safety contract
- Do not commit decrypted SOPS values or hub write tokens. - Do not commit decrypted SOPS values or `REUSE_SURFACE_TOKEN`.
- Pin image tags in `helm/reuse-surface-hub-values.yaml`; no `:latest` in production. - Pin image tags in `helm/reuse-surface-values.yaml`.
- Use a dedicated namespace (default `reuse-surface-hub`). - PVC at `/data` for SQLite (`reuse.db`) and fetch cache.
- PVC for SQLite data; document backup expectation in runbook.
--- ---
## Scaffold Helm Chart For reuse-surface-hub ## Scaffold Helm Chart For reuse-surface
```task ```task
id: RAILIANCE-WP-0007-T01 id: RAILIANCE-WP-0007-T01
status: done status: done
priority: high priority: high
state_hub_task_id: "d296f037-eef6-4bfc-9e00-65d2aefa9338"
``` ```
Create `charts/reuse-surface-hub/` modeled on `charts/inter-hub/` with: Create `charts/reuse-surface/` with Deployment (`reuse-surface serve`), Service,
PVC, Ingress, probes on `/health`.
- Deployment exposing port `8000` ## Add Values, Secret Template, And Makefile Targets
- ClusterIP Service
- Optional PVC mount at `/data` for SQLite persistence
- Ingress (Traefik + cert-manager) disabled by default until hostname confirmed
- Probes targeting `GET /health`
- `envSecretName` for hub token and optional config
## Add Values, SOPS Template, And Makefile Targets
```task ```task
id: RAILIANCE-WP-0007-T02 id: RAILIANCE-WP-0007-T02
status: done status: done
priority: high priority: high
state_hub_task_id: "5050e2fb-07c0-4a06-a64b-f152f8bdb35d"
``` ```
Add: Add `helm/reuse-surface-values.yaml`, document Secret `reuse-surface-env`, and
Makefile `reuse-*` targets.
- `helm/reuse-surface-hub-values.yaml` with image repository ## Configure Ingress For reuse.coulomb.social
`gitea.coulomb.social/coulomb/reuse-surface-hub` and placeholder tag
- Documented SOPS secret template path (mirror `inter-hub-env` pattern)
- Makefile variables and targets: `reuse-hub-dry-run`, `reuse-hub-deploy`,
`reuse-hub-status`, `reuse-hub-logs`
## Configure Ingress And Hostname
```task ```task
id: RAILIANCE-WP-0007-T03 id: RAILIANCE-WP-0007-T03
status: wait status: todo
priority: medium priority: medium
state_hub_task_id: "80dc308a-3c0f-4027-9b40-67df5f17aca7"
``` ```
Enable ingress in values with: Ingress enabled in chart values:
- `ingress.host: reuse-hub.whywhynot.de` (or operator-confirmed host) - `ingress.host: reuse.coulomb.social`
- `cert-manager.io/cluster-issuer: letsencrypt-prod` - `cert-manager.io/cluster-issuer: letsencrypt-prod`
- Traefik annotations matching `vergabe-teilnahme` / `inter-hub` - Traefik annotations matching `inter-hub`
**Blocked on:** DNS A record and hostname approval. Confirm DNS A record in `coulomb.social` zone.
## Deploy Release To railiance01 ## Deploy Release To railiance01
@@ -117,14 +99,15 @@ Enable ingress in values with:
id: RAILIANCE-WP-0007-T04 id: RAILIANCE-WP-0007-T04
status: wait status: wait
priority: medium priority: medium
state_hub_task_id: "14049fd1-7ec1-4762-9a7c-9783f0997016"
``` ```
When REUSE-WP-0011-T04 image is available: When image is available:
1. `make reuse-hub-dry-run` — inspect rendered manifests 1. `make reuse-dry-run`
2. Apply SOPS secret for hub token 2. Apply Secret `reuse-surface-env`
3. `make reuse-hub-deploy` 3. `make reuse-deploy`
4. Confirm certificate issued and `/health` returns 200 4. Verify `https://reuse.coulomb.social/health`
## Post-Deploy Verification And Runbook ## Post-Deploy Verification And Runbook
@@ -132,11 +115,12 @@ When REUSE-WP-0011-T04 image is available:
id: RAILIANCE-WP-0007-T05 id: RAILIANCE-WP-0007-T05
status: todo status: todo
priority: low priority: low
state_hub_task_id: "30b08789-38bb-409a-b5b1-b3c73ff31a96"
``` ```
Add `docs/reuse-surface-hub-on-railiance01.md` with: Add `docs/reuse-surface-on-railiance01.md` with smoke checks:
- Namespace, release name, image promotion steps ```bash
- Secret rotation notes export REUSE_SURFACE_URL=https://reuse.coulomb.social
- Smoke checks: `reuse-surface hub status --hub-url https://reuse-hub.whywhynot.de` reuse-surface hub status
- Link back to `reuse-surface/docs/RegistryFederation.md` ```