Add RAILIANCE-WP-0007: reuse-surface hub Helm chart on railiance01
Companion to reuse-surface REUSE-WP-0011. Scaffold charts/reuse-surface-hub with PVC, ingress template, values file, and Makefile deploy targets.
This commit is contained in:
142
workplans/RAILIANCE-WP-0007-reuse-surface-hub-on-railiance01.md
Normal file
142
workplans/RAILIANCE-WP-0007-reuse-surface-hub-on-railiance01.md
Normal file
@@ -0,0 +1,142 @@
|
||||
---
|
||||
id: RAILIANCE-WP-0007
|
||||
type: workplan
|
||||
title: "Deploy reuse-surface federation hub on railiance01"
|
||||
domain: railiance
|
||||
repo: railiance-apps
|
||||
status: active
|
||||
owner: codex
|
||||
topic_slug: railiance
|
||||
created: "2026-06-15"
|
||||
updated: "2026-06-15"
|
||||
---
|
||||
|
||||
# Deploy reuse-surface federation hub on railiance01
|
||||
|
||||
Companion to **`reuse-surface` REUSE-WP-0011**. Own the S5 Helm release,
|
||||
ingress, and operator targets for the federation hub service on production
|
||||
cluster node `railiance01` (`92.205.130.254`).
|
||||
|
||||
## Goal
|
||||
|
||||
Expose the helix_forge federation hub API at a stable TLS endpoint so repos can
|
||||
register capability index URLs via `reuse-surface hub` without per-machine
|
||||
`sources.yaml` maintenance.
|
||||
|
||||
**Default hostname (confirm with operator):** `https://reuse-hub.whywhynot.de`
|
||||
|
||||
## Upstream dependency
|
||||
|
||||
| Upstream | Workplan | Required artifact |
|
||||
|---|---|---|
|
||||
| Hub service + image | `reuse-surface` REUSE-WP-0011 | Container image `gitea.coulomb.social/coulomb/reuse-surface-hub:<tag>`, `/health` probe path |
|
||||
|
||||
Do not deploy until REUSE-WP-0011-T04 publishes a buildable image and documents
|
||||
the required environment variables.
|
||||
|
||||
## Placement
|
||||
|
||||
Follow the established `inter-hub` pattern in this repo:
|
||||
|
||||
- `charts/reuse-surface-hub/` — Helm chart (Deployment, Service, Ingress, PVC)
|
||||
- `helm/reuse-surface-hub-values.yaml` — non-secret overrides (image tag, host)
|
||||
- SOPS secret handoff for `REUSE_SURFACE_HUB_TOKEN` (write token)
|
||||
- `Makefile` targets: `reuse-hub-dry-run`, `reuse-hub-deploy`, `reuse-hub-status`, `reuse-hub-logs`
|
||||
|
||||
Cross-repo coordination:
|
||||
|
||||
| Concern | Owner |
|
||||
|---|---|
|
||||
| Application image and API | `reuse-surface` |
|
||||
| Helm release and ingress | `railiance-apps` (this workplan) |
|
||||
| OCI registry push | `railiance-forge` guidance + `reuse-surface` CI/docs |
|
||||
| DNS A record | DNS owner of `whywhynot.de` |
|
||||
| Traefik / cert-manager | `railiance-cluster` / `railiance-platform` (reuse) |
|
||||
|
||||
## Safety contract
|
||||
|
||||
- Do not commit decrypted SOPS values or hub write tokens.
|
||||
- Pin image tags in `helm/reuse-surface-hub-values.yaml`; no `:latest` in production.
|
||||
- Use a dedicated namespace (default `reuse-surface-hub`).
|
||||
- PVC for SQLite data; document backup expectation in runbook.
|
||||
|
||||
---
|
||||
|
||||
## Scaffold Helm Chart For reuse-surface-hub
|
||||
|
||||
```task
|
||||
id: RAILIANCE-WP-0007-T01
|
||||
status: done
|
||||
priority: high
|
||||
```
|
||||
|
||||
Create `charts/reuse-surface-hub/` modeled on `charts/inter-hub/` with:
|
||||
|
||||
- Deployment exposing port `8000`
|
||||
- ClusterIP Service
|
||||
- Optional PVC mount at `/data` for SQLite persistence
|
||||
- Ingress (Traefik + cert-manager) disabled by default until hostname confirmed
|
||||
- Probes targeting `GET /health`
|
||||
- `envSecretName` for hub token and optional config
|
||||
|
||||
## Add Values, SOPS Template, And Makefile Targets
|
||||
|
||||
```task
|
||||
id: RAILIANCE-WP-0007-T02
|
||||
status: done
|
||||
priority: high
|
||||
```
|
||||
|
||||
Add:
|
||||
|
||||
- `helm/reuse-surface-hub-values.yaml` with image repository
|
||||
`gitea.coulomb.social/coulomb/reuse-surface-hub` and placeholder tag
|
||||
- Documented SOPS secret template path (mirror `inter-hub-env` pattern)
|
||||
- Makefile variables and targets: `reuse-hub-dry-run`, `reuse-hub-deploy`,
|
||||
`reuse-hub-status`, `reuse-hub-logs`
|
||||
|
||||
## Configure Ingress And Hostname
|
||||
|
||||
```task
|
||||
id: RAILIANCE-WP-0007-T03
|
||||
status: wait
|
||||
priority: medium
|
||||
```
|
||||
|
||||
Enable ingress in values with:
|
||||
|
||||
- `ingress.host: reuse-hub.whywhynot.de` (or operator-confirmed host)
|
||||
- `cert-manager.io/cluster-issuer: letsencrypt-prod`
|
||||
- Traefik annotations matching `vergabe-teilnahme` / `inter-hub`
|
||||
|
||||
**Blocked on:** DNS A record and hostname approval.
|
||||
|
||||
## Deploy Release To railiance01
|
||||
|
||||
```task
|
||||
id: RAILIANCE-WP-0007-T04
|
||||
status: wait
|
||||
priority: medium
|
||||
```
|
||||
|
||||
When REUSE-WP-0011-T04 image is available:
|
||||
|
||||
1. `make reuse-hub-dry-run` — inspect rendered manifests
|
||||
2. Apply SOPS secret for hub token
|
||||
3. `make reuse-hub-deploy`
|
||||
4. Confirm certificate issued and `/health` returns 200
|
||||
|
||||
## Post-Deploy Verification And Runbook
|
||||
|
||||
```task
|
||||
id: RAILIANCE-WP-0007-T05
|
||||
status: todo
|
||||
priority: low
|
||||
```
|
||||
|
||||
Add `docs/reuse-surface-hub-on-railiance01.md` with:
|
||||
|
||||
- Namespace, release name, image promotion steps
|
||||
- Secret rotation notes
|
||||
- Smoke checks: `reuse-surface hub status --hub-url https://reuse-hub.whywhynot.de`
|
||||
- Link back to `reuse-surface/docs/RegistryFederation.md`
|
||||
Reference in New Issue
Block a user