coulomb/railiance-apps
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Harden inter-hub production deploy trigger

Browse Source
This commit is contained in:
Bernd Worsch
2026-06-15 22:44:13 +02:00
parent 088bc35342
commit 6abf75365b
6 changed files with 380 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

72
docs/inter-hub-on-railiance01.md
View File

@@ -35,10 +35,15 @@ Read-only checks on 2026-06-15 showed:
target.
- The pod is Running and `certificate/inter-hub-tls` is Ready on Railiance01.
- `GET https://hub.coulomb.social/api/v2/hubs` returned `200` unauthenticated,
proving the route is present but not satisfying the expected `401` auth gate.
- `/openapi.json`, `/api/openapi.json`, `/swagger.json`, and
`/api/swagger.json` returned `404`; the public OpenAPI route still needs to
be confirmed by the upstream inter-hub owner.
matching the public discovery contract.
- `GET https://hub.coulomb.social/api/v2/widgets` and
`GET https://hub.coulomb.social/api/v2/hub-registry` returned `401`
unauthenticated with `invalid_api_key`.
- OpenAPI is published at `/api/v2/openapi.json`; `/openapi.json` is not the
Inter-Hub v2 OpenAPI route.
- `gitea.coulomb.social/coulomb/inter-hub:5101eb5` returned
`manifest unknown` on 2026-06-15, so production deploy must wait for the
image publication gate to pass.
## Deploy
@@ -46,23 +51,54 @@ Use the Railiance01 kubeconfig. The Makefile defaults to
`~/.kube/config-hosteurope` and fails fast when it is missing.
```bash
make inter-hub-dry-run
INTER_HUB_IMAGE_TAG=91037a4 make inter-hub-deploy
make inter-hub-render-baseline
INTER_HUB_IMAGE_TAG=5101eb5 make check-inter-hub-image
INTER_HUB_IMAGE_TAG=5101eb5 make inter-hub-dry-run
INTER_HUB_IMAGE_TAG=5101eb5 make inter-hub-server-dry-run
INTER_HUB_IMAGE_TAG=5101eb5 make inter-hub-deploy
make inter-hub-status
```
Deploy automation should pass the image tag without rewriting
`helm/inter-hub-values.yaml`. The production deploy target requires this
explicit tag:
explicit tag and refuses to continue if the registry manifest does not exist:
```bash
INTER_HUB_IMAGE_TAG=91037a4 make inter-hub-deploy
INTER_HUB_IMAGE_TAG=5101eb5 make inter-hub-deploy
```
Use a tag at or after the commit that contains the required v2 bootstrap API
routes. The upstream inter-hub workplan names `91037a4` as the first expected
tag for the IHUB-WP-0019 route surface; verify the actual registry tag before
announcing rollout.
routes and any required follow-up fix. The upstream inter-hub workplan names
`5101eb5` for the API count-decoding fix needed by the current ops-hub
bootstrap path; verify the actual registry tag before announcing rollout.
`make inter-hub-render-baseline` exists only for chart validation with the
checked-in values file. Production-facing dry-runs and deploys must use an
explicit `INTER_HUB_IMAGE_TAG`.
## Workflow Dispatch
`.gitea/workflows/inter-hub-production-deploy.yaml` provides a manual
production trigger. It requires:
- `image_tag`, the immutable inter-hub image tag to deploy;
- `confirm`, with the exact value `deploy-inter-hub-production`;
- an approved self-hosted runner with Railiance01 kubeconfig access at
`~/.kube/config-hosteurope` or an equivalent `RAILIANCE01_KUBECONFIG`
override;
- registry access through `skopeo`, `crane`, `docker manifest inspect`, or the
registry HTTP API.
The workflow runs the same local targets an attended operator would run:
1. `make check-inter-hub-image`
2. `make inter-hub-server-dry-run`
3. `make inter-hub-deploy`
4. `make inter-hub-status`
5. `make inter-hub-smoke`
If the image manifest is missing, stop and hand back to the inter-hub/forge
image publication path. Do not run Helm against a tag that fails preflight.
## Release verification
@@ -97,7 +133,8 @@ or another committed migration mechanism.
## Smoke checks
After rollout, the unauthenticated v2 API gate should be present:
After rollout, the current v2 public-read/authenticated-write contract should
be present:
```bash
make inter-hub-smoke
@@ -105,6 +142,11 @@ make inter-hub-smoke
Expected results:
- `GET https://hub.coulomb.social/api/v2/hubs` returns `401`, not `404`.
- OpenAPI lists `/hubs`, `/hub-capability-manifests`, `/api-consumers`, and
`/policy-scopes`.
- `GET https://hub.coulomb.social/api/v2/hubs` returns `200` public discovery
JSON.
- `GET https://hub.coulomb.social/api/v2/widgets` returns `401` without a key.
- `GET https://hub.coulomb.social/api/v2/hub-registry` returns `401` without a
key.
- `GET https://hub.coulomb.social/api/v2/openapi.json` returns OpenAPI JSON
listing `/hubs`, `/hub-capability-manifests`, `/api-consumers`,
`/policy-scopes`, `/widgets`, and `/hub-registry`.