Implement app deployment improvements

2026-05-22 22:25:40 +02:00
parent 60a9e37a86
commit 934770cb68
15 changed files with 552 additions and 25 deletions


@@ -4,12 +4,12 @@ type: workplan
title: "App deployment improvements (lessons from RAILIANCE-WP-0002)"
domain: railiance
repo: railiance-apps
status: backlog
status: active
owner: railiance
topic_slug: railiance
planning_priority: medium
created: "2026-05-19"
updated: "2026-05-19"
updated: "2026-05-22"
state_hub_workstream_id: "b61a9aca-4e43-4b3d-a48b-999e0fa842cf"
---
@@ -18,14 +18,15 @@ state_hub_workstream_id: "b61a9aca-4e43-4b3d-a48b-999e0fa842cf"
This workplan collects concrete follow-ups surfaced while shipping
`vergabe-teilnahme` under `RAILIANCE-WP-0002`. Each item is small,
independent, and can be picked up in isolation when the next S5 app
lands or when the next operator onboards. Status is `backlog`
nothing here is blocking the live deployment.
lands or when the next operator onboards. Activated on 2026-05-22;
local railiance-apps guardrails are implemented, with the package
publication item blocked on sibling-repo release work.
## I01 — URL-encode DB passwords at Secret-build time
```task
id: RAILIANCE-WP-0004-I01
status: todo
status: done
priority: medium
state_hub_task_id: "a05a855a-00a0-4e0e-ba82-27e0a072f777"
```
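Review bot: the replacement sentence drops the statement "nothing here is blocking the live deployment" without saying whether that still holds now that I03 is `blocked`; add a clause to the activation sentence stating whether the blocked package-publication item affects the running `vergabe-teilnahme` deployment, since that is the fact an operator reading the intro wants.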
@@ -47,13 +48,17 @@ parsing is needed at all.
**Where it lives:** new `tools/` script + Makefile target, or chart
helper template.
**Implemented 2026-05-22.** Added `tools/build-database-url-secret.sh`
and `make vergabe-db-url-secret`; updated the app runbook to use the
helper during DB password rotation.
---
## I02 — Document the Django + kube-probe Host-header pattern
```task
id: RAILIANCE-WP-0004-I02
status: todo
status: done
priority: low
state_hub_task_id: "22a212e6-31b1-490a-8d1c-0a33ddc62501"
```
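Review bot: the I01 implementation note does not say how `tools/build-database-url-secret.sh` and `make vergabe-db-url-secret` receive the DB password; state the input path in the note and runbook, and prefer stdin or an environment variable over a positional argument, because a password passed as a command-line argument is visible in process listings and shell history during rotation.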
@@ -71,13 +76,16 @@ pattern into a documented "Django-on-Railiance" recipe (short doc in
the gotcha. Also worth a "common chart values" sketch if a second
Django app justifies the abstraction.
**Implemented 2026-05-22.** Added `docs/django-on-railiance.md` and
cross-linked it from the `vergabe-teilnahme` runbook.
---
## I03 — Publish `issue-core` to a Gitea Python package registry
```task
id: RAILIANCE-WP-0004-I03
status: todo
status: blocked
priority: medium
state_hub_task_id: "f412b874-0670-4a4a-89fc-575fe4994646"
```
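Review bot: `status: blocked` on I03 carries no pointer to the blocker; since the task block is the unit that carries `state_hub_task_id`, name the blocking work (the `issue-core` release and dependency change described further down) next to the status, e.g. a `blocked_on:` line or a one-line comment, so the task is readable without the surrounding prose.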
@@ -98,13 +106,19 @@ drops the `--build-context` and the build becomes portable.
(small Helm values change) and a release pipeline for `issue-core`
(separate repo).
**Local progress 2026-05-22.** `helm/gitea-registry-values.yaml` now
sets `packages.LIMIT_SIZE_PYPI: -1`, and
`docs/gitea-package-registry.md` documents the Gitea PyPI endpoint plus
the `issue-core` migration. The remaining release and dependency change
must happen in the `issue-core` and `vergabe-teilnahme` repos.
---
## I04 — Operator onboarding: install the `kubectl cnpg` plugin
```task
id: RAILIANCE-WP-0004-I04
status: todo
status: done
priority: low
state_hub_task_id: "2f44cad1-b70c-4406-91a9-0c0fa9c75583"
```
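Review bot: `packages.LIMIT_SIZE_PYPI: -1` removes the per-upload size cap for the PyPI registry entirely; if the intent is only to override a smaller limit that the values file previously set, say so in the I03 note, otherwise choose a finite cap sized for `issue-core` wheels so that any account with package write access cannot fill the Gitea storage volume with oversized uploads.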
@@ -120,13 +134,17 @@ line: `kubectl krew install cnpg` or a direct binary download). Add
a `make check-tools` target that warns when `kubectl cnpg` or `helm`
is missing.
**Implemented 2026-05-22.** Added `make check-tools`,
`docs/operator-setup.md`, and cnpg fallback status output for Gitea and
the shared `apps-pg` cluster.
---
## I05 — Operator onboarding: SOPS / age key bootstrap
```task
id: RAILIANCE-WP-0004-I05
status: todo
status: done
priority: low
state_hub_task_id: "741d8a73-8cb0-40ac-a218-f1d3a74ebef3"
```
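Review bot: "cnpg fallback status output" in the I04 implementation note is too vague to act on; spell out what the fallback does when `kubectl cnpg` is absent (which plain `kubectl` query stands in for the plugin's status view, and that `make check-tools` warns rather than fails) so an operator seeing the degraded output knows it is expected and not a broken check.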
@@ -143,13 +161,17 @@ procedure (where to put the key, how to verify, how to rotate). A
decrypt a known sentinel would catch this at the first deploy attempt
rather than at the failing apply.
**Implemented 2026-05-22.** Added `docs/operator-setup.md`,
`tools/check-sops.sh`, and `make check-sops` using
`helm/gitea-values.sops.yaml` as the sentinel by default.
---
## I06 — CI guard against stale committed manifests vs live CRD drift
```task
id: RAILIANCE-WP-0004-I06
status: todo
status: done
priority: medium
state_hub_task_id: "a319c20b-993c-46b7-889a-f0ac738056c4"
```
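Review bot: using the encrypted Gitea values file `helm/gitea-values.sops.yaml` as the default sentinel means `make check-sops` decrypts real deployment values just to prove the age key works; either confirm in the note that `tools/check-sops.sh` discards the decrypted output (exit status only, nothing to stdout or CI logs), or point the default at a small dedicated sentinel file that contains no real secret.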
@@ -172,13 +194,18 @@ releases; strict server-side decoding catches drift that
concern, but mirrored here because every S5 manifest in
`charts/` and `manifests/` carries the same risk.
**Implemented 2026-05-22.** Added `tools/k8s-server-dry-run.sh`,
`make k8s-server-dry-run`, and a `.gitea/workflows/` PR workflow that
runs the guard when charts, Helm values, manifests, or the dry-run tool
change.
---
## I07 — `kubectl run --rm -i` smoke pattern is unreliable
```task
id: RAILIANCE-WP-0004-I07
status: todo
status: done
priority: low
state_hub_task_id: "e3f59b3d-95c8-4cf9-9943-b1597954fd77"
```
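Review bot: the `.gitea/workflows/` PR workflow runs `tools/k8s-server-dry-run.sh`, and a server-side dry run needs live API access to the cluster, so the note should say which kubeconfig or service account the workflow uses and that it is scoped to the target namespaces; note that the API server authorizes dry-run requests with the same verbs as a real apply, so the account still needs create/patch on those resources, which is why it should be a dedicated account and the workflow should not run on PRs from forks or untrusted branches.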
@@ -195,13 +222,15 @@ runbook) recommending the persistent-pod-plus-exec pattern for any
service-IP smoke check. Optional: ship `tools/smoke.sh` that
wraps the pattern.
**Implemented 2026-05-22.** Added `docs/operator-recipes.md` and
`tools/smoke-service.sh`.
---
## Notes
- Items are individually `todo`; the workplan status is `backlog` so
they don't show up in active-workstream lists. Promote an item to
`active` (and its tasks to `in_progress`) when you pick it up.
- Items were activated on 2026-05-22. Local railiance-apps pieces are
complete except I03, which is blocked on sibling-repo release work.
- I06 is genuinely cross-repo; the others are local to
`railiance-apps` or its operator workflow.
- The first three items (I01, I02, I03) are the highest-leverage
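Review bot: the I07 implementation line names `tools/smoke-service.sh`, while the unchanged plan text just above still says "Optional: ship `tools/smoke.sh`"; update the plan sentence (or add a parenthetical) so the two names agree, and have the Notes bullet on activation mention which operator docs are new (`docs/operator-setup.md`, `docs/operator-recipes.md`, `docs/django-on-railiance.md`) since the old "promote an item to `active`" guidance it replaces was the entry point operators used.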