coulomb/railiance-apps
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

RAILIANCE-WP-0002 T05+T06 done: vergabe-teilnahme is live at https://vergabe-teilnahme.whywhynot.de

Browse Source 
Thin Helm chart in charts/vergabe-teilnahme (Deployment + Service), plain values overlay in helm/vergabe-teilnahme-values.yaml, ingress + cert-manager TLS in manifests/vergabe-teilnahme-ingress.yaml. Makefile targets vergabe-dry-run|deploy|ingress-deploy|status|migrate|seed|superuser|logs. Secrets stay in K8s (vergabe-app-credentials + vergabe-teilnahme-env) — no SOPS needed.

Live: pod Running 1/1, /health/ 200 ok, /ausschreibungen/dashboard/ renders Übersicht, /admin/login/ renders Django admin (German). cert-manager issued vergabe-teilnahme-tls in ~35s.

Workplan T07 (migrate+seed+smoke) marked in_progress; migrate completed inline (10+ apps migrated) so the dashboard would render.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Bernd Worsch
2026-05-19 19:46:49 +02:00
parent 6658d0c7e1
commit 962c5a1b36
9 changed files with 338 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
workplans/railiance-apps-WP-0002-vergabe-teilnahme-on-railiance01.md
View File

@@ -394,7 +394,7 @@ credentials — returns `vergabe | vergabe_db | PostgreSQL 16.13`.
```task
id: RAILIANCE-WP-0002-T05
status: todo
status: done
priority: high
state_hub_task_id: "29ba6add-6f23-4053-acb9-9d7efa0b3881"
```
@@ -424,13 +424,40 @@ Deliverables:
**Done when:** `make vergabe-deploy` renders cleanly with `--dry-run`
and produces no plaintext secrets in the rendered manifest source.
**Done (2026-05-19):**
- Chart approach: thin in-repo chart `charts/vergabe-teilnahme/` rather
than SOPS-encrypted values, because the only sensitive material
(`SECRET_KEY`, `DATABASE_URL`) lives in K8s Secrets (cnpg's
`vergabe-app-credentials` + the assembled `vergabe-teilnahme-env`),
not in Helm values. `helm/vergabe-teilnahme-values.yaml` is therefore
plain YAML — image tag, hostnames, no secrets.
- `make vergabe-dry-run` renders 2 objects (Deployment + Service);
`grep -iE 'SECRET_KEY=|DATABASE_URL=|password'` returns empty.
- Deploy revision 2 is live: pod Running 1/1, probes green. The
HTTP-probe `httpGet.httpHeaders[Host]` is set to the public hostname
so Django's `ALLOWED_HOSTS` check passes for kube-probe (the v1
fix took one iteration — earlier attempts failed liveness with HTTP
400 because the probe sent `Host: 10.42.x.x:8000`).
- `Makefile` targets added: `vergabe-dry-run`, `vergabe-deploy`,
`vergabe-ingress-deploy`, `vergabe-status`, `vergabe-migrate`,
`vergabe-seed`, `vergabe-superuser`, `vergabe-logs`.
**Lesson recorded:** the base64-generated bootstrap password contains
`=`, `+`, `/`; embedding it raw in `DATABASE_URL` confuses
`dj-database-url` (it parses `:password@host:5432/db` and the `=`
broke the DB name into 80 characters). The Secret now stores a
URL-encoded password inside `DATABASE_URL` while the raw password
remains in `vergabe-app-credentials.password`. Future apps should
either URL-encode at Secret-build time or use individual env vars.
---
### T06 — DNS, ingress, and TLS for vergabe-teilnahme.whywhynot.de
```task
id: RAILIANCE-WP-0002-T06
status: in_progress
status: done
priority: high
state_hub_task_id: "8e673ee6-5338-4eb5-8973-a1818b4dc7f5"
```
@@ -464,10 +491,14 @@ certificate chain validates from outside the cluster.
(TTL 3600; served authoritatively by `ns1126.ui-dns.*`).
- ✅ Traefik routing reaches the cluster: HTTP probe returns 404 — the
expected pre-state because no Ingress rule matches the host yet.
- `manifests/vergabe-teilnahme-ingress.yaml` — not yet created (waits
on T05's Service to point at; creating the ingress before the backend
Service exists would waste a Let's Encrypt issuance attempt).
- ⏳ `vergabe-teilnahme-tls` Secret — pending ingress.
- `manifests/vergabe-teilnahme-ingress.yaml` committed; Traefik +
cert-manager letsencrypt-prod.
- ✅ `vergabe-teilnahme-tls` issued by cert-manager in ~35s (HTTP-01).
- ✅ External HTTPS probes: `/health/` returns 200 `{"status":"ok"}`;
`/` redirects (302) to `/ausschreibungen/dashboard/` which renders
`<title>Übersicht</title>` (German UI); `/admin/login/` shows the
German Django admin login page. `curl` reports
`SSL verify_result: 0` (trusted chain).
---
@@ -475,7 +506,7 @@ certificate chain validates from outside the cluster.
```task
id: RAILIANCE-WP-0002-T07
status: todo
status: in_progress
priority: high
state_hub_task_id: "be1decb5-b734-4312-b98d-20ed5299d02c"
```