Handle app deployment guardrail suggestions

Makefile

@@ -18,11 +18,20 @@ INTER_HUB_RELEASE   ?= inter-hub
 INTER_HUB_NAMESPACE ?= inter-hub
 INTER_HUB_CHART     ?= charts/inter-hub
 INTER_HUB_VALUES    ?= helm/inter-hub-values.yaml
+INTER_HUB_IMAGE_TAG ?=
+INTER_HUB_BASE_URL  ?= https://hub.coulomb.social
 
 REUSE_RELEASE   ?= reuse
 REUSE_NAMESPACE ?= reuse
 REUSE_CHART     ?= charts/reuse-surface
 REUSE_VALUES    ?= helm/reuse-surface-values.yaml
+REUSE_URL       ?= https://reuse.coulomb.social
+REUSE_CERTIFICATE ?= reuse-surface-tls
+
+RAILIANCE01_KUBECONFIG ?= $(HOME)/.kube/config-hosteurope
+INTER_HUB_KUBECONFIG ?= $(RAILIANCE01_KUBECONFIG)
+REUSE_KUBECONFIG ?= $(RAILIANCE01_KUBECONFIG)
+INTER_HUB_IMAGE_SET_ARG = $(if $(strip $(INTER_HUB_IMAGE_TAG)),--set image.tag=$(INTER_HUB_IMAGE_TAG),)
 
 SOPS_SENTINEL ?=
 DRY_RUN_CREATE_NAMESPACES ?= false
@@ -47,6 +56,21 @@ apps-pg-status: ## Check the shared apps-pg cnpg cluster
 		kubectl get pods -n databases -l cnpg.io/cluster=apps-pg; \
 	fi
 
+check-railiance01-kubeconfig: ## Verify Railiance01 production kubeconfig exists
+	@test -r "$(RAILIANCE01_KUBECONFIG)" || { \
+		echo "Missing Railiance01 kubeconfig: $(RAILIANCE01_KUBECONFIG)" >&2; \
+		echo "Restore it with:" >&2; \
+		echo "  ssh tegwick@92.205.62.239 'sudo cat /etc/rancher/k3s/k3s.yaml' | sed 's|127.0.0.1|92.205.62.239|' > $(RAILIANCE01_KUBECONFIG)" >&2; \
+		exit 1; \
+	}
+
+check-inter-hub-image-tag: ## Require an explicit inter-hub image tag for production deploys
+	@test -n "$(INTER_HUB_IMAGE_TAG)" || { \
+		echo "Set INTER_HUB_IMAGE_TAG=<sha> for inter-hub production deploys." >&2; \
+		echo "Example: INTER_HUB_IMAGE_TAG=91037a4 make inter-hub-deploy" >&2; \
+		exit 1; \
+	}
+
 ##@ Vergabe Teilnahme
 
 vergabe-dry-run: ## helm template render (no apply) for inspection
@@ -89,39 +113,66 @@ vergabe-db-url-secret: ## Rebuild DATABASE_URL with a URL-encoded cnpg password
 
 ##@ Inter-Hub
 
-inter-hub-dry-run: ## helm template render (no apply) for inter-hub
-	helm template $(INTER_HUB_RELEASE) $(INTER_HUB_CHART) \
+inter-hub-dry-run: check-railiance01-kubeconfig ## helm template render (no apply) for inter-hub
+	KUBECONFIG="$(INTER_HUB_KUBECONFIG)" helm template $(INTER_HUB_RELEASE) $(INTER_HUB_CHART) \
 		--namespace $(INTER_HUB_NAMESPACE) \
-		-f $(INTER_HUB_VALUES)
+		-f $(INTER_HUB_VALUES) $(INTER_HUB_IMAGE_SET_ARG)
 
-inter-hub-deploy: ## Deploy / upgrade inter-hub Helm release
-	helm upgrade --install $(INTER_HUB_RELEASE) $(INTER_HUB_CHART) \
+inter-hub-deploy: check-railiance01-kubeconfig check-inter-hub-image-tag ## Deploy / upgrade inter-hub Helm release on Railiance01
+	KUBECONFIG="$(INTER_HUB_KUBECONFIG)" helm upgrade --install $(INTER_HUB_RELEASE) $(INTER_HUB_CHART) \
 		--namespace $(INTER_HUB_NAMESPACE) --create-namespace \
-		-f $(INTER_HUB_VALUES) --wait --timeout 5m
+		-f $(INTER_HUB_VALUES) $(INTER_HUB_IMAGE_SET_ARG) --wait --timeout 5m
 
-inter-hub-status: ## Show inter-hub pod / svc / ingress / cert state
-	kubectl get pods,svc,ingress,certificate -n $(INTER_HUB_NAMESPACE) -l app.kubernetes.io/instance=$(INTER_HUB_RELEASE) --ignore-not-found
+inter-hub-status: check-railiance01-kubeconfig ## Show inter-hub pod / svc / ingress / cert state on Railiance01
+	KUBECONFIG="$(INTER_HUB_KUBECONFIG)" kubectl get pods,svc,ingress,certificate -n $(INTER_HUB_NAMESPACE) -l app=$(INTER_HUB_RELEASE) --ignore-not-found
 
-inter-hub-logs: ## Tail inter-hub app logs
-	kubectl logs -n $(INTER_HUB_NAMESPACE) -l app.kubernetes.io/instance=$(INTER_HUB_RELEASE) -f --tail=50
+inter-hub-release-info: check-railiance01-kubeconfig ## Show inter-hub Helm history, values, deployment, and pods
+	KUBECONFIG="$(INTER_HUB_KUBECONFIG)" helm history $(INTER_HUB_RELEASE) -n $(INTER_HUB_NAMESPACE)
+	KUBECONFIG="$(INTER_HUB_KUBECONFIG)" helm get values $(INTER_HUB_RELEASE) -n $(INTER_HUB_NAMESPACE)
+	KUBECONFIG="$(INTER_HUB_KUBECONFIG)" kubectl describe deploy/$(INTER_HUB_RELEASE) -n $(INTER_HUB_NAMESPACE)
+	KUBECONFIG="$(INTER_HUB_KUBECONFIG)" kubectl get pods -n $(INTER_HUB_NAMESPACE) -o wide
+
+inter-hub-smoke: ## Verify public inter-hub v2 route and OpenAPI surface after rollout
+	@status="$$(curl -sS -o /tmp/inter-hub-api-v2-hubs.body -w "%{http_code}" "$(INTER_HUB_BASE_URL)/api/v2/hubs")"; \
+	if [ "$$status" != "401" ]; then \
+		echo "expected $(INTER_HUB_BASE_URL)/api/v2/hubs to return 401, got $$status" >&2; \
+		cat /tmp/inter-hub-api-v2-hubs.body >&2; \
+		exit 1; \
+	fi; \
+	echo "ok: /api/v2/hubs returned 401"
+	@tmp="$$(mktemp)"; \
+	trap 'rm -f "$$tmp"' EXIT; \
+	curl -fsS "$(INTER_HUB_BASE_URL)/openapi.json" > "$$tmp"; \
+	for route in /hubs /hub-capability-manifests /api-consumers /policy-scopes; do \
+		grep -q "$$route" "$$tmp" || { echo "missing OpenAPI route: $$route" >&2; exit 1; }; \
+	done; \
+	echo "ok: OpenAPI lists expected v2 resources"
+
+inter-hub-logs: check-railiance01-kubeconfig ## Tail inter-hub app logs from Railiance01
+	KUBECONFIG="$(INTER_HUB_KUBECONFIG)" kubectl logs -n $(INTER_HUB_NAMESPACE) -l app=$(INTER_HUB_RELEASE) -f --tail=50
 
 ##@ reuse-surface (reuse.coulomb.social)
 
-reuse-dry-run: ## helm template render (no apply) for reuse-surface
-	helm template $(REUSE_RELEASE) $(REUSE_CHART) \
+reuse-dry-run: check-railiance01-kubeconfig ## helm template render (no apply) for reuse-surface
+	KUBECONFIG="$(REUSE_KUBECONFIG)" helm template $(REUSE_RELEASE) $(REUSE_CHART) \
 		--namespace $(REUSE_NAMESPACE) \
 		-f $(REUSE_VALUES)
 
-reuse-deploy: ## Deploy / upgrade reuse-surface Helm release
-	helm upgrade --install $(REUSE_RELEASE) $(REUSE_CHART) \
+reuse-deploy: check-railiance01-kubeconfig ## Deploy / upgrade reuse-surface Helm release on Railiance01
+	KUBECONFIG="$(REUSE_KUBECONFIG)" helm upgrade --install $(REUSE_RELEASE) $(REUSE_CHART) \
 		--namespace $(REUSE_NAMESPACE) --create-namespace \
 		-f $(REUSE_VALUES) --wait --timeout 5m
 
-reuse-status: ## Show reuse-surface pod / svc / ingress / cert state
-	kubectl get pods,svc,ingress,pvc,certificate -n $(REUSE_NAMESPACE) -l app.kubernetes.io/instance=$(REUSE_RELEASE) --ignore-not-found
+reuse-status: check-railiance01-kubeconfig ## Show reuse-surface pod / svc / ingress / cert state on Railiance01
+	KUBECONFIG="$(REUSE_KUBECONFIG)" kubectl get pods,svc,ingress,pvc,certificate -n $(REUSE_NAMESPACE) -l app.kubernetes.io/instance=$(REUSE_RELEASE) --ignore-not-found
 
-reuse-logs: ## Tail reuse-surface service logs
-	kubectl logs -n $(REUSE_NAMESPACE) -l app.kubernetes.io/instance=$(REUSE_RELEASE) -f --tail=50
+reuse-smoke: check-railiance01-kubeconfig ## Verify reuse public health, repo list, and TLS certificate readiness
+	curl -fsS "$(REUSE_URL)/health"
+	curl -fsS "$(REUSE_URL)/v1/repos"
+	KUBECONFIG="$(REUSE_KUBECONFIG)" kubectl wait -n $(REUSE_NAMESPACE) --for=condition=Ready certificate/$(REUSE_CERTIFICATE) --timeout=30s
+
+reuse-logs: check-railiance01-kubeconfig ## Tail reuse-surface service logs from Railiance01
+	KUBECONFIG="$(REUSE_KUBECONFIG)" kubectl logs -n $(REUSE_NAMESPACE) -l app.kubernetes.io/instance=$(REUSE_RELEASE) -f --tail=50
 
 ##@ Help
 
@@ -130,4 +181,4 @@ help: ## Show this help
 	  /^[a-zA-Z0-9_-]+:.*?##/ { printf "  \033[36m%-20s\033[0m %s\n", $$1, $$2 } \
 	  /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) }' $(MAKEFILE_LIST)
 
-.PHONY: check-tools check-sops k8s-server-dry-run apps-pg-status vergabe-dry-run vergabe-deploy vergabe-ingress-deploy vergabe-status vergabe-migrate vergabe-seed vergabe-superuser vergabe-logs vergabe-db-url-secret inter-hub-dry-run inter-hub-deploy inter-hub-status inter-hub-logs reuse-dry-run reuse-deploy reuse-status reuse-logs help
+.PHONY: check-tools check-sops k8s-server-dry-run apps-pg-status check-railiance01-kubeconfig check-inter-hub-image-tag vergabe-dry-run vergabe-deploy vergabe-ingress-deploy vergabe-status vergabe-migrate vergabe-seed vergabe-superuser vergabe-logs vergabe-db-url-secret inter-hub-dry-run inter-hub-deploy inter-hub-status inter-hub-release-info inter-hub-smoke inter-hub-logs reuse-dry-run reuse-deploy reuse-status reuse-smoke reuse-logs help