Handle app deployment guardrail suggestions

2026-06-15 22:07:03 +02:00
parent a1a1016b84
commit c7d49d3102
12 changed files with 303 additions and 43 deletions
--- a/docs/inter-hub-on-railiance01.md
+++ b/docs/inter-hub-on-railiance01.md
@@ -0,0 +1,110 @@
+# inter-hub on railiance01
+
+Interaction Hub deployment for **`https://hub.coulomb.social`**.
+
+Companion source repo: `coulomb/inter-hub`. This repo owns the Railiance app
+Helm surface and operator targets, not the runtime application code.
+
+## Hosts and release surface
+
+| Server | IP | Role |
+|---|---|---|
+| Railiance01 | `92.205.62.239` | Production k3s; deploy S5 apps here |
+| CoulombCore | `92.205.130.254` | Bootstrap / prerelease only |
+
+| Item | Value |
+|---|---|
+| Namespace | `inter-hub` |
+| Helm release | `inter-hub` |
+| Chart | `charts/inter-hub` |
+| Values | `helm/inter-hub-values.yaml` |
+| Image | `gitea.coulomb.social/coulomb/inter-hub:<tag>` |
+| Secret | `inter-hub-env` |
+| Production kubeconfig | `~/.kube/config-hosteurope` |
+
+## Current evidence
+
+Read-only checks on 2026-06-15 showed:
+
+- Helm release `inter-hub` revision 2 is deployed in namespace `inter-hub`.
+- `helm get values` reports `image.tag: 11ff61c`,
+  `image.pullPolicy: Always`, and `runMigrations: false`.
+- The live Deployment image is
+  `92.205.130.254:32166/coulomb/inter-hub:790b5e5`, so production image state
+  has drifted from Helm values and from this repo's desired Gitea registry
+  target.
+- The pod is Running and `certificate/inter-hub-tls` is Ready on Railiance01.
+- `GET https://hub.coulomb.social/api/v2/hubs` returned `200` unauthenticated,
+  proving the route is present but not satisfying the expected `401` auth gate.
+- `/openapi.json`, `/api/openapi.json`, `/swagger.json`, and
+  `/api/swagger.json` returned `404`; the public OpenAPI route still needs to
+  be confirmed by the upstream inter-hub owner.
+
+## Deploy
+
+Use the Railiance01 kubeconfig. The Makefile defaults to
+`~/.kube/config-hosteurope` and fails fast when it is missing.
+
+```bash
+make inter-hub-dry-run
+INTER_HUB_IMAGE_TAG=91037a4 make inter-hub-deploy
+make inter-hub-status
+```
+
+Deploy automation should pass the image tag without rewriting
+`helm/inter-hub-values.yaml`. The production deploy target requires this
+explicit tag:
+
+```bash
+INTER_HUB_IMAGE_TAG=91037a4 make inter-hub-deploy
+```
+
+Use a tag at or after the commit that contains the required v2 bootstrap API
+routes. The upstream inter-hub workplan names `91037a4` as the first expected
+tag for the IHUB-WP-0019 route surface; verify the actual registry tag before
+announcing rollout.
+
+## Release verification
+
+```bash
+make inter-hub-release-info
+```
+
+This wraps the required non-secret inspection commands:
+
+```bash
+helm history inter-hub -n inter-hub
+helm get values inter-hub -n inter-hub
+kubectl describe deploy/inter-hub -n inter-hub
+kubectl get pods -n inter-hub -o wide
+```
+
+Confirm the rendered deployment uses the intended immutable image tag and does
+not rely on a stale `latest` image.
+
+The chart intentionally keeps the legacy Deployment and Service selector
+`app=inter-hub` because the live Helm release was created with that selector.
+Kubernetes treats Deployment selectors as immutable; do not change this
+selector during a normal in-place production upgrade.
+
+## Migration boundary
+
+The Railiance app chart currently does **not** run inter-hub database
+migrations. Treat migration execution as an upstream inter-hub operator step
+and record the evidence before closing a production rollout. Do not describe
+migrations as automatic unless the chart grows an explicit init job/container
+or another committed migration mechanism.
+
+## Smoke checks
+
+After rollout, the unauthenticated v2 API gate should be present:
+
+```bash
+make inter-hub-smoke
+```
+
+Expected results:
+
+- `GET https://hub.coulomb.social/api/v2/hubs` returns `401`, not `404`.
+- OpenAPI lists `/hubs`, `/hub-capability-manifests`, `/api-consumers`, and
+  `/policy-scopes`.
--- a/docs/operator-setup.md
+++ b/docs/operator-setup.md
@@ -19,6 +19,7 @@ SOPS_SENTINEL=<encrypted-file> make check-sops
 - `helm`
 - `sops`
 - `python3`
+- `curl`

 Install the CNPG plugin for better database diagnostics:

@@ -31,6 +32,44 @@ kubectl krew install cnpg
 plain Kubernetes resources, but the plugin output is the preferred view
 for primary/replica health and backup state.

+## Production Cluster Kubeconfig
+
+S5 production app releases belong on **Railiance01**. CoulombCore may still
+host bootstrap or prerelease services, so do not rely on the workstation's
+ambient `kubectl` context for production app deploys.
+
+| Name | IP | Role |
+|---|---|---|
+| Railiance01 | `92.205.62.239` | Production k3s; deploy S5 apps here |
+| CoulombCore | `92.205.130.254` | Bootstrap / prerelease only |
+
+| Hostname | Production DNS A | Notes |
+|---|---|---|
+| `reuse.coulomb.social` | `92.205.62.239` | Production reuse-surface hub |
+| `hub.coulomb.social` | `92.205.62.239` | Target production inter-hub host; bootstrap may still point at CoulombCore until cutover |
+
+The production Makefile targets default to:
+
+```text
+~/.kube/config-hosteurope
+```
+
+Restore it from Railiance01 when missing:
+
+```bash
+ssh tegwick@92.205.62.239 'sudo cat /etc/rancher/k3s/k3s.yaml' \
+  | sed 's|127.0.0.1|92.205.62.239|' > ~/.kube/config-hosteurope
+chmod 600 ~/.kube/config-hosteurope
+export KUBECONFIG=~/.kube/config-hosteurope
+```
+
+The app-specific targets also accept explicit overrides:
+
+```bash
+REUSE_KUBECONFIG=~/.kube/config-hosteurope make reuse-status
+INTER_HUB_KUBECONFIG=~/.kube/config-hosteurope make inter-hub-status
+```
+
 ## SOPS Age Key Bootstrap

 SOPS-encrypted values used by app release work expect an age identity at:
--- a/docs/reuse-surface-on-railiance01.md
+++ b/docs/reuse-surface-on-railiance01.md
@@ -18,14 +18,15 @@ Companion workplans: **RAILIANCE-WP-0007** (Helm release), **REUSE-WP-0011**
 | `hub.coulomb.social` A | `92.205.62.239` (future) | `92.205.130.254` (CoulombCore bootstrap OK for now) |

 Let's Encrypt HTTP-01 on Railiance01 requires the public A record to reach
-**`92.205.62.239`**. Service is live on the production cluster; TLS waits on DNS.
+**`92.205.62.239`**. Service and TLS are live on the production cluster.

 ```bash
 dig +short reuse.coulomb.social A
 KUBECONFIG=~/.kube/config-hosteurope kubectl get certificate -n reuse
 ```

-Until DNS propagates and `certificate/reuse-surface-tls` is Ready:
+If DNS is being changed in the future, use an explicit resolve only during
+propagation:

 ```bash
 curl -k --resolve reuse.coulomb.social:443:92.205.62.239 https://reuse.coulomb.social/health
@@ -63,8 +64,8 @@ links to `/health`, `/v1/federated`, and this operator runbook. It must not
 include `REUSE_SURFACE_TOKEN` or any other runtime secret.

 Rollback: set `landing.enabled: false` in `helm/reuse-surface-values.yaml` and
-run `KUBECONFIG=~/.kube/config-hosteurope make reuse-deploy`; the ingress will
-return to routing all `/` traffic to the API service.
+run `make reuse-deploy`; the ingress will return to routing all `/` traffic to
+the API service.

 ## Deploy

@@ -77,9 +78,9 @@ kubectl create secret generic reuse-surface-env \
  --from-literal=REUSE_SURFACE_TOKEN='<token>' \
  --dry-run=client -o yaml | kubectl apply -f -

-# Production (Railiance01)
-KUBECONFIG=~/.kube/config-hosteurope make reuse-deploy
-KUBECONFIG=~/.kube/config-hosteurope make reuse-status
+# Production (Railiance01, defaults to ~/.kube/config-hosteurope)
+make reuse-deploy
+make reuse-status

 # Restore kubeconfig from the node if missing:
 # ssh tegwick@92.205.62.239 'sudo cat /etc/rancher/k3s/k3s.yaml' \
@@ -89,14 +90,15 @@ KUBECONFIG=~/.kube/config-hosteurope make reuse-status
 ## Smoke checks

 ```bash
+make reuse-smoke
 curl -I http://reuse.coulomb.social/
-curl -k --resolve reuse.coulomb.social:443:92.205.62.239 https://reuse.coulomb.social/
-curl -k --resolve reuse.coulomb.social:443:92.205.62.239 https://reuse.coulomb.social/health
-curl -k --resolve reuse.coulomb.social:443:92.205.62.239 https://reuse.coulomb.social/v1/federated
+curl -fsS https://reuse.coulomb.social/
+curl -fsS https://reuse.coulomb.social/health
+curl -fsS https://reuse.coulomb.social/v1/federated

-export REUSE_SURFACE_TOKEN=$(KUBECONFIG=~/.kube/config-hosteurope kubectl get secret reuse-surface-env -n reuse \
+export REUSE_SURFACE_TOKEN=$(kubectl --kubeconfig ~/.kube/config-hosteurope get secret reuse-surface-env -n reuse \
  -o jsonpath='{.data.REUSE_SURFACE_TOKEN}' | base64 -d)
-export REUSE_SURFACE_URL=https://reuse.coulomb.social   # after DNS + TLS Ready
+export REUSE_SURFACE_URL=https://reuse.coulomb.social
 reuse-surface hub status
 reuse-surface hub list
 curl -fsS "$REUSE_SURFACE_URL/v1/federated" | jq '.capabilities | length'
@@ -116,7 +118,7 @@ Image promotion: build from `coulomb/reuse-surface`, push to Gitea OCI, update
 `helm/reuse-surface-values.yaml` `image.tag`, then:

 ```bash
-KUBECONFIG=~/.kube/config-hosteurope make reuse-deploy
+make reuse-deploy
 ```

 Bootstrap copy on CoulombCore (`92.205.130.254`) was removed 2026-06-15 — use