A record now resolves to 92.205.130.254 (Traefik LB). HTTP probe
reaches Traefik and returns 404 as expected (no Ingress rule yet).
Ingress + cert-manager TLS will be created together with the backing
Service from T05 to avoid wasting a Let's Encrypt issuance attempt.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

issue-facade was renamed to issue-core upstream; vergabe-teilnahme
was rewired (commit 17f511f). Multi-stage Dockerfile shipped in
vergabe-teilnahme commit 483a4df. Smoke test passed: container
healthy, /health/ returns 200.
T03 next, but still blocked on the Gitea package-capable PAT
(same blocker as RAIL-AP-WP-0001-T04).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

uv sync in /home/worsch/vergabe-teilnahme fails because
universal-issue-tracker @ file:///home/worsch/issue-facade points at
an empty directory (only .claude/ remains). The container build
cannot proceed until the upstream dep resolves cleanly.
Documented three resolution options in the workplan; pausing T02
pending an upstream fix.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

T01 inventory:
- No shared cnpg cluster exists; gitea-db (PG18) and net-kingdom-pg (PG16)
are app-dedicated in namespace 'databases'.
- Gitea OCI registry reachable at gitea.coulomb.social/v2 (HEAD → 405,
TLS valid; cert default/gitea-tls ready 3d).
- Traefik LB IP = 92.205.130.254.
- whywhynot.de zone hosted at IONOS (ui-dns.*); A record currently
217.160.0.212. DNS change is a manual step in the IONOS console.
- cert-manager letsencrypt-prod ClusterIssuer healthy.
D-01 resolved: Option D — railiance-platform will provision a new
shared cnpg cluster 'apps-pg' (PG 16). T04 (vergabe role+db) is now
blocked on that cluster reaching healthy state. Coordination message
sent to railiance-platform.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

8-task plan to deploy vergabe-teilnahme as a Helm release at
vergabe-teilnahme.whywhynot.de with image from gitea.coulomb.social
and a dedicated role on the shared cnpg cluster.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Restores the newer local gitea-values.sops.yaml (2026-03-27) over the
upstream scaffold (2026-03-10). Adds database, cache, session, and queue
sections pointing to external PostgreSQL/Valkey (S3 platform services),
and disables bundled postgresql/redis/valkey sub-charts.
Also adds .sops.yaml encryption policy for railiance-apps.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Receive gitea-values.sops.yaml from railiance-cluster — S5 now
owns the Gitea deployment lifecycle per ADR-003 boundary rules.
Add gitea-deploy and gitea-status Makefile targets. Update
SCOPE.md to reflect boundary violation resolved.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

PGPool default 250m CPU request was causing scheduling failures on the
single-node COULOMBCORE cluster (2 vCPU, 98% allocated). Reduced to
100m request / 200m limit — safe for a lightweight connection pooler.
See INC-001: the-custodian/ops/incidents/2026-03-25-gitea-pgpool-crashloop.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>