T07 smoke: migrate all apps; /health/ 200, /ausschreibungen/dashboard/ Übersicht, /admin/login/ Anmelden, static assets (Tailwind, Alpine, htmx, Django admin) all 200. Auth-required smoke and createsuperuser deferred to the operator (interactive credentials not safe through this session); seed_dev deliberately skipped (hardcoded dev user). T08 runbook in docs/vergabe-teilnahme.md: identity, secret rotation recipes, day-to-day make targets, image promotion + rollback, troubleshooting, deferred backup posture, cross-refs.
Workplan status: finished. vergabe-teilnahme is the second S5 application on railiance01 (after Gitea).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
7 items surfaced during RAILIANCE-WP-0002 (vergabe-teilnahme launch): URL-encoding DB passwords at Secret-build time, Django+kube-probe Host-header pattern, publishing issue-core to a Gitea PyPI registry to remove the BuildKit --build-context dependency, kubectl cnpg plugin + SOPS/age in operator onboarding, CI guard against stale yaml vs live CRD drift, and persistent-pod smoke pattern over kubectl run --rm.
Status backlog; pick up individually before the second S5 app onboards.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Platform (railiance-platform 017934d) added managed role 'vergabe' and Database CR vergabe-db owning vergabe_db. Apps side: created vergabe-teilnahme namespace, labeled it railiance.io/postgres-client=apps-pg, mirrored the credential Secret so T05 can wire DSN postgresql://vergabe:.../apps-pg-rw.databases:5432/vergabe_db into Helm values. End-to-end psql confirmed PostgreSQL 16.13.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
apps-pg cluster now has a draft workplan in railiance-platform
(RAILIANCE-WP-0003, workstream 665b3b9b). Adds the consumer recipe
inline so this workplan is self-contained once the platform cluster
goes healthy.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Used the GITEA_API_TOKEN env (token owner: tegwick) to log in to
gitea.coulomb.social and push state-hub:local as
gitea.coulomb.social/coulomb/state-hub:{6186a99,latest}.
Image digest:
sha256:039d29654ccb3754c6ecdbe497c6364bbd8452edcdcb7fa937dd9debf5b734ff
Verified cluster-side pull via kubectl run; pod reached Running in
~5s with no imagePullSecret. The Gitea container registry is now
proven end-to-end for State Hub deployment.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Pushed gitea.coulomb.social/coulomb/vergabe-teilnahme:{483a4df,latest}
using the GITEA_API_TOKEN env (token owner: tegwick).
Image digest:
sha256:e9bbceb35b0239c835d339295a0ae1d2d8b6d08c02a7b4e992c0ecd37de86d7a
Cluster-side pull verified — pod reached Running in ~7s with no
imagePullSecret; the package is public by default, so T05's Helm
release will not need pull credentials wiring.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
A record now resolves to 92.205.130.254 (Traefik LB). HTTP probe
reaches Traefik and returns 404 as expected (no Ingress rule yet).
Ingress + cert-manager TLS will be created together with the backing
Service from T05 to avoid wasting a Let's Encrypt issuance attempt.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
issue-facade was renamed to issue-core upstream; vergabe-teilnahme
was rewired (commit 17f511f). Multi-stage Dockerfile shipped in
vergabe-teilnahme commit 483a4df. Smoke test passed: container
healthy, /health/ returns 200.
T03 next, but still blocked on the Gitea package-capable PAT
(same blocker as RAIL-AP-WP-0001-T04).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
uv sync in /home/worsch/vergabe-teilnahme fails because
universal-issue-tracker @ file:///home/worsch/issue-facade points at
an empty directory (only .claude/ remains). The container build
cannot proceed until the upstream dep resolves cleanly.
Documented three resolution options in the workplan; pausing T02
pending an upstream fix.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
T01 inventory:
- No shared cnpg cluster exists; gitea-db (PG18) and net-kingdom-pg (PG16)
are app-dedicated in namespace 'databases'.
- Gitea OCI registry reachable at gitea.coulomb.social/v2 (HEAD → 405,
TLS valid; cert default/gitea-tls ready 3d).
- Traefik LB IP = 92.205.130.254.
- whywhynot.de zone hosted at IONOS (ui-dns.*); A record currently
217.160.0.212. DNS change is a manual step in the IONOS console.
- cert-manager letsencrypt-prod ClusterIssuer healthy.
D-01 resolved: Option D — railiance-platform will provision a new
shared cnpg cluster 'apps-pg' (PG 16). T04 (vergabe role+db) is now
blocked on that cluster reaching healthy state. Coordination message
sent to railiance-platform.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
8-task plan to deploy vergabe-teilnahme as a Helm release at
vergabe-teilnahme.whywhynot.de with image from gitea.coulomb.social
and a dedicated role on the shared cnpg cluster.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Restores the newer local gitea-values.sops.yaml (2026-03-27) over the
upstream scaffold (2026-03-10). Adds database, cache, session, and queue
sections pointing to external PostgreSQL/Valkey (S3 platform services),
and disables bundled postgresql/redis/valkey sub-charts.
Also adds .sops.yaml encryption policy for railiance-apps.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Receive gitea-values.sops.yaml from railiance-cluster — S5 now
owns the Gitea deployment lifecycle per ADR-003 boundary rules.
Add gitea-deploy and gitea-status Makefile targets. Update
SCOPE.md to reflect boundary violation resolved.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
PGPool default 250m CPU request was causing scheduling failures on the
single-node COULOMBCORE cluster (2 vCPU, 98% allocated). Reduced to
100m request / 200m limit — safe for a lightweight connection pooler.
See INC-001: the-custodian/ops/incidents/2026-03-25-gitea-pgpool-crashloop.md
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
