# Operator Recipes

## Service-IP Smoke Checks

Avoid one-shot `kubectl run --rm -i` probes for service connectivity. The container can exit before the connection result is reliable, which creates false negatives during rollout debugging.

Use a persistent pod, wait for readiness, then exec the probe:

```bash
NAMESPACE=vergabe-teilnahme \
  tools/smoke-service.sh http://vergabe-teilnahme.vergabe-teilnahme.svc/health/
```

Reuse the same pod for a debugging session:

```bash
NAMESPACE=vergabe-teilnahme POD_NAME=service-smoke \
  tools/smoke-service.sh http://vergabe-teilnahme.vergabe-teilnahme.svc/health/
```

Clean it up when finished:

```bash
kubectl delete pod service-smoke -n vergabe-teilnahme
```

Or set `CLEANUP=true` for a single checked run.

## Manifest Server Dry-Run

Schema drift in live CRDs is caught by server-side dry-run, not by Helm rendering alone:

```bash
make k8s-server-dry-run
```

The command expects a representative Kubernetes API server with the same APIs, CRDs, admission webhooks, ingress posture, and cert-manager posture as the Railiance cluster.

The CI workflow sets `DRY_RUN_CREATE_NAMESPACES=true`, which creates the app namespace before server-side dry-run so namespaced resources can validate. Use that mode only against a disposable or approved representative cluster.

See `docs/manifest-server-dry-run.md` for runner, credential, and failure classification rules.
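
The persistent-pod flow from the Service-IP Smoke Checks recipe (start a long-lived pod, wait for Ready, then exec the probe), shown with plain `kubectl` as an added example; it is not the contents of `tools/smoke-service.sh`. The `curlimages/curl` image, the `sleep 3600` keep-alive, the timeouts, the exit codes and the `KUBECTL` override are assumptions; `NAMESPACE`, `POD_NAME` and `CLEANUP` mirror the variables named in that recipe.

```shell
#!/usr/bin/env bash
# Added illustration of the persistent-pod probe pattern.
# NOT the project's tools/smoke-service.sh; image, timeouts and exit codes are assumed.
# Usage: NAMESPACE=<ns> smoke_probe http://<service>.<ns>.svc/health/

# Overridable so the call sequence can be exercised without a cluster.
KUBECTL="${KUBECTL:-kubectl}"

smoke_probe() {
  local url="$1"
  local ns="${NAMESPACE:?set NAMESPACE}"
  local pod="${POD_NAME:-service-smoke}"
  local image="${SMOKE_IMAGE:-curlimages/curl}"   # assumed probe image
  local rc=0

  # Reuse the pod if it already exists; otherwise start one that stays alive.
  # A long sleep keeps the container running, unlike a one-shot `run --rm -i`.
  if ! "$KUBECTL" get pod "$pod" -n "$ns" >/dev/null 2>&1; then
    "$KUBECTL" run "$pod" -n "$ns" --image="$image" --restart=Never \
      --command -- sleep 3600 >/dev/null || return 2
  fi

  # Block until the pod is Ready, so a failure below reflects the service
  # and not pod scheduling, image pull or container startup.
  "$KUBECTL" wait pod "$pod" -n "$ns" --for=condition=Ready \
    --timeout=60s >/dev/null || return 3

  # Probe from inside the pod. --fail makes HTTP status >= 400 a non-zero exit.
  "$KUBECTL" exec "$pod" -n "$ns" -- \
    curl --fail --silent --show-error --max-time 10 -o /dev/null "$url" || rc=1

  # Optional single checked run: remove the pod whether the probe passed or not.
  if [ "${CLEANUP:-false}" = "true" ]; then
    "$KUBECTL" delete pod "$pod" -n "$ns" --wait=false >/dev/null
  fi
  return "$rc"
}
```

Exit code 1 means the probe itself failed, while 2 and 3 mean the pod could not be created or never became Ready, which keeps connectivity failures distinct from probe-pod failures.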