railiance-apps/workplans/RAILIANCE-WP-0007-reuse-surface-hub-on-railiance01.md
tegwick 3dfa75d789 Add RAILIANCE-WP-0007: reuse-surface hub Helm chart on railiance01
Companion to reuse-surface REUSE-WP-0011. Scaffold charts/reuse-surface-hub
with PVC, ingress template, values file, and Makefile deploy targets.
2026-06-15 08:48:16 +02:00


id: RAILIANCE-WP-0007
type: workplan
title: Deploy reuse-surface federation hub on railiance01
domain: railiance
repo: railiance-apps
status: active
owner: codex
topic_slug: railiance
created: 2026-06-15
updated: 2026-06-15

Deploy reuse-surface federation hub on railiance01

Companion to reuse-surface REUSE-WP-0011. Own the S5 Helm release, ingress, and operator targets for the federation hub service on production cluster node railiance01 (92.205.130.254).

Goal

Expose the helix_forge federation hub API at a stable TLS endpoint so repos can register capability index URLs via reuse-surface hub without per-machine sources.yaml maintenance.

Default hostname (confirm with operator): https://reuse-hub.whywhynot.de

Upstream dependency

Upstream | Workplan | Required artifact
Hub service + image | reuse-surface REUSE-WP-0011 | Container image gitea.coulomb.social/coulomb/reuse-surface-hub:<tag>, /health probe path

Do not deploy until REUSE-WP-0011-T04 publishes a buildable image and documents the required environment variables.

Placement

Follow the established inter-hub pattern in this repo:

  • charts/reuse-surface-hub/ — Helm chart (Deployment, Service, Ingress, PVC)
  • helm/reuse-surface-hub-values.yaml — non-secret overrides (image tag, host)
  • SOPS secret handoff for REUSE_SURFACE_HUB_TOKEN (write token)
  • Makefile targets: reuse-hub-dry-run, reuse-hub-deploy, reuse-hub-status, reuse-hub-logs

Cross-repo coordination:

Concern | Owner
Application image and API | reuse-surface
Helm release and ingress | railiance-apps (this workplan)
OCI registry push | railiance-forge guidance + reuse-surface CI/docs
DNS A record | DNS owner of whywhynot.de
Traefik / cert-manager | railiance-cluster / railiance-platform (reuse)

Safety contract

  • Do not commit decrypted SOPS values or hub write tokens.
  • Pin image tags in helm/reuse-surface-hub-values.yaml; no :latest in production.
  • Use a dedicated namespace (default reuse-surface-hub).
  • PVC for SQLite data; document backup expectation in runbook.
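
A pre-commit style check for the first two rules of the safety contract, added here as an example and not part of the railiance-apps repo. It assumes the values file uses the common image.repository / image.tag layout and that the token sits under stringData in a SOPS-encrypted Secret manifest; all file contents below are constructed samples.

```python
import re

# Assumed layout: image.tag in the values file, token under stringData in the secret.
TAG_RE = re.compile(r'^[ \t]*tag:[ \t]*["\']?([^"\'#\s]*)', re.M)
TOKEN_RE = re.compile(r'^[ \t]*REUSE_SURFACE_HUB_TOKEN:[ \t]*(\S.*)$', re.M)

def check_values(text):
    """Findings against 'pin image tags; no :latest in production'."""
    findings = []
    tags = TAG_RE.findall(text)
    if not tags:
        findings.append("no image tag set")
    for tag in tags:
        if tag in ("", "latest"):
            findings.append(f"unpinned image tag: {tag or '<empty>'}")
    if re.search(r'^[ \t]*repository:[ \t]*\S+:latest\b', text, re.M):
        findings.append("repository carries :latest")
    return findings

def check_secret(text):
    """Findings against 'do not commit decrypted SOPS values or hub write tokens'."""
    findings = []
    # SOPS-encrypted YAML carries a top-level 'sops:' metadata key.
    if not re.search(r'^sops:[ \t]*$', text, re.M):
        findings.append("no sops metadata block")
    # Encrypted scalars are written as ENC[...]; anything else is plaintext.
    for value in TOKEN_RE.findall(text):
        if not value.strip('"\'').startswith("ENC["):
            findings.append("REUSE_SURFACE_HUB_TOKEN is plaintext")
    return findings

# Constructed sample file contents, not taken from the railiance-apps repo.
VALUES_OK = 'image:\n  repository: gitea.coulomb.social/coulomb/reuse-surface-hub\n  tag: "0.1.0"\n'
VALUES_BAD = VALUES_OK.replace('"0.1.0"', "latest")
SECRET_OK = (
    "stringData:\n"
    "    REUSE_SURFACE_HUB_TOKEN: ENC[AES256_GCM,data:Y29u,iv:c3Ry,tag:dWN0,type:str]\n"
    "sops:\n"
    "    version: 3.8.1\n"
)
SECRET_BAD = "stringData:\n  REUSE_SURFACE_HUB_TOKEN: constructed-plaintext-token\n"

if __name__ == "__main__":
    for name, result in [
        ("values ok", check_values(VALUES_OK)),
        ("values bad", check_values(VALUES_BAD)),
        ("secret ok", check_secret(SECRET_OK)),
        ("secret bad", check_secret(SECRET_BAD)),
    ]:
        print(f"{name}: {result or 'clean'}")
```

Run against the real files, a non-empty findings list is the signal to block the commit or the reuse-hub-deploy target.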

Scaffold Helm Chart For reuse-surface-hub

id: RAILIANCE-WP-0007-T01
status: done
priority: high

Create charts/reuse-surface-hub/ modeled on charts/inter-hub/ with:

  • Deployment exposing port 8000
  • ClusterIP Service
  • Optional PVC mount at /data for SQLite persistence
  • Ingress (Traefik + cert-manager) disabled by default until hostname confirmed
  • Probes targeting GET /health
  • envSecretName for hub token and optional config

Add Values, SOPS Template, And Makefile Targets

id: RAILIANCE-WP-0007-T02
status: done
priority: high

Add:

  • helm/reuse-surface-hub-values.yaml with image repository gitea.coulomb.social/coulomb/reuse-surface-hub and placeholder tag
  • Documented SOPS secret template path (mirror inter-hub-env pattern)
  • Makefile variables and targets: reuse-hub-dry-run, reuse-hub-deploy, reuse-hub-status, reuse-hub-logs

Configure Ingress And Hostname

id: RAILIANCE-WP-0007-T03
status: wait
priority: medium

Enable ingress in values with:

  • ingress.host: reuse-hub.whywhynot.de (or operator-confirmed host)
  • cert-manager.io/cluster-issuer: letsencrypt-prod
  • Traefik annotations matching vergabe-teilnahme / inter-hub

Blocked on: DNS A record and hostname approval.

Deploy Release To railiance01

id: RAILIANCE-WP-0007-T04
status: wait
priority: medium

When REUSE-WP-0011-T04 image is available:

  1. make reuse-hub-dry-run — inspect rendered manifests
  2. Apply SOPS secret for hub token
  3. make reuse-hub-deploy
  4. Confirm certificate issued and /health returns 200

Post-Deploy Verification And Runbook

id: RAILIANCE-WP-0007-T05
status: todo
priority: low

Add docs/reuse-surface-hub-on-railiance01.md with:

  • Namespace, release name, image promotion steps
  • Secret rotation notes
  • Smoke checks: reuse-surface hub status --hub-url https://reuse-hub.whywhynot.de
  • Link back to reuse-surface/docs/RegistryFederation.md