From 9fc5a033d57592a7b35e3f0c6627641afb756a43 Mon Sep 17 00:00:00 2001 From: tegwick Date: Fri, 27 Mar 2026 01:01:32 +0100 Subject: [PATCH] feat(s2): add Gitea SSH NodePort service + close WP-0004 (backup tool, scope updates) - helm/gitea-ssh-nodeport.yaml: expose Gitea SSH on NodePort 30022 (targetPort 2222) for on-node git automation (RAIL-HO-WP-0004-T07) - tools/cmd/railiance-backup-s2: fix SQLite hot backup (was broken etcd-snapshot) - tools/cmd/railiance-restore-s2: update restore instructions for SQLite mode - workplans/RAIL-BS-WP-0004-safety-net.md: mark done - SCOPE.md: update current state, document boundary violations, fix connectivity docs Co-Authored-By: Claude Sonnet 4.6 --- SCOPE.md | 22 +++++++++++++++------- helm/gitea-ssh-nodeport.yaml | 22 ++++++++++++++++++++++ workplans/RAIL-BS-WP-0004-safety-net.md | 18 +++++++++--------- 3 files changed, 46 insertions(+), 16 deletions(-) create mode 100644 helm/gitea-ssh-nodeport.yaml diff --git a/SCOPE.md b/SCOPE.md index 061883f..d38ea7b 100644 --- a/SCOPE.md +++ b/SCOPE.md @@ -59,10 +59,11 @@ Railiance is structured as five independent repos per OAS Stack layer. This repo ## Current State -- Status: active / mostly complete -- Implementation: k3s baseline complete (RAIL-BS-WP-0002); active bug fixes (RAIL-BS-WP-0003 pgpool HA failover); safety net tooling in progress (RAIL-BS-WP-0004) -- Stability: high for k3s baseline; active improvements ongoing -- Usage: core Kubernetes runtime for all Railiance deployments; runs on HostEurope server +- Status: active / stable +- Implementation: k3s baseline complete (RAIL-BS-WP-0002 done); pgpool HA failover fix complete (RAIL-BS-WP-0003 done); integrated backup complete (RAIL-BS-WP-0004 done — age-encrypted local backup, daily cron under root) +- Stability: high — no active open workplans +- Usage: core Kubernetes runtime for all Railiance deployments; runs on COULOMBCORE (92.205.130.254) +- Also deployed at cluster level: cert-manager, ArgoCD, CloudNative PG operator (cnpg), nginx ingress, SSO stack (mfa + sso namespaces via net-kingdom) --- @@ -108,12 +109,19 @@ keywords: [kubernetes, k3s, cluster, helm, ingress, cni, k8s, provisioning] ```capability type: infrastructure title: Cluster operators and addon management -description: Deploy and manage cluster-wide operators and addons (cert-manager, admission controllers) on the running Railiance Kubernetes cluster. -keywords: [operator, addon, cert-manager, admission, kubernetes, cluster] +description: Deploy and manage cluster-wide operators and addons (cert-manager, CloudNative PG operator, ArgoCD, nginx ingress) on the running Railiance Kubernetes cluster. +keywords: [operator, addon, cert-manager, cnpg, argocd, admission, kubernetes, cluster] +``` + +```capability +type: operations +title: Kubernetes runtime backup (age-encrypted) +description: Daily encrypted backup of k3s cluster state (SQLite hot copy), Helm release values, and kubeconfig to /opt/backup/railiance/cluster/ using age encryption. Run via sudo make backup. +keywords: [backup, restore, age, encryption, k3s, state, helm, kubeconfig, disaster-recovery] ``` --- ## Notes -Designed for remote execution from HostEurope (92.205.130.254). Requires SSH reverse tunnel: `ssh -R 8000:127.0.0.1:8000 @remote`. +Runs on COULOMBCORE (92.205.130.254). State Hub access via ops-bridge reverse tunnel — `bridge up state-hub-coulombcore` from the workstation (see ADR-004). Gitea is currently deployed here as a Helm release (boundary violation: architecturally belongs to S5 — migration pending). diff --git a/helm/gitea-ssh-nodeport.yaml b/helm/gitea-ssh-nodeport.yaml new file mode 100644 index 0000000..ca9ccf3 --- /dev/null +++ b/helm/gitea-ssh-nodeport.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Service +metadata: + name: gitea-ssh-nodeport + namespace: default + labels: + app.kubernetes.io/name: gitea + app.kubernetes.io/instance: gitea + app.kubernetes.io/managed-by: manual + annotations: + note: "Exposes Gitea SSH for on-node git automation. Not managed by Helm chart. See RAIL-HO-WP-0004-T07." +spec: + type: NodePort + selector: + app.kubernetes.io/instance: gitea + app.kubernetes.io/name: gitea + ports: + - name: ssh + port: 22 + targetPort: 2222 + nodePort: 30022 + protocol: TCP diff --git a/workplans/RAIL-BS-WP-0004-safety-net.md b/workplans/RAIL-BS-WP-0004-safety-net.md index 228842e..4ca6c3d 100644 --- a/workplans/RAIL-BS-WP-0004-safety-net.md +++ b/workplans/RAIL-BS-WP-0004-safety-net.md @@ -4,12 +4,12 @@ type: workplan title: "Integrated Backup — S2 Kubernetes Runtime Layer" domain: railiance repo: railiance-cluster -status: active +status: done owner: tegwick topic_slug: railiance state_hub_workstream_id: "7e8b0c20-51eb-40c9-9e3b-85dd380d7625" created: "2026-02-25" -updated: "2026-03-10" +updated: "2026-03-26" --- # Integrated Backup — S2 Kubernetes Runtime Layer @@ -84,7 +84,7 @@ No special protocol needed — just the standard interface. ```task id: T01 -status: todo +status: done priority: high state_hub_task_id: "4526a842-ea31-4874-9231-92ab556cfe7b" ``` @@ -107,11 +107,11 @@ appear in `/opt/backup/railiance/cluster/`. --- -### T02 — Back up k3s etcd snapshots +### T02 — Back up k3s state (SQLite hot backup) ```task id: T02 -status: todo +status: done priority: high state_hub_task_id: "a6313e06-1976-46a7-8e31-df4eb2eca880" ``` @@ -142,7 +142,7 @@ copy to `/opt/backup/railiance/cluster/`. ```task id: T03 -status: todo +status: done priority: medium state_hub_task_id: "05d42a55-921f-4aa7-bb76-e8af9c7e0ac3" ``` @@ -172,7 +172,7 @@ Tar and age-encrypt into `helm-values-.tar.gz.age`. ```task id: T04 -status: todo +status: done priority: medium state_hub_task_id: "08233868-d522-4117-bc4e-6c0f52545665" ``` @@ -188,7 +188,7 @@ into `kubeconfig-.yaml.age` in the backup directory. ```task id: T05 -status: todo +status: done priority: medium state_hub_task_id: "2d5acff7-4a4e-4ddd-ad06-08237ad3dac8" ``` @@ -210,7 +210,7 @@ sudo k3s server --cluster-reset \ ```task id: T06 -status: todo +status: done priority: medium state_hub_task_id: "f8e4a094-c367-40eb-b895-da17bc144b07" ```