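---
# Deployment-zone overlay inventory (evidence only).
#
# Every access_zone / exposure_class / policy_authority value below is a
# classification derived from repository artifacts, not an enforced control:
# nothing in this file grants, denies or verifies access. Entries whose
# review.status is "candidate" are unconfirmed until an operator signs off.
apiVersion: railiance.fabric/v1alpha1
kind: DeploymentZoneInventory
generated_at: "2026-05-24T00:00:00+02:00"
source:
  repo: railiance-fabric
  workplan: RAIL-FAB-WP-0020
  method: source-search-and-declared-surfaces
scope:
  note: >
    This inventory captures deployment-zone overlay evidence. It does not
    define fabric membership, port ownership, live health, or access policy.
deployment_environments:
  - id: dev
    scenario: bernd-laptop
    intended_reachability: private operator workstation
  - id: test
    scenario: coulombcore
    intended_reachability: shared collaborator and early-access test stage
  - id: prod
    scenario: railiance01
    intended_reachability: production stage, currently alpha-accessible to developers
surfaces:
  - id: dev.bernd-laptop.railiance-fabric.registry-api
    name: Railiance Fabric registry HTTP API
    repo: railiance-fabric
    service_id: railiance-fabric.registry
    deployment_environment: dev
    deployment_scenario: bernd-laptop
    access_zone: private-dev
    exposure_class: local-only
    routing_authority: local-loopback-binding
    # NOTE(review): "local-loopback-binding" is a reachability property, not an
    # access policy. Binding to 127.0.0.1 keeps the port off the LAN, but every
    # process on the workstation can reach it, and a browser on the same host
    # can be induced to send requests to a localhost origin (CSRF, DNS
    # rebinding). Whether the service authenticates requests is not evident
    # from this inventory; confirm against the interface declaration cited
    # under evidence.
    policy_authority: local-loopback-binding
    route_evidence:
      route: http://127.0.0.1:8765
      host: 127.0.0.1
      port: 8765
      protocol: http
    evidence:
      - path: fabric/interfaces/railiance-fabric-registry-http-api.yaml
        kind: fabric-interface-declaration
  - id: dev.bernd-laptop.railiance-fabric.graph-explorer
    name: Railiance Fabric graph explorer UI
    repo: railiance-fabric
    service_id: railiance-fabric.registry
    deployment_environment: dev
    deployment_scenario: bernd-laptop
    access_zone: private-dev
    exposure_class: local-only
    routing_authority: local-loopback-binding
    # Same loopback caveat as dev.bernd-laptop.railiance-fabric.registry-api
    # (shares port 8765).
    policy_authority: local-loopback-binding
    route_evidence:
      route: http://127.0.0.1:8765/ui/graph-explorer
      host: 127.0.0.1
      port: 8765
      protocol: http
      path: /ui/graph-explorer
    evidence:
      - path: fabric/interfaces/railiance-fabric-registry-graph-explorer-ui.yaml
        kind: fabric-interface-declaration
  - id: dev.bernd-laptop.state-hub.api
    name: State Hub HTTP API
    repo: the-custodian
    service_id: the-custodian.state-hub
    deployment_environment: dev
    deployment_scenario: bernd-laptop
    access_zone: private-dev
    exposure_class: local-only
    routing_authority: local-loopback-binding
    # Same loopback caveat as dev.bernd-laptop.railiance-fabric.registry-api.
    policy_authority: local-loopback-binding
    route_evidence:
      route: http://127.0.0.1:8000
      host: 127.0.0.1
      port: 8000
      protocol: http
    evidence:
      - path: fabric/interfaces/the-custodian-state-hub-http-api.yaml
        kind: fabric-interface-declaration
  - id: dev.bernd-laptop.state-hub.mcp
    name: State Hub MCP API
    repo: the-custodian
    service_id: the-custodian.state-hub
    deployment_environment: dev
    deployment_scenario: bernd-laptop
    access_zone: private-dev
    exposure_class: local-only
    routing_authority: local-loopback-binding
    # NOTE(review): same loopback caveat as the registry API. An MCP endpoint
    # is a tool-call surface; if it accepts unauthenticated connections, any
    # local process can drive it. Confirm in the interface declaration.
    policy_authority: local-loopback-binding
    route_evidence:
      route: http://127.0.0.1:8001
      host: 127.0.0.1
      port: 8001
      protocol: http
    evidence:
      - path: fabric/interfaces/the-custodian-state-hub-mcp-api.yaml
        kind: fabric-interface-declaration
  - id: dev.bernd-laptop.state-hub.dashboard
    name: State Hub dashboard
    repo: the-custodian
    service_id: the-custodian.state-hub
    deployment_environment: dev
    deployment_scenario: bernd-laptop
    access_zone: private-dev
    exposure_class: local-only
    routing_authority: local-loopback-binding
    # Same loopback caveat as dev.bernd-laptop.railiance-fabric.registry-api.
    policy_authority: local-loopback-binding
    route_evidence:
      route: http://127.0.0.1:3000
      host: 127.0.0.1
      port: 3000
      protocol: http
    evidence:
      - path: fabric/interfaces/the-custodian-state-hub-dashboard.yaml
        kind: fabric-interface-declaration
  - id: dev.bernd-laptop.net-kingdom.control-surface
    name: NetKingdom control surface
    repo: net-kingdom
    service_id: net-kingdom.iam-profile
    deployment_environment: dev
    deployment_scenario: bernd-laptop
    access_zone: private-dev
    exposure_class: local-only
    routing_authority: local-loopback-binding
    # Same loopback caveat as dev.bernd-laptop.railiance-fabric.registry-api.
    policy_authority: local-loopback-binding
    route_evidence:
      route: http://127.0.0.1:8876
      host: 127.0.0.1
      port: 8876
      protocol: http
    evidence:
      - path: fabric/interfaces/net-kingdom-control-surface-ui.yaml
        kind: fabric-interface-declaration
      - path: ../net-kingdom/sso-mfa/k8s/keycape/README.md
        kind: source-search-hit
        # NOTE(review): this README lives in the production IdP's k8s
        # directory. If the localhost callback is registered on a production
        # OIDC client rather than a dev-only client, that client's redirect
        # allowlist includes a URI any local process can listen on — confirm
        # which client carries it.
        note: local OIDC callback lists localhost port 8876
  - id: test.coulombcore.state-hub.http-tunnel
    name: State Hub HTTP API tunnel to coulombcore
    repo: railiance-infra
    service_id: the-custodian.state-hub
    deployment_environment: test
    deployment_scenario: coulombcore
    access_zone: collaborator-test
    exposure_class: collaborator-test
    routing_authority: ops-bridge
    # NOTE(review): the route is the operator's local end of what appears to
    # be an SSH port forward through the ops bridge, so reachability is gated
    # by SSH access to that bridge. The forwarded port is itself
    # loopback-bound and inherits the loopback caveat noted on the dev
    # surfaces. This is not evidence that the remote service is unreachable by
    # other paths (see ambiguity test-reachability-is-tunneled).
    policy_authority: ops-bridge-ssh
    route_evidence:
      route: http://127.0.0.1:18000
      host: 127.0.0.1
      port: 18000
      protocol: http
      tunnel_target: coulombcore
    evidence:
      - path: ../railiance-infra/docs/deploy-stack.md
        lines: "127"
        kind: source-search-hit
  - id: test.coulombcore.state-hub.mcp-tunnel
    name: State Hub MCP tunnel to coulombcore
    repo: railiance-infra
    service_id: the-custodian.state-hub
    deployment_environment: test
    deployment_scenario: coulombcore
    access_zone: collaborator-test
    exposure_class: collaborator-test
    routing_authority: ops-bridge
    # Same tunnel caveat as test.coulombcore.state-hub.http-tunnel; MCP
    # tool-call caveat from dev.bernd-laptop.state-hub.mcp applies as well.
    policy_authority: ops-bridge-ssh
    route_evidence:
      route: http://127.0.0.1:18001
      host: 127.0.0.1
      port: 18001
      protocol: http
      tunnel_target: coulombcore
    evidence:
      - path: ../railiance-infra/docs/deploy-stack.md
        lines: "128"
        kind: source-search-hit
  - id: test.coulombcore.k3s-api-tunnel
    name: k3s API tunnel to coulombcore
    repo: railiance-infra
    deployment_environment: test
    deployment_scenario: coulombcore
    access_zone: collaborator-test
    exposure_class: collaborator-test
    routing_authority: ops-bridge
    # NOTE(review): this forwards the Kubernetes API. SSH reach to the bridge
    # is only the outer gate; the effective policy boundary is the kubeconfig
    # / client credential presented over the tunnel, which is not recorded
    # here. Same tunnel caveat as test.coulombcore.state-hub.http-tunnel.
    policy_authority: ops-bridge-ssh
    route_evidence:
      route: https://127.0.0.1:16443
      host: 127.0.0.1
      port: 16443
      protocol: https
      tunnel_target: coulombcore
    evidence:
      - path: ../railiance-infra/docs/deploy-stack.md
        lines: "129"
        kind: source-search-hit
      - path: ../railiance-cluster/SCOPE.md
        lines: "127"
        kind: source-search-hit
        note: cluster scope states it runs on COULOMBCORE
  - id: prod.railiance01.gitea
    name: Gitea ingress
    repo: railiance-apps
    deployment_environment: prod
    deployment_scenario: railiance01
    access_zone: production-public
    exposure_class: production-public
    routing_authority: traefik
    # NOTE(review): null means no policy artifact (forward-auth, allowlist
    # middleware) was found on the ingress, so Traefik forwards every internet
    # request straight to the application; the application's own login is
    # presumably the only gate. An SSO portal is already inventoried for this
    # host (prod.railiance01.authelia), so attaching forward-auth is one
    # candidate remediation — operator decision. Tracked in
    # missing_policy_authority.
    policy_authority: null
    tls_authority: cert-manager:letsencrypt-prod
    route_evidence:
      route: https://gitea.coulomb.social
      hostname: gitea.coulomb.social
      port: 443
      protocol: https
    review:
      status: candidate
      note: access zone and policy authority require operator review
    evidence:
      - path: ../railiance-apps/manifests/gitea-ingress.yaml
        lines: "2,12,14,16,27"
        kind: kubernetes-ingress
      - path: ../railiance-apps/workplans/railiance-apps-WP-0002-vergabe-teilnahme-on-railiance01.md
        lines: "612,613"
        kind: source-search-hit
        note: places Gitea before vergabe-teilnahme on railiance01
  - id: prod.railiance01.vergabe-teilnahme
    name: Vergabe Teilnahme ingress
    repo: railiance-apps
    deployment_environment: prod
    deployment_scenario: railiance01
    access_zone: production-public
    exposure_class: production-public
    routing_authority: traefik
    # NOTE(review): same situation as prod.railiance01.gitea — no policy
    # artifact on the ingress, so the application's own controls are the only
    # gate between the internet and the workload. Tracked in
    # missing_policy_authority.
    policy_authority: null
    tls_authority: cert-manager:letsencrypt-prod
    route_evidence:
      route: https://vergabe-teilnahme.whywhynot.de
      hostname: vergabe-teilnahme.whywhynot.de
      port: 443
      protocol: https
    review:
      status: candidate
      note: production public classification is inferred from ingress host and workplan
    evidence:
      - path: ../railiance-apps/manifests/vergabe-teilnahme-ingress.yaml
        lines: "2,11,13,15,26"
        kind: kubernetes-ingress
      - path: ../railiance-apps/workplans/railiance-apps-WP-0002-vergabe-teilnahme-on-railiance01.md
        lines: "22,40,68,69,163,612,613"
        kind: source-search-hit
  - id: prod.railiance01.authelia
    name: Authelia ingress
    repo: net-kingdom
    deployment_environment: prod
    deployment_scenario: railiance01
    access_zone: production-public
    exposure_class: production-public
    routing_authority: traefik
    # The auth portal is public by design (users must reach it to log in);
    # the surfaces it protects are the ones whose policy_authority should
    # reference it.
    policy_authority: authelia
    tls_authority: cert-manager:letsencrypt-prod
    route_evidence:
      route: https://auth.coulomb.social
      hostname: auth.coulomb.social
      port: 443
      protocol: https
    review:
      status: candidate
      note: railiance01 attribution comes from NetKingdom deployment workplan
    evidence:
      - path: ../net-kingdom/sso-mfa/k8s/authelia/ingress.yaml
        lines: "13,22,24,26,38"
        kind: kubernetes-ingress
      - path: ../net-kingdom/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md
        lines: "29,47,88,101"
        kind: source-search-hit
  - id: prod.railiance01.keycape
    name: Keycape ingress
    repo: net-kingdom
    deployment_environment: prod
    deployment_scenario: railiance01
    access_zone: production-public
    exposure_class: production-public
    routing_authority: traefik
    # NOTE(review): "traefik-middleware" records that a middleware is attached,
    # not what it enforces (rate limit, headers, forward-auth, allowlist).
    # What it does is only visible at the cited middleware.yaml lines.
    policy_authority: traefik-middleware
    tls_authority: cert-manager:letsencrypt-prod
    route_evidence:
      route: https://kc.coulomb.social
      hostname: kc.coulomb.social
      port: 443
      protocol: https
    review:
      status: candidate
      note: middleware is present, but intended audience still needs operator review
    evidence:
      - path: ../net-kingdom/sso-mfa/k8s/keycape/ingress.yaml
        lines: "13,22,23,27,29,41"
        kind: kubernetes-ingress
      - path: ../net-kingdom/sso-mfa/k8s/keycape/middleware.yaml
        lines: "9,24"
        kind: traefik-middleware
  - id: prod.railiance01.privacyidea
    name: privacyIDEA ingress
    repo: net-kingdom
    deployment_environment: prod
    deployment_scenario: railiance01
    # NOTE(review): an admin zone on a public hostname with a Let's Encrypt
    # certificate is internet-resolvable; the "admin" classification holds
    # only if the attached middleware actually restricts callers (source-IP
    # allowlist or forward-auth), which this inventory does not record.
    access_zone: production-admin
    exposure_class: production-admin
    routing_authority: traefik
    policy_authority: traefik-middleware
    tls_authority: cert-manager:letsencrypt-prod
    route_evidence:
      route: https://pink.coulomb.social
      hostname: pink.coulomb.social
      port: 443
      protocol: https
    review:
      status: candidate
      note: admin classification inferred from privacyIDEA role and middleware
    evidence:
      - path: ../net-kingdom/sso-mfa/k8s/privacyidea/ingress.yaml
        lines: "25,34,36,38,40,52,60,69,71,75,77,89"
        kind: kubernetes-ingress
      - path: ../net-kingdom/sso-mfa/k8s/privacyidea/middleware.yaml
        lines: "19,41"
        kind: traefik-middleware
  - id: prod.railiance01.privacyidea-account
    name: privacyIDEA account self-service ingress
    repo: net-kingdom
    deployment_environment: prod
    deployment_scenario: railiance01
    access_zone: production-public
    exposure_class: production-public
    routing_authority: traefik
    # NOTE(review): both privacyIDEA hostnames cite the same ingress.yaml;
    # confirm the self-service route cannot reach the admin API paths of the
    # same backend, otherwise the "public" / "admin" split exists in DNS only.
    policy_authority: traefik-middleware
    tls_authority: cert-manager:letsencrypt-prod
    route_evidence:
      route: https://pink-account.coulomb.social
      hostname: pink-account.coulomb.social
      port: 443
      protocol: https
    review:
      status: candidate
      note: self-service classification inferred from host name and middleware
    evidence:
      - path: ../net-kingdom/sso-mfa/k8s/privacyidea/ingress.yaml
        lines: "94,103,104,106,108,120"
        kind: kubernetes-ingress
  - id: prod.railiance01.lldap
    name: LLDAP ingress
    repo: net-kingdom
    deployment_environment: prod
    deployment_scenario: railiance01
    access_zone: production-admin
    exposure_class: production-admin
    routing_authority: traefik
    # NOTE(review): an IP allowlist evaluated in Traefik is only as good as the
    # client address Traefik sees. If the LoadBalancer in front of it rewrites
    # the source address, the allowlist may be matching the balancer, not the
    # caller — confirm how the real client IP reaches Traefik.
    policy_authority: traefik-admin-allowlist
    tls_authority: cert-manager:letsencrypt-prod
    route_evidence:
      route: https://lldap.coulomb.social
      hostname: lldap.coulomb.social
      port: 443
      protocol: https
    review:
      status: candidate
      note: admin allowlist middleware indicates intended restricted access
    evidence:
      - path: ../net-kingdom/sso-mfa/k8s/lldap/ingress.yaml
        lines: "12,21,22,24,26,38"
        kind: kubernetes-ingress
      - path: ../net-kingdom/sso-mfa/k8s/lldap/middleware.yaml
        lines: "11"
        kind: traefik-middleware
ambiguities:
  - id: railiance01-coulombcore-ip-conflict
    # NOTE(review): if COULOMBCORE really owns 92.205.130.254, the "test"
    # tunnels and the "prod" public ingress resolve to the same host, and the
    # environment boundary assumed by access_zone does not exist on the wire.
    severity: high
    summary: Source documents disagree on which host owns 92.205.130.254.
    evidence:
      - path: ../railiance-apps/workplans/railiance-apps-WP-0002-vergabe-teilnahme-on-railiance01.md
        lines: "22,163"
        note: says railiance01 and Traefik LoadBalancer use 92.205.130.254
      - path: ../railiance-infra/SCOPE.md
        lines: "126"
        note: says COULOMBCORE is 92.205.130.254 and Railiance01 is 92.205.62.239
    next: reconcile host inventory before treating IP evidence as authoritative
  - id: prod-access-zone-review
    severity: medium
    summary: Production access zones are candidate classifications.
    evidence:
      - path: ../railiance-apps/manifests
        note: app ingress manifests show routing and TLS but not business audience
      - path: ../net-kingdom/sso-mfa/k8s
        note: middleware and network policy hint at access intent but do not replace operator review
    next: confirm each production host as public, admin, or early-access
  - id: test-reachability-is-tunneled
    severity: medium
    summary: Current coulombcore routes are ops-bridge tunnel evidence, not public ingress evidence.
    evidence:
      - path: ../railiance-infra/docs/deploy-stack.md
        lines: "127,128,129"
        note: state-hub and k3s API access are tunnel commands
    next: add executable test-stage ingress/service discovery when coulombcore manifests exist
# Surfaces whose ingress artifact carries no access-policy construct at all.
# Until resolved, these are internet-facing workloads whose only gate is the
# application itself.
missing_policy_authority:
  - surface_id: prod.railiance01.gitea
    reason: route and TLS are discovered, but access policy authority is not evident in the ingress artifact
  - surface_id: prod.railiance01.vergabe-teilnahme
    reason: route and TLS are discovered, but access policy authority is not evident in the ingress artifact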