Ember's auth route bounces between ?with=netkingdom/ and ?with=token when
OIDC mounts are hidden from the unauthenticated listing. Bypass Ember on the
bare auth path with a static login page that calls auth_url directly; OIDC
callbacks still proxy to the OpenBao UI.

Define platform-owned AppProjects, root app-of-apps, repository registration
templates, and tenant onboarding docs so issue-core can deploy via ArgoCD.
Ignore encrypted repository secrets locally and cross-link OpenBao delivery
guidance with the new GitOps contract.

Add synchronous redirect-bootstrap, direct KeyCape OIDC on sign-in, and mount
watching so the UI no longer lands on ?with=token when netkingdom is hidden
from unauthenticated mount listing. Document listing_visibility tune helper.

Replace the MutationObserver feedback loop with bounded, idempotent apply
retries so Firefox no longer hangs on the auth page. Route static UI assets
and API calls around HTML sub_filter injection to keep bundles compressed.

Streamline bao.coulomb.social login as "Sign in with KeyCape" via a versioned
nginx gateway that injects overlay assets and proxies to OpenBao. Disable chart
ingress in favor of the overlay ingress, wire make openbao-deploy, and add
openbao-verify-login-overlay with upstream drift detection.

Generate default CA via ssh/config/ca, split composite KUBECTL for role writes,
read pubkey from config/ca, allow warden key_id in roles, prefer production kubeconfig.

Author the repository's INTENT: the shared platform-services layer — the
dependable, backed-up, secure foundation of stateful services (data,
cache, secret custody, object storage, messaging) that consumers build on,
behind stable interfaces and independently evolvable underneath.
Intent is kept self-coherent and reference-free (no external project or
dependency-product references), describing this repository's own purpose
at the abstract, stable level.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

First consumer of the shared apps-pg cluster: managed role vergabe in apps-pg-cluster.yaml plus Database CR vergabe-db in new helm/apps-pg-databases.yaml. .gitignore whitelists helm/*-databases.yaml. Workplan implementation notes from codex folded in. Live: Database CR applied=true, psql from vergabe-teilnahme ns returns PostgreSQL 16.13.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Marks T01-T06 done and the workplan as finished. apps-pg is in 'Cluster in healthy state', smoke-tested via labeled-ns psql, documented in docs/apps-pg.md, and the platform team has replied on the coordination thread (msg dd119862) so RAILIANCE-WP-0002 T04 can proceed.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Adds the shared CloudNativePG cluster apps-pg for S5 application
databases:
- helm/apps-pg-cluster.yaml — Cluster CR, PG 16, 1 instance, 10Gi
- helm/apps-pg-networkpolicies.yaml — egress-to-kube-api +
  ingress-from-cnpg-operator + label-based ingress opt-in
  (railiance.io/postgres-client=apps-pg)
- helm/apps-pg-secret.sops.yaml.template — bootstrap credential
  template (encrypt with SOPS before committing the real .sops.yaml)
- Makefile targets: apps-pg-deploy, apps-pg-status (with cnpg-plugin
  fallback), apps-pg-shell (apps_admin/apps_meta), apps-pg-logs
- docs/apps-pg.md (codex) — consumer onboarding contract clarifying
  the CNPG 1.28 role/database lifecycle boundary

Also fixes helm/gitea-db-cluster.yaml: spec.postgresql.version is not
a valid CNPG v1 field (strict decoding rejects it). Replaced with
spec.imageName matching the live cluster (postgresql:18.1-system-trixie)
so make db-deploy is a no-op instead of an apply rejection.

Live state at commit time: Cluster apps-pg in healthy state, primary
apps-pg-1 Running, smoke-tested via psql from a labeled temp ns.

Co-Authored-By: codex <noreply@openai.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

6-task plan to provision a shared CloudNativePG cluster apps-pg in
the databases namespace, with NetworkPolicies that use a label-based
consumer opt-in (railiance.io/postgres-client=apps-pg) instead of
the per-namespace allowlist gitea-db uses.
Responds to coordination message 768c18f4 from railiance-apps and
unblocks RAILIANCE-WP-0002 T04 (vergabe-teilnahme role+db creation).
Keeps platform agnostic of individual apps per ADR-003: per-app
Database CRs and credential Secrets are owned by the consuming repos.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

- Add allow-ingress-from-default-gitea-db NetworkPolicy so Gitea pods
  in default namespace can connect to gitea-db cnpg cluster on 5432
- Update SCOPE.md to reflect cnpg as the canonical DB operator (postgresql-ha
  subchart fully decommissioned as of this session)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

WP-0001 targeted Bitnami postgresql-ha; CloudNativePG (cnpg) is the
deployed operator. Migration path now tracked in RAIL-HO-WP-0004-T03–T05.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>