SHELL := /usr/bin/env bash .DEFAULT_GOAL := help KUBECONFIG ?= $(firstword $(wildcard $(HOME)/.kube/config) $(HOME)/.kube/config-hosteurope) KUBECTL_BIN ?= $(firstword $(shell command -v kubectl 2>/dev/null) $(wildcard $(HOME)/.local/bin/kubectl) kubectl) KUBECTL := $(KUBECTL_BIN) --kubeconfig=$(KUBECONFIG) HELM := helm --kubeconfig=$(KUBECONFIG) NAMESPACE := platform PG_CHART_VERSION ?= 16.2.2 VALKEY_CHART_VERSION ?= 2.x OPENBAO_CHART_VERSION ?= 0.28.2 OPENBAO_NAMESPACE ?= openbao OPENBAO_RELEASE ?= openbao OPENBAO_VALUES ?= helm/openbao-values.yaml OPENBAO_MIDDLEWARE ?= helm/openbao-middleware.yaml OPENBAO_UI_OVERLAY_DIR ?= helm/openbao-ui-overlay OPENBAO_UI_OVERLAY_K8S ?= helm/openbao-ui-overlay-k8s.yaml OPENBAO_VERIFY_AUTH_ARGS ?= OPENBAO_RESTORE_EVIDENCE ?= /tmp/netkingdom-openbao-restore-drill/evidence.json OPENBAO_EMERGENCY_EVIDENCE ?= /tmp/netkingdom-openbao-emergency-drill/evidence.json EXTERNAL_SECRETS_NAMESPACE ?= external-secrets ARGOCD_NAMESPACE ?= argocd ARGOCD_BOOTSTRAP_DIR ?= argocd/bootstrap ARGOCD_REPOSITORY_SECRET ?= CREDENTIAL_GRANTS ?= credential-grants/catalog.yaml OPENBAO_TOKEN_GRANT_ARGS ?= CREDENTIAL_HELPER_GLOBAL_ARGS ?= CREDENTIAL_HELPER_ARGS ?= CREDENTIAL_HELPER_PURPOSE ?= flex-auth-openbao-smoke ##@ CloudNative PG (cnpg) — primary database operator db-deploy: ## Apply Gitea cnpg Cluster (creates gitea-db in databases namespace) $(KUBECTL) apply -f helm/gitea-db-cluster.yaml db-status: ## Show cnpg cluster health $(KUBECTL) cnpg status gitea-db -n databases 2>/dev/null || \ $(KUBECTL) get cluster gitea-db -n databases -o wide db-shell: ## Open psql shell on gitea-db primary $(KUBECTL) cnpg psql gitea-db -n databases -- -U gitea gitea db-logs: ## Tail gitea-db primary logs $(KUBECTL) logs -n databases -l cnpg.io/cluster=gitea-db -f --tail=50 ##@ Shared apps-pg (S5 application databases) apps-pg-deploy: ## Apply shared apps-pg cnpg Cluster + NetworkPolicies $(KUBECTL) apply -f helm/apps-pg-cluster.yaml $(KUBECTL) apply -f helm/apps-pg-networkpolicies.yaml apps-pg-status: ## Show apps-pg cnpg cluster health $(KUBECTL) cnpg status apps-pg -n databases 2>/dev/null || \ $(KUBECTL) get cluster apps-pg -n databases -o wide apps-pg-shell: ## Open psql shell on apps-pg primary as apps_admin / apps_meta $(KUBECTL) cnpg psql apps-pg -n databases -- -U apps_admin apps_meta 2>/dev/null || \ $(KUBECTL) exec -it -n databases apps-pg-1 -- psql -U apps_admin apps_meta apps-pg-logs: ## Tail apps-pg primary logs $(KUBECTL) logs -n databases -l cnpg.io/cluster=apps-pg -f --tail=50 net-kingdom-pg-inter-hub-networkpolicy-deploy: ## Allow inter-hub to reach net-kingdom-pg $(KUBECTL) apply -f helm/net-kingdom-pg-inter-hub-networkpolicy.yaml ##@ PostgreSQL HA (legacy — superseded by cnpg above) pg-deploy: ## Deploy / upgrade standalone PostgreSQL HA to platform namespace $(KUBECTL) create namespace $(NAMESPACE) --dry-run=client -o yaml | $(KUBECTL) apply -f - $(HELM) repo add bitnami https://charts.bitnami.com/bitnami --force-update $(HELM) upgrade --install postgresql-ha bitnami/postgresql-ha \ --version $(PG_CHART_VERSION) \ --namespace $(NAMESPACE) \ -f <(sops -d helm/postgresql-ha-values.sops.yaml) \ --wait --timeout 5m pg-status: ## Check PostgreSQL HA pod status $(KUBECTL) get pods -n $(NAMESPACE) -l app.kubernetes.io/name=postgresql-ha pg-pgpool-check: ## Verify pgpool-password secret key is present (see RAIL-BS-WP-0003) @SECRET=$$($(KUBECTL) get secret -n $(NAMESPACE) postgresql-ha-postgresql \ -o jsonpath='{.data.pgpool-password}' 2>/dev/null); \ if [ -z "$$SECRET" ]; then \ echo "ERROR: pgpool-password key missing from secret — pgpool will CrashLoop on restart"; \ exit 1; \ else \ echo "OK: pgpool-password key present"; \ fi ##@ Valkey (cache) valkey-deploy: ## Deploy / upgrade Valkey (Redis-compatible) to platform namespace $(KUBECTL) create namespace $(NAMESPACE) --dry-run=client -o yaml | $(KUBECTL) apply -f - $(HELM) upgrade --install valkey bitnami/valkey \ --namespace $(NAMESPACE) \ -f <(sops -d helm/valkey-values.sops.yaml) \ --wait --timeout 3m valkey-status: ## Check Valkey pod status $(KUBECTL) get pods -n $(NAMESPACE) -l app.kubernetes.io/name=valkey ##@ OpenBao (secrets) openbao-repo: ## Add / update the official OpenBao Helm repository $(HELM) repo add openbao https://openbao.github.io/openbao-helm --force-update $(HELM) repo update openbao openbao-dry-run: openbao-repo ## Render the OpenBao Helm release without applying it $(HELM) upgrade --install $(OPENBAO_RELEASE) openbao/openbao \ --version $(OPENBAO_CHART_VERSION) \ --namespace $(OPENBAO_NAMESPACE) \ --create-namespace \ -f $(OPENBAO_VALUES) \ --dry-run openbao-overlay-apply: ## Apply KeyCape login overlay gateway and assets OPENBAO_UI_OVERLAY_DIR=$(OPENBAO_UI_OVERLAY_DIR) \ OPENBAO_UI_OVERLAY_K8S=$(OPENBAO_UI_OVERLAY_K8S) \ KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \ scripts/openbao-ui-overlay-apply.sh openbao-verify-login-overlay: ## Verify public KeyCape login overlay is active OPENBAO_UI_OVERLAY_DIR=$(OPENBAO_UI_OVERLAY_DIR) \ scripts/openbao-verify-login-overlay.sh $(OPENBAO_VERIFY_LOGIN_OVERLAY_ARGS) openbao-deploy: openbao-repo ## Deploy / upgrade OpenBao to the openbao namespace $(KUBECTL) create namespace $(OPENBAO_NAMESPACE) --dry-run=client -o yaml | $(KUBECTL) apply -f - $(KUBECTL) apply -f $(OPENBAO_MIDDLEWARE) $(HELM) upgrade --install $(OPENBAO_RELEASE) openbao/openbao \ --version $(OPENBAO_CHART_VERSION) \ --namespace $(OPENBAO_NAMESPACE) \ -f $(OPENBAO_VALUES) \ --wait --timeout 5m $(MAKE) openbao-overlay-apply openbao-status: ## Show OpenBao pods, services, PVCs, and seal/init status $(KUBECTL) get pods,svc,pvc -n $(OPENBAO_NAMESPACE) \ -l app.kubernetes.io/instance=$(OPENBAO_RELEASE) -o wide -$(KUBECTL) exec -n $(OPENBAO_NAMESPACE) $(OPENBAO_RELEASE)-0 -- bao status openbao-verify: ## Run non-secret OpenBao deployment checks KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \ OPENBAO_RELEASE=$(OPENBAO_RELEASE) scripts/openbao-verify.sh basic openbao-verify-post-unseal: ## Run post-unseal OpenBao filesystem checks KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \ OPENBAO_RELEASE=$(OPENBAO_RELEASE) scripts/openbao-verify.sh post-unseal openbao-configure-initial: ## Apply first post-unseal audit, auth, mounts, and policies KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \ OPENBAO_RELEASE=$(OPENBAO_RELEASE) scripts/openbao-apply-initial-config.sh openbao-configure-ssh: ## Enable SSH secrets engine, roles, and warden-sign policy KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \ OPENBAO_RELEASE=$(OPENBAO_RELEASE) scripts/openbao-apply-ssh-engine.sh openbao-verify-ssh: ## Verify SSH engine mount, roles, and warden-sign policy KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \ OPENBAO_RELEASE=$(OPENBAO_RELEASE) scripts/openbao-verify-ssh-engine.sh openbao-verify-authenticated: ## Run authenticated non-mutating OpenBao audit/auth/mount checks KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \ OPENBAO_RELEASE=$(OPENBAO_RELEASE) scripts/openbao-verify-authenticated.sh $(OPENBAO_VERIFY_AUTH_ARGS) openbao-configure-external-secrets-issue-core: ## Configure OpenBao policy/role for issue-core ESO pilot KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \ OPENBAO_RELEASE=$(OPENBAO_RELEASE) ESO_NAMESPACE=$(EXTERNAL_SECRETS_NAMESPACE) \ scripts/openbao-apply-external-secrets-issue-core.sh openbao-validate-restore-evidence: ## Validate non-secret OpenBao restore-drill evidence JSON OPENBAO_RESTORE_EVIDENCE='$(OPENBAO_RESTORE_EVIDENCE)' \ scripts/openbao-validate-restore-evidence.sh openbao-validate-emergency-evidence: ## Validate non-secret OpenBao emergency seal/unseal drill evidence JSON OPENBAO_EMERGENCY_EVIDENCE='$(OPENBAO_EMERGENCY_EVIDENCE)' \ scripts/openbao-validate-emergency-drill-evidence.sh ##@ Credential broker credential-grants-validate: ## Validate non-secret credential grant catalog scripts/credential-grants-validate.py $(CREDENTIAL_GRANTS) openbao-token-grants-dry-run: ## Dry-run OpenBao token roles and issuer policies for credential grants scripts/openbao-apply-token-grants.py --dry-run $(OPENBAO_TOKEN_GRANT_ARGS) openbao-configure-token-grants: ## Apply OpenBao token roles and issuer policies for credential grants KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \ OPENBAO_RELEASE=$(OPENBAO_RELEASE) \ scripts/openbao-apply-token-grants.py $(OPENBAO_TOKEN_GRANT_ARGS) openbao-verify-token-grants-dry-run: ## Dry-run OpenBao token grant verification scripts/openbao-verify-token-grants.py --dry-run $(OPENBAO_TOKEN_GRANT_ARGS) openbao-verify-token-grants: ## Verify OpenBao token roles and issuer policies for credential grants KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \ OPENBAO_RELEASE=$(OPENBAO_RELEASE) \ scripts/openbao-verify-token-grants.py $(OPENBAO_TOKEN_GRANT_ARGS) openbao-verify-token-grants-smoke: ## Mint/revoke a child token and prove bounded warden-sign capabilities KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \ OPENBAO_RELEASE=$(OPENBAO_RELEASE) \ scripts/openbao-verify-token-grants.py --issue-smoke-token $(OPENBAO_TOKEN_GRANT_ARGS) credential-helper-dry-run: ## Dry-run credential request, exec, status, and revoke helper flows scripts/credential.py $(CREDENTIAL_HELPER_GLOBAL_ARGS) request --dry-run \ --grant ops-warden/warden-sign --purpose $(CREDENTIAL_HELPER_PURPOSE) \ $(CREDENTIAL_HELPER_ARGS) scripts/credential.py $(CREDENTIAL_HELPER_GLOBAL_ARGS) request --dry-run \ --grant ops-warden/warden-sign --purpose $(CREDENTIAL_HELPER_PURPOSE) \ --delivery kubernetes-auth $(CREDENTIAL_HELPER_ARGS) scripts/credential.py $(CREDENTIAL_HELPER_GLOBAL_ARGS) exec --dry-run \ --grant ops-warden/warden-sign --purpose $(CREDENTIAL_HELPER_PURPOSE) \ $(CREDENTIAL_HELPER_ARGS) -- SMOKE_VAULT=1 /bin/true scripts/credential.py $(CREDENTIAL_HELPER_GLOBAL_ARGS) status --dry-run example-accessor scripts/credential.py $(CREDENTIAL_HELPER_GLOBAL_ARGS) revoke --dry-run example-accessor credential-tests: ## Run offline credential broker unit tests python3 -m unittest discover -s tests -p 'test_credential*.py' credential-exec-ops-warden-smoke: ## Run ops-warden smoke with an exec-injected warden-sign token KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \ OPENBAO_RELEASE=$(OPENBAO_RELEASE) \ scripts/credential.py $(CREDENTIAL_HELPER_GLOBAL_ARGS) exec \ --grant ops-warden/warden-sign --purpose ops-warden-production-sign-smoke \ $(CREDENTIAL_HELPER_ARGS) -- \ SMOKE_VAULT=1 /home/worsch/ops-warden/scripts/policy_gate_production_smoke.sh ##@ ArgoCD GitOps bootstrap argocd-bootstrap-dry-run: ## Server-side dry-run ArgoCD AppProjects and root Application $(KUBECTL) apply --dry-run=server -k $(ARGOCD_BOOTSTRAP_DIR) argocd-bootstrap-deploy: ## Apply ArgoCD AppProjects and root Application $(KUBECTL) apply -k $(ARGOCD_BOOTSTRAP_DIR) argocd-repo-apply: ## Apply a SOPS-encrypted ArgoCD repository Secret (set ARGOCD_REPOSITORY_SECRET) @test -n "$(ARGOCD_REPOSITORY_SECRET)" || \ (echo "ERROR: set ARGOCD_REPOSITORY_SECRET=argocd/repositories/.repository.sops.yaml"; exit 1) sops -d $(ARGOCD_REPOSITORY_SECRET) | $(KUBECTL) apply -f - argocd-status: ## Show Railiance ArgoCD projects, root app, and registered repos $(KUBECTL) get appprojects.argoproj.io -n $(ARGOCD_NAMESPACE) \ railiance-bootstrap railiance-tenants railiance-platform-addons $(KUBECTL) get applications.argoproj.io -n $(ARGOCD_NAMESPACE) \ railiance-apps-root external-secrets openbao-secretstore issue-core $(KUBECTL) get secrets -n $(ARGOCD_NAMESPACE) \ -l argocd.argoproj.io/secret-type=repository ##@ Backup backup: ## Backup platform services (PostgreSQL logical dump) — age-encrypted to Nextcloud sudo tools/cmd/railiance-backup ##@ Help help: ## Show this help @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} \ /^[a-zA-Z_-]+:.*?##/ { printf " \033[36m%-22s\033[0m %s\n", $$1, $$2 } \ /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) }' $(MAKEFILE_LIST) .PHONY: db-deploy db-status db-shell db-logs apps-pg-deploy apps-pg-status apps-pg-shell apps-pg-logs net-kingdom-pg-inter-hub-networkpolicy-deploy pg-deploy pg-status pg-pgpool-check valkey-deploy valkey-status openbao-repo openbao-dry-run openbao-overlay-apply openbao-verify-login-overlay openbao-deploy openbao-status openbao-verify openbao-verify-post-unseal openbao-configure-initial openbao-configure-ssh openbao-verify-ssh openbao-verify-authenticated openbao-configure-external-secrets-issue-core openbao-validate-restore-evidence openbao-validate-emergency-evidence credential-grants-validate openbao-token-grants-dry-run openbao-configure-token-grants openbao-verify-token-grants-dry-run openbao-verify-token-grants openbao-verify-token-grants-smoke credential-helper-dry-run credential-tests credential-exec-ops-warden-smoke argocd-bootstrap-dry-run argocd-bootstrap-deploy argocd-repo-apply argocd-status backup help