From 8a9bfcc9bd81b6129a7430b0a500ced3ec031554 Mon Sep 17 00:00:00 2001
From: tegwick
Date: Thu, 25 Jun 2026 15:39:53 +0200
Subject: [PATCH] feat(statehub): deploy empty railiance state hub
---
 Makefile | 15 ++++++---------
 deploy/railiance/README.md | 4 +++-
 deploy/railiance/apps/helm/state-hub-values.yaml | 5 ++++-
 .../apps/manifests/state-hub-namespace.yaml | 8 ++++++++
 .../platform/state-hub-db-networkpolicies.yaml | 6 +++---
 ...T-WP-0011-state-hub-threephoenix-migration.md | 16 +++++++++++++++-
 6 files changed, 39 insertions(+), 15 deletions(-)
 create mode 100644 deploy/railiance/apps/manifests/state-hub-namespace.yaml
diff --git a/Makefile b/Makefile
index e34fb44..008c5e4 100644
--- a/Makefile
+++ b/Makefile
@@ -88,8 +88,9 @@ railiance-state-hub-client-dry-run:
 $(KUBECTL) apply --dry-run=client -f $(RAILIANCE_STATE_HUB_PLATFORM_DIR)/state-hub-db-credentials.sops.yaml.template; \
 $(KUBECTL) apply --dry-run=client -f $(RAILIANCE_STATE_HUB_PLATFORM_DIR)/state-hub-db-cluster.yaml; \
 $(KUBECTL) apply --dry-run=client -f $(RAILIANCE_STATE_HUB_PLATFORM_DIR)/state-hub-db-networkpolicies.yaml; \
+ $(KUBECTL) apply --dry-run=client -f $(RAILIANCE_STATE_HUB_APP_MANIFESTS)/state-hub-namespace.yaml; \
 $(KUBECTL) apply --dry-run=client -f $(RAILIANCE_STATE_HUB_APP_MANIFESTS)/state-hub-env.secret.sops.yaml.template; \
- $(KUBECTL) apply --dry-run=client -f "$$tmpdir/state-hub.yaml"
+ $(KUBECTL) apply --dry-run=client -n $(RAILIANCE_STATE_HUB_NAMESPACE) -f "$$tmpdir/state-hub.yaml"
 
 railiance-state-hub-server-dry-run:
 @set -e; \
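Review bot: The new `-n $(RAILIANCE_STATE_HUB_NAMESPACE)` is passed only for the rendered chart, while `state-hub-env.secret.sops.yaml.template` on the line above is still applied without a namespace, so a template that omits `metadata.namespace` dry-runs cleanly against whatever namespace the caller's kubeconfig context selects rather than against `state-hub`, where the README in this patch says the Secret must live. Passing the same flag there makes the client dry-run reject a missing or mismatched namespace on the Secret as well: `$(KUBECTL) apply --dry-run=client -n $(RAILIANCE_STATE_HUB_NAMESPACE) -f $(RAILIANCE_STATE_HUB_APP_MANIFESTS)/state-hub-env.secret.sops.yaml.template; \`. The same asymmetry is repeated in the server dry-run target below. The `railiance-state-hub-client-dry-run` recipe starts outside this hunk.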
@@ -99,22 +100,18 @@ railiance-state-hub-server-dry-run:
 --namespace $(RAILIANCE_STATE_HUB_NAMESPACE) \
 -f $(RAILIANCE_STATE_HUB_VALUES) \
 --set image.tag=$(RAILIANCE_STATE_HUB_IMAGE_TAG) > "$$tmpdir/state-hub.yaml"; \
- $(HELM) template $(RAILIANCE_STATE_HUB_RELEASE) $(RAILIANCE_STATE_HUB_CHART) \
- --namespace $(RAILIANCE_STATE_HUB_NAMESPACE) \
- -f $(RAILIANCE_STATE_HUB_VALUES) \
- --set image.tag=$(RAILIANCE_STATE_HUB_IMAGE_TAG) \
- --show-only templates/namespace.yaml > "$$tmpdir/state-hub-namespace.yaml"; \
 $(KUBECTL) apply --dry-run=server -f $(RAILIANCE_STATE_HUB_PLATFORM_DIR)/state-hub-db-credentials.sops.yaml.template; \
 $(KUBECTL) apply --dry-run=server -f $(RAILIANCE_STATE_HUB_PLATFORM_DIR)/state-hub-db-cluster.yaml; \
 $(KUBECTL) apply --dry-run=server -f $(RAILIANCE_STATE_HUB_PLATFORM_DIR)/state-hub-db-networkpolicies.yaml; \
- $(KUBECTL) apply --dry-run=server -f "$$tmpdir/state-hub-namespace.yaml"; \
+ $(KUBECTL) apply --dry-run=server -f $(RAILIANCE_STATE_HUB_APP_MANIFESTS)/state-hub-namespace.yaml; \
 if $(KUBECTL) get namespace $(RAILIANCE_STATE_HUB_NAMESPACE) >/dev/null 2>&1; then \
 $(KUBECTL) apply --dry-run=server -f $(RAILIANCE_STATE_HUB_APP_MANIFESTS)/state-hub-env.secret.sops.yaml.template; \
- $(KUBECTL) apply --dry-run=server -f "$$tmpdir/state-hub.yaml"; \
+ $(KUBECTL) apply --dry-run=server -n $(RAILIANCE_STATE_HUB_NAMESPACE) -f "$$tmpdir/state-hub.yaml"; \
 else \
 echo "Namespace $(RAILIANCE_STATE_HUB_NAMESPACE) does not exist; validating namespaced app manifests with client dry-run."; \
+ $(KUBECTL) apply --dry-run=client -f $(RAILIANCE_STATE_HUB_APP_MANIFESTS)/state-hub-namespace.yaml; \
 $(KUBECTL) apply --dry-run=client -f $(RAILIANCE_STATE_HUB_APP_MANIFESTS)/state-hub-env.secret.sops.yaml.template; \
- $(KUBECTL) apply --dry-run=client -f "$$tmpdir/state-hub.yaml"; \
+ $(KUBECTL) apply --dry-run=client -n $(RAILIANCE_STATE_HUB_NAMESPACE) -f "$$tmpdir/state-hub.yaml"; \
 fi
 
 test: test-python dashboard-check
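Review bot: With the `--show-only templates/namespace.yaml` render removed, nothing in this target checks that the chart has actually stopped emitting a Namespace now that the static `state-hub-namespace.yaml` owns it; if `$(RAILIANCE_STATE_HUB_VALUES)` ever points at a values file without `namespace.create=false`, `$$tmpdir/state-hub.yaml` carries a second `kind: Namespace` whose labels can differ from the manifest's (`railiance.io/postgres-client: state-hub-db`, which the DB NetworkPolicies presumably select on), and the same object is then managed from two sources. A one-line assertion after the render closes this: `! grep -qx 'kind: Namespace' "$$tmpdir/state-hub.yaml" || { echo "chart still renders a Namespace; set namespace.create=false"; exit 1; }; \`. The client dry-run of the namespace manifest added in the `else` branch duplicates the server dry-run a few lines above it, since a Namespace is cluster-scoped and never needs the namespace to exist first. The recipe starts outside this hunk.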
diff --git a/deploy/railiance/README.md b/deploy/railiance/README.md
index 3df6765..9b9bc6e 100644
--- a/deploy/railiance/README.md
+++ b/deploy/railiance/README.md
@@ -69,9 +69,11 @@ App promotion into `railiance-apps`:
 - copy `apps/charts/state-hub/` to `charts/state-hub/`;
 - copy `apps/helm/state-hub-values.yaml` to `helm/state-hub-values.yaml`;
+- apply or GitOps-manage `apps/manifests/state-hub-namespace.yaml`;
 - create `state-hub-env` in the `state-hub` namespace from the approved secret-delivery path;
-- deploy with Helm only after `state-hub-db` is healthy.
+- deploy with Helm using the production values file, which sets
+ `namespace.create=false`, only after `state-hub-db` is healthy.
 ## Runtime Secret Contract
diff --git a/deploy/railiance/apps/helm/state-hub-values.yaml b/deploy/railiance/apps/helm/state-hub-values.yaml
index 7033b17..d1a4feb 100644
--- a/deploy/railiance/apps/helm/state-hub-values.yaml
+++ b/deploy/railiance/apps/helm/state-hub-values.yaml
@@ -1,8 +1,11 @@
 # Production values for the State Hub Railiance chart handoff.
 # Non-secret values only. DATABASE_URL comes from the Secret `state-hub-env`.
+namespace:
+ create: false
+
 image:
 tag: "b536741"
 ingress:
- enabled: false
\ No newline at end of file
+ enabled: false
diff --git a/deploy/railiance/apps/manifests/state-hub-namespace.yaml b/deploy/railiance/apps/manifests/state-hub-namespace.yaml
new file mode 100644
index 0000000..bf5c77a
--- /dev/null
+++ b/deploy/railiance/apps/manifests/state-hub-namespace.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: state-hub
+ labels:
+ railiance.io/layer: s5-app
+ railiance.io/postgres-client: state-hub-db
diff --git a/deploy/railiance/platform/state-hub-db-networkpolicies.yaml b/deploy/railiance/platform/state-hub-db-networkpolicies.yaml
index 4faed89..69bd262 100644
--- a/deploy/railiance/platform/state-hub-db-networkpolicies.yaml
+++ b/deploy/railiance/platform/state-hub-db-networkpolicies.yaml
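Review bot: The new Namespace carries only the `railiance.io/*` selector labels and no Pod Security Admission labels, so pods in `state-hub` get whatever the cluster-wide admission default is; if this cluster relies on per-namespace PSA (not visible from the patch), the State Hub workload runs unconstrained. Pinning a level in this file is cheap and travels with the manifest the Makefile and README now treat as the namespace's single owner: add `pod-security.kubernetes.io/enforce: restricted` and `pod-security.kubernetes.io/warn: restricted` under `labels` (or `baseline` if the chart's pod spec does not yet satisfy `restricted`). Both labels are static, so they survive every `kubectl apply` of the same file.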
@@ -17,9 +17,9 @@ spec:
 policyTypes:
 - Egress
 egress:
- - to:
- - namespaceSelector: {}
- ports:
+ - ports:
+ - protocol: TCP
+ port: 443
 - protocol: TCP
 port: 6443
 ---
diff --git a/workplans/CUST-WP-0011-state-hub-threephoenix-migration.md b/workplans/CUST-WP-0011-state-hub-threephoenix-migration.md
index fcac92c..70e3c4c 100644
--- a/workplans/CUST-WP-0011-state-hub-threephoenix-migration.md
+++ b/workplans/CUST-WP-0011-state-hub-threephoenix-migration.md
@@ -266,8 +266,9 @@ in `deploy/railiance/README.md`.
 ```task
 id: CUST-WP-0011-T05
-status: todo
+status: done
 priority: high
+completed: "2026-06-25"
 state_hub_task_id: "a307dd46-a8e2-49df-b016-c187759ebcf1"
 ```
@@ -283,6 +284,19 @@ Checks:
 **Done when:** an empty but structurally valid State Hub runs on railiance01.
+Completed 2026-06-25: deployed an empty State Hub stack to railiance01.
+Created the `state-hub` namespace, generated live-only database and app runtime
+Secrets, created the dedicated `state-hub-db` CNPG cluster, and applied database
+NetworkPolicies. Fixed the State Hub database egress policy to allow the
+in-cluster Kubernetes API service on TCP 443 as well as 6443, which CNPG
+needed during initdb. Ran Alembic migrations in a one-shot Kubernetes Job
+using image `gitea.coulomb.social/coulomb/state-hub:b536741`; migrations
+completed through `e9f0a1b2c3d4 (head)`. Installed the Helm release
+`state-hub` into the pre-created namespace with `namespace.create=false`.
+Verified Deployment rollout, zero pod restarts, service creation, pod logs,
+in-pod Alembic current revision, and `/state/health` via temporary port-forward
+returning `{"status":"ok","db":"connected"}`.
+
 ---
 ### T06 — Restore WSL2 data copy into cluster and compare
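Review bot: Dropping the `to:` block turns this egress rule from "any pod in any namespace on 6443" into "any destination, including the public internet, on TCP 443 and 6443", which is far wider than the stated goal of letting the database pods reach the in-cluster Kubernetes API. The old `namespaceSelector: {}` presumably never matched the API server because it selects pod IPs and the `kubernetes` Service forwards to the control-plane endpoint, so the fix is a `to:` entry for that endpoint rather than no `to:` at all: `- to: [{ipBlock: {cidr: <apiserver-endpoint>/32}}]` above the two `ports`, with the address taken from `kubectl get endpoints kubernetes` (and the Service ClusterIP added as a second `ipBlock` if the CNI evaluates policy before Service DNAT, which would also explain why 443 had to be opened alongside 6443). A short comment on the rule, `# egress: Kubernetes API only (needed by CNPG initdb); do not widen to 0.0.0.0/0`, would stop the next reader from reading the bare `ports` list as intentional. The rest of the policy object, including its `podSelector`, is outside this hunk.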