generated from coulomb/repo-seed
feat(statehub): deploy empty railiance state hub
This commit is contained in:
15
Makefile
15
Makefile
@@ -88,8 +88,9 @@ railiance-state-hub-client-dry-run:
|
|||||||
$(KUBECTL) apply --dry-run=client -f $(RAILIANCE_STATE_HUB_PLATFORM_DIR)/state-hub-db-credentials.sops.yaml.template; \
|
$(KUBECTL) apply --dry-run=client -f $(RAILIANCE_STATE_HUB_PLATFORM_DIR)/state-hub-db-credentials.sops.yaml.template; \
|
||||||
$(KUBECTL) apply --dry-run=client -f $(RAILIANCE_STATE_HUB_PLATFORM_DIR)/state-hub-db-cluster.yaml; \
|
$(KUBECTL) apply --dry-run=client -f $(RAILIANCE_STATE_HUB_PLATFORM_DIR)/state-hub-db-cluster.yaml; \
|
||||||
$(KUBECTL) apply --dry-run=client -f $(RAILIANCE_STATE_HUB_PLATFORM_DIR)/state-hub-db-networkpolicies.yaml; \
|
$(KUBECTL) apply --dry-run=client -f $(RAILIANCE_STATE_HUB_PLATFORM_DIR)/state-hub-db-networkpolicies.yaml; \
|
||||||
|
$(KUBECTL) apply --dry-run=client -f $(RAILIANCE_STATE_HUB_APP_MANIFESTS)/state-hub-namespace.yaml; \
|
||||||
$(KUBECTL) apply --dry-run=client -f $(RAILIANCE_STATE_HUB_APP_MANIFESTS)/state-hub-env.secret.sops.yaml.template; \
|
$(KUBECTL) apply --dry-run=client -f $(RAILIANCE_STATE_HUB_APP_MANIFESTS)/state-hub-env.secret.sops.yaml.template; \
|
||||||
$(KUBECTL) apply --dry-run=client -f "$$tmpdir/state-hub.yaml"
|
$(KUBECTL) apply --dry-run=client -n $(RAILIANCE_STATE_HUB_NAMESPACE) -f "$$tmpdir/state-hub.yaml"
|
||||||
|
|
||||||
railiance-state-hub-server-dry-run:
|
railiance-state-hub-server-dry-run:
|
||||||
@set -e; \
|
@set -e; \
|
||||||
@@ -99,22 +100,18 @@ railiance-state-hub-server-dry-run:
|
|||||||
--namespace $(RAILIANCE_STATE_HUB_NAMESPACE) \
|
--namespace $(RAILIANCE_STATE_HUB_NAMESPACE) \
|
||||||
-f $(RAILIANCE_STATE_HUB_VALUES) \
|
-f $(RAILIANCE_STATE_HUB_VALUES) \
|
||||||
--set image.tag=$(RAILIANCE_STATE_HUB_IMAGE_TAG) > "$$tmpdir/state-hub.yaml"; \
|
--set image.tag=$(RAILIANCE_STATE_HUB_IMAGE_TAG) > "$$tmpdir/state-hub.yaml"; \
|
||||||
$(HELM) template $(RAILIANCE_STATE_HUB_RELEASE) $(RAILIANCE_STATE_HUB_CHART) \
|
|
||||||
--namespace $(RAILIANCE_STATE_HUB_NAMESPACE) \
|
|
||||||
-f $(RAILIANCE_STATE_HUB_VALUES) \
|
|
||||||
--set image.tag=$(RAILIANCE_STATE_HUB_IMAGE_TAG) \
|
|
||||||
--show-only templates/namespace.yaml > "$$tmpdir/state-hub-namespace.yaml"; \
|
|
||||||
$(KUBECTL) apply --dry-run=server -f $(RAILIANCE_STATE_HUB_PLATFORM_DIR)/state-hub-db-credentials.sops.yaml.template; \
|
$(KUBECTL) apply --dry-run=server -f $(RAILIANCE_STATE_HUB_PLATFORM_DIR)/state-hub-db-credentials.sops.yaml.template; \
|
||||||
$(KUBECTL) apply --dry-run=server -f $(RAILIANCE_STATE_HUB_PLATFORM_DIR)/state-hub-db-cluster.yaml; \
|
$(KUBECTL) apply --dry-run=server -f $(RAILIANCE_STATE_HUB_PLATFORM_DIR)/state-hub-db-cluster.yaml; \
|
||||||
$(KUBECTL) apply --dry-run=server -f $(RAILIANCE_STATE_HUB_PLATFORM_DIR)/state-hub-db-networkpolicies.yaml; \
|
$(KUBECTL) apply --dry-run=server -f $(RAILIANCE_STATE_HUB_PLATFORM_DIR)/state-hub-db-networkpolicies.yaml; \
|
||||||
$(KUBECTL) apply --dry-run=server -f "$$tmpdir/state-hub-namespace.yaml"; \
|
$(KUBECTL) apply --dry-run=server -f $(RAILIANCE_STATE_HUB_APP_MANIFESTS)/state-hub-namespace.yaml; \
|
||||||
if $(KUBECTL) get namespace $(RAILIANCE_STATE_HUB_NAMESPACE) >/dev/null 2>&1; then \
|
if $(KUBECTL) get namespace $(RAILIANCE_STATE_HUB_NAMESPACE) >/dev/null 2>&1; then \
|
||||||
$(KUBECTL) apply --dry-run=server -f $(RAILIANCE_STATE_HUB_APP_MANIFESTS)/state-hub-env.secret.sops.yaml.template; \
|
$(KUBECTL) apply --dry-run=server -f $(RAILIANCE_STATE_HUB_APP_MANIFESTS)/state-hub-env.secret.sops.yaml.template; \
|
||||||
$(KUBECTL) apply --dry-run=server -f "$$tmpdir/state-hub.yaml"; \
|
$(KUBECTL) apply --dry-run=server -n $(RAILIANCE_STATE_HUB_NAMESPACE) -f "$$tmpdir/state-hub.yaml"; \
|
||||||
else \
|
else \
|
||||||
echo "Namespace $(RAILIANCE_STATE_HUB_NAMESPACE) does not exist; validating namespaced app manifests with client dry-run."; \
|
echo "Namespace $(RAILIANCE_STATE_HUB_NAMESPACE) does not exist; validating namespaced app manifests with client dry-run."; \
|
||||||
|
$(KUBECTL) apply --dry-run=client -f $(RAILIANCE_STATE_HUB_APP_MANIFESTS)/state-hub-namespace.yaml; \
|
||||||
$(KUBECTL) apply --dry-run=client -f $(RAILIANCE_STATE_HUB_APP_MANIFESTS)/state-hub-env.secret.sops.yaml.template; \
|
$(KUBECTL) apply --dry-run=client -f $(RAILIANCE_STATE_HUB_APP_MANIFESTS)/state-hub-env.secret.sops.yaml.template; \
|
||||||
$(KUBECTL) apply --dry-run=client -f "$$tmpdir/state-hub.yaml"; \
|
$(KUBECTL) apply --dry-run=client -n $(RAILIANCE_STATE_HUB_NAMESPACE) -f "$$tmpdir/state-hub.yaml"; \
|
||||||
fi
|
fi
|
||||||
|
|
||||||
test: test-python dashboard-check
|
test: test-python dashboard-check
|
||||||
|
|||||||
@@ -69,9 +69,11 @@ App promotion into `railiance-apps`:
|
|||||||
|
|
||||||
- copy `apps/charts/state-hub/` to `charts/state-hub/`;
|
- copy `apps/charts/state-hub/` to `charts/state-hub/`;
|
||||||
- copy `apps/helm/state-hub-values.yaml` to `helm/state-hub-values.yaml`;
|
- copy `apps/helm/state-hub-values.yaml` to `helm/state-hub-values.yaml`;
|
||||||
|
- apply or GitOps-manage `apps/manifests/state-hub-namespace.yaml`;
|
||||||
- create `state-hub-env` in the `state-hub` namespace from the approved
|
- create `state-hub-env` in the `state-hub` namespace from the approved
|
||||||
secret-delivery path;
|
secret-delivery path;
|
||||||
- deploy with Helm only after `state-hub-db` is healthy.
|
- deploy with Helm using the production values file, which sets
|
||||||
|
`namespace.create=false`, only after `state-hub-db` is healthy.
|
||||||
|
|
||||||
## Runtime Secret Contract
|
## Runtime Secret Contract
|
||||||
|
|
||||||
|
|||||||
@@ -1,8 +1,11 @@
|
|||||||
# Production values for the State Hub Railiance chart handoff.
|
# Production values for the State Hub Railiance chart handoff.
|
||||||
# Non-secret values only. DATABASE_URL comes from the Secret `state-hub-env`.
|
# Non-secret values only. DATABASE_URL comes from the Secret `state-hub-env`.
|
||||||
|
|
||||||
|
namespace:
|
||||||
|
create: false
|
||||||
|
|
||||||
image:
|
image:
|
||||||
tag: "b536741"
|
tag: "b536741"
|
||||||
|
|
||||||
ingress:
|
ingress:
|
||||||
enabled: false
|
enabled: false
|
||||||
|
|||||||
8
deploy/railiance/apps/manifests/state-hub-namespace.yaml
Normal file
8
deploy/railiance/apps/manifests/state-hub-namespace.yaml
Normal file
@@ -0,0 +1,8 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: state-hub
|
||||||
|
labels:
|
||||||
|
railiance.io/layer: s5-app
|
||||||
|
railiance.io/postgres-client: state-hub-db
|
||||||
@@ -17,9 +17,9 @@ spec:
|
|||||||
policyTypes:
|
policyTypes:
|
||||||
- Egress
|
- Egress
|
||||||
egress:
|
egress:
|
||||||
- to:
|
- ports:
|
||||||
- namespaceSelector: {}
|
- protocol: TCP
|
||||||
ports:
|
port: 443
|
||||||
- protocol: TCP
|
- protocol: TCP
|
||||||
port: 6443
|
port: 6443
|
||||||
---
|
---
|
||||||
|
|||||||
@@ -266,8 +266,9 @@ in `deploy/railiance/README.md`.
|
|||||||
|
|
||||||
```task
|
```task
|
||||||
id: CUST-WP-0011-T05
|
id: CUST-WP-0011-T05
|
||||||
status: todo
|
status: done
|
||||||
priority: high
|
priority: high
|
||||||
|
completed: "2026-06-25"
|
||||||
state_hub_task_id: "a307dd46-a8e2-49df-b016-c187759ebcf1"
|
state_hub_task_id: "a307dd46-a8e2-49df-b016-c187759ebcf1"
|
||||||
```
|
```
|
||||||
|
|
||||||
@@ -283,6 +284,19 @@ Checks:
|
|||||||
|
|
||||||
**Done when:** an empty but structurally valid State Hub runs on railiance01.
|
**Done when:** an empty but structurally valid State Hub runs on railiance01.
|
||||||
|
|
||||||
|
Completed 2026-06-25: deployed an empty State Hub stack to railiance01.
|
||||||
|
Created the `state-hub` namespace, generated live-only database and app runtime
|
||||||
|
Secrets, created the dedicated `state-hub-db` CNPG cluster, and applied database
|
||||||
|
NetworkPolicies. Fixed the State Hub database egress policy to allow the
|
||||||
|
in-cluster Kubernetes API service on TCP 443 as well as 6443, which CNPG
|
||||||
|
needed during initdb. Ran Alembic migrations in a one-shot Kubernetes Job
|
||||||
|
using image `gitea.coulomb.social/coulomb/state-hub:b536741`; migrations
|
||||||
|
completed through `e9f0a1b2c3d4 (head)`. Installed the Helm release
|
||||||
|
`state-hub` into the pre-created namespace with `namespace.create=false`.
|
||||||
|
Verified Deployment rollout, zero pod restarts, service creation, pod logs,
|
||||||
|
in-pod Alembic current revision, and `/state/health` via temporary port-forward
|
||||||
|
returning `{"status":"ok","db":"connected"}`.
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
### T06 — Restore WSL2 data copy into cluster and compare
|
### T06 — Restore WSL2 data copy into cluster and compare
|
||||||
|
|||||||
Reference in New Issue
Block a user