feat(bootstrap): rustfs S3 data-plane + buckets/service account (T04)
foundation-rustfs (rustfs/rustfs digest-pinned) on foundation-net, internal only (9000/9001 unpublished); named volume foundation-rustfs-data with retainOnDelete.

The four buckets (forgejo-packages/-artifacts/-lfs, foundation-backups) and a scoped service account with generated keys (CONTRACT_002 rustfs slice) are provisioned post-boot by an idempotent, readiness-gated remote.Command using a throwaway mc container (ADR-007). RustFS speaks enough MinIO admin API for `svcacct add`; `mc ready` is unreliable so readiness gates on `mc ls`; the mc image's busybox lacks grep so existence checks use a shell `case`. Pins the IMAGE_MC tool image in VERSIONS.

Live on cx33 Helsinki: 4 buckets present, service key registered, put/get roundtrip OK, no published ports. Acceptance T04 met.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
parent 6edba60612
commit 1792fd9f89
4 changed files with 147 additions and 4 deletions
7
VERSIONS
@ -60,10 +60,15 @@ IMAGE_CADDY=caddy:2.10@sha256:PIN_DIGEST
IMAGE_FORGEJO=codeberg.org/forgejo/forgejo:11@sha256:PIN_DIGEST
IMAGE_POSTGRES=postgres:17@sha256:5c855ad7b85e68e48a62f34662853f38b57c1c1d80f3a927ab58034fd6d31c5e
IMAGE_VAULT=hashicorp/vault:1.18@sha256:PIN_DIGEST
IMAGE_RUSTFS=rustfs/rustfs:latest@sha256:PIN_DIGEST
IMAGE_RUSTFS=rustfs/rustfs:latest@sha256:fa19210ac4697c79d7ccca1ec9b0eb91aebacc6691991ffb14014bb3c67e6cc3
IMAGE_ACT_RUNNER=code.forgejo.org/forgejo/runner:6@sha256:PIN_DIGEST
IMAGE_REGISTRY=registry:2@sha256:PIN_DIGEST
# Tool image: MinIO client `mc` — used transiently (never a long-running service)
# for S3 control-plane ops against RustFS: bucket creation + service accounts
# (T04) and backup put/get (T12). RustFS speaks enough of the MinIO admin API.
IMAGE_MC=minio/mc:latest@sha256:a7fe349ef4bd8521fb8497f55c6042871b2ae640607cf99d9bede5e9bdf11727
# NOTE on specific images:
# IMAGE_RUSTFS uses `latest` because RustFS does not (yet) publish stable
# semver tags reliably (PLAN-002 R3 — RustFS is young). MUST be pinned by
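Review bot: The new IMAGE_MC line pins a digest under a `latest` tag, but the visible part of the NOTE block only justifies `latest` for IMAGE_RUSTFS, so nothing in VERSIONS records why mc uses it or which mc release the digest corresponds to. This image is the one that runs the bucket-creation and `svcacct add` steps against RustFS, so its provenance deserves the same care as the service images: consider replacing `latest` with the release tag that resolves to this digest, or add a comment line above `IMAGE_MC=` naming the release and the date the digest was resolved. The same comment would help on the now-pinned IMAGE_RUSTFS line, since with `latest@sha256:...` the digest is the only meaningful identifier and a later bump cannot be reviewed against a known starting version.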