docs(session): complete SESSION_005 + HANDOVER — planning/research + KV-migrate
All checks were successful
CI / preflight (push) Successful in 5s
CI / typecheck (push) Successful in 16s
pulumi-preview / preview (push) Successful in 19s

Records the post-asks work in the durable session log (PLAN-003 org-as-code, PLAN-004
Forgejo15/OpenBao spike research, dr/kv-migrate.sh) and updates the MinIO-creds status
(now in Vault at foundation/seaspots/minio). HANDOVER's spike summary corrected to the
logical KV dump/load (5 secrets, carries seaspots/minio; vault.olsitec.net stays).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Andreas Niemann 2026-07-01 17:40:59 +02:00
parent 712964ad4a
commit 4aacc63ede
2 changed files with 35 additions and 9 deletions

View file

@ -46,9 +46,11 @@ Back up the foundation → redeploy on **Forgejo 15** + **OpenBao** (on a **thro
live forge**) → restore → re-run the whole test matrix. Research is done in **`PLAN-004`** — read it.
Headlines: Forgejo 11→15 is a supported direct LTS upgrade (v11 LTS **EOL 2026-07-16** → timely; review
v1215 breaking changes; v15 drops reusable-workflow quirks 12 and adds OIDC + ephemeral runners).
**OpenBao gives OSS namespaces** (solves PLAN-003's tenant limitation) **but is NOT a drop-in from Vault
1.18** — no in-place raft migration past 1.15 → **re-seed** OpenBao (export/import KV; leverage the
Pulumi-owns-credentials model). The re-seed is the spike's riskiest step.
**OpenBao gives OSS namespaces** (solves PLAN-003's tenant limitation). Migration: the raft **snapshot**
isn't portable past Vault 1.15, but the **KV data is JSON** → [`dr/kv-migrate.sh`](../../dr/kv-migrate.sh)
dumps/loads it (the whole foundation KV is **5 secrets**, incl. `seaspots/minio` — carries over
automatically, nothing re-typed). `vault.olsitec.net` stays (OpenBao is Vault-API-compatible). The one
real check: `@pulumi/vault` drives OpenBao unmodified.
### B. Stage-2 org & CI-config as code → `PLAN-003`
Isolated Pulumi `orgs/` project (Gitea + Vault/OpenBao providers) managing the `seaspots` org + repos +
teams + org secrets/variables (wire `foundation/seaspots/minio` → org secrets). **Verify the Gitea TF
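Review bot: the rewritten OpenBao paragraph (the `**OpenBao gives OSS namespaces** (solves PLAN-003's tenant limitation). Migration:` lines) drops the earlier caveat that the re-seed is the spike's riskiest step and leaves `@pulumi/vault` drives OpenBao unmodified as "the one real check". Keep a risk statement next to the dump/load: the logical round-trip moves all five foundation secrets, including `seaspots/minio`, as plaintext JSON through whichever host runs `dr/kv-migrate.sh`, so the plan should say where the dump file lands, that it is shredded after load, and that the load is verified by reading each path back from OpenBao before the old Vault is retired. Two rendering nits in the same hunk: `v1215 breaking changes` looks like a dropped range separator (v12 to v15?) and `reusable-workflow quirks 12` reads as a dangling number; spell both out so the HANDOVER stands on its own.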
@ -83,8 +85,9 @@ provider covers Forgejo Actions secrets/variables first** (else a `@pulumi/comma
`foundation-runner-03`. NOT a k3s node → runner stack sets `host.bridgeForwardTimer false`, pool `images`
(`/kvm/images`), bridge `br0`.
- **Backup/DR** (for the spike): `backup/{backup,restore}.sh`, `dr/RUNBOOK.md`,
`dr/restore-to-fresh-vm-remote.sh` (closest template for the spike's fresh-VM restore). Vault root token
is in `bootstrap` Pulumi config `vaultCredentials:rootToken` (stack `foundation`; KV mount `foundation/`).
`dr/restore-to-fresh-vm-remote.sh` (closest template for the spike's fresh-VM restore),
`dr/kv-migrate.sh` (logical KV export/import Vault↔OpenBao — foundation KV = 5 secrets). Vault root
token is in `bootstrap` Pulumi config `vaultCredentials:rootToken` (stack `foundation`; KV mount `foundation/`).
- **Reuse mechanism**: Forgejo 11 reusable workflows need `runs-on` + SHORT cross-repo ref + **SHA pin** +
`secrets: inherit` (`.forgejo/workflows/README.md`). Composite actions need FULL-URL.
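Review bot: the new `dr/kv-migrate.sh` bullet ("logical KV export/import Vault↔OpenBao") sits directly next to the only credential this section names, the Vault root token in `bootstrap` Pulumi config `vaultCredentials:rootToken`, which invites running the migration as root on both sides. Document (or have the script mint) a token scoped to read on `foundation/*` for the export and write on the target mount for the import, and state whether `vaultCredentials:rootToken` is stored as Pulumi secret config (`pulumi config set --secret`) so it is encrypted in the stack file rather than sitting in plaintext YAML. Also say in the bullet whether the export is latest-version-only: a plain read/write round-trip does not carry KV v2 version history or custom metadata, and the DR expectation should be explicit about that.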

View file

@ -110,11 +110,34 @@ source-of-truth** with an idempotent provisioning step that pushes them to the o
a hard CI dependency (same trap we avoided for ci-bot). Values must come from the operator (or
Vault); NOT started — awaiting the creds.
**UPDATE (operator supplied the creds):** stored in **Vault at `foundation/seaspots/minio`**
(3 fields), values piped never printed, local copy shredded. NOT yet wired to a Forgejo org
secret — that's the org-as-code work (PLAN-003). Operator noted the creds transited chat → rotate
at leisure. Operator also endorsed a Pulumi-managed org model → **PLAN-003** (below).
## Follow-on planning + research produced this session (post-asks)
- **`PLAN-003-forgejo-org-and-ci-config.md`** — the operator's "Stage-2 Pulumi-managed orgs/repos/
variables" idea, written up (named distinctly to avoid colliding with the package-registry
"Stage-2"). Isolated Pulumi `orgs/` project (Gitea + Vault providers), `seaspots` as its own
org, Vault-sourced org secrets/variables. Corrects "own Vault namespace" → OSS mount+policy (Vault
is Enterprise-gated for namespaces). Flags the first thing to verify: does the Gitea TF provider
cover Forgejo Actions secrets/variables (else a command-shim). §7 has decisions to ratify.
- **`PLAN-004-forgejo15-openbao-spike.md`** — research for the operator's next-session spike (back up
→ redeploy on Forgejo 15 + OpenBao → restore → re-run the test matrix, on a THROWAWAY VM). Key
findings: Forgejo 11→15 is a supported direct LTS upgrade (v11 **EOL 2026-07-16** → timely; minor
v15 breaking changes; drops reusable-workflow quirks 12; adds OIDC + ephemeral runners). **OpenBao
gives OSS namespaces** (would let PLAN-003 use real per-org namespaces). Migration: the raft
**snapshot** isn't portable past Vault 1.15, but the **KV data is JSON** → logical dump/load.
- **`dr/kv-migrate.sh`** — logical KV export/import (Vault↔OpenBao, portable via `SECRETS_BIN`).
Verified the whole foundation KV is **5 leaf secrets** (`backup/`, `forgejo/`, `postgres/`,
`rustfs/service-credentials` + `seaspots/minio`) → migration is a few-KB JSON round-trip that
carries the MinIO creds over automatically (nothing re-typed). `vault.olsitec.net` endpoint stays
(OpenBao is Vault-API-compatible). Also a standalone DR asset.
## Still open
- **osm k8s runner** — no active pipeline yet; recipe in `runners-k8s/README.md §Adding another toolchain`.
- **MinIO creds** — provision the org Actions secrets once the operator supplies values (see above).
- **DR/backlog (carried):** `runners`/`runners-k8s` stack state not backed up; T15; hardening
(Forgejo v15 upgrade would drop quirks 12 and may add container auto-link → revisit the
SHA-pin + explicit-link once upgraded).
- **PLAN-004 spike** (Forgejo 15 + OpenBao) — the primary next ask; research done.
- **PLAN-003 org-as-code** — wire `foundation/seaspots/minio``seaspots` org secrets; verify Gitea provider first.
- **DR/backlog (carried):** `runners`/`runners-k8s` stack state not backed up; T15; hardening; rotate the MinIO creds.
## Operating mode: HIGH-RISK / INFRA (remote VMs, k3s, Docker, secrets).
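Review bot: the `## Still open` list as rendered carries two `**DR/backlog (carried):**` bullets and a `**MinIO creds**` bullet ("provision the org Actions secrets once the operator supplies values") that contradicts the `**UPDATE (operator supplied the creds)**` paragraph above it; if those first three bullets are the deleted side of this hunk that is fine, otherwise drop them so the merged file lists only the PLAN-004, PLAN-003 and single DR/backlog items. Two content points: "Operator noted the creds transited chat → rotate at leisure" should be tightened to rotate before the creds are wired into `seaspots` org secrets in PLAN-003, since org Actions secrets fan out to every workflow in the org and a rotation after wiring means a second provisioning pass; and the "5 leaf secrets" enumeration lists `backup/`, `forgejo/`, `postgres/` with trailing slashes, i.e. as prefixes, so either name the leaves under them or state the count as "at least 5" so the few-KB JSON round-trip claim is checkable against `vault kv list`.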