docs(session): SESSION_005 — postgis k8s runner done (preflight gate); MinIO-creds ask logged

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Andreas Niemann 2026-07-01 16:08:56 +02:00
parent 4ce3420d89
commit 95146009bb


@ -78,10 +78,41 @@ Temp admin API token minted for provisioning was **revoked** (DB delete) at end;
`zz-linktest-*`) and the early junk `token-service:sha256:*` versions were deleted. Registry now
holds exactly `token-service:ci` + `seaspots-homepage:ci`, both repo-linked.
## Ask #2 — postgis k8s toolchain runner — DONE (proven via the preflight gate)
Added the **`seaspots-postgis-utils`** host-mode runner on crunchy k3s (id 7,
`foundation-runner-k8s-postgis`), Pulumi-codified in `runners-k8s/` alongside s57.
- **Combined image** `foundation/seaspots-postgis-runner:1.1.1` = the stock
`seaspots-postgis-utils:1.1.1` (postgis/postgis:18-3.6, Debian trixie) + git + node20 +
forgejo-runner. Built on the forge VM (docker+buildx, gitlab creds from the crunchy
gitlab-ns pull secret), streamed `docker save | gzip``k3s ctr images import` to crunchy
(forge can't reach crunchy's private IP → relayed through the workstation). Build-time
`RUN node --version && …` confirmed the bookworm node binary runs on trixie.
- **Reused the uid-10001 securityContext** (no index.ts uid change): the postgis base is built
to run as any uid, and the job points `PGDATA`/`OUTPUT_DIR`/`ENC_DIR` at the writable
`/scratch` PVC. `toolchains` entry: postgis 4 CPU / 8 Gi / 50 Gi. `pulumi preview` was purely
additive (+2, 8 unchanged — s57 + shared token/ns untouched); `pulumi up` = runner online.
- **Preflight quality gate (operator's ask):** `citest-fenced` task 107 on runner 7, green —
runs the image's own `/app/entrypoint.sh preflight` (tools, SQL files, ENC cells, writable
dirs, ≥20 GB disk, PG 18.3 smoke test) against a dummy `.000` cell on `/scratch`. Seconds, not
the 40-60 min build; writes ~nothing (sidesteps the node-disk risk too). crunchy `/` had
**408 GB free** (52%) — the disk risk was far smaller than the earlier 214 GB estimate.
- Committed `feat(runners-k8s): postgis toolchain runner + preflight quality gate`. Forge-VM
build hygiene: gitlab creds removed from `/root/.docker/config.json` (backup restored), build
images dropped.
## NEW operator ask (end of session) — MinIO/S3 creds for the data pipelines
The postgis/tiles tooling needs `AWS_ENDPOINT_URL` (minio.wob.olsitec.de), `AWS_ACCESS_KEY_ID`,
`AWS_SECRET_ACCESS_KEY` — currently GitLab **group** CI/CD variables. Recommendation (mirrors the
ci-bot pattern): **org-level Forgejo Actions secrets** as the CI runtime source (`AWS_ENDPOINT_URL`
can be a non-secret org *variable*), set via the Actions API like `FORGE_REGISTRY_*`; reusable
workflows read them via `secrets: inherit` (quirk 4). **Vault = optional backup + human
source-of-truth** with an idempotent provisioning step that pushes them to the org secrets — never
a hard CI dependency (same trap we avoided for ci-bot). Values must come from the operator (or
Vault); NOT started — awaiting the creds.
## Still open
- **Ask #2** — postgis/osm k8s toolchain runners (s57 done). Operator note: the runner scripts
have a **pre-flight-only** mode — use it as the CI quality gate so test jobs don't run the full
4060 min pipeline. NEXT.
- **osm k8s runner** — no active pipeline yet; recipe in `runners-k8s/README.md §Adding another toolchain`.
- **MinIO creds** — provision the org Actions secrets once the operator supplies values (see above).
- **DR/backlog (carried):** `runners`/`runners-k8s` stack state not backed up; T15; hardening
(Forgejo v15 upgrade would drop quirks 12 and may add container auto-link → revisit the
SHA-pin + explicit-link once upgraded).
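Review bot: the `## Still open` list at the end of the hunk contradicts the `## Ask #2 ... DONE (proven via the preflight gate)` section earlier in the same hunk: the first bullet still carries Ask #2 as open with the operator's pre-flight note as future advice ("use it as the CI quality gate ... NEXT"), although the DONE section records exactly that gate as implemented and green (task 107 on runner 7). Rework that bullet so only the osm runner remains open (the separate `osm k8s runner` bullet already covers it, so the first bullet can probably go), and fix "4060 min pipeline" to "40-60 min" as the DONE section writes it. Two smaller points: in the combined-image bullet the transfer reads `docker save | gzip``k3s ctr images import` with no connector between the two commands, so the relay path through the workstation is not readable as written; and the forge-VM hygiene line records that the gitlab creds were removed from `/root/.docker/config.json` but not whether the pull-secret token that was copied out of the crunchy gitlab-ns secret was rotated afterward, which is worth stating explicitly since this doc tracks secret hygiene (token revocation, registry cleanup) elsewhere.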