docs(session): SESSION_005 — postgis k8s runner done (preflight gate); MinIO-creds ask logged
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent 4ce3420d89
commit 95146009bb
1 changed files with 34 additions and 3 deletions
@ -78,10 +78,41 @@ Temp admin API token minted for provisioning was **revoked** (DB delete) at end;
`zz-linktest-*`) and the early junk `token-service:sha256:*` versions were deleted. Registry now
holds exactly `token-service:ci` + `seaspots-homepage:ci`, both repo-linked.
## Ask #2 — postgis k8s toolchain runner — DONE (proven via the preflight gate)
Added the **`seaspots-postgis-utils`** host-mode runner on crunchy k3s (id 7,
`foundation-runner-k8s-postgis`), Pulumi-codified in `runners-k8s/` alongside s57.
- **Combined image** `foundation/seaspots-postgis-runner:1.1.1` = the stock
`seaspots-postgis-utils:1.1.1` (postgis/postgis:18-3.6, Debian trixie) + git + node20 +
forgejo-runner. Built on the forge VM (docker+buildx, gitlab creds from the crunchy
gitlab-ns pull secret), streamed `docker save | gzip` → `k3s ctr images import` to crunchy
(forge can't reach crunchy's private IP → relayed through the workstation). Build-time
`RUN node --version && …` confirmed the bookworm node binary runs on trixie.
- **Reused the uid-10001 securityContext** (no index.ts uid change): the postgis base is built
to run as any uid, and the job points `PGDATA`/`OUTPUT_DIR`/`ENC_DIR` at the writable
`/scratch` PVC. `toolchains` entry: postgis 4 CPU / 8 Gi / 50 Gi. `pulumi preview` was purely
additive (+2, 8 unchanged — s57 + shared token/ns untouched); `pulumi up` = runner online.
- **Preflight quality gate (operator's ask):** `citest-fenced` task 107 on runner 7, green —
runs the image's own `/app/entrypoint.sh preflight` (tools, SQL files, ENC cells, writable
dirs, ≥20 GB disk, PG 18.3 smoke test) against a dummy `.000` cell on `/scratch`. Seconds, not
the 40-60 min build; writes ~nothing (sidesteps the node-disk risk too). crunchy `/` had
**408 GB free** (52%) — the disk risk was far smaller than the earlier 214 GB estimate.
- Committed `feat(runners-k8s): postgis toolchain runner + preflight quality gate`. Forge-VM
build hygiene: gitlab creds removed from `/root/.docker/config.json` (backup restored), build
images dropped.
## NEW operator ask (end of session) — MinIO/S3 creds for the data pipelines
The postgis/tiles tooling needs `AWS_ENDPOINT_URL` (minio.wob.olsitec.de), `AWS_ACCESS_KEY_ID`,
`AWS_SECRET_ACCESS_KEY` — currently GitLab **group** CI/CD variables. Recommendation (mirrors the
ci-bot pattern): **org-level Forgejo Actions secrets** as the CI runtime source (`AWS_ENDPOINT_URL`
can be a non-secret org *variable*), set via the Actions API like `FORGE_REGISTRY_*`; reusable
workflows read them via `secrets: inherit` (quirk 4). **Vault = optional backup + human
source-of-truth** with an idempotent provisioning step that pushes them to the org secrets — never
a hard CI dependency (same trap we avoided for ci-bot). Values must come from the operator (or
Vault); NOT started — awaiting the creds.
## Still open
- **Ask #2** — postgis/osm k8s toolchain runners (s57 done). Operator note: the runner scripts
have a **pre-flight-only** mode — use it as the CI quality gate so test jobs don't run the full
40–60 min pipeline. NEXT.
- **osm k8s runner** — no active pipeline yet; recipe in `runners-k8s/README.md §Adding another toolchain`.
- **MinIO creds** — provision the org Actions secrets once the operator supplies values (see above).
- **DR/backlog (carried):** `runners`/`runners-k8s` stack state not backed up; T15; hardening
(Forgejo v15 upgrade would drop quirks 1–2 and may add container auto-link → revisit the
SHA-pin + explicit-link once upgraded).
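Review bot: the "Combined image" bullet describes streaming the image by `docker save | gzip` → `k3s ctr images import` and relaying it through the workstation, but records no image ID or digest, so a later reader cannot confirm that what crunchy now runs as `foundation/seaspots-postgis-runner:1.1.1` is byte-identical to what was built on the forge VM; suggest noting the image ID at build time and the ID reported after import, and pinning the runner's image reference to it, in line with the SHA-pin practice the backlog bullet already mentions. The same bullet's "gitlab creds from the crunchy gitlab-ns pull secret", read together with the hygiene line "gitlab creds removed from `/root/.docker/config.json` (backup restored)", leaves open where else those credentials went during the build; the note should state that they served only the base-image pull and were never passed as build args or used in a `RUN` step, because values of that kind are kept in the image history and would have travelled inside the `docker save` archive to crunchy.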