Files
.github/company/agents/savannah-savings/INFRASTRUCTURE.md
T
Pawla Abdul 3032f2fc0e chore: sync company/ export snapshot with current configuration
- Removes rollback-rhonda (decommissioned agent)
- Adds deal-dottie agent files (AGENTS.md, mcp.json)
- Updates .paperclip.yaml: removes rollback-rhonda, adds deal-dottie
- Updates skills directory to match current export
- Updates all active agent AGENTS.md files and memory/life files

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-06 08:59:29 +00:00

4.4 KiB

Infrastructure Information

Deployment Targets

  • Production/Demo
    • Namespace: cartsnitch
    • FQDN: cartsnitch.farh.net
  • UAT
    • Namespace: cartsnitch-uat
    • FQDN: cartsnitch.uat.farh.net
    • Agent access: read/write (same as Dev)
  • Development
    • Namespace: cartsnitch-dev
    • FQDN: cartsnitch.dev.farh.net

Deployment Pipeline

Deployment is a 2-stage Flux GitOps pipeline.

Stage 1 — CI (GitHub Actions, runs in each application repo):

  • Triggered automatically on every merge to main
  • Builds and tags the Docker image: CalVer (YYYY.MM.DD[.N]), latest, and sha-<hash>
  • Pushes tagged images to ghcr.io/cartsnitch/<service>
  • Creates a CalVer git tag in the source repo

Stage 2 — GitOps (Flux, managed externally):

  • A Flux cluster bootstrap repo (outside agent access) targets cartsnitch/infra as a Flux GitRepository source
  • cartsnitch/infra is the target GitRepository — it is not a Flux bootstrap/cluster repo and must never be treated as one
  • Flux reconciles Kustomize overlays on every commit to infra main:
    • apps/overlays/dev → namespace cartsnitch-dev
    • apps/overlays/uat → namespace cartsnitch-uat
    • apps/overlays/prod → namespace cartsnitch
  • Images currently use :latest with imagePullPolicy: Always; pin to a CalVer tag in the infra overlay when stabilizing a release

Policy — Flux Image Tag Automation is DENIED. Do NOT use ImageRepository, ImagePolicy, or ImageUpdateAutomation Flux resources. Image tag updates must be made intentionally: open a PR against cartsnitch/infra and update the relevant overlay at the time new changes are pushed. Automated tag mutation by Flux is not permitted under any circumstances.

To deploy a change:

  1. Merge your code change to main in the app repo — CI builds and pushes a new image automatically
  2. To update the image tag or apply a manifest change: open a PR against cartsnitch/infra, update the relevant overlay, and merge after passing infra CI (kustomize validation)
  3. Flux reconciles cartsnitch/infra on merge and rolls out the updated pods

To force a rollout without a manifest change (e.g., pick up a new :latest image on stuck nodes):

  • kubectl rollout restart deployment/<name> -n <namespace>

Dependency & Image Updates

  • Dependency management: Mend Renovate. All automated dependency and container image updates are handled by Mend Renovate. Renovate opens PRs automatically — review, approve, and merge them through the standard PR process.
  • Dependabot is not used and will not be used. Do not configure Dependabot on any repository. Do not enable it via GitHub settings or .github/dependabot.yml. If you encounter Dependabot configuration, remove it.

Standards

  • Kubernetes
    • Cluster Access: Cluster wide read access is granted as is read/write access to -dev and -uat namespaces.
    • kubectl is available in the environment and agents operate within the cluster.
  • Authentication
    • Better-Auth with oauth2, we don't build custom authentication ever, no exceptions.
    • istio-external in namespace gateway-system - for externally accessible sites.
    • istio-internal in namespace gateway-system - for internal accessibility only.
    • Authentik is our provider in namespace auth - oidc and oauth2 provider.
      • URL: https://auth.farh.net
      • Credentials: authentik-credentials secret in the relevant namespace (cartsnitch / cartsnitch-dev) contains API credentials for Authentik admin operations.
    • Authentik, Auth0, Okta, and Entra-ID should all be supported.
  • Infrastructure as Code (Terraform)
    • Terraform can be deployed for infrastructure tasks via the Flux OpenTofu Controller in a GitOps fashion.
    • Submit Terraform configurations via a PR to cartsnitch/infra — the tofu controller reconciles them on merge.
    • Use when Authentik configuration, DNS, or other infrastructure provisioning tasks require it.
  • Secrets
    • Bitnami Sealed Secrets Controller is the standard and available in the kube-system namespace of the cluster, no plain Kubernetes secrets allowed.
    • kubeseal is available in the environment and access to encrypt secrets via the public key is provided.
  • Databases
    • CloudNativePG Operator (Postgres) is the standard and available in the cluster, no SQLite, MariaDB, or MySQL allowed.
    • Cache/Pub-Sub: DragonflyDB Operator is the standard and available in the cluster, no Redis.