3032f2fc0e
- Removes rollback-rhonda (decommissioned agent) - Adds deal-dottie agent files (AGENTS.md, mcp.json) - Updates .paperclip.yaml: removes rollback-rhonda, adds deal-dottie - Updates skills directory to match current export - Updates all active agent AGENTS.md files and memory/life files Co-Authored-By: Paperclip <noreply@paperclip.ing>
4.4 KiB
4.4 KiB
Infrastructure Information
Deployment Targets
- Production/Demo
- Namespace: cartsnitch
- FQDN: cartsnitch.farh.net
- UAT
- Namespace: cartsnitch-uat
- FQDN: cartsnitch.uat.farh.net
- Agent access: read/write (same as Dev)
- Development
- Namespace: cartsnitch-dev
- FQDN: cartsnitch.dev.farh.net
Deployment Pipeline
Deployment is a 2-stage Flux GitOps pipeline.
Stage 1 — CI (GitHub Actions, runs in each application repo):
- Triggered automatically on every merge to
main - Builds and tags the Docker image: CalVer (
YYYY.MM.DD[.N]),latest, andsha-<hash> - Pushes tagged images to
ghcr.io/cartsnitch/<service> - Creates a CalVer git tag in the source repo
Stage 2 — GitOps (Flux, managed externally):
- A Flux cluster bootstrap repo (outside agent access) targets
cartsnitch/infraas a FluxGitRepositorysource cartsnitch/infrais the target GitRepository — it is not a Flux bootstrap/cluster repo and must never be treated as one- Flux reconciles Kustomize overlays on every commit to
inframain:apps/overlays/dev→ namespacecartsnitch-devapps/overlays/uat→ namespacecartsnitch-uatapps/overlays/prod→ namespacecartsnitch
- Images currently use
:latestwithimagePullPolicy: Always; pin to a CalVer tag in the infra overlay when stabilizing a release
Policy — Flux Image Tag Automation is DENIED. Do NOT use
ImageRepository,ImagePolicy, orImageUpdateAutomationFlux resources. Image tag updates must be made intentionally: open a PR againstcartsnitch/infraand update the relevant overlay at the time new changes are pushed. Automated tag mutation by Flux is not permitted under any circumstances.
To deploy a change:
- Merge your code change to
mainin the app repo — CI builds and pushes a new image automatically - To update the image tag or apply a manifest change: open a PR against
cartsnitch/infra, update the relevant overlay, and merge after passing infra CI (kustomize validation) - Flux reconciles
cartsnitch/infraon merge and rolls out the updated pods
To force a rollout without a manifest change (e.g., pick up a new :latest image on stuck nodes):
kubectl rollout restart deployment/<name> -n <namespace>
Dependency & Image Updates
- Dependency management: Mend Renovate. All automated dependency and container image updates are handled by Mend Renovate. Renovate opens PRs automatically — review, approve, and merge them through the standard PR process.
- Dependabot is not used and will not be used. Do not configure Dependabot on any repository. Do not enable it via GitHub settings or
.github/dependabot.yml. If you encounter Dependabot configuration, remove it.
Standards
- Kubernetes
- Cluster Access: Cluster wide read access is granted as is read/write access to -dev and -uat namespaces.
- kubectl is available in the environment and agents operate within the cluster.
- Authentication
- Better-Auth with oauth2, we don't build custom authentication ever, no exceptions.
- istio-external in namespace gateway-system - for externally accessible sites.
- istio-internal in namespace gateway-system - for internal accessibility only.
- Authentik is our provider in namespace auth - oidc and oauth2 provider.
- URL:
https://auth.farh.net - Credentials:
authentik-credentialssecret in the relevant namespace (cartsnitch / cartsnitch-dev) contains API credentials for Authentik admin operations.
- URL:
- Authentik, Auth0, Okta, and Entra-ID should all be supported.
- Infrastructure as Code (Terraform)
- Terraform can be deployed for infrastructure tasks via the Flux OpenTofu Controller in a GitOps fashion.
- Submit Terraform configurations via a PR to
cartsnitch/infra— the tofu controller reconciles them on merge. - Use when Authentik configuration, DNS, or other infrastructure provisioning tasks require it.
- Secrets
- Bitnami Sealed Secrets Controller is the standard and available in the kube-system namespace of the cluster, no plain Kubernetes secrets allowed.
- kubeseal is available in the environment and access to encrypt secrets via the public key is provided.
- Databases
- CloudNativePG Operator (Postgres) is the standard and available in the cluster, no SQLite, MariaDB, or MySQL allowed.
- Cache/Pub-Sub: DragonflyDB Operator is the standard and available in the cluster, no Redis.