- sdlc: trim to application-repo scope with Phase 1-5 pipeline; engineer self-merges all branches with per-branch prerequisites; move infra, Flux, tofu, and operator-install content out
- devops: new skill mirroring groombook/org/skills/devops — owns cartsnitch/infra, Flux GitOps, OpenTofu controller, cluster topology, Flux Image Tag Automation denied policy
- safety: add Gitea-origin board-approval gate, board-approval scope section, and adapterConfig.env read-before-write rule
- coding-standards: replace "no agent merges their own PR" with the reviews-required-then-engineer-may-merge rule consistent with sdlc
- CLAUDE.md: update skill index, branch & merge policy, and SDLC phase summary to reflect engineer-self-merge and the new devops skill

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
| name | description |
|---|---|
| devops | Infrastructure lifecycle for CartSnitch. Governs work on the cartsnitch/infra repo: single-branch main strategy, the infra PR review pipeline, Flux GitOps reconciliation, OpenTofu controller workflow, cluster topology, and the Flux image-automation policy. For application code, see the sdlc skill. |
# DevOps Practices

This skill governs work on `cartsnitch/infra`. For the application code lifecycle, see the sdlc skill. For PR/test discipline and the `cc @cpfarhood` visibility rule, see coding-standards. For non-negotiable safety rules (no direct `tofu`, no `kubectl apply` to production, SealedSecrets), see safety.
## Gitea authentication

Use the `GITEA_TOKEN` environment variable for all Gitea operations — it is already set in the agent environment. Use the `tea` CLI for all Gitea/Git operations (e.g., `tea issue list`, `tea pr create`). Gitea is the primary source of truth.
## Branch strategy

`cartsnitch/infra` uses a single long-lived branch: `main`. Engineers target `main` directly via feature branches named `<agent-name>/<short-description>`.
## Pipeline

- Engineer branches from `main`, writes code.
- Engineer opens a PR against `main`.
- CI fail → back to Engineer.
- CI pass → QA (Checkout Charlie `9b6012d0-0406-417e-bb22-78266a6e7f77`) performs code review.
- QA rejected → back to Engineer.
- QA approved → CTO (Savannah Savings `6ec1a5a9-113c-430b-90e6-260d60d79e1d`) performs code review.
- CTO rejected → back to Engineer.
- CTO approved → Engineer merges PR → Flux reconciles automatically.

```bash
tea pr create --base main --title "..." --body "... cc @cpfarhood"
```
Gitea branch protection requires CI checks to pass. See coding-standards for the no-self-merge contract and the cc @cpfarhood rule.
## Infrastructure topology

- Production: namespace `cartsnitch`, FQDN `cartsnitch.com`
- UAT: namespace `cartsnitch-uat`, FQDN `uat.cartsnitch.com`
- Dev: namespace `cartsnitch-dev`, FQDN `dev.cartsnitch.com`
- Cluster: Kubernetes — cluster-wide read; read/write on `cartsnitch-dev` and `cartsnitch-uat`; read-only on `cartsnitch` (production).
- Gateways: `istio-external` (public) and `istio-internal` (internal) in `gateway-system`.
- Container registry: `git.farh.net/cartsnitch/<service>` only.
## GitOps (Flux)

Flux watches `cartsnitch/infra` as the target GitRepository — it is not a Flux bootstrap/cluster repo and must never be treated as one.

Reconciles Kustomize overlays:

- `apps/overlays/dev` → `cartsnitch-dev`
- `apps/overlays/uat` → `cartsnitch-uat`
- `apps/overlays/prod` → `cartsnitch`
Images currently use `:latest` with `imagePullPolicy: Always`; pin to a CalVer tag in the infra overlay when stabilizing a release.

Policy — Flux Image Tag Automation is DENIED. Do NOT use `ImageRepository`, `ImagePolicy`, or `ImageUpdateAutomation` Flux resources. Image tag updates must be made intentionally via a PR to `cartsnitch/infra` — typically as the final step of the sdlc application pipeline (Phase 5).

To force a rollout without a manifest change:

```bash
kubectl rollout restart deployment/<name> -n <namespace>
```
## Infrastructure as Code

Terraform (OpenTofu) is deployed via the Flux OpenTofu Controller in a GitOps fashion. Submit Terraform configurations via a PR to `cartsnitch/infra` — the tofu controller reconciles them on merge. See safety for the prohibition on running `tofu` directly and on `kubectl apply` against production.
## Infra-only tools

These are the operators and controllers the infra repo installs and manages. Alternatives are policy violations:

- GitOps: Flux CD (managed externally; reconciles `cartsnitch/infra`).
- IaC: Flux OpenTofu Controller.
- Secret management: Bitnami Sealed Secrets Controller — encrypt with `kubeseal`, commit `SealedSecret` resources to `cartsnitch/infra`. No plain Kubernetes secrets.
- Database operator: CloudNativePG (Postgres).
- Cache / pub-sub operator: DragonflyDB.
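An added pre-merge check (example code written for this page, not part of cartsnitch/infra or this skill) that a reviewer or CI step could run over the manifests in a PR to enforce two of the rules above: the denied Flux image-automation kinds and the no-plain-Secret rule, plus a warning for images that are unpinned or use `:latest`. The sample manifest is constructed; the scan is line-based and is not a full YAML parser.

```python
"""Pre-merge policy check for cartsnitch/infra manifests (added example, not repo code).
Line-based scan of multi-document YAML, so no YAML library is needed. Flags the Flux
image-automation kinds the devops policy denies, plain Secret objects (only SealedSecret
may be committed), and images that are unpinned or use :latest (reviewer warning)."""
import re
from typing import List, Tuple

DENIED_KINDS = {"ImageRepository", "ImagePolicy", "ImageUpdateAutomation"}
KIND_RE = re.compile(r"^\s*kind:\s*([A-Za-z0-9]+)\s*$")
IMAGE_RE = re.compile(r"^\s*(?:-\s+)?image:\s*[\"']?([^\"'\s]+)[\"']?\s*$")

def check_manifest(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, finding) pairs for one manifest file's contents."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        kind = KIND_RE.match(line)
        if kind:
            name = kind.group(1)
            if name in DENIED_KINDS:
                findings.append((lineno, f"denied Flux image automation: {name}"))
            elif name == "Secret":
                findings.append((lineno, "plain Secret; seal it with kubeseal as a SealedSecret"))
            continue
        image = IMAGE_RE.match(line)
        if image:
            ref = image.group(1)
            last = ref.rsplit("/", 1)[-1]  # drop registry path; tag or digest stays
            if ref.endswith(":latest") or ":" not in last:
                findings.append((lineno, f"unpinned image tag: {ref}"))
    return findings


# Constructed sample: a denied ImagePolicy, a plain Secret and a :latest image.
SAMPLE_MANIFEST = """\
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImagePolicy
---
apiVersion: v1
kind: Secret
---
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: api
          image: git.farh.net/cartsnitch/api:latest
"""
```

Run `check_manifest(open(path).read())` over each changed file in the PR and fail the check on any "denied" or "plain Secret" finding; the unpinned-tag finding is informational until a release is being stabilized.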
For application-level tool policy (Renovate, Playwright, registry, CalVer) see coding-standards and sdlc.