From a96bd1065aafdf80fcd69f13aefd8deaa232e958 Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Sat, 23 May 2026 16:06:42 +0000
Subject: [PATCH] fix(api): use trebuchet-* names + dedicated worker SA in Job spec
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The app was renamed hightower → trebuchet but the worker Job spec still referenced hightower-workspaces PVC, hightower-temporal Service, and used the default ServiceAccount. These break at runtime (the hightower-* resources don't exist) and block tightening the Istio ambient AuthorizationPolicies in farhoodlabs/infra.
- PVC claimName: hightower-workspaces → trebuchet-workspaces
- TEMPORAL_ADDRESS env: hightower-temporal:7233 → trebuchet-temporal:7233
- serviceAccountName: default → trebuchet-worker
- config.ts default: hightower-temporal:7233 → trebuchet-temporal:7233
Co-Authored-By: Paperclip
---
 apps/api/src/config.ts | 2 +-
 apps/api/src/services/job-builder.ts | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/apps/api/src/config.ts b/apps/api/src/config.ts
index ccc4981..09f8c3a 100644
--- a/apps/api/src/config.ts
+++ b/apps/api/src/config.ts
@@ -30,7 +30,7 @@ export function loadConfig(): Config {
 return {
 port: Number(process.env.PORT) || 3000,
 mcpPort: Number(process.env.MCP_PORT) || 3100,
- temporalAddress: process.env.TEMPORAL_ADDRESS || 'hightower-temporal:7233',
+ temporalAddress: process.env.TEMPORAL_ADDRESS || 'trebuchet-temporal:7233',
 apiKey,
 k8sNamespace: process.env.K8S_NAMESPACE || 'hightower',
 workerImage,
diff --git a/apps/api/src/services/job-builder.ts b/apps/api/src/services/job-builder.ts
index 572732c..b360430 100644
--- a/apps/api/src/services/job-builder.ts
+++ b/apps/api/src/services/job-builder.ts
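Review bot: The `k8sNamespace` default two lines below the changed `temporalAddress` line in config.ts still falls back to `'hightower'`, so with `K8S_NAMESPACE` unset the API presumably keeps targeting the pre-rename namespace while resolving Temporal at `trebuchet-temporal:7233`. The commit message says the app was renamed but not whether the namespace was; if it was, this should read `k8sNamespace: process.env.K8S_NAMESPACE || 'trebuchet',`, and if it was kept on purpose a comment such as `// namespace intentionally keeps its pre-rename name` would make that explicit. Either way, the `trebuchet-worker` ServiceAccount and `trebuchet-workspaces` PVC named in job-builder.ts have to exist in whichever namespace this resolves to. loadConfig's body starts and ends outside the hunk.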
@@ -43,7 +43,7 @@ export function buildJobSpec(params: JobParams): k8s.V1Job {
 // 2. Build volumes and mounts
 const volumes: k8s.V1Volume[] = [
- { name: 'workspaces', persistentVolumeClaim: { claimName: 'hightower-workspaces' } },
+ { name: 'workspaces', persistentVolumeClaim: { claimName: 'trebuchet-workspaces' } },
 { name: 'shm', emptyDir: { medium: 'Memory', sizeLimit: '2Gi' } },
 ];
@@ -96,7 +96,7 @@ export function buildJobSpec(params: JobParams): k8s.V1Job {
 }
 // 4. Env vars
- const env: k8s.V1EnvVar[] = [{ name: 'TEMPORAL_ADDRESS', value: 'hightower-temporal:7233' }];
+ const env: k8s.V1EnvVar[] = [{ name: 'TEMPORAL_ADDRESS', value: 'trebuchet-temporal:7233' }];
 // 5. Construct the Job
 return {
@@ -123,7 +123,7 @@ export function buildJobSpec(params: JobParams): k8s.V1Job {
 },
 spec: {
 restartPolicy: 'Never',
- serviceAccountName: 'default',
+ serviceAccountName: 'trebuchet-worker',
 securityContext: {
 seccompProfile: { type: 'Unconfined' },
 // Claude Code refuses --allow-dangerously-skip-permissions as root.
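Review bot: The `TEMPORAL_ADDRESS` value in the `@@ -96,7` hunk is a second hard-coded copy of the default in config.ts, and it bypasses the `TEMPORAL_ADDRESS` environment variable that `loadConfig()` honours. As far as these lines show, a deployment that overrides the address would launch workers pointed at a different Temporal endpoint than the API uses. Passing the loaded value through would remove the duplicate that made this a two-file fix, for example `const env: k8s.V1EnvVar[] = [{ name: 'TEMPORAL_ADDRESS', value: params.temporalAddress }];`, where `temporalAddress` would be a new field on `JobParams` (its definition is not visible here). The `claimName` literal in the `@@ -43,7` hunk is hard-coded in the same way. buildJobSpec's body extends beyond these hunks.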
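Review bot: Switching `serviceAccountName` to `'trebuchet-worker'` in the `@@ -123,7` hunk narrows the worker's privileges only if the pod's API token is constrained too, and the visible spec lines do not set `automountServiceAccountToken`. The context lines show the pod runs with `seccompProfile: { type: 'Unconfined' }`, and the comment suggests the agent is started with a skip-permissions flag, so a mounted token would be readable by whatever the worker executes. If the worker never calls the Kubernetes API, add `automountServiceAccountToken: false,` beside `serviceAccountName: 'trebuchet-worker',`; otherwise the account should be bound to a Role limited to what the worker needs. The pod spec continues outside the hunk, so this may already be set further down.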