farhoodlabs/trebuchet
8
0
Fork 0
Code Issues Pull Requests 5 Actions Packages Projects Releases Wiki Activity

fix(api): use trebuchet-* names + dedicated worker SA in Job spec #7

Open
Hugh Commit wants to merge 1 commits from far-142/istio-conversion into main
pull from: far-142/istio-conversion
merge into: farhoodlabs:main
Conversation 0 Commits 1 Files Changed 2
+4 -4
Hugh Commit commented 2026-05-23 16:08:17 +00:00
Member
Copy Link
Copy Source

Summary

  • PVC claimName: hightower-workspacestrebuchet-workspaces
  • TEMPORAL_ADDRESS env: hightower-temporal:7233trebuchet-temporal:7233
  • serviceAccountName: defaulttrebuchet-worker
  • config.ts default temporalAddress: hightower-temporal:7233trebuchet-temporal:7233

The app was renamed hightower → trebuchet but these hardcoded names in the worker Job spec still referenced the old resources. The hightower-* PVC and Service don't exist in the cluster, so Jobs were breaking at runtime. The default SA also blocks tightening the Istio ambient AuthorizationPolicies.

Paired infra change needed

Once this PR lands, farhoodlabs/infra (apps/trebuchet/platform/authorizationpolicy.yaml) should:

  1. Drop the default SA principal from the trebuchet-router (port 3456) and trebuchet-temporal (port 7233) policies
  2. Create a trebuchet-worker ServiceAccount in the trebuchet namespace

Out of scope

  • apps/cli/src/k8s.ts hightower-* refs — CLI is upstream Shannon, not used in K8s deployment
  • charts/hightower/values.yaml — same reason
## Summary - PVC `claimName`: `hightower-workspaces` → `trebuchet-workspaces` - `TEMPORAL_ADDRESS` env: `hightower-temporal:7233` → `trebuchet-temporal:7233` - `serviceAccountName`: `default` → `trebuchet-worker` - `config.ts` default `temporalAddress`: `hightower-temporal:7233` → `trebuchet-temporal:7233` The app was renamed hightower → trebuchet but these hardcoded names in the worker Job spec still referenced the old resources. The `hightower-*` PVC and Service don't exist in the cluster, so Jobs were breaking at runtime. The `default` SA also blocks tightening the Istio ambient AuthorizationPolicies. ## Paired infra change needed Once this PR lands, `farhoodlabs/infra` (`apps/trebuchet/platform/authorizationpolicy.yaml`) should: 1. Drop the `default` SA principal from the `trebuchet-router` (port 3456) and `trebuchet-temporal` (port 7233) policies 2. Create a `trebuchet-worker` ServiceAccount in the trebuchet namespace ## Out of scope - `apps/cli/src/k8s.ts` hightower-* refs — CLI is upstream Shannon, not used in K8s deployment - `charts/hightower/values.yaml` — same reason
Hugh Commit added 1 commit 2026-05-23 16:08:17 +00:00
fix(api): use trebuchet-* names + dedicated worker SA in Job spec
CI / Build & push worker image (pull_request) Has been skipped
Details
CI / Type-check & lint (pull_request) Failing after 2m9s
Details
CI / Build & push API image (pull_request) Has been skipped
Details
a96bd1065a 
The app was renamed hightower → trebuchet but the worker Job spec still
referenced hightower-workspaces PVC, hightower-temporal Service, and used
the default ServiceAccount.  These break at runtime (the hightower-*
resources don't exist) and block tightening the Istio ambient
AuthorizationPolicies in farhoodlabs/infra.

- PVC claimName: hightower-workspaces → trebuchet-workspaces
- TEMPORAL_ADDRESS env: hightower-temporal:7233 → trebuchet-temporal:7233
- serviceAccountName: default → trebuchet-worker
- config.ts default: hightower-temporal:7233 → trebuchet-temporal:7233

Co-Authored-By: Paperclip <noreply@paperclip.ing>
Some checks are pending
CI / Build & push worker image (pull_request) Has been skipped
Details
CI / Type-check & lint (pull_request) Failing after 2m9s
Details
CI / Build & push API image (pull_request) Has been skipped
Details
This pull request can be merged automatically.
You are not authorized to merge this pull request.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin far-142/istio-conversion:far-142/istio-conversion
git checkout far-142/istio-conversion
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
bug
Something isn't working
 documentation
Improvements or additions to documentation
 duplicate
This issue or pull request already exists
 enhancement
New feature or request
 good first issue
Good for newcomers
 help wanted
Extra attention is needed
 invalid
This doesn't seem right
 question
Further information is requested
 wontfix
This will not be worked on
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
fl_blake (Blake MIddleware) cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) flux (Flux CD) admin (Gitea Admin) fl_hugh (Hugh Commit) renovate (Mend Renovate) fl_warren (Warren Bufferpool)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: farhoodlabs/trebuchet#7
Delete Branch "far-142/istio-conversion"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?