groombook/org
13
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
org/skills/devops/SKILL.md
T
Chris Farhood d6b13fa58d Split devops and sdlc skills by scope; dedupe shared content 
devops/SKILL.md is now the canonical home for infrastructure lifecycle
(groombook/infra, single-branch main, Flux + OpenTofu controller, cluster
topology). sdlc/SKILL.md is scoped to application code (3-branch dev/uat/main,
Phases 1-5, Stage 1 CI image build, app-tool policy). Each skill cross-refs
the other and defers to coding-standards/safety for cross-cutting rules
rather than restating them.

Fixes in devops/SKILL.md:
- Rewrote frontmatter description (was a copy of sdlc, referenced phases
  and dev/uat/prod that do not apply).
- Hoisted "applies to groombook/infra" to a top-level scope statement.
- Renumbered the pipeline (was 1,2,3,4,4,5,4,5,5) and fixed --base dev
  -> --base main in the tea example.
- Closed an unterminated bold marker.
- Removed Authentication framework, Stage 1 image build, and the
  "never tofu / never kubectl apply" lines (now cited from sdlc / safety).
- Trimmed the tools list to infra-only operators and controllers.

Trims in sdlc/SKILL.md:
- Removed Infrastructure topology, IaC, Stage 2 GitOps detail, the Flux
  Image Automation DENIED policy, the "never tofu / never kubectl apply"
  lines, and the External communication section (cited from devops /
  safety / coding-standards instead).
- Trimmed the tools list to application-level dependency choices.
- Added a pointer from Phase 5 into the devops pipeline.

cc @cpfarhood

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 15:31:54 -04:00

3.9 KiB
Raw Permalink Blame History

name, description
name description
devops Infrastructure lifecycle for GroomBook. Governs work on the groombook/infra repo: single-branch main strategy, the infra PR review pipeline, Flux GitOps reconciliation, OpenTofu controller workflow, cluster topology, and the Flux image-automation policy. For application code, see the sdlc skill.

DevOps Practices

This skill governs work on groombook/infra. For application code lifecycle, see the sdlc skill. For PR/test discipline and the cc @cpfarhood visibility rule, see coding-standards. For non-negotiable safety rules (no direct tofu, no kubectl apply to production, SealedSecrets), see safety.

Gitea authentication

Use the GITEA_TOKEN environment variable for all Gitea operations — it is already set in the agent environment. Use the tea CLI for all Gitea/Git operations (e.g., tea issue list, tea pr create). Gitea is the primary source of truth.

Branch strategy

groombook/infra uses a single long-lived branch: main. Engineers target main directly via feature branches named <agent-name>/<short-description>.

Pipeline

  1. Engineer branches from main, writes code.
  2. Engineer opens a PR against main.
  3. CI fail → back to Engineer.
  4. CI pass → QA performs code review.
  5. QA rejected → back to Engineer.
  6. QA approved → CTO performs code review.
  7. CTO rejected → back to Engineer.
  8. CTO approved → Engineer merges PR → Flux reconciles automatically.
tea pr create --base main --title "..." --body "... cc @cpfarhood"

Gitea branch protection requires CI checks to pass. See coding-standards for the no-self-merge contract and the cc @cpfarhood rule.

Infrastructure topology

  • Production: namespace groombook, FQDN demo.groombook.dev
  • UAT: namespace groombook-uat, FQDN uat.groombook.dev
  • Dev: namespace groombook-dev, FQDN dev.groombook.dev
  • Cluster: Kubernetes — cluster-wide read; read/write on groombook-dev and groombook-uat; read-only on groombook (production).
  • Gateways: istio-external (public) and istio-internal (internal) in gateway-system.
  • Container registry: git.farh.net/groombook/<service> only.

GitOps (Flux)

Flux watches groombook/infra as the target GitRepository — it is not a Flux bootstrap/cluster repo and must never be treated as one.

Reconciles Kustomize overlays:

  • apps/overlays/devgroombook-dev
  • apps/overlays/uatgroombook-uat
  • apps/overlays/prodgroombook

Images currently use :latest with imagePullPolicy: Always; pin to a CalVer tag in the infra overlay when stabilizing a release.

Policy — Flux Image Tag Automation is DENIED. Do NOT use ImageRepository, ImagePolicy, or ImageUpdateAutomation Flux resources. Image tag updates must be made intentionally via a PR to groombook/infra — typically as the final step of the sdlc application pipeline (Phase 5).

Infrastructure as Code

Terraform (OpenTofu) is deployed via the Flux OpenTofu Controller in a GitOps fashion. Submit Terraform configurations via a PR to groombook/infra — the tofu controller reconciles them on merge. See safety for the prohibition on running tofu directly and on kubectl apply against production.

Infra-only tools

These are the operators and controllers the infra repo installs and manages. Alternatives are policy violations:

  • GitOps: Flux CD (managed externally; reconciles groombook/infra).
  • IaC: Flux OpenTofu Controller.
  • Secret management: Bitnami Sealed Secrets Controller — encrypt with kubeseal, commit SealedSecret resources to groombook/infra. No plain Kubernetes secrets.
  • Database operator: CloudNativePG (Postgres).
  • Cache / pub-sub operator: DragonflyDB.

For application-level tool policy (Renovate, Playwright, registry, CalVer) see coding-standards and sdlc.

Reference in New Issue View Git Blame Copy Permalink