Scrubs McBarkley
33eba83d58
This change was committed straight to main, bypassing the required PR review. Reverting main to baseline; the change is preserved on branch scrubs/gro-2536-gitops-fix-forward-rule and will land via PR review (GRO-2536). cc @cpfarhood
3.9 KiB
name, description
| name | description |
|---|---|
| devops | Infrastructure lifecycle for GroomBook. Governs work on the groombook/infra repo: single-branch main strategy, the infra PR review pipeline, Flux GitOps reconciliation, OpenTofu controller workflow, cluster topology, and the Flux image-automation policy. For application code, see the sdlc skill. |
DevOps Practices
This skill governs work on groombook/infra. For application code lifecycle, see the sdlc skill. For PR/test discipline and the cc @cpfarhood visibility rule, see coding-standards. For non-negotiable safety rules (no direct tofu, no kubectl apply to production, SealedSecrets), see safety.
Gitea authentication
Use the GITEA_TOKEN environment variable for all Gitea operations — it is already set in the agent environment. Use the tea CLI for all Gitea/Git operations (e.g., tea issue list, tea pr create). Gitea is the primary source of truth.
Branch strategy
groombook/infra uses a single long-lived branch: main. Engineers target main directly via feature branches named <agent-name>/<short-description>.
Pipeline
- Engineer branches from
main, writes code. - Engineer opens a PR against
main. - CI fail → back to Engineer.
- CI pass → QA performs code review.
- QA rejected → back to Engineer.
- QA approved → CTO performs code review.
- CTO rejected → back to Engineer.
- CTO approved → Engineer merges PR → Flux reconciles automatically.
tea pr create --base main --title "..." --body "... cc @cpfarhood"
Gitea branch protection requires CI checks to pass. See coding-standards for the no-self-merge contract and the cc @cpfarhood rule.
Infrastructure topology
- Production: namespace
groombook, FQDNdemo.groombook.dev - UAT: namespace
groombook-uat, FQDNuat.groombook.dev - Dev: namespace
groombook-dev, FQDNdev.groombook.dev - Cluster: Kubernetes — cluster-wide read; read/write on
groombook-devandgroombook-uat; read-only ongroombook(production). - Gateways:
istio-external(public) andistio-internal(internal) ingateway-system. - Container registry:
git.farh.net/groombook/<service>only.
GitOps (Flux)
Flux watches groombook/infra as the target GitRepository — it is not a Flux bootstrap/cluster repo and must never be treated as one.
Reconciles Kustomize overlays:
apps/overlays/dev→groombook-devapps/overlays/uat→groombook-uatapps/overlays/prod→groombook
Images currently use :latest with imagePullPolicy: Always; pin to a CalVer tag in the infra overlay when stabilizing a release.
Policy — Flux Image Tag Automation is DENIED. Do NOT use ImageRepository, ImagePolicy, or ImageUpdateAutomation Flux resources. Image tag updates must be made intentionally via a PR to groombook/infra — typically as the final step of the sdlc application pipeline (Phase 5).
Infrastructure as Code
Terraform (OpenTofu) is deployed via the Flux OpenTofu Controller in a GitOps fashion. Submit Terraform configurations via a PR to groombook/infra — the tofu controller reconciles them on merge. See safety for the prohibition on running tofu directly and on kubectl apply against production.
Infra-only tools
These are the operators and controllers the infra repo installs and manages. Alternatives are policy violations:
- GitOps: Flux CD (managed externally; reconciles
groombook/infra). - IaC: Flux OpenTofu Controller.
- Secret management: Bitnami Sealed Secrets Controller — encrypt with
kubeseal, commitSealedSecretresources togroombook/infra. No plain Kubernetes secrets. - Database operator: CloudNativePG (Postgres).
- Cache / pub-sub operator: DragonflyDB.
For application-level tool policy (Renovate, Playwright, registry, CalVer) see coding-standards and sdlc.