Files
org/agents/flea-flicker/TOOLS.md
Test User 63d6a49612 Incorporate INFRASTRUCTURE.md content into TOOLS.md for all agents
INFRASTRUCTURE.md files contained deployment targets, Kubernetes access,
authentication (Authentik/Better-Auth), secrets (Sealed Secrets/kubeseal),
Flux GitOps deployment pipeline, Mend Renovate policy, and OpenTofu/Flux
ToFu Controller details. This content was missing from the consolidated
TOOLS.md. Now all agents have a comprehensive TOOLS.md with full
infrastructure documentation, and stale references to INFRASTRUCTURE.md,
HEARTBEAT.md, GITHUB.md, and SOUL.md have been updated to point to
SDLC.md and TOOLS.md.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-16 02:51:22 +00:00


Tools & Infrastructure

Deployment Targets

| Environment | Namespace     | FQDN                    |
|-------------|---------------|-------------------------|
| Production  | groombook     | groombook.farh.net      |
| UAT         | groombook-uat | groombook.uat.farh.net  |
| Development | groombook-dev | groombook.dev.farh.net  |

Kubernetes

  • Cluster-wide read access is granted; read/write access is limited to the -dev and -uat namespaces.
  • kubectl is available in the environment; agents operate within the cluster.

Authentication

  • Better-Auth with OAuth2 — no custom authentication, no exceptions.
  • Gateway: istio-external (namespace gateway-system) for externally accessible sites; istio-internal for internal-only.
  • Authentik is the OIDC/OAuth2 provider (namespace auth). UI: https://auth.farh.net.
  • Authentik credentials are available via the authentik-credentials secret in your namespace.
  • Supported identity providers: Authentik, Auth0, Okta, Entra-ID.

Secrets

  • Bitnami Sealed Secrets Controller (namespace kube-system) is the standard — no plain Kubernetes secrets allowed.
  • kubeseal is available in the environment, together with the public key needed to encrypt secrets.

Databases

  • CloudNativePG Operator (Postgres) is the standard — no SQLite, MariaDB, or MySQL.

Cache / Pub-Sub

  • DragonflyDB Operator is the standard — no Redis.

Deployment — 2-Stage Flux GitOps

Deployment is fully GitOps-driven. Do not use kubectl apply to deploy application manifests.

Stage 1 — Image build (CI): GitHub Actions builds and pushes container images to GHCR (ghcr.io/groombook/api, ghcr.io/groombook/web) on push/PR. Tag format: YYYY.MM.DD-shortsha.

Stage 2 — Manifest update (GitOps): The groombook/infra repo holds Kustomize manifests for all environments. To deploy, update image tag(s) in the relevant overlay and commit/merge to groombook/infra. Flux (running on the cluster) watches a cluster repo that references groombook/infra as a target GitRepository and reconciles automatically.

Critical rules:

  • groombook/infra is a target GitRepository — application manifests only. Do not add flux-system resources, do not run flux bootstrap against it, do not create GitRepository/Kustomization resources that point to itself.
  • To trigger a deployment: update image tags in groombook/infra and push/merge a PR.
  • Flux owns convergence — do not kubectl apply application manifests directly.
  • No Flux Image Automation. Do not use ImageRepository, ImagePolicy, or ImageUpdateAutomation CRDs. Image tag updates are driven by CI at push time. This is company policy.
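The Secrets rule above (no plain Kubernetes Secret objects) and the critical Flux rules (no flux-system resources, no Image Automation CRDs in the target repo) can be checked before a PR is merged. The script below is an added example, not the project's own tooling; `infra_policy_check` is a hypothetical helper that scans a checkout of groombook/infra, and the manifests in `sample_repo` are constructed sample input.

```shell
#!/bin/sh
# Added example: policy lint for a groombook/infra checkout (hypothetical helper,
# not the project's own tooling). Reads apiVersion/kind from every YAML document
# and reports objects that the rules in TOOLS.md forbid in the target repo.
infra_policy_check() {
    violations=$(find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) -exec awk '
        function flush() {
            # Plain Secret objects must be sealed with kubeseal first.
            if (api == "v1" && kind == "Secret")
                print cur ": plain Secret (must be a SealedSecret)"
            # Flux Image Automation CRDs are prohibited; CI sets tags at push time.
            if (kind ~ /^(ImageRepository|ImagePolicy|ImageUpdateAutomation)$/)
                print cur ": Flux image automation CRD " kind " is not allowed"
            # flux-system resources belong in the cluster repo, not the target repo.
            if (api ~ /toolkit\.fluxcd\.io/ && kind ~ /^(GitRepository|Kustomization)$/)
                print cur ": Flux " kind " does not belong in a target GitRepository"
            api = ""; kind = ""
        }
        FNR == 1       { flush(); cur = FILENAME }   # new file: close previous document
        /^---/         { flush(); next }             # YAML document separator
        /^apiVersion:/ { api = $2 }
        /^kind:/       { kind = $2 }
        END            { flush() }
    ' {} +)
    [ -z "$violations" ] && return 0
    printf '%s\n' "$violations"
    return 1
}

# Constructed sample manifests for a stand-alone demo (not real repo content).
# The Kustomize-native Kustomization is allowed; the Flux CRDs and plain Secret are not.
sample_repo() {
    d=$(mktemp -d)
    printf 'apiVersion: kustomize.config.k8s.io/v1beta1\nkind: Kustomization\n' > "$d/kustomization.yaml"
    cat > "$d/dev.yaml" <<'EOF'
apiVersion: v1
kind: Secret
---
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImagePolicy
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
EOF
    echo "$d"
}

infra_policy_check "$(sample_repo)" || echo "policy check failed: fix the manifests before opening a PR"
```

Running it on the constructed sample reports two violations (the plain Secret and the ImagePolicy) and exits non-zero, while the SealedSecret and the Kustomize-native Kustomization pass.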

Dependency & Image Updates — Mend Renovate

Mend Renovate is the sole tool for automated dependency and container image updates. Do not configure or use Dependabot.

Terraform (OpenTofu) — Flux ToFu Controller

  • Commit OpenTofu (.tf) configuration to groombook/infra in a dedicated path. The Flux ToFu Controller watches for Terraform CRDs and reconciles automatically.
  • Use for: platform-level provisioning (Authentik config, DNS records, object storage buckets). Application manifests remain Kustomize/Helm.
  • Do not run tofu or terraform directly outside the controller workflow.
  • Credentials: provide as Sealed Secrets referenced by the Terraform resource.