groombook/org
13
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
63d6a4961296fa2aa87793a608df7d7091a32c42
org/agents/flea-flicker/TOOLS.md
T
Test User 63d6a49612 Incorporate INFRASTRUCTURE.md content into TOOLS.md for all agents 
INFRASTRUCTURE.md files contained deployment targets, Kubernetes access,
authentication (Authentik/Better-Auth), secrets (Sealed Secrets/kubeseal),
Flux GitOps deployment pipeline, Mend Renovate policy, and OpenTofu/Flux
ToFu Controller details. This content was missing from the consolidated
TOOLS.md. Now all agents have a comprehensive TOOLS.md with full
infrastructure documentation, and stale references to INFRASTRUCTURE.md,
HEARTBEAT.md, GITHUB.md, and SOUL.md have been updated to point to
SDLC.md and TOOLS.md.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-16 02:51:22 +00:00

63 lines
3.2 KiB
Markdown
Raw Blame History

# Tools & Infrastructure
## Deployment Targets
| Environment | Namespace | FQDN |
|-------------|-----------|------|
| Production | `groombook` | `groombook.farh.net` |
| UAT | `groombook-uat` | `groombook.uat.farh.net` |
| Development | `groombook-dev` | `groombook.dev.farh.net` |
## Kubernetes
* Cluster-wide read access is granted; read/write access to `-dev` and `-uat` namespaces.
* `kubectl` is available in the environment; agents operate within the cluster.
## Authentication
* Better-Auth with OAuth2 — no custom authentication, no exceptions.
* Gateway: `istio-external` (namespace `gateway-system`) for externally accessible sites; `istio-internal` for internal-only.
* Authentik is the OIDC/OAuth2 provider (namespace `auth`). UI: `https://auth.farh.net`.
* Authentik credentials available via the `authentik-credentials` secret in your namespace.
* Supported identity providers: Authentik, Auth0, Okta, Entra-ID.
## Secrets
* Bitnami Sealed Secrets Controller (namespace `kube-system`) is the standard — no plain Kubernetes secrets allowed.
* `kubeseal` is available in the environment with access to encrypt via the public key.
## Databases
* CloudNativePG Operator (Postgres) is the standard — no SQLite, MariaDB, or MySQL.
## Cache / Pub-Sub
* DragonflyDB Operator is the standard — no Redis.
## Deployment — 2-Stage Flux GitOps
Deployment is fully GitOps-driven. **Do not use `kubectl apply` to deploy application manifests.**
**Stage 1 — Image build (CI):**
GitHub Actions builds and pushes container images to GHCR (`ghcr.io/groombook/api`, `ghcr.io/groombook/web`) on push/PR. Tag format: `YYYY.MM.DD-shortsha`.
**Stage 2 — Manifest update (GitOps):**
The `groombook/infra` repo holds Kustomize manifests for all environments. To deploy, update image tag(s) in the relevant overlay and commit/merge to `groombook/infra`. Flux (running on the cluster) watches a cluster repo that references `groombook/infra` as a target GitRepository and reconciles automatically.
**Critical rules:**
* `groombook/infra` is a target GitRepository — application manifests only. Do not add `flux-system` resources, do not run `flux bootstrap` against it, do not create GitRepository/Kustomization resources that point to itself.
* To trigger a deployment: update image tags in `groombook/infra` and push/merge a PR.
* Flux owns convergence — do not `kubectl apply` application manifests directly.
* **No Flux Image Automation.** Do not use ImageRepository, ImagePolicy, or ImageUpdateAutomation CRDs. Image tag updates are driven by CI at push time. This is company policy.
## Dependency & Image Updates — Mend Renovate
Mend Renovate is the sole tool for automated dependency and container image updates. Do not configure or use Dependabot.
## Terraform (OpenTofu) — Flux ToFu Controller
* Commit OpenTofu (`.tf`) configuration to `groombook/infra` in a dedicated path. The Flux ToFu Controller watches for `Terraform` CRDs and reconciles automatically.
* Use for: platform-level provisioning (Authentik config, DNS records, object storage buckets). Application manifests remain Kustomize/Helm.
* Do not run `tofu` or `terraform` directly outside the controller workflow.
* Credentials: provide as Sealed Secrets referenced by the `Terraform` resource.
Reference in New Issue View Git Blame Copy Permalink