org/agents/the-dogfather/INFRASTRUCTURE.md
Scrubs McBarkley 6bfd1b6c30 chore: sync company backup 2026-04-13
Export full company configuration including agents, skills, and memory
files as of 2026-04-13. Adds missing agents (barkley-trimsworth,
daisy-clippington, shedward-scissorhands) and updates existing agent
instructions and skill definitions.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-13 04:02:21 +00:00


# Infrastructure Information

### Deployment Targets

* Production/Demo
  * Namespace: groombook
  * FQDN: groombook.farh.net
* UAT
  * Namespace: groombook-uat
  * FQDN: groombook.uat.farh.net
* Development
  * Namespace: groombook-dev
  * FQDN: groombook.dev.farh.net

### Standards

* Kubernetes
  * Cluster Access: cluster-wide read access is granted, as is read/write access to the -dev and -uat namespaces.
  * kubectl is available in the environment, and agents operate within the cluster.
* Authentication
  * Better-Auth with OAuth2; we never build custom authentication, no exceptions.
  * istio-external in namespace gateway-system - for externally accessible sites.
  * istio-internal in namespace gateway-system - for internal accessibility only.
  * Authentik is our OIDC and OAuth2 provider, in namespace auth. UI at `https://auth.farh.net`.
  * Authentik credentials are available via the `authentik-credentials` secret in your namespace.
  * Authentik, Auth0, Okta, and Entra-ID should all be supported.
* Secrets
  * Bitnami Sealed Secrets Controller is the standard and is available in the kube-system namespace of the cluster; no plain Kubernetes Secrets allowed.
  * kubeseal is available in the environment, and access to encrypt secrets via the controller's public key is provided.
* Databases
  * CloudNativePG Operator (Postgres) is the standard and is available in the cluster; no SQLite, MariaDB, or MySQL allowed.
* Cache/Pub-Sub
  * DragonflyDB Operator is the standard and is available in the cluster; no Redis.
### Deployment — 2-Stage Flux GitOps

Deployment is fully GitOps-driven. **Do not use `kubectl apply` to deploy application manifests.**

**Stage 1 — Image build (CI):**

GitHub Actions builds and pushes container images to GHCR (`ghcr.io/groombook/api`, `ghcr.io/groombook/web`) on push/PR. Tag format: `YYYY.MM.DD-shortsha`.

**Stage 2 — Manifest update (GitOps):**

The `groombook/infra` repo holds Kustomize manifests for all environments. To deploy, update the image tag(s) in the relevant overlay and commit/merge to `groombook/infra`. Flux (running on the cluster) watches a **cluster repo** (not accessible to agents) that references `groombook/infra` as a **target GitRepository**. Flux reconciles and applies the updated manifests to the cluster automatically.

**Critical rules:**

* `groombook/infra` is a **target GitRepository** — it contains application manifests only. It is **not** a Flux bootstrap or cluster repo. Do not add `flux-system` resources, do not run `flux bootstrap` against it, do not create GitRepository/Kustomization resources within it that point to itself.
* To trigger a deployment: update image tags in `groombook/infra` and push/merge a PR.
* Flux owns convergence — do not `kubectl apply` application manifests directly to drive a release.
* **No Flux Image Automation.** Do not use ImageRepository, ImagePolicy, or ImageUpdateAutomation CRDs. Image tag updates are intentionally driven by CI at push time, not by Flux automation. This is company policy and will not change.
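A pre-merge check for `groombook/infra` pull requests that enforces the rules above and the Sealed Secrets standard: plain `Secret` kinds, Flux image-automation CRDs, Flux `GitRepository`/`Kustomization` resources in the target repo, and Kustomize `newTag` values that do not follow `YYYY.MM.DD-shortsha` are all reported. This is an added example, not a script from the groombook repos; it assumes the short SHA is 7 to 40 hex characters and parses only column-0 `kind`/`apiVersion` keys and `newTag` lines, so it needs no YAML library. The sample overlay is constructed.

```python
import re

# Tag format mandated for CI-built images: YYYY.MM.DD-shortsha (7-40 hex chars assumed)
TAG_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}-[0-9a-f]{7,40}$")
NEWTAG_RE = re.compile(r"^\s*newTag:\s*['\"]?([^'\"\s]+)", re.M)
IMAGE_AUTOMATION_KINDS = {"ImageRepository", "ImagePolicy", "ImageUpdateAutomation"}
FLUX_APIS = ("source.toolkit.fluxcd.io", "kustomize.toolkit.fluxcd.io")

def top_level(doc, key):
    """Value of a column-0 scalar key in one YAML document, or None."""
    m = re.search(rf"^{key}:\s*(\S+)\s*$", doc, re.M)
    return m.group(1) if m else None

def check_manifest(text):
    """Return one message per policy violation in a multi-document YAML string."""
    found = []
    for n, doc in enumerate(re.split(r"^---\s*$", text, flags=re.M), 1):
        kind = top_level(doc, "kind")
        api = top_level(doc, "apiVersion") or ""
        if kind == "Secret":  # SealedSecret is a different kind and passes
            found.append(f"doc {n}: plain Secret; use a SealedSecret")
        if kind in IMAGE_AUTOMATION_KINDS:
            found.append(f"doc {n}: Flux image automation CRD {kind} is not allowed")
        if kind in ("GitRepository", "Kustomization") and api.startswith(FLUX_APIS):
            found.append(f"doc {n}: Flux {kind}; target repo holds application manifests only")
        for tag in NEWTAG_RE.findall(doc):  # Kustomize image overrides in an overlay
            if not TAG_RE.match(tag):
                found.append(f"doc {n}: newTag {tag!r} is not YYYY.MM.DD-shortsha")
    return found

# Constructed sample overlay (not from groombook/infra): one good tag, one bad, three banned kinds
SAMPLE = """\
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
images:
  - name: ghcr.io/groombook/api
    newTag: 2026.04.13-6bfd1b6
  - name: ghcr.io/groombook/web
    newTag: latest
---
apiVersion: v1
kind: Secret
---
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImagePolicy
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
"""
```

`check_manifest(SAMPLE)` returns four messages; wire it into the PR workflow over every file in the overlay directory and fail the job when the list is non-empty.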
### Dependency & Image Updates — Mend Renovate

**Mend Renovate** is the sole tool for automated dependency and container image updates. Do not configure or use Dependabot — it is not used and will not be used.

* Renovate handles package dependency bumps (npm, Go modules, etc.) and container image tag updates.
* When agents or users ask about automated dependency updates, direct them to Renovate configuration — never suggest Dependabot as an alternative.
### Terraform (OpenTofu) — Flux ToFu Controller

Agents can deploy infrastructure-as-code when a task requires it.

* **How:** Commit OpenTofu (`.tf`) configuration to `groombook/infra` in a dedicated path. The Flux ToFu Controller watches for `Terraform` CRDs and reconciles them automatically — no manual `tofu apply` needed.
* **When to use:** Platform-level provisioning tasks (e.g. Authentik configuration, external DNS records, object storage buckets). Application manifests should remain Kustomize/Helm.
* **Do not** run `tofu` or `terraform` directly against the cluster outside of the controller workflow.
* **Credentials:** Any secrets needed by Tofu workspaces should be provided as Sealed Secrets referenced by the `Terraform` resource.