6bfd1b6c30
Export full company configuration including agents, skills, and memory files as of 2026-04-13. Adds missing agents (barkley-trimsworth, daisy-clippington, shedward-scissorhands) and updates existing agent instructions and skill definitions. Co-Authored-By: Paperclip <noreply@paperclip.ing>
Cluster Operations
Practical knowledge for operating inside the GroomBook Kubernetes cluster as the CTO agent.
kubectl / API Access
- The kubeconfig at /paperclip/.kube/config has a stale token for user flea-flicker — do not use it.
- Instead, use the in-cluster service account token directly via curl:

    TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
    CA=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
    curl -s --cacert "$CA" -H "Authorization: Bearer $TOKEN" "https://kubernetes.default.svc/..."

RBAC
- Read/write: groombook-dev, groombook-uat namespaces (app resources, secrets, jobs, etc.)
- Read-only: cluster-wide (including groombook, flux-system, kube-system namespaces)
- Cannot write: Flux CRDs (Kustomization, GitRepository) in the groombook namespace — cannot force reconciliation via annotation.

Flux UAT Reconciliation
- Kustomization groombook-uat is in namespace groombook, watches GitRepository groombook (also in groombook namespace).
- Reconciliation interval: 1h, no retryInterval set.
- Source: groombook/infra repo, branch main.
- To unblock stuck reconciliation: delete stale completed Jobs that cause immutable-field dry-run failures.

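Added example, not part of the exported file or the GroomBook repo: one way to find stale completed Jobs with the in-cluster service account token and delete them, using `propagationPolicy=Background` so the Jobs' finished pods are removed too. The one-hour age cutoff, the `groombook-uat` target namespace, the job names in `SAMPLE`, and Python being available in the agent container are assumptions.

```python
import json, ssl, urllib.request
from datetime import datetime, timedelta, timezone
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"
API = "https://kubernetes.default.svc"

def stale_completed_jobs(job_list, now, min_age=timedelta(hours=1)):
    """Names of Jobs with condition Complete=True that finished at least min_age ago."""
    names = []
    for job in job_list.get("items", []):
        status = job.get("status", {})
        done = any(c.get("type") == "Complete" and c.get("status") == "True"
                   for c in status.get("conditions", []))
        finished = status.get("completionTime")
        if not done or not finished or status.get("active"):
            continue  # running, failed, or never finished: leave it alone
        age = now - datetime.fromisoformat(finished.replace("Z", "+00:00"))
        if age >= min_age:  # min_age is an assumed cutoff, not from the page
            names.append(job["metadata"]["name"])
    return names

def delete_path(namespace, name):
    return f"/apis/batch/v1/namespaces/{namespace}/jobs/{name}?propagationPolicy=Background"

def api(method, path):
    """Call the API server with the mounted service account token and CA."""
    with open(f"{SA_DIR}/token") as f:
        token = f.read().strip()
    ctx = ssl.create_default_context(cafile=f"{SA_DIR}/ca.crt")
    req = urllib.request.Request(API + path, method=method,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

# Constructed sample JobList (job names are hypothetical), trimmed to the fields used.
SAMPLE = {"items": [
    {"metadata": {"name": "seed-data-old"}, "status": {
        "completionTime": "2026-04-13T09:00:00Z",
        "conditions": [{"type": "Complete", "status": "True"}]}},
    {"metadata": {"name": "seed-data-new"}, "status": {
        "completionTime": "2026-04-13T11:50:00Z",
        "conditions": [{"type": "Complete", "status": "True"}]}},
    {"metadata": {"name": "seed-data-running"}, "status": {"active": 1}},
]}

if __name__ == "__main__":
    ns = "groombook-uat"  # assumed target; writable per the RBAC notes above
    jobs = api("GET", f"/apis/batch/v1/namespaces/{ns}/jobs")
    for name in stale_completed_jobs(jobs, datetime.now(timezone.utc)):
        api("DELETE", delete_path(ns, name))
```
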
kubeseal
- Sealed Secrets controller: sealed-secrets-controller in kube-system.
- Fetch public cert via API proxy:

    curl -s --cacert "$CA" -H "Authorization: Bearer $TOKEN" \
      "https://kubernetes.default.svc/api/v1/namespaces/kube-system/services/sealed-secrets-controller:http/proxy/v1/cert.pem" > /tmp/kubeseal-cert.pem

- Then seal:

    echo -n "plaintext" | kubeseal --raw --scope namespace-wide --namespace <ns> --name <secret-name> --cert /tmp/kubeseal-cert.pem