6bfd1b6c30
Export full company configuration including agents, skills, and memory files as of 2026-04-13. Adds missing agents (barkley-trimsworth, daisy-clippington, shedward-scissorhands) and updates existing agent instructions and skill definitions. Co-Authored-By: Paperclip <noreply@paperclip.ing>
40 lines
1.7 KiB
Markdown
# Cluster Operations
Practical knowledge for operating inside the GroomBook Kubernetes cluster as the CTO agent.
## kubectl / API Access
- The kubeconfig at `/paperclip/.kube/config` has a stale token for user `flea-flicker` — **do not use it**.
- Instead, use the **in-cluster service account token** directly via `curl`:
```bash
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
CA=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
curl -s --cacert "$CA" -H "Authorization: Bearer $TOKEN" "https://kubernetes.default.svc/..."
```
## RBAC
- **Read/write**: `groombook-dev`, `groombook-uat` namespaces (app resources, secrets, jobs, etc.)
- **Read-only**: cluster-wide (including `groombook`, `flux-system`, `kube-system` namespaces)
- **Cannot write**: Flux CRDs (Kustomization, GitRepository) in the `groombook` namespace — cannot force reconciliation via annotation.
## Flux UAT Reconciliation
- Kustomization `groombook-uat` is in namespace `groombook`, watches GitRepository `groombook` (also in `groombook` namespace).
- Reconciliation interval: **1h**, no `retryInterval` set.
- Source: `groombook/infra` repo, branch `main`.
- To unblock stuck reconciliation: delete stale completed Jobs that cause immutable-field dry-run failures.
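Added example, not part of this runbook: a small POSIX-shell helper set that ties the three sections above together. It wraps the in-cluster token call from the kubectl/API Access section (with no fallback to the stale kubeconfig), checks the RBAC claims above with a SelfSubjectAccessReview before doing anything that writes, and lists/deletes the completed Jobs mentioned under Flux UAT Reconciliation so the next hourly reconcile can pass its dry-run. Assumptions are mine: the standard projected service-account paths, the API at `kubernetes.default.svc` (override with `KUBE_API`), `curl` and `jq` on the PATH, and that the Jobs to clean up live in the namespace the Kustomization deploys into (`groombook-uat`, the namespace the agent can write to). All function names (`kapi`, `can_i`, `preflight`, `unblock_flux`, ...) are invented for this example.

```shell
# Added example for the GroomBook cluster notes (not from the original runbook).
# Assumes the standard projected SA paths and the API at kubernetes.default.svc;
# KUBE_API and SA_DIR are example-only overrides. Needs curl and jq.
SA_DIR=${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}
API=${KUBE_API:-https://kubernetes.default.svc}

# Read the in-cluster token. Deliberately no fallback to the kubeconfig,
# whose flea-flicker token is stale.
sa_token() {
  [ -s "$SA_DIR/token" ] || { echo "no service-account token at $SA_DIR/token" >&2; return 1; }
  cat "$SA_DIR/token"
}

# kapi METHOD PATH [JSON_BODY]: authenticated API call. -f turns HTTP 401/403
# into a non-zero exit, so a rejected token cannot pass for a valid response.
kapi() {
  _m=$1; _p=$2; _b=${3:-}
  _t=$(sa_token) || return 1
  if [ -n "$_b" ]; then
    curl -sSf --cacert "$SA_DIR/ca.crt" -H "Authorization: Bearer $_t" \
      -H 'Content-Type: application/json' -X "$_m" --data "$_b" "$API$_p"
  else
    curl -sSf --cacert "$SA_DIR/ca.crt" -H "Authorization: Bearer $_t" -X "$_m" "$API$_p"
  fi
}

# ssar_body NAMESPACE VERB RESOURCE [GROUP]: SelfSubjectAccessReview request body
# (GROUP is "" for core resources such as secrets, "batch" for jobs).
ssar_body() {
  printf '{"apiVersion":"authorization.k8s.io/v1","kind":"SelfSubjectAccessReview","spec":{"resourceAttributes":{"namespace":"%s","verb":"%s","resource":"%s","group":"%s"}}}' \
    "$1" "$2" "$3" "${4:-}"
}

# ssar_allowed JSON: extract .status.allowed (true/false) without jq, tolerant of
# the API server's pretty-printed output.
ssar_allowed() {
  printf '%s' "$1" | tr -d '\n' | sed -n 's/.*"allowed": *\([a-z]*\).*/\1/p'
}

# can_i NAMESPACE VERB RESOURCE [GROUP]: ask the API server, print true/false.
can_i() {
  ssar_allowed "$(kapi POST /apis/authorization.k8s.io/v1/selfsubjectaccessreviews "$(ssar_body "$@")")"
}

# Verify the permissions this runbook relies on before writing anything.
# Per the RBAC notes above, the first two should print true and the last false.
preflight() {
  printf 'create jobs in groombook-dev:      %s\n' "$(can_i groombook-dev create jobs batch)"
  printf 'update secrets in groombook-uat:   %s\n' "$(can_i groombook-uat update secrets)"
  printf 'patch kustomizations in groombook: %s\n' "$(can_i groombook patch kustomizations kustomize.toolkit.fluxcd.io)"
}

# Completed Jobs only: status.successful is a selectable field on batch/v1 Jobs,
# so the server does the filtering ('=' sent as %3D).
completed_jobs_path() {
  printf '/apis/batch/v1/namespaces/%s/jobs?fieldSelector=status.successful%%3D1' "$1"
}

list_completed_jobs() {
  kapi GET "$(completed_jobs_path "$1")" | jq -r '.items[].metadata.name'
}

# delete_job NAMESPACE NAME: Background propagation so the Job's Pods go with it
# (the API default for Jobs orphans them).
delete_job() {
  kapi DELETE "/apis/batch/v1/namespaces/$1/jobs/$2?propagationPolicy=Background" >/dev/null
}

# unblock_flux NAMESPACE: remove the stale completed Jobs that make the Flux
# dry-run trip over immutable fields; Flux re-applies at its next interval (1h).
unblock_flux() {
  for _j in $(list_completed_jobs "$1"); do
    echo "deleting completed job $1/$_j"
    delete_job "$1" "$_j"
  done
}

# In-cluster usage (left commented so the file can be sourced anywhere):
# preflight && unblock_flux groombook-uat
```

Drop `-f` from `kapi` when debugging to see the server's JSON error body. The `preflight` output doubles as a quick check that the token in use is the in-cluster one: the stale `flea-flicker` token fails the call outright instead of returning three answers.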
## kubeseal
- Sealed Secrets controller: `sealed-secrets-controller` in `kube-system`.
- Fetch public cert via API proxy:
```bash
curl -s --cacert "$CA" -H "Authorization: Bearer $TOKEN" \
  "https://kubernetes.default.svc/api/v1/namespaces/kube-system/services/sealed-secrets-controller:http/proxy/v1/cert.pem" > /tmp/kubeseal-cert.pem
```
- Then seal:
```bash
echo -n "plaintext" | kubeseal --raw --scope namespace-wide --namespace <ns> --name <secret-name> --cert /tmp/kubeseal-cert.pem
```
```
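Added example, not part of this runbook: pre-checks around the kubeseal step. The cert fetch above redirects whatever the API returns into `/tmp/kubeseal-cert.pem`, including a JSON error body if the token is rejected, and kubeseal then fails with an unhelpful parse error; the wrapper below checks that the file really is a PEM certificate and that the namespace and Secret name are valid Kubernetes names before sealing. It also makes the scope explicit: `strict` (kubeseal's default) binds the ciphertext to this exact name and namespace, `namespace-wide` (used in the note above) lets it be unsealed under any Secret name in that namespace, and `cluster-wide` drops both bindings. Function names, the `KUBESEAL_CERT` override and the sample values are invented for this example.

```shell
# Added example (not from the original runbook). Assumes the cert was saved by
# the curl call above; KUBESEAL_CERT is an example-only override.
CERT=${KUBESEAL_CERT:-/tmp/kubeseal-cert.pem}

# cert_file_ok FILE: "curl -s ... > file" stores a 401/403 JSON error body just
# as happily as a certificate, so insist on PEM markers before using the file.
cert_file_ok() {
  [ -s "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1" \
              && grep -q -- '-----END CERTIFICATE-----' "$1"
}

# valid_dns_label NAME: namespaces are DNS labels (lowercase alnum and '-', <= 63 chars).
valid_dns_label() {
  [ -n "$1" ] && [ "${#1}" -le 63 ] && printf '%s' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
}

# valid_secret_name NAME: Secret names are DNS subdomains (labels joined by '.', <= 253 chars).
valid_secret_name() {
  [ -n "$1" ] && [ "${#1}" -le 253 ] && printf '%s' "$1" \
    | grep -Eq '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
}

# seal_value NAMESPACE NAME VALUE [SCOPE]: print the sealed ciphertext for one
# key. SCOPE defaults to strict (bound to this exact name + namespace);
# namespace-wide, as in the note above, allows any Secret name in the namespace;
# cluster-wide drops both bindings. Returns 2 on any pre-check failure.
seal_value() {
  _ns=$1; _name=$2; _val=$3; _scope=${4:-strict}
  case "$_scope" in
    strict|namespace-wide|cluster-wide) ;;
    *) echo "seal_value: unknown scope '$_scope'" >&2; return 2 ;;
  esac
  valid_dns_label "$_ns"     || { echo "seal_value: bad namespace '$_ns'" >&2; return 2; }
  valid_secret_name "$_name" || { echo "seal_value: bad secret name '$_name'" >&2; return 2; }
  cert_file_ok "$CERT" || {
    echo "seal_value: $CERT is not a PEM certificate; re-fetch it (token rejected?)" >&2; return 2; }
  # printf instead of echo -n: portable and never interprets the value.
  printf '%s' "$_val" | kubeseal --raw --scope "$_scope" --namespace "$_ns" --name "$_name" --cert "$CERT"
}

# In-cluster usage (kubeseal on PATH; DB_PASSWORD is a placeholder):
# seal_value groombook-uat db-credentials "$DB_PASSWORD" namespace-wide
```

Use `strict` unless the sealed value genuinely has to be reusable under other Secret names in the namespace; the wider scopes trade that flexibility for a larger blast radius if the sealed blob is copied around.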