org/agents/the-dogfather/life/resources/cluster-operations/summary.md
Scrubs McBarkley 6bfd1b6c30 chore: sync company backup 2026-04-13
Export full company configuration including agents, skills, and memory
files as of 2026-04-13. Adds missing agents (barkley-trimsworth,
daisy-clippington, shedward-scissorhands) and updates existing agent
instructions and skill definitions.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-13 04:02:21 +00:00


# Cluster Operations
Practical knowledge for operating inside the GroomBook Kubernetes cluster as the CTO agent.
## kubectl / API Access
- The kubeconfig at `/paperclip/.kube/config` has a stale token for user `flea-flicker`; **do not use it**.
- Instead, use the **in-cluster service account token** directly via `curl`:
```bash
# Token and CA bundle mounted into the pod for the in-cluster service account
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
CA=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
# Pin the CA and present the token; replace "..." with the API path you need
curl -s --cacert "$CA" -H "Authorization: Bearer $TOKEN" "https://kubernetes.default.svc/..."
```
## RBAC
- **Read/write**: `groombook-dev`, `groombook-uat` namespaces (app resources, secrets, jobs, etc.)
- **Read-only**: cluster-wide (including `groombook`, `flux-system`, `kube-system` namespaces)
- **Cannot write**: Flux CRDs (Kustomization, GitRepository) in the `groombook` namespace — cannot force reconciliation via annotation.
## Flux UAT Reconciliation
- Kustomization `groombook-uat` is in namespace `groombook`, watches GitRepository `groombook` (also in `groombook` namespace).
- Reconciliation interval: **1h**, no `retryInterval` set.
- Source: `groombook/infra` repo, branch `main`.
- To unblock stuck reconciliation: delete stale completed Jobs that cause immutable-field dry-run failures.
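As an added example (not from the page or the GroomBook repo), a POSIX sh helper that applies the RBAC boundaries above before deleting a stale Job through the same token/CA curl pattern: it refuses namespaces outside `groombook-dev`/`groombook-uat`, asks the API server via a SelfSubjectAccessReview, and only then sends the DELETE. The function names, the grep-based parsing of the review reply, and the absence of `jq` are assumptions.

```bash
# Guarded deletion of a stale Job via the in-cluster API (added example).
# Assumptions: helper names are mine; jq is not available, so the
# SelfSubjectAccessReview reply is checked with tr/grep.
API=https://kubernetes.default.svc
TOKEN_FILE=/var/run/secrets/kubernetes.io/serviceaccount/token
CA=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

# Namespaces this service account may write to (from the RBAC section).
ns_writable() {
  case "$1" in groombook-dev|groombook-uat) return 0 ;; *) return 1 ;; esac
}

# URL of a batch/v1 Job, or of the Job collection when no name is given.
job_url() {
  if [ -n "$2" ]; then
    printf '%s/apis/batch/v1/namespaces/%s/jobs/%s' "$API" "$1" "$2"
  else
    printf '%s/apis/batch/v1/namespaces/%s/jobs' "$API" "$1"
  fi
}

# SelfSubjectAccessReview body asking "may I <verb> jobs in <namespace>?"
ssar_body() {
  printf '{"apiVersion":"authorization.k8s.io/v1","kind":"SelfSubjectAccessReview","spec":{"resourceAttributes":{"namespace":"%s","verb":"%s","group":"batch","resource":"jobs"}}}' "$1" "$2"
}

# Returns 0 when the API reply reports allowed; tolerates pretty-printed JSON.
ssar_allowed() {
  printf '%s' "$1" | tr -d ' \n' | grep -q '"allowed":true'
}

# Delete the named Job only if the namespace is writable and RBAC agrees.
delete_stale_job() {
  ns=$1; job=$2
  ns_writable "$ns" || { echo "refusing: $ns is read-only for this agent" >&2; return 1; }
  TOKEN=$(cat "$TOKEN_FILE")
  reply=$(curl -s --cacert "$CA" -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" -X POST \
    -d "$(ssar_body "$ns" delete)" \
    "$API/apis/authorization.k8s.io/v1/selfsubjectaccessreviews")
  ssar_allowed "$reply" || { echo "refusing: RBAC denies delete on jobs in $ns" >&2; return 1; }
  # propagationPolicy=Background also removes the Pods the Job created.
  curl -s --cacert "$CA" -H "Authorization: Bearer $TOKEN" -X DELETE \
    "$(job_url "$ns" "$job")?propagationPolicy=Background"
}
```

Call it as `delete_stale_job groombook-uat <job-name>`; a namespace such as `groombook` or `kube-system` is rejected before any request is sent.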
## kubeseal
- Sealed Secrets controller: `sealed-secrets-controller` in `kube-system`.
- Fetch public cert via API proxy:
```bash
# Reach the controller's HTTP port through the API server's service proxy
curl -s --cacert "$CA" -H "Authorization: Bearer $TOKEN" \
  "https://kubernetes.default.svc/api/v1/namespaces/kube-system/services/sealed-secrets-controller:http/proxy/v1/cert.pem" > /tmp/kubeseal-cert.pem
```
- Then seal:
```bash
# --raw prints only the encrypted value; namespace-wide scope binds it to <ns> but not to <secret-name>
echo -n "plaintext" | kubeseal --raw --scope namespace-wide --namespace <ns> --name <secret-name> --cert /tmp/kubeseal-cert.pem
```