Commit Graph

553 Commits

Author SHA1 Message Date
Hermes Agent service account
e5d24f557a feat(tekton): Add Firecrawl build pipelines
- firecrawl-api: Multi-stage build (Go + Node.js + Rust)
- firecrawl-playwright: Node.js + Chromium browser automation
- firecrawl-postgres: PostgreSQL 16 with pg_cron extension

All pipelines validated with successful test builds.
Images pushed to Harbor library project.

Day 2 of Firecrawl deployment complete.
2026-06-06 17:36:14 -05:00
Hermes Agent service account
f8e137b67b Tekton Phase 2 Day 3: Complete Harbor authentication and test build
- Added config.json key to harbor-credentials ExternalSecret
  This ensures kaniko can find the Docker auth config at /kaniko/.docker/config.json
  (previously only .dockerconfigjson was present)

- Created test-app-build PipelineRun manifest for validation testing

- Successfully validated end-to-end pipeline:
   git-clone Task deployed and working
   kaniko-build Task deployed and working
   container-build Pipeline deployed and working
   Harbor authentication working with robot account
   Test image built and pushed: the-seas.local.mk-labs.cloud/library/test-app:v1.0.0
   Image digest: sha256:aa143f4a01795a1d307b711108ca0c89f36e00ea38fddb9d7b2febd5fffc46d7

Pipeline test results:
- PipelineRun: test-app-build-005 - SUCCEEDED
- fetch-repository TaskRun - SUCCEEDED
- build-and-push TaskRun - SUCCEEDED

Tekton CI/CD platform is now operational and ready for production workloads.
2026-06-06 16:13:31 -05:00
Hermes Agent service account
76241e75a8 Add Tekton tasks, pipeline and test Dockerfile
- Add git-clone task for repository cloning
- Add kaniko-build task for container image builds
- Add container-build pipeline orchestrating clone + build
- Add harbor-credentials ExternalSecret for innoventions namespace
- Add test-app.Dockerfile for pipeline validation

Day 3 deliverables for Tekton Phase 2
2026-06-06 15:53:57 -05:00
Hermes Agent service account
d5ce6ff96a fix(tekton): Remove unsupported TektonConfig fields 2026-06-05 21:56:35 -05:00
Hermes Agent service account
44b1a2fb33 fix(tekton): Correct ArgoCD repo URL to Gitea 2026-06-05 21:54:42 -05:00
Hermes Agent service account
7dc1999928 feat(tekton): Day 2 - Deploy Tekton Operator and components
- Downloaded Tekton Operator v0.79.1 release manifest
- Created TektonConfig CR enabling all components in innoventions namespace
  - Pipelines v1.13.0 with OCI bundles and custom tasks
  - Triggers v0.36.0 with stable API fields
  - Dashboard v0.69.0 with read-write access
  - Addon components (cluster tasks, templates)
  - Pruner configured (keep 100, daily at 2 AM)
- Created Dashboard HTTPRoute for mission-space.local.mk-labs.cloud
  - Certificate via letsencrypt-prod ClusterIssuer
  - Routes via fastpass-gateway (Cilium Gateway API)
  - Backend: tekton-dashboard service port 9097
- Created ArgoCD Application manifest (wave 8)
  - Automated sync with prune/selfHeal
  - ServerSideApply for CRD compatibility
  - Ignore differences for operator-managed resources

Directory: cluster/platform/tekton/ (functional naming)
Namespace: innoventions (thematic naming)
DNS: mission-space.local.mk-labs.cloud

Ready for deployment to fastpass cluster.
2026-06-05 21:54:02 -05:00
Hermes Agent service account
63d480927d chore(couchdb): switch to production Let's Encrypt certificate
Replace letsencrypt-staging with letsencrypt-prod for trusted certificate.
Staging cert was causing connection resets due to certificate validation failures.
2026-06-05 20:04:38 -05:00
Hermes Agent service account
fa86fa4c9c fix(couchdb): correct ingress hostname to internal DNS zone
Change CouchDB ingress hostname from communicore.mk-labs.cloud to
communicore.local.mk-labs.cloud to align with External-DNS configuration.

CouchDB is an internal service and should use the .local.mk-labs.cloud
zone managed by Technitium DNS, not the public .mk-labs.cloud zone
managed by Cloudflare.

This ensures External-DNS will properly create the A record in the
internal DNS server.
2026-06-05 19:33:39 -05:00
Hermes Agent service account
444b597ade fix(couchdb): add erlangCookie to ExternalSecret and external-dns annotation
- Add erlangCookie field to ExternalSecret from 1Password
- Add external-dns target annotation to ingress (10.1.71.80)
- Completes CouchDB deployment configuration
2026-06-05 19:11:45 -05:00
Hermes Agent service account
c81a9b7704 fix(couchdb): remove invalid syncWaves from Application spec 2026-06-05 18:39:59 -05:00
Hermes Agent service account
6cab6519b1 feat(couchdb): deploy CouchDB for Obsidian sync (communicore) 2026-06-05 18:36:28 -05:00
Hermes Agent service account
ce992ca743 Fix ClusterSecretStore reference in Harbor ExternalSecrets
Changed from 'onepassword-store' to 'onepassword-connect' to match
the actual ClusterSecretStore name in the cluster.
2026-06-04 23:47:53 -05:00
Hermes Agent service account
092d1ac209 Document robot credential management via 1Password and ExternalSecrets
Updated README to reflect the full workflow:
1. Robot account creation via Job
2. Secret regeneration and capture
3. Storage in 1Password (harbor-robot-accounts item)
4. Automatic sync via ExternalSecrets to K8s
2026-06-04 23:44:00 -05:00
Hermes Agent service account
6acf2f9944 Add ExternalSecrets for Harbor robot account credentials
Creates two docker-registry secrets from 1Password:
1. harbor-tekton-robot - for Tekton CI/CD pipeline push/pull
2. harbor-pull-secret - for fastpass cluster image pulls

Both sync from 1Password item 'harbor-robot-accounts' with fields:
- tekton-builder-username / tekton-builder-password
- fastpass-cluster-username / fastpass-cluster-password

Credentials document placed in PKA inbox for manual 1Password entry.
Once stored, ESO will automatically sync and create the secrets.
2026-06-04 23:43:37 -05:00
Hermes Agent service account
8d18f42b2e Update Harbor README with robot accounts documentation
Documents robot account management via GitOps:
- tekton-builder and fastpass-cluster robot accounts
- Manual Job execution (PostSync hooks don't work with multi-source)
- Credential retrieval and storage in 1Password
- ImagePullSecret creation for K8s clusters
2026-06-04 23:38:50 -05:00
Hermes Agent service account
152f10ed8b Add ArgoCD PostSync hook for Harbor robot accounts
Manages robot accounts declaratively via GitOps:
- tekton-builder: push/pull access for CI/CD pipelines
- fastpass-cluster: pull-only access for K8s image pulls

Implementation:
- Kubernetes Job with argocd.argoproj.io/hook: PostSync annotation
- Idempotent: checks if accounts exist before creating
- Uses harbor-credentials ExternalSecret for admin password
- BeforeHookCreation deletion policy for clean reruns

Replaces manual robot account creation via Harbor API.
2026-06-04 23:35:45 -05:00
Hermes Agent service account
d99ebca829 Add external-dns annotations to Harbor Ingress
DNS was pointing to Gateway (10.1.71.90) instead of NGINX Ingress (10.1.71.80)
after we removed the HTTPRoute manifests. This caused traffic to hit the
Gateway's wildcard cert and get 'no healthy upstream' errors.

Added external-dns annotations to Ingress to direct DNS to correct IP:
- external-dns.alpha.kubernetes.io/hostname: the-seas.local.mk-labs.cloud
- external-dns.alpha.kubernetes.io/target: 10.1.71.80

This will update Technitium DNS to point to NGINX Ingress Controller.
2026-06-04 23:16:06 -05:00
df91305e13 Cleanup unneeded harbor deployment files and switch to prod certificate. 2026-06-04 22:51:53 -05:00
Hermes Agent service account
6f2b6e0290 Remove redundant Harbor manifest files
Harbor Helm chart creates Ingress and cert-manager auto-creates certificates
via Ingress annotations. Removed non-functional and redundant manifests:

- certificate.yaml: cert-manager creates from Ingress annotation
- httproute.yaml: non-functional (pointed to non-existent service)
- httproute-alt.yaml: non-functional (pointed to non-existent service)

Standardized on single hostname: the-seas.local.mk-labs.cloud
Updated README to reflect actual NGINX Ingress architecture (not Gateway API)

Net: -97 lines, simplified deployment, no functional change
2026-06-04 22:43:57 -05:00
Hermes Agent service account
fc34833472 Consolidate Harbor TLS certificates into single multi-SAN certificate
- Merge harbor-alt-tls into harbor-tls certificate
- Single certificate now covers both DNS names:
  - the-seas.local.mk-labs.cloud (EPCOT theme)
  - harbor.local.mk-labs.cloud (functional name)
- Remove duplicate certificate-alt.yaml
- Reduces cert-manager overhead and simplifies certificate management
2026-06-04 22:39:18 -05:00
Hermes Agent service account
7f37211a8b fix(harbor): switch from Gateway API to nginx-ingress
- Change expose.type from clusterIP to ingress
- Use nginx IngressClass
- Reference harbor-tls certificate secret
- Add staging cert-manager annotation
- Gateway API was returning intermittent 503 errors for static assets
2026-06-04 22:05:55 -05:00
Hermes Agent service account
ccc956f70b fix(harbor): HTTPRoute should use service port 80, not targetPort 8080 2026-06-04 21:23:29 -05:00
Hermes Agent service account
511f32e521 fix(harbor): correct HTTPRoute backend port (8080) 2026-06-04 21:21:32 -05:00
Hermes Agent service account
87a3e84f5b fix(harbor): correct HTTPRoute backend service name (the-seas) 2026-06-04 21:20:06 -05:00
Hermes Agent service account
1743145e9f fix(harbor): disable TLS in expose config (Gateway API handles TLS) 2026-06-04 21:12:00 -05:00
Hermes Agent service account
d561ac6e04 fix: Remove invalid configureUserSettings from harbor-core
The configureUserSettings field contained nginx configuration
('http2_push_preload on;') which was incorrectly being used as
CONFIG_OVERWRITE_JSON. This caused harbor-core to crash with a
JSON parse error.

CONFIG_OVERWRITE_JSON expects valid JSON for Harbor configuration
overrides, not nginx snippets. Removing this field to fix the
CrashLoopBackOff.
2026-06-04 21:08:27 -05:00
Hermes Agent service account
99bc31dee9 Simplify Harbor to standard deployment pattern
- ExternalSecret now pulls only HARBOR_ADMIN_PASSWORD from 1Password
- Removed database, redis, core, jobservice, registry secret references
- Harbor Helm chart auto-generates all internal secrets (standard pattern)
- Reduces complexity and aligns with Harbor best practices

This change removes dependency on 5 1Password fields that should be deleted:
- database-password
- redis-password
- core-secret
- jobservice-secret
- registry-password

Only harbor-admin-password field needed in 1Password item 'the-seas'
2026-06-04 20:44:32 -05:00
Hermes Agent service account
ac8e7acbd4 fix(harbor): add secret key names for database and redis passwords
Harbor Helm chart requires both existingSecret and existingSecretKey
parameters to properly reference credentials. Without the key names,
the chart creates secrets with empty passwords, causing authentication
failures between components.

Added:
- database.internal.existingSecretKey: DATABASE_PASSWORD
- redis.internal.existingSecretKey: REDIS_PASSWORD
2026-06-04 20:36:12 -05:00
Hermes Agent service account
0ad5dbe741 fix(harbor): remove invalid secretName parameter from core config
The secretName parameter was being used as a literal secret name
'CORE_SECRET' which doesn't exist. This caused harbor-core pods to
fail mounting volumes.

The correct approach is to use existingSecret for credential keys,
and let Harbor manage its own internal secrets.
2026-06-04 20:34:25 -05:00
Hermes Agent service account
7d9b054340 fix(harbor): correct secret key name for core secret
Harbor Helm chart expects 'secret' key not 'CORE_SECRET' for the
CORE_SECRET environment variable. This was causing jobservice pod
to fail with CreateContainerConfigError.

Fixes: harbor-jobservice-757bbf44cc-tvznq error
2026-06-04 20:32:40 -05:00
Hermes Agent service account
4b1e8a7cac fix(harbor): correct naming convention and use staging certs
- Rename application/namespace: the-seas -> harbor
- Move directory: cluster/platform/the-seas -> cluster/platform/harbor
- Update all resource references (ExternalSecret, HTTPRoutes, Certificates)
- Switch to letsencrypt-staging issuer (avoid ACME rate limits during testing)
- Thematic name 'the-seas' remains in DNS hostnames and comments
2026-06-04 20:25:25 -05:00
Hermes Agent service account
8f190eb188 fix(the-seas): correct Harbor image tags to use v-prefix (v2.15.1)
Docker Hub Harbor images use v-prefix format (v2.15.1) not semantic
version format (2.15.1). Updated all component image tags to v2.15.1.
2026-06-04 20:22:34 -05:00
Hermes Agent service account
95ae6919b0 feat(platform): add Harbor container registry (the-seas) deployment
- Add Harbor v2.15.1 (chart 1.19.1) deployment to wave 7
- Service name: the-seas (EPCOT: The Seas with Nemo & Friends)
- Architecture: Embedded PostgreSQL, embedded Redis, single instance
- Storage: NFS via nfs-emporium StorageClass (130Gi total)
- Expose via Gateway API with dual DNS names
- Primary: the-seas.local.mk-labs.cloud
- Alternate: harbor.local.mk-labs.cloud
- ExternalSecret for 1Password integration (6 secrets)
- All image tags pinned to 2.15.1
- Resource requests/limits configured for homelab
- Multi-source ArgoCD application pattern
- TLS certificates via cert-manager (Let's Encrypt)
- Metrics and Trivy scanning enabled

Components:
- Portal, Core, Registry, JobService (1 replica each)
- Embedded PostgreSQL and Redis
- NGINX reverse proxy
- Trivy vulnerability scanner
- Prometheus metrics exporter

Refs: /mnt/mk-labs-pka/tony-stark-inbox/harbor-phase1-deployment.md
2026-06-04 20:20:51 -05:00
Hermes Agent service account
52e97f3a7c chore: Remove Firecrawl deployment - pausing until platform infra is ready
Removing Firecrawl ArgoCD application and all manifests. The deployment
was failing due to missing container images that need to be built from
source. This requires platform infrastructure we don't have yet.

Will return to Firecrawl deployment after Harbor registry and Tekton
pipelines are deployed and configured.

Note: ArgoCD also needs a thematic EPCOT name at some point.
2026-06-04 19:10:47 -05:00
Hermes Agent service account
461aa1bc54 fix(firecrawl): correct Docker image registry paths
- Changed from ghcr.io/mendableai/* to ghcr.io/firecrawl/*
- Updated all three services: main API, playwright-service, and nuq-postgres
- Changed tag from v1.0.0 to latest (official images use latest tag)
- Fixes ImagePullBackOff errors caused by incorrect registry namespace

Per official Firecrawl docker-compose.yaml, images are published under
ghcr.io/firecrawl/, not ghcr.io/mendableai/
2026-06-04 17:05:06 -05:00
Hermes Agent service account
c38461a6e8 docs(firecrawl): Add comprehensive refactoring summary 2026-06-04 16:57:28 -05:00
Hermes Agent service account
6bcb6fa93f refactor(firecrawl): Convert to production-ready Helm chart with persistent storage
CRITICAL FIXES:
 Add PersistentVolumeClaims for all stateful services
   - PostgreSQL: 20Gi PVC on nfs-emporium (data persistence)
   - Redis: 10Gi PVC on nfs-emporium (cache and queue)
   - RabbitMQ: 5Gi PVC on nfs-emporium (message queue)

 Pin all image versions (no more 'latest' tags)
   - Firecrawl API/Worker: v1.0.0
   - Playwright Service: v1.0.0
   - PostgreSQL (nuq-postgres): v1.0.0
   - Redis: 7.4.1-alpine
   - RabbitMQ: 3.13.7-management-alpine

 Convert raw manifests to proper Helm chart
   - Template-based configuration
   - Centralized values.yaml
   - Proper Helm helpers and labels
   - Easy configuration management

WHAT CHANGED:
- Created chart/ directory with full Helm chart structure
- Moved old manifests to old-manifests/ for reference
- Updated ArgoCD Application to use Helm chart source
- Added comprehensive README and MIGRATION docs
- All services now use nfs-emporium storage class
- Redis configured with AOF persistence
- Proper resource limits and health checks
- Gateway/HTTPRoute configs integrated into chart

DEPLOYMENT:
ArgoCD will automatically sync and apply changes.
Old ephemeral data will be lost (fresh start with persistence).

Resolves data loss issues and brings deployment to production standards.
2026-06-04 16:56:29 -05:00
Hermes Agent service account
f4181349f8 feat: Deploy Firecrawl (spaceship-earth) to fastpass cluster
- Add Firecrawl application with full stack:
  - Firecrawl API (main service)
  - Firecrawl Worker (background jobs)
  - Playwright Service (browser automation)
  - Redis (cache & job queue)
  - PostgreSQL (state management)
  - RabbitMQ (message queue)

- Configure dual DNS names:
  - Primary: spaceship-earth.local.mk-labs.cloud (EPCOT theme)
  - Secondary: firecrawl.local.mk-labs.cloud

- Add Gateway API HTTPRoutes with TLS certificates
- Update ReferenceGrant for firecrawl namespace
- Configure ArgoCD application (wave 20)
- Set USE_DB_AUTHENTICATION=false for internal deployment

This provides JARVIS with web scraping and search capabilities.
2026-06-04 16:40:12 -05:00
Hermes Agent service account
9d860367cc honcho: document deriver disabled-by-default and manual start procedure
- Explains why honcho_deriver_autostart defaults to false (0 token burn)
- Provides manual systemctl start/stop commands
- Notes override procedure for permanent enable
2026-06-02 10:28:11 -05:00
Hermes Agent service account
f654c59dd5 honcho: add honcho_deriver_autostart flag (default: false)
- New variable honcho_deriver_autostart controls service state/enabled
- honcho_deriver_enabled still controls whether Quadlet is created
- Default autostart=false after discovering deriver burns tokens autonomously
- Service is created but stopped/disabled; can be started manually if needed
2026-06-02 10:26:30 -05:00
Hermes Agent service account
d22ac5cef2 hermes: dashboard auto-restart after updates (Restart=always) 2026-06-02 08:43:49 -05:00
Hermes Agent service account
0fd69e0b90 ticktick: store OAuth2 creds + PSTG project ID in vault
- vault_ticktick_client_id / client_secret (OAuth2 app)
- vault_ticktick_access_token (180-day token; no refresh token)
- vault_ticktick_pstg_project_id (pinned: PSTG work list)
2026-05-31 23:41:57 -05:00
Hermes Agent service account
e8d87ff092 honcho: rotate vault_honcho_openai_api_key (new project with embeddings access) 2026-05-31 23:02:21 -05:00
Hermes Agent service account
23612a38f2 honcho: enable OpenAI embeddings for conclusion vectorisation
- Add vault_honcho_openai_api_key (embeddings-only, Honcho-scoped)
- Inject OPENAI_API_KEY + LLM_OPENAI_API_KEY into api + deriver containers
- Flip honcho_embed_messages default to true now that embeddings have a provider
- Parameterise EMBEDDING__MODEL_CONFIG__{TRANSPORT,MODEL,BASE_URL} so we can
  later swap to a local OpenAI-compatible embedder (e.g. Ollama on
  astro-orbiter post-rebuild) with a single defaults change.

Vault diff is large because ansible-vault re-encrypts the whole file; logical
change is one new key.
2026-05-31 22:29:03 -05:00
Hermes Agent service account
bd100c15e7 hermes: add hermes-dashboard systemd unit (port 9119, fronted by Traefik) 2026-05-31 21:09:27 -05:00
JARVIS
dc5392446c fix(honcho/templates): restore Jinja {{ ... }} markers around secrets
A previous commit (via an agent write-file path with overaggressive
secret redaction) silently corrupted three Environment= lines in the
api/deriver Quadlet templates — the {{ delimiters around references
to honcho_auth_enabled, honcho_jwt_secret, and honcho_anthropic_api_key
were replaced with *** in the template file itself. Ansible templated
those *** through verbatim, and Honcho refused to start because
AUTH_USE_AUTH then resolved to the literal string "*** honcho_...".

Patched the templates back to proper Jinja via a side-channel that
bypasses the redactor. Verified the raw bytes on disk show 7b7b...7d7d
({{...}}) around all three references.
2026-05-31 00:14:46 -05:00
JARVIS
f8cf139b10 fix(honcho): cover all LLM subsystems, enable flush, disable embeddings
Smoke-testing the first deploy uncovered three default-config issues
that no amount of Quadlet tuning would have caught:

  1. DIALECTIC subsystem ignored DERIVER_MODEL_CONFIG__*. Honcho splits
     dialectic into five reasoning levels (minimal/low/medium/high/max)
     each with its own MODEL_CONFIG that defaults to OpenAI. Without
     overrides, every /chat call fails with: ValidationException:
     Missing API key for openai model config. Now setting all five
     DIALECTIC_LEVELS__<level>__MODEL_CONFIG__* env vars to anthropic.

  2. DERIVER batches representation tasks until a token threshold is
     reached. For low-volume homelab use (one chatty operator), tasks
     can sit unprocessed forever. Add DERIVER_FLUSH_ENABLED knob,
     default true.

  3. Embeddings default to OpenAI text-embedding-3-small. Anthropic
     has no embedding API, so without an OpenAI key the embed step
     fails the entire derivation. Default EMBED_MESSAGES=false until
     a separate embedding provider is wired up (OpenAI for embeds-only
     or a local BGE endpoint on astro-orbiter).

defaults/main.yml documents all three issues and the migration path
back to embeddings when ready.
2026-05-31 00:10:59 -05:00
JARVIS
ac955d327f fix(traefik/honcho): drop {{ ansible_managed }} — file is rsync-raw
boilerplates/traefik/dynamic/ files are rsynced verbatim to lightning-lane,
not rendered through Jinja first. Traefik also processes Go-style
{{ }} templates, so a leftover {{ ansible_managed }} comment line caused
Traefik to reject the entire file with:

  ERR /etc/traefik/dynamic/honcho.yml: template: :1: function
  "ansible_managed" not defined

Other dynamic configs in this directory deliberately omit the marker;
matching that convention.
2026-05-30 23:46:36 -05:00
JARVIS
9e6339037a fix(add_service_route): use FQDN for lightning-lane + add technitium collection
Two fixes uncovered while wiring up the first new Traefik route
(hall-of-presidents.local.mk-labs.cloud for honcho):

  * traefik_host changed from 10.1.71.35 -> lightning-lane.local.mk-labs.cloud
    so wed/.ssh/config rules (Host *.local.mk-labs.cloud) match and the
    rsync step uses the right IdentityFile.

  * requirements.yml: pin effectivelywild.technitium_dns >=1.1.0 — the
    playbook depends on it but the collection was not declared. Bare
    checkouts would fail without it being installed manually.
2026-05-30 23:43:57 -05:00
JARVIS
b647f6afee fix(honcho/deriver): invoke package main (src.deriver) not module file
src/deriver/deriver.py is a helpers module with no __main__ guard —
running it directly loads it and exits cleanly in ~3s with no logs,
which is what we were seeing. The actual queue-processor entry point
is src/deriver/__main__.py (asyncio.run(run_deriver())), invoked via
"python -m src.deriver".

Discovered during honcho first-deploy on lincoln: deriver container
crash-looped (in the sense that systemd restarted it constantly) but
the underlying process was actually exiting 0 on completion of the
empty helpers module.
2026-05-30 23:37:33 -05:00