Commit Graph

271 Commits

Author SHA1 Message Date
Hermes Agent service account
f375c9567f Switch Portworx deployment to manifest-based
Remove Helm chart source (repo URL invalid). Deploy via manifests only.
Operator must be installed separately via kubectl apply.
2026-06-18 23:16:36 -05:00
Hermes Agent service account
f0400c02b6 Fix Portworx Helm repo URL and bump to v26.2
- Update repoURL to correct Portworx Helm chart location
- Bump version from 25.0.0 to 26.2.0 (latest per docs)
2026-06-18 23:09:35 -05:00
Hermes Agent service account
d1d7331238 Fix portworx-csi ArgoCD Application manifest
Remove invalid syncWaves field from syncPolicy - sync wave is controlled via annotation
2026-06-18 23:08:55 -05:00
Hermes Agent service account
459dbc5d18 Add Portworx CSI driver for Pure Storage FlashArray
- Deploy Portworx Operator + CSI driver via ArgoCD
- Support both iSCSI block and NFS file storage from FlashArray
- Integrate with 1Password External Secrets for FlashArray credentials
- Include comprehensive deployment documentation and validation script
- Storage classes: pure-block (iSCSI) and pure-file (NFS)
- Talos Linux compatible with iSCSI/multipath configuration
2026-06-18 23:08:29 -05:00
Hermes Agent service account
0e4d229df2 docs(signal-cli): document K8s networking limitation and current astro-orbiter production setup
- Production gateway on astro-orbiter VM working correctly
- K8s deployment ready but cannot complete Signal registration
- Signal servers reject WebSocket connections from K8s cluster network path
- Document migration procedure for when astro-orbiter is decommissioned
2026-06-17 23:48:17 -05:00
Hermes Agent service account
53883108d8 fix(signal-cli): run daemon in multi-account mode without --account flag
- Remove --account flag to let signal-cli auto-detect registered accounts
- Multi-account mode will find the registered +126****8840 account automatically
2026-06-17 23:15:53 -05:00
Hermes Agent service account
fcbf6ce092 fix(signal-cli): correct PVC mount path to /var/lib/signal-cli
- Mount PVC root at /var/lib/signal-cli (where data/ directory exists)
- Previous path /home/.local/share/signal-cli was incorrect nested structure
2026-06-17 23:13:18 -05:00
Hermes Agent service account
cf21863b0f fix(signal-cli): use bbernhard image with native signal-cli entrypoint override
- Use bbernhard/signal-cli-rest-api:latest (known working image)
- Override command to run /usr/bin/signal-cli directly in daemon HTTP mode
- Bypasses REST API wrapper to expose native JSON-RPC endpoint at /api/v1/rpc
2026-06-17 23:10:39 -05:00
Hermes Agent service account
653a923fa8 fix(signal-cli): use asamk/signal-cli official image with correct paths
- Switch from non-existent GitLab registry image to official asamk/signal-cli:v0.14.5
- Maintain data path at /home/.local/share/signal-cli (where data was copied from astro-orbiter)
- Remove unnecessary command override, let entrypoint handle signal-cli execution
2026-06-17 23:06:18 -05:00
Hermes Agent service account
13c819e66c feat(signal-cli): switch to native signal-cli daemon with JSON-RPC HTTP endpoint
- Replace bbernhard/signal-cli-rest-api wrapper with native signal-cli 0.14.5
- Run signal-cli daemon in HTTP mode matching astro-orbiter working config
- Expose JSON-RPC API at /api/v1/rpc for Hermes gateway compatibility
- Switch health probes from HTTP /v1/health to TCP port check
- Maintain existing PVC mount path /home/.local/share/signal-cli

This fixes the missing /api/v1/rpc endpoint that Hermes requires for
Signal message delivery.
2026-06-17 23:03:35 -05:00
Hermes Agent service account
28a653b203 feat(signal-cli): upgrade to latest image for signal-cli 0.14.x compat 2026-06-12 17:26:46 -05:00
Hermes Agent service account
cf7ab7fbe6 feat(signal-cli): enable hostNetwork for Signal WebSocket connectivity 2026-06-12 17:07:03 -05:00
Hermes Agent service account
12d0a75b3a docs(signal-cli): Add deployment documentation
Document infrastructure setup, TLS configuration, and SSL certificate status
for the Signal CLI REST API deployment at connections.local.mk-labs.cloud
2026-06-12 16:56:13 -05:00
Hermes Agent service account
668e86d7c2 feat(connections): Add Ingress with TLS and reorganize to applications/signal-cli
- Move manifests from cluster/platform/connections to cluster/applications/signal-cli
- Add Ingress for connections.local.mk-labs.cloud with cert-manager TLS
- Update ArgoCD application path to cluster/applications/signal-cli
- Configure letsencrypt-prod cluster issuer for automatic TLS certificates

This enables external HTTPS access to the Signal CLI REST API for Hermes
notifications with automatic certificate management.
2026-06-12 16:52:56 -05:00
0fb593a313 change application name and deployment location 2026-06-12 16:42:33 -05:00
Hermes Agent service account
b5dc130207 fix(connections): correct deployment naming per mk-labs convention
Deployment name: connections → signal-cli-rest-api (what it IS)
Service name: connections (unchanged - Epcot-themed role)

Updated labels throughout deployment and service selector to match.
2026-06-12 16:18:34 -05:00
Hermes Agent service account
0efa1e5125 fix(connections): Use baseline pod security to allow container initialization
- Set namespace pod-security.kubernetes.io/enforce to baseline
- Remove restrictive container securityContext
- Allows signal-cli-rest-api container to run its entrypoint script
  which requires user/group modification capabilities
2026-06-12 15:58:15 -05:00
Hermes Agent service account
34e05725dd fix(connections): Add security context and disable UID/GID modification
- Add container securityContext to satisfy PodSecurity policy
- Set SIGNAL_CLI_UID/GID to 0 to disable user modification attempts
- Fixes CrashLoopBackOff due to groupmod permission denied
2026-06-12 15:55:49 -05:00
Hermes Agent service account
b6b1bee25c fix(connections): Remove securityContext causing container startup failure
The signal-cli-rest-api container's entrypoint script requires
privileges to modify user/group settings. Removing securityContext
allows the container to run with its default settings.
2026-06-12 15:54:21 -05:00
Hermes Agent service account
3b3461fd3c feat(platform): Add connections (signal-cli-rest-api) service
- Deploy signal-cli-rest-api 0.85 for Hermes Signal notifications
- Replace broken astro-orbiter VM (10.1.71.130:8080) with K8s service
- ArgoCD-managed GitOps deployment in connections namespace
- NFS-backed persistent storage for signal-cli state
- Fixes UNREGISTERED_FAILURE affecting midday market cron job
- Epcot-themed service (communication pavilion concept)

Service endpoint: http://connections.connections.svc.cluster.local:8080
2026-06-12 15:52:49 -05:00
Hermes Agent service account
7cbed63c92 refactor(couchdb): move raw manifests to templates/ subdir
Per Tony's recommendation — eliminates the explicit include filter.
New manifests go in templates/ and are picked up automatically by ArgoCD.
No filter to update when adding future resources.

Moved: namespace.yaml, externalsecret.yaml, ingress-public.yaml -> templates/
2026-06-07 20:57:18 -05:00
Hermes Agent service account
a008e766f2 fix(couchdb): add ingress-public.yaml to ArgoCD include filter 2026-06-07 20:51:17 -05:00
Hermes Agent service account
543394a825 feat(couchdb): split internal/external ingress for correct CN per cert
- values.yaml: internal ingress only (communicore.local.mk-labs.cloud)
  CN=communicore.local.mk-labs.cloud, secret=couchdb-tls
- ingress-public.yaml: external ingress (communicore.mk-labs.cloud)
  CN=communicore.mk-labs.cloud, secret=couchdb-tls-public
  ExternalDNS opt-in annotations for Cloudflare -> ingress.mk-labs.cloud

Obsidian Sync connects externally via communicore.mk-labs.cloud;
JARVIS traffic stays internal on communicore.local.mk-labs.cloud.
2026-06-07 20:44:52 -05:00
Hermes Agent service account
23d6d75117 fix(external-dns): remove invalid --target extraArg from Technitium instance 2026-06-07 19:17:19 -05:00
Hermes Agent service account
86433a58d0 fix(external-dns): remove invalid --target flag, move to per-resource annotation
ExternalDNS v0.15.1 does not support --target as a CLI flag.
Remove the extraArgs stanza from external-dns-cloudflare values.yaml
and instead add the target annotation directly on the CouchDB ingress:
  external-dns.alpha.kubernetes.io/target: ingress.mk-labs.cloud

This achieves the same result (Cloudflare CNAME -> ingress.mk-labs.cloud)
without crashing the controller.
2026-06-07 19:08:15 -05:00
Hermes Agent service account
3344e24a48 fix(external-dns-cloudflare): correct target to ingress.mk-labs.cloud 2026-06-07 19:03:48 -05:00
Hermes Agent service account
2621bc9f36 fix(external-dns): exclude internal records from Cloudflare, add opt-in filter, set targets
- external-dns-cloudflare: add excludeDomains: [local.mk-labs.cloud] to stop
  internal subdomain records from leaking to Cloudflare
- external-dns-cloudflare: replace hostname annotationFilter with opt-in model
  (external-dns.alpha.kubernetes.io/public=true) so only explicitly tagged
  services get public Cloudflare records
- external-dns-cloudflare: add extraArgs --target=lb.mk-labs.cloud
- external-dns (Technitium/rfc2136): add extraArgs
  --target=lightning-lane.local.mk-labs.cloud for internal records
- couchdb: add external-dns.alpha.kubernetes.io/public: 'true' annotation —
  first service to opt in to public DNS; will create communicore.mk-labs.cloud
  pointing to lb.mk-labs.cloud via Cloudflare ExternalDNS

URGENT: Cloudflare was creating records for local.mk-labs.cloud hosts.
Ryan: manually delete any *.local.mk-labs.cloud records currently in Cloudflare
(look for communicore.local.mk-labs.cloud and any other local.* entries).
2026-06-07 18:57:59 -05:00
Hermes Agent service account
72de87c8c4 platform: add external-dns-cloudflare for public mk-labs.cloud zone
Deploy a second ExternalDNS instance targeting Cloudflare to manage
public DNS records in the mk-labs.cloud zone. The existing Technitium
(rfc2136) instance handling local.mk-labs.cloud is unchanged.

Components:
- application.yaml: ArgoCD Application, wave 6, namespace external-dns-cloudflare
- values.yaml: Cloudflare provider, domainFilters: mk-labs.cloud, txtOwnerId: fastpass
- externalsecret.yaml: ExternalSecret pulling CF_API_TOKEN from 1Password

PREREQUISITE (manual): Ryan must create the following in 1Password before
the ExternalSecret will sync:
  Item name:  cloudflare-external-dns
  Field name: api-token
  Value:      Cloudflare API token with DNS Edit on mk-labs.cloud

Until then, the ExternalSecret will show SecretSyncedError — expected.
2026-06-07 18:41:35 -05:00
0ef9703757 Add external url to couchdb 2026-06-07 18:28:18 -05:00
Hermes Agent service account
c137ea0881 fix(firecrawl): Change Playwright probes from HTTP to TCP
Playwright service doesn't expose a health endpoint at /, causing HTTP
probes to fail with 404. Switch to tcpSocket probes which simply verify
the port is listening. Service is already confirmed running on port 3000.
2026-06-06 19:13:36 -05:00
Hermes Agent service account
818b6505dd feat(firecrawl): Add ArgoCD Application manifest for GitOps deployment
- Add application.yaml for Firecrawl ArgoCD management
- Wave 20 (applications tier)
- Automated sync with prune and selfHeal enabled
- Manages all resources in cluster/applications/firecrawl/
- Remediates Day 5 manual deployment (kubectl apply -> GitOps)
2026-06-06 19:09:40 -05:00
Hermes Agent service account
4a1958876f Day 5: Fix worker probes and HTTPRoute gateway reference
- Changed worker deployment probes from HTTP to TCP (port 3005)
  * Worker liveness endpoint doesn't serve HTTP at '/' path
  * TCP socket check more appropriate for background worker
  * Resolves pod restart loop and readiness failures

- Corrected HTTPRoute gateway reference
  * Changed from 'gateway' in 'default' namespace
  * To 'fastpass-gateway' in 'gateway' namespace
  * HTTPRoute now properly accepted by gateway

All 7 deployments Running and Ready. System operational.
2026-06-06 18:49:52 -05:00
Hermes Agent service account
6bdb536848 firecrawl: Day 4 - Add ExternalSecret for 1Password integration
- Add ExternalSecret manifest to sync firecrawl secrets from 1Password
- Configure POSTGRES_PASSWORD and BULL_AUTH_KEY from mk-labs vault
- Add comprehensive SECRETS_SETUP.md documentation
- Verified ExternalSecrets Operator successfully synced secrets
- All 18 deployment manifests validated with dry-run

Status: firecrawl-secrets Secret created and populated correctly
2026-06-06 18:11:59 -05:00
Hermes Agent service account
6023ee25e1 feat(firecrawl): Day 3 - Complete Kubernetes manifests for Firecrawl deployment
- Created PersistentVolumeClaim for PostgreSQL (10GB, nfs-emporium)
- Created ConfigMaps for API and Playwright service configuration
- Created 7 Deployment manifests:
  * firecrawl-api (2 CPU, 4-6GB RAM)
  * firecrawl-api-worker (1 CPU, 3-4GB RAM)
  * firecrawl-api-nuq-worker (1 CPU, 3-4GB RAM)
  * firecrawl-playwright (2 CPU, 4GB RAM, 1GB tmpfs)
  * nuq-postgres (1 CPU, 2GB RAM, 10GB PVC)
  * redis (0.5 CPU, 1GB RAM)
  * rabbitmq (0.5 CPU, 1GB RAM)
- Created 5 ClusterIP Services for inter-service communication
- Created HTTPRoute for external access via Gateway API
  * Primary hostname: spaceship-earth.local.mk-labs.cloud
  * Alias: firecrawl.local.mk-labs.cloud
- All manifests validated with kubectl dry-run=client

Next steps (Day 4): Configure ExternalSecrets for 1Password integration
Next steps (Day 5): Deploy to cluster and verify functionality

Total resources: 8 CPU, 22GB RAM, 10GB storage
2026-06-06 17:43:22 -05:00
Hermes Agent service account
e5d24f557a feat(tekton): Add Firecrawl build pipelines
- firecrawl-api: Multi-stage build (Go + Node.js + Rust)
- firecrawl-playwright: Node.js + Chromium browser automation
- firecrawl-postgres: PostgreSQL 16 with pg_cron extension

All pipelines validated with successful test builds.
Images pushed to Harbor library project.

Day 2 of Firecrawl deployment complete.
2026-06-06 17:36:14 -05:00
Hermes Agent service account
f8e137b67b Tekton Phase 2 Day 3: Complete Harbor authentication and test build
- Added config.json key to harbor-credentials ExternalSecret
  This ensures kaniko can find the Docker auth config at /kaniko/.docker/config.json
  (previously only .dockerconfigjson was present)

- Created test-app-build PipelineRun manifest for validation testing

- Successfully validated end-to-end pipeline:
   git-clone Task deployed and working
   kaniko-build Task deployed and working
   container-build Pipeline deployed and working
   Harbor authentication working with robot account
   Test image built and pushed: the-seas.local.mk-labs.cloud/library/test-app:v1.0.0
   Image digest: sha256:aa143f4a01795a1d307b711108ca0c89f36e00ea38fddb9d7b2febd5fffc46d7

Pipeline test results:
- PipelineRun: test-app-build-005 - SUCCEEDED
- fetch-repository TaskRun - SUCCEEDED
- build-and-push TaskRun - SUCCEEDED

Tekton CI/CD platform is now operational and ready for production workloads.
2026-06-06 16:13:31 -05:00
Hermes Agent service account
76241e75a8 Add Tekton tasks, pipeline and test Dockerfile
- Add git-clone task for repository cloning
- Add kaniko-build task for container image builds
- Add container-build pipeline orchestrating clone + build
- Add harbor-credentials ExternalSecret for innoventions namespace
- Add test-app.Dockerfile for pipeline validation

Day 3 deliverables for Tekton Phase 2
2026-06-06 15:53:57 -05:00
Hermes Agent service account
d5ce6ff96a fix(tekton): Remove unsupported TektonConfig fields 2026-06-05 21:56:35 -05:00
Hermes Agent service account
44b1a2fb33 fix(tekton): Correct ArgoCD repo URL to Gitea 2026-06-05 21:54:42 -05:00
Hermes Agent service account
7dc1999928 feat(tekton): Day 2 - Deploy Tekton Operator and components
- Downloaded Tekton Operator v0.79.1 release manifest
- Created TektonConfig CR enabling all components in innoventions namespace
  - Pipelines v1.13.0 with OCI bundles and custom tasks
  - Triggers v0.36.0 with stable API fields
  - Dashboard v0.69.0 with read-write access
  - Addon components (cluster tasks, templates)
  - Pruner configured (keep 100, daily at 2 AM)
- Created Dashboard HTTPRoute for mission-space.local.mk-labs.cloud
  - Certificate via letsencrypt-prod ClusterIssuer
  - Routes via fastpass-gateway (Cilium Gateway API)
  - Backend: tekton-dashboard service port 9097
- Created ArgoCD Application manifest (wave 8)
  - Automated sync with prune/selfHeal
  - ServerSideApply for CRD compatibility
  - Ignore differences for operator-managed resources

Directory: cluster/platform/tekton/ (functional naming)
Namespace: innoventions (thematic naming)
DNS: mission-space.local.mk-labs.cloud

Ready for deployment to fastpass cluster.
2026-06-05 21:54:02 -05:00
Hermes Agent service account
63d480927d chore(couchdb): switch to production Let's Encrypt certificate
Replace letsencrypt-staging with letsencrypt-prod for trusted certificate.
Staging cert was causing connection resets due to certificate validation failures.
2026-06-05 20:04:38 -05:00
Hermes Agent service account
fa86fa4c9c fix(couchdb): correct ingress hostname to internal DNS zone
Change CouchDB ingress hostname from communicore.mk-labs.cloud to
communicore.local.mk-labs.cloud to align with External-DNS configuration.

CouchDB is an internal service and should use the .local.mk-labs.cloud
zone managed by Technitium DNS, not the public .mk-labs.cloud zone
managed by Cloudflare.

This ensures External-DNS will properly create the A record in the
internal DNS server.
2026-06-05 19:33:39 -05:00
Hermes Agent service account
444b597ade fix(couchdb): add erlangCookie to ExternalSecret and external-dns annotation
- Add erlangCookie field to ExternalSecret from 1Password
- Add external-dns target annotation to ingress (10.1.71.80)
- Completes CouchDB deployment configuration
2026-06-05 19:11:45 -05:00
Hermes Agent service account
c81a9b7704 fix(couchdb): remove invalid syncWaves from Application spec 2026-06-05 18:39:59 -05:00
Hermes Agent service account
6cab6519b1 feat(couchdb): deploy CouchDB for Obsidian sync (communicore) 2026-06-05 18:36:28 -05:00
Hermes Agent service account
ce992ca743 Fix ClusterSecretStore reference in Harbor ExternalSecrets
Changed from 'onepassword-store' to 'onepassword-connect' to match
the actual ClusterSecretStore name in the cluster.
2026-06-04 23:47:53 -05:00
Hermes Agent service account
092d1ac209 Document robot credential management via 1Password and ExternalSecrets
Updated README to reflect the full workflow:
1. Robot account creation via Job
2. Secret regeneration and capture
3. Storage in 1Password (harbor-robot-accounts item)
4. Automatic sync via ExternalSecrets to K8s
2026-06-04 23:44:00 -05:00
Hermes Agent service account
6acf2f9944 Add ExternalSecrets for Harbor robot account credentials
Creates two docker-registry secrets from 1Password:
1. harbor-tekton-robot - for Tekton CI/CD pipeline push/pull
2. harbor-pull-secret - for fastpass cluster image pulls

Both sync from 1Password item 'harbor-robot-accounts' with fields:
- tekton-builder-username / tekton-builder-password
- fastpass-cluster-username / fastpass-cluster-password

Credentials document placed in PKA inbox for manual 1Password entry.
Once stored, ESO will automatically sync and create the secrets.
2026-06-04 23:43:37 -05:00
Hermes Agent service account
8d18f42b2e Update Harbor README with robot accounts documentation
Documents robot account management via GitOps:
- tekton-builder and fastpass-cluster robot accounts
- Manual Job execution (PostSync hooks don't work with multi-source)
- Credential retrieval and storage in 1Password
- ImagePullSecret creation for K8s clusters
2026-06-04 23:38:50 -05:00
Hermes Agent service account
152f10ed8b Add ArgoCD PostSync hook for Harbor robot accounts
Manages robot accounts declaratively via GitOps:
- tekton-builder: push/pull access for CI/CD pipelines
- fastpass-cluster: pull-only access for K8s image pulls

Implementation:
- Kubernetes Job with argocd.argoproj.io/hook: PostSync annotation
- Idempotent: checks if accounts exist before creating
- Uses harbor-credentials ExternalSecret for admin password
- BeforeHookCreation deletion policy for clean reruns

Replaces manual robot account creation via Harbor API.
2026-06-04 23:35:45 -05:00