Commit Graph

265 Commits

Author SHA1 Message Date
Hermes Agent service account
511f32e521 fix(harbor): correct HTTPRoute backend port (8080) 2026-06-04 21:21:32 -05:00
Hermes Agent service account
87a3e84f5b fix(harbor): correct HTTPRoute backend service name (the-seas) 2026-06-04 21:20:06 -05:00
Hermes Agent service account
1743145e9f fix(harbor): disable TLS in expose config (Gateway API handles TLS) 2026-06-04 21:12:00 -05:00
Hermes Agent service account
d561ac6e04 fix: Remove invalid configureUserSettings from harbor-core
The configureUserSettings field contained nginx configuration
('http2_push_preload on;') which was incorrectly being used as
CONFIG_OVERWRITE_JSON. This caused harbor-core to crash with a
JSON parse error.

CONFIG_OVERWRITE_JSON expects valid JSON for Harbor configuration
overrides, not nginx snippets. Removing this field to fix the
CrashLoopBackOff.
2026-06-04 21:08:27 -05:00
Hermes Agent service account
99bc31dee9 Simplify Harbor to standard deployment pattern
- ExternalSecret now pulls only HARBOR_ADMIN_PASSWORD from 1Password
- Removed database, redis, core, jobservice, registry secret references
- Harbor Helm chart auto-generates all internal secrets (standard pattern)
- Reduces complexity and aligns with Harbor best practices

This change removes dependency on 5 1Password fields that should be deleted:
- database-password
- redis-password
- core-secret
- jobservice-secret
- registry-password

Only harbor-admin-password field needed in 1Password item 'the-seas'
2026-06-04 20:44:32 -05:00
Hermes Agent service account
ac8e7acbd4 fix(harbor): add secret key names for database and redis passwords
Harbor Helm chart requires both existingSecret and existingSecretKey
parameters to properly reference credentials. Without the key names,
the chart creates secrets with empty passwords, causing authentication
failures between components.

Added:
- database.internal.existingSecretKey: DATABASE_PASSWORD
- redis.internal.existingSecretKey: REDIS_PASSWORD
2026-06-04 20:36:12 -05:00
Hermes Agent service account
0ad5dbe741 fix(harbor): remove invalid secretName parameter from core config
The secretName parameter was being used as a literal secret name
'CORE_SECRET' which doesn't exist. This caused harbor-core pods to
fail mounting volumes.

The correct approach is to use existingSecret for credential keys,
and let Harbor manage its own internal secrets.
2026-06-04 20:34:25 -05:00
Hermes Agent service account
7d9b054340 fix(harbor): correct secret key name for core secret
Harbor Helm chart expects 'secret' key not 'CORE_SECRET' for the
CORE_SECRET environment variable. This was causing jobservice pod
to fail with CreateContainerConfigError.

Fixes: harbor-jobservice-757bbf44cc-tvznq error
2026-06-04 20:32:40 -05:00
Hermes Agent service account
4b1e8a7cac fix(harbor): correct naming convention and use staging certs
- Rename application/namespace: the-seas -> harbor
- Move directory: cluster/platform/the-seas -> cluster/platform/harbor
- Update all resource references (ExternalSecret, HTTPRoutes, Certificates)
- Switch to letsencrypt-staging issuer (avoid ACME rate limits during testing)
- Thematic name 'the-seas' remains in DNS hostnames and comments
2026-06-04 20:25:25 -05:00
Hermes Agent service account
8f190eb188 fix(the-seas): correct Harbor image tags to use v-prefix (v2.15.1)
Docker Hub Harbor images use v-prefix format (v2.15.1) not semantic
version format (2.15.1). Updated all component image tags to v2.15.1.
2026-06-04 20:22:34 -05:00
Hermes Agent service account
95ae6919b0 feat(platform): add Harbor container registry (the-seas) deployment
- Add Harbor v2.15.1 (chart 1.19.1) deployment to wave 7
- Service name: the-seas (EPCOT: The Seas with Nemo & Friends)
- Architecture: Embedded PostgreSQL, embedded Redis, single instance
- Storage: NFS via nfs-emporium StorageClass (130Gi total)
- Expose via Gateway API with dual DNS names
- Primary: the-seas.local.mk-labs.cloud
- Alternate: harbor.local.mk-labs.cloud
- ExternalSecret for 1Password integration (6 secrets)
- All image tags pinned to 2.15.1
- Resource requests/limits configured for homelab
- Multi-source ArgoCD application pattern
- TLS certificates via cert-manager (Let's Encrypt)
- Metrics and Trivy scanning enabled

Components:
- Portal, Core, Registry, JobService (1 replica each)
- Embedded PostgreSQL and Redis
- NGINX reverse proxy
- Trivy vulnerability scanner
- Prometheus metrics exporter

Refs: /mnt/mk-labs-pka/tony-stark-inbox/harbor-phase1-deployment.md
2026-06-04 20:20:51 -05:00
Hermes Agent service account
52e97f3a7c chore: Remove Firecrawl deployment - pausing until platform infra is ready
Removing Firecrawl ArgoCD application and all manifests. The deployment
was failing due to missing container images that need to be built from
source. This requires platform infrastructure we don't have yet.

Will return to Firecrawl deployment after Harbor registry and Tekton
pipelines are deployed and configured.

Note: ArgoCD also needs a thematic EPCOT name at some point.
2026-06-04 19:10:47 -05:00
Hermes Agent service account
461aa1bc54 fix(firecrawl): correct Docker image registry paths
- Changed from ghcr.io/mendableai/* to ghcr.io/firecrawl/*
- Updated all three services: main API, playwright-service, and nuq-postgres
- Changed tag from v1.0.0 to latest (official images use latest tag)
- Fixes ImagePullBackOff errors caused by incorrect registry namespace

Per official Firecrawl docker-compose.yaml, images are published under
ghcr.io/firecrawl/, not ghcr.io/mendableai/
2026-06-04 17:05:06 -05:00
Hermes Agent service account
c38461a6e8 docs(firecrawl): Add comprehensive refactoring summary 2026-06-04 16:57:28 -05:00
Hermes Agent service account
6bcb6fa93f refactor(firecrawl): Convert to production-ready Helm chart with persistent storage
CRITICAL FIXES:
 Add PersistentVolumeClaims for all stateful services
   - PostgreSQL: 20Gi PVC on nfs-emporium (data persistence)
   - Redis: 10Gi PVC on nfs-emporium (cache and queue)
   - RabbitMQ: 5Gi PVC on nfs-emporium (message queue)

 Pin all image versions (no more 'latest' tags)
   - Firecrawl API/Worker: v1.0.0
   - Playwright Service: v1.0.0
   - PostgreSQL (nuq-postgres): v1.0.0
   - Redis: 7.4.1-alpine
   - RabbitMQ: 3.13.7-management-alpine

 Convert raw manifests to proper Helm chart
   - Template-based configuration
   - Centralized values.yaml
   - Proper Helm helpers and labels
   - Easy configuration management

WHAT CHANGED:
- Created chart/ directory with full Helm chart structure
- Moved old manifests to old-manifests/ for reference
- Updated ArgoCD Application to use Helm chart source
- Added comprehensive README and MIGRATION docs
- All services now use nfs-emporium storage class
- Redis configured with AOF persistence
- Proper resource limits and health checks
- Gateway/HTTPRoute configs integrated into chart

DEPLOYMENT:
ArgoCD will automatically sync and apply changes.
Old ephemeral data will be lost (fresh start with persistence).

Resolves data loss issues and brings deployment to production standards.
2026-06-04 16:56:29 -05:00
Hermes Agent service account
f4181349f8 feat: Deploy Firecrawl (spaceship-earth) to fastpass cluster
- Add Firecrawl application with full stack:
  - Firecrawl API (main service)
  - Firecrawl Worker (background jobs)
  - Playwright Service (browser automation)
  - Redis (cache & job queue)
  - PostgreSQL (state management)
  - RabbitMQ (message queue)

- Configure dual DNS names:
  - Primary: spaceship-earth.local.mk-labs.cloud (EPCOT theme)
  - Secondary: firecrawl.local.mk-labs.cloud

- Add Gateway API HTTPRoutes with TLS certificates
- Update ReferenceGrant for firecrawl namespace
- Configure ArgoCD application (wave 20)
- Set USE_DB_AUTHENTICATION=false for internal deployment

This provides JARVIS with web scraping and search capabilities.
2026-06-04 16:40:12 -05:00
bb5a57e909 remove jarvis deployment 2026-05-25 21:16:52 -05:00
9f3d81729d fix(jarvis): run as root for NFS compat, add namespace PSA baseline label 2026-05-25 20:43:03 -05:00
064d3e8b3d fix(jarvis): move runAsNonRoot to container level, allow init container to run as root for chown 2026-05-25 20:39:39 -05:00
ef7e3c61ed fix(jarvis): add init container to fix PVC ownership for UID 10000 2026-05-25 20:37:01 -05:00
64951e1e5e fix(jarvis): use args not command for hermes entrypoint 2026-05-25 20:35:32 -05:00
58931732f7 fix(jarvis): correct hermes entrypoint command 2026-05-25 20:31:46 -05:00
be8e50d590 deploy hermes 2026-05-25 20:21:24 -05:00
e309acd67d fix typo 2026-05-24 21:15:08 -05:00
4e7f14ea5a additional service name changes 2026-05-24 21:12:10 -05:00
b79f0505b7 update pbs to timekeeper 2026-05-24 19:46:19 -05:00
045ac85353 update glance configmap 2026-05-24 19:43:13 -05:00
60af4304b6 fix url 2026-05-24 18:35:52 -05:00
96e946ac09 change to https 2026-05-24 18:33:16 -05:00
6584ed9dc4 added glance dashboard 2026-05-24 17:04:49 -05:00
3017c27910 fix port 2026-05-19 23:03:49 -05:00
c25c2a25ad update referencegrant 2026-05-19 22:41:41 -05:00
0476e489d4 more 2026-05-19 22:35:05 -05:00
bf0d7a20a7 update gateway 2026-05-19 22:31:22 -05:00
ed0091cd05 adjust session duration 2026-05-19 22:25:00 -05:00
402f93ab38 add ingnore 2026-05-19 22:16:31 -05:00
8944da8c99 folder rename 2026-05-19 22:06:48 -05:00
d671700466 deploy headlamp 2026-05-19 22:00:34 -05:00
562e102a9b enable metrics 2026-05-19 21:34:46 -05:00
f4c60d7560 add grafana dashboards 2026-05-19 21:12:54 -05:00
0dae8327eb update prometheus scrape 2026-05-18 22:57:07 -05:00
39b7b91f45 update snmp exporter 2026-05-18 22:32:13 -05:00
a7f77514d6 additional monitoring scrapes 2026-05-18 22:28:14 -05:00
b45dcea4c3 update gateway spec 2026-05-18 22:01:18 -05:00
2ed70b4964 Deploy monitoring stack 2026-05-18 21:42:32 -05:00
dbf0b18f07 authentik for argo 2026-05-18 19:43:21 -05:00
1cfc9b5f5d align gateway spec 2026-05-18 19:28:50 -05:00
c8f75bef8a fix referencegrant 2026-05-18 19:25:41 -05:00
fc171b48e9 deploy gateway 2026-05-18 19:11:42 -05:00
5504d0c6f4 add gateway to external dns 2026-05-18 18:15:33 -05:00