Phase 3a of telegram-notify migration: each syncs TELEGRAM_BOT_TOKEN/
TELEGRAM_CHAT_ID from shared homelab/prod /telegram via read-only
infisical-operator/infisical-auth, into parallel-name telegram-notify-infisical.
Old plaintext secrets + hooks untouched (repoint=3b, removal=3c).
polymarket-bot: standalone secret only; bot-secrets copy is migration #3.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The PostSync hook now reads telegram-notify-infisical (synced from
homelab/prod /telegram). Deleting this manifest prunes the old plaintext
secret — the bot token leaves git for researchowl. Security win.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Both secretKeyRefs (TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID) now read the
Infisical-managed secret instead of the plaintext-in-git telegram-notify.
Old secret stays as fallback until 3c removes its manifest.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Syncs TELEGRAM_BOT_TOKEN/TELEGRAM_CHAT_ID from shared homelab/prod /telegram
via the read-only infisical-operator/infisical-auth. Targets parallel-name
telegram-notify-infisical; old plaintext telegram-notify stays live until the
hook is repointed (3b) and the old manifest removed (3c).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
api/bot: imagePullSecrets gitea-registry -> gitea-registry-infisical.
dashboard: add gitea-registry-infisical (previously had NO pull secret
despite pulling a private image — fixes latent ErrImagePull-on-reschedule
bug). Old gitea-registry stays as rollback net until decommission.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Reconstructs the dockerconfigjson pull secret from the shared /registry v3
fields (GITEA_REGISTRY_USERNAME/GITEA_REGISTRY_TOKEN) via the shared
infisical-operator/infisical-auth. Targets parallel-name
gitea-registry-infisical; old gitea-registry stays live until cutover.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
imagePullSecrets: gitea-registry -> gitea-registry-infisical (the
InfisicalStaticSecret-managed dockerconfigjson). Old gitea-registry stays
as rollback net until decommission.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Reconstructs the dockerconfigjson pull secret from the discrete
GITEA_REGISTRY_USERNAME/GITEA_REGISTRY_TOKEN fields at homelab/prod /registry,
via the shared infisical-operator/infisical-auth. Targets parallel-name
gitea-registry-infisical; old gitea-registry stays live until cutover.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Phase 2: GitOps-managed shared auth layer in infisical-operator ns —
InfisicalConnection (https://infisical.chemavx.xyz) + InfisicalAuth
(kubernetes method, operator SA via TokenReview) + identity-ID Secret
(non-secret UUID; auth is via SA token, so safe in git). To be referenced
cross-namespace by per-app InfisicalStaticSecret CRs later. No real secret yet.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Phase 2 Step 2: dedicated SA infisical-token-reviewer bound to
system:auth-delegator (TokenReview), explicit long-lived SA token Secret
(k8s 1.34 doesn't auto-create). ArgoCD ignores /data so selfHeal won't
strip the controller-populated token. Token value never committed.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The multi-source variant ($values git ref) caused the infisical app to
prune its own Application object on first sync (controller pruned
Application/argocd/infisical, orphaning the workloads). Switch to a
single-source Helm app with inline valuesObject (same chart 1.9.0, same
DB/Redis passwords) and drop the hand-written tracking-id annotation.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Deploy infisical-standalone 1.9.0 (Infisical v0.158.0) in a dedicated
'infisical' namespace via a multi-source ArgoCD app (chart + values).
Bundled Postgres (dedicated local-path PVC, 8Gi) + Redis. Ingress via
Traefik + cert-manager (letsencrypt-prod) at infisical.chemavx.xyz.
Crown-jewel secrets (ENCRYPTION_KEY, AUTH_SECRET, SITE_URL) are injected
out-of-band via the 'infisical-secrets' Secret (kubectl, IgnoreExtraneous),
NOT in git. Postgres/Redis passwords guard ClusterIP-only in-cluster
services holding ciphertext; acceptable in values per design review.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The dockerconfigjson held the old account password (now rotated/revoked)
in plaintext. Manage this image-pull secret out-of-band via kubectl
(like researchowl), so no registry credential lives in git going forward.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
A ConfigMap volume is read-only at the FS level, so the Ghost entrypoint's
chown -R on content/ failed ("Read-only file system") and crash-looped.
Copy redirects.yaml onto the writable PVC with an initContainer instead;
still GitOps-sourced and refreshed on every pod start.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Recover ~454 GSC impressions stranded on a 404. Adds a ghost-en-redirects
ConfigMap (content/data/redirects.yaml) 301-redirecting the old slug
/pentagon-second-uap-declassification-may-2026-apollo-12-sandia/ to the
live /pentagon-uap-second-release-may-2026/. Mounted read-only via subPath
so it survives content PVC recreation.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
OLLAMA_EMBED_MODEL=nomic-embed-text (antes embed() caía en qwen2.5:3b,
un modelo de chat). Modelo ya descargado en Ollama. Mejora la calidad
del RAG (vectores de embeddings reales de 768 dims).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Same protection already given to polymarket-bot postgres and n8n: without
it, removing a PVC manifest from git (rename, multi-doc refactor) would
make ArgoCD destroy the volume and its data.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The real manifest is researchowl/argocd-app.yaml, self-managed inside the
app's own synced path; edits to this copy get silently reverted by selfHeal.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
researchowl/argocd-app.yaml lives inside the app's own synced path, so it is
the source of truth: annotations applied only to the live object (or to the
argocd/ dump copy) get reverted by selfHeal.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- Notifications via generic webhook to the Telegram Bot API: the engine's
native telegram service only supports channels and negative group IDs,
so a positive private chat_id never worked ("chat not found").
- Only on-sync-failed and on-health-degraded triggers; on-sync-succeeded
dropped (CI already reports successful deploys).
- Subscribe annotations on polymarket-bot, researchowl and n8n.
- prune: true on polymarket-bot, guarded by Prune=false on the postgres
PVC so removing the manifest from git can never destroy the data.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The bot snapshots metrics every cycle (~1,300 rows/day, 74K rows in 57
days) but only the last snapshot of each past UTC day is ever read back.
Prune past days to their daily close at 00:10 UTC; today's rows are kept
intact for /api/summary.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The old ROOT_URL (gitea.chemavx.xyz) is not routed by traefik, so every
URL Gitea generated from it was broken — including webhook payload repo
URLs, which is why ArgoCD ignored real push events (host mismatch) and
deploys waited for the ~3min polling cycle. Applied live on 2026-06-12.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- Update the 5 Applications that still pointed at the internal Gitea URL
(gitea.gitea.svc.cluster.local) to https://git.chemavx.xyz, matching the
live patch that made the Gitea->ArgoCD webhook effective for them.
- Add the 9 Applications that existed only in the cluster (filebrowser,
ghost-en, k8s-manifests, ollama, renovate, researchowl, trilium, umami,
zona-exclusion) so a cluster rebuild can restore all 14 from git.
Files are verbatim dumps of the live spec. Note: the old
application-polymarket-bot.yaml and application-n8n.yaml in git carried
telegram notification annotations and prune:true that were NOT live; this
snapshot replaces them with what actually runs.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>