Phase 3c of migration #2: drop the Secret stanza from auth.yaml; the Middleware
stays and references filebrowser-auth-infisical (synced from homelab/prod
/filebrowser). ArgoCD prunes the old plaintext filebrowser-auth secret — the
bcrypt htpasswd leaves git. Completes migration #2.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Phase 3b of migration #2: Middleware.spec.basicAuth.secret now references the
Infisical-managed secret. Secret stanza in auth.yaml left in place as fallback
until 3b is verified (401 w/o creds, 200 w/ creds), then removed in 3c.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Phase 3a of migration #2: syncs FILEBROWSER_USERS from homelab/prod /filebrowser
via read-only infisical-operator/infisical-auth, template-remapped to the
lowercase 'users' key Traefik basic-auth requires, into parallel-name
filebrowser-auth-infisical. Old plaintext filebrowser-auth secret + the Traefik
Middleware untouched (repoint=3b, removal of the Secret stanza=3c).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Phase 3c: hooks now read telegram-notify-infisical (synced from homelab/prod
/telegram). Deleting these 4 manifests prunes the old plaintext secrets — the
bot token leaves git for the remaining 4 namespaces. Completes migration #1.
NOTE: polymarket-bot/bot-secrets still embeds the same token (migration #3).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Phase 3b: all 4 hooks' secretKeyRefs now read the Infisical-managed secret.
Old plaintext telegram-notify secrets stay as fallback until 3c.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Phase 3a of telegram-notify migration: each syncs TELEGRAM_BOT_TOKEN/
TELEGRAM_CHAT_ID from shared homelab/prod /telegram via read-only
infisical-operator/infisical-auth, into parallel-name telegram-notify-infisical.
Old plaintext secrets + hooks untouched (repoint=3b, removal=3c).
polymarket-bot: standalone secret only; bot-secrets copy is migration #3.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The PostSync hook now reads telegram-notify-infisical (synced from
homelab/prod /telegram). Deleting this manifest prunes the old plaintext
secret — the bot token leaves git for researchowl. Security win.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Both secretKeyRefs (TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID) now read the
Infisical-managed secret instead of the plaintext-in-git telegram-notify.
Old secret stays as fallback until 3c removes its manifest.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Syncs TELEGRAM_BOT_TOKEN/TELEGRAM_CHAT_ID from shared homelab/prod /telegram
via the read-only infisical-operator/infisical-auth. Targets parallel-name
telegram-notify-infisical; old plaintext telegram-notify stays live until the
hook is repointed (3b) and the old manifest removed (3c).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
api/bot: imagePullSecrets gitea-registry -> gitea-registry-infisical.
dashboard: add gitea-registry-infisical (previously had NO pull secret
despite pulling a private image — fixes latent ErrImagePull-on-reschedule
bug). Old gitea-registry stays as rollback net until decommission.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Reconstructs the dockerconfigjson pull secret from the shared /registry v3
fields (GITEA_REGISTRY_USERNAME/GITEA_REGISTRY_TOKEN) via the shared
infisical-operator/infisical-auth. Targets parallel-name
gitea-registry-infisical; old gitea-registry stays live until cutover.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
imagePullSecrets: gitea-registry -> gitea-registry-infisical (the
InfisicalStaticSecret-managed dockerconfigjson). Old gitea-registry stays
as rollback net until decommission.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Reconstructs the dockerconfigjson pull secret from the discrete
GITEA_REGISTRY_USERNAME/GITEA_REGISTRY_TOKEN fields at homelab/prod /registry,
via the shared infisical-operator/infisical-auth. Targets parallel-name
gitea-registry-infisical; old gitea-registry stays live until cutover.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Phase 2: GitOps-managed shared auth layer in infisical-operator ns —
InfisicalConnection (https://infisical.chemavx.xyz) + InfisicalAuth
(kubernetes method, operator SA via TokenReview) + identity-ID Secret
(non-secret UUID; auth is via SA token, so safe in git). To be referenced
cross-namespace by per-app InfisicalStaticSecret CRs later. No real secret yet.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Phase 2 Step 2: dedicated SA infisical-token-reviewer bound to
system:auth-delegator (TokenReview), explicit long-lived SA token Secret
(k8s 1.34 doesn't auto-create). ArgoCD ignores /data so selfHeal won't
strip the controller-populated token. Token value never committed.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The multi-source variant ($values git ref) caused the infisical app to
prune its own Application object on first sync (controller pruned
Application/argocd/infisical, orphaning the workloads). Switch to a
single-source Helm app with inline valuesObject (same chart 1.9.0, same
DB/Redis passwords) and drop the hand-written tracking-id annotation.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Deploy infisical-standalone 1.9.0 (Infisical v0.158.0) in a dedicated
'infisical' namespace via a multi-source ArgoCD app (chart + values).
Bundled Postgres (dedicated local-path PVC, 8Gi) + Redis. Ingress via
Traefik + cert-manager (letsencrypt-prod) at infisical.chemavx.xyz.
Crown-jewel secrets (ENCRYPTION_KEY, AUTH_SECRET, SITE_URL) are injected
out-of-band via the 'infisical-secrets' Secret (kubectl, IgnoreExtraneous),
NOT in git. Postgres/Redis passwords guard ClusterIP-only in-cluster
services holding ciphertext; acceptable in values per design review.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The dockerconfigjson held the old account password (now rotated/revoked)
in plaintext. Manage this image-pull secret out-of-band via kubectl
(like researchowl), so no registry credential lives in git going forward.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
A ConfigMap volume is read-only at the FS level, so the Ghost entrypoint's
chown -R on content/ failed ("Read-only file system") and crash-looped.
Copy redirects.yaml onto the writable PVC with an initContainer instead;
still GitOps-sourced and refreshed on every pod start.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Recover ~454 GSC impressions stranded on a 404. Adds a ghost-en-redirects
ConfigMap (content/data/redirects.yaml) 301-redirecting the old slug
/pentagon-second-uap-declassification-may-2026-apollo-12-sandia/ to the
live /pentagon-uap-second-release-may-2026/. Mounted read-only via subPath
so it survives content PVC recreation.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Same protection already given to polymarket-bot postgres and n8n: without
it, removing a PVC manifest from git (rename, multi-doc refactor) would
make ArgoCD destroy the volume and its data.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The real manifest is researchowl/argocd-app.yaml, self-managed inside the
app's own synced path; edits to this copy get silently reverted by selfHeal.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
researchowl/argocd-app.yaml lives inside the app's own synced path, so it is
the source of truth: annotations applied only to the live object (or to the
argocd/ dump copy) get reverted by selfHeal.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- Notifications via generic webhook to the Telegram Bot API: the engine's
native telegram service only supports channels and negative group IDs,
so a positive private chat_id never worked ("chat not found").
- Only on-sync-failed and on-health-degraded triggers; on-sync-succeeded
dropped (CI already reports successful deploys).
- Subscribe annotations on polymarket-bot, researchowl and n8n.
- prune: true on polymarket-bot, guarded by Prune=false on the postgres
PVC so removing the manifest from git can never destroy the data.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Brings the existing manually-applied ghost-en (theexclusionzone.com)
into the GitOps repo. Adds redirect-to-www-https middleware to fix the
Google Search Console redirect issue: non-www now 301s to https://www
instead of serving duplicate content.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Extract readyReplicas OR availableReplicas (k8s omits readyReplicas when 0)
- Also accept MinimumReplicasAvailable condition as ready signal
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Create telegram-notify secret in n8n, portfolio, polymarket-bot, researchowl, openclaw
namespaces (values mirrored from monitoring/grafana-telegram)
- Update existing smoke tests (n8n, portfolio, polymarket-bot) to send [OK]/[FAIL]
Telegram notifications on success/failure
- Add postsync-smoke-test for openclaw (curl GET / on port 18789)
- Add postsync-smoke-test for researchowl (no HTTP port; checks readyReplicas via
k8s API using a smoke-test-reader ServiceAccount + Role + RoleBinding)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add ze-manual-html ConfigMap serving ze-manual.html at /ze/index.html
- Mount ze-manual-html in nginx at /usr/share/nginx/html/ze
- Add Projects section in portfolio index with ze card linking to /ze
ArgoCD sobreescribía zona-exclusion-secrets con REPLACE_ME.
El secret se gestiona manualmente con annotation Prune=false.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Añade ignoreDifferences para /data del Secret y
RespectIgnoreDifferences=true para que el sync no aplique
el recurso cuando la única diferencia es en los datos del secret.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add ANTHROPIC_API_KEY from secret for Claude Haiku relevance scoring
- Fix OLLAMA_URL to internal k8s DNS (ollama.ollama.svc.cluster.local)
- Remove Secret resource (was causing ArgoCD to overwrite with REPLACE_ME)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Deleted open-webui namespace, deployment, service, ingress, and PVC
from cluster (replaced by OpenClaw using Claude API)
- Removed openclaw PVC and RBAC manifests no longer needed
- Removed Uptime Kuma monitor for chat.chemavx.xyz
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Each alert rule's summary annotation now renders a formatted Telegram
message with emoji and multiline context. The contact point passes the
pre-rendered summary through, adding "✅ Resuelto" on resolution.
Also restores the == 1 filter on Pod Failed/Unknown lost in prior rebase.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add hostPath volume for /var/lib/rancher/k3s/server/db (readOnly)
- Script copies state.db + WAL files → k3s-db_<date>.tar.gz in /data/backups/backups/
- Rotation: keeps last 7 copies (same policy as other services)
- rclone-mega-backup picks it up automatically (syncs full /data/backups/backups/)
- Also tracks the CronJob manifest in git (was previously untracked)
Note: k3s uses SQLite/kine (not embedded etcd). etcd-snapshot is disabled.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Configure argocd-notifications-cm with Telegram service, templates and triggers
for sync-succeeded, sync-failed, and app-degraded events
- Add application-polymarket-bot.yaml and application-n8n.yaml with notification
subscription annotations (chat_id: 5138407666)
Note: requires kubectl patch of argocd-notifications-secret with telegram-token
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
El config dir de OpenClaw es /home/node/.openclaw, no /data.
Monta el PVC en la ruta correcta para que openclaw.json persista.
Elimina OPENCLAW_DATA_DIR (no era el config dir).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Manifiestos limpios: namespace, rbac, pvc (5Gi local-path), deployment, service, ingress
- nodeSelector chemavx-k8 en deployment para fijar PVC en el nodo correcto
- Imagen fijada a ghcr.io/openclaw/openclaw:2026.4.12
- Sin initContainers ni secrets en el deployment (config post-arranque via exec)
- Elimina artefactos: configmap-kube-root-ca.crt.yaml, serviceaccount-default.yaml, pvc-openclaw-pvc.yaml, rbac-openclaw-agent.yaml
- Añade argocd/application-openclaw.yaml para gestión GitOps
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Deploy registry:2 as Docker Hub pull-through cache on chemavx-k8 (hostPort 5000,
ClusterIP 10.43.163.56:5000). Configures dind runner to use local mirror via
daemon.json to eliminate Docker Hub rate limit failures in CI/CD.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
RollingUpdate caused rollout deadlocks because the PVC (ReadWriteOnce)
cannot be mounted by two pods simultaneously.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Switch from ollama/ollama:rocm + amd.com/gpu to standard CUDA image + nvidia.com/gpu.
RTX 3060 (GA106, 12GB) now used via NVIDIA GPU Operator on chemavx-k8.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>