3a of the researchowl-secrets centralization. Adds researchowl-secrets-infisical
synced from homelab/prod /researchowl (5 lowercase-hyphenated keys, passthrough).
Parallel name — old out-of-band researchowl-secrets stays live until 3c.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Old out-of-band zona-exclusion-secrets deleted (kubectl); SMTP now sourced from
Infisical-backed zona-exclusion-secrets-infisical. Remove the obsolete /data
ignoreDifferences stanza from both app manifests.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
InfisicalStaticSecret syncs shared /smtp-gmail -> zona-exclusion-secrets-infisical,
template-remapping UPPER_SNAKE -> hyphenated lowercase smtp-user/smtp-pass to match
the deployment secretKeyRef. Old secret stays live until 3c.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Old out-of-band ghost-en-smtp secret deleted (kubectl); SMTP now sourced from
Infisical-backed ghost-en-smtp-infisical. Remove the now-obsolete /data
ignoreDifferences stanza from both app manifests.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
mail__options__auth__user/pass secretKeyRef
ghost-en-smtp -> ghost-en-smtp-infisical
Recreate roll picks up the Infisical-synced credentials.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
InfisicalStaticSecret syncs shared /smtp-gmail -> ghost-en-smtp-infisical
(parallel name, passthrough SMTP_USER/SMTP_PASS). Old secret stays live until 3c.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
InfisicalStaticSecret syncs /gitea-runner -> gitea-runner-secret-infisical
(parallel name). Out-of-band: created via kubectl apply; commit is for record.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
7th and final copy of the Telegram bot token leaving git. monitoring is
out-of-band (not ArgoCD-managed), so the live secret is pruned manually with
kubectl. Grafana already reads grafana-telegram-infisical (from /telegram).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Last plaintext secret leaving git; the 6th/last copy of the Telegram token.
ArgoCD prunes the live bot-secrets Secret (and its cleartext
last-applied-configuration annotation). Consumers already on bot-secrets-infisical.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Phase 3c of migration #2: drop the Secret stanza from auth.yaml; the Middleware
stays and references filebrowser-auth-infisical (synced from homelab/prod
/filebrowser). ArgoCD prunes the old plaintext filebrowser-auth secret — the
bcrypt htpasswd leaves git. Completes migration #2.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Phase 3b of migration #2: Middleware.spec.basicAuth.secret now references the
Infisical-managed secret. Secret stanza in auth.yaml left in place as fallback
until 3b is verified (401 w/o creds, 200 w/ creds), then removed in 3c.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Phase 3a of migration #2: syncs FILEBROWSER_USERS from homelab/prod /filebrowser
via read-only infisical-operator/infisical-auth, template-remapped to the
lowercase 'users' key Traefik basic-auth requires, into parallel-name
filebrowser-auth-infisical. Old plaintext filebrowser-auth secret + the Traefik
Middleware untouched (repoint=3b, removal of the Secret stanza=3c).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Phase 3c: hooks now read telegram-notify-infisical (synced from homelab/prod
/telegram). Deleting these 4 manifests prunes the old plaintext secrets — the
bot token leaves git for the remaining 4 namespaces. Completes migration #1.
NOTE: polymarket-bot/bot-secrets still embeds the same token (migration #3).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Phase 3b: all 4 hooks' secretKeyRefs now read the Infisical-managed secret.
Old plaintext telegram-notify secrets stay as fallback until 3c.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Phase 3a of telegram-notify migration: each syncs TELEGRAM_BOT_TOKEN/
TELEGRAM_CHAT_ID from shared homelab/prod /telegram via read-only
infisical-operator/infisical-auth, into parallel-name telegram-notify-infisical.
Old plaintext secrets + hooks untouched (repoint=3b, removal=3c).
polymarket-bot: standalone secret only; bot-secrets copy is migration #3.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The PostSync hook now reads telegram-notify-infisical (synced from
homelab/prod /telegram). Deleting this manifest prunes the old plaintext
secret — the bot token leaves git for researchowl. Security win.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Both secretKeyRefs (TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID) now read the
Infisical-managed secret instead of the plaintext-in-git telegram-notify.
Old secret stays as fallback until 3c removes its manifest.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Syncs TELEGRAM_BOT_TOKEN/TELEGRAM_CHAT_ID from shared homelab/prod /telegram
via the read-only infisical-operator/infisical-auth. Targets parallel-name
telegram-notify-infisical; old plaintext telegram-notify stays live until the
hook is repointed (3b) and the old manifest removed (3c).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
api/bot: imagePullSecrets gitea-registry -> gitea-registry-infisical.
dashboard: add gitea-registry-infisical (previously had NO pull secret
despite pulling a private image — fixes latent ErrImagePull-on-reschedule
bug). Old gitea-registry stays as rollback net until decommission.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Reconstructs the dockerconfigjson pull secret from the shared /registry v3
fields (GITEA_REGISTRY_USERNAME/GITEA_REGISTRY_TOKEN) via the shared
infisical-operator/infisical-auth. Targets parallel-name
gitea-registry-infisical; old gitea-registry stays live until cutover.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
imagePullSecrets: gitea-registry -> gitea-registry-infisical (the
InfisicalStaticSecret-managed dockerconfigjson). Old gitea-registry stays
as rollback net until decommission.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Reconstructs the dockerconfigjson pull secret from the discrete
GITEA_REGISTRY_USERNAME/GITEA_REGISTRY_TOKEN fields at homelab/prod /registry,
via the shared infisical-operator/infisical-auth. Targets parallel-name
gitea-registry-infisical; old gitea-registry stays live until cutover.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Phase 2: GitOps-managed shared auth layer in infisical-operator ns —
InfisicalConnection (https://infisical.chemavx.xyz) + InfisicalAuth
(kubernetes method, operator SA via TokenReview) + identity-ID Secret
(non-secret UUID; auth is via SA token, so safe in git). To be referenced
cross-namespace by per-app InfisicalStaticSecret CRs later. No real secret yet.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Phase 2 Step 2: dedicated SA infisical-token-reviewer bound to
system:auth-delegator (TokenReview), explicit long-lived SA token Secret
(k8s 1.34 doesn't auto-create). ArgoCD ignores /data so selfHeal won't
strip the controller-populated token. Token value never committed.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The multi-source variant ($values git ref) caused the infisical app to
prune its own Application object on first sync (controller pruned
Application/argocd/infisical, orphaning the workloads). Switch to a
single-source Helm app with inline valuesObject (same chart 1.9.0, same
DB/Redis passwords) and drop the hand-written tracking-id annotation.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Deploy infisical-standalone 1.9.0 (Infisical v0.158.0) in a dedicated
'infisical' namespace via a multi-source ArgoCD app (chart + values).
Bundled Postgres (dedicated local-path PVC, 8Gi) + Redis. Ingress via
Traefik + cert-manager (letsencrypt-prod) at infisical.chemavx.xyz.
Crown-jewel secrets (ENCRYPTION_KEY, AUTH_SECRET, SITE_URL) are injected
out-of-band via the 'infisical-secrets' Secret (kubectl, IgnoreExtraneous),
NOT in git. Postgres/Redis passwords guard ClusterIP-only in-cluster
services holding ciphertext; acceptable in values per design review.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The dockerconfigjson held the old account password (now rotated/revoked)
in plaintext. Manage this image-pull secret out-of-band via kubectl
(like researchowl), so no registry credential lives in git going forward.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
A ConfigMap volume is read-only at the FS level, so the Ghost entrypoint's
chown -R on content/ failed ("Read-only file system") and crash-looped.
Copy redirects.yaml onto the writable PVC with an initContainer instead;
still GitOps-sourced and refreshed on every pod start.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Recover ~454 GSC impressions stranded on a 404. Adds a ghost-en-redirects
ConfigMap (content/data/redirects.yaml) 301-redirecting the old slug
/pentagon-second-uap-declassification-may-2026-apollo-12-sandia/ to the
live /pentagon-uap-second-release-may-2026/. Mounted read-only via subPath
so it survives content PVC recreation.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
OLLAMA_EMBED_MODEL=nomic-embed-text (antes embed() caía en qwen2.5:3b,
un modelo de chat). Modelo ya descargado en Ollama. Mejora la calidad
del RAG (vectores de embeddings reales de 768 dims).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Same protection already given to polymarket-bot postgres and n8n: without
it, removing a PVC manifest from git (rename, multi-doc refactor) would
make ArgoCD destroy the volume and its data.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The real manifest is researchowl/argocd-app.yaml, self-managed inside the
app's own synced path; edits to this copy get silently reverted by selfHeal.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>