- Deleted open-webui namespace, deployment, service, ingress, and PVC
from cluster (replaced by OpenClaw using Claude API)
- Removed openclaw PVC and RBAC manifests no longer needed
- Removed Uptime Kuma monitor for chat.chemavx.xyz
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Each alert rule's summary annotation now renders a formatted Telegram
message with emoji and multiline context. The contact point passes the
pre-rendered summary through, adding "✅ Resuelto" on resolution.
Also restores the == 1 filter on Pod Failed/Unknown lost in prior rebase.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Grafana threshold expression requires a scalar input, not a raw time
series. Added explicit reduce step (type: reduce, reducer: last) as
refId B between the Prometheus query (A) and the threshold check (C).
All 4 rules updated: CrashLoopBackOff, Disco >80%, RAM >85%, Pod Failed.
condition field changed from B → C on each rule.
Grafana env var substitution of a numeric TELEGRAM_CHAT_ID caused
json unmarshal error (number into string field). chatid is not sensitive
so hardcode it directly; only bottoken uses ${TELEGRAM_BOT_TOKEN}.
- Add hostPath volume for /var/lib/rancher/k3s/server/db (readOnly)
- Script copies state.db + WAL files → k3s-db_<date>.tar.gz in /data/backups/backups/
- Rotation: keeps last 7 copies (same policy as other services)
- rclone-mega-backup picks it up automatically (syncs full /data/backups/backups/)
- Also tracks the CronJob manifest in git (was previously untracked)
Note: k3s uses SQLite/kine (not embedded etcd). etcd-snapshot is disabled.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Configure argocd-notifications-cm with Telegram service, templates and triggers
for sync-succeeded, sync-failed, and app-degraded events
- Add application-polymarket-bot.yaml and application-n8n.yaml with notification
subscription annotations (chat_id: 5138407666)
Note: requires kubectl patch of argocd-notifications-secret with telegram-token
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
El config dir de OpenClaw es /home/node/.openclaw, no /data.
Monta el PVC en la ruta correcta para que openclaw.json persista.
Elimina OPENCLAW_DATA_DIR (no era el config dir).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Manifiestos limpios: namespace, rbac, pvc (5Gi local-path), deployment, service, ingress
- nodeSelector chemavx-k8 en deployment para fijar PVC en el nodo correcto
- Imagen fijada a ghcr.io/openclaw/openclaw:2026.4.12
- Sin initContainers ni secrets en el deployment (config post-arranque via exec)
- Elimina artefactos: configmap-kube-root-ca.crt.yaml, serviceaccount-default.yaml, pvc-openclaw-pvc.yaml, rbac-openclaw-agent.yaml
- Añade argocd/application-openclaw.yaml para gestión GitOps
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Deploy registry:2 as Docker Hub pull-through cache on chemavx-k8 (hostPort 5000,
ClusterIP 10.43.163.56:5000). Configures dind runner to use local mirror via
daemon.json to eliminate Docker Hub rate limit failures in CI/CD.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
RollingUpdate caused rollout deadlocks because the PVC (ReadWriteOnce)
cannot be mounted by two pods simultaneously.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Switch from ollama/ollama:rocm + amd.com/gpu to standard CUDA image + nvidia.com/gpu.
RTX 3060 (GA106, 12GB) now used via NVIDIA GPU Operator on chemavx-k8.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Delete 26 secret manifests containing REDACTED placeholder values
(15 cert-manager TLS + 11 app secrets across 8 namespaces)
- REDACTED is valid base64 that decodes to non-UTF-8 bytes — ArgoCD
applying these manifests corrupts live secrets in the cluster
- Add .githooks/pre-commit that rejects any .yaml with REDACTED
- Add README.md documenting secret management policy and manual
creation commands for each service
- n8n secret manifests already fixed in previous commits (618b1e8, db04fd2)
chemavx
chemavx