T

chemavx 4897ca3334 feat(grafana): custom emoji message templates per alert + resolve format

Each alert rule's summary annotation now renders a formatted Telegram
message with emoji and multiline context. The contact point passes the
pre-rendered summary through, adding "✅ Resuelto" on resolution.
Also restores the == 1 filter on Pod Failed/Unknown lost in prior rebase.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-04-27 07:26:01 +00:00

.githooks

security: remove all REDACTED secrets from repo, add pre-commit guard

2026-04-14 20:02:51 +00:00

argocd

argocd: configure Telegram notifications and add Application manifests

2026-04-25 09:56:35 +00:00

authentik

chore: pin all floating image tags to exact running versions

2026-04-15 08:11:22 +00:00

backup-system

backup: add k3s SQLite backup to daily CronJob

2026-04-25 10:23:18 +00:00

cloudflare-ddns

chore: pin ollama and cloudflare-ddns to exact running versions

2026-04-15 08:13:13 +00:00

cluster-wide

feat: export all K8 Plus cluster manifests

2026-04-10 08:57:02 +00:00

default

security: remove all REDACTED secrets from repo, add pre-commit guard

2026-04-14 20:02:51 +00:00

gitea

feat(registry-cache): add Docker Hub pull-through cache + dind mirror config

2026-04-22 11:35:43 +00:00

homarr

chore: pin all floating image tags to exact running versions

2026-04-15 08:11:22 +00:00

monitoring

feat(grafana): custom emoji message templates per alert + resolve format

2026-04-27 07:26:01 +00:00

n8n

ci: update n8n image to b6a83c68 [skip ci]

2026-04-25 10:03:27 +00:00

ollama

ollama: elimina GPU, fija imagen 0.20.7, reduce a qwen2.5:3b

2026-04-24 15:34:37 +00:00

openclaw

openclaw: añade kubectl-ro via initContainer setup-kubectl

2026-04-24 14:33:17 +00:00

polymarket-bot

ci: update polymarket-bot images to 39cebd3b [skip ci]

2026-04-26 15:03:41 +00:00

portfolio

argocd: add PostSync smoke test hooks for polymarket-bot, n8n, portfolio

2026-04-23 09:14:12 +00:00

registry-cache

registry-cache: switch upstream to mirror.gcr.io (bypass Cloudflare R2 block)

2026-04-22 20:29:11 +00:00

vaultwarden

chore: pin all floating image tags to exact running versions

2026-04-15 08:11:22 +00:00

.gitignore

feat: export all K8 Plus cluster manifests

2026-04-10 08:57:02 +00:00

README.md

security: remove all REDACTED secrets from repo, add pre-commit guard

2026-04-14 20:02:51 +00:00

README.md

k8s-manifests

Manifests de Kubernetes gestionados por ArgoCD para el cluster chemavx.

Regla crítica: secrets en git

Los secrets con datos sensibles NO se guardan en este repo.

Los archivos de secret en este repo sólo contienen metadata (name, namespace, labels, annotations). Los campos data / stringData se gestionan manualmente fuera de git.

Por qué

Un valor placeholder como REDACTED es base64 válido que decodifica a bytes no-UTF-8. Si ArgoCD aplica ese manifest, corrompe el secret en el cluster, lo que puede:

Romper certificados TLS (ERR_CERT_AUTHORITY_INVALID)
Impedir que pods arranquen (grpc: error while marshaling: string field contains invalid UTF-8)
Cifrar credenciales con una clave incorrecta

Secrets TLS (cert-manager)

Los secrets TLS los gestiona cert-manager automáticamente a partir del recurso Certificate. No crear archivos secret-*-tls.yaml con datos.

Secrets de aplicación — crear manualmente antes del primer deploy

Namespace	Secret	Comando
`n8n`	`n8n-secret`	`kubectl create secret generic n8n-secret --from-literal=encryption-key='<valor-en-vaultwarden>' -n n8n`
`authentik`	`authentik-secret`	Ver Vaultwarden → "authentik"
`cloudflare-ddns`	`cloudflare-ddns-secret`	Ver Vaultwarden → "cloudflare-ddns"
`vaultwarden`	`vaultwarden-secret`	Ver Vaultwarden → "vaultwarden"
`openclaw`	`openclaw-token`	Ver Vaultwarden → "openclaw"
`argocd`	`argocd-secret`	Gestionado por ArgoCD bootstrap
`argocd`	`argocd-redis`	Gestionado por ArgoCD bootstrap
`monitoring`	`kube-prometheus-stack-grafana`	Ver Vaultwarden → "grafana"
`monitoring`	`kube-prometheus-stack-admission`	Generado por helm (webhook TLS)

ArgoCD ignoreDifferences para secrets

Toda ArgoCD Application que gestione un namespace con secrets debe incluir ignoreDifferences para el campo /data:

spec:
  ignoreDifferences:
    - group: ""
      kind: Secret
      name: <nombre-del-secret>
      namespace: <namespace>
      jsonPointers:
        - /data
  syncPolicy:
    syncOptions:
      - RespectIgnoreDifferences=true

Ver n8n ArgoCD Application como referencia.

Pre-commit hook

Este repo incluye un pre-commit hook que rechaza commits con REDACTED en archivos .yaml. Instalar con:

cp .githooks/pre-commit .git/hooks/pre-commit
chmod +x .git/hooks/pre-commit