T

chemavx ec3a8c3d55 fix: sleep 15 before k8s API check in researchowl smoke test

Pod takes a few seconds to become ready after PostSync fires.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-20 12:47:43 +00:00

.githooks

security: remove all REDACTED secrets from repo, add pre-commit guard

2026-04-14 20:02:51 +00:00

argocd

argocd: configure Telegram notifications and add Application manifests

2026-04-25 09:56:35 +00:00

argocd-patches

fix: argocd-redis nodeSelector chemavx-k8 + resource limits

2026-05-20 12:26:42 +00:00

authentik

chore: pin all floating image tags to exact running versions

2026-04-15 08:11:22 +00:00

backup-system

feat: add researchowl

2026-04-27 13:53:42 +00:00

cloudflare-ddns

feat: añadir zonadeexclusion.com a cloudflare-ddns DOMAINS

2026-05-07 21:04:32 +00:00

cluster-wide

feat: export all K8 Plus cluster manifests

2026-04-10 08:57:02 +00:00

default

security: remove all REDACTED secrets from repo, add pre-commit guard

2026-04-14 20:02:51 +00:00

gitea

fix: DinD memory request 1Gi→2Gi, limit 2Gi→4Gi

2026-05-05 09:15:14 +00:00

homarr

chore: pin all floating image tags to exact running versions

2026-04-15 08:11:22 +00:00

monitoring

feat(grafana): custom emoji message templates per alert + resolve format

2026-04-27 07:26:01 +00:00

n8n

feat: add Telegram notifications to PostSync smoke tests + new tests for researchowl/openclaw

2026-05-20 12:40:23 +00:00

ollama

ollama: elimina GPU, fija imagen 0.20.7, reduce a qwen2.5:3b

2026-04-24 15:34:37 +00:00

openclaw

feat: add Telegram notifications to PostSync smoke tests + new tests for researchowl/openclaw

2026-05-20 12:40:23 +00:00

polymarket-bot

feat: add Telegram notifications to PostSync smoke tests + new tests for researchowl/openclaw

2026-05-20 12:40:23 +00:00

portfolio

feat: add Telegram notifications to PostSync smoke tests + new tests for researchowl/openclaw

2026-05-20 12:40:23 +00:00

registry-cache

registry-cache: switch upstream to mirror.gcr.io (bypass Cloudflare R2 block)

2026-04-22 20:29:11 +00:00

researchowl

fix: sleep 15 before k8s API check in researchowl smoke test

2026-05-20 12:47:43 +00:00

umami

feat: add Umami analytics deployment

2026-05-11 07:48:53 +00:00

vaultwarden

chore: pin all floating image tags to exact running versions

2026-04-15 08:11:22 +00:00

zona-exclusion

fix: eliminar Secret de deployment.yaml para gestión manual

2026-05-09 17:48:20 +00:00

.gitignore

feat: export all K8 Plus cluster manifests

2026-04-10 08:57:02 +00:00

README.md

docs: argocd post-install patches

2026-05-20 12:27:14 +00:00

README.md

k8s-manifests

Manifests de Kubernetes gestionados por ArgoCD para el cluster chemavx.

Regla crítica: secrets en git

Los secrets con datos sensibles NO se guardan en este repo.

Los archivos de secret en este repo sólo contienen metadata (name, namespace, labels, annotations). Los campos data / stringData se gestionan manualmente fuera de git.

Por qué

Un valor placeholder como REDACTED es base64 válido que decodifica a bytes no-UTF-8. Si ArgoCD aplica ese manifest, corrompe el secret en el cluster, lo que puede:

Romper certificados TLS (ERR_CERT_AUTHORITY_INVALID)
Impedir que pods arranquen (grpc: error while marshaling: string field contains invalid UTF-8)
Cifrar credenciales con una clave incorrecta

Secrets TLS (cert-manager)

Los secrets TLS los gestiona cert-manager automáticamente a partir del recurso Certificate. No crear archivos secret-*-tls.yaml con datos.

Secrets de aplicación — crear manualmente antes del primer deploy

Namespace	Secret	Comando
`n8n`	`n8n-secret`	`kubectl create secret generic n8n-secret --from-literal=encryption-key='<valor-en-vaultwarden>' -n n8n`
`authentik`	`authentik-secret`	Ver Vaultwarden → "authentik"
`cloudflare-ddns`	`cloudflare-ddns-secret`	Ver Vaultwarden → "cloudflare-ddns"
`vaultwarden`	`vaultwarden-secret`	Ver Vaultwarden → "vaultwarden"
`openclaw`	`openclaw-token`	Ver Vaultwarden → "openclaw"
`argocd`	`argocd-secret`	Gestionado por ArgoCD bootstrap
`argocd`	`argocd-redis`	Gestionado por ArgoCD bootstrap
`monitoring`	`kube-prometheus-stack-grafana`	Ver Vaultwarden → "grafana"
`monitoring`	`kube-prometheus-stack-admission`	Generado por helm (webhook TLS)

ArgoCD ignoreDifferences para secrets

Toda ArgoCD Application que gestione un namespace con secrets debe incluir ignoreDifferences para el campo /data:

spec:
  ignoreDifferences:
    - group: ""
      kind: Secret
      name: <nombre-del-secret>
      namespace: <namespace>
      jsonPointers:
        - /data
  syncPolicy:
    syncOptions:
      - RespectIgnoreDifferences=true

Ver n8n ArgoCD Application como referencia.

Pre-commit hook

Este repo incluye un pre-commit hook que rechaza commits con REDACTED en archivos .yaml. Instalar con:

cp .githooks/pre-commit .git/hooks/pre-commit
chmod +x .git/hooks/pre-commit

ArgoCD patches

Después de instalar ArgoCD aplicar: kubectl apply -f argocd-patches/redis-patch.yaml