- Updated bluejay-branding-1.0.0.jar with gold accents, hover fix,
icon fix, pinstripe patterns, Blue Jay SVG logo
- Added guac-k8s-sync CronJob: runs every 2min, auto-updates pod
names in Kubernetes exec connections when pods restart
- Fixed secret reference (guacamole-credentials, not guacamole-db-credentials)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- guacamole-branding ConfigMap with Blue Jay dark theme CSS
- guacamole-properties ConfigMap with ban/TOTP/session config
- kubectl-proxy sidecar on guacd for K8s pod exec connections
- guacd-exec ServiceAccount + ClusterRole/Binding for pod exec RBAC
- Volume mounts for branding JAR and properties on guacamole webapp
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- MySQL StatefulSet, initdb Job, Guacamole web all reference guacamole-credentials
- DB-User, DB-Password, DB-Root-Password, DB-Name fields added to 1Password item
- Zero inline secrets remain in manifest
- Zabbix: Remove hardcoded zabbix-db-secret and zabbix-admin-secret, reference
zabbix-credentials (1Password) for DB-User, DB-Password, and admin password
- Matrix: Remove hardcoded matrix-db-secret, reference matrix-credentials for
Postgres user/password. Convert ConfigMap homeserver.yaml to template with
__DB_PASSWORD__/__DB_USER__ placeholders, inject via busybox init container
- Guacamole: Add OnePasswordItem CRD for future use. MySQL DB creds remain in
guac-db-secret (1Password item lacks DB-specific fields — gap documented)
- All three services now include OnePasswordItem CRD manifests for ArgoCD mgmt
