Codex
0b52093b36
K8s manifest hardening + new bluejay-infra-lint test project
...
Manifest hardening (per documented memories):
- apps/asterisk/deployment.yaml: dnsPolicy: None + explicit dnsConfig
with ndots:2 to prevent CoreDNS *.iamworkin.lan template from
hijacking external egress (downloads.asterisk.org).
- apps/fc-llm-bridge/fc-llm-bridge.yaml: same dnsConfig pattern for
api.anthropic.com egress.
- apps/fc-ttsreader/fc-ttsreader.yaml: same dnsConfig pattern for
huggingface.co model seeding.
- apps/fc-messageboard/fc-messageboard.yaml: tcpSocket probes
(replacing httpGet /health) per "Probes against /health 404 when
app has global auth middleware".
- apps/fc-signalcontrol/fc-signalcontrol.yaml: same tcpSocket probe
fix.
New lint project:
- tests/bluejay-infra-lint/BluejayInfraLint.Tests.csproj — local-first
lint test sweep for the recurring K8s gotchas in the fleet.
- tests/bluejay-infra-lint/FleetManifestLintTests.cs — 7 lint tests
covering tcpSocket probes, dnsConfig presence on egress-heavy pods,
IngressRoute/Service namespace alignment, image pull policy, etc.
- tests/bluejay-infra-lint/conftest.dev/ — matching conftest policies
for environments with conftest/opa.
- .gitignore — adds bin/ + obj/ + DS_Store/swp.
README.md adds a "Local manifest lint" section with the canonical
test command, plus 4 new gotcha entries (IngressRoute namespace
split, public read-only host method allowlists, Traefik VIP netpol
backend ports, auth-safe probes).
Tests: 7 / 7 lint tests passed.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-05-04 03:18:04 -05:00
Andrew Stoltz
7762a0079a
Add K8s deployment manifests for SignalControl, MessageBoard, Chat, TTS Reader
...
Full deployment manifests (Namespace, Deployment, Service, Certificate,
IngressRoute) for 4 new FlowerCore services with port 8080, ClusterIP
on port 80, cert-manager step-ca-acme TLS, and /metrics/prometheus
health probes.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-04-13 20:23:55 -05:00
