bluejay/bluejay-infra
1
0
Fork 0
Code Issues Pull Requests 14 Actions Packages Projects Releases Wiki Activity
Files
sprint42/cx-4-linux-runner-ruby-bake
bluejay-infra/apps/fc-signalcontrol/fc-signalcontrol.yaml
Codex 0b52093b36 K8s manifest hardening + new bluejay-infra-lint test project 
Manifest hardening (per documented memories):
- apps/asterisk/deployment.yaml: dnsPolicy: None + explicit dnsConfig
  with ndots:2 to prevent CoreDNS *.iamworkin.lan template from
  hijacking external egress (downloads.asterisk.org).
- apps/fc-llm-bridge/fc-llm-bridge.yaml: same dnsConfig pattern for
  api.anthropic.com egress.
- apps/fc-ttsreader/fc-ttsreader.yaml: same dnsConfig pattern for
  huggingface.co model seeding.
- apps/fc-messageboard/fc-messageboard.yaml: tcpSocket probes
  (replacing httpGet /health) per "Probes against /health 404 when
  app has global auth middleware".
- apps/fc-signalcontrol/fc-signalcontrol.yaml: same tcpSocket probe
  fix.

New lint project:
- tests/bluejay-infra-lint/BluejayInfraLint.Tests.csproj — local-first
  lint test sweep for the recurring K8s gotchas in the fleet.
- tests/bluejay-infra-lint/FleetManifestLintTests.cs — 7 lint tests
  covering tcpSocket probes, dnsConfig presence on egress-heavy pods,
  IngressRoute/Service namespace alignment, image pull policy, etc.
- tests/bluejay-infra-lint/conftest.dev/ — matching conftest policies
  for environments with conftest/opa.
- .gitignore — adds bin/ + obj/ + DS_Store/swp.

README.md adds a "Local manifest lint" section with the canonical
test command, plus 4 new gotcha entries (IngressRoute namespace
split, public read-only host method allowlists, Traefik VIP netpol
backend ports, auth-safe probes).

Tests: 7 / 7 lint tests passed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-04 03:18:04 -05:00

144 lines
3.4 KiB
YAML
Raw Permalink Blame History

# FlowerCore SignalControl — Signal sequencing and relay coordination
---
apiVersion: v1
kind: Namespace
metadata:
name: fc-signalcontrol
labels:
app.kubernetes.io/part-of: bluejay-infra
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: signalcontrol-data
namespace: fc-signalcontrol
labels:
app.kubernetes.io/name: signalcontrol-web
app.kubernetes.io/part-of: flowercore
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
storage: 1Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: signalcontrol-web
namespace: fc-signalcontrol
labels:
app.kubernetes.io/name: signalcontrol-web
app.kubernetes.io/part-of: flowercore
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app.kubernetes.io/name: signalcontrol-web
template:
metadata:
labels:
app.kubernetes.io/name: signalcontrol-web
app.kubernetes.io/part-of: flowercore
spec:
containers:
- name: signalcontrol-web
image: localhost/fc-signalcontrol-web:latest
imagePullPolicy: Never
ports:
- containerPort: 5000
name: http
env:
- name: ASPNETCORE_ENVIRONMENT
value: Production
- name: ASPNETCORE_URLS
value: "http://+:5000"
- name: ConnectionStrings__Default
value: Data Source=/data/signalcontrol.db
- name: Logging__LogLevel__Default
value: Information
- name: Auth__ApiKey
valueFrom:
secretKeyRef:
name: signalcontrol-auth
key: Auth__ApiKey
volumeMounts:
- name: data
mountPath: /data
resources:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "512Mi"
cpu: "500m"
livenessProbe:
tcpSocket:
port: http
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 5
readinessProbe:
tcpSocket:
port: http
initialDelaySeconds: 10
periodSeconds: 10
failureThreshold: 6
timeoutSeconds: 5
securityContext:
fsGroup: 4200
fsGroupChangePolicy: OnRootMismatch
volumes:
- name: data
persistentVolumeClaim:
claimName: signalcontrol-data
---
apiVersion: v1
kind: Service
metadata:
name: signalcontrol-web
namespace: fc-signalcontrol
labels:
app.kubernetes.io/name: signalcontrol-web
app.kubernetes.io/part-of: flowercore
spec:
selector:
app.kubernetes.io/name: signalcontrol-web
ports:
- port: 80
targetPort: http
name: http
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: signalcontrol-web-tls
namespace: fc-signalcontrol
spec:
secretName: signalcontrol-web-tls
issuerRef:
name: step-ca-acme
kind: ClusterIssuer
dnsNames:
- signalcontrol.iamworkin.lan
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: signalcontrol-web
namespace: fc-signalcontrol
spec:
entryPoints:
- websecure
routes:
- match: Host(`signalcontrol.iamworkin.lan`)
kind: Rule
services:
- name: signalcontrol-web
port: 80
tls:
secretName: signalcontrol-web-tls
Reference in New Issue View Git Blame Copy Permalink