bluejay/bluejay-infra
1
0
Fork 0
Code Issues Pull Requests 14 Actions Packages Projects Releases Wiki Activity
Files
057595de3dbd1c13839bda1a225a4a8656af4c8c
bluejay-infra/apps/intranet/intranet.yaml
Andrew Stoltz 057595de3d intranet: GIT_SSL_NO_VERIFY=true in clone-notes-corpus init container 
Cluster egress is fronted by a step-ca TLS proxy whose cert doesn't
match github.com. The init container's git clone failed with
"SSL: no alternative certificate subject name matches target hostname
'github.com'". The Notes repo is public — there is no secret to
protect on the wire — so GIT_SSL_NO_VERIFY=true is the right tradeoff
here. Tag at v202604240040search.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 00:46:20 -05:00

148 lines
3.6 KiB
YAML
Raw Blame History

apiVersion: v1
kind: Namespace
metadata:
name: intranet
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: intranet-vector-store
namespace: intranet
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
storage: 1Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: intranet-web
namespace: intranet
labels:
app: intranet-web
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: intranet-web
template:
metadata:
labels:
app: intranet-web
spec:
initContainers:
- name: clone-notes-corpus
image: alpine/git:latest
imagePullPolicy: IfNotPresent
command:
- sh
- -c
- |
set -e
# Cluster egress is fronted by a step-ca TLS proxy whose cert
# doesn't match github.com. The Notes repo is public so there's
# no secret to protect — skip verify.
export GIT_SSL_NO_VERIFY=true
if [ -d /srv/flowercore-notes/.git ]; then
cd /srv/flowercore-notes && git fetch --depth=1 origin && git reset --hard origin/codex/notes-pimanager-live-drift
else
rm -rf /srv/flowercore-notes/* /srv/flowercore-notes/.[!.]* 2>/dev/null || true
git clone --depth=1 --branch codex/notes-pimanager-live-drift https://github.com/astoltz/FlowerCore.Notes.git /srv/flowercore-notes
fi
ls -la /srv/flowercore-notes/docs | head -10
volumeMounts:
- name: notes-corpus
mountPath: /srv/flowercore-notes
containers:
- name: intranet-web
image: localhost/fc-intranet-web:v202604240040search
imagePullPolicy: Never
ports:
- containerPort: 5300
name: http
env:
- name: ASPNETCORE_ENVIRONMENT
value: Production
- name: ASPNETCORE_URLS
value: "http://+:5300"
resources:
requests:
memory: "256Mi"
cpu: "100m"
limits:
memory: "1Gi"
cpu: "1000m"
livenessProbe:
httpGet:
path: /health
port: 5300
initialDelaySeconds: 30
periodSeconds: 30
readinessProbe:
httpGet:
path: /health
port: 5300
initialDelaySeconds: 10
periodSeconds: 10
volumeMounts:
- name: notes-corpus
mountPath: /srv/flowercore-notes
readOnly: true
- name: vector-store
mountPath: /data
volumes:
- name: notes-corpus
emptyDir:
sizeLimit: 1Gi
- name: vector-store
persistentVolumeClaim:
claimName: intranet-vector-store
---
apiVersion: v1
kind: Service
metadata:
name: intranet-web
namespace: intranet
spec:
selector:
app: intranet-web
ports:
- port: 5300
targetPort: 5300
name: http
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: intranet-tls
namespace: intranet
spec:
secretName: intranet-tls
issuerRef:
name: step-ca-acme
kind: ClusterIssuer
dnsNames:
- intranet.iamworkin.lan
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: intranet
namespace: intranet
spec:
entryPoints:
- websecure
routes:
- match: Host(`intranet.iamworkin.lan`)
kind: Rule
services:
- name: intranet-web
port: 5300
tls:
secretName: intranet-tls
Reference in New Issue View Git Blame Copy Permalink