bluejay-infra/apps at 191eb91642de7bd9e1f3aab08f6a8061117be08b - bluejay-infra - Gitea: Git with a cup of tea

bluejay/bluejay-infra

Files

History

Andrew Stoltz 191eb91642 security(agent-zero): replace cluster-admin with least-privilege read-only RBAC (SEC-6/RBAC-001)

agent-zero is an LLM agent; cluster-admin let raw kubectl bypass the MCP layer to
read every Secret / exec any pod. Swap for a read-only ClusterRole (no secrets/
configmaps/exec/writes) so sensitive + mutating actions go through gated MCP tools.
Already applied live + verified (secrets/exec/write -> Forbidden, observe stays);
this makes it durable so ArgoCD selfHeal doesn't revert to cluster-admin.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-18 14:46:07 -05:00

..

security(agent-zero): replace cluster-admin with least-privilege read-only RBAC (SEC-6/RBAC-001)

2026-06-18 14:46:07 -05:00

Fix Traefik dashboard cert issuer: step-ca-acme

2026-03-10 01:12:08 -05:00

K8s manifest hardening + new bluejay-infra-lint test project

2026-05-04 03:18:04 -05:00

authentik: align volumeClaimTemplates TypeMeta with SSA-created live object

2026-06-10 15:18:29 -05:00

feat(infra): add Multus CNI + CDI + PROD VLAN 57 NAD as GitOps prereqs for ci1

2026-05-08 13:05:58 -05:00

Fix Traefik dashboard cert issuer: step-ca-acme

2026-03-10 01:12:08 -05:00

edge2-services: print.iamworkin.lan Traefik HTTPS for Print.Web (XL Track C)

2026-04-26 14:37:33 -05:00

Fix Traefik dashboard cert issuer: step-ca-acme

2026-03-10 01:12:08 -05:00

feat(infra): prestage broader app exposure hardening

2026-06-04 18:14:22 -05:00

deploy(chat): chat-web v20260616-circuit-mood-5711f2d

2026-06-16 13:29:01 -05:00

feat(fc-desktop): OnePasswordItem CRD for remotedesktop-oidc-client (L9 flip-readiness, gate stays OFF)

2026-06-12 11:31:07 -05:00

deploy(devicemgmt): pin regroup web image

2026-06-14 12:52:30 -05:00

fc-distribution

fix(auth): mark OIDC healthz probes anonymous

2026-06-04 11:03:20 -05:00

fc-divoom-dm-pi-device

divoom: add pi deploy artifact manifests

2026-06-02 21:45:27 -05:00

fc-divoom-tv-pi

divoom: add pi deploy artifact manifests

2026-06-02 21:45:27 -05:00

feat(infra): prestage broader app exposure hardening

2026-06-04 18:14:22 -05:00

deploy(dns): pin current DNS image

2026-06-16 11:45:13 -05:00

deploy: align gateway key field

2026-06-16 21:08:03 -05:00

Add step-ca TLS certs for mysql, php, desktop, signage, fc-landing

2026-04-08 18:20:23 -05:00

deploy(library): pin RL5 fine action image

2026-06-15 15:56:20 -05:00

fc-llm-bridge: repoint Ollama to GX10 NodePort (fix AZ MTU black-hole)

2026-06-14 15:12:05 -05:00

fix(auth): mark OIDC healthz probes anonymous

2026-06-04 11:03:20 -05:00

feat(infra): prestage broader app exposure hardening

2026-06-04 18:14:22 -05:00

fc-messageboard

fix(hardening): align probe-path annotations with live health routes

2026-06-04 22:01:04 -05:00

feat(infra): prestage broader app exposure hardening

2026-06-04 18:14:22 -05:00

feat(fc-network): add FlowerCore.Network app (read-only pfSense plane, ADR-189)

2026-06-12 14:21:45 -05:00

feat(infra): prestage broader app exposure hardening

2026-06-04 18:14:22 -05:00

fc-presentations

feat(infra): prestage broader app exposure hardening

2026-06-04 18:14:22 -05:00

feat(fc-redis): add SignalR backplane for cross-product event bus (Q-SO-1 Phase A)

2026-05-11 19:02:58 -05:00

deploy(retail-library): roll regroup web images

2026-06-14 12:38:57 -05:00

feat(infra): prestage broader app exposure hardening

2026-06-04 18:14:22 -05:00

fc-segmentdisplay

feat(infra): prestage broader app exposure hardening

2026-06-04 18:14:22 -05:00

feat(infra): prestage broader app exposure hardening

2026-06-04 18:14:22 -05:00

fc-signage-appletv

Add Apple TV signage docs manifest

2026-05-13 20:32:48 -05:00

fc-signage-pi-player

Tighten Pi signage HDMI settle coverage (#3 )

2026-05-18 02:35:17 +00:00

fc-signalcontrol

K8s manifest hardening + new bluejay-infra-lint test project

2026-05-04 03:18:04 -05:00

deploy(ttsreader): pin TT-3 endpoint fix image

2026-06-16 05:33:43 -05:00

harden updatecenter public route methods

2026-06-18 10:37:53 -05:00

Fix Traefik dashboard cert issuer: step-ca-acme

2026-03-10 01:12:08 -05:00

Adopt fc-updater into ArgoCD

2026-05-06 17:33:32 -05:00

Update telephony-web image to v20260324d, resolve merge conflicts

2026-03-24 15:55:52 -05:00

ops(github-runner): scale tts-reader runner to 0 (crash-looping, memory relief)

2026-06-16 11:27:40 -05:00

fix(guacamole): add --- separator between macmini-vnc-creds OnePasswordItem and guacamole-branding ConfigMap

2026-05-12 09:26:03 -05:00

infra(ai): consolidate fleet Ollama consumers onto GX10 VIP 10.0.57.201

2026-06-14 00:54:36 -05:00

fix(irc): use short name for unrealircd in anope + thelounge configs

2026-04-22 21:23:38 -05:00

infra(ai): consolidate fleet Ollama consumers onto GX10 VIP 10.0.57.201

2026-06-14 00:54:36 -05:00

ops: trim load for degraded 2-node cluster (agent2 PSU dead)

2026-05-28 13:47:13 -05:00

mail: remove cert-manager Certificate (manage mail-tls via step-ca JWK + noc1 renew timer)

2026-06-01 15:55:38 -05:00

statefulsets: align guacamole and matrix drift defaults

2026-04-22 23:11:47 -05:00

monitoring: mirror Sprint 60 probe coverage

2026-06-04 13:15:18 -05:00

fix(multus): bump kube-multus-ds memory 50Mi/50Mi -> 1Gi/512Mi (prevent OOM cascade)

2026-05-11 10:30:05 -05:00

feat(noc-services): wire puppetdb.iamworkin.lan through Traefik step-ca cert

2026-04-28 15:13:20 -05:00

Add infrastructure manifests for 9 services

2026-03-09 16:35:04 -05:00

selenium: right-size hub + chrome + edge memory limits

2026-05-25 20:11:41 -05:00

Update telephony-web image to v20260324d, resolve merge conflicts

2026-03-24 15:55:52 -05:00

deploy: add MCP gateway for Agent Zero

2026-06-16 21:01:52 -05:00

traefik-dashboard

Fix Traefik dashboard cert issuer: step-ca-acme

2026-03-10 01:12:08 -05:00

Update telephony-web image to v20260324d, resolve merge conflicts

2026-03-24 15:55:52 -05:00

deploy: roll e4 conformance web images

2026-06-12 19:48:07 -05:00

fix(zabbix): bump web probe timeouts 5s→15s + add failureThreshold

2026-05-15 15:59:04 -05:00