bluejay/bluejay-infra
1
0
Fork 0
Code Issues Pull Requests 15 Actions Packages Projects Releases Wiki Activity
Files
a77fbd0381e29fcbe9db0f918a5f0dd8c46cbcf6
bluejay-infra/apps
History
Andrew Stoltz a77fbd0381 security(agent-zero): remove cluster RBAC entirely + no token mount (operator directive — MCP only) 
Operator: agent-zero must reach the cluster ONLY through gated MCP tools, not a
service account with cluster roles for raw kubectl. Removed the read-only
ClusterRole/ClusterRoleBinding entirely (SA now has zero cluster perms) and set
automountServiceAccountToken: false so no K8s API token is mounted at all.
Applied live (SA secrets/exec/pods/namespaces -> all Forbidden); this makes it
durable so ArgoCD selfHeal won't re-create any role.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-18 14:46:07 -05:00
..
agent-zero
security(agent-zero): remove cluster RBAC entirely + no token mount (operator directive — MCP only)
2026-06-18 14:46:07 -05:00
andrew
Fix Traefik dashboard cert issuer: step-ca-acme
2026-03-10 01:12:08 -05:00
asterisk
K8s manifest hardening + new bluejay-infra-lint test project
2026-05-04 03:18:04 -05:00
authentik
authentik: align volumeClaimTemplates TypeMeta with SSA-created live object
2026-06-10 15:18:29 -05:00
cdi
feat(infra): add Multus CNI + CDI + PROD VLAN 57 NAD as GitOps prereqs for ci1
2026-05-08 13:05:58 -05:00
dustin
Fix Traefik dashboard cert issuer: step-ca-acme
2026-03-10 01:12:08 -05:00
edge2-services
edge2-services: print.iamworkin.lan Traefik HTTPS for Print.Web (XL Track C)
2026-04-26 14:37:33 -05:00
erik
Fix Traefik dashboard cert issuer: step-ca-acme
2026-03-10 01:12:08 -05:00
fc-aistation
feat(infra): prestage broader app exposure hardening
2026-06-04 18:14:22 -05:00
fc-chat
deploy(chat): chat-web v20260616-circuit-mood-5711f2d
2026-06-16 13:29:01 -05:00
fc-desktop
feat(fc-desktop): OnePasswordItem CRD for remotedesktop-oidc-client (L9 flip-readiness, gate stays OFF)
2026-06-12 11:31:07 -05:00
fc-devicemgmt
deploy(devicemgmt): pin regroup web image
2026-06-14 12:52:30 -05:00
fc-distribution
fix(auth): mark OIDC healthz probes anonymous
2026-06-04 11:03:20 -05:00
fc-divoom-dm-pi-device
divoom: add pi deploy artifact manifests
2026-06-02 21:45:27 -05:00
fc-divoom-tv-pi
divoom: add pi deploy artifact manifests
2026-06-02 21:45:27 -05:00
fc-dms
feat(infra): prestage broader app exposure hardening
2026-06-04 18:14:22 -05:00
fc-dns
deploy(dns): pin current DNS image
2026-06-16 11:45:13 -05:00
fc-gateway
deploy: align gateway key field
2026-06-16 21:08:03 -05:00
fc-landing
Add step-ca TLS certs for mysql, php, desktop, signage, fc-landing
2026-04-08 18:20:23 -05:00
fc-library
deploy(library): pin RL5 fine action image
2026-06-15 15:56:20 -05:00
fc-llm-bridge
fc-llm-bridge: repoint Ollama to GX10 NodePort (fix AZ MTU black-hole)
2026-06-14 15:12:05 -05:00
fc-media
fix(auth): mark OIDC healthz probes anonymous
2026-06-04 11:03:20 -05:00
fc-menuboard
feat(infra): prestage broader app exposure hardening
2026-06-04 18:14:22 -05:00
fc-messageboard
fix(hardening): align probe-path annotations with live health routes
2026-06-04 22:01:04 -05:00
fc-mysql
feat(infra): prestage broader app exposure hardening
2026-06-04 18:14:22 -05:00
fc-network
feat(fc-network): add FlowerCore.Network app (read-only pfSense plane, ADR-189)
2026-06-12 14:21:45 -05:00
fc-php
feat(infra): prestage broader app exposure hardening
2026-06-04 18:14:22 -05:00
fc-presentations
feat(infra): prestage broader app exposure hardening
2026-06-04 18:14:22 -05:00
fc-redis
feat(fc-redis): add SignalR backplane for cross-product event bus (Q-SO-1 Phase A)
2026-05-11 19:02:58 -05:00
fc-retail
deploy(retail-library): roll regroup web images
2026-06-14 12:38:57 -05:00
fc-scoreboard
feat(infra): prestage broader app exposure hardening
2026-06-04 18:14:22 -05:00
fc-segmentdisplay
feat(infra): prestage broader app exposure hardening
2026-06-04 18:14:22 -05:00
fc-signage
feat(infra): prestage broader app exposure hardening
2026-06-04 18:14:22 -05:00
fc-signage-appletv
Add Apple TV signage docs manifest
2026-05-13 20:32:48 -05:00
fc-signage-pi-player
Tighten Pi signage HDMI settle coverage (#3)
2026-05-18 02:35:17 +00:00
fc-signalcontrol
K8s manifest hardening + new bluejay-infra-lint test project
2026-05-04 03:18:04 -05:00
fc-ttsreader
deploy(ttsreader): pin TT-3 endpoint fix image
2026-06-16 05:33:43 -05:00
fc-updater
harden updatecenter public route methods
2026-06-18 10:37:53 -05:00
fit
Fix Traefik dashboard cert issuer: step-ca-acme
2026-03-10 01:12:08 -05:00
flowercore
Adopt fc-updater into ArgoCD
2026-05-06 17:33:32 -05:00
gitea-public
Update telephony-web image to v20260324d, resolve merge conflicts
2026-03-24 15:55:52 -05:00
github-runner
ops(github-runner): scale tts-reader runner to 0 (crash-looping, memory relief)
2026-06-16 11:27:40 -05:00
guacamole
fix(guacamole): add --- separator between macmini-vnc-creds OnePasswordItem and guacamole-branding ConfigMap
2026-05-12 09:26:03 -05:00
intranet
infra(ai): consolidate fleet Ollama consumers onto GX10 VIP 10.0.57.201
2026-06-14 00:54:36 -05:00
irc
fix(irc): use short name for unrealircd in anope + thelounge configs
2026-04-22 21:23:38 -05:00
knowledge
infra(ai): consolidate fleet Ollama consumers onto GX10 VIP 10.0.57.201
2026-06-14 00:54:36 -05:00
kubevirt-vms
ops: trim load for degraded 2-node cluster (agent2 PSU dead)
2026-05-28 13:47:13 -05:00
mail
mail: remove cert-manager Certificate (manage mail-tls via step-ca JWK + noc1 renew timer)
2026-06-01 15:55:38 -05:00
matrix
statefulsets: align guacamole and matrix drift defaults
2026-04-22 23:11:47 -05:00
monitoring
monitoring: mirror Sprint 60 probe coverage
2026-06-04 13:15:18 -05:00
multus
fix(multus): bump kube-multus-ds memory 50Mi/50Mi -> 1Gi/512Mi (prevent OOM cascade)
2026-05-11 10:30:05 -05:00
noc-services
feat(noc-services): wire puppetdb.iamworkin.lan through Traefik step-ca cert
2026-04-28 15:13:20 -05:00
pki-web
Add infrastructure manifests for 9 services
2026-03-09 16:35:04 -05:00
selenium
selenium: right-size hub + chrome + edge memory limits
2026-05-25 20:11:41 -05:00
teamspeak
Update telephony-web image to v20260324d, resolve merge conflicts
2026-03-24 15:55:52 -05:00
telephony
deploy: add MCP gateway for Agent Zero
2026-06-16 21:01:52 -05:00
traefik-dashboard
Fix Traefik dashboard cert issuer: step-ca-acme
2026-03-10 01:12:08 -05:00
voice
Update telephony-web image to v20260324d, resolve merge conflicts
2026-03-24 15:55:52 -05:00
worldbuilder
deploy: roll e4 conformance web images
2026-06-12 19:48:07 -05:00
zabbix
fix(zabbix): bump web probe timeouts 5s→15s + add failureThreshold
2026-05-15 15:59:04 -05:00