Promotes the fleet to FlowerCore.Updater main @ 2bdf108 which combines:
- PR #6 publish pre-signed releases (1a188f4)
- PR #7 deeper public-host privacy enforcement (8cd8544)
- PublishPreSignedAsync(stream, sig) Integration coverage (2bdf108)

Live image already imported to rke2-server and rolled via deploy-web.ps1. This commit aligns the bluejay-infra source of truth so ArgoCD doesn't snap the spec back to the previous tag (per feedback_argocd_managed_image_overrides_do_not_stick).
fc-updater — Update Center GitOps adoption
Status: adopted into bluejay-infra on 2026-05-06. The live ArgoCD
Application is infra-fc-updater, generated by the bluejay-infra
ApplicationSet with automated sync, prune: true, and selfHeal: true.
Managed manifest set
apps/fc-updater/fc-updater.yaml manages:
- Namespace/fc-updater
- PersistentVolumeClaim/updatecenter-data
- Deployment/updatecenter-web
- Service/updatecenter-web
- Certificate/updatecenter-web-tls
- Certificate/updatecenter-web-internal-tls
- IngressRoute/updatecenter-web
- IngressRoute/updatecenter-web-internal
- IngressRoute/updatecenter-web-public

The Deployment intentionally sets revisionHistoryLimit: 3 and
strategy.type: Recreate. The service runs as a singleton with SQLite/local
bundle storage on PersistentVolumeClaim/updatecenter-data, pinned to
rke2-server.
Runtime dependencies intentionally not stored here
These live Secrets are pre-existing runtime material and are not committed to Git:
- updater-bootstrap-auth
- updater-signing
- updater-webhooks
- cf-origin-flowercore-io
Rotate the Cloudflare Origin Certificate through
FlowerCore.Notes/docs/standards/code-signing-rotation-runbook.md; the
shared origin cert must exist in every namespace that serves a
*.flowercore.io public IngressRoute.
Verification
kubectl.exe --kubeconfig C:\Users\AndrewStoltz\.kube\rke2.yaml -n argocd get application infra-fc-updater
kubectl.exe --kubeconfig C:\Users\AndrewStoltz\.kube\rke2.yaml -n fc-updater get deploy,svc,ingressroute,certificate,pvc
curl.exe -sk https://update.flowercore.io/api/v1/manifests/_schema
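
The rule that the shared origin cert must exist in every namespace serving a *.flowercore.io public IngressRoute can be checked offline from cluster JSON. This is an added example, not code from bluejay-infra; it assumes Traefik-style `spec.routes[].match` rules, treats any `Host()` under *.flowercore.io as public, and uses constructed sample data in place of `kubectl get ingressroute -A -o json` and `kubectl get secret -A -o json` output.

```python
import json
import re

ORIGIN_SECRET = "cf-origin-flowercore-io"  # Secret name taken from the page
PUBLIC_SUFFIX = ".flowercore.io"           # assumption: these hosts are the public ones
HOST_CALL = re.compile(r"\bHost\(([^)]*)\)")
QUOTED = re.compile(r"[`\"]([^`\"]+)[`\"]")

def route_hosts(ingressroute):
    """Hostnames named in the Host(...) matchers of one IngressRoute."""
    hosts = []
    for route in ingressroute.get("spec", {}).get("routes", []):
        for args in HOST_CALL.findall(route.get("match", "")):
            hosts.extend(h.lower() for h in QUOTED.findall(args))
    return hosts

def namespaces_missing_origin_cert(ingressroutes_json, secrets_json):
    """Namespaces that serve a *.flowercore.io host but lack the origin Secret."""
    routes = json.loads(ingressroutes_json)["items"]
    secrets = json.loads(secrets_json)["items"]
    have = {s["metadata"]["namespace"] for s in secrets
            if s["metadata"]["name"] == ORIGIN_SECRET}
    need = {r["metadata"]["namespace"] for r in routes
            if any(h.endswith(PUBLIC_SUFFIX) for h in route_hosts(r))}
    return sorted(need - have)

def _route(ns, name, match):
    """Build one constructed IngressRoute item (hypothetical helper)."""
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"routes": [{"match": match}]}}

# Constructed sample data; demo-app and lab are made-up namespaces.
SAMPLE_ROUTES = json.dumps({"items": [
    _route("fc-updater", "updatecenter-web-public", "Host(`update.flowercore.io`)"),
    _route("demo-app", "demo-public", "Host(`demo.flowercore.io`) && PathPrefix(`/api`)"),
    _route("lab", "lab-internal", "Host(`lab.example.test`)"),
]})
SAMPLE_SECRETS = json.dumps({"items": [
    {"metadata": {"namespace": "fc-updater", "name": "cf-origin-flowercore-io"}},
    {"metadata": {"namespace": "demo-app", "name": "unrelated-tls"}},
]})

if __name__ == "__main__":
    print(namespaces_missing_origin_cert(SAMPLE_ROUTES, SAMPLE_SECRETS))
```

A non-empty result lists the namespaces where the origin Secret still has to be created before the public route can present the certificate.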