
Deploy releases/k8s-manifests 1b74200#164

Merged
themightychris merged 4 commits into
deploys/k8s-manifests from
releases/k8s-manifests
May 18, 2026


@github-actions github-actions Bot commented May 18, 2026

kubectl diff reports that applying 1b74200 will change:

diff -uN /tmp/LIVE-181038495/apps.v1.Deployment.codeforphilly-rewrite-sandbox.codeforphilly /tmp/MERGED-3118197632/apps.v1.Deployment.codeforphilly-rewrite-sandbox.codeforphilly
--- /tmp/LIVE-181038495/apps.v1.Deployment.codeforphilly-rewrite-sandbox.codeforphilly	2026-05-18 19:08:54.350423794 +0000
+++ /tmp/MERGED-3118197632/apps.v1.Deployment.codeforphilly-rewrite-sandbox.codeforphilly	2026-05-18 19:08:54.359423795 +0000
@@ -1 +1,100 @@
-{}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: codeforphilly
+  namespace: codeforphilly-rewrite-sandbox
+spec:
+  progressDeadlineSeconds: 600
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: codeforphilly
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app.kubernetes.io/name: codeforphilly
+    spec:
+      containers:
+      - env:
+        - name: HOST
+          value: 0.0.0.0
+        envFrom:
+        - configMapRef:
+            name: codeforphilly-env
+        - secretRef:
+            name: codeforphilly-secrets
+        image: ghcr.io/codeforphilly/codeforphilly-ng:sandbox
+        imagePullPolicy: Always
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /api/health
+            port: http
+            scheme: HTTP
+          initialDelaySeconds: 60
+          periodSeconds: 30
+          successThreshold: 1
+          timeoutSeconds: 5
+        name: codeforphilly
+        ports:
+        - containerPort: 3001
+          name: http
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 30
+          httpGet:
+            path: /api/health/ready
+            port: http
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 5
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources:
+          limits:
+            cpu: "1"
+            memory: 768Mi
+          requests:
+            cpu: 100m
+            memory: 384Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 1000
+          runAsNonRoot: true
+          runAsUser: 1000
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /app/data
+          name: data
+        - mountPath: /app/private-storage
+          name: private
+        - mountPath: /etc/cfp-data-deploy-key
+          name: deploy-key
+          readOnly: true
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      securityContext:
+        fsGroup: 1000
+      serviceAccount: codeforphilly
+      serviceAccountName: codeforphilly
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: codeforphilly-data
+      - name: private
+        persistentVolumeClaim:
+          claimName: codeforphilly-private
+      - name: deploy-key
+        secret:
+          defaultMode: 256
+          secretName: codeforphilly-data-deploy-key
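Review bot: The container image at `image: ghcr.io/codeforphilly/codeforphilly-ng:sandbox` is referenced by a mutable tag with `imagePullPolicy: Always`, so each pod restart runs whatever the registry currently serves under that tag, and this same pod mounts the read-write data-repo deploy key from `codeforphilly-data-deploy-key`, so anyone able to push that tag can obtain the key. Pin the image by digest (`ghcr.io/codeforphilly/codeforphilly-ng:sandbox@sha256:…`) and let the release process bump it, or at minimum document in the source why a floating tag is acceptable for this sandbox. The container securityContext also omits `readOnlyRootFilesystem: true` and a `seccompProfile`, both of which the envoy-gateway certgen Job further down in this same diff sets; since the app's writable paths appear to be the two mounted PVCs, a read-only root filesystem looks workable (possibly with an emptyDir for scratch space), though that needs confirming against the image.
```yaml
        image: ghcr.io/codeforphilly/codeforphilly-ng:sandbox@sha256:<digest>
        # … unchanged: imagePullPolicy, probes, name, ports, resources …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsGroup: 1000
          runAsNonRoot: true
          runAsUser: 1000
          seccompProfile:
            type: RuntimeDefault
```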
diff -uN /tmp/LIVE-181038495/gateway.networking.k8s.io.v1.Gateway.codeforphilly-rewrite-sandbox.codeforphilly /tmp/MERGED-3118197632/gateway.networking.k8s.io.v1.Gateway.codeforphilly-rewrite-sandbox.codeforphilly
--- /tmp/LIVE-181038495/gateway.networking.k8s.io.v1.Gateway.codeforphilly-rewrite-sandbox.codeforphilly	2026-05-18 19:08:54.353423795 +0000
+++ /tmp/MERGED-3118197632/gateway.networking.k8s.io.v1.Gateway.codeforphilly-rewrite-sandbox.codeforphilly	2026-05-18 19:08:54.362423795 +0000
@@ -3,9 +3,6 @@
 metadata:
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-prod
-  labels:
-    app.kubernetes.io/managed-by: kustomize
-    app.kubernetes.io/name: codeforphilly
   name: codeforphilly
   namespace: codeforphilly-rewrite-sandbox
 spec:
diff -uN /tmp/LIVE-181038495/gateway.networking.k8s.io.v1.HTTPRoute.codeforphilly-rewrite-sandbox.codeforphilly /tmp/MERGED-3118197632/gateway.networking.k8s.io.v1.HTTPRoute.codeforphilly-rewrite-sandbox.codeforphilly
--- /tmp/LIVE-181038495/gateway.networking.k8s.io.v1.HTTPRoute.codeforphilly-rewrite-sandbox.codeforphilly	2026-05-18 19:08:54.354423795 +0000
+++ /tmp/MERGED-3118197632/gateway.networking.k8s.io.v1.HTTPRoute.codeforphilly-rewrite-sandbox.codeforphilly	2026-05-18 19:08:54.362423795 +0000
@@ -1,9 +1,6 @@
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
-  labels:
-    app.kubernetes.io/managed-by: kustomize
-    app.kubernetes.io/name: codeforphilly
   name: codeforphilly
   namespace: codeforphilly-rewrite-sandbox
 spec:
diff -uN /tmp/LIVE-181038495/v1.ConfigMap.codeforphilly-rewrite-sandbox.codeforphilly-env /tmp/MERGED-3118197632/v1.ConfigMap.codeforphilly-rewrite-sandbox.codeforphilly-env
--- /tmp/LIVE-181038495/v1.ConfigMap.codeforphilly-rewrite-sandbox.codeforphilly-env	2026-05-18 19:08:54.354423795 +0000
+++ /tmp/MERGED-3118197632/v1.ConfigMap.codeforphilly-rewrite-sandbox.codeforphilly-env	2026-05-18 19:08:54.363423795 +0000
@@ -13,8 +13,5 @@
   STORAGE_BACKEND: filesystem
 kind: ConfigMap
 metadata:
-  labels:
-    app.kubernetes.io/managed-by: kustomize
-    app.kubernetes.io/name: codeforphilly
   name: codeforphilly-env
   namespace: codeforphilly-rewrite-sandbox
diff -uN /tmp/LIVE-181038495/v1.PersistentVolumeClaim.codeforphilly-rewrite-sandbox.codeforphilly-data /tmp/MERGED-3118197632/v1.PersistentVolumeClaim.codeforphilly-rewrite-sandbox.codeforphilly-data
--- /tmp/LIVE-181038495/v1.PersistentVolumeClaim.codeforphilly-rewrite-sandbox.codeforphilly-data	2026-05-18 19:08:54.356423795 +0000
+++ /tmp/MERGED-3118197632/v1.PersistentVolumeClaim.codeforphilly-rewrite-sandbox.codeforphilly-data	2026-05-18 19:08:54.363423795 +0000
@@ -6,9 +6,6 @@
     pv.kubernetes.io/bound-by-controller: "yes"
     volume.beta.kubernetes.io/storage-provisioner: linodebs.csi.linode.com
     volume.kubernetes.io/storage-provisioner: linodebs.csi.linode.com
-  labels:
-    app.kubernetes.io/managed-by: kustomize
-    app.kubernetes.io/name: codeforphilly
   name: codeforphilly-data
   namespace: codeforphilly-rewrite-sandbox
 spec:
diff -uN /tmp/LIVE-181038495/v1.PersistentVolumeClaim.codeforphilly-rewrite-sandbox.codeforphilly-private /tmp/MERGED-3118197632/v1.PersistentVolumeClaim.codeforphilly-rewrite-sandbox.codeforphilly-private
--- /tmp/LIVE-181038495/v1.PersistentVolumeClaim.codeforphilly-rewrite-sandbox.codeforphilly-private	2026-05-18 19:08:54.356423795 +0000
+++ /tmp/MERGED-3118197632/v1.PersistentVolumeClaim.codeforphilly-rewrite-sandbox.codeforphilly-private	2026-05-18 19:08:54.364423795 +0000
@@ -6,9 +6,6 @@
     pv.kubernetes.io/bound-by-controller: "yes"
     volume.beta.kubernetes.io/storage-provisioner: linodebs.csi.linode.com
     volume.kubernetes.io/storage-provisioner: linodebs.csi.linode.com
-  labels:
-    app.kubernetes.io/managed-by: kustomize
-    app.kubernetes.io/name: codeforphilly
   name: codeforphilly-private
   namespace: codeforphilly-rewrite-sandbox
 spec:
diff -uN /tmp/LIVE-181038495/v1.Service.codeforphilly-rewrite-sandbox.codeforphilly /tmp/MERGED-3118197632/v1.Service.codeforphilly-rewrite-sandbox.codeforphilly
--- /tmp/LIVE-181038495/v1.Service.codeforphilly-rewrite-sandbox.codeforphilly	2026-05-18 19:08:54.358423795 +0000
+++ /tmp/MERGED-3118197632/v1.Service.codeforphilly-rewrite-sandbox.codeforphilly	2026-05-18 19:08:54.365423795 +0000
@@ -1,9 +1,6 @@
 apiVersion: v1
 kind: Service
 metadata:
-  labels:
-    app.kubernetes.io/managed-by: kustomize
-    app.kubernetes.io/name: codeforphilly
   name: codeforphilly
   namespace: codeforphilly-rewrite-sandbox
 spec:
@@ -19,5 +16,4 @@
     port: 80
     targetPort: 3001
   selector:
-    app.kubernetes.io/managed-by: kustomize
     app.kubernetes.io/name: codeforphilly
diff -uN /tmp/LIVE-181038495/v1.ServiceAccount.codeforphilly-rewrite-sandbox.codeforphilly /tmp/MERGED-3118197632/v1.ServiceAccount.codeforphilly-rewrite-sandbox.codeforphilly
--- /tmp/LIVE-181038495/v1.ServiceAccount.codeforphilly-rewrite-sandbox.codeforphilly	2026-05-18 19:08:54.358423795 +0000
+++ /tmp/MERGED-3118197632/v1.ServiceAccount.codeforphilly-rewrite-sandbox.codeforphilly	2026-05-18 19:08:54.365423795 +0000
@@ -1,8 +1,5 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  labels:
-    app.kubernetes.io/managed-by: kustomize
-    app.kubernetes.io/name: codeforphilly
   name: codeforphilly
   namespace: codeforphilly-rewrite-sandbox
diff -uN /tmp/LIVE-1331007326/batch.v1.Job.envoy-gateway-system.envoy-gateway-gateway-helm-certgen /tmp/MERGED-458842601/batch.v1.Job.envoy-gateway-system.envoy-gateway-gateway-helm-certgen
--- /tmp/LIVE-1331007326/batch.v1.Job.envoy-gateway-system.envoy-gateway-gateway-helm-certgen	2026-05-18 19:09:00.828424267 +0000
+++ /tmp/MERGED-458842601/batch.v1.Job.envoy-gateway-system.envoy-gateway-gateway-helm-certgen	2026-05-18 19:09:00.842424268 +0000
@@ -1 +1,70 @@
-{}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install, pre-upgrade
+  labels:
+    app.kubernetes.io/instance: envoy-gateway
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: gateway-helm
+    app.kubernetes.io/version: v1.7.3
+    helm.sh/chart: gateway-helm-v1.7.3
+  name: envoy-gateway-gateway-helm-certgen
+  namespace: envoy-gateway-system
+spec:
+  backoffLimit: 1
+  completionMode: NonIndexed
+  completions: 1
+  manualSelector: false
+  parallelism: 1
+  podReplacementPolicy: TerminatingOrFailed
+  selector:
+    matchLabels:
+      batch.kubernetes.io/controller-uid: 8d85b1d1-1842-48f1-8c43-6a07dcdadfd5
+  suspend: false
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app: certgen
+        batch.kubernetes.io/controller-uid: 8d85b1d1-1842-48f1-8c43-6a07dcdadfd5
+        batch.kubernetes.io/job-name: envoy-gateway-gateway-helm-certgen
+        controller-uid: 8d85b1d1-1842-48f1-8c43-6a07dcdadfd5
+        job-name: envoy-gateway-gateway-helm-certgen
+    spec:
+      containers:
+      - command:
+        - envoy-gateway
+        - certgen
+        env:
+        - name: ENVOY_GATEWAY_NAMESPACE
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
+        - name: KUBERNETES_CLUSTER_DOMAIN
+          value: cluster.local
+        image: docker.io/envoyproxy/gateway:v1.7.3
+        imagePullPolicy: IfNotPresent
+        name: envoy-gateway-certgen
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsGroup: 65532
+          runAsNonRoot: true
+          runAsUser: 65532
+          seccompProfile:
+            type: RuntimeDefault
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+      dnsPolicy: ClusterFirst
+      restartPolicy: Never
+      schedulerName: default-scheduler
+      serviceAccount: envoy-gateway-gateway-helm-certgen
+      serviceAccountName: envoy-gateway-gateway-helm-certgen
+      terminationGracePeriodSeconds: 30
+  ttlSecondsAfterFinished: 30
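Review bot: `ttlSecondsAfterFinished: 30` on this Job means it is garbage-collected half a minute after it completes, so the next `kubectl diff` from this branch will again show it as a creation (live side `{}`, as here) and every deploy will re-run `envoy-gateway certgen` against the live `envoy-gateway-system` namespace; the apply output on this page confirms `job.batch/envoy-gateway-gateway-helm-certgen created`. The `helm.sh/hook: pre-install, pre-upgrade` annotation has no effect under plain `kubectl apply`, so the one-shot semantics Helm would give this hook are lost. Whether a re-run overwrites the existing control-plane TLS secrets depends on certgen's behaviour, which is not visible here, but if it does, every deploy rotates the Envoy Gateway certificates. Consider excluding the hook Job from the rendered manifests, or, if re-running it on every apply is intended, add a comment in the source next to it stating that certgen is idempotent and where that was verified.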

themightychris and others added 4 commits May 18, 2026 10:49
Codifies the hologit projection model, post-Envoy-migration patterns
(per-app Gateway + HTTPRoute, gw-tls naming, cnpg same-namespace rule),
required local-projection QA step, and guardrails for shared
infrastructure so agents arriving cold don't have to re-derive
everything from code.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Brings the rewrite of codeforphilly.org under GitOps. App is live at
https://next-v2.codeforphilly.org served by Envoy Gateway. Until now
the workload was being applied to the cluster manually via `kubectl
apply -k` from the upstream repo's overlay; this PR makes the cluster
state declarative.

Layout follows the established balancer pattern:

- `.holo/sources/codeforphilly-ng.toml` — pin upstream main
- `.holo/branches/k8s-manifests/codeforphilly-ng/app/manifests.toml`
  — pulls workload-only files (configmap, deployment, service,
  serviceaccount, pvcs); excludes upstream gateway/httproute and
  kustomization (composed here instead)
- `.holo/lenses/codeforphilly-ng.toml` — kustomize lens
- `codeforphilly-ng/{kustomization,app/...}` — local kustomize
  composition; sets namespace + creates Namespace resource
- `_gateways/codeforphilly-ng.yaml` — Gateway + HTTPRoute for
  `next-v2.codeforphilly.org`, cert via `codeforphilly-gw-tls`
  (existing live cert)
- `codeforphilly-ng.secrets/` — sealed env (JWT, OAuth, data remote)
  + sealed read-write SSH deploy key for the data repo
Add codeforphilly-ng (the rewrite of codeforphilly.org)
Source-holobranch: k8s-manifests-github
Source-commit: 044c2b0
Source: 044c2b0
@themightychris themightychris merged commit bc5b338 into deploys/k8s-manifests May 18, 2026
2 checks passed

kubectl apply output (excluding unchanged) for bc5b338 was:

customresourcedefinition.apiextensions.k8s.io/backends.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/backendtlspolicies.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/backendtrafficpolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/backups.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/clienttrafficpolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/clusterimagecatalogs.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/clusters.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/databases.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/envoyextensionpolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/envoypatchpolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/envoyproxies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/failoverquorums.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/gatewayclasses.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/gateways.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/grpcroutes.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/httproutefilters.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/httproutes.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/imagecatalogs.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/listenersets.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/poolers.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/publications.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/referencegrants.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/scheduledbackups.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/sealedsecrets.bitnami.com serverside-applied
customresourcedefinition.apiextensions.k8s.io/securitypolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/subscriptions.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/tlsroutes.gateway.networking.k8s.io serverside-applied
clusterrole.rbac.authorization.k8s.io/envoy-gateway-gateway-helm-envoy-gateway-role configured
clusterrole.rbac.authorization.k8s.io/grafana-clusterrole configured
clusterrole.rbac.authorization.k8s.io/prometheus-alertmanager configured
clusterrole.rbac.authorization.k8s.io/prometheus-pushgateway configured
clusterrolebinding.rbac.authorization.k8s.io/sealed-secrets configured
mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook configured
mutatingwebhookconfiguration.admissionregistration.k8s.io/cnpg-mutating-webhook-configuration configured
mutatingwebhookconfiguration.admissionregistration.k8s.io/envoy-gateway-topology-injector.envoy-gateway-system configured
validatingadmissionpolicy.admissionregistration.k8s.io/safe-upgrades.gateway.networking.k8s.io configured
validatingadmissionpolicybinding.admissionregistration.k8s.io/safe-upgrades.gateway.networking.k8s.io configured
validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook configured
validatingwebhookconfiguration.admissionregistration.k8s.io/cnpg-validating-webhook-configuration configured
gateway.gateway.networking.k8s.io/balancer configured
httproute.gateway.networking.k8s.io/balancer configured
deployment.apps/choose-native-plants configured
gateway.gateway.networking.k8s.io/choose-native-plants configured
httproute.gateway.networking.k8s.io/choose-native-plants configured
cluster.postgresql.cnpg.io/shared-cluster configured
configmap/cnpg-controller-manager-config configured
gateway.gateway.networking.k8s.io/latest configured
httproute.gateway.networking.k8s.io/latest configured
configmap/codeforphilly-env configured
deployment.apps/codeforphilly created
gateway.gateway.networking.k8s.io/codeforphilly configured
httproute.gateway.networking.k8s.io/codeforphilly configured
persistentvolumeclaim/codeforphilly-data configured
persistentvolumeclaim/codeforphilly-private configured
service/codeforphilly configured
serviceaccount/codeforphilly configured
statefulset.apps/data-warehouse-postgresql configured
gateway.gateway.networking.k8s.io/echo-http configured
httproute.gateway.networking.k8s.io/echo-http configured
deployment.apps/envoy-gateway configured
httproute.gateway.networking.k8s.io/http-redirect configured
job.batch/envoy-gateway-gateway-helm-certgen created
configmap/grafana-dashboards-default configured
deployment.apps/grafana configured
gateway.gateway.networking.k8s.io/grafana configured
httproute.gateway.networking.k8s.io/grafana configured
deployment.apps/metrics-server configured
gateway.gateway.networking.k8s.io/latest configured
httproute.gateway.networking.k8s.io/latest configured
secret/promtail configured
statefulset.apps/loki configured
gateway.gateway.networking.k8s.io/metabase configured
httproute.gateway.networking.k8s.io/metabase configured
statefulset.apps/database configured
gateway.gateway.networking.k8s.io/paws-data-pipeline configured
httproute.gateway.networking.k8s.io/paws-data-pipeline configured
gateway.gateway.networking.k8s.io/prevention-point configured
httproute.gateway.networking.k8s.io/prevention-point configured
deployment.apps/prometheus-alertmanager configured
deployment.apps/prometheus-kube-state-metrics configured
deployment.apps/prometheus-pushgateway configured
deployment.apps/prometheus-server configured
serviceaccount/prometheus-kube-state-metrics configured
deployment.apps/sealed-secrets configured
gateway.gateway.networking.k8s.io/sealed-secrets configured
httproute.gateway.networking.k8s.io/sealed-secrets configured
rolebinding.rbac.authorization.k8s.io/sealed-secrets-key-admin configured
service/sealed-secrets configured
