From fadcf31c86e9c3070a510f7f34ea2e4665a771f0 Mon Sep 17 00:00:00 2001 From: Chris Alfano Date: Mon, 18 May 2026 10:49:29 -0400 Subject: [PATCH 1/2] docs(claude): add repo-local agent instructions Codifies the hologit projection model, post-Envoy-migration patterns (per-app Gateway + HTTPRoute, gw-tls naming, cnpg same-namespace rule), required local-projection QA step, and guardrails for shared infrastructure so agents arriving cold don't have to re-derive everything from code. Co-Authored-By: Claude Opus 4.7 (1M context) --- .claude/CLAUDE.md | 161 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 161 insertions(+) create mode 100644 .claude/CLAUDE.md diff --git a/.claude/CLAUDE.md b/.claude/CLAUDE.md new file mode 100644 index 0000000..f8771f1 --- /dev/null +++ b/.claude/CLAUDE.md 
@@ -0,0 +1,161 @@ +# cfp-sandbox-cluster — agent instructions + +GitOps repo for the CodeForPhilly sandbox Kubernetes cluster on Linode LKE. Source-projected via hologit. Don't edit deployed branches directly — change the workspace, project, push the result. + +## Source pipeline + +``` +JarvusInnovations/cluster-template + └─ civic-cloud/cluster-template + └─ this repo (cfp-sandbox-cluster) + └─ projected branches → live cluster +``` + +This repo pulls civic-cloud via `.holo/sources/civic-cloud.toml`. + +To refresh a holosource: `git holo source fetch `. **Never** `git fetch ` — that auto-pulls upstream tags into local `refs/tags/` and pollutes the tag namespace. + +## How projection works + +- **Workspace files** are what humans edit. `.holo/branches//` configs map workspace paths to source content. +- `git holo project ` runs the pipeline and prints a tree SHA on the last stdout line. Inspect with `git ls-tree -r ` or `git diff `. +- Two branches matter: + - `k8s-manifests` — manifests only + - `k8s-manifests-github` — manifests + GitHub Actions workflows (overlays on top of `k8s-manifests`) +- Deploy lifecycle: push to `main` → `Build k8s-manifests` workflow → `releases/k8s-manifests` → Deploy PR auto-opens → merge → `deploys/k8s-manifests` → `K8s: Deploy k8s-manifests` workflow → `kubectl apply` to cluster. +- The deploy workflow's "Apply manifests: deleted resources" step removes anything that disappears from the projection. Drop a file from the workspace → resource deleted on next deploy. + +### Lenses + +`.holo/lenses/.toml` describes per-source transformations: + +- **helm3** — renders a chart against the app's `release-values.yaml` +- **kustomize** — builds a kustomization +- **k8s-normalize** — routes flat manifests into the `//.yaml` layout + +Cluster-scoped resources land in `_//.yaml`. 
+ +## Directory map + +| Path | Purpose | +|---|---| +| `_infra/` | Cluster-level infra (cert-manager issuers, envoy-gateway config, cnpg cluster) | +| `_gateways/` | Per-app Gateway + HTTPRoute pairs, one file per app | +| `/` | App workspace — `release-values.yaml` for helm, `kustomization.yaml` for kustomize | +| `.secrets/` | SealedSecrets for that namespace | +| `.holo/sources/` | Holosource pins (URL + ref) | +| `.holo/branches//` | Holomappings — source content → workspace path | +| `.holo/lenses/` | Lens configs | + +`_` prefix means "not a workload namespace." Workspace convention; projected tree drops it. + +## Standing patterns + +Established post-Envoy migration. Mimic these. + +### Per-app routing + +Each public-facing app gets `_gateways/.yaml` containing: + +- `Gateway` in the app's namespace with HTTPS listener on the app's hostname, `cert-manager.io/cluster-issuer: letsencrypt-prod` annotation, certificateRef to `-gw-tls` +- `HTTPRoute` with `parentRefs` attached **only** to the per-app Gateway (no `main-gateway`) + +HTTP (port 80) is handled globally by `_infra/envoy-gateway/http-redirect.yaml` — a single `HTTPRoute` on `main-gateway` that 301s everything to HTTPS. ACME challenge paths bypass it via Gateway API conflict resolution (cert-manager creates an `Exact`-path HTTPRoute per challenge). + +### Cert Secret naming + +`-gw-tls` — to avoid collision with legacy `-tls`. + +### Database resources (cnpg) + +The shared `cloudnative-pg/Cluster/shared-cluster` is the only PostgreSQL cluster. To add a database: + +- `Database` CR lives in `cloudnative-pg` namespace (cnpg requires same-namespace reference to the Cluster — not configurable) +- Workspace file can live wherever organizationally makes sense (e.g. `/cnpg/database.yaml`). k8s-normalize routes by `metadata.namespace` at projection time. 
+- Add a `managed.roles[]` entry to the Cluster CR with `passwordSecret: name: -db-credentials` +- Create the SealedSecret `-db-credentials` in `cloudnative-pg` namespace before cnpg can fully provision the role + +### Envoy Gateway + +- `EnvoyProxy` resource has `mergeGateways: true` — every Gateway shares one Envoy data plane and one LoadBalancer. **Do not disable.** +- `GatewayClass` is named `eg` +- The shared HTTP `main-gateway` lives in `envoy-gateway-system`; per-app Gateways attach implicitly via the merged data plane. + +## Before pushing a PR — required QA + +Run a local projection and diff it against the deployed tree. **No PR ships without this.** + +```bash +# 1. Commit everything first +git status # must be clean + +# 2. Fetch and project against the deploy branch's layout +git fetch origin +SHA=$(git holo project k8s-manifests-github 2>&1 | tail -1) + +# 3. Diff +git diff --name-status origin/deploys/k8s-manifests "$SHA" +git diff --stat origin/deploys/k8s-manifests "$SHA" + +# 4. Spot-check content for changed files +git show "$SHA": +``` + +If using `git holo project --working` to test uncommitted changes, project `k8s-manifests` (not `-github`) and expect the deploy workflow files to show as deletions — they live in `k8s-manifests-github`, not `k8s-manifests`. Harmless noise. Committing first is usually simpler. + +The diff is the definitive preview. Read it carefully — admission webhooks add defaults that show up here (cnpg adds `databaseReclaimPolicy: retain`, HTTPRoutes get default `PathPrefix: /` matches, etc.) and side effects of changed helm values can surface as unrelated-looking ConfigMap or Deployment edits (e.g. `ingress.enabled: false` clearing `server.domain` on grafana). + +## Common operations + +### Add a new app + +1. Create workspace dir + resources (chart values or kustomize) +2. Add holomapping at `.holo/branches/k8s-manifests//` +3. Add lens config at `.holo/lenses/.toml` if applicable +4. 
Add `_gateways/.yaml` if it needs external HTTPS +5. Run the projection + diff (above) + +### Bump an upstream chart version + +Edit the version pin in `.holo/sources/.toml` → `git holo source fetch ` → project → diff. + +For chart versions owned by the upstream chain: bump in cluster-template or civic-cloud → wait for release → bump civic-cloud pin here. + +### Disable an Ingress on a helm-managed app + +`/release-values.yaml`: `ingress.enabled: false`. If the chart inferred its public hostname from `ingress.hosts[0]` (historical examples: grafana → `grafana.ini.server.domain`, metabase → `MB_SITE_URL`), set it directly via the chart's other values. Verify via render diff. + +## Cluster context + +Things not in any single grep-able file: + +- **`shared-cluster` (cnpg)**: PG 18.0 + PostGIS 3.6.3 + pgvector 0.8.2 + pgaudit 18.0 (available, not preloaded). 2 instances. Image `ghcr.io/cloudnative-pg/postgis:18-3-system-trixie`. Storage class `linode-block-storage-retain`. +- **Envoy LB**: external IP for the cluster. Wildcard DNS `*.sandbox.k8s.phl.io` resolves there. Linode LKE supports LoadBalancer hairpin natively (in-cluster pods can reach the LB external IP). +- **No hairpin-proxy, no ingress-nginx**: both were decommissioned in the May 2026 Envoy migration. Don't reintroduce. +- **DNS for some non-wildcard hostnames** (e.g. `sandbox.balancerproject.org`, `test.pawsdp.org`) was retired during the migration. Those hostnames don't work anymore. 
+ +## Guardrails + +Take these only with explicit user authorization: + +- `kubectl apply/delete/patch` against shared-infra namespaces: `kube-system`, `cert-manager`, `cloudnative-pg`, `envoy-gateway-system`, `sealed-secrets` +- Force-pushes to `releases/k8s-manifests` or `deploys/k8s-manifests` +- Merging upstream release PRs (cluster-template, civic-cloud) — user handles these +- Restarting deployments in shared namespaces +- Modifying `Cluster/shared-cluster` (especially `instances`, storage, `managed.roles`) + +Editing workspace files in this repo and opening PRs are fine without per-action approval. + +## Known external issues + +- **hologit shallow-clone race** ([JarvusInnovations/hologit#450](https://github.com/JarvusInnovations/hologit/issues/450)) — `Build k8s-manifests` intermittently fails with `fatal: shallow file has changed since we read it`. Rerun the workflow. + +For repo-local issues, check the open issue list directly — anything I'd list here will rot. + +## References + +- Migration umbrella: [#130](https://github.com/CodeForPhilly/cfp-sandbox-cluster/issues/130) +- Live-cluster equivalent plan: [cfp-live-cluster#144](https://github.com/CodeForPhilly/cfp-live-cluster/issues/144) +- Upstream cluster-template: +- civic-cloud cluster-template: +- Hologit: From bbb9942811f0460140ed0825bd31bb625a6f1a7c Mon Sep 17 00:00:00 2001 
From: Chris Alfano Date: Mon, 18 May 2026 11:21:56 -0400 Subject: [PATCH 2/2] Add codeforphilly-ng (the rewrite) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Brings the rewrite of codeforphilly.org under GitOps. App is live at https://next-v2.codeforphilly.org served by Envoy Gateway. Until now the workload was being applied to the cluster manually via `kubectl apply -k` from the upstream repo's overlay; this PR makes the cluster state declarative. Layout follows the established balancer pattern: - `.holo/sources/codeforphilly-ng.toml` — pin upstream main - `.holo/branches/k8s-manifests/codeforphilly-ng/app/manifests.toml` — pulls workload-only files (configmap, deployment, service, serviceaccount, pvcs); excludes upstream gateway/httproute and kustomization (composed here instead) - `.holo/lenses/codeforphilly-ng.toml` — kustomize lens - `codeforphilly-ng/{kustomization,app/...}` — local kustomize composition; sets namespace + creates Namespace resource - `_gateways/codeforphilly-ng.yaml` — Gateway + HTTPRoute for `next-v2.codeforphilly.org`, cert via `codeforphilly-gw-tls` (existing live cert) - `codeforphilly-ng.secrets/` — sealed env (JWT, OAuth, data remote) + sealed read-write SSH deploy key for the data repo --- .../codeforphilly-ng/app/manifests.toml | 14 +++++++ .holo/lenses/codeforphilly-ng.toml | 9 ++++ .holo/sources/codeforphilly-ng.toml | 3 ++ _gateways/codeforphilly-ng.yaml | 42 +++++++++++++++++++ .../codeforphilly-data-deploy-key.yaml | 13 ++++++ .../codeforphilly-secrets.yaml | 16 +++++++ codeforphilly-ng/app/kustomization.yaml | 13 ++++++ codeforphilly-ng/app/namespace.yaml | 4 ++ codeforphilly-ng/kustomization.yaml | 7 ++++ 9 files changed, 121 insertions(+) create mode 100644 .holo/branches/k8s-manifests/codeforphilly-ng/app/manifests.toml create mode 100644 .holo/lenses/codeforphilly-ng.toml create mode 100644 .holo/sources/codeforphilly-ng.toml create mode 100644 _gateways/codeforphilly-ng.yaml 
create mode 100644 codeforphilly-ng.secrets/codeforphilly-data-deploy-key.yaml create mode 100644 codeforphilly-ng.secrets/codeforphilly-secrets.yaml create mode 100644 codeforphilly-ng/app/kustomization.yaml create mode 100644 codeforphilly-ng/app/namespace.yaml create mode 100644 codeforphilly-ng/kustomization.yaml diff --git a/.holo/branches/k8s-manifests/codeforphilly-ng/app/manifests.toml b/.holo/branches/k8s-manifests/codeforphilly-ng/app/manifests.toml new file mode 100644 index 0000000..bed4e97 --- /dev/null +++ b/.holo/branches/k8s-manifests/codeforphilly-ng/app/manifests.toml @@ -0,0 +1,14 @@ +[holomapping] +holosource = "codeforphilly-ng" +root = "deploy/kustomize/base" +files = [ + "configmap.yaml", + "deployment.yaml", + "service.yaml", + "serviceaccount.yaml", + "pvc-data.yaml", + "pvc-private.yaml", +] +# Excludes the upstream `gateway.yaml` + `httproute.yaml` (replaced by +# per-cluster _gateways/codeforphilly-ng.yaml) and `kustomization.yaml` +# (we compose our own at codeforphilly-ng/app/kustomization.yaml). diff --git a/.holo/lenses/codeforphilly-ng.toml b/.holo/lenses/codeforphilly-ng.toml new file mode 100644 index 0000000..a729f74 --- /dev/null +++ b/.holo/lenses/codeforphilly-ng.toml @@ -0,0 +1,9 @@ +[hololens] +container = "ghcr.io/hologit/lenses/kustomize:latest" + +[hololens.input] +root = "codeforphilly-ng" +files = "**" + +[hololens.output] +merge = "replace" diff --git a/.holo/sources/codeforphilly-ng.toml b/.holo/sources/codeforphilly-ng.toml new file mode 100644 index 0000000..0d94e7e --- /dev/null +++ b/.holo/sources/codeforphilly-ng.toml @@ -0,0 +1,3 @@ +[holosource] +url = "https://github.com/CodeForPhilly/codeforphilly-ng.git" +ref = "refs/heads/main" diff --git a/_gateways/codeforphilly-ng.yaml b/_gateways/codeforphilly-ng.yaml new file mode 100644 index 0000000..89d3318 --- /dev/null +++ b/_gateways/codeforphilly-ng.yaml 
@@ -0,0 +1,42 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: codeforphilly + namespace: codeforphilly-rewrite-sandbox + annotations: + # cert-manager watches Gateways with this annotation and creates a + # Certificate that resolves into the listener's certificateRef Secret. + cert-manager.io/cluster-issuer: letsencrypt-prod +spec: + gatewayClassName: eg + listeners: + - name: https + protocol: HTTPS + port: 443 + hostname: next-v2.codeforphilly.org + tls: + mode: Terminate + certificateRefs: + - name: codeforphilly-gw-tls + allowedRoutes: + namespaces: + from: Same +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: codeforphilly + namespace: codeforphilly-rewrite-sandbox +spec: + parentRefs: + - name: codeforphilly + hostnames: + - next-v2.codeforphilly.org + rules: + - matches: + - path: + type: PathPrefix + value: / + backendRefs: + - name: codeforphilly + port: 80 diff --git a/codeforphilly-ng.secrets/codeforphilly-data-deploy-key.yaml b/codeforphilly-ng.secrets/codeforphilly-data-deploy-key.yaml new file mode 100644 index 0000000..4eff4a6 --- /dev/null +++ b/codeforphilly-ng.secrets/codeforphilly-data-deploy-key.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: codeforphilly-data-deploy-key + namespace: codeforphilly-rewrite-sandbox +spec: + encryptedData: + id_ed25519: 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 + template: + metadata: + name: codeforphilly-data-deploy-key + namespace: codeforphilly-rewrite-sandbox diff --git a/codeforphilly-ng.secrets/codeforphilly-secrets.yaml b/codeforphilly-ng.secrets/codeforphilly-secrets.yaml new file mode 100644 index 0000000..806bf15 --- /dev/null +++ b/codeforphilly-ng.secrets/codeforphilly-secrets.yaml 
@@ -0,0 +1,16 @@ +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: codeforphilly-secrets + namespace: codeforphilly-rewrite-sandbox +spec: + encryptedData: + CFP_DATA_REMOTE: AgAj4UY/M3uFDp4jJLykFSzihy+C2uSQXHQuuyaOAd7ew14gpw6Vogu5oYMgM1y1yBv1sbJObbnh7ddexYqRfgFKJrgiwc60MoVzwbwt5JHQh1aJJIZ4xizvitbyT1h7GkLzLZbvLdJxAFH876wXn9zw0UAco62qsxkIQgoRGBN/Gq7SQDT6+HHv1Uc3LeDiqdnne49LIP/M32DSu8IQ0CffyA+pdAdTwCaRoMBh63rdhoLM4Ildvlt6jSWHP0dJFmYRP9gtKCKgLUycz7fXhU0xxYaAOc7T2Z0rVf6DkkZDaqwgKEFk52300kuz1xW3BufrZ2jCfcXs4AAwwUuWj17MNICq0dei7MDRurmGpgJJDdfaCvTD4+wggm/VUBvXWQIuhE9/PtIumx/brVCJQ05YmeyFSrL4D+COSmhlXS3vmngpy3lHB+2qEbwM8ZHnwB/Ff1XP4HVSPUdXejWU4vdFY6VQ/4hjCLDAgjQLGRTGBmaFX1aJqygjK1JzRnGts0aCniPTL/qF1s5OcHJeIAvkN0WleceEi5u7CnvEdAcSAfkYu0QiwnoXNeIhFzPekEJyP6c6KY9oaw+kEirWgvCwis5QUiGOIO4kFcGXfDVzCRu1GM4T7WV969n8nJSGcSQQSmVa4uPCAlZld8etvbR4xa8dSXaeZ6Nb6L3FIVqc05Zy0U9cnKnfSGKWvHEANtBA7ItPq9GUlE6DCTb9guwlUGWHpG7tk1iuTnUD5b0P5r7zALF7rAufCKHEPpNWn7Mfg/k= + CFP_JWT_SIGNING_KEY: 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 + GITHUB_OAUTH_CLIENT_ID: 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 + GITHUB_OAUTH_CLIENT_SECRET: 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 + template: + metadata: + name: codeforphilly-secrets + namespace: codeforphilly-rewrite-sandbox diff --git a/codeforphilly-ng/app/kustomization.yaml b/codeforphilly-ng/app/kustomization.yaml new file mode 100644 index 0000000..e6bee84 --- /dev/null +++ b/codeforphilly-ng/app/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: codeforphilly-rewrite-sandbox + +resources: + - namespace.yaml + - manifests/configmap.yaml + - manifests/deployment.yaml + - manifests/service.yaml + - manifests/serviceaccount.yaml + - manifests/pvc-data.yaml + - manifests/pvc-private.yaml diff --git a/codeforphilly-ng/app/namespace.yaml b/codeforphilly-ng/app/namespace.yaml new file mode 100644 index 0000000..c9b7bc8 
--- /dev/null +++ b/codeforphilly-ng/app/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: codeforphilly-rewrite-sandbox diff --git a/codeforphilly-ng/kustomization.yaml b/codeforphilly-ng/kustomization.yaml new file mode 100644 index 0000000..9852d1c --- /dev/null +++ b/codeforphilly-ng/kustomization.yaml @@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +# Sub-kustomizations set their own namespace. k8s-normalize routes by +# metadata.namespace at projection time. +resources: + - app
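
Review bot: In the "Before pushing a PR" snippet of `.claude/CLAUDE.md` (PATCH 1/2), `SHA=$(git holo project k8s-manifests-github 2>&1 | tail -1)` folds stderr into the capture, and the pipe into `tail` hides the exit status of `git holo project`. A failed projection or a trailing warning therefore leaves an error string in `$SHA`, and the following `git diff` runs against it. The same file says the tree SHA is the last stdout line, so drop `2>&1` and have the snippet stop unless `git cat-file -t "$SHA"` prints `tree`. Step 1 has a similar gap: `git status # must be clean` only displays state, while a test that `git status --porcelain` prints nothing would make an agent following the steps literally halt on a dirty tree.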
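
Review bot: `container = "ghcr.io/hologit/lenses/kustomize:latest"` in `.holo/lenses/codeforphilly-ng.toml` (PATCH 2/2) uses a mutable tag, so the same workspace commit can project to different manifests once the image is republished, and whatever sits behind that tag runs inside the build that produces `releases/k8s-manifests`. Pin the lens to a version tag or an image digest and bump it in a reviewed commit.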
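
Review bot: `ref = "refs/heads/main"` in `.holo/sources/codeforphilly-ng.toml` follows a moving branch, although the commit message describes it as a pin. The file records only a URL and a branch name, so what gets projected from upstream `deployment.yaml` or `serviceaccount.yaml` depends on when the source was last fetched, not on anything fixed in this commit. Point the ref at a release tag, or add a comment stating that tracking `main` is intentional and that the projection diff is the review gate for upstream changes.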
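
Review bot: The `HTTPRoute` in `_gateways/codeforphilly-ng.yaml` attaches with `parentRefs: - name: codeforphilly` and no `sectionName`, so it binds to every listener this Gateway has now or gains later. Add `sectionName: https` so the attachment is explicit. The `backendRefs` entry (`name: codeforphilly`, `port: 80`) also depends on a Service that exists only in the upstream `service.yaml`, which this patch does not show; a short comment naming that dependency would help whoever debugs the route after an upstream rename.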
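
Review bot: `codeforphilly-ng.secrets/codeforphilly-data-deploy-key.yaml` carries no indication of what the sealed `id_ed25519` key is allowed to do; only the commit message says it is a read-write deploy key for the data repo. Add a header comment recording which repository the key is registered on, that it has write access, and how it is rotated and resealed, and state in the PR why the workload needs write rather than read-only access.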
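
Review bot: The `resources` list in `codeforphilly-ng/app/kustomization.yaml` repeats the six file names from `files` in `manifests.toml`, and nothing ties the two lists together. A manifest added upstream that `deployment.yaml` starts to depend on would be in neither list, so the Deployment would reference an object that is never projected. Add a comment in each file pointing at the other, and check the upstream `deploy/kustomize/base` listing whenever the source is refreshed.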
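
Review bot: `codeforphilly-ng/app/namespace.yaml` creates `codeforphilly-rewrite-sandbox` with a name and nothing else. Since this namespace holds the OAuth client secret, the JWT signing key and a write-capable deploy key, consider setting a `pod-security.kubernetes.io/enforce` label here so the admission level is declared in Git with the rest of the state. A one-line comment explaining why the namespace is not named after the `codeforphilly-ng` workspace directory would also save the next reader a search.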