diff --git a/AGENTS.md b/AGENTS.md index c3230d6..22ee526 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -15,13 +15,12 @@ Sync waves order resources within a single ArgoCD Application — they are **not ## Domain Architecture -| Domain | Access | TLS | +| Domain | Path | TLS | |---|---|---| -| `*.makeitwork.cloud` | Cloudflare Tunnel (`TunnelBinding`) | Cloudflare edge | -| `*.apps.makeitwork.cloud` | WARP-only | Let's Encrypt (DNS-01) | -| `api.makeitwork.cloud` | WARP-only | Let's Encrypt (DNS-01) | +| `.makeitwork.cloud` | HTTP via cloudflare-operator `TunnelBinding` | Cloudflare edge | +| `k3s.makeitwork.cloud` | TCP via `ClusterTunnel` to kube-apiserver, gated by Cloudflare Access | Cloudflare edge | -There is no in-cluster ingress controller. All `*.makeitwork.cloud` apps reach the cluster via a Cloudflare Tunnel managed by cloudflare-operator. +There is no in-cluster ingress controller and no public IP. Every external entry point — public web, kubectl, everything — is a Cloudflare Tunnel managed by cloudflare-operator. Legacy hostnames `api.makeitwork.cloud` and `*.apps.makeitwork.cloud` are not in use. ## Key Namespaces diff --git a/README.md b/README.md index 941f600..1bd64e0 100644 --- a/README.md +++ b/README.md 
@@ -27,11 +27,10 @@ Sync waves order resources within a single Application — they are not global a | Domain | Path | TLS | |---|---|---| -| `*.makeitwork.cloud` | Cloudflare Tunnel via cloudflare-operator `TunnelBinding` | Cloudflare edge | -| `*.apps.makeitwork.cloud` | WARP-only | Let's Encrypt in cluster | -| `api.makeitwork.cloud` | WARP-only | Let's Encrypt in cluster | +| `.makeitwork.cloud` | HTTP via cloudflare-operator `TunnelBinding` | Cloudflare edge | +| `k3s.makeitwork.cloud` | TCP via `ClusterTunnel` to kube-apiserver, gated by Cloudflare Access | Cloudflare edge | -There is no in-cluster ingress controller. All public traffic flows through a Cloudflare Tunnel; in-cluster TLS is issued by cert-manager using the Cloudflare DNS-01 solver. +There is no in-cluster ingress controller and no public IP. Every external entry point is a Cloudflare Tunnel. ### TunnelBinding DNS diff --git a/bootstrap/ci-token-sync-job.yaml b/bootstrap/ci-token-sync-job.yaml index ee5f1d6..c2041ed 100644 --- a/bootstrap/ci-token-sync-job.yaml +++ b/bootstrap/ci-token-sync-job.yaml @@ -53,17 +53,17 @@ spec: # (NOT the auto-mounted bound token which expires in 1 hour) SA_TOKEN=$(cat /var/run/secrets/ci-deployer/token) - # Repos that need the OpenShift token + # Repos that need the ci-deployer cluster API token REPOS=( "makeitworkcloud/images" "makeitworkcloud/kustomize-cluster" ) - echo "Syncing OpenShift token to GitHub repositories..." + echo "Syncing ci-deployer token to GitHub repositories..." for repo in "${REPOS[@]}"; do - echo "Updating OPENSHIFT_TOKEN in $repo" - gh secret set OPENSHIFT_TOKEN \ + echo "Updating CI_DEPLOYER_TOKEN in $repo" + gh secret set CI_DEPLOYER_TOKEN \ --repo "$repo" \ --body "$SA_TOKEN" done diff --git a/bootstrap/wait-for-crds.yaml b/bootstrap/wait-for-crds.yaml index 3bf59d5..181f608 100644 --- a/bootstrap/wait-for-crds.yaml +++ b/bootstrap/wait-for-crds.yaml 
@@ -11,7 +11,7 @@ metadata: argocd.argoproj.io/hook: PostSync argocd.argoproj.io/hook-delete-policy: HookSucceeded ignore-check.kube-linter.io/non-existent-service-account: "SA created by GitOps operator" - ignore-check.kube-linter.io/latest-tag: "Using cluster-managed OpenShift CLI imagestream" + ignore-check.kube-linter.io/latest-tag: "bitnami/kubectl:latest is acceptable for a one-shot bootstrap wait Job" spec: ttlSecondsAfterFinished: 300 backoffLimit: 30 diff --git a/bootstrap/wait-for-repo-server.yaml b/bootstrap/wait-for-repo-server.yaml index cf67ee0..42203f9 100644 --- a/bootstrap/wait-for-repo-server.yaml +++ b/bootstrap/wait-for-repo-server.yaml @@ -11,7 +11,7 @@ metadata: argocd.argoproj.io/hook: PostSync argocd.argoproj.io/hook-delete-policy: HookSucceeded ignore-check.kube-linter.io/non-existent-service-account: "SA created by GitOps operator" - ignore-check.kube-linter.io/latest-tag: "Using cluster-managed OpenShift CLI imagestream" + ignore-check.kube-linter.io/latest-tag: "bitnami/kubectl:latest is acceptable for a one-shot bootstrap wait Job" spec: ttlSecondsAfterFinished: 300 backoffLimit: 10
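Review bot: In the AGENTS.md Domain Architecture hunk the wildcard appears to have been lost: the old row was `*.makeitwork.cloud` but the new row reads `.makeitwork.cloud`, which is not a valid host pattern. Restore `*.makeitwork.cloud` unless a specific apex/host was intended. Since the new `k3s.makeitwork.cloud` row exposes kube-apiserver over a `ClusterTunnel` with Cloudflare Access as the only gate in front of it, this table (or the paragraph below it) should also name the Access policy or group that is required, so that reviewers can verify it is not an allow-all policy. The added sentence that `api.makeitwork.cloud` and `*.apps.makeitwork.cloud` are not in use would be more useful if it said whether their DNS records and cert-manager resources were removed, as dangling records for retired hostnames are a common takeover risk.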
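Review bot: The README.md hunk has the same dropped wildcard (`.makeitwork.cloud` instead of `*.makeitwork.cloud`), and it removes the statement that in-cluster TLS is issued by cert-manager via the DNS-01 solver without saying whether cert-manager is still deployed. If it is, keep a sentence describing what it now issues; if it was removed along with the Let's Encrypt rows, say so. Also keep README.md and AGENTS.md in step: AGENTS.md gained the "Legacy hostnames ... are not in use" sentence but README.md did not.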
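Review bot: The ci-token-sync-job.yaml hunk renames the GitHub secret from `OPENSHIFT_TOKEN` to `CI_DEPLOYER_TOKEN` but never removes the old one, so each repository keeps a stale copy of a long-lived cluster token under the old name. Add a cleanup step in the same loop, e.g. `gh secret delete OPENSHIFT_TOKEN --repo "$repo"` (ignoring a not-found error on later runs), and confirm the workflows in `makeitworkcloud/images` and `makeitworkcloud/kustomize-cluster` are switched to `CI_DEPLOYER_TOKEN` in the same change so CI does not break between syncs.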
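Review bot: In the wait-for-crds.yaml hunk the lint exception is reworded to justify `bitnami/kubectl:latest`, but a mutable `latest` tag on a bootstrap Job is the very thing the kube-linter check exists to catch; pin the image to a version tag or a digest and drop the `latest-tag` ignore annotation instead. The hunk only changes the annotation text, so please confirm the container `image:` field in this file was actually changed from the OpenShift imagestream reference, since the annotation alone does not affect what runs.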
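Review bot: The wait-for-repo-server.yaml hunk has the same issue as wait-for-crds.yaml: replacing the justification text keeps a mutable `bitnami/kubectl:latest` reference on a cluster-bootstrap Job. Pin the same version tag or digest used in wait-for-crds.yaml so both Jobs run an identical, reproducible kubectl, and verify the `image:` field was updated along with the annotation.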