chore: purge OpenShift-era references from docs and bootstrap

AGENTS.md

@@ -15,13 +15,12 @@ Sync waves order resources within a single ArgoCD Application — they are **not
 
 ## Domain Architecture
 
-| Domain | Access | TLS |
+| Domain | Path | TLS |
 |---|---|---|
-| `*.makeitwork.cloud` | Cloudflare Tunnel (`TunnelBinding`) | Cloudflare edge |
-| `*.apps.makeitwork.cloud` | WARP-only | Let's Encrypt (DNS-01) |
-| `api.makeitwork.cloud` | WARP-only | Let's Encrypt (DNS-01) |
+| `<app>.makeitwork.cloud` | HTTP via cloudflare-operator `TunnelBinding` | Cloudflare edge |
+| `k3s.makeitwork.cloud` | TCP via `ClusterTunnel` to kube-apiserver, gated by Cloudflare Access | Cloudflare edge |
 
-There is no in-cluster ingress controller. All `*.makeitwork.cloud` apps reach the cluster via a Cloudflare Tunnel managed by cloudflare-operator.
+There is no in-cluster ingress controller and no public IP. Every external entry point — public web, kubectl, everything — is a Cloudflare Tunnel managed by cloudflare-operator. Legacy hostnames `api.makeitwork.cloud` and `*.apps.makeitwork.cloud` are not in use.
 
 ## Key Namespaces
 

README.md

@@ -27,11 +27,10 @@ Sync waves order resources within a single Application — they are not global a
 
 | Domain | Path | TLS |
 |---|---|---|
-| `*.makeitwork.cloud` | Cloudflare Tunnel via cloudflare-operator `TunnelBinding` | Cloudflare edge |
-| `*.apps.makeitwork.cloud` | WARP-only | Let's Encrypt in cluster |
-| `api.makeitwork.cloud` | WARP-only | Let's Encrypt in cluster |
+| `<app>.makeitwork.cloud` | HTTP via cloudflare-operator `TunnelBinding` | Cloudflare edge |
+| `k3s.makeitwork.cloud` | TCP via `ClusterTunnel` to kube-apiserver, gated by Cloudflare Access | Cloudflare edge |
 
-There is no in-cluster ingress controller. All public traffic flows through a Cloudflare Tunnel; in-cluster TLS is issued by cert-manager using the Cloudflare DNS-01 solver.
+There is no in-cluster ingress controller and no public IP. Every external entry point is a Cloudflare Tunnel.
 
 ### TunnelBinding DNS
 

bootstrap/ci-token-sync-job.yaml

@@ -53,17 +53,17 @@ spec:
               # (NOT the auto-mounted bound token which expires in 1 hour)
               SA_TOKEN=$(cat /var/run/secrets/ci-deployer/token)
 
-              # Repos that need the OpenShift token
+              # Repos that need the ci-deployer cluster API token
               REPOS=(
                 "makeitworkcloud/images"
                 "makeitworkcloud/kustomize-cluster"
               )
 
-              echo "Syncing OpenShift token to GitHub repositories..."
+              echo "Syncing ci-deployer token to GitHub repositories..."
 
               for repo in "${REPOS[@]}"; do
-                echo "Updating OPENSHIFT_TOKEN in $repo"
-                gh secret set OPENSHIFT_TOKEN \
+                echo "Updating CI_DEPLOYER_TOKEN in $repo"
+                gh secret set CI_DEPLOYER_TOKEN \
                   --repo "$repo" \
                   --body "$SA_TOKEN"
               done

bootstrap/wait-for-crds.yaml

@@ -11,7 +11,7 @@ metadata:
     argocd.argoproj.io/hook: PostSync
     argocd.argoproj.io/hook-delete-policy: HookSucceeded
     ignore-check.kube-linter.io/non-existent-service-account: "SA created by GitOps operator"
-    ignore-check.kube-linter.io/latest-tag: "Using cluster-managed OpenShift CLI imagestream"
+    ignore-check.kube-linter.io/latest-tag: "bitnami/kubectl:latest is acceptable for a one-shot bootstrap wait Job"
 spec:
   ttlSecondsAfterFinished: 300
   backoffLimit: 30

bootstrap/wait-for-repo-server.yaml

@@ -11,7 +11,7 @@ metadata:
     argocd.argoproj.io/hook: PostSync
     argocd.argoproj.io/hook-delete-policy: HookSucceeded
     ignore-check.kube-linter.io/non-existent-service-account: "SA created by GitOps operator"
-    ignore-check.kube-linter.io/latest-tag: "Using cluster-managed OpenShift CLI imagestream"
+    ignore-check.kube-linter.io/latest-tag: "bitnami/kubectl:latest is acceptable for a one-shot bootstrap wait Job"
 spec:
   ttlSecondsAfterFinished: 300
   backoffLimit: 10