---
# Runtime settings for the activity-core workloads. The api, worker,
# event-router, migrate and sync pods in this file load it through envFrom,
# next to actcore-runtime-secret (which is not defined in this file).
# ConfigMap values are always strings, so every value is quoted explicitly.
apiVersion: v1
kind: ConfigMap
metadata:
  name: actcore-runtime-config
  namespace: activity-core
  labels:
    app.kubernetes.io/name: activity-core
    app.kubernetes.io/part-of: activity-core
data:
  TEMPORAL_HOST: "actcore-temporal:7233"
  TEMPORAL_NAMESPACE: "default"
  NATS_URL: "nats://actcore-nats:4222"
  # Resolves to the actcore-state-hub-bridge Service in this namespace.
  STATE_HUB_URL: "http://actcore-state-hub-bridge:8000"
  # NOTE(review): plain http:// to services in other namespaces. Confirm the
  # cluster network is the intended trust boundary for these calls.
  REPO_SCOPING_URL: "http://repo-scoping.repo-scoping.svc.cluster.local:8020"
  ISSUE_CORE_URL: "http://issue-core.issue-core.svc.cluster.local:8010"
  # Quoted so the value is the four-character string, not a YAML null.
  ISSUE_SINK_TYPE: "null"
  ACTIVITY_DEFINITION_DIRS: "/etc/activity-core/external-definitions"
  OPS_INVENTORY_PATH: "/etc/activity-core/ops/service-inventory.yml"
  INTER_HUB_URL: ""
  OPS_HUB_WIDGET_MAPPING: ""
  # Presumably the metrics listener (the worker exposes containerPort 9090).
  # 0.0.0.0 means every interface in the pod; no NetworkPolicy appears in this
  # file, so reachability is whatever the cluster allows by default.
  PROMETHEUS_BIND_ADDR: "0.0.0.0:9090"
  # NOTE(review): a gate is switched off here. Confirm that is intended for
  # the railiance01-prod image these workloads run.
  ACTIVITY_CURATOR_GATE: "disabled"
---
# Activity definitions projected into the cluster. Each key is a Markdown file
# with YAML front matter; the sync, api and worker pods in this file mount the
# ConfigMap read-only under
# /etc/activity-core/external-definitions/activity-definitions.
# Whoever can edit this ConfigMap decides what the scheduler runs and which
# context sources it queries, so write access should be as narrow as the
# "custodian" ownership recorded in the definitions.
# NOTE(review): nesting inside the block scalars was restored from a listing
# that had lost its indentation. Diff against the Custodian-owned originals
# before applying.
apiVersion: v1
kind: ConfigMap
metadata:
  name: actcore-external-activity-definitions
  namespace: activity-core
  labels:
    app.kubernetes.io/name: activity-core
    app.kubernetes.io/part-of: activity-core
data:
  # Enabled hourly report; reads only from the state-hub context source.
  hourly-recently-on-scope.md: |
    ---
    id: "d104348c-d792-4377-943c-70a31e81a9bc"
    name: "Hourly RecentlyOnScope Reports"
    type: activity-definition
    version: "1.0"
    enabled: true
    owner: custodian
    governance: custodian
    status: active
    created: "2026-05-22"
    trigger:
      type: cron
      cron_expression: "0 * * * *"
      timezone: Europe/Berlin
      misfire_policy: skip
    context_sources:
      - type: state-hub
        query: recently_on_scope_hourly
        required: true
        params:
          range: "1h"
          active_only: true
          include_attention: false
        bind_to: context.recently_on_scope_hourly
    ---

    # ActivityDefinition: Hourly RecentlyOnScope Reports

    Kubernetes projection of the Custodian-owned definition in
    `/home/worsch/the-custodian/activity-definitions/hourly-recently-on-scope.md`.
  # Shipped with enabled: false. Once enabled, it sets allow_network: true and
  # takes its targets from the inventory file at inventory_path, so the
  # inventory ConfigMap presumably decides where the worker connects. Review
  # both together before flipping the switch.
  ops-service-inventory-probes.md: |
    ---
    id: "40d15a87-7ff6-4d8e-992c-37df15f95110"
    name: "Ops Service Inventory Probes"
    type: activity-definition
    version: "0.1"
    enabled: false
    owner: custodian
    governance: custodian
    status: proposed
    created: "2026-06-05"
    trigger:
      type: cron
      cron_expression: "15 * * * *"
      timezone: Europe/Berlin
      misfire_policy: skip
    context_sources:
      - type: ops-inventory
        query: probe_services
        required: false
        params:
          inventory_path: /etc/activity-core/ops/service-inventory.yml
          timeout_seconds: 10
          include_kinds:
            - http
            - https
          allow_network: true
          evidence_sinks:
            - type: state-hub-progress
              event_type: ops_inventory_probe
              author: activity-core
        bind_to: context.ops_inventory_probe
    ---

    # ActivityDefinition: Ops Service Inventory Probes

    Disabled Railiance projection of the Custodian-owned definition in
    `/home/worsch/the-custodian/activity-definitions/ops-service-inventory-probes.md`.
    Keep disabled until ops-hub Inter-Hub evidence intake is active.
---
# Snapshot of the ops service inventory; the actcore-worker Deployment in this
# file mounts it read-only at /etc/activity-core/ops.
# The embedded policy marks the inventory as non-secret, but it still lists
# host addresses, internal service URLs and recorded operational gaps. Anyone
# who can read ConfigMaps in this namespace can read all of it.
# NOTE(review): the probe definition takes endpoint URLs from this file, so
# write access here presumably controls where probes connect. Keep RBAC on
# this ConfigMap tight.
# NOTE(review): nesting inside the block scalar was restored from a listing
# that had lost its indentation. Diff against the source_of_truth file named
# below before applying.
apiVersion: v1
kind: ConfigMap
metadata:
  name: actcore-ops-service-inventory
  namespace: activity-core
  labels:
    app.kubernetes.io/name: activity-core
    app.kubernetes.io/part-of: activity-core
data:
  service-inventory.yml: |
    version: 1
    last_reviewed: "2026-06-05"
    policy:
      non_secret_inventory: true
      source_of_truth: "/home/worsch/the-custodian/ops/service-inventory.yml"
      projection: "Railiance activity-core ConfigMap snapshot for disabled probes"
    environments:
      - id: local
        name: "Local Workstation"
        role: "Workstation development and local operations"
        lifecycle_state: observed
      - id: coulombcore
        name: "CoulombCore"
        role: "Transitional production-like runtime"
        lifecycle_state: observed
      - id: railiance01
        name: "Railiance01"
        role: "First ThreePhoenix foundation node"
        lifecycle_state: observed
      - id: threephoenix-prod
        name: "ThreePhoenix Production"
        role: "Target governed production topology"
        lifecycle_state: planned
    hosts:
      - id: local-workstation
        environment: local
        role: "State Hub and operator workstation runtime"
      - id: coulombcore
        environment: coulombcore
        address: "92.205.130.254"
        role: "Current live production-like server"
      - id: railiance01
        environment: railiance01
        address: "92.205.62.239"
        role: "First ThreePhoenix foundation node"
    clusters:
      - id: coulombcore-k3s
        environment: coulombcore
        host: coulombcore
        kind: k3s
        lifecycle_state: observed
      - id: railiance01-k3s
        environment: railiance01
        host: railiance01
        kind: k3s
        lifecycle_state: observed
    services:
      - id: gitea
        name: "Gitea"
        kind: application
        lifecycle_state: observed
        health_status: unknown
        environment: coulombcore
        owner_repos:
          - railiance-apps
        runtime:
          type: k3s
          cluster: coulombcore-k3s
          namespace: default
        endpoints:
          - id: gitea-oci-registry
            type: https
            url: "https://gitea.coulomb.social/v2/"
            expected_status: 401
            expected_signal: "OCI registry auth challenge"
            widget_ref: "ops:endpoint:gitea-registry"
        backing_stores:
          - "database:gitea-db"
          - "pvc:default/gitea-shared-storage"
        access_paths:
          - type: k8s
            target: "coulombcore-k3s/default"
            status: unknown
        evidence: []
        gaps:
          - "Backup and restore evidence for database and shared storage not recorded in ops inventory."
      - id: state-hub
        name: "State Hub"
        kind: coordination-service
        lifecycle_state: observed
        health_status: observed_ok
        environment: local
        owner_repos:
          - state-hub
          - the-custodian
        runtime:
          type: local-process
          host: local-workstation
        endpoints:
          - id: state-hub-local-api
            type: http
            url: "http://actcore-state-hub-bridge:8000/state/health"
            expected_status: 200
            expected_signal: "health response"
        backing_stores:
          - "postgresql:state-hub"
        access_paths:
          - type: http
            target: "http://actcore-state-hub-bridge:8000"
            status: observed_ok
        evidence: []
        gaps:
          - "Future cluster deployment readiness still needs ops evidence."
      - id: inter-hub
        name: "Inter-Hub"
        kind: governance-service
        lifecycle_state: observed
        health_status: unknown
        environment: threephoenix-prod
        owner_repos:
          - inter-hub
        runtime:
          type: external
          public_endpoint: "https://hub.coulomb.social"
        endpoints:
          - id: inter-hub-openapi
            type: https
            url: "https://hub.coulomb.social/api/v2/openapi.json"
            expected_status: 200
            expected_signal: "OpenAPI document"
          - id: inter-hub-ui
            type: https
            url: "https://hub.coulomb.social/Hubs"
            expected_status: 302
            expected_signal: "login redirect when unauthenticated"
        backing_stores: []
        access_paths:
          - type: https
            target: "https://hub.coulomb.social"
            status: unknown
        evidence: []
        gaps:
          - "ops-hub bootstrap requires authenticated UI flow or deployment-side migration."
      - id: activity-core
        name: "activity-core"
        kind: automation-service
        lifecycle_state: observed
        health_status: observed_ok
        environment: railiance01
        owner_repos:
          - activity-core
          - the-custodian
        runtime:
          type: k3s
          cluster: railiance01-k3s
          namespace: activity-core
        endpoints:
          - id: activity-core-api
            type: cluster-http
            url: "http://actcore-api:8010/health"
            expected_status: 200
            expected_signal: "db"
        backing_stores:
          - "postgresql:activity-core"
          - "temporal:activity-core"
          - "nats:railiance01"
        access_paths:
          - type: k8s
            target: "railiance01-k3s/activity-core"
            status: observed_ok
        evidence: []
        gaps:
          - "Add explicit ops inventory probes and evidence events."
---
# In-cluster name for the State Hub bridge: port 8000 on the Service maps to
# the pod's named port "http" (containerPort 18080 in the Deployment).
# No type is set, so this is a ClusterIP Service. The backing pod uses
# hostNetwork, so the same listener is also reachable directly on the node,
# bypassing this Service.
apiVersion: v1
kind: Service
metadata:
  name: actcore-state-hub-bridge
  namespace: activity-core
  labels:
    app.kubernetes.io/name: actcore-state-hub-bridge
    app.kubernetes.io/part-of: activity-core
spec:
  selector:
    app.kubernetes.io/name: actcore-state-hub-bridge
  ports:
    - name: http
      protocol: TCP
      port: 8000
      targetPort: http
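---
# Bridge from the cluster to a State Hub listening on the node's loopback
# (127.0.0.1:18000). An inline stdlib-only Python reverse proxy does the
# forwarding.
#
# Exposure: hostNetwork places the 0.0.0.0:18080 listener on the node's own
# interfaces, and the proxy performs no authentication. Anything that can
# reach the node on 18080 can therefore issue GET/POST/PATCH to the upstream.
# NetworkPolicy generally does not cover hostNetwork pods, so restrict the port
# at the host firewall to the sources that need it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: actcore-state-hub-bridge
  namespace: activity-core
  labels:
    app.kubernetes.io/name: actcore-state-hub-bridge
    app.kubernetes.io/part-of: activity-core
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: actcore-state-hub-bridge
  template:
    metadata:
      labels:
        app.kubernetes.io/name: actcore-state-hub-bridge
        app.kubernetes.io/part-of: activity-core
    spec:
      # Required to reach the node's 127.0.0.1; see the exposure note above.
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      # The inline proxy never calls the Kubernetes API, so it gets no token.
      automountServiceAccountToken: false
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: proxy
          # Mutable tag with imagePullPolicy Never: the node runs whatever
          # image was loaded under this name. NOTE(review): record the image
          # digest at import time so the running build can be verified.
          image: activity-core:railiance01-prod
          imagePullPolicy: Never
          securityContext:
            # Port 18080 is unprivileged; the proxy needs no capabilities.
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          ports:
            - name: http
              containerPort: 18080
          command:
            - python
            - "-c"
            - |
              from http.client import HTTPException
              from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
              from urllib.error import HTTPError
              from urllib.request import Request, urlopen

              TARGET = "http://127.0.0.1:18000"
              # Request bodies are buffered in memory, so cap them. Raise the
              # limit if legitimately larger payloads are expected.
              MAX_BODY = 16 * 1024 * 1024
              HOP_HEADERS = {"connection", "host", "keep-alive", "proxy-authenticate",
                             "proxy-authorization", "te", "trailers",
                             "transfer-encoding", "upgrade"}

              class Proxy(BaseHTTPRequestHandler):
                  def do_GET(self):
                      self._proxy()

                  def do_POST(self):
                      self._proxy()

                  def do_PATCH(self):
                      self._proxy()

                  def _proxy(self):
                      # The target is appended to TARGET verbatim. Accept only
                      # origin-form ("/...") so the request line cannot change
                      # which host the proxy connects to.
                      if not self.path.startswith("/"):
                          self.send_error(400, "origin-form request target required")
                          return
                      try:
                          length = int(self.headers.get("content-length", "0") or "0")
                      except ValueError:
                          self.send_error(400, "invalid Content-Length")
                          return
                      # A negative length would make rfile.read() block until EOF.
                      if length < 0:
                          self.send_error(400, "invalid Content-Length")
                          return
                      if length > MAX_BODY:
                          self.send_error(413, "request body too large")
                          return
                      body = self.rfile.read(length) if length else None
                      headers = {
                          key: value
                          for key, value in self.headers.items()
                          if key.lower() not in HOP_HEADERS
                      }
                      request = Request(
                          TARGET + self.path,
                          data=body,
                          headers=headers,
                          method=self.command,
                      )
                      # NOTE(review): urlopen follows upstream redirects itself
                      # instead of relaying them to the client.
                      try:
                          with urlopen(request, timeout=30) as response:
                              status = response.status
                              upstream_headers = response.headers
                              payload = response.read()
                      except HTTPError as exc:
                          # Relay upstream error responses with their headers, so
                          # Content-Type and similar survive.
                          status = exc.code
                          upstream_headers = exc.headers
                          payload = exc.read()
                      except (OSError, HTTPException):
                          # Connection failures and timeouts: answer 502 without
                          # echoing internal error text to the caller.
                          self.send_error(502, "upstream unavailable")
                          return
                      self.send_response(status)
                      for key, value in upstream_headers.items():
                          if key.lower() not in HOP_HEADERS:
                              self.send_header(key, value)
                      self.end_headers()
                      self.wfile.write(payload)

              ThreadingHTTPServer(("0.0.0.0", 18080), Proxy).serve_forever()
          # Readiness goes through the proxy, so the pod is only Ready while
          # the upstream answers /state/summary.
          readinessProbe:
            httpGet:
              path: /state/summary
              port: http
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 6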
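---
# One-shot database migration (alembic upgrade head) for activity-core.
# A Job's pod template is immutable: delete and recreate the Job to apply
# changes to it.
apiVersion: batch/v1
kind: Job
metadata:
  name: actcore-migrate
  namespace: activity-core
  labels:
    app.kubernetes.io/name: actcore-migrate
    app.kubernetes.io/part-of: activity-core
spec:
  backoffLimit: 3
  template:
    metadata:
      labels:
        app.kubernetes.io/name: actcore-migrate
        app.kubernetes.io/part-of: activity-core
    spec:
      restartPolicy: OnFailure
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: migrate
          # Mutable tag with imagePullPolicy Never: the node runs whatever
          # image was loaded under this name. NOTE(review): record the image
          # digest at import time so the running build can be verified.
          image: activity-core:railiance01-prod
          imagePullPolicy: Never
          command: ["python", "-m", "alembic", "upgrade", "head"]
          securityContext:
            # The migration only needs outbound database access.
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          # envFrom exposes every key of the Secret as an environment variable.
          # NOTE(review): confirm the migration needs the full set, or split
          # out a database-only Secret.
          envFrom:
            - configMapRef:
                name: actcore-runtime-config
            - secretRef:
                name: actcore-runtime-secret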
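---
# One-shot sync: registers event types, then loads the activity definitions
# mounted from the actcore-external-activity-definitions ConfigMap.
# A Job's pod template is immutable: delete and recreate the Job to apply
# changes to it.
apiVersion: batch/v1
kind: Job
metadata:
  name: actcore-sync
  namespace: activity-core
  labels:
    app.kubernetes.io/name: actcore-sync
    app.kubernetes.io/part-of: activity-core
spec:
  backoffLimit: 3
  template:
    metadata:
      labels:
        app.kubernetes.io/name: actcore-sync
        app.kubernetes.io/part-of: activity-core
    spec:
      restartPolicy: OnFailure
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: sync
          # Mutable tag with imagePullPolicy Never: the node runs whatever
          # image was loaded under this name. NOTE(review): record the image
          # digest at import time so the running build can be verified.
          image: activity-core:railiance01-prod
          imagePullPolicy: Never
          # The shell is used only to chain the two steps with &&. The string
          # is static, so nothing external is interpolated into it.
          command:
            - sh
            - "-c"
            - python scripts/sync_event_types.py && python -m activity_core.sync_activity_definitions
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          # envFrom exposes every key of the Secret as an environment variable.
          envFrom:
            - configMapRef:
                name: actcore-runtime-config
            - secretRef:
                name: actcore-runtime-secret
          volumeMounts:
            - name: external-activity-definitions
              mountPath: /etc/activity-core/external-definitions/activity-definitions
              readOnly: true
      volumes:
        - name: external-activity-definitions
          configMap:
            name: actcore-external-activity-definitions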
---
# In-cluster entry point for the activity-core API (port 8010 -> pod port
# "http"). No type is set, so this is a ClusterIP Service. No NetworkPolicy
# appears in this file, so which pods may call it depends on cluster defaults.
apiVersion: v1
kind: Service
metadata:
  name: actcore-api
  namespace: activity-core
  labels:
    app.kubernetes.io/name: actcore-api
    app.kubernetes.io/part-of: activity-core
spec:
  selector:
    app.kubernetes.io/name: actcore-api
  ports:
    - name: http
      protocol: TCP
      port: 8010
      targetPort: http
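---
# activity-core HTTP API served by uvicorn on port 8010.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: actcore-api
  namespace: activity-core
  labels:
    app.kubernetes.io/name: actcore-api
    app.kubernetes.io/part-of: activity-core
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: actcore-api
  template:
    metadata:
      labels:
        app.kubernetes.io/name: actcore-api
        app.kubernetes.io/part-of: activity-core
    spec:
      # NOTE(review): the default service-account token is still mounted.
      # Disable it if the API never calls the Kubernetes API.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: api
          # Mutable tag with imagePullPolicy Never: the node runs whatever
          # image was loaded under this name. NOTE(review): record the image
          # digest at import time so the running build can be verified.
          image: activity-core:railiance01-prod
          imagePullPolicy: Never
          # 0.0.0.0 is needed for the Service to reach the pod. It binds inside
          # the pod's network namespace, not on the node.
          command: ["uvicorn", "activity_core.api:app", "--host", "0.0.0.0", "--port", "8010"]
          securityContext:
            # Port 8010 is unprivileged; no capabilities are required to bind.
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          ports:
            - name: http
              containerPort: 8010
          # envFrom exposes every key of the Secret as an environment variable.
          envFrom:
            - configMapRef:
                name: actcore-runtime-config
            - secretRef:
                name: actcore-runtime-secret
          volumeMounts:
            - name: external-activity-definitions
              mountPath: /etc/activity-core/external-definitions/activity-definitions
              readOnly: true
          readinessProbe:
            httpGet:
              path: /health
              port: http
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 6
          livenessProbe:
            httpGet:
              path: /health
              port: http
            initialDelaySeconds: 45
            periodSeconds: 20
            timeoutSeconds: 5
      volumes:
        - name: external-activity-definitions
          configMap:
            name: actcore-external-activity-definitions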
---
# Scrape target for the worker's metrics listener (port 9090 -> pod port
# "metrics"). No type is set, so this is a ClusterIP Service.
# NOTE(review): nothing in this file restricts who may read the metrics.
# Confirm they carry no sensitive labels, or limit access to the scraper.
apiVersion: v1
kind: Service
metadata:
  name: actcore-worker-metrics
  namespace: activity-core
  labels:
    app.kubernetes.io/name: actcore-worker
    app.kubernetes.io/part-of: activity-core
spec:
  selector:
    app.kubernetes.io/name: actcore-worker
  ports:
    - name: metrics
      protocol: TCP
      port: 9090
      targetPort: metrics
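---
# activity-core worker. It is the only workload that mounts the ops service
# inventory, in addition to the activity definitions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: actcore-worker
  namespace: activity-core
  labels:
    app.kubernetes.io/name: actcore-worker
    app.kubernetes.io/part-of: activity-core
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: actcore-worker
  template:
    metadata:
      labels:
        app.kubernetes.io/name: actcore-worker
        app.kubernetes.io/part-of: activity-core
    spec:
      # NOTE(review): the default service-account token is still mounted.
      # Disable it if the worker never calls the Kubernetes API.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: worker
          # Mutable tag with imagePullPolicy Never: the node runs whatever
          # image was loaded under this name. NOTE(review): record the image
          # digest at import time so the running build can be verified.
          image: activity-core:railiance01-prod
          imagePullPolicy: Never
          command: ["python", "-m", "activity_core.worker"]
          securityContext:
            # The mounted probe definition lists only http/https kinds, so no
            # raw-socket capability should be needed. Confirm before adding
            # other probe kinds.
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          ports:
            - name: metrics
              containerPort: 9090
          # envFrom exposes every key of the Secret as an environment variable.
          envFrom:
            - configMapRef:
                name: actcore-runtime-config
            - secretRef:
                name: actcore-runtime-secret
          volumeMounts:
            - name: external-activity-definitions
              mountPath: /etc/activity-core/external-definitions/activity-definitions
              readOnly: true
            - name: ops-service-inventory
              mountPath: /etc/activity-core/ops
              readOnly: true
      volumes:
        - name: external-activity-definitions
          configMap:
            name: actcore-external-activity-definitions
        - name: ops-service-inventory
          configMap:
            name: actcore-ops-service-inventory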
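---
# activity-core event router. It exposes no ports and mounts no volumes in the
# lines visible here; configuration comes only from the environment.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: actcore-event-router
  namespace: activity-core
  labels:
    app.kubernetes.io/name: actcore-event-router
    app.kubernetes.io/part-of: activity-core
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: actcore-event-router
  template:
    metadata:
      labels:
        app.kubernetes.io/name: actcore-event-router
        app.kubernetes.io/part-of: activity-core
    spec:
      # NOTE(review): the default service-account token is still mounted.
      # Disable it if the router never calls the Kubernetes API.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: event-router
          # Mutable tag with imagePullPolicy Never: the node runs whatever
          # image was loaded under this name. NOTE(review): record the image
          # digest at import time so the running build can be verified.
          image: activity-core:railiance01-prod
          imagePullPolicy: Never
          command: ["python", "-m", "activity_core.event_router"]
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          # envFrom exposes every key of the Secret as an environment variable.
          envFrom:
            - configMapRef:
                name: actcore-runtime-config
            - secretRef:
                name: actcore-runtime-secret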