coulomb/net-kingdom
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7c3cde06b5d401608f06e375c764044b1f9ed9fa
net-kingdom/CONFIG.md
tegwick 7c3cde06b5 docs: introduce CONFIG.md config point registry (CP-NK-001) 
Establishes the local config point registry pattern. A config point is an
explicit non-default value that cannot be derived from topology, naming
convention, component defaults, or automation. Minimizing the list is a
design goal — absence of an entry means "accepting the upstream default".

CP-NK-001: ACME contact email (bernd.worsch+netkingdom@gmail.com)
  Location: sso-mfa/k8s/cert-manager/issuers.yaml:38
  Why non-default: ACME requires a real monitored inbox; no system default
  qualifies. Automation via Local Identity GECOS email is deferred.

State-hub extension point EP 8e1cda6a registered in custodian domain:
  "Config point registry: centralized view of explicit non-default
  configuration values" — proposes ConfigPoint entity type + MCP tools
  + cross-domain minimization metric.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-02 11:47:14 +01:00

1.8 KiB
Raw Blame History

Config Point Registry

Philosophy

net-kingdom is opinionated: defaults, conventions, and automation are preferred at every level. A config point in this file is a conscious exception — a value that cannot be derived from the system's topology, naming conventions, component defaults, or available automation.

Minimizing this list is a design goal. Before adding a config point, ask:

  • Can the value be derived from a naming convention or topology fact?
  • Can it be auto-generated (e.g. from the Linux user identity, like Local Identity does)?
  • Is the default provided by the upstream component safe to accept?

If yes to any of the above, don't add it here.

Summary

ID Name Value Location(s)
CP-NK-001 ACME contact email bernd.worsch+netkingdom@gmail.com sso-mfa/k8s/cert-manager/issuers.yaml:38

CP-NK-001 — ACME contact email

Value: bernd.worsch+netkingdom@gmail.com Set: 2026-03-02 Set by: worsch

Location(s):

  • sso-mfa/k8s/cert-manager/issuers.yaml:38spec.acme.email on the letsencrypt-prod ClusterIssuer

Why non-default: ACME (Let's Encrypt) requires a contact address for certificate lifecycle notifications — expiry warnings, rate-limit alerts, policy announcements. There is no system-level default that qualifies: this must be a real, monitored inbox.

Why not automated: The Linux user GECOS email (via Local Identity) would be a natural source. However, that introduces a runtime dependency between cluster provisioning and the local-identity tool. Deferred; revisit when Local Identity gains a structured "operator contact" concept.

Scope: All TLS certificates issued by the letsencrypt-prod ClusterIssuer across the entire cluster.

Reference in New Issue View Git Blame Copy Permalink