Skip to content

@claude go-live: materialize fuzefront-secrets + ghcr-pull so app.fuzefront.com serves (devops-engineer + fuzeinfra-expert) #76

Description

@izzywdev

@claude — please handle the final go-live unblock for app.fuzefront.com end-to-end. Use the fuzeinfra-expert agent (cluster contract) and the devops-engineer agent (the seal/apply slice). This is FuzeInfra's to do because FuzeInfra is the only party holding both the privileged values (Postgres superuser pwd) and the prod kubeconfig — the FuzeFront owner can't supply these.

The single remaining blocker

The Argo fuzefront app cannot sync: its pre-install/pre-upgrade DB-bootstrap Job (deploy/helm/fuzefront/templates/db-bootstrap-job.yaml) has no superuser password, and pods can't pull the private GHCR images. Result: no Ingress is created → Cloudflare→Traefik has nothing to route → https://app.fuzefront.com/api/health is 404 (confirmed, 30/30 attempts). Everything else is live: CF route + tunnel, Argo app-of-apps registered, FuzeInfra prod Synced+Healthy, V92/V76 whitelisted (#67).

What to create (namespace fuzefront)

1. Secret fuzefront-secrets (Opaque)

key value source
DB_SUPERUSER_PASSWORD the live fuzeinfra Postgres superuser pwd: kubectl -n fuzeinfra get secret fuzeinfra-secrets -o jsonpath='{.data.POSTGRES_PASSWORD}' | base64 -d (expected = chart default fuzeinfra_secure_password unless ClickOps changed it — confirm against the live cluster)
DB_PASSWORD freshly generate (openssl rand -hex 24) — bootstrap sets the fuzefront_user role to this; backend reads the same secret
JWT_SECRET, SESSION_SECRET, INTERNAL_PROVISION_SECRET freshly generate (openssl rand -hex 32)
PERMIT_API_KEY, AUTHENTIK_CLIENT_ID, AUTHENTIK_CLIENT_SECRET placeholder (e.g. placeholder) is fine to reach /api/health green — these are non-optional secretKeyRefs so they must EXIST; real values are a later follow-up for SSO/authz

(Backend expects superuser username fuzeinfra, db fuzefront_platform, role fuzefront_user — already set in values-prod.yaml, don't change.)

2. ghcr-pull (the private-image pull)

The izzywdev/fuzefront-backend + fuzefront-frontend GHCR packages are private. Preferred (lowest friction, same-account): make those two packages public → then ghcr-pull isn't needed at all. If you cannot change package visibility (token scope), post @izzywdev BLOCKED: asking the owner to either flip them public or supply a read:packages PAT, and proceed with everything else.

How to apply

You hold KUBE_CONFIG, so the cleanest path is to create/seal these directly in-cluster (you don't need the offline-cert flow that owners use). Then let Argo retry the fuzefront app and confirm the DB-bootstrap hook passes + backend/frontend pods become Ready + the Ingress for app.fuzefront.com is created. Do not edit the FuzeFront repo (decoupling) — apply to the cluster; if you want them GitOps-persisted, note it back and I'll add a sealed-dir Argo app on the FuzeFront side.

Heads-up the expert found

https://sealed-secrets.prod.fuzefront.com/v1/cert.pem returns a Traefik 404 (Access bypass works, but the controller isn't serving the cert at that path). Not blocking for you (you have kubeconfig), but worth fixing the controller Ingress so the owner's offline-seal path works later.

Acceptance criteria

  • fuzefront-secrets (8 keys) + ghcr-pull resolution done in ns fuzefront.
  • Argo fuzefront app reaches Synced + Healthy; DB-bootstrap Job completes; backend+frontend pods Ready.
  • curl -s -o /dev/null -w '%{http_code}' https://app.fuzefront.com/api/health200.
  • Reply on THIS issue with DONE: <what you did> + the live health code (or BLOCKED: <q> with a STATE block) so the FuzeFront agent's monitor picks it up.

STATE

  • done: CF route+tunnel live; Argo app-of-apps registered; FuzeInfra prod Synced+Healthy; Whitelist Contabo V92 + V76 in infra-request auto-apply whitelist #67 whitelist; recipe doc deploy/contabo/SEAL_PROD_SECRETS.md on FuzeFront master.
  • remaining: the 2 secrets above + Argo sync + health=200.
  • originating: izzywdev/FuzeFront, goal "app.fuzefront.com shows the fuzefront MF platform".
  • decisions: PERMIT/AUTHENTIK placeholders acceptable for first-light (SSO is a follow-up); GHCR public preferred over a PAT.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions