infra

Author SHA1 Message Date

Author	SHA1	Message	Date
Viktor Barzin	fd0f4a0365	fix: restore tree dropped by `6d224861`; land stem95su gdrive-sync (10m) [ci skip] `6d224861` came from a --no-checkout worktree whose empty index made the commit drop every file except two. This restores 05b50d2b's full tree and correctly adds stacks/stem95su/gdrive-sync.tf + the service-catalog stem95su entry. Forward-only (parent=6d224861, no force-push); [ci skip] since the live infra was never applied from the broken commit. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-09 08:45:33 +00:00
Viktor Barzin	6d224861c4	stem95su: scheduled Drive->site sync CronJob (every 10m) CronJob stem95su-gdrive-sync (*/10) mounts the content PVC RW and rclone-syncs the read-only Drive folder "claude" (stem claude/files) onto it (rclone/rclone:1.74.3, scope=drive.readonly, empty-source guard + --max-delete 25). ESO ExternalSecret stem95su-rclone <- Vault secret/stem95su. Requires the GCP OAuth app published to Production or the refresh token expires ~weekly. Lands the gdrive-sync stack on master (it had landed on a feature branch by accident on the shared devvm checkout). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-09 08:42:26 +00:00
Viktor Barzin	3962513036	security(wave1): W1.7 analysis snapshot — observation data → allowlist plan First analysis pass over Calico GNP wave1-egress-observe-tier34 data captured in Loki since 2026-05-19. Pulled ~10000 flow log lines covering 36 source namespaces (of 82 selected by tier 3+4). Analysis script outputs preserved on the dev host at /tmp/{analyze_flows2,build_allowlist}.py. ## Findings Universal baseline (every observed ns): - DNS to kube-system/kube-dns UDP/53 - Often mysql.dbaas TCP/3306 or pg.dbaas TCP/5432 - Often redis.redis TCP/6379 Rollout tiering by egress fan-out: - Tier A (recruiter-responder only): 2 destinations, ideal pilot - Tier B (29 namespaces): ≤3 external IPs, ≤5 internal — batch rollout - Tier C (4 namespaces: f1-stream/openclaw/woodpecker/status-page): needs per-IP investigation - Tier D (servarr): 130+ external IPs (BitTorrent P2P) — keep Log+Allow permanently or move to dedicated egress proxy ## Caveats blocking immediate enforce - Observation horizon too short: ~6h dense data, ~24h total. Need ≥7 days to catch weekly CronJobs, Vault token rotations, Keel pulls. - External IPs are dynamic (Cloudflare/AWS rotate). Static IP allowlists will break — need DNS-based selectors or CIDR ranges. - Some intra-namespace traffic bypasses the Calico filter chain. ## Recommended next steps 1. Continue observation through 2026-05-29 (full week). Compare destination set day-over-day; if stable, allowlist is ready. 2. First enforce: recruiter-responder (allowlist = kube-dns + telegram CIDR + vault/ESO service IPs). 3. Tier B phased rollout at 3-5 ns/day after pilot proves out. Full analysis: docs/architecture/wave1-egress-observation-2026-05-22.md Tracked under beads code-8ywc. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-22 15:22:25 +00:00

Viktor Barzin

fd0f4a0365

fix: restore tree dropped by 6d224861; land stem95su gdrive-sync (10m) [ci skip]

6d224861 came from a --no-checkout worktree whose empty index made the
commit drop every file except two. This restores 05b50d2b's full tree and
correctly adds stacks/stem95su/gdrive-sync.tf + the service-catalog stem95su
entry. Forward-only (parent=6d224861, no force-push); [ci skip] since the
live infra was never applied from the broken commit.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-09 08:45:33 +00:00

Viktor Barzin

6d224861c4

stem95su: scheduled Drive->site sync CronJob (every 10m)

CronJob stem95su-gdrive-sync (*/10) mounts the content PVC RW and
rclone-syncs the read-only Drive folder "claude" (stem claude/files) onto
it (rclone/rclone:1.74.3, scope=drive.readonly, empty-source guard +
--max-delete 25). ESO ExternalSecret stem95su-rclone <- Vault
secret/stem95su. Requires the GCP OAuth app published to Production or the
refresh token expires ~weekly.

Lands the gdrive-sync stack on master (it had landed on a feature branch
by accident on the shared devvm checkout).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-09 08:42:26 +00:00

Viktor Barzin

3962513036

security(wave1): W1.7 analysis snapshot — observation data → allowlist plan

First analysis pass over Calico GNP wave1-egress-observe-tier34 data captured
in Loki since 2026-05-19. Pulled ~10000 flow log lines covering 36 source
namespaces (of 82 selected by tier 3+4). Analysis script outputs preserved
on the dev host at /tmp/{analyze_flows2,build_allowlist}.py.

## Findings

**Universal baseline (every observed ns):**
- DNS to kube-system/kube-dns UDP/53
- Often mysql.dbaas TCP/3306 or pg.dbaas TCP/5432
- Often redis.redis TCP/6379

**Rollout tiering by egress fan-out:**
- Tier A (recruiter-responder only): 2 destinations, ideal pilot
- Tier B (29 namespaces): ≤3 external IPs, ≤5 internal — batch rollout
- Tier C (4 namespaces: f1-stream/openclaw/woodpecker/status-page):
  needs per-IP investigation
- Tier D (servarr): 130+ external IPs (BitTorrent P2P) — keep Log+Allow
  permanently or move to dedicated egress proxy

## Caveats blocking immediate enforce
- Observation horizon too short: ~6h dense data, ~24h total. Need ≥7 days
  to catch weekly CronJobs, Vault token rotations, Keel pulls.
- External IPs are dynamic (Cloudflare/AWS rotate). Static IP allowlists
  will break — need DNS-based selectors or CIDR ranges.
- Some intra-namespace traffic bypasses the Calico filter chain.

## Recommended next steps
1. Continue observation through 2026-05-29 (full week). Compare destination
   set day-over-day; if stable, allowlist is ready.
2. First enforce: recruiter-responder (allowlist = kube-dns + telegram CIDR
   + vault/ESO service IPs).
3. Tier B phased rollout at 3-5 ns/day after pilot proves out.

Full analysis: docs/architecture/wave1-egress-observation-2026-05-22.md
Tracked under beads code-8ywc.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-05-22 15:22:25 +00:00

3 commits