viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infra/stacks/recruiter-responder/main.tf
Viktor Barzin 18928eb8ac recruiter-responder + openclaw: wire gpt-mini secret keys + VIKTOR_CHAT_ID 
recruiter-responder ExternalSecret gains GPT_MINI_ENDPOINT/_API_KEY/_MODEL
(NIM-served qwen3-coder-480b — gpt-5.4-mini in OpenClaw is OAuth-only and
not HTTP-accessible to external services). OpenClaw gains VIKTOR_CHAT_ID
env consumed by the recruiter-api plugin's announcement loop.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-20 21:10:56 +00:00

350 lines
12 KiB
HCL
Raw Blame History

variable "image_tag" {
type = string
default = "latest"
description = "recruiter-responder image tag. Use 8-char git SHA in CI."
}
variable "postgresql_host" { type = string }
variable "tls_secret_name" {
type = string
sensitive = true
}
locals {
namespace = "recruiter-responder"
image = "forgejo.viktorbarzin.me/viktor/recruiter-responder:${var.image_tag}"
labels = {
app = "recruiter-responder"
}
}
resource "kubernetes_namespace" "recruiter_responder" {
metadata {
name = local.namespace
labels = {
tier = local.tiers.aux
"istio-injection" = "disabled"
# Opt into Keel auto-update (inject-keel-annotations ClusterPolicy).
"keel.sh/enrolled" = "true"
}
}
lifecycle {
# KYVERNO_LIFECYCLE_V1: goldilocks-vpa-auto-mode ClusterPolicy stamps this label.
ignore_changes = [metadata[0].labels["goldilocks.fairwinds.com/vpa-update-mode"]]
}
}
# App secrets — seed these in Vault before applying:
# secret/recruiter-responder
# webhook_bearer_token — bearer for all /api/* endpoints (consumed by
# the OpenClaw recruiter-api plugin)
# imap_me_user — IMAP for me@viktorbarzin.me (full address)
# imap_me_pass — IMAP password for me@
# imap_spam_user — IMAP for spam@viktorbarzin.me
# imap_spam_pass — IMAP password for spam@
# smtp_password — SMTP password for me@viktorbarzin.me
# claude_agent_token — Bearer for claude-agent-service (Tier-2)
# telegram_bot_token — Bot token for @ViktorBarzinOpenClawBot
# (same as secret/openclaw.telegram_bot_token)
# telegram_chat_id — Viktor's Telegram chat id (8281953845)
#
# Schema in CNPG: `recruiter_responder` (alembic creates on first migrate).
# DB user: created via Vault database engine — see static-creds/pg-recruiter-responder.
resource "kubernetes_manifest" "external_secret" {
manifest = {
apiVersion = "external-secrets.io/v1beta1"
kind = "ExternalSecret"
metadata = {
name = "recruiter-responder-secrets"
namespace = local.namespace
}
spec = {
refreshInterval = "15m"
secretStoreRef = {
name = "vault-kv"
kind = "ClusterSecretStore"
}
target = {
name = "recruiter-responder-secrets"
template = {
metadata = {
annotations = {
"reloader.stakater.com/match" = "true"
}
}
}
}
data = [
{ secretKey = "WEBHOOK_BEARER_TOKEN", remoteRef = { key = "recruiter-responder", property = "webhook_bearer_token" } },
{ secretKey = "IMAP_ME_USER", remoteRef = { key = "recruiter-responder", property = "imap_me_user" } },
{ secretKey = "IMAP_ME_PASS", remoteRef = { key = "recruiter-responder", property = "imap_me_pass" } },
{ secretKey = "IMAP_SPAM_USER", remoteRef = { key = "recruiter-responder", property = "imap_spam_user" } },
{ secretKey = "IMAP_SPAM_PASS", remoteRef = { key = "recruiter-responder", property = "imap_spam_pass" } },
{ secretKey = "SMTP_PASSWORD", remoteRef = { key = "recruiter-responder", property = "smtp_password" } },
{ secretKey = "CLAUDE_AGENT_TOKEN", remoteRef = { key = "recruiter-responder", property = "claude_agent_token" } },
{ secretKey = "TELEGRAM_BOT_TOKEN", remoteRef = { key = "recruiter-responder", property = "telegram_bot_token" } },
{ secretKey = "TELEGRAM_CHAT_ID", remoteRef = { key = "recruiter-responder", property = "telegram_chat_id" } },
# Gmail app password for the backtest CLI (read-only). Same
# credential as wealthfolio uses for broker statement ingestion.
{ secretKey = "GMAIL_IMAP_USER", remoteRef = { key = "recruiter-responder", property = "gmail_imap_user" } },
{ secretKey = "GMAIL_IMAP_PASS", remoteRef = { key = "recruiter-responder", property = "gmail_imap_pass" } },
# gpt-5.4-mini (NIM-served qwen3-coder-480b) for /api/draft generation.
{ secretKey = "GPT_MINI_ENDPOINT", remoteRef = { key = "recruiter-responder", property = "gpt_mini_endpoint" } },
{ secretKey = "GPT_MINI_API_KEY", remoteRef = { key = "recruiter-responder", property = "gpt_mini_api_key" } },
{ secretKey = "GPT_MINI_MODEL", remoteRef = { key = "recruiter-responder", property = "gpt_mini_model" } },
]
}
}
depends_on = [kubernetes_namespace.recruiter_responder]
}
# DB credentials from Vault database engine (7-day rotation).
# Builds the asyncpg DSN consumed by the FastAPI app as DB_CONNECTION_STRING.
# Pre-req in dbaas: CNPG cluster has DB `recruiter_responder`, role
# `recruiter_responder`, and Vault role `static-creds/pg-recruiter-responder`.
resource "kubernetes_manifest" "db_external_secret" {
manifest = {
apiVersion = "external-secrets.io/v1beta1"
kind = "ExternalSecret"
metadata = {
name = "recruiter-responder-db-creds"
namespace = local.namespace
}
spec = {
refreshInterval = "15m"
secretStoreRef = {
name = "vault-database"
kind = "ClusterSecretStore"
}
target = {
name = "recruiter-responder-db-creds"
template = {
metadata = {
annotations = {
"reloader.stakater.com/match" = "true"
}
}
data = {
DB_CONNECTION_STRING = "postgresql+asyncpg://recruiter_responder:{{ .password }}@${var.postgresql_host}:5432/recruiter_responder"
DB_PASSWORD = "{{ .password }}"
}
}
}
data = [{
secretKey = "password"
remoteRef = {
key = "static-creds/pg-recruiter-responder"
property = "password"
}
}]
}
}
depends_on = [kubernetes_namespace.recruiter_responder]
}
resource "kubernetes_deployment" "recruiter_responder" {
metadata {
name = "recruiter-responder"
namespace = kubernetes_namespace.recruiter_responder.metadata[0].name
labels = merge(local.labels, {
tier = local.tiers.aux
})
annotations = {
"reloader.stakater.com/search" = "true"
}
}
spec {
# IMAP IDLE + APScheduler want a single leader; concurrency hurts both.
replicas = 1
strategy {
type = "Recreate"
}
selector {
match_labels = local.labels
}
template {
metadata {
labels = local.labels
}
spec {
image_pull_secrets {
name = "registry-credentials"
}
init_container {
name = "alembic-migrate"
image = local.image
command = ["alembic", "upgrade", "head"]
env_from {
secret_ref { name = "recruiter-responder-secrets" }
}
env_from {
secret_ref { name = "recruiter-responder-db-creds" }
}
resources {
requests = { cpu = "50m", memory = "256Mi" }
limits = { memory = "512Mi" }
}
}
container {
name = "recruiter-responder"
image = local.image
port {
container_port = 8080
}
env_from {
secret_ref { name = "recruiter-responder-secrets" }
}
env_from {
secret_ref { name = "recruiter-responder-db-creds" }
}
# IMAP fan-in: read both mailboxes off the in-cluster mailserver.
env {
name = "IMAP_MAILBOXES"
value = "me,spam"
}
env {
name = "IMAP_ME_HOST"
value = "mailserver.mailserver.svc.cluster.local"
}
env {
name = "IMAP_SPAM_HOST"
value = "mailserver.mailserver.svc.cluster.local"
}
# SMTP (outbound reply) — same mailserver service, STARTTLS on 587.
env {
name = "SMTP_HOST"
value = "mailserver.mailserver.svc.cluster.local"
}
env {
name = "SMTP_PORT"
value = "587"
}
env {
name = "SMTP_USER"
value = "me@viktorbarzin.me"
}
env {
name = "SMTP_FROM_ADDR"
value = "me@viktorbarzin.me"
}
env {
name = "SMTP_FROM_NAME"
value = "Viktor Barzin"
}
# Tier-0 LLM
env {
name = "LLAMA_SWAP_URL"
value = "http://llama-swap.llama-cpp.svc.cluster.local:8080"
}
env {
name = "LLAMA_SWAP_MODEL"
value = "qwen3-8b"
}
# Tier-2 LLM (deep_research only)
env {
name = "CLAUDE_AGENT_URL"
value = "http://claude-agent-service.claude-agent.svc.cluster.local:8080"
}
# Telegram bot (no URL env needed — token in secret)
# Public callback base URL for inline-keyboard URL buttons.
# Must match the ingress host below (proxied via Cloudflare).
env {
name = "CALLBACK_BASE_URL"
value = "https://recruiter-responder.viktorbarzin.me"
}
readiness_probe {
http_get {
path = "/healthz"
port = 8080
}
initial_delay_seconds = 5
period_seconds = 10
}
liveness_probe {
http_get {
path = "/healthz"
port = 8080
}
initial_delay_seconds = 30
period_seconds = 30
}
resources {
requests = { cpu = "100m", memory = "384Mi" }
limits = { memory = "768Mi" }
}
}
}
}
}
lifecycle {
ignore_changes = [
spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
metadata[0].annotations["keel.sh/policy"],
metadata[0].annotations["keel.sh/trigger"],
metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
]
}
depends_on = [
kubernetes_manifest.external_secret,
kubernetes_manifest.db_external_secret,
]
}
resource "kubernetes_service" "recruiter_responder" {
metadata {
name = "recruiter-responder"
namespace = kubernetes_namespace.recruiter_responder.metadata[0].name
labels = local.labels
}
spec {
type = "ClusterIP"
selector = local.labels
port {
name = "http"
port = 8080
target_port = 8080
}
}
}
# Kyverno ClusterPolicy `sync-tls-secret` auto-clones the wildcard TLS
# secret into every namespace, so we don't need a setup_tls_secret module.
# Public ingress for the /cb/* callback endpoints driven by Telegram URL
# buttons. /api/* and /healthz stay internal — they're routed via cluster
# DNS from the OpenClaw plugin / kubelet probes respectively.
#
# auth = "none": the /cb endpoints are gated by HMAC-signed query params
# (sig + exp) generated from WEBHOOK_BEARER_TOKEN. Authentik would force
# a login flow before the GET could fire and break the one-tap flow.
module "ingress" {
source = "../../modules/kubernetes/ingress_factory"
# auth = "none": HMAC + expiry gate the /cb endpoints — Authentik would
# force a login dance and break Telegram's one-tap UX. See callback_links.py.
auth = "none"
anti_ai_scraping = false
dns_type = "proxied"
namespace = kubernetes_namespace.recruiter_responder.metadata[0].name
name = "recruiter-responder"
port = 8080
ingress_path = ["/cb"]
tls_secret_name = var.tls_secret_name
}
Reference in a new issue View git blame Copy permalink