infra

Viktor Barzin bde713f8a4 broker-sync: add Fidelity PlanViewer CronJob (suspended) ## Context Viktor's UK workplace pension is at Fidelity PlanViewer. The broker-sync provider + CLI landed in the broker-sync repo (commits 804e6a8 + 7c9be54); this commit adds the infra bits so the monthly sync runs in-cluster like the other broker-sync jobs. One successful manual backfill on 2026-04-18 pulled 51 contributions + valuation into a new WF WORKPLACE_PENSION account; Net Worth moved from £865k → £1,003k. This commit productionises that flow. ## This change - New kubernetes_cron_job_v1.fidelity in stacks/broker-sync/main.tf: - Schedule: 05:00 UK on the 20th of each month (after mid-month payroll settles; finance data shows credits on the 13th-18th). - Suspended by default — unsuspend once broker-sync image is rebuilt with Chromium baked in (Dockerfile change shipped separately in the broker-sync repo). - Init container materialises the storage_state JSON (projected from the broker-sync-secrets K8s Secret, synced from Vault by ESO) to the encrypted PVC at /data/fidelity_storage_state.json. Chromium then loads it. - Container: broker-sync fidelity-ingest with WF + FIDELITY_* env vars. Memory request 512Mi, limit 1280Mi — Chromium is hungry. - Lifecycle ignore_changes on dns_config per the KYVERNO_LIFECYCLE_V1 convention documented in AGENTS.md. ## What is NOT in this change - The Vault keys fidelity_storage_state + fidelity_plan_id — already staged via `vault kv patch` on 2026-04-18. - Dockerfile Chromium install — in broker-sync repo (commit 7c9be54). - Prometheus BrokerSyncFidelityFailed alert — deferred until the CronJob has run successfully for a month and we have a baseline. Existing broker-sync CronJobs also don't have per-job alerts yet; filing as a follow-up. ## Verification ### Automated terraform fmt ran clean. `terragrunt plan` would show a single new kubernetes_cron_job_v1 (suspended, so no pods scheduled). ### Manual (after apply + image rebuild) 1. Build + push broker-sync:<sha> with Chromium. 2. `scripts/tg apply stacks/broker-sync` (updates image_tag + adds fidelity CronJob). 3. Unsuspend: `kubectl -n broker-sync patch cronjob broker-sync-fidelity \ -p '{"spec":{"suspend":false}}'` OR flip the tf flag. 4. Trigger a test run: `kubectl -n broker-sync create job \ fidelity-test --from=cronjob/broker-sync-fidelity`. 5. Expect logs: `fidelity-ingest: fetched=N new=N imported=N failed=0`. 6. On FidelitySessionError: run `broker-sync fidelity-seed` locally + `vault kv patch secret/broker-sync fidelity_storage_state=@...`. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-18 18:51:20 +00:00
..
main.tf	broker-sync: add Fidelity PlanViewer CronJob (suspended)	2026-04-18 18:51:20 +00:00
terragrunt.hcl	Add broker-sync Terraform stack (#7 )	2026-04-17 21:17:45 +01:00

Viktor Barzin bde713f8a4 broker-sync: add Fidelity PlanViewer CronJob (suspended)

## Context

Viktor's UK workplace pension is at Fidelity PlanViewer. The broker-sync
provider + CLI landed in the broker-sync repo (commits 804e6a8 +
7c9be54); this commit adds the infra bits so the monthly sync runs
in-cluster like the other broker-sync jobs.

One successful manual backfill on 2026-04-18 pulled 51 contributions +
valuation into a new WF WORKPLACE_PENSION account; Net Worth moved from
£865k → £1,003k. This commit productionises that flow.

## This change

- New kubernetes_cron_job_v1.fidelity in stacks/broker-sync/main.tf:
  - Schedule: 05:00 UK on the 20th of each month (after mid-month
    payroll settles; finance data shows credits on the 13th-18th).
  - Suspended by default — unsuspend once broker-sync image is rebuilt
    with Chromium baked in (Dockerfile change shipped separately in the
    broker-sync repo).
  - Init container materialises the storage_state JSON (projected from
    the broker-sync-secrets K8s Secret, synced from Vault by ESO) to the
    encrypted PVC at /data/fidelity_storage_state.json. Chromium then
    loads it.
  - Container: broker-sync fidelity-ingest with WF + FIDELITY_* env
    vars. Memory request 512Mi, limit 1280Mi — Chromium is hungry.
  - Lifecycle ignore_changes on dns_config per the KYVERNO_LIFECYCLE_V1
    convention documented in AGENTS.md.

## What is NOT in this change

- The Vault keys fidelity_storage_state + fidelity_plan_id — already
  staged via `vault kv patch` on 2026-04-18.
- Dockerfile Chromium install — in broker-sync repo (commit 7c9be54).
- Prometheus BrokerSyncFidelityFailed alert — deferred until the
  CronJob has run successfully for a month and we have a baseline.
  Existing broker-sync CronJobs also don't have per-job alerts yet;
  filing as a follow-up.

## Verification

### Automated
terraform fmt ran clean. `terragrunt plan` would show a single new
kubernetes_cron_job_v1 (suspended, so no pods scheduled).

### Manual (after apply + image rebuild)

1. Build + push broker-sync:<sha> with Chromium.
2. `scripts/tg apply stacks/broker-sync` (updates image_tag + adds
   fidelity CronJob).
3. Unsuspend: `kubectl -n broker-sync patch cronjob broker-sync-fidelity \
     -p '{"spec":{"suspend":false}}'` OR flip the tf flag.
4. Trigger a test run: `kubectl -n broker-sync create job \
     fidelity-test --from=cronjob/broker-sync-fidelity`.
5. Expect logs: `fidelity-ingest: fetched=N new=N imported=N failed=0`.
6. On FidelitySessionError: run `broker-sync fidelity-seed` locally +
   `vault kv patch secret/broker-sync fidelity_storage_state=@...`.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-18 18:51:20 +00:00

main.tf

broker-sync: add Fidelity PlanViewer CronJob (suspended)

2026-04-18 18:51:20 +00:00

terragrunt.hcl

Add broker-sync Terraform stack (#7 )

2026-04-17 21:17:45 +01:00