@pleri/olam-cli 0.1.160 → 0.1.162

package/host-cp/peripheral-services/helm-values/promtail-staging.yaml

@@ -0,0 +1,92 @@
+# Promtail Helm values — Phase A Task A5 staging (Phase B consumes)
+#
+# Tails every container's stdout; ships to Loki single-binary (Phase B installs Loki).
+# Per OQ-p3-6: Traefik native config can redact HEADERS but NOT URL query params —
+# query-param scrubbing for `?token=`, `?code=`, `?access_token=`, `?state=` happens
+# HERE at Promtail ingest via pipeline_stages.replace regex.
+#
+# Resource limits per OQ-p3-37 (Promtail OOM risk under chatty container-cp 100ms cadence):
+#   - memory limit 256Mi
+#   - pipeline_stages.limit rate 100 lines/sec/stream
+#
+# Scrape config matches every pod log; namespace-scope labels are added so Loki LogQL queries
+# can filter by service / namespace / pod.
+#
+# SECURITY NOTE — replace stage regex semantics (load-bearing):
+#   Promtail's `replace` stage iterates over CAPTURE GROUPS, not full matches.
+#   The `replace` field is a Go text/template string; `${1}` is NOT valid Go
+#   template syntax and silently becomes a literal. The correct pattern is:
+#     expression: '(?:prefix)(secret_value_only)'  — capture ONLY the secret part
+#     replace: 'REDACTED'                          — replace captured secret with literal
+#   See promtail-values.yaml header comment for full details.
+
+deploymentMode: DaemonSet
+
+resources:
+  requests:
+    cpu: 50m
+    memory: 64Mi
+  limits:
+    cpu: 200m
+    memory: 256Mi   # OQ-p3-37: bounded; OOM-kill restart preferred over runaway memory
+
+config:
+  clients:
+    - url: http://olam-loki.monitoring.svc.cluster.local:3100/loki/api/v1/push
+
+  snippets:
+    pipelineStages:
+      # 1. Parse JSON access logs from Traefik (key field present in JSON line)
+      - match:
+          selector: '{container="traefik"}'
+          stages:
+            - json:
+                expressions:
+                  request_method: RequestMethod
+                  request_path: RequestPath
+                  status: DownstreamStatus
+                  request_id: requestId
+                  service: ServiceName
+                  router: RouterName
+
+      # 2. Scrub OAuth/token values from URL query params and Authorization headers.
+      #
+      #    IMPORTANT — capture group semantics:
+      #    The replace stage replaces each CAPTURE GROUP with the `replace` template
+      #    value. Capture groups must wrap ONLY the secret value, not the surrounding
+      #    context. The prefix (e.g. `?code=`) uses a non-capturing group `(?:...)` so
+      #    it is preserved in the output while only the secret is replaced.
+      - replace:
+          # OAuth code= callback values — capture only the token value after `code=`
+          expression: '(?:\?|&)code=([^&\s]+)'
+          replace: 'REDACTED'
+      - replace:
+          # Bearer / access tokens in query strings — capture only the value
+          expression: '(?:\?|&)(?:access_token|token|api_key|secret)=([^&\s]+)'
+          replace: 'REDACTED'
+      - replace:
+          # OAuth state param (may carry session info) — capture only the value
+          expression: '(?:\?|&)state=([^&\s]+)'
+          replace: 'REDACTED'
+      - replace:
+          # Authorization header Bearer value — capture only the token after `Bearer `
+          expression: '(?:Authorization|authorization):\s*(?:Bearer|bearer)\s+(\S+)'
+          replace: 'REDACTED'
+
+      # 3. Rate-limit ingestion per-stream to prevent OOM cascade under chatty containers (OQ-p3-37)
+      - limit:
+          rate: 100         # max log lines/sec per stream
+          burst: 200
+          drop: true        # drop excess lines; do NOT block tail
+
+      # 4. Promote parsed fields to labels (low-cardinality only — taxonomy compliance)
+      - labels:
+          service:          # from Traefik JSON access log; matches taxonomy `service` label
+          router:           # Traefik router name
+          status:           # HTTP status code (within taxonomy)
+
+# Retention is configured on Loki side (Phase B), not Promtail.
+# Sample retention target: 7 days per Performance budget Row.
+
+serviceMonitor:
+  enabled: true   # Prometheus (Phase C) scrapes Promtail's own /metrics for self-observability

package/host-cp/peripheral-services/helm-values/promtail-values.yaml

@@ -0,0 +1,102 @@
+# Promtail Helm values — k3s-ingress-observability Phase B Task B1 (production)
+#
+# Production Promtail values. Staging copy at promtail-staging.yaml has the
+# same scrubbing pipeline shape; this file sets the Loki client URL +
+# production resource limits.
+#
+# Scrubbing pipeline:
+#   - 4 `replace` stages: code=, token/access_token/api_key/secret=, state=, Authorization
+#   - `limit` stage: rate=100/burst=200/drop=true (OQ-p3-37: Promtail OOM under chatty containers)
+# Client URL: http://olam-loki.monitoring.svc.cluster.local:3100/loki/api/v1/push
+#   Service name `olam-loki` is the Helm release name used in scripts/e2e/loki-ingest.sh
+#   (`helm upgrade --install olam-loki grafana/loki ...`); the chart's Service
+#   is named after the release, so `olam-loki` is the in-cluster DNS hostname.
+#
+# SECURITY NOTE — replace stage regex semantics (load-bearing):
+#   Promtail's `replace` stage iterates over CAPTURE GROUPS, not full matches.
+#   The `replace` field is a Go text/template string; `${1}` is NOT valid Go
+#   template syntax and silently becomes a literal. The correct pattern is:
+#     expression: '(?:prefix)(secret_value_only)'  — capture ONLY the secret part
+#     replace: 'REDACTED'                          — replace captured secret with literal
+#   This leaves the surrounding context (e.g. `?code=`) intact and redacts only
+#   the value. The broken pattern `(\?|&)code=[^&\s]+` with `replace: '${1}code=REDACTED'`
+#   was the root cause of the Phase B scrubbing regression (PR #776).
+#
+# See: docs/plans/k3s-ingress-observability/DESIGN.md (T8, T9)
+
+deploymentMode: DaemonSet
+
+resources:
+  requests:
+    cpu: 50m
+    memory: 64Mi
+  limits:
+    cpu: 200m
+    memory: 256Mi   # OQ-p3-37: bounded; OOM-kill restart preferred over runaway memory
+
+config:
+  clients:
+    - url: http://olam-loki.monitoring.svc.cluster.local:3100/loki/api/v1/push
+
+  snippets:
+    pipelineStages:
+      # 1. Parse JSON access logs from Traefik (key field present in JSON line)
+      - match:
+          selector: '{container="traefik"}'
+          stages:
+            - json:
+                expressions:
+                  request_method: RequestMethod
+                  request_path: RequestPath
+                  status: DownstreamStatus
+                  request_id: requestId
+                  service: ServiceName
+                  router: RouterName
+
+      # 2. Scrub OAuth/token values from URL query params and Authorization headers.
+      #
+      #    IMPORTANT — capture group semantics:
+      #    The replace stage replaces each CAPTURE GROUP with the `replace` template
+      #    value. Capture groups must wrap ONLY the secret value, not the surrounding
+      #    context. The prefix (e.g. `?code=`) uses a non-capturing group `(?:...)` so
+      #    it is preserved in the output while only the secret is replaced.
+      - replace:
+          # OAuth code= callback values — capture only the token value after `code=`
+          expression: '(?:\?|&)code=([^&\s]+)'
+          replace: 'REDACTED'
+      - replace:
+          # Bearer / access tokens in query strings — capture only the value
+          expression: '(?:\?|&)(?:access_token|token|api_key|secret)=([^&\s]+)'
+          replace: 'REDACTED'
+      - replace:
+          # OAuth state param (may carry session info) — capture only the value
+          expression: '(?:\?|&)state=([^&\s]+)'
+          replace: 'REDACTED'
+      - replace:
+          # Authorization header Bearer value — capture only the token after `Bearer `
+          expression: '(?:Authorization|authorization):\s*(?:Bearer|bearer)\s+(\S+)'
+          replace: 'REDACTED'
+
+      # 3. Rate-limit ingestion per-stream to prevent OOM cascade under chatty containers (OQ-p3-37)
+      - limit:
+          rate: 100         # max log lines/sec per stream
+          burst: 200
+          drop: true        # drop excess lines; do NOT block tail
+
+      # 4. Promote parsed fields to labels (low-cardinality only — taxonomy compliance)
+      - labels:
+          service:          # from Traefik JSON access log; matches taxonomy `service` label
+          router:           # Traefik router name
+          status:           # HTTP status code (within taxonomy)
+
+# Retention is configured on Loki side (loki-values.yaml: 7 days / 168h).
+
+serviceMonitor:
+  # Disabled in the source-of-truth values file so a standalone Phase B install
+  # (without kube-prometheus-stack) does not hard-fail with
+  # "no matches for kind ServiceMonitor in version monitoring.coreos.com/v1".
+  # The C1 e2e script flips this on at RUNTIME via
+  #   helm upgrade ... --reuse-values --set serviceMonitor.enabled=true
+  # AFTER kube-prom-stack has installed the ServiceMonitor CRD. Source-of-truth
+  # stays standalone-friendly; runtime override wires Prometheus discovery.
+  enabled: false

package/host-cp/peripheral-services/helm-values/traefik-values.yaml

@@ -0,0 +1,73 @@
+# Traefik Helm values — k3s-ingress-observability Phase A Task A3
+# Pinned NodePort 30080 per OQ-p3-7 (world hooks bake this URL).
+# Structured JSON access logs ready for Phase A Task A5 + Phase B Promtail pickup.
+
+deployment:
+  replicas: 1   # SPOF mitigation = host systemd watchdog (Phase A Task A11), not HA replicas
+
+ports:
+  web:
+    port: 8000
+    expose:
+      default: true
+    exposedPort: 80
+    nodePort: 30080   # PIN (OQ-p3-7); world hooks reach via host.docker.internal:30080
+    protocol: TCP
+  websecure:
+    port: 8443
+    expose:
+      default: true
+    exposedPort: 443
+    nodePort: 30443
+    protocol: TCP
+    # v1: HTTPS deferred to fatbox multi-org (Out-of-scope of this plan); TLS not configured.
+
+service:
+  type: NodePort
+
+# Structured access logs to stdout — Promtail picks up in Phase B.
+# Authorization header redaction here; URL query-param scrubbing happens
+# at Promtail pipeline_stages.replace per OQ-p3-6 (Traefik can't scrub query params natively).
+logs:
+  general:
+    level: INFO
+    format: json
+  access:
+    enabled: true
+    format: json
+    fields:
+      headers:
+        defaultMode: keep
+        names:
+          Authorization: redact
+          Cookie: redact
+
+# Built-in /metrics for Phase C Prometheus scrape
+metrics:
+  prometheus:
+    enabled: true
+    addEntryPointsLabels: true
+    addRoutersLabels: true
+    addServicesLabels: true
+
+# Dashboard disabled in cluster — operator uses Grafana (Phase B)
+ingressRoute:
+  dashboard:
+    enabled: false
+
+# IngressRoute CRD enabled
+providers:
+  kubernetesCRD:
+    enabled: true
+    allowCrossNamespace: false   # explicit; matches namespace-isolation strategy from A1
+  kubernetesIngress:
+    enabled: false   # CRD-only; vanilla Ingress not supported in this stack
+
+# Resource bounds — observability stack target <500MB RAM idle (P2)
+resources:
+  requests:
+    cpu: 100m
+    memory: 64Mi
+  limits:
+    cpu: 500m
+    memory: 256Mi

package/host-cp/peripheral-services/manifests/20-namespace.yaml

@@ -0,0 +1,6 @@
+# Namespace for k3s-ingress-observability peripheral services
+# (Traefik installs to kube-system; observability stack to monitoring; this is for IngressRoute CRDs targeting olam services)
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: olam

package/host-cp/peripheral-services/manifests/24-deploy-kg-service.yaml

@@ -0,0 +1,245 @@
+# 24-deploy-kg-service.yaml — kg-service Service + Deployment for local k3s dogfood.
+#
+# Bridges the gap between Phase C's ServiceMonitor (92-servicemonitor-kg-service.yaml)
+# and a running service. The ServiceMonitor targets namespace `olam`,
+# label `app: olam-kg-service`, port name `http` — this manifest satisfies that
+# contract so Prometheus can scrape kg-service's /metrics endpoint.
+#
+# Canonical per-service manifest tree: packages/host-cp/k8s/manifests/kg-service/
+# This file is the "peripheral-services entry point" view — it folds Service +
+# Deployment into a single file for `kubectl apply -f manifests/` convenience.
+#
+# Secrets prerequisite: operator MUST create `olam-kg-service-secret` in the
+# `olam` namespace BEFORE applying this manifest. See README.md § Secrets.
+#
+# Image: pinned to sha256 digest (not :latest) per T4 threat model.
+# Digest resolves to ghcr.io/pleri/olam-kg-service:0.1.158.
+# To update:
+#   TOKEN=$(curl -s "https://ghcr.io/token?scope=repository:pleri/olam-kg-service:pull&service=ghcr.io" | jq -r .token)
+#   curl -sI -H "Authorization: Bearer $TOKEN" \
+#     -H "Accept: application/vnd.oci.image.index.v1+json,application/vnd.docker.distribution.manifest.list.v2+json" \
+#     https://ghcr.io/v2/pleri/olam-kg-service/manifests/<tag> | grep docker-content-digest
+#
+# Memory: bge-small-en-v1.5 ONNX model is pre-cached in the image (~90 MB).
+# Container needs ≥512Mi to load the model + serve requests. Limit set to 1Gi.
+#
+# Apply-manifests.sh: this file is SKIPPED by the phase-a-e2e harness
+# (apply-manifests.sh skip-list includes 2[3-4]-deploy-*) because the
+# harness cluster has no operator secrets or kg-data PVC.
+# Operator-side `kubectl apply -f manifests/` applies it.
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: olam-kg-service
+  namespace: olam
+  labels:
+    app: olam-kg-service
+    app.kubernetes.io/managed-by: olam
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: olam-kg-service
+  namespace: olam
+  labels:
+    app: olam-kg-service
+    app.kubernetes.io/managed-by: olam
+rules:
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    resourceNames: ["olam-kg-service"]
+    verbs: ["get", "patch", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: olam-kg-service
+  namespace: olam
+  labels:
+    app: olam-kg-service
+    app.kubernetes.io/managed-by: olam
+subjects:
+  - kind: ServiceAccount
+    name: olam-kg-service
+    namespace: olam
+roleRef:
+  kind: Role
+  name: olam-kg-service
+  apiGroup: rbac.authorization.k8s.io
+---
+# ConfigMap — non-sensitive env vars.
+# Sensitive values (OLAM_KG_BEARER_TOKEN) live in `olam-kg-service-secret`.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: olam-kg-service-env
+  namespace: olam
+  labels:
+    app: olam-kg-service
+    app.kubernetes.io/managed-by: olam
+data:
+  # Port kg-service listens on — must match Service targetPort below.
+  OLAM_KG_SERVICE_PORT: "9997"
+  # CRITICAL: kg-service defaults to 127.0.0.1 bind. In k8s the readiness
+  # probe hits the pod IP, so 127.0.0.1-only listener causes probe failures.
+  # Force all-interfaces bind without requiring an image rebuild.
+  OLAM_KG_SERVICE_BIND: "0.0.0.0"
+  # Data directory — backed by the PVC mounted at /data.
+  OLAM_KG_DATA_PATH: "/data/kg"
+  # Auth-service URL — cluster-internal DNS (olam namespace).
+  OLAM_AUTH_SERVICE_URL: "http://olam-auth-service.olam.svc.cluster.local:9999"
+---
+# PersistentVolumeClaim — backs /data (KG index + savings telemetry).
+# 10Gi: graph index grows with codebase size. See kg-service/45-pvc.yaml rationale.
+# local-path StorageClass ships with k3d. Substitute for non-k3d clusters.
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: olam-kg-data
+  namespace: olam
+  labels:
+    app: olam-kg-service
+    app.kubernetes.io/managed-by: olam
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: local-path
+  resources:
+    requests:
+      storage: 10Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: olam-kg-service
+  namespace: olam
+  labels:
+    app: olam-kg-service
+    app.kubernetes.io/managed-by: olam
+spec:
+  replicas: 1
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+  selector:
+    matchLabels:
+      app: olam-kg-service
+  template:
+    metadata:
+      labels:
+        app: olam-kg-service
+    spec:
+      # Disable k8s automatic Service env injection.
+      # Without this, k8s injects OLAM_KG_SERVICE_PORT as "tcp://..." which
+      # breaks Python's int() parse of the port env var.
+      enableServiceLinks: false
+      imagePullSecrets:
+        - name: ghcr-pull
+      serviceAccountName: olam-kg-service
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      initContainers:
+        - name: chown-data
+          # busybox:1.36 — sha256-pinned per T4 threat model.
+          image: busybox@sha256:73aaf090f3d85aa34ee199857f03fa3a95c8ede2ffd4cc2cdb5b94e566b11662
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            runAsUser: 0
+            runAsNonRoot: false
+            allowPrivilegeEscalation: false
+          command: ["chown", "-R", "1000:1000", "/data"]
+          volumeMounts:
+            - name: kg-data
+              mountPath: /data
+      containers:
+        - name: olam-kg-service
+          # Digest resolves to ghcr.io/pleri/olam-kg-service:0.1.158
+          # Run `npm run refresh:manifest-digests` to update.
+          image: ghcr.io/pleri/olam-kg-service@sha256:72030f3054315e7ebf575f6dcb9b4965e1ddee13ea7bfdeb0bde32253beeb1c7
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 1000
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+          ports:
+            # CRITICAL: port name `http` must match ServiceMonitor
+            # 92-servicemonitor-kg-service.yaml endpoints[0].port.
+            - name: http
+              containerPort: 9997
+              protocol: TCP
+          envFrom:
+            - configMapRef:
+                name: olam-kg-service-env
+            - secretRef:
+                name: olam-kg-service-secret
+          volumeMounts:
+            - name: kg-data
+              mountPath: /data
+            - name: tmp
+              mountPath: /tmp
+          readinessProbe:
+            # kg-service returns {"ok":true,"ready":true} once bge-small model loads.
+            # initialDelaySeconds 30 gives the model warmup thread time to complete.
+            httpGet:
+              path: /health
+              port: 9997
+            initialDelaySeconds: 30
+            periodSeconds: 5
+            timeoutSeconds: 3
+            failureThreshold: 12
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 9997
+            initialDelaySeconds: 60
+            periodSeconds: 20
+            timeoutSeconds: 5
+            failureThreshold: 3
+          resources:
+            requests:
+              cpu: "100m"
+              # bge-small ONNX model requires ~400Mi at runtime; 512Mi is the
+              # minimum viable request. Set higher if OOM-killed on first classify.
+              memory: "512Mi"
+            limits:
+              cpu: "1000m"
+              # 1Gi: bge-small model (~90Mi) + index cache + request headroom.
+              memory: "1Gi"
+      volumes:
+        - name: kg-data
+          persistentVolumeClaim:
+            claimName: olam-kg-data
+        - name: tmp
+          emptyDir: {}
+---
+# Service — exposes kg-service to the cluster.
+# CRITICAL: `name: http` matches 92-servicemonitor-kg-service.yaml endpoints[0].port.
+# Namespace `olam` matches ServiceMonitor's namespaceSelector.matchNames.
+apiVersion: v1
+kind: Service
+metadata:
+  name: olam-kg-service
+  namespace: olam
+  labels:
+    # CRITICAL: matches 92-servicemonitor-kg-service.yaml spec.selector.matchLabels.
+    app: olam-kg-service
+    app.kubernetes.io/managed-by: olam
+spec:
+  type: ClusterIP
+  selector:
+    app: olam-kg-service
+  ports:
+    # CRITICAL: name `http` matches ServiceMonitor endpoints[0].port.
+    - name: http
+      port: 9997
+      targetPort: 9997
+      protocol: TCP

package/host-cp/peripheral-services/manifests/30-traefik-ingressroute-host-cp.yaml

@@ -0,0 +1,22 @@
+# IngressRoute — host-cp (bare /api/* per Decision 3 hybrid routing)
+# host-cp preserves 50+ existing SPA fetch sites at /api/* (no strip-prefix).
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: olam-host-cp
+  namespace: olam
+spec:
+  entryPoints:
+    - web
+  routes:
+    # host-cp is the catch-all (per Decision 3 hybrid routing); explicit low priority
+    # so service-prefix routes (kg, agent-memory, etc.) win when their longer prefix matches.
+    # Default Traefik priority is rule-string length; OR'd rules inflate the host-cp aggregate
+    # ABOVE more-specific PathPrefix matches, causing /api/kg/* to land on host-cp incorrectly.
+    # Explicit priority avoids the silent precedence bug (caught in PR #736 live-validation).
+    - match: PathPrefix(`/api/`) || PathPrefix(`/session/`) || PathPrefix(`/v1/`) || Path(`/health`)
+      kind: Rule
+      priority: 10
+      services:
+        - name: olam-host-cp
+          port: 19000

package/host-cp/peripheral-services/manifests/40-traefik-ingressroute-kg.yaml

@@ -0,0 +1,29 @@
+# IngressRoute — kg-service via /api/kg/* strip-prefix (Decision 3 new-services pattern)
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: strip-api-kg
+  namespace: olam
+spec:
+  stripPrefix:
+    prefixes:
+      - /api/kg
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: olam-kg-service
+  namespace: olam
+spec:
+  entryPoints:
+    - web
+  routes:
+    # Priority 100 > host-cp's 10 so /api/kg/* wins over host-cp's catch-all /api/*.
+    - match: PathPrefix(`/api/kg/`)
+      kind: Rule
+      priority: 100
+      services:
+        - name: olam-kg-service
+          port: 9997
+      middlewares:
+        - name: strip-api-kg

package/host-cp/peripheral-services/manifests/50-traefik-ingressroute-agent-memory.yaml

@@ -0,0 +1,29 @@
+# IngressRoute — agent-memory via /api/agent-memory/* strip-prefix (Decision 3 new-services pattern)
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: strip-api-agent-memory
+  namespace: olam
+spec:
+  stripPrefix:
+    prefixes:
+      - /api/agent-memory
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: olam-agent-memory
+  namespace: olam
+spec:
+  entryPoints:
+    - web
+  routes:
+    # Priority 100 > host-cp's 10 so /api/agent-memory/* wins over host-cp's catch-all /api/*.
+    - match: PathPrefix(`/api/agent-memory/`)
+      kind: Rule
+      priority: 100
+      services:
+        - name: olam-memory-service
+          port: 3111   # Real memory-service listen port (per packages/memory-service/src/worker.ts:206 + AGENTMEMORY_HOST_INTERNAL_URL in container.ts:101). Pass-1 plan said 3112 (incorrect); A6 corrects to 3111.
+      middlewares:
+        - name: strip-api-agent-memory

package/host-cp/peripheral-services/manifests/60-networkpolicy-ingress.yaml

@@ -0,0 +1,80 @@
+# NetworkPolicy — olam namespace ingress fence (Phase A Task A9)
+#
+# Defense-in-depth: even if a world agent escapes its container or steals a
+# bearer token, NetworkPolicy ensures it can only reach olam services via the
+# Traefik ingress path (which enforces bearer auth on world-originated calls
+# per A6 — see packages/peripheral-services/manifests/30-traefik-ingressroute-host-cp.yaml).
+# Direct pod-to-pod access bypassing ingress is denied.
+#
+# Enforcement matrix — two separate enforcement paths exist; the comment below
+# previously conflated them (corrected 2026-05-21, see dogfood incident finding #2):
+#
+#   k3d/k3s with --disable-network-policy=false (production k3s default):
+#     k3s ships a built-in NetworkPolicy controller that enforces NetworkPolicies
+#     via iptables rules, INDEPENDENT of the CNI. Flannel itself does not enforce,
+#     but the k3s controller does. Result: NetworkPolicies ARE enforced even on
+#     default Flannel k3s/k3d clusters — this is what the operator's colima+k3d
+#     dogfood cluster experienced (the fence was live despite using Flannel).
+#
+#   k3d/k3s with --disable-network-policy=true (this harness — cluster-up.sh):
+#     The harness explicitly passes --k3s-arg '--disable-network-policy@server:*'
+#     to disable the k3s built-in controller. With the controller off, enforcement
+#     depends entirely on the CNI: Flannel = no enforcement; Calico = enforced.
+#     The harness uses Calico precisely so tests exercise real enforcement.
+#
+#   Production k3s (default, no --disable-network-policy):
+#     Controller-enforced via iptables unless the operator explicitly disables it.
+#
+# See docs/architecture/networkpolicy-fence.md for the full environment matrix
+# and docs/incidents/2026-05-21-phase-c-dogfood.md (finding #2) for the live
+# evidence that k3s' bundled controller enforces on Flannel clusters.
+#
+# Threat mitigated: T6 (world→host SSRF via unauthenticated ingress route).
+# Companion mitigations (do not remove A6 + A9 together): bearer auth (A6),
+# 127.0.0.1 bind on host-cp + kube-apiserver (OS-level, separate from k8s).
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: olam-ingress-fence
+  namespace: olam
+  labels:
+    app.kubernetes.io/part-of: olam
+    app.kubernetes.io/component: security-fence
+    olam.io/phase: a
+    olam.io/task: a9
+spec:
+  # Selects every pod in the olam namespace. Intra-namespace traffic is allowed
+  # explicitly below so olam services can call each other; cross-namespace and
+  # external traffic must traverse Traefik (which the second rule allows).
+  podSelector: {}
+  policyTypes:
+    - Ingress
+  ingress:
+    # Allow inbound from Traefik (canonical ingress path). The label selector
+    # matches the standard Helm-chart label that k3s' bundled Traefik install
+    # sets (`app.kubernetes.io/name: traefik`); also matched by the upstream
+    # `traefik/traefik` chart used by Phase A Task A3.
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: traefik
+    # Allow intra-namespace pod-to-pod traffic — olam services may call each
+    # other directly (host-cp → kg-service, etc.) without round-tripping
+    # through Traefik. Audit log on world-originated calls still fires at the
+    # bearer-auth layer (A6), so this allowance does not weaken T6 mitigation.
+    - from:
+        - podSelector: {}
+    # Allow inbound from the monitoring namespace — Phase C's Prometheus
+    # (kube-prometheus-stack) scrapes pod IPs directly for /metrics
+    # collection. Without this rule, ServiceMonitor targets in `olam` ns
+    # appear "up" but yield 0 samples (the scrape connection silently fails
+    # at CNI level on enforcing CNIs). Surfaced during 2026-05-21 operator
+    # dogfood — see docs/incidents/2026-05-21-phase-c-dogfood.md, finding #2.
+    # Scope: monitoring → olam ingress only (not the reverse direction).
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: monitoring