@pleri/olam-cli 0.1.161 → 0.1.162

package/host-cp/peripheral-services/helm-values/kyverno-values.yaml

@@ -0,0 +1,85 @@
+# Kyverno Helm values — k3s-ingress-observability Phase C C8 follow-up.
+#
+# Kyverno is the policy-as-code layer for cluster-wide cardinality
+# enforcement (closes codex's C2 concern on PR #783). The companion
+# ClusterPolicy in
+# `packages/peripheral-services/manifests/96-kyverno-cardinality-mutate.yaml`
+# mutates every incoming ServiceMonitor and PodMonitor to inject the
+# labeldrop rule before the object is persisted — so a third-party
+# chart (or hand-rolled object) cannot bypass the layer-2
+# per-ServiceMonitor enforcement landed in C2.
+#
+# Chart: kyverno/kyverno; pinned to 3.8.1 (app v1.18.1, 2026-05-21 latest stable).
+# Upgrade discipline: this pin AND the helm-install line in
+# `scripts/e2e/kyverno-cardinality-mutate.sh` must stay in sync.
+#
+# Footprint posture (single-operator k3s scale):
+#   We only run admission-time mutation. The ClusterPolicy uses
+#   `spec.background: false`, so the background-scan controller is
+#   unused. Cleanup + reports controllers are also dead weight for
+#   a single ClusterPolicy with no PolicyExceptions — they're disabled
+#   so Kyverno's pod count stays minimal (1 pod, not 4).
+#
+#   Footprint (Phase C C8 contribution to P2 target <500MB idle / <1GB typical):
+#     admissionController:    128Mi req / 384Mi limit (chart default 128Mi/384Mi)
+#     Total addition:         ~128Mi req / ~384Mi limit
+#
+#   If/when we want policy reports populated for observability dashboards,
+#   flip `reportsController.enabled: true` and the `features.policyReports`
+#   block below. Same for cleanup.
+#
+# Resource limits — tuned upward from chart default for admission webhook
+# stability under burst churn (kube-prom-stack ships ~10 ServiceMonitors at
+# once during `helm upgrade`, which arrives as a burst of AdmissionReviews).
+
+# -------------------------------------------------------------------------
+# Disable controllers we don't need
+# -------------------------------------------------------------------------
+backgroundController:
+  enabled: false   # ClusterPolicy is admission-only (background: false)
+
+cleanupController:
+  enabled: false   # no CleanupPolicy objects in this repo
+
+reportsController:
+  enabled: false   # no policy-reports surface wired into Grafana yet
+
+# -------------------------------------------------------------------------
+# Features — admissionReports + policyReports remain ON inside the
+# admission controller itself even when the standalone reports controller
+# is disabled. This keeps `kubectl get clusterpolicyreport` queryable
+# during dogfood; the reports controller would only AGGREGATE them
+# cluster-wide, which we don't need yet.
+# -------------------------------------------------------------------------
+features:
+  admissionReports:
+    enabled: true
+  policyReports:
+    enabled: true
+  # Background scan is N/A — the policy uses background: false. Explicit
+  # off avoids the controller scheduling unnecessary scan workers even
+  # when the controller pod is disabled above.
+  backgroundScan:
+    enabled: false
+  # Logging volume defaults are fine; level 2 = info-ish.
+  logging:
+    format: text
+    verbosity: 2
+
+# -------------------------------------------------------------------------
+# Admission controller — the only pod we run.
+# -------------------------------------------------------------------------
+admissionController:
+  replicas: 1   # single-operator k3s scale; HA is N/A for dogfood
+
+  rbac:
+    create: true   # ClusterPolicy needs cluster-wide watch on ServiceMonitor + PodMonitor
+
+  container:
+    resources:
+      requests:
+        cpu: 100m
+        memory: 256Mi
+      limits:
+        cpu: 500m
+        memory: 512Mi

package/host-cp/peripheral-services/helm-values/loki-values.yaml

@@ -0,0 +1,166 @@
+# Loki Helm values — k3s-ingress-observability Phase B Task B1
+#
+# Single-binary mode (Decision-16 + Phase B scope):
+#   Distributed mode (microservices) adds 5+ independent Deployments + a Minio
+#   or S3 backend for object storage — pure overhead for a single-operator
+#   k3s install where Loki's write throughput is bounded by one Promtail
+#   DaemonSet and a handful of containers. SingleBinary collapses all roles
+#   (ingester, querier, compactor) into one Pod, fits within the <500MB idle
+#   LGTM RAM target (P2), and is trivially replaceable if scale demands change.
+#
+# See: docs/plans/k3s-ingress-observability/DESIGN.md (P2, S2)
+#
+# Chart: grafana/loki; pinned to 6.7.4 (latest stable as of 2026-05-20).
+# Upgrade discipline: chart version is embedded in the e2e script comment.
+
+deploymentMode: SingleBinary
+
+loki:
+  auth_enabled: false   # single-tenant; multi-tenancy adds header overhead with no benefit here
+
+  commonConfig:
+    replication_factor: 1   # single-binary; no replicas = no cross-replica consistency needed
+
+  # -------------------------------------------------------------------------
+  # Storage backend: filesystem (boltdb-shipper + tsdb index; local PV).
+  # Object storage (S3/GCS/MinIO) deferred to fatbox multi-org Phase F+.
+  # For single-operator k3s, local PV is simpler and sufficient.
+  # -------------------------------------------------------------------------
+  storage:
+    type: filesystem
+
+  schemaConfig:
+    configs:
+      - from: "2024-01-01"
+        store: tsdb
+        object_store: filesystem
+        schema: v13
+        index:
+          prefix: loki_index_
+          period: 24h
+
+  # -------------------------------------------------------------------------
+  # Retention: 7 days (168h) per Performance budget acceptance criterion #6.
+  # compactor.retention_enabled enables deletion; ring config required for
+  # single-binary mode.
+  # -------------------------------------------------------------------------
+  limits_config:
+    retention_period: 168h           # 7 days
+    ingestion_rate_mb: 4             # per-tenant ingestion cap (single tenant)
+    ingestion_burst_size_mb: 8
+    max_query_series: 5000           # cap log-derived queries from going wide (P3 <3s p95)
+    max_entries_limit_per_query: 5000
+
+  compactor:
+    retention_enabled: true
+    delete_request_store: filesystem
+    compaction_interval: 10m
+    working_directory: /var/loki/compactor
+
+  ingester:
+    chunk_idle_period: 30m   # flush to storage; appropriate for low write rate
+    chunk_retain_period: 1m
+    max_chunk_age: 2h
+
+  # Self-metrics endpoint — Phase C Prometheus scrapes this.
+  # Server block exposed on port 3100 (default); /metrics is always available.
+
+singleBinary:
+  replicas: 1
+
+  # -------------------------------------------------------------------------
+  # Persistence: 10Gi PV.
+  #
+  # Rationale: 7-day retention at olam scale (<500 containers, access logs
+  # estimated 1–2MB/day compressed) → ~100MB typical stored. 10Gi gives 10x
+  # headroom for burst (failed deploy loops, chatty containers) and is well
+  # within the <1GB typical acceptance criterion #6. Cloud provider default SC
+  # is fine; on bare-metal k3s the local-path provisioner is used.
+  # -------------------------------------------------------------------------
+  persistence:
+    enabled: true
+    size: 10Gi   # 10× headroom over 7-day typical (~100MB); <1GB usage target per AC#6
+
+  # -------------------------------------------------------------------------
+  # Resources: memory limit 512Mi per task spec.
+  # Typical usage at olam scale: <200MB idle (boltdb index + block cache).
+  # 512Mi limit prevents compaction spikes from triggering OOM on the node.
+  # -------------------------------------------------------------------------
+  resources:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+    limits:
+      cpu: 500m
+      memory: 512Mi   # P2: <500MB idle / <1GB typical; limit prevents spike OOM
+
+# -------------------------------------------------------------------------
+# Self-metrics for Phase C Prometheus scrape.
+# ServiceMonitor is created here; Prometheus picks it up in Phase C.
+# -------------------------------------------------------------------------
+monitoring:
+  selfMonitoring:
+    enabled: false   # disables the bundled GrafanaAgent sub-chart dependency
+    grafanaAgent:
+      installOperator: false
+  serviceMonitor:
+    # Disabled in the source-of-truth values file so a standalone Phase B install
+    # (without kube-prometheus-stack) does not hard-fail when the CRD is absent.
+    # The C1 e2e script flips this on at RUNTIME via
+    #   helm upgrade ... --reuse-values --set monitoring.serviceMonitor.enabled=true
+    # AFTER kube-prom-stack has installed the ServiceMonitor CRD.
+    # NOTE: Loki 6.7.4 uses monitoring.serviceMonitor (not top-level serviceMonitor).
+    enabled: false
+
+# -------------------------------------------------------------------------
+# Backend and read/write gateway: disabled for SingleBinary mode.
+# These are microservices-mode components and must be off or the chart
+# emits validation errors when deploymentMode=SingleBinary.
+# -------------------------------------------------------------------------
+backend:
+  replicas: 0
+read:
+  replicas: 0
+write:
+  replicas: 0
+
+# Grafana agent / canary: not needed; disable to keep resource footprint minimal.
+lokiCanary:
+  enabled: false
+
+test:
+  enabled: false
+
+# -------------------------------------------------------------------------
+# Sub-component slimming — chart 6.7.4 defaults include nginx gateway +
+# two Memcached clusters + minio + sidecar watchers that single-binary
+# mode doesn't need. Each adds image-pull and Ready-wait time. Disabling
+# all of them brings the install Ready-time within the harness budget.
+# If a future scenario needs query-result caching, re-evaluate
+# resultsCache specifically.
+# -------------------------------------------------------------------------
+
+# nginx routing front; Promtail writes direct to single-binary :3100
+gateway:
+  enabled: false
+
+# Memcached cluster — overhead for single-binary
+chunksCache:
+  enabled: false
+
+# second Memcached cluster — overhead for single-binary
+resultsCache:
+  enabled: false
+
+# minio is off because storage.type=filesystem, but be explicit
+minio:
+  enabled: false
+
+# Sidecar that watches ConfigMaps for runtime config reloads — we don't ship one.
+sidecar:
+  rules:
+    enabled: false
+  datasources:
+    enabled: false
+  configs:
+    enabled: false

package/host-cp/peripheral-services/helm-values/promtail-staging.yaml

@@ -0,0 +1,92 @@
+# Promtail Helm values — Phase A Task A5 staging (Phase B consumes)
+#
+# Tails every container's stdout; ships to Loki single-binary (Phase B installs Loki).
+# Per OQ-p3-6: Traefik native config can redact HEADERS but NOT URL query params —
+# query-param scrubbing for `?token=`, `?code=`, `?access_token=`, `?state=` happens
+# HERE at Promtail ingest via pipeline_stages.replace regex.
+#
+# Resource limits per OQ-p3-37 (Promtail OOM risk under chatty container-cp 100ms cadence):
+#   - memory limit 256Mi
+#   - pipeline_stages.limit rate 100 lines/sec/stream
+#
+# Scrape config matches every pod log; namespace-scope labels are added so Loki LogQL queries
+# can filter by service / namespace / pod.
+#
+# SECURITY NOTE — replace stage regex semantics (load-bearing):
+#   Promtail's `replace` stage iterates over CAPTURE GROUPS, not full matches.
+#   The `replace` field is a Go text/template string; `${1}` is NOT valid Go
+#   template syntax and silently becomes a literal. The correct pattern is:
+#     expression: '(?:prefix)(secret_value_only)'  — capture ONLY the secret part
+#     replace: 'REDACTED'                          — replace captured secret with literal
+#   See promtail-values.yaml header comment for full details.
+
+deploymentMode: DaemonSet
+
+resources:
+  requests:
+    cpu: 50m
+    memory: 64Mi
+  limits:
+    cpu: 200m
+    memory: 256Mi   # OQ-p3-37: bounded; OOM-kill restart preferred over runaway memory
+
+config:
+  clients:
+    - url: http://olam-loki.monitoring.svc.cluster.local:3100/loki/api/v1/push
+
+  snippets:
+    pipelineStages:
+      # 1. Parse JSON access logs from Traefik (key field present in JSON line)
+      - match:
+          selector: '{container="traefik"}'
+          stages:
+            - json:
+                expressions:
+                  request_method: RequestMethod
+                  request_path: RequestPath
+                  status: DownstreamStatus
+                  request_id: requestId
+                  service: ServiceName
+                  router: RouterName
+
+      # 2. Scrub OAuth/token values from URL query params and Authorization headers.
+      #
+      #    IMPORTANT — capture group semantics:
+      #    The replace stage replaces each CAPTURE GROUP with the `replace` template
+      #    value. Capture groups must wrap ONLY the secret value, not the surrounding
+      #    context. The prefix (e.g. `?code=`) uses a non-capturing group `(?:...)` so
+      #    it is preserved in the output while only the secret is replaced.
+      - replace:
+          # OAuth code= callback values — capture only the token value after `code=`
+          expression: '(?:\?|&)code=([^&\s]+)'
+          replace: 'REDACTED'
+      - replace:
+          # Bearer / access tokens in query strings — capture only the value
+          expression: '(?:\?|&)(?:access_token|token|api_key|secret)=([^&\s]+)'
+          replace: 'REDACTED'
+      - replace:
+          # OAuth state param (may carry session info) — capture only the value
+          expression: '(?:\?|&)state=([^&\s]+)'
+          replace: 'REDACTED'
+      - replace:
+          # Authorization header Bearer value — capture only the token after `Bearer `
+          expression: '(?:Authorization|authorization):\s*(?:Bearer|bearer)\s+(\S+)'
+          replace: 'REDACTED'
+
+      # 3. Rate-limit ingestion per-stream to prevent OOM cascade under chatty containers (OQ-p3-37)
+      - limit:
+          rate: 100         # max log lines/sec per stream
+          burst: 200
+          drop: true        # drop excess lines; do NOT block tail
+
+      # 4. Promote parsed fields to labels (low-cardinality only — taxonomy compliance)
+      - labels:
+          service:          # from Traefik JSON access log; matches taxonomy `service` label
+          router:           # Traefik router name
+          status:           # HTTP status code (within taxonomy)
+
+# Retention is configured on Loki side (Phase B), not Promtail.
+# Sample retention target: 7 days per Performance budget Row.
+
+serviceMonitor:
+  enabled: true   # Prometheus (Phase C) scrapes Promtail's own /metrics for self-observability

package/host-cp/peripheral-services/helm-values/promtail-values.yaml

@@ -0,0 +1,102 @@
+# Promtail Helm values — k3s-ingress-observability Phase B Task B1 (production)
+#
+# Production Promtail values. Staging copy at promtail-staging.yaml has the
+# same scrubbing pipeline shape; this file sets the Loki client URL +
+# production resource limits.
+#
+# Scrubbing pipeline:
+#   - 4 `replace` stages: code=, token/access_token/api_key/secret=, state=, Authorization
+#   - `limit` stage: rate=100/burst=200/drop=true (OQ-p3-37: Promtail OOM under chatty containers)
+# Client URL: http://olam-loki.monitoring.svc.cluster.local:3100/loki/api/v1/push
+#   Service name `olam-loki` is the Helm release name used in scripts/e2e/loki-ingest.sh
+#   (`helm upgrade --install olam-loki grafana/loki ...`); the chart's Service
+#   is named after the release, so `olam-loki` is the in-cluster DNS hostname.
+#
+# SECURITY NOTE — replace stage regex semantics (load-bearing):
+#   Promtail's `replace` stage iterates over CAPTURE GROUPS, not full matches.
+#   The `replace` field is a Go text/template string; `${1}` is NOT valid Go
+#   template syntax and silently becomes a literal. The correct pattern is:
+#     expression: '(?:prefix)(secret_value_only)'  — capture ONLY the secret part
+#     replace: 'REDACTED'                          — replace captured secret with literal
+#   This leaves the surrounding context (e.g. `?code=`) intact and redacts only
+#   the value. The broken pattern `(\?|&)code=[^&\s]+` with `replace: '${1}code=REDACTED'`
+#   was the root cause of the Phase B scrubbing regression (PR #776).
+#
+# See: docs/plans/k3s-ingress-observability/DESIGN.md (T8, T9)
+
+deploymentMode: DaemonSet
+
+resources:
+  requests:
+    cpu: 50m
+    memory: 64Mi
+  limits:
+    cpu: 200m
+    memory: 256Mi   # OQ-p3-37: bounded; OOM-kill restart preferred over runaway memory
+
+config:
+  clients:
+    - url: http://olam-loki.monitoring.svc.cluster.local:3100/loki/api/v1/push
+
+  snippets:
+    pipelineStages:
+      # 1. Parse JSON access logs from Traefik (key field present in JSON line)
+      - match:
+          selector: '{container="traefik"}'
+          stages:
+            - json:
+                expressions:
+                  request_method: RequestMethod
+                  request_path: RequestPath
+                  status: DownstreamStatus
+                  request_id: requestId
+                  service: ServiceName
+                  router: RouterName
+
+      # 2. Scrub OAuth/token values from URL query params and Authorization headers.
+      #
+      #    IMPORTANT — capture group semantics:
+      #    The replace stage replaces each CAPTURE GROUP with the `replace` template
+      #    value. Capture groups must wrap ONLY the secret value, not the surrounding
+      #    context. The prefix (e.g. `?code=`) uses a non-capturing group `(?:...)` so
+      #    it is preserved in the output while only the secret is replaced.
+      - replace:
+          # OAuth code= callback values — capture only the token value after `code=`
+          expression: '(?:\?|&)code=([^&\s]+)'
+          replace: 'REDACTED'
+      - replace:
+          # Bearer / access tokens in query strings — capture only the value
+          expression: '(?:\?|&)(?:access_token|token|api_key|secret)=([^&\s]+)'
+          replace: 'REDACTED'
+      - replace:
+          # OAuth state param (may carry session info) — capture only the value
+          expression: '(?:\?|&)state=([^&\s]+)'
+          replace: 'REDACTED'
+      - replace:
+          # Authorization header Bearer value — capture only the token after `Bearer `
+          expression: '(?:Authorization|authorization):\s*(?:Bearer|bearer)\s+(\S+)'
+          replace: 'REDACTED'
+
+      # 3. Rate-limit ingestion per-stream to prevent OOM cascade under chatty containers (OQ-p3-37)
+      - limit:
+          rate: 100         # max log lines/sec per stream
+          burst: 200
+          drop: true        # drop excess lines; do NOT block tail
+
+      # 4. Promote parsed fields to labels (low-cardinality only — taxonomy compliance)
+      - labels:
+          service:          # from Traefik JSON access log; matches taxonomy `service` label
+          router:           # Traefik router name
+          status:           # HTTP status code (within taxonomy)
+
+# Retention is configured on Loki side (loki-values.yaml: 7 days / 168h).
+
+serviceMonitor:
+  # Disabled in the source-of-truth values file so a standalone Phase B install
+  # (without kube-prometheus-stack) does not hard-fail with
+  # "no matches for kind ServiceMonitor in version monitoring.coreos.com/v1".
+  # The C1 e2e script flips this on at RUNTIME via
+  #   helm upgrade ... --reuse-values --set serviceMonitor.enabled=true
+  # AFTER kube-prom-stack has installed the ServiceMonitor CRD. Source-of-truth
+  # stays standalone-friendly; runtime override wires Prometheus discovery.
+  enabled: false

package/host-cp/peripheral-services/helm-values/traefik-values.yaml

@@ -0,0 +1,73 @@
+# Traefik Helm values — k3s-ingress-observability Phase A Task A3
+# Pinned NodePort 30080 per OQ-p3-7 (world hooks bake this URL).
+# Structured JSON access logs ready for Phase A Task A5 + Phase B Promtail pickup.
+
+deployment:
+  replicas: 1   # SPOF mitigation = host systemd watchdog (Phase A Task A11), not HA replicas
+
+ports:
+  web:
+    port: 8000
+    expose:
+      default: true
+    exposedPort: 80
+    nodePort: 30080   # PIN (OQ-p3-7); world hooks reach via host.docker.internal:30080
+    protocol: TCP
+  websecure:
+    port: 8443
+    expose:
+      default: true
+    exposedPort: 443
+    nodePort: 30443
+    protocol: TCP
+    # v1: HTTPS deferred to fatbox multi-org (Out-of-scope of this plan); TLS not configured.
+
+service:
+  type: NodePort
+
+# Structured access logs to stdout — Promtail picks up in Phase B.
+# Authorization header redaction here; URL query-param scrubbing happens
+# at Promtail pipeline_stages.replace per OQ-p3-6 (Traefik can't scrub query params natively).
+logs:
+  general:
+    level: INFO
+    format: json
+  access:
+    enabled: true
+    format: json
+    fields:
+      headers:
+        defaultMode: keep
+        names:
+          Authorization: redact
+          Cookie: redact
+
+# Built-in /metrics for Phase C Prometheus scrape
+metrics:
+  prometheus:
+    enabled: true
+    addEntryPointsLabels: true
+    addRoutersLabels: true
+    addServicesLabels: true
+
+# Dashboard disabled in cluster — operator uses Grafana (Phase B)
+ingressRoute:
+  dashboard:
+    enabled: false
+
+# IngressRoute CRD enabled
+providers:
+  kubernetesCRD:
+    enabled: true
+    allowCrossNamespace: false   # explicit; matches namespace-isolation strategy from A1
+  kubernetesIngress:
+    enabled: false   # CRD-only; vanilla Ingress not supported in this stack
+
+# Resource bounds — observability stack target <500MB RAM idle (P2)
+resources:
+  requests:
+    cpu: 100m
+    memory: 64Mi
+  limits:
+    cpu: 500m
+    memory: 256Mi

package/host-cp/peripheral-services/manifests/20-namespace.yaml

@@ -0,0 +1,6 @@
+# Namespace for k3s-ingress-observability peripheral services
+# (Traefik installs to kube-system; observability stack to monitoring; this is for IngressRoute CRDs targeting olam services)
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: olam