@pleri/olam-cli 0.1.186 → 0.1.188

package/host-cp/k8s/manifests/chunks-postgres/30-configmap.yaml

@@ -0,0 +1,185 @@
+# ConfigMap for olam-chunks-postgres.
+#
+# Two ConfigMaps in one file:
+#
+# 1. olam-chunks-postgres-env       — non-secret env vars (POSTGRES_USER, POSTGRES_DB).
+#                                     POSTGRES_PASSWORD lives in the Secret rendered by
+#                                     packages/cli/src/lib/k8s-secret-render.ts.
+#
+# 2. olam-chunks-postgres-initdb-sql — the chunks schema. Mounted at
+#                                     /docker-entrypoint-initdb.d/01-chunks.sql so
+#                                     the postgres image's entrypoint auto-applies it
+#                                     on FIRST init (empty data dir). Subsequent
+#                                     restarts skip the directory by design.
+#
+#                                     Source-of-truth: packages/chunks/src/schema.ts
+#                                     (SCHEMA_SQL export). The CI gate
+#                                     `audit:chunks-schema-parity` (follow-up) will
+#                                     fail when this ConfigMap drifts from
+#                                     SCHEMA_VERSION-tagged schema.ts.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: olam-chunks-postgres-env
+  namespace: olam
+  labels:
+    app: olam-chunks-postgres
+    olam.io/component: substrate
+data:
+  POSTGRES_USER: "postgres"
+  POSTGRES_DB: "chunks"
+  # PGDATA must point at a subdirectory of the PVC mount, not its root —
+  # the PVC root may carry the local-path provisioner's lost+found dir,
+  # which postgres's initdb rejects ("data directory not empty").
+  PGDATA: "/var/lib/postgresql/data/pgdata"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: olam-chunks-postgres-initdb-sql
+  namespace: olam
+  labels:
+    app: olam-chunks-postgres
+    olam.io/component: substrate
+data:
+  # MIRRORS packages/chunks/src/schema.ts SCHEMA_VERSION=2.
+  # Idempotent: CREATE TABLE IF NOT EXISTS / ADD COLUMN IF NOT EXISTS /
+  # DO blocks with EXCEPTION-WHEN-{undefined_object,duplicate_object}.
+  01-chunks.sql: |
+    CREATE TABLE IF NOT EXISTS chunks (
+      world_id    TEXT        NOT NULL,
+      session_id  TEXT        NOT NULL,
+      message_id  TEXT        NOT NULL,
+      seq         INTEGER     NOT NULL,
+      actor_id    TEXT        NOT NULL,
+      actor_type  TEXT        NOT NULL CHECK (actor_type IN ('agent', 'operator', 'codex', 'system')),
+      role        TEXT        NOT NULL CHECK (role       IN ('user', 'assistant', 'tool', 'system')),
+      chunk       TEXT        NOT NULL,
+      chunk_type  TEXT        NOT NULL DEFAULT 'text' CHECK (chunk_type IN ('text', 'tool_use', 'goal_mode_assumption', 'dispatch_overflow')),
+      created_at  TIMESTAMPTZ NOT NULL DEFAULT clock_timestamp(),
+      PRIMARY KEY (message_id, seq)
+    );
+
+    ALTER TABLE chunks ADD COLUMN IF NOT EXISTS chunk_type TEXT NOT NULL DEFAULT 'text';
+
+    DO $$ BEGIN
+      ALTER TABLE chunks DROP CONSTRAINT IF EXISTS chunks_chunk_type_check;
+    EXCEPTION WHEN undefined_object THEN NULL;
+    END $$;
+
+    DO $$ BEGIN
+      ALTER TABLE chunks ADD CONSTRAINT chunks_chunk_type_check
+        CHECK (chunk_type IN ('text', 'tool_use', 'goal_mode_assumption', 'dispatch_overflow'));
+    EXCEPTION WHEN duplicate_object THEN NULL;
+    END $$;
+
+    CREATE INDEX IF NOT EXISTS chunks_world_session_seq
+      ON chunks (world_id, session_id, seq);
+
+    CREATE INDEX IF NOT EXISTS chunks_world_session_created
+      ON chunks (world_id, session_id, created_at);
+
+    CREATE INDEX IF NOT EXISTS idx_chunks_planning
+      ON chunks (session_id, seq)
+      WHERE world_id = '_planning';
+
+    CREATE TABLE IF NOT EXISTS planning_sessions (
+      session_id            TEXT PRIMARY KEY,
+      actor_id              TEXT NOT NULL,
+      summary               TEXT,
+      crystallize_status    TEXT NOT NULL DEFAULT 'open'
+                              CHECK (crystallize_status IN ('open', 'in_progress', 'crystallized', 'failed', 'abandoned')),
+      crystallized_world_id TEXT,
+      created_at            TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+      updated_at            TIMESTAMPTZ NOT NULL DEFAULT NOW()
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_planning_sessions_created_at
+      ON planning_sessions (created_at DESC);
+
+    ALTER TABLE planning_sessions ADD COLUMN IF NOT EXISTS session_source TEXT;
+
+    CREATE OR REPLACE FUNCTION chunks_append_only_trigger()
+    RETURNS trigger AS $body$
+    BEGIN
+      RAISE EXCEPTION 'chunks is append-only; % forbidden', TG_OP;
+    END;
+    $body$ LANGUAGE plpgsql;
+
+    DROP TRIGGER IF EXISTS chunks_no_update ON chunks;
+    CREATE TRIGGER chunks_no_update
+      BEFORE UPDATE ON chunks
+      FOR EACH ROW EXECUTE FUNCTION chunks_append_only_trigger();
+
+    DROP TRIGGER IF EXISTS chunks_no_delete ON chunks;
+    CREATE TRIGGER chunks_no_delete
+      BEFORE DELETE ON chunks
+      FOR EACH ROW EXECUTE FUNCTION chunks_append_only_trigger();
+
+    CREATE TABLE IF NOT EXISTS message_usage (
+      world_id              TEXT        NOT NULL,
+      session_id            TEXT        NOT NULL,
+      message_id            TEXT        NOT NULL,
+      actor_id              TEXT        NOT NULL,
+      model                 TEXT        NOT NULL,
+      input_tokens          INTEGER     NOT NULL DEFAULT 0,
+      output_tokens         INTEGER     NOT NULL DEFAULT 0,
+      cache_read_tokens     INTEGER     NOT NULL DEFAULT 0,
+      cache_create_tokens   INTEGER     NOT NULL DEFAULT 0,
+      created_at            TIMESTAMPTZ NOT NULL DEFAULT clock_timestamp(),
+      PRIMARY KEY (message_id, actor_id)
+    );
+
+    CREATE INDEX IF NOT EXISTS message_usage_session_created
+      ON message_usage (session_id, created_at);
+
+    CREATE OR REPLACE FUNCTION message_usage_append_only_trigger()
+    RETURNS trigger AS $body$
+    BEGIN
+      RAISE EXCEPTION 'message_usage is append-only; % forbidden', TG_OP;
+    END;
+    $body$ LANGUAGE plpgsql;
+
+    DROP TRIGGER IF EXISTS message_usage_no_update ON message_usage;
+    CREATE TRIGGER message_usage_no_update
+      BEFORE UPDATE ON message_usage
+      FOR EACH ROW EXECUTE FUNCTION message_usage_append_only_trigger();
+
+    DROP TRIGGER IF EXISTS message_usage_no_delete ON message_usage;
+    CREATE TRIGGER message_usage_no_delete
+      BEFORE DELETE ON message_usage
+      FOR EACH ROW EXECUTE FUNCTION message_usage_append_only_trigger();
+
+    CREATE TABLE IF NOT EXISTS planning_artifacts (
+      id                    TEXT PRIMARY KEY,
+      world_id              TEXT NOT NULL,
+      session_id            TEXT NOT NULL,
+      type                  TEXT NOT NULL CHECK (type IN ('commit_plan', 'component_scaffold', 'design_jam')),
+      title                 TEXT NOT NULL,
+      body                  JSONB NOT NULL,
+      status                TEXT NOT NULL DEFAULT 'open'
+                              CHECK (status IN ('open', 'crystallized', 'failed', 'archived')),
+      linear_issue_url      TEXT,
+      crystallized_world_id TEXT,
+      created_at            TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+      updated_at            TIMESTAMPTZ NOT NULL DEFAULT NOW()
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_planning_artifacts_session
+      ON planning_artifacts (session_id, created_at);
+
+    CREATE INDEX IF NOT EXISTS idx_planning_artifacts_world
+      ON planning_artifacts (world_id, status);
+
+    CREATE OR REPLACE FUNCTION planning_artifacts_touch_updated_at()
+    RETURNS trigger AS $body$
+    BEGIN
+      NEW.updated_at = NOW();
+      RETURN NEW;
+    END;
+    $body$ LANGUAGE plpgsql;
+
+    DROP TRIGGER IF EXISTS planning_artifacts_touch ON planning_artifacts;
+    CREATE TRIGGER planning_artifacts_touch
+      BEFORE UPDATE ON planning_artifacts
+      FOR EACH ROW EXECUTE FUNCTION planning_artifacts_touch_updated_at();

package/host-cp/k8s/manifests/chunks-postgres/45-pvc.yaml

@@ -0,0 +1,24 @@
+# PVC for the chunks-postgres data directory.
+#
+# Sized 10Gi for local-dev. Chunks rows are small (~1KB each) so even a
+# busy single-operator world rarely cracks 1Gi; the headroom is for the
+# message_usage + planning_artifacts sidecar tables.
+#
+# accessModes: ReadWriteOnce — postgres is a StatefulSet with replicas=1.
+# k3d's local-path provisioner only supports RWO; the in-cluster postgres
+# pattern is single-writer by design (no operator-managed HA).
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: olam-chunks-postgres-data
+  namespace: olam
+  labels:
+    app: olam-chunks-postgres
+    olam.io/component: substrate
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: local-path
+  resources:
+    requests:
+      storage: 10Gi

package/host-cp/k8s/manifests/chunks-postgres/50-deployment.yaml

@@ -0,0 +1,101 @@
+# StatefulSet for olam-chunks-postgres.
+#
+# Why StatefulSet vs Deployment: even with replicas=1 the StatefulSet gives
+# stable network identity (olam-chunks-postgres-0 inside the headless service)
+# and ordered termination semantics — both useful when Electric's replication
+# slot survives pod restarts.
+#
+# command override: postgres requires wal_level=logical for Electric SQL's
+# logical-replication subscription. The image's default postgresql.conf
+# ships wal_level=replica; the -c overrides on the entrypoint args take
+# precedence. max_replication_slots / max_wal_senders need raising too —
+# Electric holds one slot per database.
+#
+# securityContext: postgres image runs as uid 999 by default. fsGroup=999
+# on the pod ensures the PVC mount is chowned to 999 so postgres can write
+# its data dir.
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: olam-chunks-postgres
+  namespace: olam
+  labels:
+    app: olam-chunks-postgres
+    olam.io/component: substrate
+spec:
+  replicas: 1
+  serviceName: olam-chunks-postgres
+  selector:
+    matchLabels:
+      app: olam-chunks-postgres
+  template:
+    metadata:
+      labels:
+        app: olam-chunks-postgres
+    spec:
+      enableServiceLinks: false
+      serviceAccountName: olam-chunks-postgres
+      securityContext:
+        fsGroup: 999
+      containers:
+        - name: postgres
+          # postgres:16-alpine — sha256-pinned per T4 threat model.
+          image: postgres:16-alpine@sha256:16bc17c64a573ef34162af9298258d1aec548232985b33ed7b1eac33ba35c229
+          imagePullPolicy: IfNotPresent
+          args:
+            - postgres
+            - -c
+            - wal_level=logical
+            - -c
+            - max_replication_slots=10
+            - -c
+            - max_wal_senders=10
+          ports:
+            - name: postgres
+              containerPort: 5432
+              protocol: TCP
+          envFrom:
+            - configMapRef:
+                name: olam-chunks-postgres-env
+            - secretRef:
+                name: olam-chunks-postgres-secret
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/postgresql/data
+            - name: initdb
+              mountPath: /docker-entrypoint-initdb.d
+              readOnly: true
+          readinessProbe:
+            exec:
+              command:
+                - sh
+                - -c
+                - pg_isready -U postgres -d chunks -h 127.0.0.1
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            timeoutSeconds: 3
+            failureThreshold: 12
+          livenessProbe:
+            exec:
+              command:
+                - sh
+                - -c
+                - pg_isready -U postgres -h 127.0.0.1
+            initialDelaySeconds: 30
+            periodSeconds: 20
+            timeoutSeconds: 5
+            failureThreshold: 3
+          resources:
+            requests:
+              cpu: "100m"
+              memory: "256Mi"
+            limits:
+              cpu: "1000m"
+              memory: "1Gi"
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: olam-chunks-postgres-data
+        - name: initdb
+          configMap:
+            name: olam-chunks-postgres-initdb-sql

package/host-cp/k8s/manifests/chunks-postgres/60-service.yaml

@@ -0,0 +1,24 @@
+# Headless Service for olam-chunks-postgres StatefulSet.
+#
+# clusterIP: None gives the StatefulSet's pod stable DNS:
+#   olam-chunks-postgres-0.olam-chunks-postgres.olam.svc.cluster.local
+# Callers (plan-chat-service, chunks-electric) connect via the shorter
+# olam-chunks-postgres.olam.svc.cluster.local form which Kubernetes resolves
+# round-robin to the single backing pod.
+apiVersion: v1
+kind: Service
+metadata:
+  name: olam-chunks-postgres
+  namespace: olam
+  labels:
+    app: olam-chunks-postgres
+    olam.io/component: substrate
+spec:
+  clusterIP: None
+  selector:
+    app: olam-chunks-postgres
+  ports:
+    - name: postgres
+      port: 5432
+      targetPort: 5432
+      protocol: TCP

package/host-cp/k8s/manifests/kg-service/50-deployment.yaml

@@ -61,7 +61,7 @@ spec:
               mountPath: /data
       containers:
         - name: olam-kg-service
-          image: ghcr.io/pleri/olam-kg-service@sha256:a031eeb1a906b646396d1954e9116b228e5ad9ccedfc9953465f347541e1ecb2
+          image: ghcr.io/pleri/olam-kg-service@sha256:c9a0226339907711443657e2ca1eb40d2e2df120562dbb5d7d0ddf628614fb74
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/mcp-auth-service/50-deployment.yaml

@@ -68,7 +68,7 @@ spec:
               mountPath: /data
       containers:
         - name: olam-mcp-auth-service
-          image: ghcr.io/pleri/olam-mcp-auth@sha256:be68e388e003ccc4489b3dcf6caecb43bf1e529b6e6384b6cab0d7a6f897438e
+          image: ghcr.io/pleri/olam-mcp-auth@sha256:eba57d0c5c89763bc266faba80e98912875f541c9ad8e96ee5f28790f9fb96d8
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/memory-service/50-deployment.yaml

@@ -70,7 +70,7 @@ spec:
           # bootstrap-placeholder comment + run `npm run refresh:manifest-digests`
           # once ghcr.io/pleri/olam-memory-service has a real published digest.
           # bootstrap-placeholder: pre-publish; refresh after first release
-          image: ghcr.io/pleri/olam-memory-service@sha256:a28ad257f7c4d9de3ff6a99fbc016b66356ad09b487840fce106f407096eea3c
+          image: ghcr.io/pleri/olam-memory-service@sha256:33390ba1b2b4785ebf9af9732c42c40ae572ec1176e01f1fed8225d0d449ca57
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/plan-chat-service/10-serviceaccount.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: olam-plan-chat-service
+  namespace: olam
+  labels:
+    app: olam-plan-chat-service
+    olam.io/component: peripheral

package/host-cp/k8s/manifests/plan-chat-service/20-rbac.yaml

@@ -0,0 +1,29 @@
+# plan-chat-service does not need to read or write any Kubernetes API objects.
+# A no-op Role + RoleBinding documents the minimal-privilege stance and
+# keeps the file present so audit:cli-bundle-k8s does not skip this peripheral.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: olam-plan-chat-service
+  namespace: olam
+  labels:
+    app: olam-plan-chat-service
+    olam.io/component: peripheral
+rules: []
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: olam-plan-chat-service
+  namespace: olam
+  labels:
+    app: olam-plan-chat-service
+    olam.io/component: peripheral
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: olam-plan-chat-service
+subjects:
+  - kind: ServiceAccount
+    name: olam-plan-chat-service
+    namespace: olam

package/host-cp/k8s/manifests/plan-chat-service/30-configmap.yaml

@@ -0,0 +1,36 @@
+# ConfigMap for olam-plan-chat-service.
+#
+# plan-chat-service.mjs (packages/host-cp/src/plan-chat-service.mjs) reads
+# these env vars at startup. See the file header for the canonical names.
+#
+# DATABASE_URL: points at the in-cluster chunks-postgres StatefulSet's Service.
+#               The password is sourced from the chunks-postgres-secret
+#               (mounted via envFrom in 50-deployment.yaml) — the literal
+#               here uses the env-var substitution syntax
+#               `$(VAR)` which kubelet expands when DATABASE_URL is itself
+#               read via envFrom or env: subordinate.
+#
+#               BUT: kubelet only expands env-refs declared on the container,
+#               not values inside a ConfigMap key. So we keep DATABASE_URL
+#               OUT of this ConfigMap and assemble it in the Deployment's
+#               env: section instead (which CAN reference the Secret-backed
+#               POSTGRES_PASSWORD via $(POSTGRES_PASSWORD)). See 50-deployment.yaml.
+#
+# ELECTRIC_URL: chunks-electric ClusterIP. No auth (ELECTRIC_INSECURE=true on
+#               that service in local-dev mode).
+#
+# SECRET_PATH: filesystem path where the olam-plan-chat-secret Secret is
+#              mounted (see volumeMounts in 50-deployment.yaml). The mount
+#              key is "secret" → file `/etc/olam-plan-chat/secret`.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: olam-plan-chat-service-env
+  namespace: olam
+  labels:
+    app: olam-plan-chat-service
+    olam.io/component: peripheral
+data:
+  OLAM_PLAN_CHAT_PORT: "3200"
+  OLAM_PLAN_CHAT_ELECTRIC_URL: "http://olam-chunks-electric.olam.svc.cluster.local:3000"
+  OLAM_PLAN_CHAT_SECRET_PATH: "/etc/olam-plan-chat/secret"

package/host-cp/k8s/manifests/plan-chat-service/45-pvc.yaml

@@ -0,0 +1,24 @@
+# PersistentVolumeClaim for olam-plan-chat-service /data volume.
+#
+# plan-chat-service is mostly stateless (DB lives in chunks-postgres, secret
+# lives in olam-plan-chat-secret), but ships a /data PVC for parity with
+# the other peripherals. Used for any transient state the service decides
+# to spool (e.g. planning-session resumption buffers).
+#
+# local-path StorageClass ships with k3d by default. On non-k3d clusters,
+# substitute storageClassName with your cluster's provisioner.
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: olam-plan-chat-service-data
+  namespace: olam
+  labels:
+    app: olam-plan-chat-service
+    olam.io/component: peripheral
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: local-path
+  resources:
+    requests:
+      storage: 1Gi

package/host-cp/k8s/manifests/plan-chat-service/50-deployment.yaml

@@ -0,0 +1,135 @@
+# Deployment for olam-plan-chat-service.
+#
+# Image strategy: REUSES the olam-host-cp image. Per the package layout,
+# plan-chat-service.mjs is a sibling under packages/host-cp/src/, and the
+# host-cp image's WORKDIR=/app already contains it at /app/src/plan-chat-service.mjs.
+# The single shared image avoids version-drift between the two binaries that
+# share plan-chat-secret.mjs (bearer-auth logic), planning-sessions.mjs,
+# crystallize-planning.mjs, and resolver.mjs.
+#
+# The command override replaces the host-cp default
+# ENTRYPOINT (`node src/server.mjs`) with the plan-chat-service entrypoint.
+#
+# Image: pinned to the SAME digest as host-cp's 50-deployment.yaml. Refresh
+# both in lockstep via scripts/refresh-manifest-digests.mjs on every release.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: olam-plan-chat-service
+  namespace: olam
+  labels:
+    app: olam-plan-chat-service
+    olam.io/component: peripheral
+spec:
+  replicas: 1
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+  selector:
+    matchLabels:
+      app: olam-plan-chat-service
+  template:
+    metadata:
+      labels:
+        app: olam-plan-chat-service
+    spec:
+      enableServiceLinks: false
+      imagePullSecrets:
+        - name: ghcr-pull
+      serviceAccountName: olam-plan-chat-service
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      initContainers:
+        # chown-data: identical to memory-service pattern. Postgres-RWO PVC
+        # mounts as root-owned on local-path; this brings it to 1000:1000.
+        - name: chown-data
+          image: busybox@sha256:73aaf090f3d85aa34ee199857f03fa3a95c8ede2ffd4cc2cdb5b94e566b11662
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            runAsUser: 0
+            runAsNonRoot: false
+            allowPrivilegeEscalation: false
+          command: ["chown", "-R", "1000:1000", "/data"]
+          volumeMounts:
+            - name: plan-chat-data
+              mountPath: /data
+      containers:
+        - name: olam-plan-chat-service
+          # Reuses the host-cp image (same source tree, same node_modules).
+          # Digest pinned in lockstep with packages/host-cp/k8s/manifests/50-deployment.yaml.
+          image: ghcr.io/pleri/olam-host-cp@sha256:20d84b6d490c633bc5a158b0f7f849152aba3cf1d2d45657360f627d8d41ec3f
+          imagePullPolicy: IfNotPresent
+          # Override the host-cp ENTRYPOINT. plan-chat-service.mjs exports
+          # startService(); we boot it via -e import-and-call.
+          command: ["node"]
+          args:
+            - "-e"
+            - "import('/app/src/plan-chat-service.mjs').then(m => m.startService()).catch(e => { console.error('[plan-chat-service]', e); process.exit(1); });"
+          workingDir: /app
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 1000
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+          ports:
+            - name: http
+              containerPort: 3200
+              protocol: TCP
+          envFrom:
+            - configMapRef:
+                name: olam-plan-chat-service-env
+          env:
+            # DATABASE_URL composition. Same pattern as chunks-electric.
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: olam-chunks-postgres-secret
+                  key: POSTGRES_PASSWORD
+            - name: OLAM_PLAN_CHAT_DATABASE_URL
+              value: "postgres://postgres:$(POSTGRES_PASSWORD)@olam-chunks-postgres.olam.svc.cluster.local:5432/chunks"
+          volumeMounts:
+            - name: plan-chat-data
+              mountPath: /data
+            - name: plan-chat-secret
+              mountPath: /etc/olam-plan-chat
+              readOnly: true
+          readinessProbe:
+            httpGet:
+              path: /livez
+              port: 3200
+            initialDelaySeconds: 10
+            periodSeconds: 5
+            timeoutSeconds: 3
+            failureThreshold: 12
+          livenessProbe:
+            httpGet:
+              path: /livez
+              port: 3200
+            initialDelaySeconds: 60
+            periodSeconds: 20
+            timeoutSeconds: 5
+            failureThreshold: 3
+          resources:
+            requests:
+              cpu: "50m"
+              memory: "256Mi"
+            limits:
+              cpu: "500m"
+              memory: "1Gi"
+      volumes:
+        - name: plan-chat-data
+          persistentVolumeClaim:
+            claimName: olam-plan-chat-service-data
+        - name: plan-chat-secret
+          secret:
+            secretName: olam-plan-chat-secret
+            defaultMode: 0400
+            items:
+              - key: PLAN_CHAT_SECRET
+                path: secret

package/host-cp/k8s/manifests/plan-chat-service/60-service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: olam-plan-chat-service
+  namespace: olam
+  labels:
+    app: olam-plan-chat-service
+    olam.io/component: peripheral
+spec:
+  type: ClusterIP
+  selector:
+    app: olam-plan-chat-service
+  ports:
+    - name: http
+      port: 3200
+      targetPort: 3200
+      protocol: TCP