Changelog

All meaningful changes to this repository must be recorded here.

Format rules:

• Add a new dated section for every work session that changes tracked files.
• Put newest changes first.
• Include the intent, touched files, deployment impact, and verification performed.
• Call out security-sensitive handling, especially anything related to tokens, kubeconfigs, cluster credentials, or deployment credentials.
• Do not record secret values.

2026-05-07

Moved RKE2 Vault export to Kubernetes auth

Intent: remove the brittle static Vault token from the RKE2 DC replication export path.

Changed files:

• ADR.md
• CHANGELOG.md
• MEMORY.md

Details:

• Updated durable docs to record that argocd/vault-replication on RKE2 DC now uses Vault Kubernetes auth through ServiceAccount vault-replicator.
• Recorded ADR 0005 for the switch from static VAULT_TOKEN to Vault role vault-replicator-export on auth path kubernetes/.
• Recorded the GitOps source-of-truth repo and commit for the workload-side change:
• repo http://30.30.30.5/infra/gitops-rke2.git
• commit 15a6d90
• Recorded that the live vault/vault-replicator Secret now keeps only:
• VAULT_ADDR
• MINIO_URL
• MINIO_AK
• MINIO_SK

Verification:

• RKE2 DC Argo CD app vault-replication synced revision 15a6d90d4a1ffe69caaaa077da42db60f4de6e8d.
• App health returned to Synced / Healthy.
• Manual export Job completed successfully after Kubernetes-auth login.
• Export logs showed policy capture, auth-method capture, KV export, and MinIO upload completion.

Deployment impact:

• The live RKE2 DC Vault export CronJob now authenticates with Kubernetes auth instead of a static Vault token.

Security notes:

• The stale VAULT_TOKEN key was removed from the live vault/vault-replicator Secret.
• No token values, kubeconfig contents, private keys, certificates, or passwords were added to tracked files.

Recorded dl385 as the cluster jump host

Intent: make it explicit that OpenShift and RKE2 access must go through dl385.

Changed files:

• ADR.md
• INFRASTRUCTURE.md
• MEMORY.md
• CHANGELOG.md

Details:

• Updated ADR 0001 to describe dl385 as the required jump host.
• Added ADR 0004 for the decision to run cluster operations from dl385.
• Updated infrastructure notes to say oc and kubectl commands should run from dl385.
• Updated project memory so new laptops do not assume local kubeconfigs or direct cluster network access.

Verification:

• npm run build
• Confirmed generated ADR, Infrastructure, Project Memory, and Changelog pages include the dl385 jump-host rule.

Deployment impact:

• The wiki pages for ADR, Infrastructure, Project Memory, and Changelog reflect the jump-host rule after the next Cloudflare Pages deploy.

Security notes:

• No secret values were added.
• The update records access pattern only, not kubeconfig contents, tokens, private keys, certificates, or passwords.

Added git-tracked project memory

Intent: preserve durable project context in the repository so work can continue after changing laptops.

Changed files:

• MEMORY.md
• AGENTS.md
• ADR.md
• README.md
• CHANGELOG.md
• scripts/build-wiki.mjs

Details:

• Added MEMORY.md as the tracked handoff memory for repo URLs, wiki URLs, deployment setup, safe cluster access patterns, ignored local paths, and new laptop bootstrap steps.
• Added ADR 0003 to record the decision to track durable memory in git while excluding secret values.
• Updated agent rules so future durable context changes also update MEMORY.md.
• Added the memory page to the generated wiki navigation and README document list.

Verification:

• npm run build
• Generated dist/memory.html locally.
• Confirmed the wiki navigation includes the project memory page.
• Reviewed MEMORY.md for secret values and kept only safe references, names, paths, and commands.

Deployment impact:

• The wiki gains a memory.html page after the next Cloudflare Pages deploy.

Security notes:

• No secret values were added.
• MEMORY.md records only secret names and local paths, not token contents, kubeconfig contents, private keys, certificates, or passwords.

Added aggressive change tracking

Intent: make change history a required operating habit for this wiki.

Changed files:

• CHANGELOG.md
• AGENTS.md
• ADR.md
• README.md
• scripts/build-wiki.mjs

Details:

• Added this changelog as the canonical change history for the repository.
• Added explicit rules requiring future agents and operators to update the changelog for meaningful changes.
• Added the changelog to the generated Cloudflare Pages wiki navigation.
• Recorded an ADR for strict changelog discipline.

Verification:

• npm run build
• Generated dist/changelog.html locally.
• Confirmed the wiki navigation includes the changelog page.

Deployment impact:

• The wiki gains a changelog.html page after the next Cloudflare Pages deploy.

Security notes:

• No secrets were added to tracked files.

Published Cloudflare Pages wiki automation

Intent: make the Markdown wiki deploy automatically from GitHub.

Changed files:

• .github/workflows/deploy-pages.yml
• README.md

Details:

• Added a GitHub Actions workflow that builds the static wiki and deploys dist/ to Cloudflare Pages on pushes to main.
• Stored Cloudflare deployment credentials as GitHub Actions secrets.
• Updated the workflow to use current actions/checkout@v6 and actions/setup-node@v6.
• Documented the Pages URL in the README.

Verification:

• npm run build
• GitHub Actions workflow Deploy Wiki succeeded.
• https://opp-test-app-wiki.pages.dev returned HTTP 200.

Deployment impact:

• Live wiki available at https://opp-test-app-wiki.pages.dev.

Security notes:

• Cloudflare token and account ID were stored in GitHub Actions secrets.
• Local secrets/, dist/, and .wrangler/ directories are ignored by git.

Created GitHub repository and static wiki

Intent: turn the infrastructure notes into a versioned repository and publishable wiki.

Changed files:

• .gitignore
• README.md
• package.json
• wrangler.toml
• scripts/build-wiki.mjs
• INFRASTRUCTURE.md
• ADR.md
• AGENTS.md

Details:

• Initialized the repository on branch main.
• Created private GitHub repo zeshaq/opp-test-app.
• Added a small Node.js static wiki generator.
• Built pages for infrastructure notes, ADRs, and agent instructions.
• Added Cloudflare Pages config for project opp-test-app-wiki.

Verification:

• npm run build
• Initial manual Cloudflare Pages deploy succeeded.
• Production Pages URL returned HTTP 200.

Deployment impact:

• Created Cloudflare Pages project opp-test-app-wiki.

Security notes:

• Added .gitignore entries for secrets/, dist/, .wrangler/, logs, and local OS metadata.

Documented infrastructure access

Intent: capture verified cluster access details without storing credentials.

Changed files:

• INFRASTRUCTURE.md
• AGENTS.md
• ADR.md

Details:

• Documented SSH access through ze@dl385.
• Recorded verified OpenShift access for hub-dc, hub-dr, spoke-dc, and spoke-dr.
• Recorded verified RKE2 access for rke2 and rke2-dr.
• Added safety guidance for future agents.
• Added ADR 0001 for documenting cluster access without storing secrets.

Verification:

• oc whoami
• oc whoami --show-server
• oc get --raw=/readyz
• kubectl --kubeconfig ~/.kube/configs/<cluster>.kubeconfig get --raw=/readyz
• kubectl --kubeconfig ~/.kube/configs/<cluster>.kubeconfig auth can-i get pods -A

Deployment impact:

• Documentation only at the time of the change.

Security notes:

• No kubeconfig contents, tokens, client certificates, private keys, or passwords were stored in tracked files.