Source-of-truth repository for the Solid Stats staging runtime: the
k8s/staging/ Kubernetes (k3s) manifests, runtime wiring (secrets, env, network
isolation), deployment scripts and operational runbooks, the PostgreSQL backup
schedule, and observability.
Boundary — this repo owns: Kubernetes staging manifests, runtime wiring,
deployment scripts and runbooks (Bash/Python), and the staging CI/CD pipeline. It
must not: own application source code or build container images (the app
repos do that), manage the production environment (out of scope for v1), or store
secret values in git (secrets come from the GitHub environment at deploy time
only). Image SHAs in k8s/staging/ are pinned and updated explicitly — never
auto-pull latest. See the cross-app boundary map (§D) in
solidstats-shared-project-standards for the full platform-tier boundaries.
Shared standards for every SolidStats repo live in the
skills repo — start with
solidstats-shared-project-standards.
Solid Stats Infrastructure
This repository is the source of truth for Solid Stats infrastructure, starting with the staging k3s environment. It owns shared runtime wiring, Kubernetes manifests, operational scripts, backup and restore runbooks, and the path toward manual full-run and diff verification before any production traffic switch.
Application repositories still own application code and image builds. This project owns how those images are composed into a reliable Solid Stats runtime.
Core Value: Staging must be reproducible, backed up, and safe to run end-to-end before it is used to produce or compare new statistics.
- Environment: v1 targets
solid-stats-stagingonly — production cutover is intentionally deferred. - Cluster: k3s is already running on the staging VPS — this project deploys resources into it but does not reinstall the server in v1.
- Storage: Timeweb S3-compatible storage is the object storage provider — backup, raw replay, artifact, and future report prefixes must coexist safely.
- Database: PostgreSQL in k3s is the durable metadata source — full-run work must not proceed without a current backup point.
- Deploy Ownership: app repositories still have legacy deploy workflows — migration to infra-owned deploy must be gradual to avoid breaking active staging.
- Safety:
replays-fetcherstays suspended until manual backup and restore-list validation pass. - Secrets: secrets come from GitHub environment secrets and live Kubernetes Secrets — no secret values belong in git or planning docs.
- Validation: completion claims require fresh evidence from scripts, Kubernetes dry-runs, live rollout state, backup logs, or S3 object checks.
- Kubernetes Safety: workload manifests must avoid default ServiceAccounts, add pod/container security context where images allow it, keep resource requests/limits, and define network isolation or a documented exception.
- Kubernetes batch/apps/core APIs in
k8s/staging/*.yaml. - k3s on the staging VPS, targeted through remote
kubectlin - PostgreSQL 17 Alpine image in
k8s/staging/10-postgres.yaml. - RabbitMQ 4 management image in
k8s/staging/20-rabbitmq.yaml. - GHCR-hosted application images pinned in:
- Timeweb S3-compatible object storage configured through manifests and
- Bash:
- Python 3:
validatechecks that expected files and manifest directories exist.deployinstalls the SSH private key, trusts the deploy host, then runs
- PostgreSQL PVC
postgres-datarequests20Giin - RabbitMQ PVC
rabbitmq-datarequests5Giin
- one environment per directory
- numeric filename prefixes for apply ordering
- explicit namespace on namespaced resources
- standard Kubernetes app labels
- image tags pinned to explicit SHAs for app deployments
imagePullPolicy: IfNotPresentfor pinned images
#!/usr/bin/env bashset -euo pipefail- explicit required env var checks through shell parameter expansion
- remote
kubectlexecution over SSH - standard library only
- explicit
required()helper for mandatory environment variables - exits with code
64for missing configuration
- PostgreSQL StatefulSet and Service from
k8s/staging/10-postgres.yaml. - RabbitMQ StatefulSet and Service from
k8s/staging/20-rabbitmq.yaml. server-2ConfigMap, Service, and Deployment fromreplay-parser-2Deployment fromk8s/staging/40-replay-parser-2.yaml.replays-fetcherCronJob fromk8s/staging/50-replays-fetcher.yaml.postgres-backupCronJob fromk8s/staging/60-postgres-backup.yaml.
- namespace
- persistent services
- runtime manifests
- backup scheduling
- deployment runbooks
- staging operational docs
- Human docs:
README.md,docs/staging.md,docs/backup-restore.md. - CI/CD:
.github/workflows/deploy-staging.yml. - CI deploy helpers:
scripts/ssh-tunnel-up.sh(opens SSH local-forward 127.0.0.1:16443 → k3s API 6443),scripts/kubeconfig-setup.sh. - Manual backup script:
scripts/backup-postgres-now.sh. - Runtime manifests:
k8s/staging/*.yaml.
| Skill | Description | Path |
|---|---|---|
| kubernetes-specialist | Use when deploying or managing Kubernetes workloads. Invoke to create deployment manifests, configure pod security policies, set up service accounts, define network isolation rules, debug pod crashes, analyze resource limits, inspect container logs, or right-size workloads. Use for Helm charts, RBAC policies, NetworkPolicies, storage configuration, performance optimization, GitOps pipelines, and multi-cluster management. | .agents/skills/kubernetes-specialist/SKILL.md |
Before using Edit, Write, or other file-changing tools, start work through a GSD command so planning artifacts and execution context stay in sync.
Use these entry points:
/gsd-quickfor small fixes, doc updates, and ad-hoc tasks/gsd-debugfor investigation and bug fixing/gsd-execute-phasefor planned phase work
Do not make direct repo edits outside a GSD workflow unless the user explicitly asks to bypass it.
Profile not yet configured. Run
/gsd-profile-userto generate your developer profile. This section is managed bygenerate-claude-profile-- do not edit manually.