Fast lookups — the concrete facts for this Ultron Infra instance (node
ultron): pinned versions, endpoints, namespaces, and secrets. Exact values
pulled from the platform runbook and build summary. Anything Penvoice-specific
below is the example app onboarded onto this instance, not the platform itself.

| Chart / operator | Version |
|---|---|
| cert-manager | v1.20.2 |
| kube-prometheus-stack | 86.2.3 |
| argo-cd | 9.5.21 |
| argo-rollouts | 2.41.0 |
| argo-workflows | 1.0.15 |
| argo-events | 2.4.21 |
| CloudNativePG | 0.28.3 (operator v1.29.1) |
| Keycloak operator | 26.6.3 |

| Host | What |
|---|---|
| argocd.webbies.dev | Argo CD UI |
| test-auth.webbies.dev | Keycloak (test instance) |
| test-api.penvoice.app | Penvoice API |
| test.penvoice.app | Web app (Vercel) |
| auth.webbies.dev | Reserved — future prod Keycloak |

The Kubernetes API is Tailscale-only (no public 6443); ultron resolves
to the node’s Tailscale IP on dev machines.

| Repo | Contents |
|---|---|
| webb1es/gitops | Manifests (app-of-apps). Private. Source of truth. |
| webb1es/penvoice-api | Go REST API. CI → GHCR. |
| penvoice-web | Angular SPA. Deploys on Vercel (branch-based). |

Image: ghcr.io/webb1es/penvoice-api:sha-<sha> (must be public, or use an
imagePullSecret). Runbook: gitops/docs/platform.md.

| Namespace | Runs |
|---|---|
| argocd | Argo CD / Rollouts / Workflows / Events |
| cert-manager | cert-manager |
| monitoring | kube-prometheus-stack (Prometheus / Grafana / Alertmanager) |
| cnpg-system | CloudNativePG operator |
| keycloak | Keycloak operator + test instance + its Postgres |
| penvoice | Penvoice API Rollout + Postgres + ingress |

Recreate these by hand on rebuild — see
Disaster recovery.

| Secret | Namespace | What |
|---|---|---|
| penvoice-api-kc | penvoice | Keycloak API client secret |
| penvoice-pg-backup-creds | penvoice | Oracle Object Storage S3 keys |
| keycloak-pg-backup-creds | keycloak | Oracle Object Storage S3 keys |

Oracle S3 keys: the access key is clean hex; the secret key contains +, / and = characters. Don't swap them.
The Keycloak realm config also lives out-of-band (in its DB, which is backed
up).

| Setting | Value |
|---|---|
| Bucket | penvoice-pg-backups (per-cluster folders) |
| Schedule | Nightly ScheduledBackup + continuous WAL archiving |
| PITR window | 30 days |
| Region | af-johannesburg-1 |
| Required S3 env | AWS_REQUEST_CHECKSUM_CALCULATION=when_required, AWS_RESPONSE_CHECKSUM_VALIDATION=when_required, AWS_DEFAULT_REGION=af-johannesburg-1 |

The canary gate for the example Penvoice API:

| Setting | Value |
|---|---|
| AnalysisTemplate | penvoice-success-rate (namespace penvoice) |
| Success condition | result[0] >= 0.95 (non-5xx / total) |
| Interval | 30s, failureLimit: 2 |
| Prometheus | http://prometheus-operated.monitoring:9090 |
| Steps | 25% → 50% → 75% → 100%, 60s pause each |