Retire Frank and promote Felix (#2356)

* Retire Frank and promote Felix

Replace the Frank Kubernetes app with Felix, remove stale Frank Authentik and Slack definitions, and drop the obsolete Frank descheduler policy.

Add Felix Authentik and Slack configuration, preserve the Goldilocks/VPA namespace behavior from Frank, and update Slack documentation for the new app name.

* chore: regenerate Helm manifests

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Author: claytono

kubernetes/descheduler/helm/templates/configmap.yaml

@@ -44,23 +44,6 @@ data:
           enabled:
           - PodLifeTime
           - RemovePodsHavingTooManyRestarts
-    - name: frank-daily-restart
-      pluginConfig:
-      - args:
-          evictLocalStoragePods: true
-        name: DefaultEvictor
-      - args:
-          maxPodLifeTimeSeconds: 86400
-          namespaces:
-            include:
-            - frank
-          states:
-          - Running
-        name: PodLifeTime
-      plugins:
-        deschedule:
-          enabled:
-          - PodLifeTime
     - name: node-utilization
       pluginConfig:
       - args:

kubernetes/descheduler/helm/templates/cronjob.yaml

@@ -19,7 +19,7 @@ spec:
         metadata:
           name: descheduler
           annotations:
-            checksum/config: c44366ab197059f0c572e61f1ffd0b76e77ecb742cc3465ef008e2e2ea87a5c9
+            checksum/config: e9a9ab4fceb73cd039544c1623189d0a475d066fe375b666455078932bb05531
           labels:
             app.kubernetes.io/name: descheduler
             app.kubernetes.io/instance: descheduler

kubernetes/descheduler/values.yaml

@@ -32,23 +32,6 @@ deschedulerPolicy:
         enabled:
         - PodLifeTime
         - RemovePodsHavingTooManyRestarts
-  - name: frank-daily-restart
-    pluginConfig:
-    - name: DefaultEvictor
-      args:
-        evictLocalStoragePods: true
-    - name: PodLifeTime
-      args:
-        namespaces:
-          include:
-          - frank
-        maxPodLifeTimeSeconds: 86400  # 24 hours
-        states:
-        - Running
-    plugins:
-      deschedule:
-        enabled:
-        - PodLifeTime
   - name: node-utilization
     pluginConfig:
     - name: DefaultEvictor

kubernetes/frank/api-entrypoint.sh kubernetes/felix/api-entrypoint.shkubernetes/frank/api-entrypoint.sh renamed to kubernetes/felix/api-entrypoint.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 trap 'kill 0; wait; exit 0' TERM INT
 
-API_DIR="/home/node/.openclaw/workspace/www/games/api"
+API_DIR="/opt/workspace/www/games/api"
 LOG_DIR="$API_DIR/logs"
 LOG_FILE="$LOG_DIR/server.log"
 RESTART_FILE="$API_DIR/.restart"
@@ -11,7 +11,7 @@ KEEP=3
 mkdir -p "$LOG_DIR"
 : >> "$LOG_FILE"
 
-# Background log rotator - checks every 60s
+# Background log rotator - checks every 60 seconds.
 (while sleep 60; do
   size=$(stat -c%s "$LOG_FILE" 2>/dev/null || echo 0)
   if [ "$size" -gt "$MAX_BYTES" ]; then
@@ -25,20 +25,20 @@ mkdir -p "$LOG_DIR"
   fi
 done) &
 
-# Stream log to stdout for kubectl logs
+# Stream log to stdout for kubectl logs.
 tail -f "$LOG_FILE" &
 
 cd "$API_DIR" || exit 1
 
-# Main loop — restarts bun in-process to avoid CrashLoopBackOff.
+# Main loop restarts bun in-process to avoid CrashLoopBackOff.
 while true; do
   rm -f "$RESTART_FILE"
   bun install >> "$LOG_FILE" 2>&1
 
   bun run --watch server.js >> "$LOG_FILE" 2>&1 &
   BUN_PID=$!
 
-  # Wait for .restart trigger or bun exit
+  # Wait for .restart trigger or bun exit.
   while kill -0 "$BUN_PID" 2>/dev/null; do
     if [ -f "$RESTART_FILE" ]; then
       rm -f "$RESTART_FILE"

kubernetes/felix/deployment.yaml

@@ -0,0 +1,173 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+
+metadata:
+  name: felix
+  annotations:
+    reloader.stakater.com/auto: 'true'
+
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: felix
+      app.kubernetes.io/instance: felix
+  template:
+    metadata:
+      name: felix
+      labels:
+        app.kubernetes.io/name: felix
+        app.kubernetes.io/instance: felix
+    spec:
+      serviceAccountName: felix
+      automountServiceAccountToken: false
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 10000
+        runAsGroup: 10000
+        fsGroup: 10000
+      initContainers:
+      - name: www
+        image: nginxinc/nginx-unprivileged:1.29-alpine@sha256:0c79d56aee561a1d81c63f00eee5fb5fe29279560cdc55e91425133104c7fbe6
+        restartPolicy: Always
+        ports:
+        - containerPort: 8080
+          name: www
+          protocol: TCP
+        securityContext:
+          runAsUser: 10000
+          runAsGroup: 10000
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts:
+        - name: data
+          mountPath: /data
+          subPath: workspace
+          readOnly: true
+        - name: nginx-config
+          mountPath: /etc/nginx/conf.d
+          readOnly: true
+        - name: nginx-tmp
+          mountPath: /tmp
+        - name: nginx-cache
+          mountPath: /var/cache/nginx
+      - name: api
+        image: oven/bun:1.3.13-alpine@sha256:4de475389889577f346c636f956b42a5c31501b654664e9ae5726f94d7bb5349
+        restartPolicy: Always
+        command:
+        - /bin/sh
+        - /etc/api/api-entrypoint.sh
+        ports:
+        - containerPort: 3001
+          name: api
+          protocol: TCP
+        env:
+        - name: DATABASE_URL
+          valueFrom:
+            secretKeyRef:
+              name: felix-db-app
+              key: uri
+        - name: PORT
+          value: '3001'
+        - name: BUN_INSTALL_CACHE_DIR
+          value: /tmp
+        - name: BUN_RUNTIME_TRANSPILER_CACHE_PATH
+          value: /tmp/bun-cache
+        securityContext:
+          runAsUser: 10000
+          runAsGroup: 10000
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts:
+        - name: data
+          mountPath: /opt/workspace
+          subPath: workspace
+          readOnly: false
+        - name: api-tmp
+          mountPath: /tmp
+        - name: api-entrypoint
+          mountPath: /etc/api
+          readOnly: true
+      containers:
+      - name: hermes
+        image: docker.io/nousresearch/hermes-agent:v2026.6.5@sha256:9ad3b04ec916ea2c2da22358fd43b024c788d74073210695af88bfc2e63869b4
+        args:
+        - gateway
+        - run
+        ports:
+        - name: gateway
+          containerPort: 8642
+        - name: dashboard
+          containerPort: 9119
+        env:
+        - name: API_SERVER_ENABLED
+          value: 'true'
+        - name: API_SERVER_HOST
+          value: 0.0.0.0
+        - name: HERMES_DASHBOARD
+          value: '1'
+        - name: HERMES_DASHBOARD_OIDC_ISSUER
+          value: https://auth.k.oneill.net/application/o/felix-dashboard/
+        - name: HERMES_DASHBOARD_OIDC_CLIENT_ID
+          value: felix-dashboard
+        - name: HERMES_DASHBOARD_PUBLIC_URL
+          value: https://felix-dashboard.k.oneill.net
+        envFrom:
+        - secretRef:
+            name: felix-secrets
+        volumeMounts:
+        - name: data
+          mountPath: /opt/data
+        - name: kube-api-access
+          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+          readOnly: true
+      volumes:
+      - name: kube-api-access
+        projected:
+          defaultMode: 0444
+          sources:
+          - serviceAccountToken:
+              expirationSeconds: 3600
+              path: token
+          - configMap:
+              name: kube-root-ca.crt
+              items:
+              - key: ca.crt
+                path: ca.crt
+          - downwardAPI:
+              items:
+              - fieldRef:
+                  fieldPath: metadata.namespace
+                path: namespace
+      - name: data
+        persistentVolumeClaim:
+          claimName: felix-data
+      - name: nginx-config
+        configMap:
+          name: felix-nginx-config
+      - name: api-entrypoint
+        configMap:
+          name: felix-api-entrypoint
+          defaultMode: 0755
+      - name: nginx-tmp
+        emptyDir:
+          sizeLimit: 1Gi
+      - name: nginx-cache
+        emptyDir:
+          sizeLimit: 1Gi
+      - name: api-tmp
+        emptyDir:
+          sizeLimit: 10Gi

kubernetes/frank/externalsecret.yaml kubernetes/felix/externalsecret.yamlkubernetes/frank/externalsecret.yaml renamed to kubernetes/felix/externalsecret.yaml

@@ -3,29 +3,29 @@ apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 
 metadata:
-  name: frank-secrets
+  name: felix-secrets
 
 spec:
   secretStoreRef:
     name: production
     kind: ClusterSecretStore
   target:
-    name: frank-secrets
+    name: felix-secrets
     creationPolicy: Owner
   data:
-  - secretKey: OPENCLAW_GATEWAY_TOKEN
+  - secretKey: API_SERVER_KEY
     remoteRef:
-      key: frank
-      property: gateway-api-token
+      key: felix
+      property: api-server-key
   - secretKey: SLACK_BOT_TOKEN
     remoteRef:
-      key: frank
+      key: felix
       property: bot-user-oauth-token
   - secretKey: SLACK_APP_TOKEN
     remoteRef:
-      key: frank
+      key: felix
       property: socket-mode-token
-  - secretKey: BRAVE_API_KEY
+  - secretKey: SLACK_ALLOWED_USERS
     remoteRef:
-      key: frank
-      property: brave-api-key
+      key: felix
+      property: slack-allowed-users

kubernetes/felix/ingress-dashboard.yaml

@@ -0,0 +1,29 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+
+metadata:
+  name: felix-dashboard
+  namespace: felix
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    ak-type: oidc
+    ak-oidc-client-type: public
+    ak-oidc-callback: /auth/callback
+
+spec:
+  tls:
+  - hosts:
+    - felix-dashboard.k.oneill.net
+    secretName: felix-dashboard-tls
+  rules:
+  - host: felix-dashboard.k.oneill.net
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: felix-dashboard
+            port:
+              number: 9119

kubernetes/frank/ingress-www.yaml kubernetes/felix/ingress-www.yamlkubernetes/frank/ingress-www.yaml renamed to kubernetes/felix/ingress-www.yaml

@@ -3,31 +3,31 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 
 metadata:
-  name: frank-www
-  namespace: frank
+  name: felix-www
+  namespace: felix
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt
     ak-type: simple
     gethomepage.dev/enabled: 'true'
-    gethomepage.dev/name: Frank
+    gethomepage.dev/name: Felix
     gethomepage.dev/description: Personal Assistant
     gethomepage.dev/group: Productivity
-    gethomepage.dev/icon: mdi-cash-multiple
-    gethomepage.dev/pod-selector: app.kubernetes.io/name=frank
+    gethomepage.dev/icon: mdi-robot
+    gethomepage.dev/pod-selector: app.kubernetes.io/name=felix
 
 spec:
   tls:
   - hosts:
-    - frank.k.oneill.net
-    secretName: frank-www-tls
+    - felix.k.oneill.net
+    secretName: felix-www-tls
   rules:
-  - host: frank.k.oneill.net
+  - host: felix.k.oneill.net
     http:
       paths:
       - path: /
         pathType: Prefix
         backend:
           service:
-            name: frank-www
+            name: felix-www
             port:
               number: 8080