feat(multi-env): Phase D4 — register erp-sandbox ArgoCD Application #18

Merged
arcodange merged 1 commits from claude/phaseD-erp-sandbox-argocd into main 2026-06-28 18:36:23 +02:00
Owner

Summary

Phase D4 of ADR-0002 — the final, GitOps step. Adds envs: { sandbox: {} } to the erp entry in argocd/values.yaml, so the Phase B per-env loop renders an extra erp-sandbox Application.

On merge to main, the factory app-of-apps re-renders and ArgoCD creates the erp-sandbox Application → deploys the Dolibarr chart (values.yaml + values-sandbox.yaml) into namespace erp-sandbox. The pod's VSO consumes the Vault paths from D2/D3 and the DB from D1.

Render diff (verified) — purely additive

The only change vs main is the new erp-sandbox Application; prod erp + all other apps render byte-identical:

```
name: erp-sandbox
spec:
  source:
    repoURL: https://gitea.arcodange.lab/arcodange-org/erp
    path: chart
    helm:
      valueFiles: [values.yaml, values-sandbox.yaml]
  destination:
    namespace: erp-sandbox
  syncPolicy: { automated: { prune: true, selfHeal: true }, syncOptions: [CreateNamespace=true] }
```

Phase E (DNS/TLS) — nothing needed

Investigated: *.arcodange.lab is a wildcard in Pi-hole (k3s CoreDNS forwards to it), and cert-manager holds a *.arcodange.lab wildcard cert set as Traefik's default TLS. So erp-sandbox.arcodange.lab resolves + gets HTTPS automatically once the ingress is up — no DNS record or cert change. The only Phase E remnant is creating the write-scoped ai_agent_sandbox Dolibarr user (UI), which feeds the future V9 write skill.

Phase D — complete

| step | repo | PR | result |
|---|---|---|---|
| D1 Postgres DB+role | factory | #17 | 6 added, 0 destroyed |
| D2 Vault policies | tools | #3 | 1 add, 1 change, 0 destroy |
| D3 erp Vault auth/creds/KV | erp | #12 | 5 moved, 5 added, 0 destroyed |
| D4 ArgoCD app (this) | factory | | render additive |

🤖 Generated with Claude Code

arcodange added 1 commit 2026-06-28 18:36:14 +02:00
ADR-0002 Phase D, final step. Adds `envs: { sandbox: {} }` to the erp entry
in argocd/values.yaml, so the Phase B per-env loop in templates/apps.yaml
renders an extra Application "erp-sandbox":
  - source: same erp repo + chart, overlaid with values.yaml + values-sandbox.yaml
  - destination namespace: erp-sandbox (CreateNamespace=true)
  - syncPolicy: automated prune + selfHeal (default)

GitOps activation: on merge to main, the factory app-of-apps re-renders and
ArgoCD creates the erp-sandbox Application, which deploys the Dolibarr chart
into the erp-sandbox namespace. The pod's VSO reads the Vault paths created in
D2/D3 (auth/kubernetes/role/erp-sandbox, postgres/creds/erp-sandbox,
kvv2/erp-sandbox/config) and connects to the erp-sandbox DB created in D1.

Render verified: the only diff vs main is the added erp-sandbox Application;
prod erp + all other apps render byte-identical.

No DNS/TLS change needed (Phase E): *.arcodange.lab is a wildcard in Pi-hole
(CoreDNS forwards to it) and cert-manager holds a *.arcodange.lab wildcard set
as Traefik's default TLS — so erp-sandbox.arcodange.lab resolves + gets HTTPS
automatically once the ingress is up.

Completes Phase D. D1=factory#17, D2=tools#3, D3=erp#12 (all merged).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
arcodange merged commit 5c60677171 into main 2026-06-28 18:36:23 +02:00
arcodange deleted branch claude/phaseD-erp-sandbox-argocd 2026-06-28 18:36:24 +02:00
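
The render check reported in the description and commit message (only `erp-sandbox` added, everything else byte-identical) can be run as a CI gate. The following is an added example, not code from the factory repo; the sample manifests, the `webapp` application, the prod `erp` namespace, and the extra `shared_ns` check are constructed assumptions.

```python
import re

# Constructed sample manifest; metadata.namespace "argocd" is an assumption.
APP = """apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: {name}
  namespace: argocd
spec:
  source:
    repoURL: https://gitea.arcodange.lab/arcodange-org/{repo}
    path: chart
  destination:
    namespace: {ns}
"""

def render(*apps):
    """Stand-in for `helm template` output: one YAML document per Application."""
    return "---\n".join(APP.format(name=n, repo=r, ns=ns) for n, r, ns in apps)

def split_apps(rendered):
    """Map metadata.name -> exact text of that Application document."""
    apps = {}
    for doc in re.split(r"(?m)^---[ \t]*\n", rendered):
        if doc.strip():
            name = re.search(r"(?m)^metadata:\n(?:  .*\n)*?  name:[ \t]*(\S+)", doc)
            apps[name.group(1)] = doc
    return apps

def dest_ns(doc):
    """Return spec.destination.namespace, or None if the document has none."""
    m = re.search(r"(?m)^  destination:\n(?:    .*\n)*?    namespace:[ \t]*(\S+)", doc)
    return m.group(1) if m else None

def review(base, head):
    """Classify every Application in head relative to base."""
    old, new = split_apps(base), split_apps(head)
    added = sorted(new.keys() - old.keys())
    taken = {dest_ns(d) for d in old.values()}
    return {
        "added": added,
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
        # a new Application deploying into a namespace an existing one already uses
        "shared_ns": sorted(n for n in added if dest_ns(new[n]) in taken),
    }

MAIN = render(("erp", "erp", "erp"), ("webapp", "webapp", "webapp"))
BRANCH = render(("erp", "erp", "erp"), ("webapp", "webapp", "webapp"),
                ("erp-sandbox", "erp", "erp-sandbox"))

if __name__ == "__main__":
    print(review(MAIN, BRANCH))
```

A gate built on this would fail the pipeline unless `removed`, `changed` and `shared_ns` are all empty and `added` matches the Applications the PR claims to introduce.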

Reference: arcodange-org/factory#18