Same pattern as infinity-tales and marktvogt.de: the tenant-2 namespace
holds a pre-provisioned dockerconfigjson secret named itsh-registry that
authenticates pulls from registry.itsh.dev. Reference it from the pod
spec so the kubelet can fetch the image.

ITSH Cloud's multi-tenant model forbids tenants from creating Roles or
RoleBindings, so the custom least-privilege Role we shipped can't be
applied. The pre-provisioned 'tenant-2' ServiceAccount in the tenant
namespace already carries the necessary secret-patch permission, so we
just point the CronJob at it.
Also fixes the kustomize commonLabels -> labels deprecation.
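The commonLabels -> labels migration has one catch worth showing: commonLabels also stamped every selector and pod template, while the replacement touches metadata only unless told otherwise. Added example overlay, not the repository's own kustomization; the resource file names and label values are assumptions:

```yaml
# kustomization.yaml for the tenant-2 overlay (added example; file names and
# label values are assumptions, not the project's own)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: tenant-2

resources:
  - configmap.yaml
  - pvc.yaml
  - cronjob.yaml

# Deprecated form that kustomize flags:
#
# commonLabels:
#   app.kubernetes.io/name: matrix-bot
#
# commonLabels wrote the label into metadata.labels AND into every selector
# and pod template it knew about. The `labels` field defaults to metadata
# only; includeSelectors: true restores the old behaviour (selectors plus
# the templates they must match). A CronJob has no selector, but a
# Deployment or Service in the same overlay would otherwise lose its
# selector labels silently and stop matching its pods.
labels:
  - pairs:
      app.kubernetes.io/name: matrix-bot
      app.kubernetes.io/part-of: matrix-bot
    includeSelectors: true
```

Diff `kustomize build` output before and after the migration; any resource whose `spec.selector` or `spec.template.metadata.labels` lost a key is one that needed includeSelectors.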

Match the registry pattern used by infinity-tales and marktvogt.de.
Pinning to 0.1.0 instead of latest so deploys are deterministic; bump
the tag here when you push a new image.

Multi-stage Alpine build pinned to python:3.14-alpine, with libolm pulled
in only for the runtime layer. K8s manifests cover ServiceAccount, Role
(scoped to a single named Secret), RoleBinding, ConfigMap, RWO PVC, and
the CronJob itself (concurrencyPolicy=Forbid, runAsNonRoot, dropped caps,
readOnlyRootFilesystem). Kustomize overlay targets the tenant-2 namespace.

bootstrap-local.sh prepares ./local/ from a Claude install (honors
CLAUDE_CONFIG_DIR for work/priv splits) and prompts for the Matrix bot
credentials.