This is a single-maintainer repository for a local OrbStack Kubernetes cluster. External contributions are welcome but the bar is high — changes must not break the live monitoring pipeline.
Requires: kubectl, kustomize, kubeconform, OrbStack with k3s running.
With direnv (recommended) — auto-activates the dev shell whenever you cd into the worktree:

```sh
direnv allow # one-time per worktree
```

Without direnv — manually enter the dev shell each time:

```sh
nix develop
```

Install the pre-commit hooks once per fresh clone or new worktree:

```sh
pre-commit install --hook-type pre-commit --hook-type commit-msg --hook-type pre-push
```

On first-time setup (or after pulling new hook revisions), run the full suite once to verify every hook resolves and passes against the current tree:

```sh
pre-commit run --all-files
```

- From the main worktree, sync and create a new worktree:

  ```sh
  git fetch --prune origin && git pull
  git worktree add ../<type>/<name> -b <type>/<name> main
  ```

  (The `../<type>/<name>` path keeps the worktree alongside `main/` in whatever directory layout you use locally.)

- Make changes, then run unit tests (no cluster required):

  ```sh
  make test-unit
  ```

- Verify the full stack if your change touches `k8s/` or `scripts/`:

  ```sh
  make deploy
  make test-e2e
  ```

- Open a PR with a Conventional Commit title:
  - `fix:` for bug fixes and small adjustments → patch release
  - `feat:` for new capabilities → minor release
  - `chore:`, `docs:`, `ci:` for non-release changes

- No plaintext secrets. All secrets live in `secrets.enc.yaml` (SOPS-encrypted). See `docs/DEPLOYMENT.md`.
- No hardcoded local paths. Base manifests use `PLACEHOLDER_HOME_DIR`; real paths are injected by the generated overlay.
- Edge → Stream → Splunk is the only allowed data path. The architecture invariant tests enforce this.
- Image tags stay `latest` for upstream images. Renovate and the Trivy scan handle supply-chain hygiene.
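
The secrets and local-path rules above can be checked mechanically before a commit. The following Python check is an added example, not one of this repository's hooks or tests; the function names and sample manifests are constructed, and it assumes that a hardcoded local path means `/Users/<name>` or `/home/<name>` and that secret values sit under `data:` or `stringData:`.

```python
import re

# Assumption: "hardcoded local paths" means absolute per-user home directories.
HOME_PATH = re.compile(r"/(?:Users|home)/[A-Za-z0-9._-]+")
SECRET_BLOCKS = {"data", "stringData"}


def lint_base_manifest(text):
    """Return (line_no, message) for each hardcoded home path in a base manifest."""
    return [(n, "hardcoded local path; use PLACEHOLDER_HOME_DIR")
            for n, line in enumerate(text.splitlines(), 1)
            if not line.lstrip().startswith("#") and HOME_PATH.search(line)]


def lint_sops_file(text):
    """Return findings for a file that is supposed to be SOPS-encrypted YAML."""
    findings, block, has_sops = [], None, False
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not line[0].isspace():             # a top-level key starts a new block
            block = stripped.split(":", 1)[0]
            has_sops = has_sops or block == "sops"
            continue
        if block in SECRET_BLOCKS and ":" in stripped:
            value = stripped.split(":", 1)[1].strip().strip("'\"")
            if not value.startswith("ENC["):  # SOPS writes encrypted scalars as ENC[...]
                findings.append((n, "plaintext value under " + block))
    if not has_sops:
        findings.append((0, "no top-level sops metadata block"))
    return findings


# Constructed samples, not taken from the repository.
BASE_BAD = "volumes:\n- hostPath:\n    path: /Users/alice/logs\n"
BASE_OK = "volumes:\n- hostPath:\n    path: PLACEHOLDER_HOME_DIR/logs\n"
SOPS_OK = ("kind: Secret\nstringData:\n"
           "    token: ENC[AES256_GCM,data:c2FtcGxl,iv:aXY=,tag:dGFn,type:str]\n"
           "sops:\n    version: 3.8.1\n")
SOPS_BAD = "kind: Secret\nstringData:\n    token: hunter2\n"

if __name__ == "__main__":
    for name, result in [("base bad", lint_base_manifest(BASE_BAD)),
                         ("sops bad", lint_sops_file(SOPS_BAD))]:
        print(name, result)
```

The SOPS check only confirms the file's shape (an `ENC[...]` value for every secret key plus the `sops:` metadata block); it does not decrypt or verify the MAC.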
See docs/TESTING.md for the full test tier breakdown (unit → smoke → pipeline → forwarding → sourcetypes).