podverse/podverse-k8s-patterns
.cursor/skills/k8s/SKILL.md
Common patterns for Kubernetes manifests in infra/k8s. Use when editing or adding K8s manifests, changing deployment config, adding env vars to ConfigMaps, or working with ArgoCD/Kustomize/SOPS.
$ install --global
skillsauthnpx skillsauth add podverse/podverse podverse-k8s-patternsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 10:48 PM4.4s1 file scanned
SKILL.md
- name:
- podverse-k8s-patterns
- description:
- Common patterns for Kubernetes manifests in infra/k8s. Use when editing or adding K8s manifests, changing deployment config, adding env vars to ConfigMaps, or working with ArgoCD/Kustomize/SOPS.
- version:
- 1.0.0
Podverse K8s Development Patterns
This skill provides quick reference for common patterns used in the Podverse Kubernetes infrastructure.
When to Use This Skill
Use this skill when:
- Editing or adding files under
infra/k8s/ - Changing deployment configuration
- Adding environment variables to ConfigMaps
- Working with ArgoCD, Kustomize, or SOPS in this repo
- Creating new K8s components or services
Directory Structure
infra/k8s/
├── alpha-application.yaml # Root ArgoCD app (App of Apps)
├── base/ # Shared manifests (all environments)
│ ├── api/
│ │ ├── 01-configmap.yaml
│ │ ├── 02-service.yaml
│ │ ├── 03-deployment.yaml
│ │ └── kustomization.yaml
│ ├── web/
│ ├── workers/
│ ├── db/
│ ├── mq/
│ ├── keyvaldb/
│ ├── cron/
│ ├── ops/
│ └── common/ # Shared resources (Ingress, TLS)
├── alpha/ # Alpha environment overlays
│ ├── apps/ # ArgoCD Application definitions
│ │ ├── api.yaml
│ │ ├── web.yaml
│ │ ├── common.yaml
│ │ └── ...
│ ├── api/
│ │ ├── kustomization.yaml
│ │ └── deployment-link-patch.yaml
│ ├── web/
│ ├── workers/
│ └── ...
├── system/ # Cluster-wide config
│ └── traefik-config.yaml
└── scripts/ # Helper scripts
├── create_*_secret.sh
├── db-connect.sh
└── README.md
Architecture: App of Apps Pattern
The deployment uses ArgoCD's App of Apps pattern:
- Root Application (
alpha-application.yaml) syncs thealpha/apps/directory - Child Applications (e.g.,
alpha/apps/api.yaml,alpha/apps/web.yaml) appear in ArgoCD - Resources (Deployments, Services, ConfigMaps) are deployed by their respective child apps
Flow:
alpha-application.yaml → alpha/apps/*.yaml → alpha/<component>/kustomization.yaml → base/<component>/*.yaml
Kustomize Usage
Building Overlays
Always use the --load-restrictor LoadRestrictionsNone flag because bases live outside overlay folders:
# From repo root
kustomize build --load-restrictor LoadRestrictionsNone infra/k8s/alpha/api/
kustomize build --load-restrictor LoadRestrictionsNone infra/k8s/alpha/workers/
Validating Locally
Add dry-run to validate before pushing to Git:
kustomize build --load-restrictor LoadRestrictionsNone infra/k8s/alpha/api/ | kubectl apply -f - --dry-run=client
Base vs Overlay Structure
Base manifests (base/<component>/):
- Shared resources for all environments
- Use numbered naming:
01-configmap.yaml,02-service.yaml,03-deployment.yaml - Image tags may be placeholders (overlays set actual tags)
- ConfigMap names like
podverse-api-config,podverse-workers-config
Alpha overlays (alpha/<component>/):
- Reference base resources in
kustomization.yaml - Set
namespace: podverse-alpha - Apply common labels with
includeSelectors: true - Override ConfigMap values with
configMapGenerator(behavior: merge) - Set image tags in
images:section - Apply patches (e.g.,
deployment-link-patch.yaml)
ConfigMap Conventions
Sync with env templates
ConfigMaps in base/<component>/01-configmap.yaml should mirror the structure of the authoritative app .env.example files (e.g. apps/api/.env.example, apps/workers/.env.example). Infra env-templates for apps are link-only stubs.
- Use same section headers (e.g.,
##### App / General #####) - Add comment:
# Mapped from apps/<component>/.env.example - Keep variable names and structure aligned
Secrets Handling
- Never put secrets in ConfigMaps
- Mark sensitive variables with
# in secretscomment - Align comments: When several consecutive lines have
# in secrets(or# in secrets (...)), align the# in secretspart vertically (same column) by padding with spaces after the value so the comment starts at the same position - Actual secrets go in SOPS-encrypted files under
k8s/secrets/ - Use
secretRefin DeploymentenvFromto load secrets
Example (aligned # in secrets in a sequence):
# In ConfigMap – consecutive "in secrets" lines aligned
# DB_READ_USERNAME: "" # in secrets
# DB_PASSWORD: "" # in secrets
# DB_READ_WRITE_USERNAME: "" # in secrets
# DB_READ_WRITE_PASSWORD: "" # in secrets
# In Deployment
envFrom:
- configMapRef:
name: podverse-api-config
- secretRef:
name: podverse-api-opaque
Environment Overrides
Override ConfigMap values in alpha (or other environment) overlays using configMapGenerator:
# alpha/api/kustomization.yaml
configMapGenerator:
- name: podverse-api-config
behavior: merge
literals:
- API_ALLOWED_CORS_ORIGINS="http://podverse-web:3000,https://alpha-podverse.k.podverse.fm"
- COOKIE_DOMAIN=".k.podverse.fm"
Image Versioning
Base deployments:
- Use image name without tag or with placeholder tag
- Example:
image: ghcr.io/podverse/podverse/api
Overlay kustomization:
- Set actual image tags in
images:section - Example:
images:
- name: ghcr.io/podverse/podverse-api/podverse-api
newTag: '5.1.28-alpha.0'
ArgoCD Applications
Child applications in alpha/apps/<component>.yaml define:
metadata.name: e.g.,podverse-alpha-apispec.project:podversespec.source.repoURL: GitHub repo URLspec.source.targetRevision: branch name (e.g.,alpha)spec.source.path: path to overlay (e.g.,k8s/alpha/api)spec.destination.namespace:podverse-alphaspec.syncPolicy.automated:prune: true,selfHeal: true
Secrets and SOPS
Creating Secrets
Use helper scripts in infra/k8s/scripts/:
# Run from repo root with nix develop
bash infra/k8s/scripts/create_db_secret.sh
bash infra/k8s/scripts/create_api_secret.sh
bash infra/k8s/scripts/create_mq_secret.sh
# ... etc
Applying Secrets
Secrets are SOPS-encrypted and stored in k8s/secrets/podverse-<env>-<component>-opaque.enc.yaml.
Manual apply:
sops -d k8s/secrets/podverse-alpha-db-opaque.enc.yaml | kubectl apply -f -
ArgoCD: Consumes encrypted files directly (SOPS plugin configured).
Never Commit Decrypted Secrets
- All secrets must be encrypted with SOPS before committing
.gitignoreshould exclude decrypted secret files- Scripts generate encrypted files automatically
Linting and Formatting
K8s-Specific Prettier Rules
infra/k8s/ uses its own Prettier rules (not repo-wide YAML rules):
- Where configured: Root
.prettierrc.json, overrides section forinfra/k8s/**/*.ymlandinfra/k8s/**/*.yaml - Options:
singleQuote: false(double quotes for strings)tabWidth: 2(2-space indentation)printWidth: 140(wider than repo default of 100 to avoid wrapping long env values and list items)
How to Apply
- Format-on-save: VS Code/Cursor automatically applies k8s overrides when saving files under
infra/k8s/ - Manual format: From repo root:
npm run prettier:write npm run lint:fix - Pre-commit:
lint-stagedruns Prettier on staged k8s YAML files
Important
- Do not add
infra/k8s/to.prettierignore(it was previously ignored but now uses overrides) - K8s files are intentionally formatted with these k8s-specific rules
- The wider
printWidthmatches existing k8s patterns and avoids unnecessary line breaks
Resource Naming Patterns
Base Manifests
Use numbered prefixes for ordering:
01-configmap.yaml- Configuration02-service.yaml- Service03-deployment.yamlor03-statefulset.yaml- Workload- Additional resources:
04-,05-, etc.
Resource Names
- ConfigMaps:
podverse-<component>-config(e.g.,podverse-api-config) - Services:
podverse-<component>(e.g.,podverse-db) - Deployments:
podverse-<component>(e.g.,podverse-api) - Secrets:
podverse-<component>-opaque(e.g.,podverse-db-opaque)
Labels
Apply consistent labels in overlays:
labels:
- pairs:
app: podverse-api
environment: alpha
includeSelectors: true
Common Tasks
Adding a New Environment Variable
- Add to
apps/<component>/.env.example(if not secret) - Add to
base/<component>/01-configmap.yamlwith same section/comments - If secret, add to appropriate secret creation script
- If environment-specific, override in
alpha/<component>/kustomization.yaml
Creating a New Component
- Create
base/<component>/directory - Add
01-configmap.yaml,02-service.yaml,03-deployment.yaml - Create
base/<component>/kustomization.yamllisting resources - Create
alpha/<component>/overlay withkustomization.yaml - Add ArgoCD Application in
alpha/apps/<component>.yaml - Create secrets script in
infra/k8s/scripts/create_<component>_secret.sh
Updating Image Versions
Edit the overlay's kustomization.yaml (e.g., alpha/api/kustomization.yaml):
images:
- name: ghcr.io/podverse/podverse-api/podverse-api
newTag: '5.1.29-alpha.0' # Update this
ArgoCD will detect the change and sync automatically.
Helper Scripts
Located in infra/k8s/scripts/:
| Script | Purpose |
| --------------------------- | -------------------------------------------- |
| create_db_secret.sh | Generate encrypted DB credentials |
| create_api_secret.sh | Generate encrypted API secrets (JWT, mailer) |
| create_mq_secret.sh | Generate encrypted message queue credentials |
| create_keyvaldb_secret.sh | Generate encrypted Valkey/Redis password |
| create_firebase_secret.sh | Generate encrypted Firebase service account |
| db-connect.sh | Port-forward and connect to PostgreSQL |
| keyvaldb-gui-connect.sh | Port-forward to RedisInsight GUI |
| mq-connect.sh | Port-forward to message queue |
See infra/k8s/scripts/README.md for details.
References
- infra/k8s/README.md - Full K8s documentation
- docs/operations/ALPHA-DEPLOYMENT.md - Docker/CI and alpha deployment
- .cursor/rules/infra-k8s.mdc - K8s cursor rules
- .prettierrc.json - Prettier config with k8s overrides
Related Skills
- API Patterns - Backend API patterns
- Web Patterns - Frontend patterns
- ORM Patterns - Database patterns
- Global Patterns - Monorepo conventions
Related Skills
podverse/podverse-workers-patterns
documentation
VerifiedTrustedCommunity
Per-job env validation and config patterns for the workers app. Use when adding or changing worker commands, touching workers startup validation, or documenting worker env vars.
4SKILL.mdUpdated Apr 16, 2026
podverse/podverse-web-patterns
development
VerifiedTrustedCommunity
Common patterns and examples for the podverse-web Next.js application
4SKILL.mdUpdated Apr 16, 2026
podverse/time-format-local
tools
VerifiedTrustedCommunity
Ensures client-side time displays use formatDateTimeAbbrev for localized, readable timestamps. Use when rendering dates/times in the UI or when the user mentions time formatting or local timezone display.
4SKILL.mdUpdated Apr 16, 2026
podverse/.cursor/skills/testing-policy
testing
VerifiedTrustedCommunity
--- name: podverse-testing-policy description: Skip test implementation unless the user explicitly asks. Use when a plan or task includes adding unit tests, a test phase, or "Phase 3: Tests". version: 1.0.0 --- # Testing policy — skip tests for now ## When to use - When a plan or task includes adding unit tests, a test phase, or "Phase 3: Tests". - When deciding whether to implement tests for a feature. ## Rules 1. **We are not concerning ourselves with tests at this time.** Skip test imp
4SKILL.mdUpdated Apr 16, 2026