# FleetDM Stack — Project Rules

## Project Overview

Helm-based deployment of FleetDM Server + MySQL + Redis on local Kubernetes (Kind/Minikube). Gitea Actions CI at https://git.produktor.io/eSlider/flamingo-tech-test

## Structure

- `fleetdm-stack/` — Helm umbrella chart (Fleet subchart brings MySQL + Redis)
- `Makefile` — cluster lifecycle: `cluster`, `install`, `uninstall`, `verify`, `port-forward`, `clean`
- `docs/` — theoretical architecture docs with Mermaid diagrams
- `.github/workflows/release.yaml` — Gitea Actions (lint on push, release on `v*` tag)

## Conventions

- Helm values: all Fleet config lives under `fleet:` key in `fleetdm-stack/values.yaml`
- Secrets: `fleet-secret.yaml` (TLS certs via `.Files.Get`), `mysql-secret-alias.yaml` (password alias)
- TLS certs generated by `make tls-certs` into `fleetdm-stack/certs/` (self-signed, local dev only)
- Local access: `make port-forward` on port 8585 (configurable via `FLEET_PORT`)
- DB migrations: `autoApplySQLMigrations: true` — no manual `fleet prepare db` needed

## CI/CD

- Gitea Actions runner uses manual `git clone` (not `actions/checkout`) due to Docker DNS
- Avoid piping to `head` in CI steps (causes SIGPIPE exit 141)
- Release job only triggers on `v*` tags via `if: startsWith(gitea.ref, 'refs/tags/v')`

## Do Not

- Do not modify `TASKS.md` — it is the assignment spec
- Do not commit real credentials; `fleetdm-local-dev` password is for local dev only
- Do not remove `fleetdm-stack/certs/` from git — needed for Helm `.Files.Get` at package time
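
The CI/CD rule about piping to `head`, as an added example that is not part of the project's own files: it reproduces the failure and shows a replacement that still propagates real producer errors. It assumes the step shell is bash with `-e -o pipefail`; `step_status` and the `seq` producer are constructed for illustration.

```shell
#!/bin/sh
# Added example, not project code. Constructed stand-in for a chatty CI
# command: 200000 lines, far more than one pipe buffer can hold.
PRODUCER='seq 1 200000'

# Run a snippet in a strict step shell and print its exit code.
# Assumption: the CI step shell is bash with errexit and pipefail enabled.
step_status() {
  rc=0
  bash --noprofile --norc -eo pipefail -c "$1" >/dev/null 2>&1 || rc=$?
  echo "$rc"
}

# Pattern the rule forbids: head exits after 3 lines and closes the pipe.
# The producer's next write raises SIGPIPE (signal 13), and pipefail turns
# that into a failing step (128 + 13 when the signal kills the producer).
unsafe_status() { step_status "$PRODUCER | head -n 3"; }

# Replacement: awk prints the first 3 lines but keeps reading to EOF, so the
# producer never writes to a closed pipe. (`sed 3q` quits early like head.)
safe_status() { step_status "$PRODUCER | awk 'NR <= 3'"; }

# The replacement does not hide genuine failures: a producer that exits 7
# still fails the step with 7.
failing_status() { step_status "(seq 1 5; exit 7) | awk 'NR <= 3'"; }

echo "head: $(unsafe_status)  awk: $(safe_status)  failing producer: $(failing_status)"
```
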