Update agent deployment: HTTPS backend + MCP endpoints + improved resources

- Use HTTPS api.fuq.tv instead of internal service URL
- Update MCP endpoint to /api/mcp (HTTP endpoints)
- Increase resources: 500m-2000m CPU, 1-4Gi RAM
- Add serviceAccount for RBAC
- Update secrets template

Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>

k8s/agents/README.md

@@ -0,0 +1,41 @@
+# Agent Deployment
+
+## Prerequisites
+
+1. Create namespace:
+```bash
+kubectl apply -f namespace.yaml
+```
+
+2. Copy registry secret to agents namespace:
+```bash
+kubectl get secret gitea-registry -n control-plane -o yaml | \
+  sed 's/namespace: control-plane/namespace: agents/' | \
+  kubectl apply -f -
+```
+
+3. Create agent secrets (replace with actual values):
+```bash
+kubectl create secret generic agent-secrets -n agents \
+  --from-literal=anthropic-api-key='YOUR_ANTHROPIC_API_KEY' \
+  --from-literal=gitea-token='159a5de2a16d15f33e388b55b1276e431dbca3f3'
+```
+
+## Deploy
+
+```bash
+kubectl apply -f deployment.yaml
+```
+
+## Verify
+
+```bash
+kubectl get pods -n agents
+kubectl logs -f -n agents deployment/claude-agent
+```
+
+## Check agent registration
+
+```bash
+curl -s https://api.fuq.tv/api/agents | jq
+```

k8s/agents/deployment.yaml

@@ -0,0 +1,64 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: claude-agent
+  namespace: agents
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: claude-agent
+  template:
+    metadata:
+      labels:
+        app: claude-agent
+    spec:
+      serviceAccountName: agent-sa
+      imagePullSecrets:
+      - name: gitea-registry
+      containers:
+      - name: agent
+        image: git.fuq.tv/admin/aiworker-agent:latest
+        imagePullPolicy: Always
+        env:
+        - name: ANTHROPIC_API_KEY
+          valueFrom:
+            secretKeyRef:
+              name: agent-secrets
+              key: anthropic-api-key
+        - name: BACKEND_URL
+          value: "https://api.fuq.tv"
+        - name: MCP_ENDPOINT
+          value: "https://api.fuq.tv/api/mcp"
+        - name: GITEA_URL
+          value: "https://git.fuq.tv"
+        - name: GITEA_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: agent-secrets
+              key: gitea-token
+        - name: AGENT_ID
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        resources:
+          requests:
+            cpu: 500m
+            memory: 1Gi
+          limits:
+            cpu: 2000m
+            memory: 4Gi
+        volumeMounts:
+        - name: workspace
+          mountPath: /workspace
+      volumes:
+      - name: workspace
+        emptyDir: {}

k8s/agents/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: agents
+  labels:
+    name: agents

k8s/agents/secrets-template.yaml

@@ -0,0 +1,13 @@
+# Agent Secrets Template
+# Copy this file and fill in the values, then apply with kubectl
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: agent-secrets
+  namespace: agents
+type: Opaque
+stringData:
+  gitea-token: "159a5de2a16d15f33e388b55b1276e431dbca3f3"
+  # Add more secrets as needed
+  # anthropic-api-key: "your-api-key-here"

k8s/agents/serviceaccount.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: agent-sa
+  namespace: agents
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: agent-cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: agent-sa
+  namespace: agents
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io

k8s/agents/simple-pod.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: claude-agent
+  namespace: agents
+spec:
+  serviceAccountName: agent-sa
+  containers:
+  - name: claude
+    image: oven/bun:1.3.6-alpine
+    command: ["/bin/sh"]
+    args: ["-c", "apk add --no-cache git bash curl openssh-client ca-certificates && bun install -g @anthropic-ai/claude-code && tail -f /dev/null"]
+    workingDir: /workspace
+    resources:
+      requests:
+        cpu: 200m
+        memory: 512Mi
+      limits:
+        cpu: 2000m
+        memory: 2Gi
+    volumeMounts:
+    - name: workspace
+      mountPath: /workspace
+    - name: kube-config
+      mountPath: /root/.kube
+      readOnly: true
+  volumes:
+  - name: workspace
+    emptyDir: {}
+  - name: kube-config
+    secret:
+      secretName: agent-kubeconfig

k8s/agents/web-terminal-ingress.yaml

@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: claude-terminal
+  namespace: agents
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    nginx.ingress.kubernetes.io/websocket-services: claude-terminal
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - claude.fuq.tv
+    secretName: claude-terminal-tls
+  rules:
+  - host: claude.fuq.tv
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: claude-terminal
+            port:
+              number: 7681

k8s/agents/web-terminal-pod.yaml

@@ -0,0 +1,94 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: claude-terminal
+  namespace: agents
+  labels:
+    app: claude-terminal
+spec:
+  serviceAccountName: agent-sa
+  containers:
+  - name: claude
+    image: alpine:3.19
+    command: ["/bin/sh", "-c"]
+    args:
+      - |
+        # Install dependencies
+        apk add --no-cache \
+          bash \
+          git \
+          curl \
+          tmux \
+          ttyd \
+          nodejs \
+          npm \
+          openssh-client \
+          ca-certificates
+
+        # Install Bun
+        curl -fsSL https://bun.sh/install | bash
+        export PATH="/root/.bun/bin:$PATH"
+
+        # Install Claude Code with Bun
+        bun install -g @anthropic-ai/claude-code
+
+        # Configure git
+        git config --global user.name "Claude Agent"
+        git config --global user.email "agent@aiworker.local"
+
+        # Start tmux session with Claude Code
+        tmux new-session -d -s claude 'bash -c "cd /workspace && exec bash"'
+
+        # Start ttyd to expose tmux over HTTP
+        ttyd -p 7681 -W tmux attach -t claude
+    workingDir: /workspace
+    ports:
+    - containerPort: 7681
+      name: web-terminal
+    resources:
+      requests:
+        cpu: 200m
+        memory: 512Mi
+      limits:
+        cpu: 2000m
+        memory: 2Gi
+    volumeMounts:
+    - name: workspace
+      mountPath: /workspace
+    - name: kube-config
+      mountPath: /root/.kube
+      readOnly: true
+  volumes:
+  - name: workspace
+    persistentVolumeClaim:
+      claimName: claude-workspace
+  - name: kube-config
+    secret:
+      secretName: agent-kubeconfig
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: claude-workspace
+  namespace: agents
+spec:
+  accessModes:
+  - ReadWriteOnce
+  storageClassName: longhorn
+  resources:
+    requests:
+      storage: 10Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: claude-terminal
+  namespace: agents
+spec:
+  selector:
+    app: claude-terminal
+  ports:
+  - port: 7681
+    targetPort: 7681
+    name: web-terminal
+  type: ClusterIP

k8s/frontend/deployment.yaml

@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: frontend
+  namespace: control-plane
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: frontend
+  template:
+    metadata:
+      labels:
+        app: frontend
+    spec:
+      imagePullSecrets:
+      - name: gitea-registry
+      containers:
+      - name: frontend
+        image: git.fuq.tv/admin/aiworker-frontend:latest
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 3001
+        env:
+        - name: PORT
+          value: "3001"
+        - name: BACKEND_URL
+          value: "http://backend.control-plane.svc.cluster.local:3000"
+        resources:
+          requests:
+            cpu: 100m
+            memory: 128Mi
+          limits:
+            cpu: 500m
+            memory: 512Mi
+        livenessProbe:
+          httpGet:
+            path: /
+            port: 3001
+          initialDelaySeconds: 10
+          periodSeconds: 30
+        readinessProbe:
+          httpGet:
+            path: /
+            port: 3001
+          initialDelaySeconds: 5
+          periodSeconds: 10

k8s/frontend/ingress.yaml

@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: frontend
+  namespace: control-plane
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - app.fuq.tv
+    secretName: frontend-tls
+  rules:
+  - host: app.fuq.tv
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: frontend
+            port:
+              number: 3001

k8s/frontend/service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: frontend
+  namespace: control-plane
+spec:
+  selector:
+    app: frontend
+  ports:
+  - name: http
+    port: 3001
+    targetPort: 3001
+  type: ClusterIP