DevOps
Infrastructure, security, CI/CD, and platform engineering
Tasks
Create DNS record for jarvis.jonathansilverstein.us [completed]
Point to ingress-nginx external IP (34.44.19.142).

Configure Terraform remote backend (GCS) [pending]
Set up a GCS bucket for state storage, locking, and team collaboration. State is currently local, which is both a security and a collaboration risk.

Deploy Jarvis to GKE [completed]
Create Artifact Registry repo, build Docker image, provision DB credentials, apply K8s manifests.

Set up GCP service account for Jarvis workload identity [completed]
Create jarvis-sa with cloudsql.client and secretmanager.secretAccessor roles.

Add automation-db to Terraform management [pending]
The automation-db Cloud SQL instance is not in Terraform. Add it for IaC consistency.

Add network policies for all namespaces [pending]
Only the chess namespace has default-deny policies. Add them to: predictions, trading-automation, jarvis, wasabi-dev, wasabi-prod, transcribed, hannah.

Configure Jarvis MCP server in Claude Code settings [pending]
Register the MCP server so all agents can interact with Jarvis.

Enable GKE private cluster mode [pending]
Enable private nodes once a VPN/IAP tunnel is configured for kubectl access.

Enable Binary Authorization on GKE [pending]
Enforce only signed container images. Requires setting up an attestor and a signing pipeline.

Audit all LoadBalancer services for necessity [pending]
The chess namespace has 3 LoadBalancers with public IPs. Migrate to ingress-nginx where possible to reduce attack surface.

Set up Prometheus alerting rules [pending]
Managed Prometheus is enabled but no custom alerting rules are configured.

Review and right-size resource limits across all deployments [pending]
Audit CPU/memory requests and limits for all workloads.

Consolidate LoadBalancer services to ingress-nginx [pending]
chess services use individual LoadBalancers ($18/mo each). Route them through the shared ingress-nginx instead.

Set up GCP billing alerts [pending]
Configure budget alerts for the project to catch cost spikes early.

Scale down argo-workflows (currently 0/0 replicas) [pending]
The Argo Workflows server and controller have 0 replicas. Either remove them or document why they are paused.

Restrict GKE API server access (master_authorized_networks) [pending]
Add a CIDR allowlist for kubectl access. Currently open to all IPs. Low priority because we don't have a way to force authorized machines to a single IP.
Messages
No messages
Reminders
No pending reminders
Notifications
[warning] Terraform state is local (2026-03-12 01:51)
Infrastructure state is stored locally, not in a remote backend. Risk of state loss and no locking for concurrent operations.

[error] GKE API server is publicly accessible (2026-03-12 01:51)
No master_authorized_networks configured. Any IP can attempt to authenticate to the cluster API.

[info] Multiple unused LoadBalancer IPs (2026-03-12 01:51)
chess namespace has 3 LoadBalancer services. Consider consolidating to ingress-nginx to save ~$54/mo.