clickstack-ops - SKILL.md Agent Skill

name: clickstack-ops description: >- Operate Anton's time-boxed ClickStack logs and traces experiment. Use when handling HyperDX UI access, ClickHouse, Keeper, MongoDB, OTel collector health, Flux reconciliation, OTLP test signals, Lucene or SQL queries, ESO and 1Password credential rotation, Renovate chart or operator bumps, the 2026-08-02 ADR 0028 review, or ClickStack teardown. Keywords: clickstack, hyperdx, clickhouse, keeper, mongodb, otel, otlp, logs, traces, wide events, temporal traces, review-by, ADR 0028.

ClickStack Ops

Goal: Operate the ClickStack learning experiment on Anton without letting it become production observability.

Success means:

Logs and traces questions are answered with ClickStack evidence.
Metrics stay entirely on kube-prometheus-stack.
Source-of-truth manifests and ADR 0028 remain the basis for any change.
Live cluster mutations are presented for explicit operator approval before they run.

Stop when: the requested ClickStack task is handled, the next approval-only action is named, or the review/teardown evidence is recorded.

Read First

Read root AGENTS.md for Anton safety rules.
Read context/adrs/0028-clickstack-learning-experiment.md for the experiment contract.
If editing manifests under kubernetes/apps/clickstack/, read kubernetes/apps/AGENTS.md and load anton-repo-conventions.
Load only the reference needed:
- references/usage.md for HyperDX access, OTLP test signals, and queries.
- references/tailscale-access.md for off-LAN HyperDX access and login redirects.
- references/operations.md for health checks, Flux triage, and credential rotation.
- references/maintenance.md for Renovate posture, the review-by checklist, and teardown.

Use QMD only when the task needs Anton history beyond the ADR and manifests. Treat QMD snippets as leads; retrieve the actual context/ file before citing it.

Safety Rules

Run read-only checks freely: kubectl get, kubectl describe, kubectl logs, flux get, and file reads.
Do not run live mutations without explicit operator approval. This includes flux reconcile, flux suspend, kubectl annotate, kubectl rollout restart, namespace deletion, CRD deletion, Temporal OTLP wiring, and credential rotation.
Before asking for approval, show the exact command, target namespace/resource, expected effect, and verification command.
Never hardcode the literal tailnet name or cluster domain. Use <tailnet-name>.ts.net, ${TAILNET_SUFFIX}, and ${SECRET_DOMAIN} in committed files.
Never print or commit ClickStack credential values. Log field names and file paths only.

Containment Rules

Own only the clickstack namespace.
Keep metrics 100% on kube-prometheus-stack. Do not bridge Prometheus metrics into ClickHouse, add ClickStack ServiceMonitors, or make non-ClickStack apps depend on ClickStack.
Evaluate ClickStack as shipped: bundled ClickHouse, Keeper, MongoDB, OTel collector, and HyperDX.
Keep HyperDX internal-only. Current manifests expose it through envoy-internal and a Tailscale Ingress, never Cloudflare or envoy-external.
Keep ClickHouse resource limits explicit and all chart default passwords overridden through ESO.

Anton Facts

Namespace: clickstack; namespace prune is disabled.
Install phases:
- clickstack-operators: platform Kustomization with wait: true; installs ClickHouse and MongoDB operators. Chart clickstack-operators version 1.0.0.
- clickstack-app: depends on operators, external-secrets, and envoy-gateway; installs HyperDX, the OTel collector, and the ClickHouse/Keeper/MongoDB custom resources. Chart clickstack version 3.0.0, appVersion 2.27.0.
Chart source: HTTP HelmRepository at https://clickhouse.github.io/ClickStack-helm-charts, not OCI.
HyperDX release name quirk: release clickstack renders HyperDX Deployment and Service as clickstack-app; do not set a top-level fullnameOverride.
Collector mode: Deployment, not DaemonSet. It accepts OTLP on 4317 and 4318 but does not tail pod logs until a test-signal change wires that path.
Credentials: ExternalSecret clickstack-credentials reads the 1Password item clickstack and Flux injects four fields into hyperdx.secrets.*. The current manifest comments mark the 1Password item as an open setup item; verify live ESO status before claiming it exists.

Source Files

ADR: context/adrs/0028-clickstack-learning-experiment.md
Operators HelmRelease: kubernetes/apps/clickstack/clickstack-operators/app/helmrelease.yaml
Main chart values: kubernetes/apps/clickstack/clickstack-app/app/helmrelease.yaml
ESO: kubernetes/apps/clickstack/clickstack-app/app/externalsecret.yaml
On-LAN HTTPRoute: kubernetes/apps/clickstack/clickstack-app/app/httproute.yaml
Off-LAN Tailscale Ingress: kubernetes/apps/clickstack/hyperdx-tailscale-ingress/app/ingress.yaml

Quick Read-Only Pulse

flux get ks -A | rg clickstack
flux get hr -n clickstack
kubectl -n clickstack get externalsecret,secret
kubectl -n clickstack get clickhousecluster,keepercluster,mongodbcommunity
kubectl -n clickstack get deploy,sts,pods -o wide
kubectl -n clickstack get httproute,ingress

If a mutating action is needed after this pulse, stop and ask for approval with the exact command.

Related Skills

anton-repo-conventions for Flux app shape, sources, substitutions, and secret conventions.
debug-flux-reconciliation for stuck Kustomizations, HelmReleases, SOPS, and substitutions.
anton-remote-access for kubeconfig, Tailscale, and Talos access paths.
rotate-credential for broader credential rotation discipline.
anton-upgrade-audit for Renovate PR triage.
adr for the ADR 0008 successor at review time.
observability-integrate for the metrics boundary ClickStack must not cross.
expose-service for Gateway API and Tailscale exposure mechanics.