Kubernetes

A reusable Kustomize base lives under deploy/kubernetes/base in the q15 repo.

What the base includes

• Deployments for q15-agent, q15-exec, and q15-proxy (all replicas: 1)
• Services for q15-exec (:50051) and q15-proxy (:50052, :18080)
• ConfigMap generators for agent config and proxy policy examples

Supported topology

One namespace per q15 stack. Each stack contains:

• One q15-agent, one q15-exec, one q15-proxy
• Stack-local ConfigMaps and Secrets
• Stack-owned persistent volumes for /workspace, /memory, /skills, /nix, and /var/lib/q15/proxy

The namespace is the isolation boundary. Downstream multi-stack deployments repeat this stack in separate namespaces.

Required PVCs

PVC	Mount	Purpose
q15-workspace	/workspace	Durable project tree
q15-memory	/memory	Agent memory
q15-skills	/skills	Skill artifacts
q15-exec-nix	/nix	Nix store (must preserve bootstrap on first mount)
q15-proxy-state	/var/lib/q15/proxy	Proxy state

Caution

Fresh /nix PVCs must preserve the image-provided bootstrap Nix runtime on first mount. An empty /nix hides the image’s shell, cert bundle, profiles, and nix binary. The checked-in exec deployment seeds a fresh /nix PVC from the image in an init container when bootstrap markers are missing.

Image tags

The checked-in base uses the moving :main tag as a placeholder:

ghcr.io/q15co/q15-agent:main
ghcr.io/q15co/q15-exec:main
ghcr.io/q15co/q15-proxy:main

For production, replace with one pinned sha-<short-sha> tag across all three services.

Validate the base

kubectl kustomize deploy/kubernetes/base

Intended workflow

1. The q15 repo publishes images to GHCR on verified pushes to main.
2. A separate deployment repo pins those images and owns environment-specific overlays.
3. The deployment repo rolls out the updated pod set.