docs: align resource policy and status page docs

Author: xnoto

AGENTS.md

@@ -78,36 +78,39 @@ Expected .onion addresses are documented in `../www/onion.makeitwork.cloud/index
 
 ## Resource Management
 
-**Do NOT set resource limits** - only set requests. This is a single-node CRC cluster where limits cause problems:
+**Single-node CRC policy:** avoid container CPU/memory reservations by default.
 
-- **CPU limits** cause throttling even when the node has spare capacity
-- **Memory limits** prevent pods from using available memory and cause unnecessary OOMs
-- **Requests** are sufficient for scheduling and QoS classification
+- Prefer `resources: {}` or no `resources` block on app containers
+- Avoid both `requests` and `limits` unless a workload has a proven stability need
+- High requests on single-node CRC commonly trigger `Insufficient cpu/memory` scheduling failures
+- CPU limits cause throttling; memory limits can cause avoidable OOM kills
 
-When adding new workloads:
+When adding new workloads, default to no container requests/limits:
 ```yaml
-resources:
-  requests:
-    cpu: "100m"
-    memory: "128Mi"
-  # NO limits section
+containers:
+  - name: app
+    image: example/image:tag
+    resources: {}
 ```
 
-For operators installed via OLM (Subscription), limits are baked into the CSV and cannot be easily changed. For operators installed via kustomize remote refs, use JSON patches to remove limits:
+For operators installed via OLM (Subscription), tune through supported CR/Subscription fields where available (for example `spec.config.resources: {}` or operator-specific `*_resource_requirements: {}`). If the operator ignores these fields, accept operator defaults.
+
+For operators installed via kustomize remote refs, use JSON patches to remove the entire `resources` block:
 
 ```yaml
 patches:
   - patch: |
       - op: remove
-        path: /spec/template/spec/containers/0/resources/limits/cpu
+        path: /spec/template/spec/containers/0/resources
     target:
       kind: Deployment
       name: controller-manager
 ```
 
-Add KubeLinter ignore annotation when removing limits:
+If KubeLinter checks require explicit ignores for this cluster policy:
 ```yaml
 annotations:
+  ignore-check.kube-linter.io/unset-cpu-requirements: "No requests on single-node cluster"
   ignore-check.kube-linter.io/unset-memory-requirements: "No limits on single-node cluster"
 ```
 

README.md

@@ -23,9 +23,9 @@ workloads/              # CRs and resources that depend on operator CRDs
 ├── ansible/            # AWX instance + GitHub SSO + Tor + TunnelBinding
 ├── arc/                # DinD runners + image registry + pull-through cache
 ├── argocd-proxy/       # Tor hidden service + TunnelBinding for ArgoCD
-├── grafana/            # Grafana instance + GitHub SSO + Tor + TunnelBinding
+├── grafana/            # Internal Grafana + public status Grafana + probes + TunnelBindings
 ├── makeitwork-proxy/   # Tor hidden service for makeitwork.cloud
-├── uptime-kuma/        # Uptime monitoring + Tor + TunnelBinding
+├── uptime-kuma/        # Legacy uptime stack (status host migrated to Grafana)
 └── warp/               # Cloudflare WARP connector for private network access
 ```
 
@@ -55,13 +55,15 @@ Operators must be installed before workloads to ensure CRDs exist.
 - **Cloudflare Tunnels**: External apps via cloudflare-operator with TunnelBindings per app
 - **Tor Hidden Services**: Centralized tor-controller with OnionService CRDs per workload
 - **Let's Encrypt Certs**: Wildcard `*.apps.makeitwork.cloud` via cert-manager DNS-01 (Cloudflare)
+- **Public Status Page**: `status.makeitwork.cloud` served by dedicated anonymous Grafana instance with blackbox probe metrics
 - **Pull-Through Cache**: Docker registry mirror for ARC runners to reduce rate limits
 - **App-of-Apps**: Each workload is a separate ArgoCD Application for independent sync
 
 ## Requirements
 
 - OpenShift GitOps operator
 - OpenShift cert-manager operator
+- CRC with monitoring enabled (`crc config set enable-cluster-monitoring true`)
 - `sops-age-keys` secret in `openshift-gitops` namespace (for SOPS decryption)
 
 ## CI/CD
@@ -75,11 +77,11 @@ The `ci-deployer` service account provides cluster-admin access for CI/CD workfl
 
 ## Resource Management
 
-This is a single-node CRC cluster. **Do not set resource limits** - only requests:
+This is a single-node CRC cluster. Prefer **no container requests/limits** unless there is a proven stability need:
 
+- High requests commonly trigger `Insufficient cpu/memory` and block scheduling
 - CPU limits cause throttling even with spare capacity
-- Memory limits cause unnecessary OOMs
-- Requests are sufficient for scheduling
+- Memory limits can cause avoidable OOM kills
 
 See `AGENTS.md` for detailed guidance on resource configuration.