feat: add GitOps deployment via OpenShift GitOps (ArgoCD) #314
Conversation
fe3a1e7 to
5f519bc
Compare
r2dedios
left a comment
There was a problem hiding this comment.
Just a few observations, but looks great :)
fd4573b to
2caf03e
Compare
e2bde5a to
25c5592
Compare
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add Helm chart and setup scripts for ArgoCD-managed deployment of the Lightspeed Agent on Google Cloud (Cloud Run). ArgoCD manages intermediate K8s resources on OpenShift; a PostSync hook Job triggers Cloud Build to deploy Cloud Run services. Key design decisions: - Uses --no-source with an injected git clone build step to avoid VPC Service Controls blocking the default Cloud Build bucket - Cloud Build logging set to CLOUD_LOGGING_ONLY (no GCS log bucket needed) - _SCAN_SEVERITY patched via sed (commas conflict with --substitutions) - ESO CRD defaults added explicitly to prevent ArgoCD perpetual diffs Includes: - deploy/gitops/google-cloud/ — Helm chart (templates, values, helpers) - deploy/gitops/setup/ — prerequisite scripts (GitOps operator, ESO, GCP SA) - deploy/gitops/README.md — architecture, setup, secrets management docs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Store the service account key in GCP Secret Manager so ESO can pull it automatically when externalSecrets.enabled=true. If the secret already exists, a new version is added. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The bootstrap K8s secret (gcp-sa-bootstrap) already contains the GCP SA key needed by the deploy Job. ESO was just pulling a redundant copy of the same key from GCP Secret Manager. Removed: - external-secret.yaml, secret-store.yaml templates - install-eso-operator.sh setup script - externalSecrets values block and secretmanager.secretAccessor role - GCP Secret Manager upload step from setup-gcp-sa.sh The deploy Job now mounts gcp-sa-bootstrap directly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Fix GitOps repo URL inconsistency in CLAUDE.md (luis5tb -> RHEcosystemAppEng) - Remove incorrect ESO mention in CLAUDE.md - Fix --help sed pattern in both setup scripts to show full help text - Fix setup/README.md Quick Start paths to clarify GitOps repo origin - Move bootstrap secret from 'Resources created' to 'Prerequisites' in NOTES.txt - Add _SCAN_SEVERITY input validation and post-sed verification - Add GIT_BRANCH character validation - Add post-sed verification for clone step injection - Add git token exposure warning for private repos - Add readOnlyRootFilesystem with emptyDir for /tmp - Remove unnecessary secrets access from RBAC Role - Add nameOverride/fullnameOverride to values.yaml - Add key rotation guidance to setup-gcp-sa.sh Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Document what collides when deploying multiple agent instances to the same GCP project, what is shared by design, and step-by-step instructions for setting up staging + prod instances with independent ArgoCD Applications and per-instance resource names. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Parameterize GEMINI_MODEL and AGENT_LOGGING_DETAIL in Cloud Run service.yaml so they can be overridden via Cloud Build substitutions and GitOps values. Make the MCP --debug flag conditional in both OpenShift (Helm) and Cloud Run (sed-based placeholder) deployments. Cloud Run / GitOps pipeline: - service.yaml: replace hardcoded values with substitution variables - cloudbuild.yaml: add _GEMINI_MODEL, _AGENT_LOGGING_DETAIL, _MCP_DEBUG - deploy.sh: add matching sed substitutions for manual deploys - gitops chart: wire new values through values.yaml, ConfigMap, and deploy Job SUBSTITUTIONS OpenShift chart: - Wrap --debug in conditional (mcp.debug, defaults to true to preserve current behavior) - GEMINI_MODEL and AGENT_LOGGING_DETAIL were already parameterized Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
25c5592 to
1ce7396
Compare
|
All fixes are implemented, tested, and committed locally on Review of #314 — GitOps deployment via OpenShift GitOps (ArgoCD)Reviewed by Claude (Anthropic) via automated code review at the requester's direction. Each comment includes a fix commit created on the PR branch — SHAs below, not yet pushed. 🔴 Critical1. PostSync deploy Job cannot start — 🟠 Important2. 3. IAM role grants silently swallow failures 4. 5. Git PAT exposure is broader than the existing warning acknowledges 6. Unused RBAC grant on the deploy Job's ServiceAccount 7. New 🟡 Suggestions8. Helm Job name has no truncation headroom for its appended suffix 9. 10. PR description's test-plan checklist references a path that doesn't exist in this repo ✅ Strengths
Verdict: Request ChangesThe Critical finding (#1) means the deploy Job as shipped cannot run at all — this alone blocks merge. #2–#7 are real correctness/security gaps worth fixing before this becomes the standard deployment path. All fixes above are implemented as separate commits on this branch, each verified ( |
Summary
deploy/gitops/with ArgoCD-managed deployment configs for two targets:OpenShift (syncs existing Helm chart) and Google Cloud (triggers Cloud Build for Cloud Run)
OpenShift target (
deploy/gitops/openshift/)deploy/openshift/Helm chartvalues-override.yamlfor image tags, deployment mode, provider URLGoogle Cloud target (
deploy/gitops/google-cloud/)values.yamltocloudbuild.yamlvariablesgcloud builds submitrunAsNonRoot,seccompProfile, resource limits, optional git token for private reposTest plan
oc apply -f deploy/gitops/openshift/application.yamlhelm template test deploy/gitops/google-cloud/ --set project.id=test