Skip to content

[Epic] Deploy StreamOps-Agent to OKE at production maturity (ForeclosureBase level) #54

Description

@atomicdragonranch

Epic. Bring StreamOps-Agent to the production maturity ForeclosureBase is at, deployed to the existing OKE cluster via GitOps. Largely a matter of applying the ForeclosureBase deployment template (the cluster, Argo, the build/pin pipeline, External Secrets, Grafana all already exist). This is also the first project run through the StreamWright Production Playbook (dogfood + validate it).

Repo structure (the open-source vs sensitive question)

StreamOps-Agent is public, so the rule is: app stays public, deployment specifics go private, secrets go to the vault (never any repo).

  • This repo (public): app code, Dockerfile, and a generic example deployment (k8s/compose with placeholders). Helps adoption and signals the project is production-deployable. No real infra values, no secrets.
  • A new private repo (e.g. streamops-deploy, or a shared private infra/gitops repo): the real cluster wiring, the Argo CD Application, Kustomize overlay with this cluster's values, External Secrets config (vault paths, not values), internal hostnames. Argo syncs from the private repo. This is the standard GitOps app-repo / config-repo split.
  • Secrets (Claude API key, Kafka/Flink creds): OCI Vault + External Secrets, in no repo ever.

Tasks

  • Containerize: multi-arch (arm64, for the Ampere nodes) image to GHCR via GitHub Actions, SHA-pinned with CI tag write-back (the deploy-gap fix pattern).
  • k8s manifests: Deployment + Service for the agent and its MCP server; resource requests/limits; readiness/liveness probes.
  • GitOps: add a second Argo CD Application in the existing OKE cluster (selfHeal). No new cluster needed.
  • Secrets: OCI Vault + External Secrets for the Claude API key and any Kafka/Flink creds.
  • Observability: OTel traces + RED metrics to the existing Grafana Cloud (reuse the telemetry middleware pattern).
  • CI gates: lint/type/test/coverage (the 234-test suite is the hard part, already done) + image build + pin.
  • What it monitors: decide the target Kafka/Flink (external/demo vs an in-cluster Flink, the latter is a heavier separate decision) and wire network access + creds.
  • MCP server: deploy as a Deployment + Service; default internal-only (no ingress) unless external access is required.
  • AI-in-cluster security (important): an LLM-driven ops agent that recommends scaling/config actions must run least-privilege (read-only/scoped creds), recommend-not-auto-act, with human approval on anything destructive. Never give it a token that can mutate infra on its own judgment. (Same principle as the AI-log-triage epic in ForeclosureBase #293.)

Cost impact

~$0 infra: rides the existing OKE cluster + Grafana free tier; OSS tooling. The one metered cost is the Claude API usage the agent itself makes (per-call), bound it with a budget alert like the Street View key.

Acceptance

StreamOps-Agent is deployed and serving in OKE via GitOps (Argo synced, healthy), observable in Grafana, secrets from the vault, CI-gated and SHA-pinned; the public repo carries only a generic example deployment while the real cluster config lives in the private deploy repo. Validates the StreamWright Playbook end to end.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions