Provision infrastructure in pal-e-services #1

Closed
opened 2026-03-28 19:14:19 +00:00 by forgejo_admin · 5 comments

Type

Feature

Lineage

Standalone — scoped from westside-ai-assistant design spec (2026-03-28). Note: #2 (kustomize overlay) must also merge before ArgoCD can sync, but the two PRs are to different repos and can be developed in parallel.

Repo

forgejo_admin/pal-e-services

User Story

As Marcus (admin)
I want the AI assistant infrastructure provisioned
So that the service can be deployed to the cluster and authenticate to basketball-api

Context

The westside-ai-assistant is a new FastAPI service that needs a var.services entry in pal-e-services to create its namespace, Harbor project, ArgoCD application, and Tailscale funnel. It also needs a Keycloak confidential client (westside-ai-bot) in the westside-basketball realm with a service account that has admin role. The current keycloak_clients variable type and keycloak.tf resource do NOT support service accounts — both need to be extended. The valid_redirect_uris field is required by the variable type but a service-account-only client needs an empty list [].

File Targets

Files the agent should modify:

  • terraform/k3s.tfvars — add westside-ai-assistant to services map; add westside-ai-bot to keycloak_clients with valid_redirect_uris: []
  • terraform/variables.tf — extend keycloak_clients type to include service_accounts_enabled = optional(bool, false) and service_account_realm_roles = optional(list(string), [])
  • terraform/keycloak.tf — add service_accounts_enabled to keycloak_openid_client resource; add new keycloak_openid_client_service_account_realm_role resource to map roles to the service account

Files the agent should NOT touch:

  • terraform/services.tf — the for_each loop handles new services automatically
  • terraform/main.tf — shared infra, no changes needed
  • terraform/cnpg.tf — no database needed for this service

Acceptance Criteria

  • var.services entry exists with forgejo_repo: "forgejo_admin/westside-ai-assistant", image_repo: "westside-ai-assistant/api", port: 8000, funnel: true, source_repo: "forgejo_admin/pal-e-deployments", source_path: "overlays/westside-ai-assistant/prod"
  • keycloak_clients entry for westside-ai-bot: confidential, service_accounts_enabled: true, service_account_realm_roles: ["admin"], direct access grants enabled, valid_redirect_uris: []
  • variables.tf type extended with service_accounts_enabled and service_account_realm_roles fields (optional with defaults, backward-compatible)
  • keycloak.tf keycloak_openid_client resource includes service_accounts_enabled = each.value.service_accounts_enabled
  • New keycloak_openid_client_service_account_realm_role resource created, conditionally applied when service_account_realm_roles is non-empty
  • tofu plan -lock=false shows expected resources (namespace, Harbor project, ArgoCD app, funnel, Keycloak client with service account + role mapping)
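The type extension and conditional role mapping the file targets call for, sketched in HCL as an added example (not code from pal-e-services); the realm resource name `keycloak_realm.westside_basketball`, the client resource name `this`, and the non-Keycloak fields of the existing type are assumptions.

```hcl
# variables.tf (excerpt): the two new fields are optional with defaults, so
# existing keycloak_clients entries keep their current plan output.
variable "keycloak_clients" {
  type = map(object({
    client_id                    = string
    access_type                  = optional(string, "CONFIDENTIAL")
    valid_redirect_uris          = list(string) # still required: "[]" for bots
    direct_access_grants_enabled = optional(bool, false)
    service_accounts_enabled     = optional(bool, false)
    service_account_realm_roles  = optional(list(string), [])
  }))
}

# keycloak.tf (excerpt): wire the flag into the provider resource.
resource "keycloak_openid_client" "this" {
  for_each = var.keycloak_clients

  realm_id                     = keycloak_realm.westside_basketball.id # assumed name
  client_id                    = each.value.client_id
  access_type                  = each.value.access_type
  valid_redirect_uris          = each.value.valid_redirect_uris
  direct_access_grants_enabled = each.value.direct_access_grants_enabled
  service_accounts_enabled     = each.value.service_accounts_enabled
}

# Flatten (client, role) pairs into a map keyed "<client>-<role>". Clients with an
# empty role list contribute nothing, and the `if` guard keeps a misconfigured
# entry (roles listed but service account disabled) from referencing an empty
# service_account_user_id at plan time.
locals {
  service_account_roles = {
    for pair in flatten([
      for key, c in var.keycloak_clients : [
        for role in c.service_account_realm_roles : {
          id         = "${key}-${role}"
          client_key = key
          role       = role
        }
      ] if c.service_accounts_enabled
    ]) : pair.id => pair
  }
}

resource "keycloak_openid_client_service_account_realm_role" "this" {
  for_each = local.service_account_roles

  realm_id                = keycloak_realm.westside_basketball.id
  service_account_user_id = keycloak_openid_client.this[each.value.client_key].service_account_user_id
  role                    = each.value.role
}
```

With the westside-ai-bot tfvars entry (`service_accounts_enabled = true`, `service_account_realm_roles = ["admin"]`, `valid_redirect_uris = []`), `tofu plan` should show exactly one `keycloak_openid_client_service_account_realm_role.this["westside-ai-bot-admin"]` in addition to the client.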

Test Expectations

  • tofu validate passes
  • tofu plan -lock=false output included in PR (no errors)
  • Plan shows the new service account role resource for westside-ai-bot
  • Run command: cd terraform && tofu validate && tofu plan -lock=false -var-file=k3s.tfvars

Constraints

  • Follow existing var.services pattern (see basketball-api entry as reference)
  • Follow existing keycloak_clients pattern (see westside-app entry) but extend for service accounts
  • image_repo uses /api suffix (FastAPI convention), NOT /app (SvelteKit convention)
  • The service_accounts_enabled and service_account_realm_roles variable extensions must be backward-compatible (optional with defaults) so existing clients are unaffected
  • Do NOT run tofu apply — Lucas must approve
  • PR goes to pal-e-services repo, not westside-ai-assistant

Checklist

  • PR opened on pal-e-services
  • tofu plan output in PR
  • No unrelated changes

Related

  • project-westside-ai-assistant — parent project
  • service-onboarding-sop — onboarding procedure

Scope Review: NEEDS_REFINEMENT

Review note: review-593-2026-03-28

The issue's file targets only list k3s.tfvars, but the Keycloak service account and role mapping requirements demand changes to variables.tf and keycloak.tf as well — neither the variable type nor the resource currently supports service_accounts_enabled or service account role assignments.

  • Missing file targets: terraform/variables.tf (add service_accounts_enabled + service_account_realm_roles to keycloak_clients type) and terraform/keycloak.tf (wire attribute into resource + add keycloak_openid_client_service_account_realm_role resource)
  • Missing required fields in AC1: forgejo_repo and image_repo are required by the services variable but not listed in acceptance criteria
  • Undocumented dependency: Issue #2 (kustomize overlay) must be merged before tofu apply — ArgoCD source_path doesn't exist yet
  • AC2 + AC3 not achievable: Current codebase has no service account support in the keycloak_clients variable or keycloak_openid_client resource

Scope refinement (review-593-2026-03-28):

  1. Added terraform/variables.tf and terraform/keycloak.tf to file targets — service account support requires type extension and new resource
  2. Added forgejo_repo and image_repo to AC1 (required fields)
  3. Documented ordering dependency with #2
  4. Updated ACs to cover service_accounts_enabled variable extension and keycloak_openid_client_service_account_realm_role resource

Scope Re-Review: NEEDS_REFINEMENT

Review note: review-593-2026-03-28-v2
Previous review: review-593-2026-03-28 (5 findings — all 5 addressed in this update)

Re-review found 2 new issues in acceptance criteria:

  • AC1 image_repo naming: "westside-ai-assistant/app" should be "westside-ai-assistant/api" — all FastAPI services (port 8000) use /api suffix per established convention (basketball-api/api, pal-e-docs/api, mcd-tracker/api, pal-e-mail/api). The /app suffix is for SvelteKit frontends (port 80).
  • AC2 missing valid_redirect_uris: The keycloak_clients variable type requires valid_redirect_uris = list(string) with no default. The westside-ai-bot entry needs valid_redirect_uris: [] specified, or the variable type needs valid_redirect_uris made optional. Without this, the agent will hit a validation error or guess.

Both are [BODY] fixes — quick issue body edits.


Scope refinement v2 (review-593-2026-03-28-v2):

  1. Fixed image_repo to westside-ai-assistant/api — /api suffix is the FastAPI convention, /app is for SvelteKit frontends
  2. Added valid_redirect_uris: [] to AC2 and Context — required field in variable type, service-account-only clients need empty list

Scope Review: READY

Review note: review-593-2026-03-28-v3

Round 3 re-review — both v2 findings addressed:

  • image_repo corrected to westside-ai-assistant/api (FastAPI convention)
  • valid_redirect_uris: [] explicitly specified for service-account-only client

All template sections complete, all 3 file targets verified against codebase, traceability triangle intact, 6 acceptance criteria testable. Ready for dispatch.

Reference
forgejo_admin/westside-ai-assistant#1