Provision infrastructure in pal-e-services #1

New issue

Closed

opened 2026-03-28 19:14:19 +00:00 by forgejo_admin · 5 comments

forgejo_admin commented 2026-03-28 19:14:19 +00:00

Owner

Copy link

Type

Feature

Lineage

Standalone — scoped from westside-ai-assistant design spec (2026-03-28). Note: #2 (kustomize overlay) must also merge before ArgoCD can sync, but the two PRs are to different repos and can be developed in parallel.

Repo

forgejo_admin/pal-e-services

User Story

As Marcus (admin)
I want the AI assistant infrastructure provisioned
So that the service can be deployed to the cluster and authenticate to basketball-api

Context

The westside-ai-assistant is a new FastAPI service that needs a var.services entry in pal-e-services to create its namespace, Harbor project, ArgoCD application, and Tailscale funnel. It also needs a Keycloak confidential client (westside-ai-bot) in the westside-basketball realm with a service account that has admin role. The current keycloak_clients variable type and keycloak.tf resource do NOT support service accounts — both need to be extended. The valid_redirect_uris field is required by the variable type but a service-account-only client needs an empty list [].

File Targets

Files the agent should modify:

• terraform/k3s.tfvars — add westside-ai-assistant to services map; add westside-ai-bot to keycloak_clients with valid_redirect_uris: []
• terraform/variables.tf — extend keycloak_clients type to include service_accounts_enabled = optional(bool, false) and service_account_realm_roles = optional(list(string), [])
• terraform/keycloak.tf — add service_accounts_enabled to keycloak_openid_client resource; add new keycloak_openid_client_service_account_realm_role resource to map roles to the service account

Files the agent should NOT touch:

• terraform/services.tf — the for_each loop handles new services automatically
• terraform/main.tf — shared infra, no changes needed
• terraform/cnpg.tf — no database needed for this service

Acceptance Criteria

• var.services entry exists with forgejo_repo: "forgejo_admin/westside-ai-assistant", image_repo: "westside-ai-assistant/api", port: 8000, funnel: true, source_repo: "forgejo_admin/pal-e-deployments", source_path: "overlays/westside-ai-assistant/prod"
• keycloak_clients entry for westside-ai-bot: confidential, service_accounts_enabled: true, service_account_realm_roles: ["admin"], direct access grants enabled, valid_redirect_uris: []
• variables.tf type extended with service_accounts_enabled and service_account_realm_roles fields (optional with defaults, backward-compatible)
• keycloak.tf keycloak_openid_client resource includes service_accounts_enabled = each.value.service_accounts_enabled
• New keycloak_openid_client_service_account_realm_role resource created, conditionally applied when service_account_realm_roles is non-empty
• tofu plan -lock=false shows expected resources (namespace, Harbor project, ArgoCD app, funnel, Keycloak client with service account + role mapping)

Test Expectations

• tofu validate passes
• tofu plan -lock=false output included in PR (no errors)
• Plan shows the new service account role resource for westside-ai-bot
• Run command: cd terraform && tofu validate && tofu plan -lock=false -var-file=k3s.tfvars

Constraints

• Follow existing var.services pattern (see basketball-api entry as reference)
• Follow existing keycloak_clients pattern (see westside-app entry) but extend for service accounts
• image_repo uses /api suffix (FastAPI convention), NOT /app (SvelteKit convention)
• The service_accounts_enabled and service_account_realm_roles variable extensions must be backward-compatible (optional with defaults) so existing clients are unaffected
• Do NOT run tofu apply — Lucas must approve
• PR goes to pal-e-services repo, not westside-ai-assistant

Checklist

• PR opened on pal-e-services
• tofu plan output in PR
• No unrelated changes

Related

• project-westside-ai-assistant — parent project
• service-onboarding-sop — onboarding procedure

### Type Feature ### Lineage Standalone — scoped from westside-ai-assistant design spec (2026-03-28). Note: #2 (kustomize overlay) must also merge before ArgoCD can sync, but the two PRs are to different repos and can be developed in parallel. ### Repo `forgejo_admin/pal-e-services` ### User Story As Marcus (admin) I want the AI assistant infrastructure provisioned So that the service can be deployed to the cluster and authenticate to basketball-api ### Context The westside-ai-assistant is a new FastAPI service that needs a var.services entry in pal-e-services to create its namespace, Harbor project, ArgoCD application, and Tailscale funnel. It also needs a Keycloak confidential client (`westside-ai-bot`) in the `westside-basketball` realm with a service account that has admin role. The current keycloak_clients variable type and keycloak.tf resource do NOT support service accounts — both need to be extended. The `valid_redirect_uris` field is required by the variable type but a service-account-only client needs an empty list `[]`. ### File Targets Files the agent should modify: - `terraform/k3s.tfvars` — add westside-ai-assistant to services map; add westside-ai-bot to keycloak_clients with `valid_redirect_uris: []` - `terraform/variables.tf` — extend keycloak_clients type to include `service_accounts_enabled = optional(bool, false)` and `service_account_realm_roles = optional(list(string), [])` - `terraform/keycloak.tf` — add `service_accounts_enabled` to `keycloak_openid_client` resource; add new `keycloak_openid_client_service_account_realm_role` resource to map roles to the service account Files the agent should NOT touch: - `terraform/services.tf` — the for_each loop handles new services automatically - `terraform/main.tf` — shared infra, no changes needed - `terraform/cnpg.tf` — no database needed for this service ### Acceptance Criteria - [ ] var.services entry exists with forgejo_repo: "forgejo_admin/westside-ai-assistant", image_repo: "westside-ai-assistant/api", port: 8000, funnel: true, source_repo: "forgejo_admin/pal-e-deployments", source_path: "overlays/westside-ai-assistant/prod" - [ ] keycloak_clients entry for westside-ai-bot: confidential, service_accounts_enabled: true, service_account_realm_roles: ["admin"], direct access grants enabled, valid_redirect_uris: [] - [ ] variables.tf type extended with service_accounts_enabled and service_account_realm_roles fields (optional with defaults, backward-compatible) - [ ] keycloak.tf keycloak_openid_client resource includes `service_accounts_enabled = each.value.service_accounts_enabled` - [ ] New keycloak_openid_client_service_account_realm_role resource created, conditionally applied when service_account_realm_roles is non-empty - [ ] `tofu plan -lock=false` shows expected resources (namespace, Harbor project, ArgoCD app, funnel, Keycloak client with service account + role mapping) ### Test Expectations - [ ] `tofu validate` passes - [ ] `tofu plan -lock=false` output included in PR (no errors) - [ ] Plan shows the new service account role resource for westside-ai-bot - Run command: `cd terraform && tofu validate && tofu plan -lock=false -var-file=k3s.tfvars` ### Constraints - Follow existing var.services pattern (see basketball-api entry as reference) - Follow existing keycloak_clients pattern (see westside-app entry) but extend for service accounts - image_repo uses `/api` suffix (FastAPI convention), NOT `/app` (SvelteKit convention) - The service_accounts_enabled and service_account_realm_roles variable extensions must be backward-compatible (optional with defaults) so existing clients are unaffected - Do NOT run `tofu apply` — Lucas must approve - PR goes to pal-e-services repo, not westside-ai-assistant ### Checklist - [ ] PR opened on pal-e-services - [ ] tofu plan output in PR - [ ] No unrelated changes ### Related - `project-westside-ai-assistant` — parent project - `service-onboarding-sop` — onboarding procedure

forgejo_admin referenced this issue 2026-03-28 19:15:51 +00:00

GroupMe bot registration + secrets + go-live validation #7

forgejo_admin referenced this issue 2026-03-28 19:21:03 +00:00

Create kustomize overlay in pal-e-deployments #2

forgejo_admin commented 2026-03-28 19:21:17 +00:00

Author

Owner

Copy link

Scope Review: NEEDS_REFINEMENT

Review note: review-593-2026-03-28

The issue's file targets only list k3s.tfvars, but the Keycloak service account and role mapping requirements demand changes to variables.tf and keycloak.tf as well — neither the variable type nor the resource currently supports service_accounts_enabled or service account role assignments.

• Missing file targets: terraform/variables.tf (add service_accounts_enabled + service_account_realm_roles to keycloak_clients type) and terraform/keycloak.tf (wire attribute into resource + add keycloak_openid_client_service_account_realm_role resource)
• Missing required fields in AC1: forgejo_repo and image_repo are required by the services variable but not listed in acceptance criteria
• Undocumented dependency: Issue #2 (kustomize overlay) must be merged before tofu apply — ArgoCD source_path doesn't exist yet
• AC2 + AC3 not achievable: Current codebase has no service account support in the keycloak_clients variable or keycloak_openid_client resource

## Scope Review: NEEDS_REFINEMENT Review note: `review-593-2026-03-28` The issue's file targets only list `k3s.tfvars`, but the Keycloak service account and role mapping requirements demand changes to `variables.tf` and `keycloak.tf` as well — neither the variable type nor the resource currently supports `service_accounts_enabled` or service account role assignments. - **Missing file targets**: `terraform/variables.tf` (add `service_accounts_enabled` + `service_account_realm_roles` to keycloak_clients type) and `terraform/keycloak.tf` (wire attribute into resource + add `keycloak_openid_client_service_account_realm_role` resource) - **Missing required fields in AC1**: `forgejo_repo` and `image_repo` are required by the services variable but not listed in acceptance criteria - **Undocumented dependency**: Issue #2 (kustomize overlay) must be merged before `tofu apply` — ArgoCD source_path doesn't exist yet - **AC2 + AC3 not achievable**: Current codebase has no service account support in the keycloak_clients variable or keycloak_openid_client resource

forgejo_admin referenced this issue 2026-03-28 19:22:03 +00:00

Basketball-API client with Keycloak auth #5

forgejo_admin referenced this issue 2026-03-28 19:24:03 +00:00

Create kustomize overlay in pal-e-deployments #2

forgejo_admin referenced this issue 2026-03-28 19:24:33 +00:00

Basketball-API client with Keycloak auth #5

forgejo_admin commented 2026-03-28 19:26:00 +00:00

Author

Owner

Copy link

Scope refinement (review-593-2026-03-28):

1. Added terraform/variables.tf and terraform/keycloak.tf to file targets — service account support requires type extension and new resource
2. Added forgejo_repo and image_repo to AC1 (required fields)
3. Documented ordering dependency with #2
4. Updated ACs to cover service_accounts_enabled variable extension and keycloak_openid_client_service_account_realm_role resource

**Scope refinement (review-593-2026-03-28):** 1. Added `terraform/variables.tf` and `terraform/keycloak.tf` to file targets — service account support requires type extension and new resource 2. Added `forgejo_repo` and `image_repo` to AC1 (required fields) 3. Documented ordering dependency with #2 4. Updated ACs to cover service_accounts_enabled variable extension and keycloak_openid_client_service_account_realm_role resource

forgejo_admin referenced this issue 2026-03-28 19:26:09 +00:00

Basketball-API client with Keycloak auth #5

forgejo_admin referenced this issue 2026-03-28 19:30:53 +00:00

Create kustomize overlay in pal-e-deployments #2

forgejo_admin commented 2026-03-28 19:31:30 +00:00

Author

Owner

Copy link

Scope Re-Review: NEEDS_REFINEMENT

Review note: review-593-2026-03-28-v2
Previous review: review-593-2026-03-28 (5 findings — all 5 addressed in this update)

Re-review found 2 new issues in acceptance criteria:

• AC1 image_repo naming: "westside-ai-assistant/app" should be "westside-ai-assistant/api" — all FastAPI services (port 8000) use /api suffix per established convention (basketball-api/api, pal-e-docs/api, mcd-tracker/api, pal-e-mail/api). The /app suffix is for SvelteKit frontends (port 80).
• AC2 missing valid_redirect_uris: The keycloak_clients variable type requires valid_redirect_uris = list(string) with no default. The westside-ai-bot entry needs valid_redirect_uris: [] specified, or the variable type needs valid_redirect_uris made optional. Without this, the agent will hit a validation error or guess.

Both are [BODY] fixes — quick issue body edits.

## Scope Re-Review: NEEDS_REFINEMENT Review note: `review-593-2026-03-28-v2` Previous review: `review-593-2026-03-28` (5 findings — all 5 addressed in this update) Re-review found 2 new issues in acceptance criteria: - **AC1 image_repo naming**: `"westside-ai-assistant/app"` should be `"westside-ai-assistant/api"` — all FastAPI services (port 8000) use `/api` suffix per established convention (basketball-api/api, pal-e-docs/api, mcd-tracker/api, pal-e-mail/api). The `/app` suffix is for SvelteKit frontends (port 80). - **AC2 missing valid_redirect_uris**: The `keycloak_clients` variable type requires `valid_redirect_uris = list(string)` with no default. The westside-ai-bot entry needs `valid_redirect_uris: []` specified, or the variable type needs `valid_redirect_uris` made optional. Without this, the agent will hit a validation error or guess. Both are `[BODY]` fixes — quick issue body edits.

forgejo_admin referenced this issue 2026-03-28 19:31:59 +00:00

Basketball-API client with Keycloak auth #5

forgejo_admin commented 2026-03-28 19:32:16 +00:00

Author

Owner

Copy link

Scope refinement v2 (review-593-2026-03-28-v2):

1. Fixed image_repo to westside-ai-assistant/api — /api suffix is the FastAPI convention, /app is for SvelteKit frontends
2. Added valid_redirect_uris: [] to AC2 and Context — required field in variable type, service-account-only clients need empty list

**Scope refinement v2 (review-593-2026-03-28-v2):** 1. Fixed image_repo to `westside-ai-assistant/api` — `/api` suffix is the FastAPI convention, `/app` is for SvelteKit frontends 2. Added `valid_redirect_uris: []` to AC2 and Context — required field in variable type, service-account-only clients need empty list

forgejo_admin commented 2026-03-28 19:35:22 +00:00

Author

Owner

Copy link

Scope Review: READY

Review note: review-593-2026-03-28-v3

Round 3 re-review — both v2 findings addressed:

• image_repo corrected to westside-ai-assistant/api (FastAPI convention)
• valid_redirect_uris: [] explicitly specified for service-account-only client

All template sections complete, all 3 file targets verified against codebase, traceability triangle intact, 6 acceptance criteria testable. Ready for dispatch.

## Scope Review: READY Review note: `review-593-2026-03-28-v3` Round 3 re-review — both v2 findings addressed: - image_repo corrected to `westside-ai-assistant/api` (FastAPI convention) - `valid_redirect_uris: []` explicitly specified for service-account-only client All template sections complete, all 3 file targets verified against codebase, traceability triangle intact, 6 acceptance criteria testable. Ready for dispatch.

forgejo_admin closed this issue 2026-03-28 22:35:43 +00:00

forgejo_admin referenced this issue 2026-03-28 22:40:32 +00:00

feat: basketball-api HTTP client with Keycloak auth #11

forgejo_admin referenced this issue 2026-03-28 22:43:16 +00:00

feat: basketball-api HTTP client with Keycloak auth #11

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

No results found.

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

forgejo_admin/westside-ai-assistant#1

No description provided.