Create kustomize overlay in pal-e-deployments #2

Closed
opened 2026-03-28 19:14:34 +00:00 by forgejo_admin · 3 comments

Type

Feature

Lineage

Standalone — scoped from westside-ai-assistant design spec (2026-03-28). Note: #1 (pal-e-services infra) creates the namespace and Harbor project. Both PRs can be developed in parallel but #1 must be applied first for ArgoCD sync and CI dry-run validation.

Repo

forgejo_admin/pal-e-deployments

User Story

As Marcus (admin)
I want the kustomize deployment overlay created
So that ArgoCD can deploy and manage the AI assistant pod

Context

Every service in the platform gets a kustomize overlay in pal-e-deployments. The westside-ai-assistant uses the standard base (Deployment, Service, health probes) with env var patches for its config. Secrets are injected using individual env[].valueFrom.secretKeyRef entries (matching the basketball-api pattern). The overlay follows the exact same pattern as basketball-api/prod.

File Targets

Files the agent should create:

  • overlays/westside-ai-assistant/prod/kustomization.yaml — reference standard base, image spec using harbor.tail5b443a.ts.net/westside-ai-assistant/api, name/port patches
  • overlays/westside-ai-assistant/prod/deployment-patch.yaml — env vars (BASKETBALL_API_URL, GROUPME_ALLOWED_GROUP_IDS, ANTHROPIC_MODEL, KEYCLOAK_REALM_URL, KEYCLOAK_CLIENT_ID as plain values) and secrets (ANTHROPIC_API_KEY, GROUPME_BOT_ID, KEYCLOAK_CLIENT_SECRET as individual secretKeyRef from westside-ai-assistant-secrets)
  • overlays/westside-ai-assistant/prod/harbor-creds.enc.yaml — SOPS-encrypted image pull secret (use sops --encrypt)

Files the agent should NOT touch:

  • bases/standard/* — shared base, no changes
  • Other service overlays

Acceptance Criteria

  • kubectl kustomize overlays/westside-ai-assistant/prod/ renders valid manifests
  • Deployment named westside-ai-assistant with port 8000
  • Service named westside-ai-assistant with port 8000
  • Plain env vars set for config values (BASKETBALL_API_URL, GROUPME_ALLOWED_GROUP_IDS, ANTHROPIC_MODEL, KEYCLOAK_REALM_URL, KEYCLOAK_CLIENT_ID)
  • Secret values injected via individual env[].valueFrom.secretKeyRef referencing secret westside-ai-assistant-secrets (matching basketball-api pattern)
  • harbor-creds.enc.yaml is SOPS-encrypted (not plaintext)
  • Image uses external Harbor URL: harbor.tail5b443a.ts.net/westside-ai-assistant/api

Test Expectations

  • kubectl kustomize overlays/westside-ai-assistant/prod/ succeeds
  • Rendered output shows correct secretKeyRef entries
  • Run command: kubectl kustomize overlays/westside-ai-assistant/prod/

Constraints

  • Follow basketball-api/prod overlay as reference pattern exactly
  • Use external Harbor URL for image: harbor.tail5b443a.ts.net (NOT internal URL — internal is only for CI push)
  • Image path: westside-ai-assistant/api (FastAPI convention, /api suffix)
  • Port 8000 consistently across Deployment, Service, probes
  • Secret injection via individual secretKeyRef (NOT envFrom secretRef)
  • PR goes to pal-e-deployments repo, not westside-ai-assistant
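The acceptance criteria, test expectations and constraints above can be checked mechanically on the rendered output. The script below is an added example, not part of this ticket or of the pal-e-deployments repo: it reads the stream produced by `kubectl kustomize overlays/westside-ai-assistant/prod/` on stdin and reports every Deployment that deviates from the required pattern (external Harbor image path, per-key `env[].valueFrom.secretKeyRef` from `westside-ai-assistant-secrets` rather than `envFrom`, no literal secret values, port 8000 on the container and its probes). The two embedded Deployment dicts are constructed sample renders, `EXAMPLE_TAG`, `/health` and the script name `check_overlay.py` are placeholders, and reading stdin assumes PyYAML is installed; `check_deployment` itself only needs the parsed dicts.

```python
from __future__ import annotations

import sys

# Expected values, all taken from the ticket text.
EXPECTED_NAME = "westside-ai-assistant"
EXPECTED_PORT = 8000
EXPECTED_IMAGE_PREFIX = "harbor.tail5b443a.ts.net/westside-ai-assistant/api"
SECRET_NAME = "westside-ai-assistant-secrets"
PLAIN_VARS = ("BASKETBALL_API_URL", "GROUPME_ALLOWED_GROUP_IDS", "ANTHROPIC_MODEL",
              "KEYCLOAK_REALM_URL", "KEYCLOAK_CLIENT_ID")
SECRET_VARS = ("ANTHROPIC_API_KEY", "GROUPME_BOT_ID", "KEYCLOAK_CLIENT_SECRET")


def check_deployment(doc: dict) -> list[str]:
    """Return the convention violations in one parsed Deployment; an empty list means it passes."""
    if doc.get("kind") != "Deployment":
        return [f"expected kind Deployment, got {doc.get('kind')!r}"]
    findings: list[str] = []
    name = doc.get("metadata", {}).get("name")
    if name != EXPECTED_NAME:
        findings.append(f"Deployment name {name!r} != {EXPECTED_NAME!r}")
    containers = doc.get("spec", {}).get("template", {}).get("spec", {}).get("containers", [])
    if not containers:
        return findings + ["no containers in pod template"]
    for c in containers:
        image = c.get("image", "")
        if not image.startswith(EXPECTED_IMAGE_PREFIX):
            findings.append(f"image {image!r} does not use {EXPECTED_IMAGE_PREFIX!r}")
        # envFrom exposes every key of the Secret; per-key secretKeyRef keeps the exposed set explicit.
        if c.get("envFrom"):
            findings.append("envFrom present: use individual env[].valueFrom.secretKeyRef instead")
        env = {e.get("name"): e for e in c.get("env", [])}
        for var in PLAIN_VARS:
            entry = env.get(var)
            if entry is None:
                findings.append(f"missing plain env var {var}")
            elif "value" not in entry:
                findings.append(f"{var} should be a plain value, not a reference")
        for var in SECRET_VARS:
            entry = env.get(var)
            if entry is None:
                findings.append(f"missing secret env var {var}")
                continue
            if "value" in entry:
                findings.append(f"{var} is a literal value: secret material committed in the overlay")
            ref = (entry.get("valueFrom") or {}).get("secretKeyRef")
            if ref is None:
                findings.append(f"{var} must use valueFrom.secretKeyRef")
            elif ref.get("name") != SECRET_NAME:
                findings.append(f"{var} references secret {ref.get('name')!r}, expected {SECRET_NAME!r}")
        if EXPECTED_PORT not in {p.get("containerPort") for p in c.get("ports", [])}:
            findings.append(f"containerPort {EXPECTED_PORT} not declared")
        for probe in ("livenessProbe", "readinessProbe"):  # probes must use the same port
            port = c.get(probe, {}).get("httpGet", {}).get("port")
            if port is not None and port != EXPECTED_PORT:
                findings.append(f"{probe} targets port {port!r}, expected {EXPECTED_PORT}")
    return findings


def _deployment(container: dict) -> dict:
    # Minimal Deployment skeleton around one container (constructed sample data).
    return {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": EXPECTED_NAME},
            "spec": {"template": {"spec": {"containers": [container]}}}}


# Constructed render that follows the ticket: plain values for config, per-key
# secretKeyRef for secrets. EXAMPLE_TAG and /health are placeholders.
GOOD_DEPLOYMENT = _deployment({
    "name": "api",
    "image": EXPECTED_IMAGE_PREFIX + ":EXAMPLE_TAG",
    "ports": [{"containerPort": EXPECTED_PORT}],
    "readinessProbe": {"httpGet": {"path": "/health", "port": EXPECTED_PORT}},
    "livenessProbe": {"httpGet": {"path": "/health", "port": EXPECTED_PORT}},
    "env": [{"name": v, "value": "example"} for v in PLAIN_VARS]
           + [{"name": v, "valueFrom": {"secretKeyRef": {"name": SECRET_NAME, "key": v}}}
              for v in SECRET_VARS],
})

# Constructed render with the mistakes the review flagged: internal Harbor URL,
# envFrom instead of secretKeyRef, plus one secret pasted in as a literal.
BAD_DEPLOYMENT = _deployment({
    "name": "api",
    "image": "harbor-core.harbor.svc.cluster.local/westside-ai-assistant/api:EXAMPLE_TAG",
    "ports": [{"containerPort": EXPECTED_PORT}],
    "envFrom": [{"secretRef": {"name": SECRET_NAME}}],
    "env": [{"name": v, "value": "example"} for v in PLAIN_VARS]
           + [{"name": "KEYCLOAK_CLIENT_SECRET", "value": "PLACEHOLDER_NOT_A_SECRET"}],
})


def main() -> int:
    # Reads the stream from `kubectl kustomize ... |` on stdin; exits 1 on any finding.
    import yaml  # assumption: PyYAML is installed where the rendered manifests are checked
    problems = 0
    for doc in yaml.safe_load_all(sys.stdin):
        if isinstance(doc, dict) and doc.get("kind") == "Deployment":
            for finding in check_deployment(doc):
                print(f"{doc.get('metadata', {}).get('name')}: {finding}")
                problems += 1
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `kubectl kustomize overlays/westside-ai-assistant/prod/ | python check_overlay.py` after the overlay is in place, or wire the same pipeline into the CI dry-run step. The `envFrom` check is the one with security weight: `envFrom.secretRef` injects every key of the Secret into the container, so a key added to `westside-ai-assistant-secrets` later is exposed without any change to the overlay, whereas the per-key `secretKeyRef` form keeps the set of exposed keys explicit and reviewable in the PR diff. The literal-value check catches the other common slip, a secret pasted into `deployment-patch.yaml` instead of referenced from the Secret.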

Checklist

  • PR opened on pal-e-deployments
  • kustomize renders cleanly
  • No unrelated changes

Related

  • project-westside-ai-assistant — parent project
  • convention-kustomize-overlay — overlay conventions
Author
Owner

Scope Review: NEEDS_REFINEMENT

Review note: review-594-2026-03-28
Ticket is well-structured with all template sections present, but has 4 body-level issues that need fixing before dispatch.

  • Undocumented dependency: #1 (Provision infrastructure in pal-e-services) must complete first — namespace required for CI server-side dry-run
  • Harbor image URL wrong: Constraints say harbor-core.harbor.svc.cluster.local but convention is harbor.tail5b443a.ts.net (all existing overlays use external Tailscale URL)
  • Secret injection pattern ambiguous: AC4 says "envFrom secretRef" but basketball-api reference uses individual env[].valueFrom.secretKeyRef — clarify which pattern to follow
  • Missing cross-repo PR instruction: Agent needs explicit guidance to open PR on pal-e-deployments and reference this issue
Author
Owner

Scope refinement (review-594-2026-03-28):

  1. Documented dependency on #593 (namespace/Harbor must exist for CI dry-run)
  2. Fixed Harbor URL to external harbor.tail5b443a.ts.net (internal URL is for CI push only, not image pull in overlays)
  3. Clarified secret injection: individual secretKeyRef entries, NOT envFrom secretRef (matches basketball-api pattern)
  4. Added cross-repo PR instruction in Constraints
Author
Owner

Scope Review: READY (re-review)

Review note: review-594-2026-03-28-v2
Previous review: review-594-2026-03-28 (NEEDS_REFINEMENT)

All 4 previous findings addressed:

  • Dependency on #1 documented in Lineage
  • Harbor image URL corrected to external harbor.tail5b443a.ts.net
  • Secret injection pattern clarified as individual secretKeyRef (not envFrom)
  • PR placement instruction added to Constraints

Ticket is ready for dispatch.
