Use umbrella chart for platform Argo app #525

Open
casey-brooks wants to merge 8 commits into main from noa/issue-524

@casey-brooks
Contributor

Summary

  • Replaced per-microservice platform Argo CD Applications with one platform Application deploying agynio/charts/agyn-platform.
  • Kept platform DB Applications separate and added required Secret wiring for umbrella chart database URLs, S3 credentials, and cluster admin token.
  • Updated apply.sh and health verification expectations to wait on platform instead of individual platform microservice Applications.
  • Added a provision action step that disables platform autosync after health verification by patching spec.syncPolicy.automated.enabled=false.

Closes #524

Validation

  • terraform -chdir=stacks/apps validate
  • terraform -chdir=stacks/platform validate
  • terraform -chdir=stacks/platform fmt -check -diff
  • terraform -chdir=stacks/apps fmt -check -diff
  • bash -n apply.sh .github/scripts/verify_platform_health.sh .github/scripts/disable_platform_autosync.sh install-ca-cert.sh
  • shellcheck apply.sh .github/scripts/verify_platform_health.sh .github/scripts/disable_platform_autosync.sh install-ca-cert.sh
  • git diff --check

@casey-brooks casey-brooks requested a review from a team as a code owner May 25, 2026 03:01
@casey-brooks
Contributor Author

Test & Lint Summary

Commands run:

  • terraform -chdir=stacks/apps validate
  • terraform -chdir=stacks/platform validate
  • terraform -chdir=stacks/platform fmt -check -diff
  • terraform -chdir=stacks/apps fmt -check -diff
  • bash -n apply.sh .github/scripts/verify_platform_health.sh .github/scripts/disable_platform_autosync.sh install-ca-cert.sh
  • shellcheck apply.sh .github/scripts/verify_platform_health.sh .github/scripts/disable_platform_autosync.sh install-ca-cert.sh
  • git diff --check

Results:

  • Terraform validation: 2 passed / 0 failed / 0 skipped
  • Bash syntax checks: 4 passed / 0 failed / 0 skipped
  • Formatting/whitespace checks: passed
  • Linting: ShellCheck passed with no errors

@noa-lucent noa-lucent left a comment

Found blocking issues in the umbrella chart wiring. Please address the inline comments before merge.

Comment thread stacks/platform/main.tf
Comment thread stacks/platform/main.tf
@casey-brooks
Contributor Author

Addressed Noa's requested changes:

  • Preserved authorization OpenFGA wiring by keeping extraEnvVarsCM = "agyn-platform-openfga" while overriding authorization.env.
  • Updated notifications Redis wiring to point at the umbrella Redis service: platform-notifications-redis-master.platform.svc.cluster.local:6379.

Test & Lint Summary

Commands run:

  • terraform -chdir=stacks/platform validate
  • terraform -chdir=stacks/apps validate
  • terraform -chdir=stacks/platform fmt -check -diff
  • terraform -chdir=stacks/apps fmt -check -diff
  • bash -n apply.sh .github/scripts/verify_platform_health.sh .github/scripts/disable_platform_autosync.sh install-ca-cert.sh
  • shellcheck apply.sh .github/scripts/verify_platform_health.sh .github/scripts/disable_platform_autosync.sh install-ca-cert.sh
  • git diff --check

Results:

  • Terraform validation: 2 passed / 0 failed / 0 skipped
  • Bash syntax checks: 4 passed / 0 failed / 0 skipped
  • Formatting/whitespace checks: passed
  • Linting: ShellCheck passed with no errors

noa-lucent previously approved these changes May 25, 2026

@noa-lucent noa-lucent left a comment

Re-review complete. The requested umbrella chart wiring fixes are present: authorization keeps the OpenFGA ConfigMap wiring, and notifications now points Redis at the umbrella release service. Approving.

@rowan-stein
Collaborator

CI failed: Argo rejected Application because Helm render hit agyn-platform secret contract check: (agyn-platform/templates/secret-contract-checks.yaml:123). Likely the Secret isn’t created in the platform namespace before the Application is created/rendered. Fix: ensure is in namespace and add it to (and/or ensure namespace creation ordering).

@casey-brooks
Contributor Author

Addressed the CI failures on this PR.

Summary

  • Kept the agyn-platform secret contract from blocking Argo CD repo-server rendering when the Secret is created externally by Terraform.
  • Corrected notifications Redis wiring to the umbrella chart's rendered notifications-redis-master Service.
  • Updated platform VirtualService destinations and apps stack gateway environment values to the umbrella chart's gateway / llm-proxy Service names.
  • Re-ran CI; latest run passed: https://github.com/agynio/bootstrap/actions/runs/26383317158

Test & Lint Summary

Commands run:

  • terraform -chdir=stacks/platform validate
  • terraform -chdir=stacks/apps validate
  • terraform -chdir=stacks/platform fmt -check -diff
  • terraform -chdir=stacks/apps fmt -check -diff
  • bash -n apply.sh .github/scripts/verify_platform_health.sh .github/scripts/disable_platform_autosync.sh install-ca-cert.sh
  • shellcheck apply.sh .github/scripts/verify_platform_health.sh .github/scripts/disable_platform_autosync.sh install-ca-cert.sh
  • git diff --check
  • gh run watch 26383317158 --repo agynio/bootstrap --exit-status

Results:

  • Terraform validation: 2 passed / 0 failed / 0 skipped
  • Bash syntax checks: 4 passed / 0 failed / 0 skipped
  • Formatting/whitespace checks: passed
  • Linting: ShellCheck passed with no errors
  • CI: 1 passed / 0 failed / 0 skipped

@casey-brooks
Contributor Author

Addressed the secret prerequisite ordering called out in the CI failure thread.

Summary

  • Centralized the platform database and files S3 Secret names in stacks/platform/main.tf so the Secret resources and umbrella chart values use the same exact names.
  • Kept agyn-platform-database-urls created via kubernetes_secret_v1.platform_database_urls in namespace platform through kubernetes_namespace.platform.metadata[0].name.
  • Added explicit namespace dependency ordering to the prerequisite Secrets and added kubernetes_namespace.platform to the argocd_application.platform dependency chain alongside the Secret dependencies.
  • Re-ran CI; latest run passed: https://github.com/agynio/bootstrap/actions/runs/26383905982

Test & Lint Summary

Commands run:

  • terraform -chdir=stacks/platform validate
  • terraform -chdir=stacks/apps validate
  • terraform -chdir=stacks/platform fmt -check -diff
  • terraform -chdir=stacks/apps fmt -check -diff
  • bash -n apply.sh .github/scripts/verify_platform_health.sh .github/scripts/disable_platform_autosync.sh install-ca-cert.sh
  • shellcheck apply.sh .github/scripts/verify_platform_health.sh .github/scripts/disable_platform_autosync.sh install-ca-cert.sh
  • git diff --check
  • gh run watch 26383905982 --repo agynio/bootstrap --exit-status

Results:

  • Terraform validation: 2 passed / 0 failed / 0 skipped
  • Bash syntax checks: 4 passed / 0 failed / 0 skipped
  • Formatting/whitespace checks: passed
  • Linting: ShellCheck passed with no errors
  • CI: 1 passed / 0 failed / 0 skipped
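
Added example, not code from this PR or the repository: a Terraform sketch of the prerequisite ordering described in the comment above, where the Secret is created in the platform namespace before the Argo CD Application that renders the chart. Resource addresses and the Secret name follow the comment; the variable, the data key, the Helm values key, the chart repository URL, the chart version and the `argocd` namespace are assumptions or placeholders.

```hcl
# Added illustration. Names marked placeholder, assumed or hypothetical are not from the repository.
variable "example_database_url" {
  type      = string
  sensitive = true
}

locals {
  # Single source for the name used by both the Secret and the chart values.
  platform_database_urls_secret = "agyn-platform-database-urls"
}

resource "kubernetes_namespace" "platform" {
  metadata {
    name = "platform"
  }
}

resource "kubernetes_secret_v1" "platform_database_urls" {
  metadata {
    name      = local.platform_database_urls_secret
    namespace = kubernetes_namespace.platform.metadata[0].name
  }
  data       = { EXAMPLE_DATABASE_URL = var.example_database_url } # placeholder key
  depends_on = [kubernetes_namespace.platform]
}

resource "argocd_application" "platform" {
  metadata {
    name      = "platform"
    namespace = "argocd" # assumed Argo CD namespace
  }
  spec {
    source {
      repo_url        = "https://charts.example.invalid" # placeholder
      chart           = "agyn-platform"
      target_revision = "0.0.0" # placeholder
      helm {
        # Hypothetical values key; the chart defines the real one.
        values = yamlencode({ exampleDatabaseSecretName = local.platform_database_urls_secret })
      }
    }
    destination {
      server    = "https://kubernetes.default.svc"
      namespace = kubernetes_namespace.platform.metadata[0].name
    }
  }
  # Terraform creates the namespace and Secret before the Application exists.
  depends_on = [kubernetes_namespace.platform, kubernetes_secret_v1.platform_database_urls]
}
```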

Development

Successfully merging this pull request may close these issues.

Use agyn-platform umbrella chart as single Argo CD Application (platform) for microservices; disable autosync after health in provision action