Skip to content

feat: v0.13.0-rc0#716

Open
OisinKyne wants to merge 27 commits into
mainfrom
integration/v0.13.0-rc0
Open

feat: v0.13.0-rc0#716
OisinKyne wants to merge 27 commits into
mainfrom
integration/v0.13.0-rc0

Conversation

@OisinKyne

Copy link
Copy Markdown
Contributor

Summary

OisinKyne and others added 27 commits July 6, 2026 00:10
Phase 1 of the zero-downtime work for #321:

- obol model prefer no longer rolls the LiteLLM deployment. model_list
  order is an obol convention (Rank reads the ConfigMap); LiteLLM's
  router does not use it, so the restart was pure downtime.
- RestartLiteLLM now fails loudly when the rollout does not converge
  within 90s instead of warning and reporting success (#321 item 3).
- ReconcileRecorded's ConfigMap-only branch restarts explicitly now
  that Reloader no longer watches litellm-config.
- New drift safety net: obol model status compares the ConfigMap
  model_list against the live router /v1/models (CheckRouterDrift /
  DiffRouterModels) and reports missing/extra entries, replacing the
  Reloader annotation as the guard against silently-failed hot calls.

Claude-Session: https://claude.ai/code/session_01YLuXwN1A4tG3xmEMKvAzeD
…rollouts

Phase 2 of #321. The buyer's RWO consumed-auth PVC forced the litellm
Deployment onto replicas:1 + Recreate, turning every rollout (Reloader
secret rotation, image bump, config reload) into a full inference gap —
and the Reloader annotation on litellm-config triggered such a rollout
on every model add/remove/prefer and first-time purchase, defeating the
hot /model/new path shipped in #320.

- x402-buyer becomes its own Deployment (1 replica, Recreate, keeps the
  PVC and single-writer auth semantics) + ClusterIP Service. Buyer CM
  changes still hot-reload via /admin/reload; only buyer image bumps
  briefly gap paid/* routes.
- litellm is now stateless: RollingUpdate maxSurge:1 maxUnavailable:0 —
  a new pod must be Ready before the old one terminates. Reloader
  watches litellm-secrets only; litellm-config changes are hot-applied.
- Paid-route api_base moves to http://x402-buyer.llm.svc.cluster.local:8402/v1.
  The controller migrates legacy 127.0.0.1:8402 entries at startup and
  on per-purchase reconcile (upgraded-in-place clusters), hot-syncing
  the live router.
- Controller buyer probes (reload/remove/status) and buy.py target the
  x402-buyer pods; flow scripts reach the buyer via its Service.
- PodMonitor keeps its historical name but targets the buyer pods.

NetworkPolicy for :8402 is deliberately deferred: agent namespaces have
no common label and buy.py legitimately reads /status from them; the
Service changes addressing, not exposure (pod IP was already
cluster-reachable).

Claude-Session: https://claude.ai/code/session_01YLuXwN1A4tG3xmEMKvAzeD
CLAUDE.md and obol-stack-dev references: buyer is a standalone
Deployment + Service (port-forward svc/x402-buyer), paid routes point
at the buyer Service with the mandatory /v1 suffix, and Reloader
watches litellm-secrets only — litellm-config changes are hot-applied
with drift surfaced by obol model status (#321).

Claude-Session: https://claude.ai/code/session_01YLuXwN1A4tG3xmEMKvAzeD
Replica-stance hardening for multi-node clusters, follow-up to the
LiteLLM zero-downtime work (#321):

- PodDisruptionBudgets (minAvailable: 1) for x402-verifier and eRPC —
  on multi-node clusters a kubectl drain would otherwise silently evict
  the only pod of the payment gate (every /services/* route 5xxs) or
  the RPC front door. Same stance as the existing litellm PDB; rollouts
  are unaffected (both surge gaplessly behind readiness probes). The
  eRPC PDB lives in base/templates/erpc.yaml because the ethereum/erpc
  chart (0.0.4) has no PDB template — its podDisruptionBudget value is
  unwired. cloudflared already ships a PDB gated on an active tunnel.

- remote-signer pinned to strategy: Recreate post-helmfile-sync (hermes
  and openclaw runtimes). The obol/remote-signer chart (0.3.3) cannot
  express spec.strategy, so the deployment defaulted to RollingUpdate —
  a surge pod over the RWO keystore PVC wedges on multi-node volume
  attach and briefly double-runs the signer anywhere. Patching
  spec.strategy does not touch the pod template, so the pin never rolls
  the pod itself. Upstream follow-up: add strategy support to the chart.

Reviewed and deliberately unchanged: serviceoffer-controller already
has Lease-based leader election (cmd/serviceoffer-controller/main.go),
so its RollingUpdate surge is safe — the new pod blocks on the Lease.

Claude-Session: https://claude.ai/code/session_01YLuXwN1A4tG3xmEMKvAzeD
…v2026.7.1

The v2026.7.1 bump in this PR hardened the dashboard: a non-loopback
(0.0.0.0) bind now REQUIRES an auth provider and the legacy --insecure
flag no longer bypasses it (the hermes-0day fix). The master agent binds
the dashboard on 0.0.0.0 for the k8s Service, so without this it crashloops
(hermes-dashboard CrashLoopBackOff → deployment never Ready → flow-04 fail).

Register the bundled basic-auth provider via env (user 'obol', password =
the agent's existing API token); probe path /api/status stays auth-exempt.
Child agents run 'gateway run' with no dashboard sidecar, so only the master
agent (internal/hermes) needs it.

Also update flow-04's dashboard check: the loopback-only inline
__HERMES_SESSION_TOKEN__ is disabled on a gated bind, so assert the
dashboard is up (public /api/status=200) and auth-gated (/api/sessions=401)
instead.

Validated on arm64 QA (spark): hermes pod 2/2 Running (was 1/2
CrashLoopBackOff); paid buy flow green.
…to integration/v0.13.0-rc0

# Conflicts:
#	internal/embed/infrastructure/base/templates/llm.yaml
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants