Rendered Branches from a Thin Lock

README.md

@@ -24,18 +24,22 @@ k8s-gitops/
       repos.yaml                  # configure application.yaml to load $app_name/*
 
     codeai/
-      applicationset.yaml         # define argocd apps for codeai deployments: deployments/*/deployment.yaml
+      applicationset.yaml         # define argocd apps for rendered CodeAI stage branches
 
       deployments/
         levelbuilder/             # codeai deployment levelbuilder
           deployment.yaml         # envType=levelbuilder, branch=levelbuilder
           values.yaml             # values.yaml for this deployment: dashboard_workers=27, RAILS_ENV=levelbuilder, etc
+          deploy/                 # rendered manifests committed to stage/levelbuilder
         ...
 
       envTypes/
         levelbuilder.values.yaml  # base values.yaml for all envType=levelbuilder
         ...
 
+    codeai-adhoc/
+      application.yaml           # adhoc deployment that still renders directly from source
+
     kargo/
       application.yaml            # argocd app for kargo itself
       values.yaml                 # helm values for kargo install
@@ -44,7 +48,7 @@ k8s-gitops/
       application.yaml            # argocd app for kargo project codeai
       project.yaml                # kargo project for codeai
       project-config.yaml         # kargo projectconfig for codeai
-      warehouse.yaml              # kargo warehouse for codeai
+      warehouse.yaml              # kargo warehouse for CodeAI build locks
       stages/
         levelbuilder.yaml         # kargo stage for codeai deployment levelbuilder
         ...
@@ -53,4 +57,3 @@ k8s-gitops/
 ## Bootstrap Cluster
 
 kubectl apply -f apps/app-of-apps/applicationset.yaml
-

apps/codeai-adhoc/application.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: codeai-k8s-adhoc
+  namespace: argocd
+spec:
+  project: default
+  sources:
+    - repoURL: https://github.com/code-dot-org/code-dot-org.git
+      targetRevision: k8s/adhoc
+      path: k8s/helm
+      helm:
+        releaseName: k8s-adhoc
+        valueFiles:
+          - $values/apps/codeai/envTypes/staging.values.yaml
+          - $values/apps/codeai/deployments/k8s-adhoc/values.yaml
+    - repoURL: https://github.com/code-dot-org/k8s-gitops.git
+      targetRevision: main
+      ref: values
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: adhoc-k8s-adhoc
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - ServerSideApply=true

apps/codeai/README.md

@@ -1,3 +1,5 @@
-This app's deployment definitions live under `deployments/`.
+This app's deployment metadata lives under `deployments/` on `main`.
 
-Docker image tag writeback is done by the GitHub Actions workflow [`k8s-commit-image-ref-to-argocd.yml`](https://github.com/code-dot-org/code-dot-org/blob/staging/.github/workflows/k8s-commit-image-ref-to-argocd.yml).
+Long-lived environments (`staging`, `test`, `levelbuilder`, and `production`) are rendered by Kargo into `apps/codeai/deployments/<deployment>/deploy/` on `stage/<deployment>` branches, and Argo CD deploys those rendered manifests directly.
+
+The thin build-lock and legacy gitflow gate records are written by the GitHub Actions workflow [`k8s-commit-to-kargo-warehouse.yml`](https://github.com/code-dot-org/code-dot-org/blob/staging/.github/workflows/k8s-commit-to-kargo-warehouse.yml).

apps/codeai/applicationset.yaml

@@ -9,7 +9,10 @@ spec:
         repoURL: https://github.com/code-dot-org/k8s-gitops.git
         revision: main
         files:
-          - path: apps/codeai/deployments/*/deployment.yaml
+          - path: apps/codeai/deployments/staging/deployment.yaml
+          - path: apps/codeai/deployments/test/deployment.yaml
+          - path: apps/codeai/deployments/levelbuilder/deployment.yaml
+          - path: apps/codeai/deployments/production/deployment.yaml
   template:
     metadata:
       name: codeai-{{path.basename}}
@@ -18,18 +21,10 @@ spec:
         kargo.akuity.io/project: kargo-project-codeai
     spec:
       project: default
-      sources:
-        - repoURL: https://github.com/code-dot-org/code-dot-org.git
-          targetRevision: '{{sourceRevision}}'
-          path: k8s/helm
-          helm:
-            releaseName: '{{path.basename}}'
-            valueFiles:
-              - $values/apps/codeai/envTypes/{{envType}}.values.yaml
-              - $values/apps/codeai/deployments/{{path.basename}}/values.yaml
-        - repoURL: https://github.com/code-dot-org/k8s-gitops.git
-          targetRevision: main
-          ref: values
+      source:
+        repoURL: https://github.com/code-dot-org/k8s-gitops.git
+        targetRevision: stage/{{path.basename}}
+        path: apps/codeai/deployments/{{path.basename}}/deploy
       destination:
         server: https://kubernetes.default.svc
         namespace: '{{namespace}}'

apps/codeai/deployments/levelbuilder/deploy/.gitkeep

@@ -0,0 +1 @@
+

apps/codeai/deployments/levelbuilder/deployment.yaml

@@ -0,0 +1,3 @@
+envType: levelbuilder
+namespace: levelbuilder
+branch: levelbuilder

apps/codeai/deployments/production/deploy/.gitkeep

@@ -0,0 +1 @@
+

apps/codeai/deployments/production/deployment.yaml

@@ -0,0 +1,3 @@
+envType: production
+namespace: production
+branch: production

apps/codeai/deployments/production/values.yaml

@@ -1,4 +1,4 @@
-image: ghcr.io/code-dot-org/code-dot-org:production
+image: ghcr.io/code-dot-org/code-dot-org:replace-me
 autoscaling:
   minReplicas: 1
   maxReplicas: 1

apps/codeai/deployments/staging/deploy/.gitkeep

@@ -0,0 +1 @@
+

apps/codeai/deployments/staging/values.yaml

@@ -1,4 +1,4 @@
-image: ghcr.io/code-dot-org/code-dot-org:staging # updated by k8s-commit-image-ref-to-argocd.yml
+image: ghcr.io/code-dot-org/code-dot-org:replace-me
 autoscaling:
   maxReplicas: 1
 locals.yml:

apps/codeai/deployments/test/deploy/.gitkeep

@@ -0,0 +1 @@
+

apps/codeai/deployments/test/deployment.yaml

@@ -1,5 +1,3 @@
 envType: test
 namespace: test
-# FIXME: for quicker testing, avoid waiting on DTTs and DTPs, let alone DTLs.
-# branch: test
-branch: staging
+branch: test

apps/codeai/deployments/test/values.yaml

@@ -1,4 +1,4 @@
-image: ghcr.io/code-dot-org/code-dot-org:test # updated by k8s-commit-image-ref-to-argocd.yml
+image: ghcr.io/code-dot-org/code-dot-org:replace-me
 autoscaling:
   maxReplicas: 1
 locals.yml:

apps/kargo-project-codeai/project-config.yaml

@@ -9,7 +9,9 @@ spec:
       autoPromotionEnabled: true
     - stage: test
       autoPromotionEnabled: false
-    - stage: production
-      autoPromotionEnabled: false
     - stage: levelbuilder
       autoPromotionEnabled: false
+    - stage: review-infra-changes
+      autoPromotionEnabled: false
+    - stage: production
+      autoPromotionEnabled: false

apps/kargo-project-codeai/stages/levelbuilder.yaml

@@ -7,33 +7,106 @@ spec:
   requestedFreight:
     - origin:
         kind: Warehouse
-        name: kargo-project-codeai
+        name: codeai-builds
       sources:
         stages:
           - test
+  vars:
+    - name: gitopsRepo
+      value: https://github.com/code-dot-org/k8s-gitops.git
+    - name: legacyEnv
+      value: levelbuilder
+    - name: renderDeployment
+      value: levelbuilder
+    - name: renderPath
+      value: apps/codeai/deployments/levelbuilder/deploy
+    - name: targetBranch
+      value: stage/levelbuilder
   promotionTemplate:
     spec:
-      vars:
-        - name: gitopsRepo
-          value: https://github.com/code-dot-org/k8s-gitops.git
       steps:
         - uses: git-clone
           config:
             repoURL: ${{ vars.gitopsRepo }}
             checkout:
+              - commit: ${{ commitFrom(vars.gitopsRepo, warehouse('codeai-builds')).ID }}
+                path: ./freight
+                sparse:
+                  - warehouses/codeai/builds/current.yaml
               - branch: main
-                path: ./gitops
-        - uses: yaml-update
+                path: ./meta
+                sparse:
+                  - apps/codeai/deployments/levelbuilder
+                  - apps/codeai/envTypes
+              - branch: main
+                path: ./gate
+                sparse:
+                  - warehouses/codeai/legacy-gitflow/levelbuilder/merged
+              - branch: ${{ vars.targetBranch }}
+                create: true
+                path: ./out
+                sparse:
+                  - ${{ vars.renderPath }}
+        - uses: yaml-parse
+          as: build-lock
+          config:
+            path: ./freight/warehouses/codeai/builds/current.yaml
+            outputs:
+              - name: releaseId
+                fromExpression: releaseId
+              - name: gitCommit
+                fromExpression: gitCommit
+              - name: imageRef
+                fromExpression: image.ref
+              - name: imageDigest
+                fromExpression: image.digest
+              - name: sourceRepo
+                fromExpression: packaging.sourceRepo
+              - name: sourcePath
+                fromExpression: packaging.sourcePath
+        - uses: yaml-parse
+          as: legacy-gate
+          config:
+            path: ./gate/warehouses/codeai/legacy-gitflow/${{ vars.legacyEnv }}/merged/${{ outputs['build-lock'].releaseId }}.yaml
+            outputs:
+              - name: mergedAt
+                fromExpression: mergedAt
+        - uses: yaml-parse
+          as: deployment-meta
+          config:
+            path: ./meta/apps/codeai/deployments/${{ vars.renderDeployment }}/deployment.yaml
+            outputs:
+              - name: envType
+                fromExpression: envType
+        - uses: git-clone
+          config:
+            repoURL: ${{ outputs['build-lock'].sourceRepo }}
+            checkout:
+              - commit: ${{ outputs['build-lock'].gitCommit }}
+                path: ./src
+                sparse:
+                  - ${{ outputs['build-lock'].sourcePath }}
+        - uses: git-clear
+          config:
+            path: ./out/${{ vars.renderPath }}
+        - uses: helm-template
           config:
-            path: ./gitops/apps/codeai/deployments/levelbuilder/values.yaml
-            updates:
+            path: ./src/${{ outputs['build-lock'].sourcePath }}
+            outPath: ./out/${{ vars.renderPath }}
+            outLayout: flat
+            releaseName: ${{ vars.renderDeployment }}
+            valuesFiles:
+              - ./meta/apps/codeai/envTypes/${{ outputs['deployment-meta'].envType }}.values.yaml
+              - ./meta/apps/codeai/deployments/${{ vars.renderDeployment }}/values.yaml
+            setValues:
               - key: image
-                value: ghcr.io/code-dot-org/code-dot-org:${{ imageFrom("ghcr.io/code-dot-org/code-dot-org").Tag }}
+                value: ${{ outputs['build-lock'].imageRef }}@${{ outputs['build-lock'].imageDigest }}
+                literal: true
         - uses: git-commit
           config:
-            path: ./gitops
-            message: |
-              Promote levelbuilder to ${{ imageFrom("ghcr.io/code-dot-org/code-dot-org").Tag }} [skip ci]
+            path: ./out
+            message: Render ${{ vars.renderDeployment }} for ${{ outputs['build-lock'].releaseId }}
         - uses: git-push
           config:
-            path: ./gitops
+            path: ./out
+            targetBranch: ${{ vars.targetBranch }}

apps/kargo-project-codeai/stages/production.yaml

@@ -7,33 +7,49 @@ spec:
   requestedFreight:
     - origin:
         kind: Warehouse
-        name: kargo-project-codeai
+        name: codeai-builds
       sources:
         stages:
-          - test
+          - review-infra-changes
+  vars:
+    - name: gitopsRepo
+      value: https://github.com/code-dot-org/k8s-gitops.git
+    - name: legacyEnv
+      value: production
+    - name: targetBranch
+      value: stage/production
+    - name: renderPath
+      value: apps/codeai/deployments/production/deploy
   promotionTemplate:
     spec:
-      vars:
-        - name: gitopsRepo
-          value: https://github.com/code-dot-org/k8s-gitops.git
       steps:
         - uses: git-clone
           config:
             repoURL: ${{ vars.gitopsRepo }}
             checkout:
+              - commit: ${{ commitFrom(vars.gitopsRepo, warehouse('codeai-builds')).ID }}
+                path: ./freight
+                sparse:
+                  - warehouses/codeai/builds/current.yaml
               - branch: main
-                path: ./gitops
-        - uses: yaml-update
+                path: ./gate
+                sparse:
+                  - warehouses/codeai/legacy-gitflow/production/merged
+              - branch: ${{ vars.targetBranch }}
+                path: ./out
+                sparse:
+                  - ${{ vars.renderPath }}
+        - uses: yaml-parse
+          as: build-lock
           config:
-            path: ./gitops/apps/codeai/deployments/production/values.yaml
-            updates:
-              - key: image
-                value: ghcr.io/code-dot-org/code-dot-org:${{ imageFrom("ghcr.io/code-dot-org/code-dot-org").Tag }}
-        - uses: git-commit
+            path: ./freight/warehouses/codeai/builds/current.yaml
+            outputs:
+              - name: releaseId
+                fromExpression: releaseId
+        - uses: yaml-parse
+          as: legacy-gate
           config:
-            path: ./gitops
-            message: |
-              Promote production to ${{ imageFrom("ghcr.io/code-dot-org/code-dot-org").Tag }} [skip ci]
-        - uses: git-push
-          config:
-            path: ./gitops
+            path: ./gate/warehouses/codeai/legacy-gitflow/${{ vars.legacyEnv }}/merged/${{ outputs['build-lock'].releaseId }}.yaml
+            outputs:
+              - name: mergedAt
+                fromExpression: mergedAt