Source Snapshot (Helm) + Rendered Branches

apps/app-of-apps/applicationset.yaml

@@ -21,7 +21,7 @@ spec:
         repoURL: https://github.com/code-dot-org/k8s-gitops.git
         revision: main
         files:
-          - path: apps/*/applicationset.yaml
+          - path: apps/*/applicationset*.yaml
         # This fixed template is applied to applicationset.yaml, they do not support
         # passthrough.
         template:
@@ -36,7 +36,7 @@ spec:
               targetRevision: main
               path: 'apps/{{.path.basename}}'
               directory:
-                include: "applicationset.yaml"
+                include: "applicationset*.yaml"
             syncPolicy:
               automated:
                 prune: true

apps/codeai/README.md

@@ -1,3 +1,12 @@
 This app's deployment definitions live under `deployments/`.
 
-Docker image tag writeback is done by the GitHub Actions workflow [`k8s-commit-image-ref-to-argocd.yml`](https://github.com/code-dot-org/code-dot-org/blob/staging/.github/workflows/k8s-commit-image-ref-to-argocd.yml).
+Staging, test, levelbuilder, and production are rendered-branch deployments:
+
+- `main` holds the environment policy and Kargo configuration.
+- `stage/<env>` holds the fully rendered manifests Argo CD syncs.
+- Kargo renders those branches from `warehouses/codeai/freight/current/helm/` plus the values files in this directory.
+
+`k8s-adhoc` remains a live-source Helm deployment so ad hoc work can keep following a source branch directly.
+
+Bootstrap note:
+- The first successful promotion to each staged environment creates its `stage/<env>` branch. Until that first render lands, the corresponding Argo CD `Application` will report a missing target revision.

apps/codeai/applicationset-adhoc.yaml

@@ -0,0 +1,41 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: codeai-adhoc
+  namespace: argocd
+spec:
+  generators:
+    - git:
+        repoURL: https://github.com/code-dot-org/k8s-gitops.git
+        revision: main
+        files:
+          - path: apps/codeai/deployments/k8s-adhoc/deployment.yaml
+  template:
+    metadata:
+      name: codeai-{{name}}
+      labels:
+        app.kubernetes.io/managed-by: kargo
+        kargo.akuity.io/project: kargo-project-codeai
+    spec:
+      project: default
+      sources:
+        - repoURL: https://github.com/code-dot-org/code-dot-org.git
+          targetRevision: '{{branch}}'
+          path: k8s/helm
+          helm:
+            releaseName: '{{name}}'
+            valueFiles:
+              - $values/apps/codeai/envTypes/{{envType}}.values.yaml
+              - $values/apps/codeai/deployments/{{name}}/values.yaml
+        - repoURL: https://github.com/code-dot-org/k8s-gitops.git
+          targetRevision: main
+          ref: values
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: '{{namespace}}'
+      syncPolicy:
+        automated:
+          prune: true
+          selfHeal: true
+        syncOptions:
+          - ServerSideApply=true

apps/codeai/applicationset.yaml

@@ -1,35 +1,34 @@
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
-  name: codeai
+  name: codeai-rendered-stages
   namespace: argocd
 spec:
   generators:
     - git:
         repoURL: https://github.com/code-dot-org/k8s-gitops.git
         revision: main
         files:
-          - path: apps/codeai/deployments/*/deployment.yaml
+          - path: apps/codeai/deployments/staging/deployment.yaml
+          - path: apps/codeai/deployments/test/deployment.yaml
+          - path: apps/codeai/deployments/levelbuilder/deployment.yaml
+          - path: apps/codeai/deployments/production/deployment.yaml
   template:
     metadata:
-      name: codeai-{{path.basename}}
+      name: codeai-{{name}}
+      annotations:
+        kargo.akuity.io/authorized-stage: 'kargo-project-codeai:{{name}}'
       labels:
         app.kubernetes.io/managed-by: kargo
         kargo.akuity.io/project: kargo-project-codeai
     spec:
       project: default
-      sources:
-        - repoURL: https://github.com/code-dot-org/code-dot-org.git
-          targetRevision: '{{sourceRevision}}'
-          path: k8s/helm
-          helm:
-            releaseName: '{{path.basename}}'
-            valueFiles:
-              - $values/apps/codeai/envTypes/{{envType}}.values.yaml
-              - $values/apps/codeai/deployments/{{path.basename}}/values.yaml
-        - repoURL: https://github.com/code-dot-org/k8s-gitops.git
-          targetRevision: main
-          ref: values
+      source:
+        repoURL: https://github.com/code-dot-org/k8s-gitops.git
+        targetRevision: '{{renderedBranch}}'
+        path: .
+        directory:
+          recurse: true
       destination:
         server: https://kubernetes.default.svc
         namespace: '{{namespace}}'

apps/codeai/deployments/k8s-adhoc/deployment.yaml

@@ -1,3 +1,5 @@
+name: k8s-adhoc
+sourceMode: live-source
 envType: staging
 namespace: adhoc-k8s-adhoc
 branch: k8s/adhoc

apps/codeai/deployments/levelbuilder/deployment.yaml

@@ -0,0 +1,5 @@
+name: levelbuilder
+sourceMode: rendered
+envType: levelbuilder
+namespace: levelbuilder
+renderedBranch: stage/levelbuilder

apps/codeai/deployments/production/deployment.yaml

@@ -0,0 +1,5 @@
+name: production
+sourceMode: rendered
+envType: production
+namespace: production
+renderedBranch: stage/production

apps/codeai/deployments/staging/deployment.yaml

@@ -1,3 +1,5 @@
+name: staging
+sourceMode: rendered
 envType: staging
 namespace: staging
-branch: staging
+renderedBranch: stage/staging

apps/codeai/deployments/staging/values.yaml

@@ -1,4 +1,4 @@
-image: ghcr.io/code-dot-org/code-dot-org:staging # updated by k8s-commit-image-ref-to-argocd.yml
+image: ghcr.io/code-dot-org/code-dot-org:staging
 autoscaling:
   maxReplicas: 1
 locals.yml:

apps/codeai/deployments/test/deployment.yaml

@@ -1,5 +1,5 @@
+name: test
+sourceMode: rendered
 envType: test
 namespace: test
-# FIXME: for quicker testing, avoid waiting on DTTs and DTPs, let alone DTLs.
-# branch: test
-branch: staging
+renderedBranch: stage/test

apps/codeai/deployments/test/values.yaml

@@ -1,4 +1,4 @@
-image: ghcr.io/code-dot-org/code-dot-org:test # updated by k8s-commit-image-ref-to-argocd.yml
+image: ghcr.io/code-dot-org/code-dot-org:test
 autoscaling:
   maxReplicas: 1
 locals.yml:

apps/codeai/envTypes/levelbuilder.values.yaml

@@ -3,3 +3,5 @@ RAILS_ENV: levelbuilder
 healthChecks:
   enabled: true
 require_external_secrets: true
+renderedBranches:
+  deterministicLocalSecrets: true

apps/codeai/envTypes/production.values.yaml

@@ -3,6 +3,8 @@ RAILS_ENV: production
 healthChecks:
   enabled: true
 require_external_secrets: true
+renderedBranches:
+  deterministicLocalSecrets: true
 autoscaling:
   enabled: true
   minReplicas: 1

apps/codeai/envTypes/staging.values.yaml

@@ -3,3 +3,5 @@ RAILS_ENV: staging
 healthChecks:
   enabled: true
 require_external_secrets: true
+renderedBranches:
+  deterministicLocalSecrets: true

apps/codeai/envTypes/test.values.yaml

@@ -3,3 +3,5 @@ RAILS_ENV: test
 healthChecks:
   enabled: true
 require_external_secrets: true
+renderedBranches:
+  deterministicLocalSecrets: true

apps/kargo-project-codeai/project-config.yaml

@@ -9,7 +9,9 @@ spec:
       autoPromotionEnabled: true
     - stage: test
       autoPromotionEnabled: false
-    - stage: production
-      autoPromotionEnabled: false
     - stage: levelbuilder
       autoPromotionEnabled: false
+    - stage: review-infra-changes
+      autoPromotionEnabled: false
+    - stage: production
+      autoPromotionEnabled: false

apps/kargo-project-codeai/stages/levelbuilder.yaml

@@ -16,24 +16,69 @@ spec:
       vars:
         - name: gitopsRepo
           value: https://github.com/code-dot-org/k8s-gitops.git
+        - name: renderedBranch
+          value: stage/levelbuilder
+        - name: envType
+          value: levelbuilder
+        - name: deployment
+          value: levelbuilder
       steps:
         - uses: git-clone
           config:
             repoURL: ${{ vars.gitopsRepo }}
             checkout:
+              - commit: ${{ commitFrom(vars.gitopsRepo).ID }}
+                path: ./freight
+                sparse:
+                  - warehouses/codeai/freight/current
               - branch: main
-                path: ./gitops
-        - uses: yaml-update
+                path: ./meta
+                sparse:
+                  - apps/codeai
+              - branch: ${{ vars.renderedBranch }}
+                create: true
+                path: ./out
+        - uses: yaml-parse
+          as: freight
           config:
-            path: ./gitops/apps/codeai/deployments/levelbuilder/values.yaml
-            updates:
+            path: ./freight/warehouses/codeai/freight/current/freight.yaml
+            outputs:
+              - name: revision
+                fromExpression: revision
+              - name: releaseTag
+                fromExpression: tag
+              - name: packageType
+                fromExpression: packageType
+              - name: imageRef
+                fromExpression: image.ref
+        - uses: git-clear
+          config:
+            path: ./out
+        - uses: helm-template
+          config:
+            path: ./freight/warehouses/codeai/freight/current/helm
+            releaseName: ${{ vars.deployment }}
+            valuesFiles:
+              - ./meta/apps/codeai/envTypes/${{ vars.envType }}.values.yaml
+              - ./meta/apps/codeai/deployments/${{ vars.deployment }}/values.yaml
+            setValues:
               - key: image
-                value: ghcr.io/code-dot-org/code-dot-org:${{ imageFrom("ghcr.io/code-dot-org/code-dot-org").Tag }}
+                value: ${{ outputs['freight'].imageRef }}
+            outPath: ./out/manifests.yaml
         - uses: git-commit
+          as: rendered-commit
           config:
-            path: ./gitops
+            path: ./out
             message: |
-              Promote levelbuilder to ${{ imageFrom("ghcr.io/code-dot-org/code-dot-org").Tag }} [skip ci]
+              Render levelbuilder from ${{ outputs['freight'].releaseTag }} [skip ci]
         - uses: git-push
           config:
-            path: ./gitops
+            path: ./out
+        - uses: argocd-update
+          config:
+            apps:
+              - name: codeai-${{ vars.deployment }}
+                namespace: argocd
+                sources:
+                  - repoURL: ${{ vars.gitopsRepo }}
+                    desiredRevision: ${{ outputs['rendered-commit'].commit }}

apps/kargo-project-codeai/stages/production.yaml

@@ -10,30 +10,4 @@ spec:
         name: kargo-project-codeai
       sources:
         stages:
-          - test
-  promotionTemplate:
-    spec:
-      vars:
-        - name: gitopsRepo
-          value: https://github.com/code-dot-org/k8s-gitops.git
-      steps:
-        - uses: git-clone
-          config:
-            repoURL: ${{ vars.gitopsRepo }}
-            checkout:
-              - branch: main
-                path: ./gitops
-        - uses: yaml-update
-          config:
-            path: ./gitops/apps/codeai/deployments/production/values.yaml
-            updates:
-              - key: image
-                value: ghcr.io/code-dot-org/code-dot-org:${{ imageFrom("ghcr.io/code-dot-org/code-dot-org").Tag }}
-        - uses: git-commit
-          config:
-            path: ./gitops
-            message: |
-              Promote production to ${{ imageFrom("ghcr.io/code-dot-org/code-dot-org").Tag }} [skip ci]
-        - uses: git-push
-          config:
-            path: ./gitops
+          - review-infra-changes