Commit 27ec429

committed
fix: deploy
1 parent ec63f78 commit 27ec429

6 files changed

Lines changed: 340 additions & 41 deletions

File tree

CONTRIBUTING.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -188,8 +188,8 @@ L'orchestrateur est dans `app/app.py` (FastAPI).
188188
python -c "import ast; ast.parse(open('app/app.py').read())"
189189

190190
# Rebuild + deploiement
191-
docker build -f images/orchestrator/Dockerfile -t ghcr.io/<your-org>/orchestrator:latest .
192-
docker save ghcr.io/<your-org>/orchestrator:latest | sudo k3s ctr images import -
191+
docker build -f images/orchestrator/Dockerfile -t ghcr.io/hey-intent/orchestrator:latest .
192+
docker save ghcr.io/hey-intent/orchestrator:latest | sudo k3s ctr images import -
193193
kubectl -n ai-bot rollout restart deployment/orchestrator
194194

195195
# Verifier les logs
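Review bot: both the `docker build -t` and `docker save ... | sudo k3s ctr images import -` lines still use the floating `:latest` tag, so the `kubectl -n ai-bot rollout restart` that follows cannot tell which build is actually running, and a failed or skipped import silently leaves the previous image in place under the same name. Tag the image with the commit (for example `-t ghcr.io/hey-intent/orchestrator:$(git rev-parse --short HEAD)`) and reference that tag in the deployment, or at minimum document `sudo k3s ctr images ls | grep orchestrator` as the check to run between the import and the restart.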

README.md

Lines changed: 16 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -8,20 +8,17 @@ This project automates the **Issue -> Label -> Pull Request** flow: an `ai-pr-*`
88

99
It avoids vendor lock-in with 3 built-in providers:
1010

11-
| Label | Provider | Backend |
12-
|-------|----------|---------|
13-
| `ai-pr-claude` | Claude Code | Anthropic |
14-
| `ai-pr-codex` | Codex | OpenAI |
15-
| `ai-pr-aider` | Aider | OpenRouter (extensible) |
11+
| Label | Provider | Backend |
12+
| -------------- | ----------- | ----------------------- |
13+
| `ai-pr-claude` | Claude Code | Anthropic |
14+
| `ai-pr-codex` | Codex | OpenAI |
15+
| `ai-pr-aider` | Aider | OpenRouter (extensible) |
1616

1717
The architecture is designed to easily add more providers (see `CONTRIBUTING.md`).
1818

1919
Tested on: VPS / 8 GB RAM / 4 vCPU / k3s single-node.
2020

21-
> [!IMPORTANT]
22-
> **This repo is a POC and a serious working base.**
23-
> It demonstrates a fully functional flow, but is not production-ready without hardening.
24-
> See the [Security](#security) section and `SECURITY.md` for details.
21+
> [!IMPORTANT] **This repo is a POC and a serious working base.** It demonstrates a fully functional flow, but is not production-ready without hardening. See the [Security](#security) section and `SECURITY.md` for details.
2522
2623
---
2724
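Review bot: the collapsed line 21 breaks the GitHub alert: the `[!IMPORTANT]` marker has to stand alone on the first quoted line, with the body on the following `>` lines, for GitHub to render it as an alert box. Joined with the text on one line it renders as an ordinary blockquote with a literal `[!IMPORTANT]` in it. Keep the original four-line form (`> [!IMPORTANT]` / `> **This repo is a POC ...**` / ...), which was correct; only the table alignment needed changing in this hunk.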

@@ -151,8 +148,8 @@ Add a label `ai-pr-claude`, `ai-pr-codex`, or `ai-pr-aider` to a GitHub issue. T
151148
### Kubernetes Secrets
152149

153150
| Secret | Keys | Used by |
154-
|--------|------|---------|
155-
| `github-app` | `GITHUB_APP_ID`, `GITHUB_PRIVATE_KEY` | orchestrator |
151+
| --- | --- | --- |
152+
| `github-app` | `GITHUB_APP_ID`, `GITHUB_PRIVATE_KEY` | orchestrator |
156153
| `github-webhook-secret` | `WEBHOOK_SECRET` | orchestrator |
157154
| `orchestrator-config` | `JOB_TTL_SECONDS`, `ADMIN_TOKEN` | orchestrator |
158155
| `anthropic-api-key` | `ANTHROPIC_API_KEY` | worker-claude |
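Review bot: the `orchestrator-config` row puts a non-sensitive tuning value (`JOB_TTL_SECONDS`) in the same Secret as `ADMIN_TOKEN`. Anything granted `get` on that Secret to read the TTL also receives the bearer token that guards the admin endpoints. Move `JOB_TTL_SECONDS` to a ConfigMap and leave the Secret holding only `ADMIN_TOKEN`, so RBAC on the token can be kept to the orchestrator's service account alone.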
@@ -175,12 +172,12 @@ kubectl -n ai-bot get secret anthropic-api-key -o jsonpath='{.data.ANTHROPIC_API
175172

176173
### Docker Images
177174

178-
| Image | Dockerfile |
179-
|-------|-----------|
180-
| `ghcr.io/<your-org>/orchestrator:latest` | `images/orchestrator/Dockerfile` |
181-
| `worker-claude:latest` | `images/worker-claude/Dockerfile` |
182-
| `worker-codex:latest` | `images/worker-codex/Dockerfile` |
183-
| `worker-aider:latest` | `images/worker-aider/Dockerfile` |
175+
| Image | Dockerfile |
176+
| ---------------------------------------- | --------------------------------- |
177+
| `ghcr.io/hey-intent/orchestrator:latest` | `images/orchestrator/Dockerfile` |
178+
| `worker-claude:latest` | `images/worker-claude/Dockerfile` |
179+
| `worker-codex:latest` | `images/worker-codex/Dockerfile` |
180+
| `worker-aider:latest` | `images/worker-aider/Dockerfile` |
184181

185182
Rebuild and reimport after changes:
186183
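Review bot: the orchestrator image is now named after a remote registry (`ghcr.io/hey-intent/orchestrator:latest`) while the text below still says it is only built locally and imported with `docker save ... | k3s ctr images import`. The workers keep unqualified local names. The Troubleshooting table's `ErrImageNeverPull` entry shows the pods rely on `imagePullPolicy: Never`; if that policy is ever relaxed, or the tag is missing from containerd, the kubelet will pull `ghcr.io/hey-intent/orchestrator:latest` from GHCR and run whatever is published there. Either actually push to GHCR and pin the deployment to a digest, or keep the unqualified `orchestrator:latest` name like the workers so a mismatch fails closed.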

@@ -249,7 +246,7 @@ curl -s -X POST http://127.0.0.1:8080/jobs/run -H "Authorization: Bearer <ADMIN_
249246
### Threat Model
250247

251248
| Surface | Risk | Mitigation |
252-
|---------|------|------------|
249+
| --- | --- | --- |
253250
| **Incoming webhook** | Fake webhook to trigger a job | HMAC-SHA256 signature (`WEBHOOK_SECRET`) verified on every request |
254251
| **Admin endpoints** | Unauthorized access | Bearer token (`ADMIN_TOKEN`), not exposed via Ingress |
255252
| **GitHub App private key** | Theft = full access | PEM in orchestrator pod only, workers receive an ephemeral token (1h) |
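Review bot: the **Incoming webhook** row covers forgery but not replay. An HMAC-SHA256 signature over the body proves the payload came from GitHub, yet a captured, validly signed delivery can be resubmitted later to trigger the same job again. Add a mitigation to the row: deduplicate on the `X-GitHub-Delivery` header (and drop events older than a short window), and state that the signature comparison is constant-time (`hmac.compare_digest`), since the table is the only place the README documents these guarantees.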
@@ -272,7 +269,7 @@ curl -s -X POST http://127.0.0.1:8080/jobs/run -H "Authorization: Bearer <ADMIN_
272269
## Troubleshooting
273270

274271
| Symptom | Diagnostic |
275-
|---------|-----------|
272+
| --- | --- |
276273
| `ErrImageNeverPull` | Image not imported into k3s (`docker save ... \| sudo k3s ctr images import -`) |
277274
| `CrashLoopBackOff` | `kubectl logs pod/<pod> --previous` |
278275
| `Not logged in` | Missing API secret (depends on provider) |

ansible/group_vars/vps.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,14 +1,14 @@
11
# --- Cluster ---
2-
k3s_version: "v1.31.4+k3s1" # pin a stable version
2+
k3s_version: "v1.31.4+k3s1" # pin a stable version
33
kubeconfig_path: /etc/rancher/k3s/k3s.yaml
44

55
# --- Project ---
66
project_dir: /opt/patchwork-agent
7-
repo_url: "https://github.com/<your-org>/k3-github-pr.git"
7+
repo_url: "https://github.com/hey-intent/patchwork-agents.git"
88
repo_branch: main
99

1010
# --- Images ---
11-
orchestrator_image: "ghcr.io/<your-org>/orchestrator:latest"
11+
orchestrator_image: "ghcr.io/hey-intent/orchestrator:latest"
1212
worker_images:
1313
- name: worker-claude
1414
dockerfile: images/worker-claude/Dockerfile
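Review bot: with `repo_branch: main` and `orchestrator_image` ending in `:latest`, a run of this playbook deploys whatever `main` happens to contain at that moment and gives it a tag that never changes, so two VPS hosts provisioned a day apart can run different code under the same image name with no record of which commit either has. Pin `repo_branch` (or add a `repo_version` used as the `git checkout` ref) and derive the image tag from it. Also note the cosmetic mismatch between `project_dir: /opt/patchwork-agent` (singular) and the new `repo_url` ending in `patchwork-agents.git`.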

ansible/playbook.yml

Lines changed: 38 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -19,10 +19,29 @@
1919
name:
2020
- git
2121
- curl
22-
- docker.io
2322
- jq
2423
state: present
2524
update_cache: true
25+
- name: Add Docker GPG key
26+
shell: |
27+
install -m 0755 -d /etc/apt/keyrings
28+
curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
29+
chmod a+r /etc/apt/keyrings/docker.asc
30+
args:
31+
creates: /etc/apt/keyrings/docker.asc
32+
33+
- name: Add Docker repository
34+
shell: |
35+
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo $VERSION_CODENAME) stable" > /etc/apt/sources.list.d/docker.list
36+
args:
37+
creates: /etc/apt/sources.list.d/docker.list
38+
39+
- name: Install Docker CE
40+
apt:
41+
name: [docker-ce, docker-ce-cli, containerd.io, docker-buildx-plugin]
42+
state: present
43+
update_cache: true
44+
notify: Restart docker
2645

2746
- name: Enable and start Docker
2847
ansible.builtin.systemd_service:
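Review bot: the "Add Docker GPG key" task downloads the repository signing key with `curl -fsSL ... -o /etc/apt/keyrings/docker.asc` and trusts it unconditionally; TLS protects the transport, but nothing checks that the key obtained is the one Docker publishes. Replace the `shell` task with `ansible.builtin.get_url` and a `checksum:` of the known key, or follow the download with a `gpg --show-keys --with-fingerprint` check against the fingerprint in Docker's install docs and fail the play on mismatch. Two smaller points in the same hunk: the repository line hardcodes `linux/ubuntu`, so on a Debian VPS `$VERSION_CODENAME` will name a suite that does not exist on that path and `apt` will fail at "Install Docker CE"; and `ansible.builtin.deb822_repository` (or `apt_repository`) would replace the `echo ... > docker.list` shell task with an idempotent module that does not need the `creates:` guard.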
@@ -86,10 +105,9 @@
86105
- name: Build orchestrator image
87106
ansible.builtin.command:
88107
cmd: >
89-
docker build
90-
-f {{ project_dir }}/images/orchestrator/Dockerfile
91-
-t {{ orchestrator_image }}
92-
{{ project_dir }}
108+
docker build -f {{ project_dir }}/images/orchestrator/Dockerfile -t {{ orchestrator_image }} {{ project_dir }}
109+
110+
93111
changed_when: true
94112

95113
- name: Import orchestrator image into k3s
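Review bot: lines 109 and 110 are stray empty `+` lines left inside the `cmd: >` folded scalar after the build command was collapsed onto one line; they add trailing whitespace to the command string and should be removed. The collapse itself is fine, but `changed_when: true` means every play run rebuilds and reports a change even when nothing in `{{ project_dir }}` moved, which hides real changes in the play recap; consider keying `changed_when` on the build output (`'Writing image' in` or the absence of `CACHED` on all steps) or accept it explicitly with a comment.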
@@ -103,10 +121,9 @@
103121
- name: Build worker images
104122
ansible.builtin.command:
105123
cmd: >
106-
docker build
107-
-f {{ project_dir }}/{{ item.dockerfile }}
108-
-t {{ item.name }}:latest
109-
{{ project_dir }}
124+
docker build -f {{ project_dir }}/{{ item.dockerfile }} -t {{ item.name }}:latest {{ project_dir }}
125+
126+
110127
loop: "{{ worker_images }}"
111128
changed_when: true
112129

@@ -144,10 +161,10 @@
144161
stringData:
145162
GITHUB_APP_ID: "{{ github_app_id }}"
146163
GITHUB_PRIVATE_KEY: |
147-
{{ lookup('ansible.builtin.file', github_private_key_path) | indent(14, true) }}
164+
{{ lookup('ansible.builtin.file', github_private_key_path) | indent(14, false) }}
148165
register: apply_secret_github_app
149166
changed_when: "'created' in apply_secret_github_app.stdout or 'configured' in apply_secret_github_app.stdout"
150-
no_log: true
167+
# no_log: true
151168

152169
- name: Apply github-webhook-secret
153170
ansible.builtin.command:
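Review bot: commenting out `no_log: true` (line 167) on the task that pipes the GitHub App PEM into `kubectl apply` must not ship. Without it, any failure, or a run with `-v`, prints the task arguments including the full Secret manifest with `GITHUB_PRIVATE_KEY`, and the `register: apply_secret_github_app` result keeps the stdin in memory for the rest of the play; the README's own threat model calls theft of this key "full access". If it was disabled to debug the indentation fix, gate it instead of removing it, for example `no_log: "{{ not (debug_secrets | default(false)) }}"`. The `indent(14, false)` change is correct only if the `{{ lookup(...) }}` expression sits at exactly 14 spaces under `GITHUB_PRIVATE_KEY: |`; `first=false` stops the first `-----BEGIN` line from being indented twice while the rest of the PEM is shifted into the block scalar. Verify the stored key parses rather than eyeballing the output: `kubectl -n ai-bot get secret github-app -o jsonpath='{.data.GITHUB_PRIVATE_KEY}' | base64 -d | openssl rsa -check -noout`.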
@@ -163,7 +180,7 @@
163180
WEBHOOK_SECRET: "{{ webhook_secret }}"
164181
register: apply_secret_webhook
165182
changed_when: "'created' in apply_secret_webhook.stdout or 'configured' in apply_secret_webhook.stdout"
166-
no_log: true
183+
# no_log: true
167184

168185
- name: Apply orchestrator-config secret
169186
ansible.builtin.command:
@@ -180,7 +197,7 @@
180197
ADMIN_TOKEN: "{{ admin_token }}"
181198
register: apply_secret_orchestrator_cfg
182199
changed_when: "'created' in apply_secret_orchestrator_cfg.stdout or 'configured' in apply_secret_orchestrator_cfg.stdout"
183-
no_log: true
200+
# no_log: true
184201

185202
- name: Apply anthropic-api-key secret
186203
ansible.builtin.command:
@@ -197,7 +214,7 @@
197214
register: apply_secret_anthropic
198215
changed_when: "'created' in apply_secret_anthropic.stdout or 'configured' in apply_secret_anthropic.stdout"
199216
when: anthropic_api_key | length > 0
200-
no_log: true
217+
# no_log: true
201218

202219
- name: Apply openai-api-key secret
203220
ansible.builtin.command:
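Review bot: same `# no_log: true` problem here for `ANTHROPIC_API_KEY`, and separately the `when: anthropic_api_key | length > 0` guard means that clearing the variable skips the task rather than removing the Secret, so a key you rotated out of `group_vars` stays live in the cluster until someone deletes `anthropic-api-key` by hand. Either add a companion task that runs `kubectl -n ai-bot delete secret anthropic-api-key --ignore-not-found` when the variable is empty, or document in the README that removing a provider key requires a manual delete. The same applies to the `openai-api-key` and `openrouter-api-key` tasks below.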
@@ -214,7 +231,7 @@
214231
register: apply_secret_openai
215232
changed_when: "'created' in apply_secret_openai.stdout or 'configured' in apply_secret_openai.stdout"
216233
when: openai_api_key | length > 0
217-
no_log: true
234+
# no_log: true
218235

219236
- name: Apply openrouter-api-key secret
220237
ansible.builtin.command:
@@ -231,7 +248,7 @@
231248
register: apply_secret_openrouter
232249
changed_when: "'created' in apply_secret_openrouter.stdout or 'configured' in apply_secret_openrouter.stdout"
233250
when: openrouter_api_key | length > 0
234-
no_log: true
251+
# no_log: true
235252

236253
- name: Copy orchestrator manifest to temporary file
237254
ansible.builtin.copy:
@@ -276,3 +293,8 @@
276293
- name: Print status
277294
ansible.builtin.debug:
278295
var: status.stdout_lines
296+
handlers:
297+
- name: Restart docker
298+
ansible.builtin.systemd_service:
299+
name: docker
300+
state: restarted
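Review bot: the new `Restart docker` handler is redundant with the existing "Enable and start Docker" task (`ansible.builtin.systemd_service`, visible at line 46 above). A fresh `docker-ce` install already starts the service, and handlers run at the end of the play, so the restart fires after every `docker build` and `docker save` has completed and buys nothing; on a re-run where the package is unchanged it never fires at all. Drop the handler and the `notify: Restart docker`, or, if a restart after an upgrade is really wanted, `meta: flush_handlers` immediately after "Install Docker CE" so it happens before the builds.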
