feat(gitops): config-as-code via .tinyforge.yml for repo-backed workloads
A dockerfile or static workload can opt in to reading its deploy config from a
.tinyforge.yml in its own repo. Tinyforge fetches the file, shows field-level
drift vs the live config, and an admin applies it with an explicit Sync. The
repo becomes the source of truth for the declared fields. Manual-sync only;
no auto-apply on deploy, no multi-workload reconcile, no create/delete in v1.
Scope is deliberately source-aware and source_config-resident: dockerfile
declares port/healthcheck/deploy_strategy, static declares deploy_strategy.
The file never carries repo coords or secrets (those stay in the encrypted
DB), which keeps credentials out of the repo.
Backend:
- internal/gitops: Spec/ParseSpec (KnownFields rejects unknown keys), a
source-aware ApplyPlan/BuildPlan, MergeAndValidate (omitted-field-preserving
deep merge + validate-the-merged-result-then-commit — never a partial
config), declared-only Drift with normalization, and Fetch with
ok/no_file/fetch_failed/invalid statuses and token-redacted messages.
- staticsite: DownloadFile added to GitProvider + Gitea/GitHub/GitLab impls,
reusing each provider's SSRF-safe client; 64 KiB cap; ErrFileNotFound.
- store: 4 additive gitops_* columns + setters (disjoint from UpdateWorkload
so the edit-form save and a sync never clobber each other).
- api: GET /workloads/{id}/gitops (status + raw + live drift + managed_fields),
PUT /gitops (admin, enable/path, traversal-safe), POST /gitops/sync (admin,
per-workload locked read->merge->validate->write, audited to event_log).
Frontend:
- GitOpsPanel.svelte: status pill, a purpose-built field-level drift view,
.tinyforge.yml preview, enable ToggleSwitch, Sync via ConfirmDialog; all five
statuses handled, admin affordances gated on the real viewer role.
- GitOps-managed badge (list + detail hero) and a read-only edit-form banner.
- api.ts fetchers + types; i18n apps.detail.gitops.* (en + ru parity).
Built phase-by-phase with an adversarial plan review (caught 5 design flaws
pre-implementation) and an independent review per phase (go / security / ts /
final) — all APPROVE, 0 CRITICAL/HIGH. docs/gitops.md documents the schema and
what's intentionally out of v1. Plan: plans/gitops/.
This commit is contained in:
@@ -0,0 +1,83 @@
|
||||
package gitops
|
||||
|
||||
// source_config JSON keys this package can overlay. Kept as constants so the
|
||||
// apply, merge, and drift paths agree on the exact key strings.
|
||||
const (
|
||||
keyPort = "port"
|
||||
keyHealthcheck = "healthcheck"
|
||||
keyDeployStrategy = "deploy_strategy"
|
||||
)
|
||||
|
||||
// Source kinds eligible for GitOps in v1 (git-backed sources only).
|
||||
const (
|
||||
SourceDockerfile = "dockerfile"
|
||||
SourceStatic = "static"
|
||||
)
|
||||
|
||||
// supportedKeys returns the source_config keys a given source kind accepts
|
||||
// from a .tinyforge.yml overlay. A field declared in the file but not in this
|
||||
// set is ignored (not applied, not drift-compared) so a shared file can target
|
||||
// either source without producing dead keys or false drift.
|
||||
//
|
||||
// dockerfile: port + healthcheck + deploy_strategy (its real run knobs).
|
||||
// static: deploy_strategy only (a static site has no port/healthcheck).
|
||||
func supportedKeys(sourceKind string) map[string]bool {
|
||||
switch sourceKind {
|
||||
case SourceDockerfile:
|
||||
return map[string]bool{keyPort: true, keyHealthcheck: true, keyDeployStrategy: true}
|
||||
case SourceStatic:
|
||||
return map[string]bool{keyDeployStrategy: true}
|
||||
default:
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
// IsEligibleSource reports whether GitOps may be enabled for a source kind.
|
||||
func IsEligibleSource(sourceKind string) bool {
|
||||
return supportedKeys(sourceKind) != nil
|
||||
}
|
||||
|
||||
// ApplyPlan is the typed, multi-target plan for applying an overlay. In v1 only
|
||||
// SourceConfigPatch is populated; EnvUpserts/Faces are reserved so env (the
|
||||
// workload_env table) and faces (the public_faces column) can be added later
|
||||
// without reshaping the apply path — they are NOT in v1 (env would re-open the
|
||||
// secrets-in-repo hole; faces live in a sibling store).
|
||||
type ApplyPlan struct {
|
||||
// SourceConfigPatch holds the source_config keys to overlay onto the live
|
||||
// config. Only keys supported by the target source are present.
|
||||
SourceConfigPatch map[string]any
|
||||
|
||||
// reserved for future phases — see package doc.
|
||||
// EnvUpserts []store.WorkloadEnv
|
||||
// Faces []plugin.PublicFace
|
||||
}
|
||||
|
||||
// declaredValues returns the present (non-nil) overlay fields keyed by their
|
||||
// source_config JSON key, before the per-source filter. Shared by BuildPlan and
|
||||
// Drift so they agree on what the file declared.
|
||||
func declaredValues(spec Spec) map[string]any {
|
||||
out := map[string]any{}
|
||||
if spec.Deploy.Port != nil {
|
||||
out[keyPort] = *spec.Deploy.Port
|
||||
}
|
||||
if spec.Deploy.Healthcheck != nil {
|
||||
out[keyHealthcheck] = *spec.Deploy.Healthcheck
|
||||
}
|
||||
if spec.Deploy.DeployStrategy != nil {
|
||||
out[keyDeployStrategy] = *spec.Deploy.DeployStrategy
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
// BuildPlan maps the present, source-supported overlay fields to a patch for
|
||||
// the given source kind. Unsupported/absent fields are dropped.
|
||||
func BuildPlan(spec Spec, sourceKind string) ApplyPlan {
|
||||
allowed := supportedKeys(sourceKind)
|
||||
patch := map[string]any{}
|
||||
for k, v := range declaredValues(spec) {
|
||||
if allowed[k] {
|
||||
patch[k] = v
|
||||
}
|
||||
}
|
||||
return ApplyPlan{SourceConfigPatch: patch}
|
||||
}
|
||||
Reference in New Issue
Block a user