alexei.dolgolyov/tiny-forge
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1c47030854c5a42e86bd79bcdddb263089d67c65
tiny-forge/plans/gitops/phase-1-core.md
T
alexei.dolgolyov 7733e64b08 feat(gitops): config-as-code via .tinyforge.yml for repo-backed workloads 
A dockerfile or static workload can opt in to reading its deploy config from a
.tinyforge.yml in its own repo. Tinyforge fetches the file, shows field-level
drift vs the live config, and an admin applies it with an explicit Sync. The
repo becomes the source of truth for the declared fields. Manual-sync only;
no auto-apply on deploy, no multi-workload reconcile, no create/delete in v1.

Scope is deliberately source-aware and source_config-resident: dockerfile
declares port/healthcheck/deploy_strategy, static declares deploy_strategy.
The file never carries repo coords or secrets (those stay in the encrypted
DB), which keeps credentials out of the repo.

Backend:
- internal/gitops: Spec/ParseSpec (KnownFields rejects unknown keys), a
  source-aware ApplyPlan/BuildPlan, MergeAndValidate (omitted-field-preserving
  deep merge + validate-the-merged-result-then-commit — never a partial
  config), declared-only Drift with normalization, and Fetch with
  ok/no_file/fetch_failed/invalid statuses and token-redacted messages.
- staticsite: DownloadFile added to GitProvider + Gitea/GitHub/GitLab impls,
  reusing each provider's SSRF-safe client; 64 KiB cap; ErrFileNotFound.
- store: 4 additive gitops_* columns + setters (disjoint from UpdateWorkload
  so the edit-form save and a sync never clobber each other).
- api: GET /workloads/{id}/gitops (status + raw + live drift + managed_fields),
  PUT /gitops (admin, enable/path, traversal-safe), POST /gitops/sync (admin,
  per-workload locked read->merge->validate->write, audited to event_log).

Frontend:
- GitOpsPanel.svelte: status pill, a purpose-built field-level drift view,
  .tinyforge.yml preview, enable ToggleSwitch, Sync via ConfirmDialog; all five
  statuses handled, admin affordances gated on the real viewer role.
- GitOps-managed badge (list + detail hero) and a read-only edit-form banner.
- api.ts fetchers + types; i18n apps.detail.gitops.* (en + ru parity).

Built phase-by-phase with an adversarial plan review (caught 5 design flaws
pre-implementation) and an independent review per phase (go / security / ts /
final) — all APPROVE, 0 CRITICAL/HIGH. docs/gitops.md documents the schema and
what's intentionally out of v1. Plan: plans/gitops/.
2026-06-21 23:32:02 +03:00

3.6 KiB
Raw Blame History

Phase 1 — GitOps core (backend, no UI, no mutations)

Pure logic + fetch. No HTTP endpoints, no DB writes to workloads yet (migration only).

Tasks

  • Migration: append 4 additive columns to the workloads-table migration list in internal/store/store.go (idempotent ALTER TABLE workloads ADD COLUMN):
    • gitops_enabled INTEGER NOT NULL DEFAULT 0
    • gitops_path TEXT NOT NULL DEFAULT '.tinyforge.yml'
    • gitops_last_sync_at TEXT NOT NULL DEFAULT ''
    • gitops_commit_sha TEXT NOT NULL DEFAULT ''
    • Add the fields to the Workload struct in internal/store/models.go + the scan/insert/update column lists in internal/store/workloads.go (read path now; write path for the setters lands in Phase 2).
  • internal/gitops package — spec.go: Spec struct mirroring the v1 schema (Version int, Deploy DeploySpec{Port *int, Healthcheck *string, DeployStrategy *string, Resources *ResourceSpec{CpuLimit *float64, MemoryLimit *int}, MaxInstances *int}). Pointers so "omitted" is distinguishable from "zero". ParseSpec([]byte) (Spec, error) using gopkg.in/yaml.v3 with KnownFields(true) to reject unknown keys; reject version != 1.
  • apply.go: typed ApplyPlan{ SourceConfigPatch map[string]any } (env/faces slots reserved in a comment). BuildPlan(spec) ApplyPlan maps only the present (non-nil) declared fields to their source_config JSON keys (port, healthcheck, deploy_strategy, cpu_limit, memory_limit, max_instances).
  • merge.go: MergeAndValidate(liveConfig json.RawMessage, plan ApplyPlan, validate func(json.RawMessage) error) (json.RawMessage, error) — deep-copy live → overlay only the patch keys (omitted-field-preserving) → marshal → run validate on the merged result → return merged or error. Never returns a partial/empty config.
  • drift.go: Drift(spec Spec, liveConfig json.RawMessage) ([]DriftEntry, error) where DriftEntry{Field string /*dotted path*/, RepoValue string, LiveValue string}. Compare only declared leaves, post-normalization:
    • deploy_strategy via the source's effective-default rule ("" == "recreate" for dockerfile/static) — import or replicate effectiveStrategy semantics.
    • numeric coercion (YAML int vs JSON number) compared by value, not raw string.
  • Provider DownloadFile: add DownloadFile(ctx, owner, repo, ref, path string, maxBytes int64) ([]byte, error) to the GitProvider interface in internal/staticsite/provider.go and implement for Gitea, GitHub, GitLab using each provider's existing raw-file endpoint + the safe HTTP client. Cap at 64 KiB. Distinguish 404 (file absent) from transport/5xx errors.
  • fetch.go: Fetch(ctx, deps, w) (Result, error) where Result{ Raw []byte, Spec Spec, CommitSHA string, Status string /* ok|no_file|fetch_failed */ }. Decrypt access_token, build provider via NewGitProvider, GetLatestCommitSHA, then DownloadFile(gitops_path). Missing file → no_file (NOT an error). All errors routed through the existing sanitizeError(msg, token) so the token never leaks.
  • Unit tests (*_test.go): ParseSpec (valid/unknown-key/bad-version); MergeAndValidate (omitted-field preserved, invalid merged config rejected, no clobber); Drift (declared-only, deploy_strategy normalization, numeric coercion, no false positive on undeclared keys); a redaction test mirroring static/helpers_test.go.

Verify

  • go build ./..., go vet ./internal/..., go test ./internal/... green.

Handoff notes

(filled after implementation)

Reference in New Issue View Git Blame Copy Permalink