feat(applicationsets): GitOps install of the eks-agent-platform operator #24
Merged
Closes the gap where the operator existed only in eks-agent-platform's own (never-bridged) ApplicationSet and had to be helm-installed by hand: eks-gitops now carries it as an ai-platform addon, deployed to every cluster opted in via the eks-agent-platform/enabled=true label cluster-bootstrap sets.

The operator needs per-cluster IRSA values (config.oidc.* + a role-arn ServiceAccount annotation) that embed the AWS account ID. To keep that out of this public repo, cluster-bootstrap publishes them as annotations on the in-cluster ArgoCD Secret and this ApplicationSet reads them through ArgoCD's cluster generator, injecting them via Helm valuesObject; config.environment / region come from the Secret's labels. The static config (self-signed webhook issuer, cilium NetworkPolicy engine) lives in addons/ai-platform/operator/values.yaml + per-env files. The account ID never lands in git.

The chart is sourced from git (the public eks-agent-platform charts/operator) so no chart release is required; the comment notes switching to the OCI registry once the chart is published, and that the operator image must be published multi-arch (incl. arm64) for the pods to start.

Pairs with landing-zone "publish agent-platform IRSA wiring on the cluster Secret".

Verified offline: yamllint clean; helm template of charts/operator with the injected valuesObject paths renders the role-arn annotation, --oidc-* flags, --environment, and the self-signed ClusterIssuer. Live ArgoCD render confirmed on the next cluster bring-up.
CI Results
All validations passed.
Closes the gap where the operator existed only in eks-agent-platform's never-bridged ApplicationSet and had to be helm-installed by hand. eks-gitops now carries it as an ai-platform addon, deployed to clusters opted in via the eks-agent-platform/enabled=true label cluster-bootstrap sets.

Per-cluster IRSA values (config.oidc.* + the role-arn SA annotation) embed the account ID, so cluster-bootstrap publishes them as in-cluster Secret annotations and this AppSet reads them via ArgoCD's cluster generator → Helm valuesObject. config.environment/region from the Secret labels. Static config (self-signed webhook issuer, cilium NetworkPolicy engine) in addons/ai-platform/operator/values.yaml + per-env files. Account ID never in git.

Chart is git-sourced (public eks-agent-platform/charts/operator) so no chart release needed — switch to OCI once published. The operator image must be published multi-arch (arm64) for pods to start.

Pairs with landing-zone #22 (publishes the annotations). Verified offline: yamllint clean; helm template of the chart with the injected valuesObject renders the role-arn annotation, --oidc-*, --environment, and the ClusterIssuer. Live ArgoCD render confirmed on next bring-up.
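
A sketch of the cluster generator to Helm valuesObject flow described above, added here as an illustration and not the ApplicationSet from this PR. The annotation and label keys, the chart value names under config.oidc and serviceAccount, the repo organisation, namespaces and revisions are placeholders or assumptions, as is the use of a second source to reach the static values file.

```yaml
# Added illustration; every name marked "placeholder" or "assumed" is not from the PR.
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: ai-platform-operator                 # placeholder
  namespace: argocd                          # assumed ArgoCD namespace
spec:
  goTemplate: true
  generators:
    - clusters:
        selector:
          matchLabels:
            eks-agent-platform/enabled: "true"   # opt-in label set by cluster-bootstrap
  template:
    metadata:
      name: 'operator-{{ .name }}'
    spec:
      project: default                       # assumed
      destination:
        server: '{{ .server }}'
        namespace: agent-platform-system     # placeholder
      sources:
        # Chart taken straight from git, so no chart release is needed.
        - repoURL: https://github.com/EXAMPLE-ORG/eks-agent-platform   # placeholder org
          targetRevision: main               # assumed
          path: charts/operator
          helm:
            valueFiles:
              # Static, non-sensitive config kept in git.
              - $values/addons/ai-platform/operator/values.yaml
            # Account-specific values are read from the cluster Secret at render
            # time, so git only ever holds template expressions, never the ARN.
            valuesObject:
              serviceAccount:                # assumed chart value path
                annotations:
                  eks.amazonaws.com/role-arn: '{{ index .metadata.annotations "example.com/agent-platform-role-arn" }}'
              config:
                environment: '{{ index .metadata.labels "environment" }}'   # assumed label key
                region: '{{ index .metadata.labels "region" }}'             # assumed label key
                oidc:
                  issuer: '{{ index .metadata.annotations "example.com/agent-platform-oidc-issuer" }}'   # placeholder sub-key
        # Second source only provides the $values reference used above.
        - repoURL: https://github.com/EXAMPLE-ORG/eks-gitops            # placeholder org
          targetRevision: main               # assumed
          ref: values
```

Because the sensitive values exist only as annotations on the in-cluster Secret, access to that Secret and to the rendered Application in ArgoCD should be scoped as tightly as access to the account ID itself.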