- 19 agent definition files with role, responsibilities, secrets, tools, constraints
- k8s manifests: namespace, ServiceAccounts, RBAC, NetworkPolicies, Job template, dispatcher CronJob
- dispatcher: Python CronJob that claims Vikunja Todo tasks and spawns agent Jobs
- container: Dockerfile + entrypoint bootstrapping OpenBao auth and opencode runtime
- Separate Dockerfile.dispatcher for the lightweight dispatcher image
---
# ServiceAccount per agent role
# One SA per role — bound to its own OpenBao AppRole secret
#
# Nineteen ServiceAccounts of identical shape, one per agent role, all in
# the autojanet namespace. Each carries an `autojanet/role` label equal to
# the role suffix of its name. NOTE(review): presumably the dispatcher and
# the NetworkPolicies select pods by this label — confirm against those
# manifests before renaming any role.
#
# Nothing in this file binds any of these SAs to a Role: the only
# RoleBinding in the file is for the dispatcher SA, so agent pods receive
# an API token that this file grants no RBAC to. NOTE(review):
# `automountServiceAccountToken` is left at its default (mounted). If the
# agent entrypoint reaches OpenBao via AppRole rather than the Kubernetes
# auth method, and the role does not otherwise need the API server
# (kubernetes-pilot may), setting it to false on the SA or on the Job
# template keeps the token out of the agent container entirely — confirm
# with the entrypoint before changing.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-pm
  namespace: autojanet
  labels:
    autojanet/role: pm
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-coder
  namespace: autojanet
  labels:
    autojanet/role: coder
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-code-reviewer
  namespace: autojanet
  labels:
    autojanet/role: code-reviewer
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-test-engineer
  namespace: autojanet
  labels:
    autojanet/role: test-engineer
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-devsecops
  namespace: autojanet
  labels:
    autojanet/role: devsecops
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-secops
  namespace: autojanet
  labels:
    autojanet/role: secops
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-sre
  namespace: autojanet
  labels:
    autojanet/role: sre
---
# NOTE(review): this role name suggests it drives the cluster; if so it is
# the one SA here that would actually need a RoleBinding and a mounted
# token — confirm what the kubernetes-pilot agent definition expects.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-kubernetes-pilot
  namespace: autojanet
  labels:
    autojanet/role: kubernetes-pilot
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-linux-admin
  namespace: autojanet
  labels:
    autojanet/role: linux-admin
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-systems-engineer
  namespace: autojanet
  labels:
    autojanet/role: systems-engineer
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-networking
  namespace: autojanet
  labels:
    autojanet/role: networking
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-dba
  namespace: autojanet
  labels:
    autojanet/role: dba
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-prometheus-expert
  namespace: autojanet
  labels:
    autojanet/role: prometheus-expert
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-tofu-engineer
  namespace: autojanet
  labels:
    autojanet/role: tofu-engineer
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-release-manager
  namespace: autojanet
  labels:
    autojanet/role: release-manager
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-doc-updater
  namespace: autojanet
  labels:
    autojanet/role: doc-updater
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-doc-writer
  namespace: autojanet
  labels:
    autojanet/role: doc-writer
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-technical-writer
  namespace: autojanet
  labels:
    autojanet/role: technical-writer
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-cost-optimizer
  namespace: autojanet
  labels:
    autojanet/role: cost-optimizer
---
# Dispatcher ServiceAccount — runs the CronJob that claims tasks
#
# The dispatcher Role and RoleBinding later in this file attach to this
# SA; it is the only subject in the file that is granted any API access.
# It carries the same `autojanet/role` label scheme as the agent SAs.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dispatcher
  namespace: autojanet
  labels:
    autojanet/role: dispatcher
---
# Role: agents can create/manage Jobs in their own namespace
#
# Namespaced Role (autojanet only). No RoleBinding in this file references
# it, so as written it grants nothing to anyone; keep it unbound unless a
# specific agent needs it. `create` on jobs is a strong privilege: a Job's
# pod template may name any ServiceAccount in the namespace, so a subject
# holding this verb can run workloads under the dispatcher's or another
# agent's identity unless an admission policy constrains serviceAccountName.
# `pods/log` read also exposes the output of every agent Job in the
# namespace, which may include task content the other roles handle.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: agent-job-runner
  namespace: autojanet
rules:
  # Jobs: create plus read-only observation; no update/patch/delete.
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["create", "get", "list", "watch"]
  # Core API: read pods and their logs only; no exec/attach, no secrets.
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
<!-- placeholder removed -->
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: dispatcher
|
|
namespace: autojanet
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: dispatcher
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: dispatcher
|
|
namespace: autojanet
|