Skip to content

feat: update for latest OpenShell with Helm chart and provider system#1

Merged
robbycochran merged 3 commits into
mainfrom
update-latest-openshell
May 28, 2026
Merged

feat: update for latest OpenShell with Helm chart and provider system#1
robbycochran merged 3 commits into
mainfrom
update-latest-openshell

Conversation

@robbycochran

Copy link
Copy Markdown
Collaborator

Summary

Modernize the harness to use the official OpenShell Helm chart and provider-based credential management:

  • deploy.sh: Helm pkiInitJob for TLS (no manual OpenSSL), supervisor sideloading via init-container (no DaemonSet), configurable images with upstream defaults
  • setup-providers.sh (new): Register credentials via openshell provider create instead of raw K8s secrets
  • ocp-sandbox.sh: Use --provider flags for credential injection, auto-detect registered providers, keep file uploads for ADC/GWS

Removed

  • Manual TLS certificate generation
  • Supervisor DaemonSet (Helm handles init-container sideloading)
  • Manual K8s secret extraction for credentials
  • Obsolete docs: openshift-deploy.md, agent-observability-spike.md, quay-pull-secret.yaml.template

Updated

  • README, sandbox-CLAUDE.md, sandbox-harness.md for new workflow

Test plan

  • Run deploy.sh on OpenShift cluster — gateway comes up, certgen job completes
  • Run setup-providers.sh with env vars set — openshell provider list shows providers
  • Run ocp-sandbox.sh --name test — sandbox starts with credentials available
  • Inside sandbox: gh auth status, Jira MCP query, gws CLI all work
  • verify-integrations.py passes

…r system

Modernize the deployment to use the official OpenShell Helm chart and
provider-based credential management instead of manual TLS generation,
DaemonSet supervisor installation, and raw K8s secret extraction.

Changes:
- deploy.sh: use Helm pkiInitJob for TLS, remove DaemonSet supervisor
  (Helm handles init-container sideloading), remove manual credential
  secrets, make images configurable with upstream defaults
- setup-providers.sh: new script to register credentials via
  `openshell provider create` instead of storing them as K8s secrets
- ocp-sandbox.sh: use --provider flags for credential injection,
  auto-detect registered providers, keep file uploads for ADC/GWS
- Remove obsolete docs (openshift-deploy.md, agent-observability-spike.md,
  quay-pull-secret.yaml.template)
- Update README, sandbox-CLAUDE.md, sandbox-harness.md for new workflow
The local Helm chart uses appVersion 0.0.0 as a dev placeholder, which
causes ImagePullBackOff for certgen and supervisor images. Auto-resolve
the latest release tag from GitHub when no GATEWAY_IMAGE_TAG is set.

Also set supervisor.image.tag to match the gateway tag and enable
allowUnauthenticatedUsers for single-user dev clusters where the
Helm chart does not render the mTLS auth config section.
ADC secrets (client_secret, refresh_token) are stored as provider
credentials and resolved by the proxy during OAuth token exchange.
Non-secret fields are injected as literal env vars since they're
read locally by Google's auth library.

Atlassian credentials use base64-encoded literal env vars (Basic auth
hides placeholders from the proxy). MCP config written via python3
to prevent JSON injection.

Network policy splits Google endpoints: L7 with body rewrite on
oauth2.googleapis.com only, plain L4 passthrough for Vertex AI
streaming. Adds downloads.claude.ai for skill/plugin installs.
@robbycochran robbycochran merged commit 0f32554 into main May 28, 2026
@robbycochran robbycochran deleted the update-latest-openshell branch June 13, 2026 14:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant