Goal
Adopt the kubectl-applied (non-Helm) manifests into GitOps in place. Plan: docs/plans/gitops-adoption.md.

Workloads and sources
deploy/keycloak/ (deployment, service, ingress + configMapGenerator of realm-coder.json, disableNameSuffixHash: true).
deploy/gitlab/statefulset.yaml, service.yaml, ingress.yaml, ServiceAccount.
deploy/coder/provisioners.yaml (coder-provisioner-alpha, coder-provisioner-bravo, ns coder).
workspace RBAC: deploy/platform/workspace-rbac.yaml (Role + RoleBinding in coder-workspaces).
gp3 StorageClass: live only, not in git today.
namespaces: partly created via Helm --create-namespace / ad hoc.

Tasks
Author the missing manifests into git first: reconstruct the gp3 StorageClass from kubectl get sc gp3 -o yaml (strip runtime fields, keep storageclass.kubernetes.io/is-default-class); author explicit Namespace manifests for coder, coder-workspaces, keycloak, gitlab, ingress-nginx, external-secrets (and the new monitoring).
keycloak: Argo Application (Kustomize). The generated ConfigMap name keycloak-realm-coder is stable, so adoption is clean. Realm content is API state, handled in the keycloak-config-cli issue, not here.
gitlab: annotation tracking + ServerSideApply=true, Replace=false, never prune the 3 volumeClaimTemplates PVCs (the only copy of GitLab + embedded Postgres data). Treat the StatefulSet selector and volumeClaimTemplates as immutable.
provisioner Deployments: adopt after ESO so coder-provisioner-{alpha,bravo} secrets exist; the org-scoped provisioner keys are create-once API state (Coder API issue).
workspace RBAC, gp3 StorageClass, namespaces: adopt in place; cluster-scoped objects have immutable key fields, never delete/recreate.
Render, diff (metadata-only), sync per workload.

Landmines
gitlab data PVCs (never Replace/prune).
gp3 StorageClass and namespaces missing from git (author first).
Generated by Coder Agents.
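
One way to implement the "render, diff (metadata-only)" gate from the task list, as an added example that is not code from this repository: it checks every field a rendered manifest declares against the live object and separates metadata changes from changes to the StatefulSet selector and volumeClaimTemplates. The function names and the sample object are constructed for illustration, and the inputs are assumed to be already-parsed objects (for instance from `kubectl get -o json`).

```python
# Fields the plan treats as immutable, per kind (tuple paths into the object).
IMMUTABLE = {"StatefulSet": [("spec", "selector"), ("spec", "volumeClaimTemplates")]}
_MISSING = object()

def leaves(node, path=()):
    """Yield (path, value) for every leaf field a manifest declares."""
    if isinstance(node, dict) and node:
        for key, value in node.items():
            yield from leaves(value, path + (key,))
    elif isinstance(node, list) and node:
        for index, value in enumerate(node):
            yield from leaves(value, path + (index,))
    else:
        yield path, node

def lookup(node, path):
    """Follow path into the live object; _MISSING when the field is absent."""
    for step in path:
        if not isinstance(node, (dict, list)):
            return _MISSING
        try:
            node = node[step]
        except (KeyError, IndexError, TypeError):
            return _MISSING
    return node

def adoption_diff(live, rendered):
    """Bucket each field declared in git whose value differs from the live object."""
    diff = {"metadata": [], "immutable": [], "other": []}
    locked = IMMUTABLE.get(rendered.get("kind"), [])
    for path, wanted in leaves(rendered):
        if lookup(live, path) == wanted:
            continue  # server-side defaults that exist only in live are never visited
        hit = any(path[:len(p)] == p for p in locked)
        bucket = "metadata" if path[:1] == ("metadata",) else "immutable" if hit else "other"
        diff[bucket].append("/".join(map(str, path)))
    return diff

def safe_to_sync(live, rendered):
    """True only when the sync would touch nothing outside metadata."""
    diff = adoption_diff(live, rendered)
    return not diff["immutable"] and not diff["other"]

# Constructed sample (not from the cluster): trimmed live GitLab StatefulSet.
LIVE = {"kind": "StatefulSet", "metadata": {"name": "gitlab", "namespace": "gitlab"},
        "spec": {"selector": {"matchLabels": {"app": "gitlab"}},
                 "volumeClaimTemplates": [{"metadata": {"name": "data"},
                     "spec": {"storageClassName": "gp3", "volumeMode": "Filesystem"}}]},
        "status": {"readyReplicas": 1}}
```

Because only fields present in the rendered manifest are compared, a field deleted from git is not reported; the check guards against unintended changes, not omissions.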