Initial scaffold: API service, K8s operator, and CRDs

Forgebot is a K8s operator + API service for dispatching AI agent
jobs from git forge commands. Includes:

- CRDs: AgentPool, AgentTask, ProviderQueue, RepositoryBinding
- API server with webhook handler, task queue, and comment proxy
- Operator controllers for task scheduling and job management
- Gitea provider with webhook parsing and signature verification
- PostgreSQL database with auto-migration
- Woodpecker CI pipelines and multi-stage Dockerfiles
This commit is contained in:
2026-06-08 22:49:18 +10:00
parent fd1a4956ed
commit 49d514c050
46 changed files with 3139 additions and 0 deletions
@@ -0,0 +1,57 @@
package controller
import (
"context"
"k8s.io/apimachinery/pkg/runtime"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/log"
forgebotv1alpha1 "git.unkin.net/unkin/forgebot/api/v1alpha1"
)
type AgentPoolReconciler struct {
client.Client
Scheme *runtime.Scheme
}
// +kubebuilder:rbac:groups=forgebot.unkin.net,resources=agentpools,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=forgebot.unkin.net,resources=agentpools/status,verbs=get;update;patch
func (r *AgentPoolReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
logger := log.FromContext(ctx)
var pool forgebotv1alpha1.AgentPool
if err := r.Get(ctx, req.NamespacedName, &pool); err != nil {
return ctrl.Result{}, client.IgnoreNotFound(err)
}
var taskList forgebotv1alpha1.AgentTaskList
if err := r.List(ctx, &taskList, client.InNamespace(req.Namespace)); err != nil {
return ctrl.Result{}, err
}
active := 0
for _, task := range taskList.Items {
if task.Spec.PoolRef == pool.Name && task.Status.Phase == forgebotv1alpha1.TaskRunning {
active++
}
}
if pool.Status.ActiveJobs != active {
pool.Status.ActiveJobs = active
if err := r.Status().Update(ctx, &pool); err != nil {
return ctrl.Result{}, err
}
logger.Info("updated pool status", "pool", pool.Name, "active", active)
}
return ctrl.Result{}, nil
}
func (r *AgentPoolReconciler) SetupWithManager(mgr ctrl.Manager) error {
return ctrl.NewControllerManagedBy(mgr).
For(&forgebotv1alpha1.AgentPool{}).
Complete(r)
}
+186
View File
@@ -0,0 +1,186 @@
package controller
import (
"context"
"fmt"
batchv1 "k8s.io/api/batch/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/log"
forgebotv1alpha1 "git.unkin.net/unkin/forgebot/api/v1alpha1"
)
type AgentTaskReconciler struct {
client.Client
Scheme *runtime.Scheme
}
// +kubebuilder:rbac:groups=forgebot.unkin.net,resources=agenttasks,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=forgebot.unkin.net,resources=agenttasks/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;create;delete
func (r *AgentTaskReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
logger := log.FromContext(ctx)
var task forgebotv1alpha1.AgentTask
if err := r.Get(ctx, req.NamespacedName, &task); err != nil {
return ctrl.Result{}, client.IgnoreNotFound(err)
}
switch task.Status.Phase {
case forgebotv1alpha1.TaskPending, "":
return r.handlePending(ctx, &task)
case forgebotv1alpha1.TaskRunning:
return r.handleRunning(ctx, &task)
default:
logger.V(1).Info("task in terminal state", "phase", task.Status.Phase)
return ctrl.Result{}, nil
}
}
func (r *AgentTaskReconciler) handlePending(ctx context.Context, task *forgebotv1alpha1.AgentTask) (ctrl.Result, error) {
logger := log.FromContext(ctx)
var pool forgebotv1alpha1.AgentPool
if err := r.Get(ctx, client.ObjectKey{Namespace: task.Namespace, Name: task.Spec.PoolRef}, &pool); err != nil {
return ctrl.Result{}, fmt.Errorf("get pool %s: %w", task.Spec.PoolRef, err)
}
if pool.Status.ActiveJobs >= pool.Spec.MaxConcurrent {
logger.Info("pool at capacity, requeueing", "pool", pool.Name, "active", pool.Status.ActiveJobs)
return ctrl.Result{RequeueAfter: 10_000_000_000}, nil // 10s
}
job := r.buildJob(task, &pool)
if err := ctrl.SetControllerReference(task, job, r.Scheme); err != nil {
return ctrl.Result{}, err
}
if err := r.Create(ctx, job); err != nil {
return ctrl.Result{}, fmt.Errorf("create job: %w", err)
}
now := metav1.Now()
task.Status.Phase = forgebotv1alpha1.TaskRunning
task.Status.JobName = job.Name
task.Status.StartTime = &now
if err := r.Status().Update(ctx, task); err != nil {
return ctrl.Result{}, err
}
logger.Info("created job for task", "job", job.Name, "task", task.Name)
return ctrl.Result{}, nil
}
func (r *AgentTaskReconciler) handleRunning(ctx context.Context, task *forgebotv1alpha1.AgentTask) (ctrl.Result, error) {
logger := log.FromContext(ctx)
var job batchv1.Job
if err := r.Get(ctx, client.ObjectKey{Namespace: task.Namespace, Name: task.Status.JobName}, &job); err != nil {
return ctrl.Result{}, client.IgnoreNotFound(err)
}
if job.Status.Succeeded > 0 {
now := metav1.Now()
task.Status.Phase = forgebotv1alpha1.TaskSucceeded
task.Status.EndTime = &now
if err := r.Status().Update(ctx, task); err != nil {
return ctrl.Result{}, err
}
logger.Info("task succeeded", "task", task.Name)
return ctrl.Result{}, nil
}
if job.Status.Failed > 0 {
now := metav1.Now()
task.Status.Phase = forgebotv1alpha1.TaskFailed
task.Status.EndTime = &now
task.Status.Message = "job failed"
if err := r.Status().Update(ctx, task); err != nil {
return ctrl.Result{}, err
}
logger.Info("task failed", "task", task.Name)
return ctrl.Result{}, nil
}
return ctrl.Result{RequeueAfter: 15_000_000_000}, nil // 15s
}
func (r *AgentTaskReconciler) buildJob(task *forgebotv1alpha1.AgentTask, pool *forgebotv1alpha1.AgentPool) *batchv1.Job {
backoffLimit := int32(0)
ttl := int32(3600)
env := []corev1.EnvVar{
{Name: "FORGEBOT_REPO", Value: task.Spec.Repository},
{Name: "FORGEBOT_REF", Value: task.Spec.Ref},
{Name: "FORGEBOT_COMMAND", Value: task.Spec.Command},
{Name: "FORGEBOT_SKILL", Value: task.Spec.Skill},
{Name: "FORGEBOT_TASK_ID", Value: task.Name},
{Name: "FORGEBOT_MODEL", Value: pool.Spec.Model},
{Name: "FORGEBOT_BODY", Value: task.Spec.Context.Body},
{Name: "FORGEBOT_AUTHOR", Value: task.Spec.Context.Author},
{Name: "FORGEBOT_ISSUE_NUMBER", Value: fmt.Sprintf("%d", task.Spec.Context.IssueNumber)},
{Name: "FORGEBOT_PR_NUMBER", Value: fmt.Sprintf("%d", task.Spec.Context.PRNumber)},
{Name: "ANTHROPIC_BASE_URL", Value: pool.Spec.Endpoint},
}
if pool.Spec.CredentialSecretRef.Name != "" {
env = append(env, corev1.EnvVar{
Name: "ANTHROPIC_API_KEY",
ValueFrom: &corev1.EnvVarSource{
SecretKeyRef: &corev1.SecretKeySelector{
LocalObjectReference: pool.Spec.CredentialSecretRef,
Key: "api-key",
},
},
})
}
return &batchv1.Job{
ObjectMeta: metav1.ObjectMeta{
Name: fmt.Sprintf("forgebot-%s", task.Name),
Namespace: task.Namespace,
Labels: map[string]string{
"app.kubernetes.io/managed-by": "forgebot",
"forgebot.unkin.net/task": task.Name,
"forgebot.unkin.net/pool": pool.Name,
"forgebot.unkin.net/command": task.Spec.Command,
},
},
Spec: batchv1.JobSpec{
BackoffLimit: &backoffLimit,
TTLSecondsAfterFinished: &ttl,
Template: corev1.PodTemplateSpec{
ObjectMeta: metav1.ObjectMeta{
Labels: map[string]string{
"app.kubernetes.io/managed-by": "forgebot",
"forgebot.unkin.net/task": task.Name,
},
},
Spec: corev1.PodSpec{
ServiceAccountName: pool.Spec.ServiceAccountName,
RestartPolicy: corev1.RestartPolicyNever,
Containers: []corev1.Container{
{
Name: "agent",
Image: pool.Spec.Image,
Env: env,
Resources: pool.Spec.Resources,
},
},
},
},
},
}
}
func (r *AgentTaskReconciler) SetupWithManager(mgr ctrl.Manager) error {
return ctrl.NewControllerManagedBy(mgr).
For(&forgebotv1alpha1.AgentTask{}).
Owns(&batchv1.Job{}).
Complete(r)
}
@@ -0,0 +1,171 @@
package controller
import (
"context"
"encoding/json"
"fmt"
"io"
"net/http"
"time"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/log"
forgebotv1alpha1 "git.unkin.net/unkin/forgebot/api/v1alpha1"
"git.unkin.net/unkin/forgebot/pkg/models"
)
type ProviderQueueReconciler struct {
client.Client
Scheme *runtime.Scheme
HTTPClient *http.Client
}
// +kubebuilder:rbac:groups=forgebot.unkin.net,resources=providerqueues,verbs=get;list;watch;update;patch
// +kubebuilder:rbac:groups=forgebot.unkin.net,resources=providerqueues/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=forgebot.unkin.net,resources=agenttasks,verbs=create
// +kubebuilder:rbac:groups=forgebot.unkin.net,resources=repositorybindings,verbs=get;list;watch
func (r *ProviderQueueReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
logger := log.FromContext(ctx)
var queue forgebotv1alpha1.ProviderQueue
if err := r.Get(ctx, req.NamespacedName, &queue); err != nil {
return ctrl.Result{}, client.IgnoreNotFound(err)
}
pollInterval, err := time.ParseDuration(queue.Spec.PollInterval)
if err != nil {
pollInterval = 30 * time.Second
}
httpClient := r.HTTPClient
if httpClient == nil {
httpClient = &http.Client{Timeout: 10 * time.Second}
}
resp, err := httpClient.Get(queue.Spec.Endpoint + "/tasks?status=pending")
if err != nil {
now := metav1.Now()
queue.Status.LastPoll = &now
queue.Status.LastError = err.Error()
_ = r.Status().Update(ctx, &queue)
logger.Error(err, "failed to poll API")
return ctrl.Result{RequeueAfter: pollInterval}, nil
}
defer resp.Body.Close()
body, err := io.ReadAll(resp.Body)
if err != nil {
return ctrl.Result{RequeueAfter: pollInterval}, err
}
var tasks []models.Task
if err := json.Unmarshal(body, &tasks); err != nil {
return ctrl.Result{RequeueAfter: pollInterval}, err
}
var bindings forgebotv1alpha1.RepositoryBindingList
if err := r.List(ctx, &bindings, client.InNamespace(req.Namespace)); err != nil {
return ctrl.Result{RequeueAfter: pollInterval}, err
}
bindingMap := map[string]*forgebotv1alpha1.RepositoryBinding{}
for i := range bindings.Items {
b := &bindings.Items[i]
if b.Spec.ProviderQueueRef == queue.Name {
bindingMap[b.Spec.Repository] = b
}
}
for _, task := range tasks {
binding, ok := bindingMap[task.Repository]
if !ok {
continue
}
if !isAllowed(binding, task.Author, task.Command) {
continue
}
agentTask := &forgebotv1alpha1.AgentTask{
ObjectMeta: metav1.ObjectMeta{
Name: fmt.Sprintf("task-%s", task.ID[:8]),
Namespace: req.Namespace,
},
Spec: forgebotv1alpha1.AgentTaskSpec{
PoolRef: binding.Spec.AgentPoolRef,
Command: task.Command,
Skill: resolveSkill(binding, task.Command),
Repository: task.Repository,
Ref: task.Ref,
Context: forgebotv1alpha1.TaskContext{
IssueNumber: task.IssueNumber,
PRNumber: task.PRNumber,
CommentID: task.CommentID,
Body: task.Body,
Author: task.Author,
},
ExtraTools: task.ExtraTools,
ParentTaskRef: task.ParentTaskID,
},
}
if err := r.Create(ctx, agentTask); err != nil {
logger.Error(err, "failed to create AgentTask", "task", task.ID)
continue
}
queue.Status.TasksCreated++
logger.Info("created AgentTask", "task", agentTask.Name, "command", task.Command)
}
now := metav1.Now()
queue.Status.LastPoll = &now
queue.Status.LastError = ""
_ = r.Status().Update(ctx, &queue)
return ctrl.Result{RequeueAfter: pollInterval}, nil
}
func isAllowed(binding *forgebotv1alpha1.RepositoryBinding, author, command string) bool {
if len(binding.Spec.AllowedUsers) > 0 {
found := false
for _, u := range binding.Spec.AllowedUsers {
if u == author {
found = true
break
}
}
if !found {
return false
}
}
if len(binding.Spec.AllowedCommands) > 0 {
for _, c := range binding.Spec.AllowedCommands {
if c == command {
return true
}
}
return false
}
return true
}
func resolveSkill(binding *forgebotv1alpha1.RepositoryBinding, command string) string {
for _, m := range binding.Spec.SkillMapping {
if m.Command == command {
return m.Skill
}
}
return command
}
func (r *ProviderQueueReconciler) SetupWithManager(mgr ctrl.Manager) error {
return ctrl.NewControllerManagedBy(mgr).
For(&forgebotv1alpha1.ProviderQueue{}).
Complete(r)
}
@@ -0,0 +1,41 @@
package controller
import (
"context"
"k8s.io/apimachinery/pkg/runtime"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/log"
forgebotv1alpha1 "git.unkin.net/unkin/forgebot/api/v1alpha1"
)
type RepositoryBindingReconciler struct {
client.Client
Scheme *runtime.Scheme
}
// +kubebuilder:rbac:groups=forgebot.unkin.net,resources=repositorybindings,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=forgebot.unkin.net,resources=repositorybindings/status,verbs=get;update;patch
func (r *RepositoryBindingReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
logger := log.FromContext(ctx)
var binding forgebotv1alpha1.RepositoryBinding
if err := r.Get(ctx, req.NamespacedName, &binding); err != nil {
return ctrl.Result{}, client.IgnoreNotFound(err)
}
// TODO: Validate that referenced pool and queue exist
// TODO: Register webhook with Gitea for this repository
logger.V(1).Info("reconciled binding", "repo", binding.Spec.Repository)
return ctrl.Result{}, nil
}
func (r *RepositoryBindingReconciler) SetupWithManager(mgr ctrl.Manager) error {
return ctrl.NewControllerManagedBy(mgr).
For(&forgebotv1alpha1.RepositoryBinding{}).
Complete(r)
}
+37
View File
@@ -0,0 +1,37 @@
package controller
import (
ctrl "sigs.k8s.io/controller-runtime"
)
func SetupAll(mgr ctrl.Manager) error {
if err := (&AgentPoolReconciler{
Client: mgr.GetClient(),
Scheme: mgr.GetScheme(),
}).SetupWithManager(mgr); err != nil {
return err
}
if err := (&AgentTaskReconciler{
Client: mgr.GetClient(),
Scheme: mgr.GetScheme(),
}).SetupWithManager(mgr); err != nil {
return err
}
if err := (&ProviderQueueReconciler{
Client: mgr.GetClient(),
Scheme: mgr.GetScheme(),
}).SetupWithManager(mgr); err != nil {
return err
}
if err := (&RepositoryBindingReconciler{
Client: mgr.GetClient(),
Scheme: mgr.GetScheme(),
}).SetupWithManager(mgr); err != nil {
return err
}
return nil
}