Skip to content

Design: run AAQ scraper as an ArgoCD CronJob on the workloads cluster#44

Draft
aatchison wants to merge 17 commits into
mainfrom
k8s-argocd-scraper-deployment
Draft

Design: run AAQ scraper as an ArgoCD CronJob on the workloads cluster#44
aatchison wants to merge 17 commits into
mainfrom
k8s-argocd-scraper-deployment

Conversation

@aatchison

Copy link
Copy Markdown

What

Design spec (brainstorming output) for moving the scraper off GitHub Actions onto the workloads EKS cluster as an ArgoCD CronJob, sharing bitergia's static NAT egress IP so Mozilla can allowlist a single IP for both SUMO /api/2/ consumers.

This PR is the design doc only — no implementation yet. It's here for review before I write the implementation plan.

docs/superpowers/specs/2026-07-13-k8s-argocd-scraper-deployment-design.md

Key decisions captured

  • Scope: egress-IP-first scaffolding — build the full deployment now so it (1) produces the known static egress IP we hand Mozilla and (2) starts scraping the instant that IP is allowlisted.
  • Cluster: workloads (mzla-eks-workloads01, eu-central-1), co-located with bitergia-deploy to share one egress IP.
  • Image: lean, browser-free (httpx, arm64, distroless/slim). Includes a modest sumo.py refactor dropping Playwright for plain HTTP, preserving the existing fetch_json retry/deferral contract.
  • Persistence: stateless pod keeps the "CSVs in git" model — clones the repo, runs run_refresh.py, commits 20*/ back to main. .refresh-hwm moves from the Actions cache into the repo.
  • Push credential: fine-grained GitHub PAT via External Secrets Operator → AWS Secrets Manager.
  • schema-check.yml: out of scope; this effort disables it with a reviewer note (parked for its own migration). kitsune-api-watch.yml unaffected. scrape.yml stays live until cutover.

Reviewer callouts

  • §1 the whole effort hinges on the workloads cluster having a stable, allowlistable NAT EIP — first thing to verify.
  • §6 moving the high-water mark out of the Actions cache and into the repo.
  • Two-repo split: scraper/image/refactor here; manifests + Pulumi in platform-infrastructure.

Relates to #28, #27.

🤖 Generated with Claude Code

Egress-IP-first scaffolding to move the scraper off GitHub Actions
(blocked by the Fastly bot-challenge, #28) onto the workloads EKS
cluster, sharing bitergia's static NAT egress IP for the Mozilla
allowlist ask (#27). Plain-HTTP image, CSVs stay in git, fine-grained
PAT for pushes.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@aatchison aatchison marked this pull request as draft July 13, 2026 17:40
aatchison and others added 16 commits July 13, 2026 10:46
Two-phase, TDD where testable: Phase A (this repo) swaps sumo.py's
Playwright engine for httpx behind the frozen SumoBrowser API, packages
a browser-free arm64 image whose entrypoint clones/refreshes/commits,
and builds it in CI; Phase B (platform-infrastructure) adds the Pulumi
ECR+OIDC, the deploy manifests, and the ArgoCD app.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The sandbox default is Python 3.14, against which playwright's greenlet
dependency has no wheel and fails to build, breaking `uv sync`/`uv run`.
Pin to 3.12 (within requires-python >=3.10) so the mandated `uv run
pytest` works. (greenlet/playwright are removed in the next task, but the
pin keeps the toolchain reproducible regardless of the host default.)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The CronJob commits the high-water mark to the repo each active run
instead of the (unavailable) GitHub Actions cache. run_refresh.py's 26h
lookback covers its initial absence, so no seed file is needed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pass the workflow_dispatch tag input via an env var instead of
interpolating github.event.* into the run script, and validate its
charset. Flagged HIGH (ci-cd-script-injection) by review; the job holds
ECR-push OIDC creds. Behavior unchanged for the default git-<sha> path.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…oint verification

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant