11 KiB
Desired Deploy Reconciler
UniDesk deployment is driven by a desired-state manifest. The manifest answers only one question: which service should run which repository commit. Runtime topology, ports, providers, compose files, Kubernetes manifests, health paths and proxy policy remain in config.json and the existing service manifests.
Manifest
The root deploy.json is intentionally minimal:
{
"schemaVersion": 1,
"services": [
{
"id": "code-queue",
"repo": "https://github.com/pikasTech/unidesk",
"commitId": "0c3cdb4ee06a23361ed511a2da033d67b53d16f4"
}
]
}
deploy.json must not contain provider IDs, ports, compose service names, Kubernetes namespace, health paths, environment variables, Dockerfile paths or build commands. The deploy reconciler joins each id with config.json.microservices[] and existing k3s manifests to resolve those details. A service listed in deploy.json but missing from config.json is an error. A service with no Dockerfile source artifact is reported as unsupported rather than silently skipped. commitId may be a unique pushed short SHA or a full SHA; every deploy command resolves it through the remote repository to a full 40-character commit before target-side build or rollout, and fails immediately if the SHA is missing or ambiguous.
config.json.microservices[].repository.commitId is retained for catalog compatibility, but deploy.json is the deployment version authority for the reconciler.
CLI
bun scripts/cli.ts deploy check [--file deploy.json] [--service <id>] checks the live runtime against the desired repo and commit without changing the system.
bun scripts/cli.ts deploy plan [--file deploy.json] [--service <id>] prints the same live state plus the intended action: noop, deploy or unsupported.
bun scripts/cli.ts deploy apply [--file deploy.json] [--service <id>] [--dry-run] [--force] starts an asynchronous job. Use bun scripts/cli.ts job status <jobId> --tail-bytes 30000 to observe progress. --dry-run resolves the same plan but does not build or replace runtime objects. --force rebuilds even when the live commit matches.
All deploy commands output JSON. Long operations must use .state/jobs/ and bounded log tails; no deploy path may succeed with missing progress output.
Target-Side Build
Target-side build is the only standard deployment mode. The controller may run on the main server, but source materialization, compile/build, Docker image creation and deployment happen on the target node that will run the service.
- Main server services are fetched, built and deployed on the main server.
- D601 services are fetched, built and deployed on D601.
- D518 services are fetched, built and deployed on D518.
- k3s managed services are built on the active control target and then imported into that target's Kubernetes container runtime.
The reconciler distributes only repository URL, commit ID, Dockerfile path, build context and the existing deployment manifest/compose declaration. It must not distribute large Docker images between hosts as the default path, and it must not accept docker commit images, dirty worktrees or hand-mutated runtime containers as deployment truth.
Each target fetches the remote repository, resolves the requested commit to a full 40 character SHA and exports tracked files with git archive. Build contexts are created from that archive, not from the operator's current working tree.
One-Shot Build Proxy
Target-side source fetches and Docker builds that need external network access use a one-shot proxy scope through provider-gateway WS egress. Provider targets connect only to their node-local provider-gateway egress endpoint, normally http://127.0.0.1:18789; provider-gateway carries the TCP stream over the already-authenticated provider WebSocket to the main server, and the main server opens the final outbound TCP connection. This is the only allowed proxy channel for provider-side deploy source fetches and builds. The deploy path must not mutate host-global proxy settings:
- Do not edit
/etc/docker/daemon.json. - Do not edit shell profiles or global Docker CLI config.
- Do not leave long-lived host
HTTP_PROXY,HTTPS_PROXYorALL_PROXY. - Do not silently fall back to target local direct internet.
- Do not create a separate SSH SOCKS proxy, public master proxy port, or direct backend-core/provider-ingress connection for deploy egress.
The standard implementation first probes GitHub through the node-local egress proxy, then runs target-side git clone/git fetch and the Docker build in that scoped environment. It also uses the target Docker daemon's local BuildKit builder so target-side base image and layer caches are reused. Proxy variables are scoped to the current deploy step and passed as matching --build-arg values for Dockerfile RUN steps; they are not written to daemon or shell configuration. Provider targets also use docker buildx build --network host so 127.0.0.1:<proxy-port> inside RUN resolves to the target host's loopback provider-gateway egress proxy. Each deploy must log the proxy channel and probe result, for example target_source_proxy=provider-gateway-ws-egress:http://127.0.0.1:18789, target_build_proxy=provider-gateway-ws-egress:http://127.0.0.1:18789 and target_build_proxy_probe=ok.
Build cache is part of the deployment contract, not an optimization left to Docker defaults. The deploy reconciler must pass inline BuildKit cache metadata (--cache-to type=inline) and import the current target image as cache source when it exists (--cache-from <image>). Dockerfiles that intentionally expose a warm build-base argument, such as Code Queue's CODE_QUEUE_BASE_IMAGE, may use the target-local <image>-build-base image to avoid re-running large apt/npm/Playwright setup layers; this is still target-local build cache and must be logged as target_build_base_image=<image>-build-base. If a service later needs an isolated docker-container builder or a local cache directory backend, it may use one only as a service-specific fallback and must still log proxy resolution, proxy probe result, cache source, cache destination and builder cleanup. The default path must not discard target-local image cache by creating a fresh builder for every deploy.
Main server targets may build without a proxy unless a service explicitly requires one. Provider targets must not bypass provider-gateway WS egress for GitHub, Debian apt, npm, Playwright, model downloads or any other external build dependency.
Deployment Executors
The reconciler selects the executor from config.json:
deployment.mode=unidesk-directonmain-server: build the image on the main server, then use the fixed UniDesk Compose project andup -d --no-build --no-deps --force-recreate <service>.deployment.mode=internal-sidecaronmain-server: use the same main-server target-side source export, Docker build, image label stamping, fixed Compose project replacement and live commit verification as direct Compose services. This class is for private sidecars such ascode-queue-mgr; it is still versioned bydeploy.json.commitId, not by the operator's current worktree.deployment.mode=unidesk-directon a provider: dispatchhost.sshto that provider, build on the provider, then use the service's provider-local compose file and project. The executor resolves the actual Compose project, image name, build context, Dockerfile and target from the running container labels anddocker compose config; it must not guess an image tag that the service will not actually run.- Control bridges that UniDesk needs in order to inspect or repair an orchestrator must stay in this direct class. In particular,
k3sctl-adapteris a UniDesk-managed bridge to native k3s and must remain outside k3s; Docker packaging on Docker Desktop/WSL must create an explicit host-local bridge, currently an adapter-container SSH local tunnel, to reach/etc/rancher/k3s/k3s.yamland WSL127.0.0.1:6443. deployment.mode=k3sctl-managed: dispatch to the active control target, build on that target, verify or install native k3s on the host OS/WSL distro, import the image into native k3s/containerd, apply the existing Kubernetes manifest, stamp the Deployment and wait for rollout. The executor must use the native kubeconfig and containerd socket, for example/etc/rancher/k3s/k3s.yamland/run/k3s/containerd/containerd.sock; running k3s itself in Docker is forbidden for both control-plane and worker nodes. Arancher/k3simage or legacy container may only be used as a temporary artifact source during migration, and any active containerized k3s control plane must be stopped before verification succeeds. The executor must preload a validrancher/mirrored-pause:3.6sandbox image into native k3s containerd through the provider-gateway one-shot egress path, verify its entrypoint is/pause, and reject fake or sleep-based replacement images. Code Queue's k3s migration executor must also stop/remove the legacy direct Dockercode-queue-backendafter k3s rollout, so there is never a second scheduler running beside the native k3s scheduler.
Existing service-specific commands such as Code Queue deploy should converge onto this reconciler path instead of keeping a parallel implementation.
Decision Center is a standard k3sctl-managed service in this model. deploy apply --service decision-center must build src/components/microservices/decision-center/Dockerfile on D601, import unidesk-decision-center:d601 into native k3s containerd, apply src/components/microservices/k3sctl-adapter/k3s/decision-center.k8s.yaml, stamp the Deployment, and verify health through /api/microservices/decision-center/health. It must not add a main-server Compose service, NodePort, hostPort, or provider-gateway direct HTTP backend for Decision Center.
Version Stamping And Verification
Every successful deployment must stamp the source version in the runtime:
- Docker image labels:
unidesk.ai/service-id,unidesk.ai/source-repo,unidesk.ai/source-commitandunidesk.ai/dockerfile. - Runtime env or Kubernetes annotations:
UNIDESK_DEPLOY_SERVICE_ID,UNIDESK_DEPLOY_REPO,UNIDESK_DEPLOY_COMMITandUNIDESK_DEPLOY_REQUESTED_COMMIT. - Service health response should expose
deploy.repoanddeploy.commitwhen practical. Existing service-specific health contracts such as Code Queue'sdeploy.commitremain valid.
The deploy job is not complete until live verification proves the running service matches the requested commit. For Docker services this includes image label inspection on the running container. For k3s services this includes Deployment annotation/env inspection and service health through the same UniDesk microservice proxy path used by the frontend. A healthy old service must fail verification.
Unsupported Services
Image-only services, such as a service declared directly as docker.io/vendor/image:tag without a Dockerfile source artifact, do not satisfy target-side build policy. They must be converted to a source repository with a Dockerfile wrapper before the reconciler can manage them. Until then, deploy check and deploy plan should report them as unsupported.