openchoreo-developer-gitops
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseOpenChoreo Developer GitOps Guide
OpenChoreo 开发者GitOps指南
Git is the source of truth; the cluster is its reflection. This skill writes OpenChoreo application resources to Git (Project / Component / Workload / ComponentRelease / ReleaseBinding), lets Flux reconcile them, and reads cluster state with to verify.
occThis skill is scoped to application-developer GitOps work. Repo scaffolding, Flux wiring, and authoring platform CRDs (ComponentTypes, Traits, Workflows, Environments, DeploymentPipelines, SecretReferences, AuthzRoles, planes) are out of scope — they're done by whoever owns the platform side. Don't edit GitOps-managed resources via or any other direct write path; Flux will revert them on the next reconcile.
occ apply -fGit是事实来源;集群是其映射。本技能将OpenChoreo的应用资源写入Git(Project / Component / Workload / ComponentRelease / ReleaseBinding),由Flux进行同步,并通过读取集群状态以验证。
occ本技能的适用范围为应用开发者的GitOps工作。仓库脚手架搭建、Flux配置、平台CRD(ComponentTypes、Traits、Workflows、Environments、DeploymentPipelines、SecretReferences、AuthzRoles、planes)编写均不在本技能范围内——这些由平台侧负责人完成。请勿通过或其他直接写入方式编辑GitOps管理的资源;Flux会在下一次同步时将其还原。
occ apply -fStep 0 — Hard preconditions
步骤0 — 硬性前置条件
Two checks; both must pass before proceeding.
bash
undefined需完成两项检查,且均通过后方可继续。
bash
undefined0a — occ configured against the right cluster
0a — 确认occ已针对正确集群配置
command -v occ && occ config context list && occ namespace list
command -v occ && occ config context list && occ namespace list
0b — cwd is inside a scaffolded GitOps repo
0b — 当前工作目录位于脚手架生成的GitOps仓库内
ls flux 2>/dev/null && ls platform-shared 2>/dev/null && ls namespaces 2>/dev/null
If `occ` is missing / unconfigured, stop and tell the user to install + configure it. If the cwd isn't a scaffolded repo (no `flux/` or `clusters/<name>/`, no `platform-shared/`, no `namespaces/`), ask the user for the repo path; if no repo exists, the repo needs scaffolding upstream of this skill — don't start creating components in a non-scaffolded directory.
**Always show the active `occ` context and confirm with the user** before any cluster-touching action.ls flux 2>/dev/null && ls platform-shared 2>/dev/null && ls namespaces 2>/dev/null
若`occ`未安装/未配置,请停止操作并告知用户安装并配置它。若当前工作目录不是脚手架生成的仓库(无`flux/`或`clusters/<name>/`、`platform-shared/`、`namespaces/`目录),请询问用户仓库路径;若仓库不存在,则需要在本技能上游完成仓库脚手架搭建——不要在非脚手架目录中开始创建组件。
**在执行任何涉及集群的操作前,务必展示当前`occ`上下文并与用户确认**。Step 1 — Load concepts (MANDATORY)
步骤1 — 加载概念(必填)
Read in full before anything else. Not optional, even if the task looks simple — you'll get the two-resource deploy model / immutability / workload-descriptor tradeoffs / verification ladder wrong from memory. Load once per session; if you catch yourself acting without it, stop and load now.
references/concepts.mdLoad other references on-demand:
- —
references/authoring.mdfile-mode generators, docs lookup viaocc, repo paths, git workflow, DCO.scripts/fetch-page.sh - — fetch any OpenChoreo docs page by title (resolves against
scripts/fetch-page.sh, picks a stable version). Use this for full CRD schemas with optional fields.llms.txtdumps the full index../scripts/fetch-page.sh --list - — first-time deploys (no Project yet, or first time the user touches this repo).
references/getting-started.md
在进行任何操作前,请完整阅读。这并非可选步骤,即使任务看似简单——仅凭记忆会错误理解双资源部署模型、不可变性、工作负载描述权衡、验证流程。每个会话只需加载一次;若发现自己未加载就开始操作,请立即停止并加载。
references/concepts.md按需加载其他参考文档:
- —
references/authoring.md文件模式生成器、通过occ查找文档、仓库路径、Git工作流、DCO。scripts/fetch-page.sh - — 根据标题获取任意OpenChoreo文档页面(基于
scripts/fetch-page.sh解析,选择稳定版本)。可用于获取包含可选字段的完整CRD schema。执行llms.txt可导出完整索引。./scripts/fetch-page.sh --list - — 首次部署(尚无Project,或用户首次接触本仓库)。
references/getting-started.md
What this skill can do
本技能可完成的操作
- Onboard a Component — BYO image or source-build → ,
recipes/onboard-component-byo.mdrecipes/onboard-component-source-build.md - Update a Workload — edit YAML (BYO) or push + rebuild (source-build) →
recipes/update-workload.md - Configure a Workload — endpoints, env, files, secrets →
recipes/configure-workload.md - Attach a PE-authored Trait →
recipes/attach-trait.md - Wire component dependencies — with env-var injection →
dependencies.endpoints[]recipes/connect-components.md - Generate ComponentReleases / ReleaseBindings via file-mode — produced through the onboard recipes.
occ - Promote releases — single component or bulk (project / all) → ,
recipes/promote.mdrecipes/bulk-promote.md - Per-environment overrides — replicas, resources, env vars, trait config →
recipes/override-per-environment.md - Soft-undeploy / rollback — flip or repoint at a prior
spec.state: Undeploy→ComponentReleaseRollbackrecipes/promote.md - Verify Flux + ReleaseBinding reconciliation →
recipes/verify-and-debug.md
- 接入组件 — 自带镜像或源码构建 → 、
recipes/onboard-component-byo.mdrecipes/onboard-component-source-build.md - 更新工作负载 — 编辑YAML(自带镜像)或推送并重建(源码构建) →
recipes/update-workload.md - 配置工作负载 — 端点、环境变量、文件、密钥 →
recipes/configure-workload.md - 附加PE编写的特性 →
recipes/attach-trait.md - 连接组件依赖 — 通过注入环境变量 →
dependencies.endpoints[]recipes/connect-components.md - 通过文件模式生成ComponentReleases / ReleaseBindings — 由接入流程生成。
occ - 发布版本 — 单个组件或批量(项目/全部) → 、
recipes/promote.mdrecipes/bulk-promote.md - 按环境配置覆盖 — 副本数、资源配置、环境变量、特性配置 →
recipes/override-per-environment.md - 软卸载/回滚 — 将或重新指向之前的
spec.state: Undeploy→ComponentRelease回滚部分recipes/promote.md - 验证Flux + ReleaseBinding同步状态 →
recipes/verify-and-debug.md
What this skill cannot do
本技能无法完成的操作
- Repo scaffolding or Flux wiring. Out of scope; assumes the repo is already scaffolded and Flux is wired.
- Authoring ComponentTypes / Traits / Workflows. Platform-side. Pick from what /
occ clustercomponenttype list/occ clustertrait listshow; the developer attaches what the platform offers.occ clusterworkflow list - Plane registration, AuthzRole / SecretReference authoring. Platform-side.
- Imperative ops — triggering a , runtime log tail, pod-level debugging via
WorkflowRun.kubectl execdoes not go in Git (perWorkflowRun); trigger via the UI, webhook, orgitops/overview.md. For pod-level runtime debugging, useocc component workflow rundirectly against the data plane or the cluster's observability backend.kubectl - Editing GitOps-managed resources via or any other direct write path — Flux reverts them on the next reconcile. Always go through Git.
occ apply -f
- 仓库脚手架搭建或Flux配置。不在范围内;假设仓库已完成脚手架搭建且Flux已配置。
- 编写ComponentTypes / Traits / Workflows。属于平台侧操作。从/
occ clustercomponenttype list/occ clustertrait list的结果中选择;开发者仅能附加平台提供的内容。occ clusterworkflow list - Plane注册、AuthzRole / SecretReference编写。属于平台侧操作。
- 命令式操作 — 触发、实时日志查看、通过
WorkflowRun进行Pod级调试。kubectl exec不应存入Git(参考WorkflowRun);需通过UI、Webhook或gitops/overview.md触发。对于Pod级实时调试,请直接针对数据平面或集群可观测性后端使用occ component workflow run。kubectl - 通过或其他直接写入方式编辑GitOps管理的资源 — Flux会在下一次同步时将其还原。请始终通过Git进行操作。
occ apply -f
Working style
工作风格
- Git is the source of truth. Application resources change only through Git. is reserved for pre-Flux bootstrap (which is a PE concern; this skill rarely needs it).
occ apply -f - Use file-mode generators for the four kinds they own (Workload, ComponentRelease, ReleaseBinding, Component scaffold). For everything else (Project, dependency wiring on a Workload, ReleaseBinding overrides), fetch the full schema with
occ../scripts/fetch-page.sh --exact --title "<Kind>" - Always (DCO is required upstream; harmless on forks).
git commit -s - Verify, don't assume. Reconciliation is interval-based (,
GitRepository: 1m). Read the result back withKustomization: 5mafter merge.occ <kind> get - Don't open a PR or push without explicit user confirmation. Local commits are reversible; remote-visible actions are not.
- Path A vs Path B for source-build Workloads. Decide once whether in the source repo is the source of truth (Path A) or direct edits to the Workload CR in the GitOps repo are (Path B). Mixing them is a one-way migration trap. See
workload.yaml.recipes/onboard-component-source-build.md
- Git是事实来源。应用资源仅能通过Git变更。仅用于Flux引导前的场景(属于PE职责;本技能极少需要使用)。
occ apply -f - 对四种资源使用文件模式生成器(Workload、ComponentRelease、ReleaseBinding、Component脚手架)。对于其他所有资源(Project、工作负载的依赖连接、ReleaseBinding覆盖),使用
occ获取完整schema。./scripts/fetch-page.sh --exact --title "<Kind>" - 始终执行(上游要求DCO;在分支上执行无影响)。
git commit -s - 验证而非假设。同步是基于时间间隔的(,
GitRepository: 1分钟)。合并后通过Kustomization: 5分钟读取结果。occ <kind> get - 未经用户明确确认,请勿推送或提交PR。本地提交可撤销;远程可见操作不可撤销。
- 源码构建工作负载的路径A与路径B。需一次性决定是将源码仓库中的作为事实来源(路径A),还是直接编辑GitOps仓库中的Workload CR(路径B)。混合使用会陷入单向迁移陷阱。参考
workload.yaml。recipes/onboard-component-source-build.md
Stable guardrails
稳定准则
- is immutable. Regenerate with
ComponentRelease; never hand-edit.occ componentrelease generate - (projectName + componentName) is immutable after creation. Pick names carefully.
Workload.spec.owner - and
Component.spec.componentTypekinds default to cluster-scoped when omitted. Setspec.workflow/kind: ComponentTypeexplicitly when referencing namespace-scoped variants.kind: Workflow - is an object (since v1.0.0), not a plain string.
Project.spec.deploymentPipelineRefdefaults tokind.DeploymentPipeline - For third-party / public apps: default to BYO image, not source build. Multi-platform Dockerfiles () commonly fail in the buildah-based builder. If you see exit-125
ARG BUILDPLATFORMerrors, switch to BYO.BUILDPLATFORM - No plaintext secrets in Git. Use a PE-authored ; consume from a Workload via
SecretReference.valueFrom.secretKeyRef - Workload /
enventries need exactly one offilesorvalue— not both, not neither. Validation fails otherwise.valueFrom
- 是不可变的。需通过
ComponentRelease重新生成;切勿手动编辑。occ componentrelease generate - (projectName + componentName)创建后不可变。请谨慎选择名称。
Workload.spec.owner - 当省略时,与
Component.spec.componentType类型默认为集群级。引用命名空间级变体时,请显式设置spec.workflow/kind: ComponentType。kind: Workflow - 是一个对象(自v1.0.0起),而非纯字符串。
Project.spec.deploymentPipelineRef默认为kind。DeploymentPipeline - 对于第三方/公共应用:默认使用自带镜像,而非源码构建。多平台Dockerfile()在基于buildah的构建器中常失败。若遇到exit-125
ARG BUILDPLATFORM错误,请切换为自带镜像。BUILDPLATFORM - Git中不得包含明文密钥。使用PE编写的;通过Workload的
SecretReference引用。valueFrom.secretKeyRef - Workload的/
env条目必须且仅能包含files或value中的一个 — 不可同时存在,也不可都不存在。否则验证会失败。valueFrom
Anti-patterns
反模式
- Creating a Component without first reading the available /
ClusterComponentType/ComponentType/Traitlists on the cluster. Author the spec against the live platform shape.Workflow - Hand-authoring a Workload spec when could do it from a descriptor + image.
occ workload create --mode file-system - Hand-editing a file (it's immutable; regenerate instead).
ComponentRelease - Adding to a source repo whose Component's Workload has been iterated on directly (Path B) without first dumping the live Workload and reconstructing the descriptor (one-way destructive migration — overwrites the cluster spec).
workload.yaml - Setting on a service-to-service dependency between Components in the same project —
visibility: externalis the right default.projectis for public-internet ingress only.external - Pushing or opening a PR before the user has seen the commit list.
- Assuming a deployment is healthy because —
Ready=Truemeans reconciled, not necessarily working. Curl anReadyendpoint or pull logs viaexternalwhen in doubt.occ component logs <component> -n <ns> --env <env>
- 在未先查看集群上可用的/
ClusterComponentType/ComponentType/Trait列表的情况下创建组件。需根据平台实际形态编写spec。Workflow - 当可通过描述文件+镜像生成时,手动编写Workload spec。
occ workload create --mode file-system - 手动编辑文件(它是不可变的;应重新生成)。
ComponentRelease - 直接迭代组件的Workload后(路径B),将添加到源码仓库,而未先导出当前Workload并重建描述文件(单向破坏性迁移——会覆盖集群spec)。
workload.yaml - 对同一项目内组件间的服务依赖设置—
visibility: external是正确的默认值。project仅适用于公网入口。external - 在用户查看提交列表前推送或提交PR。
- 仅因就假设部署健康 —
Ready=True表示已同步,而非一定可用。若有疑问,请调用Ready端点或通过external拉取日志。occ component logs <component> -n <ns> --env <env>