chore(deploy): remove DIND — all execution now via K8s Jobs#303
betterclever wants to merge 1 commit into feat/gcs-fuse-volumes from
Conversation
Docker-in-Docker is no longer needed since the K8s Job runner handles all component container execution natively.

- Delete dind-deployment.yaml, dind-pvc.yaml, dind-service.yaml
- Delete values/dind.yaml and values/no-dind.yaml
- Remove execution.dind and workerDockerHost from values.yaml
- Remove execution.dind block from values/cloud-generic.yaml
- Remove workerDockerHost DOCKER_HOST env branch from worker-deployment.yaml

Closes ENG-209

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: betterclever <paliwal.pranjal83@gmail.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a249e41ccb
| - name: INTERNAL_SERVICE_TOKEN | ||
| valueFrom: | ||
| secretKeyRef: | ||
| name: {{ .Values.secrets.name }} | ||
| key: INTERNAL_SERVICE_TOKEN |
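Review bot: the new INTERNAL_SERVICE_TOKEN secretKeyRef has no optional: true, so the key is mandatory at container creation and the worker will sit in CreateContainerConfigError whenever the secret named by .Values.secrets.name lacks it; per the review below, the chart's generated secret template does not define that key. Add INTERNAL_SERVICE_TOKEN to the generated secret (and document it for installs that set secrets.create: false and bring their own secret) rather than marking the ref optional, since a service token that is silently absent is worse than a pod that refuses to start.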
Add INTERNAL_SERVICE_TOKEN to generated app secrets
The worker Deployment now requires INTERNAL_SERVICE_TOKEN from the app secret, but the chart’s generated secret template still only defines DATABASE_URL, MinIO keys, and SECRET_STORE_MASTER_KEY (see deploy/helm/shipsec/templates/app-secret.local.yaml). With default secrets.create: true, this leaves the key missing and causes worker pods to fail startup with a missing secret key (CreateContainerConfigError), which blocks worker execution in default installs.
Useful? React with 👍 / 👎.
| @@ -1,5 +0,0 @@ | |||
| execution: | |||
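Review bot: deleting values/dind.yaml outright breaks every caller that still passes that file to Helm with -f; the review below lists install scripts under deploy/scripts/ that do, and because they run under set -euo pipefail the Helm error aborts the script before any rollout. Update those scripts in this PR, or keep an empty values/dind.yaml with a deprecation comment for one release so existing automation keeps working.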
Keep values/dind.yaml until install scripts are updated
This commit deletes values/dind.yaml, but repo-wide search still shows install paths passing that exact file to Helm (deploy/scripts/gcp/install.sh:80,122, deploy/scripts/vps/install.sh:72, deploy/scripts/orbstack/install.sh:24). Because those scripts run with set -euo pipefail, they abort when Helm is invoked with a non-existent values file, so deployment automation fails before chart rollout.
Useful? React with 👍 / 👎.
| @@ -1,48 +0,0 @@ | |||
| {{- if .Values.execution.dind.enabled }} | |||
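Review bot: with this template gone the shipsec-dind Deployment is never rendered, so the smoke scripts noted below that wait for deployment/shipsec-dind will time out; drop those waits in the same change. Also worth grepping the remaining values files and docs for execution.dind.* keys, since Helm silently accepts a key that no template reads and a stale execution.dind.enabled: true would give operators a false picture of what is deployed.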
Update smoke checks after removing DinD resources
Removing the shipsec-dind Deployment makes current smoke checks stale: deploy/scripts/gcp/smoke.sh:25 and deploy/scripts/vps/smoke.sh:23 still wait for deployment/shipsec-dind. With this chart version that resource is never created, so those smoke scripts fail even when backend/frontend/infra are otherwise healthy.
Useful? React with 👍 / 👎.
Closing — branch merged via internal process.
Summary
Stacked on #299 (GCS FUSE volumes / K8s runner).
Docker-in-Docker is no longer needed — all component container execution goes through the native K8s Job runner. This removes the DIND pod, its PVC, service, and all related Helm config.
- dind-deployment.yaml, dind-pvc.yaml, dind-service.yaml
- values/dind.yaml and values/no-dind.yaml
- execution.dind block and workerDockerHost from values.yaml
- execution.dind block from values/cloud-generic.yaml
- workerDockerHost → DOCKER_HOST env branch from worker-deployment.yaml

DIND previously required a privileged container (securityContext.privileged: true), which is a security risk. With K8s Jobs, component containers run as unprivileged workloads in the shipsec-workloads namespace.

Closes ENG-209
Test plan
- helm template renders cleanly with gke-managed.yaml — no DIND resources emitted
- values.yaml execution.mode: docker still works for local dev (uses local Docker socket, not DIND)

🤖 Generated with Claude Code
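The PR's security argument is that the privileged DinD pod and the worker's DOCKER_HOST hand-off are gone and component containers now run unprivileged in shipsec-workloads. As an added example, not code from the shipsec chart or from this PR, here is a stdlib-only Python audit that checks exactly that against live cluster state: feed it the JSON from `kubectl get jobs,deployments -n shipsec-workloads -o json` (or from `helm template ... | kubectl create --dry-run=client -f - -o json`) and it flags privileged containers, containers that can still escalate or run as root, host Docker socket mounts, and any DOCKER_HOST env var. The embedded SAMPLE is constructed for the demo; the image names, the Job name and the tcp://shipsec-dind:2375 value are assumptions, not values taken from the chart.

```python
"""Audit Kubernetes workloads for the Docker-in-Docker privilege patterns that
the K8s Job runner is meant to eliminate. Stdlib only.

Usage: python audit_dind.py workloads.json   (a kubectl -o json List or one object)
       python audit_dind.py                  (runs against the constructed SAMPLE)
"""
import json
import sys

DOCKER_SOCKET = "/var/run/docker.sock"


def pod_spec_of(obj):
    """Return the PodSpec embedded in a Pod, CronJob, or any workload with a pod template."""
    kind = obj.get("kind", "")
    spec = obj.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})


def audit_workload(obj):
    """Return (location, problem) pairs for every DinD-style privilege pattern in one object."""
    kind = obj.get("kind", "?")
    meta = obj.get("metadata", {})
    label = f"{kind}/{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    pod = pod_spec_of(obj)
    pod_sc = pod.get("securityContext", {})
    # A hostPath volume exposes the daemon socket if it is the socket itself or any
    # parent directory of it (/var/run, /run, /). "\0" can never be a prefix.
    socket_volumes = {
        v["name"] for v in pod.get("volumes", [])
        if DOCKER_SOCKET.startswith(v.get("hostPath", {}).get("path", "\0"))
    }
    findings = []
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        where = f"{label}:{c.get('name', '?')}"
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append((where, "privileged: true"))
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            findings.append((where, "allowPrivilegeEscalation is not false"))
        # The container-level setting overrides the pod-level one.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append((where, "runAsNonRoot is not enforced"))
        for m in c.get("volumeMounts", []):
            if m.get("name") in socket_volumes:
                findings.append((where, f"mounts host Docker socket at {m.get('mountPath')}"))
        for e in c.get("env", []):
            if e.get("name") == "DOCKER_HOST":
                findings.append((where, f"DOCKER_HOST={e.get('value', '<valueFrom>')}"))
    return findings


def audit(doc):
    """Audit a single object or a kubectl 'List'; returns all findings in order."""
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    return [f for obj in items for f in audit_workload(obj)]


# Constructed sample (not from the shipsec chart): the old DinD deployment and the
# worker that talked to it, next to a Job shaped the way the runner should emit it.
SAMPLE = {
    "kind": "List",
    "items": [
        {"kind": "Deployment",
         "metadata": {"name": "shipsec-dind", "namespace": "shipsec"},
         "spec": {"template": {"spec": {"containers": [
             {"name": "dind", "image": "docker:dind",
              "securityContext": {"privileged": True}}]}}}},
        {"kind": "Deployment",
         "metadata": {"name": "shipsec-worker", "namespace": "shipsec"},
         "spec": {"template": {"spec": {"containers": [
             {"name": "worker", "image": "shipsec/worker",
              "env": [{"name": "DOCKER_HOST", "value": "tcp://shipsec-dind:2375"}],
              "securityContext": {"allowPrivilegeEscalation": False,
                                  "runAsNonRoot": True}}]}}}},
        {"kind": "Job",
         "metadata": {"name": "component-run-1", "namespace": "shipsec-workloads"},
         "spec": {"template": {"spec": {
             "securityContext": {"runAsNonRoot": True, "runAsUser": 65532},
             "containers": [
                 {"name": "component", "image": "example/component",
                  "securityContext": {"allowPrivilegeEscalation": False,
                                      "privileged": False,
                                      "capabilities": {"drop": ["ALL"]},
                                      "readOnlyRootFilesystem": True}}]}}}},
    ],
}


if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    findings = audit(doc)
    for where, problem in findings:
        print(f"{where}: {problem}")
    sys.exit(1 if findings else 0)
```

Run against the sample it reports the DinD deployment three times (privileged, escalation allowed, root not forbidden) and the worker once for DOCKER_HOST, and nothing for the Job, which is the state this PR is meant to leave the cluster in; wiring it into the smoke scripts turns the "no DIND resources emitted" line of the test plan into an enforced check rather than a manual one.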