Skip to content

feat(oabctl): fix bootstrap, create, apply, and exec commands#1160

Open
chaodu-agent wants to merge 23 commits into
mainfrom
fix/bootstrap-sg-description
Open

feat(oabctl): fix bootstrap, create, apply, and exec commands#1160
chaodu-agent wants to merge 23 commits into
mainfrom
fix/bootstrap-sg-description

Conversation

@chaodu-agent

@chaodu-agent chaodu-agent commented Jun 20, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

Summary

Multiple fixes and improvements to oabctl CLI:

Bootstrap

  • Fix non-ASCII em dash in SG description (AWS rejects non-ASCII)

Create (oabctl create)

  • Use GHCR image URIs (ghcr.io/openabdev/openab*) instead of ECR
  • Add all backends: kiro, claude, codex, gemini, copilot, opencode, hermes, grok, cursor, mimocode, antigravity
  • Add CPU/memory sizing selection with Fargate-valid combinations
  • Always create dedicated SG per agent (no selection prompt)
  • Reuse existing SG if duplicate name exists

Apply (oabctl apply)

  • Inject config.toml as base64 env var (CONFIG_B64) — no aws CLI needed in container
  • Add awslogs log configuration to container definition
  • Add execution role and task role ARNs to task definition
  • Enable ECS Exec on service create/update
  • Use ecsctl's wait_for_stable (better progress output, no 5-min timeout)

Exec (oabctl exec)

  • Resolve agent name directly from ECS (no ecsctl alias dependency)
  • oabctl exec kiro-demo -- bash finds running task automatically

Other

  • Default --cluster to oab for get/delete commands
  • Add Rust build cache to CI workflow

Build

gh workflow run build-oabctl.yml --ref fix/bootstrap-sg-description -f target=macos-arm64

@chaodu-agent chaodu-agent requested a review from thepagent as a code owner June 20, 2026 01:59
@chaodu-agent chaodu-agent force-pushed the fix/bootstrap-sg-description branch from 30d4d48 to 23dce45 Compare June 20, 2026 03:14
@chaodu-agent chaodu-agent changed the title fix(bootstrap): replace em dash with ASCII in SG description feat(oabctl): fix bootstrap, create, apply, and exec commands Jun 20, 2026
@chaodu-agent

This comment has been minimized.

Sign in to view
@chaodu-agent
fix(review): address PR review findings
b325bed 
- F1: SG creation now matches InvalidGroup.Duplicate specifically, propagates other errors
- F2: CONFIG_B64 size check (8KB limit) with clear error message
- F3: IAM role pre-flight validation before register_task_definition
- F4: Replace too_many_arguments with ManifestParams struct
@chaodu-agent

This comment has been minimized.

Sign in to view
@chaodu-agent

This comment has been minimized.

Sign in to view
fix(review): address PR review findings
97d1875 
- Fix cp/sync broken by alias removal: use resolve_remote_path with
  dynamic ECS task lookup instead of ecsctl::alias::resolve_remote
- Add --cluster/--namespace to Exec, Cp, Sync commands (default: oab/prod)
- Update resolve_agent to accept cluster/namespace parameters
- Handle iam:GetRole AccessDenied gracefully (warn + proceed)
@github-actions github-actions Bot added the closing-soon PR missing Discord Discussion URL — will auto-close in 24 hours. label Jun 22, 2026
@chaodu-agent

This comment has been minimized.

Sign in to view
1 similar comment
@chaodu-agent

This comment has been minimized.

Sign in to view
fix(operator): add [workspace] to isolate from root workspace
7892b32 
Cargo discovers the root Cargo.toml as workspace root and fails because
operator is not listed as a member. Adding an empty [workspace] table
makes operator a standalone package.
@openab-app openab-app Bot removed the closing-soon PR missing Discord Discussion URL — will auto-close in 24 hours. label Jun 23, 2026
@chaodu-agent

This comment has been minimized.

Sign in to view
@chaodu-agent

This comment has been minimized.

Sign in to view
fix(operator): use config-based cluster name and consistent service p…
ce49f80 
…refix

- resolve_agent: use 'oab-{namespace}-{name}' to match ecs_service_name()
- apply_ecs: load cluster from OabConfig instead of hardcoding 'oab'
@chaodu-agent

chaodu-agent commented Jun 23, 2026

Copy link
Copy Markdown
Collaborator Author

LGTM ✅ — Solid multi-faceted improvement to oabctl covering config injection, logging, IAM role validation, ECS Exec support, and dynamic task resolution.

What This PR Does

Fixes and improves multiple oabctl subcommands: replaces S3-dependent config delivery with base64 env injection, adds awslogs, IAM role pre-flight checks, ECS Exec enablement, GHCR image URIs, Fargate sizing selection, and removes the ecsctl alias dependency for exec/cp/sync.

How It Works

  • Config injection: reads config.toml (local or S3), base64-encodes it into CONFIG_B64 env var, and uses an entrypoint wrapper to decode at runtime — eliminating the need for aws CLI in the container.
  • IAM validation: calls iam:GetRole before registering the task definition, gracefully handling AccessDenied (proceeds with warning) while failing hard on NoSuchEntity.
  • Dynamic exec: resolves agent name → ECS task via list_tasks API rather than relying on ecsctl alias state.
  • Fargate sizing: exposes CPU/memory selection with validated Fargate-compatible combinations.

Findings

# Severity Finding Location
1 🟢 Good defensive pattern — check_iam_role handles AccessDenied gracefully apply.rs:340-363
2 🟢 Proper 8 KiB guard on env-injected config prevents silent ECS failures apply.rs:190
3 🟢 Clean resolution of agent → cluster/task/container without external state main.rs:210-234
4 🟢 Reuse of ecsctl's wait_for_stable avoids duplicated polling logic apply.rs:336
5 🟢 SG duplicate detection with fallback lookup is user-friendly create.rs:108-138
What's Good (🟢)
  • Config-as-env pattern removes a significant operational dependency (no aws CLI in container, no IAM permissions for S3 GetObject at runtime for the container itself)
  • IAM pre-flight catches misconfiguration early with a clear error message directing users to oabctl bootstrap
  • Fargate sizing table with compile-time validation prevents invalid CPU/memory combos reaching the API
  • Entrypoint wrapper correctly uses exec to replace the shell process, preserving signal handling
  • CI passesoperator job builds successfully
Baseline Check
  • PR opened: by chaodu-agent on branch fix/bootstrap-sg-description
  • Main already has: basic apply flow with S3 config sync, hardcoded cluster name, no logging, no IAM checks
  • Net-new value: config injection without runtime S3 access, awslogs, IAM validation, ECS Exec, dynamic task resolution, GHCR images, Fargate sizing, rust-cache in CI
Minor Observations (non-blocking)
  • OabConfig::load() is called twice in apply.rs (lines 127 and 130) — could be consolidated into a single load, but not a correctness issue since it's idempotent
  • Cargo.toml has no trailing newline ([workspace]\ without \n) — cosmetic only, doesn't affect builds
  • The echo $CONFIG_B64 | base64 -d entrypoint approach works correctly since base64 output contains no shell-special characters, and ECS env vars don't undergo word splitting in the sh -c context

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thepagent thepagent Awaiting requested review from thepagent thepagent is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

pending-maintainer

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@chaodu-agent