feat: add optional marketplace handler to OpenShift Helm chart

luis5tb · claude · luis5tb · commit 4d3e15378168 · 2026-03-13T10:55:41.000+01:00
Add support for deploying the marketplace handler alongside the agent on
OpenShift clusters running inside Google Cloud. The handler receives
Pub/Sub events, approves entitlements via the Procurement API, and
handles DCR from Gemini Enterprise.

All handler resources are conditional on handler.enabled (default false),
so existing deployments are unaffected. When enabled, a GCP service
account key is mounted for ADC and the agent gains DATABASE_URL for
order validation.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/deploy/openshift/README.md b/deploy/openshift/README.md
diff --git a/deploy/openshift/templates/_helpers.tpl b/deploy/openshift/templates/_helpers.tpl
@@ -70,3 +70,18 @@ Redis service name
 {{- define "lightspeed-agent.redisServiceName" -}}
 {{- include "lightspeed-agent.fullname" . }}-redis
 {{- end }}
+
+{{/*
+Selector labels for the marketplace handler
+*/}}
+{{- define "lightspeed-agent.handlerSelectorLabels" -}}
+app.kubernetes.io/name: {{ include "lightspeed-agent.fullname" . }}-handler
+app.kubernetes.io/component: handler
+{{- end }}
+
+{{/*
+Handler service name
+*/}}
+{{- define "lightspeed-agent.handlerServiceName" -}}
+{{- include "lightspeed-agent.fullname" . }}-handler
+{{- end }}
diff --git a/deploy/openshift/templates/agent-deployment.yaml b/deploy/openshift/templates/agent-deployment.yaml
@@ -57,6 +57,13 @@ spec:
                   name: {{ include "lightspeed-agent.fullname" . }}-secrets
                   key: SESSION_DATABASE_URL
                   optional: true
+            {{- if .Values.handler.enabled }}
+            - name: DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "lightspeed-agent.fullname" . }}-secrets
+                  key: DATABASE_URL
+            {{- end }}
           resources:
             {{- toYaml .Values.agent.resources | nindent 12 }}
           startupProbe:
diff --git a/deploy/openshift/templates/configmap.yaml b/deploy/openshift/templates/configmap.yaml
@@ -42,8 +42,15 @@ data:
   RATE_LIMIT_REQUESTS_PER_MINUTE: {{ .Values.rateLimit.requestsPerMinute | quote }}
   RATE_LIMIT_REQUESTS_PER_HOUR: {{ .Values.rateLimit.requestsPerHour | quote }}
 
-  # Google Cloud Service Control (disabled for OpenShift)
-  SERVICE_CONTROL_ENABLED: "false"
+  # Google Cloud Service Control
+  SERVICE_CONTROL_ENABLED: {{ .Values.serviceControl.enabled | quote }}
+
+  # Marketplace Handler
+  HANDLER_HOST: {{ .Values.handler.host | quote }}
+  HANDLER_PORT: {{ .Values.handler.port | quote }}
+  DCR_ENABLED: {{ .Values.handler.dcr.enabled | quote }}
+  DCR_CLIENT_NAME_PREFIX: {{ .Values.handler.dcr.clientNamePrefix | quote }}
+  SERVICE_CONTROL_SERVICE_NAME: {{ .Values.handler.serviceControlServiceName | quote }}
 
   # Authentication
   SKIP_JWT_VALIDATION: {{ .Values.auth.skipJwtValidation | quote }}
diff --git a/deploy/openshift/templates/gcp-sa-secret.yaml b/deploy/openshift/templates/gcp-sa-secret.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.handler.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "lightspeed-agent.fullname" . }}-gcp-sa-key
+  labels:
+    {{- include "lightspeed-agent.labels" . | nindent 4 }}
+type: Opaque
+data:
+  sa-key.json: {{ .Values.secrets.gcpServiceAccountKey }}
+{{- end }}
diff --git a/deploy/openshift/templates/handler-deployment.yaml b/deploy/openshift/templates/handler-deployment.yaml
@@ -0,0 +1,98 @@
+{{- if .Values.handler.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "lightspeed-agent.handlerServiceName" . }}
+  labels:
+    {{- include "lightspeed-agent.labels" . | nindent 4 }}
+    app.kubernetes.io/component: handler
+spec:
+  replicas: {{ .Values.handler.replicas }}
+  selector:
+    matchLabels:
+      {{- include "lightspeed-agent.handlerSelectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "lightspeed-agent.handlerSelectorLabels" . | nindent 8 }}
+    spec:
+      containers:
+        - name: marketplace-handler
+          image: {{ printf "%s:%s" .Values.handler.image.repository .Values.handler.image.tag }}
+          imagePullPolicy: {{ .Values.handler.image.pullPolicy }}
+          ports:
+            - containerPort: {{ .Values.handler.port }}
+              protocol: TCP
+              name: http
+          envFrom:
+            - configMapRef:
+                name: {{ include "lightspeed-agent.fullname" . }}-config
+          env:
+            - name: GOOGLE_APPLICATION_CREDENTIALS
+              value: /var/run/secrets/gcp/sa-key.json
+            - name: GOOGLE_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "lightspeed-agent.fullname" . }}-secrets
+                  key: GOOGLE_API_KEY
+            - name: GOOGLE_CLOUD_PROJECT
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "lightspeed-agent.fullname" . }}-secrets
+                  key: GOOGLE_CLOUD_PROJECT
+                  optional: true
+            - name: RED_HAT_SSO_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "lightspeed-agent.fullname" . }}-secrets
+                  key: RED_HAT_SSO_CLIENT_ID
+            - name: RED_HAT_SSO_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "lightspeed-agent.fullname" . }}-secrets
+                  key: RED_HAT_SSO_CLIENT_SECRET
+            - name: DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "lightspeed-agent.fullname" . }}-secrets
+                  key: DATABASE_URL
+            - name: DCR_INITIAL_ACCESS_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "lightspeed-agent.fullname" . }}-secrets
+                  key: DCR_INITIAL_ACCESS_TOKEN
+            - name: DCR_ENCRYPTION_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "lightspeed-agent.fullname" . }}-secrets
+                  key: DCR_ENCRYPTION_KEY
+          volumeMounts:
+            - name: gcp-sa-key
+              mountPath: /var/run/secrets/gcp
+              readOnly: true
+          resources:
+            {{- toYaml .Values.handler.resources | nindent 12 }}
+          startupProbe:
+            httpGet:
+              path: /health
+              port: {{ .Values.handler.port }}
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            failureThreshold: 6
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: {{ .Values.handler.port }}
+            periodSeconds: 10
+            failureThreshold: 3
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: {{ .Values.handler.port }}
+            periodSeconds: 30
+            failureThreshold: 3
+      volumes:
+        - name: gcp-sa-key
+          secret:
+            secretName: {{ include "lightspeed-agent.fullname" . }}-gcp-sa-key
+{{- end }}
diff --git a/deploy/openshift/templates/handler-route.yaml b/deploy/openshift/templates/handler-route.yaml
@@ -0,0 +1,20 @@
+{{- if and .Values.handler.enabled .Values.handler.route.enabled }}
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  name: {{ include "lightspeed-agent.handlerServiceName" . }}
+  labels:
+    {{- include "lightspeed-agent.labels" . | nindent 4 }}
+    app.kubernetes.io/component: handler
+spec:
+  to:
+    kind: Service
+    name: {{ include "lightspeed-agent.handlerServiceName" . }}
+    weight: 100
+  port:
+    targetPort: http
+  tls:
+    termination: {{ .Values.route.tls.termination }}
+    insecureEdgeTerminationPolicy: {{ .Values.route.tls.insecureEdgeTerminationPolicy }}
+  wildcardPolicy: None
+{{- end }}
diff --git a/deploy/openshift/templates/handler-service.yaml b/deploy/openshift/templates/handler-service.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.handler.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "lightspeed-agent.handlerServiceName" . }}
+  labels:
+    {{- include "lightspeed-agent.labels" . | nindent 4 }}
+    app.kubernetes.io/component: handler
+spec:
+  selector:
+    {{- include "lightspeed-agent.handlerSelectorLabels" . | nindent 4 }}
+  ports:
+    - port: {{ .Values.handler.port }}
+      targetPort: {{ .Values.handler.port }}
+      protocol: TCP
+      name: http
+  type: ClusterIP
+{{- end }}
diff --git a/deploy/openshift/templates/secret.yaml b/deploy/openshift/templates/secret.yaml
@@ -13,4 +13,7 @@ stringData:
   RED_HAT_SSO_CLIENT_SECRET: {{ .Values.secrets.redHatSsoClientSecret | quote }}
   SESSION_DB_PASSWORD: {{ .Values.secrets.sessionDbPassword | quote }}
   SESSION_DATABASE_URL: {{ .Values.secrets.sessionDatabaseUrl | quote }}
+  DATABASE_URL: {{ .Values.secrets.databaseUrl | quote }}
+  DCR_INITIAL_ACCESS_TOKEN: {{ .Values.secrets.dcrInitialAccessToken | quote }}
+  DCR_ENCRYPTION_KEY: {{ .Values.secrets.dcrEncryptionKey | quote }}
 {{- end }}
diff --git a/deploy/openshift/values.yaml b/deploy/openshift/values.yaml
@@ -139,6 +139,41 @@ redis:
       cpu: 500m
       memory: 256Mi
 
+# ---------------------------------------------------------------------------
+# Marketplace Handler (optional — enable for GCP deployments with
+# Google Cloud Marketplace integration)
+# ---------------------------------------------------------------------------
+handler:
+  enabled: false
+  image:
+    repository: quay.io/ecosystem-appeng/lightspeed-agent-handler
+    tag: latest
+    pullPolicy: Always
+  replicas: 1
+  host: "0.0.0.0"
+  port: 8001
+  # Marketplace product identifier (managed service name from Producer Portal).
+  # Required for entitlement approval and product-level Pub/Sub event filtering.
+  serviceControlServiceName: ""
+  dcr:
+    enabled: true
+    clientNamePrefix: "gemini-order-"
+  route:
+    enabled: true
+  resources:
+    requests:
+      cpu: 250m
+      memory: 256Mi
+    limits:
+      cpu: "1"
+      memory: 512Mi
+
+# ---------------------------------------------------------------------------
+# Google Cloud Service Control (usage reporting)
+# ---------------------------------------------------------------------------
+serviceControl:
+  enabled: false
+
 # ---------------------------------------------------------------------------
 # Route
 # ---------------------------------------------------------------------------
@@ -164,3 +199,13 @@ secrets:
   sessionDbPassword: "sessions"
   # Full connection URL (contains credentials, stored in the Secret)
   sessionDatabaseUrl: "postgresql+asyncpg://sessions:sessions@lightspeed-agent-postgresql:5432/agent_sessions"
+  # --- Handler secrets (only needed when handler.enabled=true) ---
+  # Marketplace database URL (shared with agent for order validation).
+  # Points to the same PostgreSQL instance by default.
+  databaseUrl: "postgresql+asyncpg://sessions:sessions@lightspeed-agent-postgresql:5432/agent_sessions"
+  # Keycloak Initial Access Token for Dynamic Client Registration
+  dcrInitialAccessToken: ""
+  # Fernet key for encrypting stored client secrets
+  dcrEncryptionKey: ""
+  # Base64-encoded GCP service account key JSON (for ADC outside Cloud Run)
+  gcpServiceAccountKey: ""
