Merge branch 'main' into dev-add-a2a-protocol-example

Author: Wojciech-Rebisz

agents/crewai/websearch_agent/.dockerignore

@@ -0,0 +1,18 @@
+.env
+.env.*
+!.env.example
+.venv
+__pycache__
+*.pyc
+*.pyo
+.pytest_cache
+.mypy_cache
+.ruff_cache
+.git
+.gitignore
+.helm-secrets.yaml
+.DS_Store
+tests/
+examples/
+docs/
+*.md

agents/crewai/websearch_agent/.env.example

@@ -0,0 +1,20 @@
+# Required
+API_KEY=
+BASE_URL=
+MODEL_ID=
+
+# Deployment
+CONTAINER_IMAGE=
+
+# Optional — MLflow Tracing
+# MLFLOW_TRACKING_URI=
+# MLFLOW_EXPERIMENT_NAME=
+# MLFLOW_HEALTH_CHECK_TIMEOUT=5
+# MLFLOW_HTTP_REQUEST_TIMEOUT=2
+# MLFLOW_HTTP_REQUEST_MAX_RETRIES=0
+# MLFLOW_TRACKING_TOKEN=
+# MLFLOW_TRACKING_INSECURE_TLS=
+# MLFLOW_WORKSPACE=default
+# LLM_PROVIDER=litellm
+# MLFLOW_TRACKING_AUTH= # Use Kubernetes service account for authentication (if running inside the cluster)
+

agents/crewai/websearch_agent/Dockerfile

@@ -1,23 +1,26 @@
-# Use Python 3.12 slim image as base
-FROM python:3.12-slim
+# Use Red Hat UBI9 Python 3.12 image (no Docker Hub rate limits on OpenShift)
+# To update: docker pull registry.access.redhat.com/ubi9/python-312:latest
+#            docker inspect --format='{{index .RepoDigests 0}}' registry.access.redhat.com/ubi9/python-312:latest
+FROM registry.access.redhat.com/ubi9/python-312@sha256:e95978812895b9abb2bdc109b501078da2a47c8dbb9fa23758af40ed50ab6023
+WORKDIR /opt/app-root/src
 
-# Set working directory
-WORKDIR /app
+# Switch to root for installing dependencies
+USER 0
 
-# Create a non-privileged user for OpenShift
-# UID 1001 is commonly used in OpenShift deployments
-# Adding to root group (GID 0) is the OpenShift convention for arbitrary UIDs
-RUN groupadd -r appuser && useradd -r -u 1001 -g 0 -m -d /home/appuser appuser
-
-# Install uv for fast dependency management
-COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv
+# Install uv for fast dependency management (v0.11.1)
+# To update: docker pull ghcr.io/astral-sh/uv:latest
+#            docker inspect --format='{{index .RepoDigests 0}}' ghcr.io/astral-sh/uv:latest
+COPY --from=ghcr.io/astral-sh/uv@sha256:fc93e9ecd7218e9ec8fba117af89348eef8fd2463c50c13347478769aaedd0ce /uv /usr/local/bin/uv
 
 # Copy project files for dependency installation
 COPY pyproject.toml .
 COPY src/ ./src/
 
 # Install the project and its dependencies using uv
-RUN uv pip install --system --no-cache .
+# pysqlite3-binary (installed inline) provides SQLite >= 3.35 for ChromaDB on UBI9
+RUN uv pip install --no-cache ".[tracing]" pysqlite3-binary \
+    && SITE=$(python3 -c "import site; print(site.getsitepackages()[0])") \
+    && printf '__import__("pysqlite3")\nimport sys\nsys.modules["sqlite3"] = sys.modules.pop("pysqlite3")\n' > "$SITE/sitecustomize.py"
 
 # Copy the application entrypoint, playground UI, and images
 COPY main.py .
@@ -27,20 +30,20 @@ COPY images/ ./images/
 # Pre-create the directory that CrewAI writes to at import time
 # (crewai.utilities.paths.db_storage_path -> ~/.local/share/app/)
 # Make everything group-writable (GID 0) for OpenShift arbitrary UID support
-RUN mkdir -p /home/appuser/.local/share/app \
-    && chown -R appuser:0 /app /home/appuser \
-    && chmod -R g=u /app /home/appuser
+RUN mkdir -p /opt/app-root/.local/share/app \
+    && chown -R 1001:0 /opt/app-root/src /opt/app-root/.local \
+    && chmod -R g=u /opt/app-root/src /opt/app-root/.local
 
-# Switch to non-privileged user
-USER appuser
+# Switch back to default non-root user
+USER 1001
 
 # Expose port 8080 (OpenShift standard)
 EXPOSE 8080
 
 # Set environment variables
 ENV PORT=8080
-ENV HOME=/home/appuser
-ENV PYTHONPATH=/app:/app/src
+ENV HOME=/opt/app-root
+ENV PYTHONPATH=/opt/app-root/src
 
-# Run the application
-CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8080"]
+# Run the application — reads PORT at runtime
+CMD ["sh", "-c", "uvicorn main:app --host 0.0.0.0 --port ${PORT}"]

agents/crewai/websearch_agent/Makefile

@@ -0,0 +1,107 @@
+SHELL          := bash
+AGENT_NAME     := $(shell python3 -c "import re; print(re.search(r'^name:\s*(.+)', open('agent.yaml').read(), re.M).group(1).strip())")
+CHART_DIR      := ../../../charts/agent
+VALUES_FILE    := values.yaml
+CONTAINER_CLI  := $(shell command -v podman 2>/dev/null || command -v docker 2>/dev/null)
+
+.PHONY: init run run-cli build push build-openshift deploy undeploy test dry-run help
+
+help: ## Show this help
+	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "  %-12s %s\n", $$1, $$2}'
+
+init: ## Copy .env.example to .env for configuration
+	@if [ ! -f .env ]; then cp .env.example .env && echo "Created .env from .env.example — edit it with your configuration"; else echo ".env already exists — skipping"; fi
+
+run: ## Run agent locally with hot-reload
+	@set -a && source .env && set +a && \
+	  uv run uvicorn main:app --host 0.0.0.0 --port $${PORT:-8000} --reload --reload-exclude .venv
+
+run-cli: ## Run interactive CLI chat (no web server)
+	@set -a && source .env && set +a && \
+	  cd examples && uv run python execute_ai_service_locally.py
+
+build: ## Build container image locally (podman/docker)
+	@[ -n "$(CONTAINER_CLI)" ] || { echo "ERROR: neither podman nor docker found in PATH"; exit 1; } && \
+	  source .env && \
+	  [ -n "$${CONTAINER_IMAGE}" ] || { echo "ERROR: CONTAINER_IMAGE is not set in .env"; exit 1; } && \
+	  cp -r ../../../images ./images && trap 'rm -rf ./images' EXIT && \
+	  $(CONTAINER_CLI) build --platform linux/amd64 -t "$${CONTAINER_IMAGE}" -f Dockerfile .
+
+push: ## Push container image to registry
+	@[ -n "$(CONTAINER_CLI)" ] || { echo "ERROR: neither podman nor docker found in PATH"; exit 1; } && \
+	  source .env && \
+	  [ -n "$${CONTAINER_IMAGE}" ] || { echo "ERROR: CONTAINER_IMAGE is not set in .env"; exit 1; } && \
+	  $(CONTAINER_CLI) push "$${CONTAINER_IMAGE}"
+
+build-openshift: ## Build image in-cluster via OpenShift BuildConfig (no podman/docker needed)
+	@cp -r ../../../images ./images && trap 'rm -rf ./images' EXIT && \
+	  oc new-build --strategy=docker --binary --name=$(AGENT_NAME) --to=$(AGENT_NAME):latest 2>/dev/null || true && \
+	  oc start-build $(AGENT_NAME) --from-dir=. --follow && \
+	  NS=$$(oc project -q) && \
+	  echo "" && \
+	  echo "Image built. To deploy, set in .env:" && \
+	  echo "  CONTAINER_IMAGE=image-registry.openshift-image-registry.svc:5000/$$NS/$(AGENT_NAME):latest"
+
+_check-env:
+	@set -a && source .env 2>/dev/null && set +a; \
+	  missing=""; \
+	  for var in $$(sed -n '/^ *required:/,/^ *[a-z]/{ /^ *- /s/^ *- *//p; }' agent.yaml); do \
+	    eval val="\$$$$var"; \
+	    [ -n "$$val" ] || missing="$$missing $$var"; \
+	  done; \
+	  [ -z "$$missing" ] || { echo "ERROR: Missing required env vars:$$missing"; exit 1; }
+
+deploy: _check-env ## Deploy to OpenShift/K8s via Helm
+	@source .env && \
+	  [ -n "$${CONTAINER_IMAGE}" ] || { echo "ERROR: CONTAINER_IMAGE is not set in .env"; exit 1; } && \
+	  case "$${CONTAINER_IMAGE}" in *:*) IMAGE_REPO="$${CONTAINER_IMAGE%:*}"; IMAGE_TAG="$${CONTAINER_IMAGE##*:}";; *) IMAGE_REPO="$${CONTAINER_IMAGE}"; IMAGE_TAG="latest";; esac && \
+	  trap 'rm -f .helm-secrets.yaml' EXIT && \
+	  umask 077 && \
+	  { printf 'secrets:\n  apiKey: "%s"\n' "$${API_KEY}"; \
+	    [ -z "$${MLFLOW_TRACKING_TOKEN}" ] || printf '  mlflowTrackingToken: "%s"\n' "$${MLFLOW_TRACKING_TOKEN}"; \
+	  } > .helm-secrets.yaml && \
+	  helm upgrade --install $(AGENT_NAME) $(CHART_DIR) \
+	    -f $(VALUES_FILE) \
+	    -f .helm-secrets.yaml \
+	    --set image.repository="$${IMAGE_REPO}" \
+	    --set image.tag="$${IMAGE_TAG}" \
+	    --set env.BASE_URL="$${BASE_URL}" \
+	    --set env.MODEL_ID="$${MODEL_ID}" \
+	    $${MLFLOW_TRACKING_URI:+--set env.MLFLOW_TRACKING_URI="$${MLFLOW_TRACKING_URI}"} \
+	    $${MLFLOW_EXPERIMENT_NAME:+--set env.MLFLOW_EXPERIMENT_NAME="$${MLFLOW_EXPERIMENT_NAME}"} \
+	    $${MLFLOW_TRACKING_INSECURE_TLS:+--set env.MLFLOW_TRACKING_INSECURE_TLS="$${MLFLOW_TRACKING_INSECURE_TLS}"} \
+	    $${MLFLOW_WORKSPACE:+--set env.MLFLOW_WORKSPACE="$${MLFLOW_WORKSPACE}"} && \
+	  if command -v oc >/dev/null 2>&1; then \
+	    echo "" && echo "Waiting for rollout to complete..." && \
+	    if oc rollout status deployment/$(AGENT_NAME) --timeout=120s; then \
+	      ROUTE=$$(oc get route $(AGENT_NAME) -o jsonpath='{.spec.host}' 2>/dev/null || true); \
+	      if [ -n "$$ROUTE" ]; then echo "" && echo "Agent is available at: https://$$ROUTE"; fi; \
+	    else \
+	      echo "" && echo "WARNING: Rollout did not complete successfully. Check pod status with:" && \
+	      echo "  oc get pods -l app.kubernetes.io/name=$(AGENT_NAME)" && \
+	      echo "  oc logs deployment/$(AGENT_NAME)"; \
+	    fi; \
+	  fi
+
+dry-run: _check-env ## Render Helm templates without deploying
+	@source .env && \
+	  [ -n "$${CONTAINER_IMAGE}" ] || { echo "ERROR: CONTAINER_IMAGE is not set in .env"; exit 1; } && \
+	  case "$${CONTAINER_IMAGE}" in *:*) IMAGE_REPO="$${CONTAINER_IMAGE%:*}"; IMAGE_TAG="$${CONTAINER_IMAGE##*:}";; *) IMAGE_REPO="$${CONTAINER_IMAGE}"; IMAGE_TAG="latest";; esac && \
+	  helm template $(AGENT_NAME) $(CHART_DIR) \
+	    -f $(VALUES_FILE) \
+	    --set secrets.apiKey="REDACTED" \
+	    --set image.repository="$${IMAGE_REPO}" \
+	    --set image.tag="$${IMAGE_TAG}" \
+	    --set env.BASE_URL="$${BASE_URL}" \
+	    --set env.MODEL_ID="$${MODEL_ID}" \
+	    $${MLFLOW_TRACKING_URI:+--set env.MLFLOW_TRACKING_URI="$${MLFLOW_TRACKING_URI}"} \
+	    $${MLFLOW_TRACKING_TOKEN:+--set secrets.mlflowTrackingToken="REDACTED"} \
+	    $${MLFLOW_EXPERIMENT_NAME:+--set env.MLFLOW_EXPERIMENT_NAME="$${MLFLOW_EXPERIMENT_NAME}"} \
+	    $${MLFLOW_TRACKING_INSECURE_TLS:+--set env.MLFLOW_TRACKING_INSECURE_TLS="$${MLFLOW_TRACKING_INSECURE_TLS}"} \
+	    $${MLFLOW_WORKSPACE:+--set env.MLFLOW_WORKSPACE="$${MLFLOW_WORKSPACE}"}
+
+undeploy: ## Remove deployment from cluster
+	helm uninstall $(AGENT_NAME)
+
+test: ## Run tests
+	uv run --extra dev python -m pytest tests/