
feat: add OGX gateway deployment manifests for Claude Code #177

Open: hmoghani wants to merge 6 commits into red-hat-data-services:main from hmoghani:rhaieng-4749-ogx-deployment-manifests

@hmoghani


Summary

Add parameterized OGX deployment manifests for the Claude Code + vLLM setup. The existing deployment README already documents the OGX+vLLM path (env vars, model aliasing, vLLM flags). This PR adds the missing OGX infrastructure manifests that the README references.

What's Included

OGX Manifests (agents/claude-code/ogx/)

  • ogx-configmap.yaml — OGX runtime configuration enabling the Anthropic Messages API (/v1/messages) passthrough via inline::builtin provider
  • ogx-deployment.yaml — Standalone OGX Deployment (no LlamaStack operator required), with security hardening
  • ogx-service.yaml — ClusterIP Service (named ogx-service to avoid Kubernetes env var collision)
  • ogx-network-policy.yaml — NetworkPolicy allowing ingress on port 8321
  • README.md — Configuration reference, quick start, verification steps, and known issues

All manifests use parameterized placeholders (<VLLM_SERVICE>, <NAMESPACE>, <VLLM_PORT>, <MODEL_ID>).

Key Findings

  • OGX requires the messages API and inline::builtin provider in its config to enable /v1/messages — the default vLLM-only config does not expose this endpoint
  • The OGX service must not be named ogx due to a Kubernetes env var collision (OGX_PORT)
  • A network policy is needed to allow traffic on port 8321

Test plan

  • Deployed OGX with these manifests on OpenShift (ROSA HCP)
  • Verified /v1/health, /v1/models, /v1/messages (non-streaming + streaming)
  • Verified full path: Claude Code → OGX → vLLM → gpt-oss-120b
  • All SSE event types present in streaming responses

Add parameterized deployment manifests for OGX as a standalone API
gateway between Claude Code and vLLM. OGX provides the Anthropic
Messages API (/v1/messages) passthrough to vLLM's OpenAI-compatible
backend.

Includes ConfigMap, Deployment, Service, NetworkPolicy, and README
with configuration reference and known issues.
@coderabbitai

coderabbitai Bot commented Jun 11, 2026

📥 Commits

Reviewing files that changed from the base of the PR and between 49ee188 and d183cca.

📒 Files selected for processing (2)
  • agents/claude-code/ogx/ogx-configmap.yaml
  • agents/claude-code/ogx/ogx-deployment.yaml
Walkthrough

This PR adds a complete OGX (API gateway) deployment package for Claude Code integration with vLLM on Kubernetes. It includes documentation, configuration, and all required manifests to deploy a single-replica OGX service that translates Anthropic Messages API requests to OpenAI-compatible vLLM calls.

Changes

OGX Deployment Configuration

| Layer / File(s) | Summary |
| --- | --- |
| Architecture, Configuration, and Deployment: agents/claude-code/ogx/README.md, agents/claude-code/ogx/ogx-configmap.yaml, agents/claude-code/ogx/ogx-deployment.yaml | README documents the request flow (Claude Code → OGX → vLLM), prerequisites, quick-start, verification steps including SSE streaming expectations, and configuration details. ConfigMap enables inference and messages APIs, persists state to SQLite, configures a remote::vllm inference provider with templated base URL routing to vLLM, and an inline::builtin messages provider for API translation. Deployment runs OGX with security hardening (dropped Linux capabilities, no privilege escalation, non-root), mounts ConfigMap at /etc/ogx/config.yaml, exposes port 8321, and includes readiness/liveness probes on /v1/health. |
| Network Exposure and Access Control: agents/claude-code/ogx/ogx-service.yaml, agents/claude-code/ogx/ogx-network-policy.yaml | Service named ogx-service exposes the pod as ClusterIP on port 8321 to avoid Kubernetes environment variable collisions. NetworkPolicy restricts ingress to port 8321 from OpenShift ingress namespaces and a configurable target namespace placeholder. |


@hmoghani hmoghani changed the title from "RHAIENG-4749: add OGX gateway deployment manifests for Claude Code" to "feat: add OGX gateway deployment manifests for Claude Code" Jun 11, 2026
@hmoghani hmoghani marked this pull request as ready for review June 11, 2026 18:58
@hmoghani hmoghani requested a review from a team as a code owner June 11, 2026 18:58

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@agents/claude-code/ogx/ogx-network-policy.yaml`:
- Around line 26-28: The NetworkPolicy currently uses namespaceSelector to allow
all pods in <NAMESPACE> to access OGX on port 8321; change the ingress rule to
restrict traffic to only the Claude Code and router pods by replacing the broad
namespaceSelector with a podSelector that matches the specific labels used by
those deployments (e.g., the Claude Code pod label and the router pod label) or
by using both namespaceSelector + podSelector (namespace: <NAMESPACE> and
podSelector: matchLabels: { <claude-label-key>: <claude-label-value> } and
another peer for the router); ensure the ingress rule still targets port 8321
for the OGX service and remove the open namespace-wide matchLabels entry under
namespaceSelector.

📥 Commits

Reviewing files that changed from the base of the PR and between 10108dd and 008a589.

📒 Files selected for processing (5)
  • agents/claude-code/ogx/README.md
  • agents/claude-code/ogx/ogx-configmap.yaml
  • agents/claude-code/ogx/ogx-deployment.yaml
  • agents/claude-code/ogx/ogx-network-policy.yaml
  • agents/claude-code/ogx/ogx-service.yaml
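
The peer restriction requested in the inline comment above, written out as an added example (not the PR's manifest): the namespace-wide peer next to peers that combine namespaceSelector and podSelector. The policy names, the `app: ogx` pod label, the `kubernetes.io/metadata.name` namespace label and the router label placeholders are assumptions; only the target-namespace peer is shown, not the OpenShift ingress peer.

```yaml
# Before (as the review describes it): every pod in <NAMESPACE> can reach OGX.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ogx-ingress-broad            # hypothetical name
spec:
  podSelector:
    matchLabels:
      app: ogx                       # assumed label on the OGX pod
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - namespaceSelector:         # no podSelector, so all pods in it match
            matchLabels:
              kubernetes.io/metadata.name: <NAMESPACE>
      ports:
        - protocol: TCP
          port: 8321
---
# After: use this instead of the policy above (policies are additive).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ogx-ingress-scoped           # hypothetical name
spec:
  podSelector:
    matchLabels:
      app: ogx
  policyTypes: ["Ingress"]
  ingress:
    - from:
        # One list item with both selectors = AND (this namespace AND this label).
        # Writing "- podSelector:" as its own item would OR them instead.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: <NAMESPACE>
          podSelector:
            matchLabels:
              <claude-label-key>: <claude-label-value>
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: <NAMESPACE>
          podSelector:
            matchLabels:
              <router-label-key>: <router-label-value>   # assumed placeholder
      ports:
        - protocol: TCP
          port: 8321
```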

OGX uses native /v1/messages passthrough when vLLM supports it,
not Anthropic-to-OpenAI translation. Updated configmap, deployment,
and README descriptions to reflect this.
@hmoghani hmoghani requested a review from msager27 June 11, 2026 19:30
@msager27


@hmoghani LGTM. I added one more comment.



Recommend 128K+ tokens for realistic coding work, not just the
32K minimum for the system prompt.
@hmoghani hmoghani requested a review from msager27 June 12, 2026 14:45

@aakankshaduggal aakankshaduggal left a comment


Looks good overall — well-documented, properly parameterized, and the OGX_PORT service naming collision catch is a nice find.

A few items:

  1. Missing seccompProfile in the deployment security context — restricted SCC requires seccompProfile: RuntimeDefault alongside runAsNonRoot and drop ALL. Should add:

    seccompProfile:
      type: RuntimeDefault
  2. `api_token: fake` in the configmap — works because vLLM doesn't validate tokens by default, but someone copying this for a setup with --api-key enabled would get silently broken auth. A one-line comment like `# vLLM default: no auth. Replace with a real token or Secret reference if vLLM is configured with --api-key` would help.

  3. Minor (non-blocking): no pod-level securityContext — only the container-level context is set. For full restricted SCC compliance you'd typically also set runAsNonRoot and seccompProfile at spec.template.spec.securityContext. Not blocking for a starter kit.


Reviewed by @aakankshaduggal with Claude Code
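
Where the fields from items 1 to 3 of the review above sit in a Deployment, as an added example rather than the PR's manifest. The resource name, the `app: ogx` label, the `<OGX_IMAGE>` placeholder, the `VLLM_API_TOKEN` variable and the `vllm-api-key` Secret are assumptions; the page does not show how the OGX config would read the token.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ogx                          # assumed name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ogx                       # assumed label
  template:
    metadata:
      labels:
        app: ogx
    spec:
      securityContext:               # pod level (item 3): defaults for all containers
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: ogx
          image: <OGX_IMAGE>         # placeholder; the image is not given on this page
          ports:
            - containerPort: 8321
          securityContext:           # container level (item 1)
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
            # The next two fields exist only at container level.
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          env:
            # Item 2: when vLLM runs with --api-key, source the token from a
            # Secret instead of the literal "fake" value in the ConfigMap.
            - name: VLLM_API_TOKEN   # hypothetical variable name
              valueFrom:
                secretKeyRef:
                  name: vllm-api-key # hypothetical Secret
                  key: token
```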

hmoghani and others added 2 commits June 12, 2026 13:34
- Add seccompProfile: RuntimeDefault at both pod and container level
- Add pod-level securityContext (runAsNonRoot, seccompProfile)
- Add comment on api_token explaining when to replace it
@hmoghani


> Looks good overall — well-documented, properly parameterized, and the OGX_PORT service naming collision catch is a nice find.
>
> A few items:
>
>   1. Missing seccompProfile in the deployment security context — restricted SCC requires seccompProfile: RuntimeDefault alongside runAsNonRoot and drop ALL. Should add:
>
>          seccompProfile:
>            type: RuntimeDefault
>   2. `api_token: fake` in the configmap — works because vLLM doesn't validate tokens by default, but someone copying this for a setup with --api-key enabled would get silently broken auth. A one-line comment like `# vLLM default: no auth. Replace with a real token or Secret reference if vLLM is configured with --api-key` would help.
>   3. Minor (non-blocking): no pod-level securityContext — only the container-level context is set. For full restricted SCC compliance you'd typically also set runAsNonRoot and seccompProfile at spec.template.spec.securityContext. Not blocking for a starter kit.
>
> Reviewed by @aakankshaduggal with Claude Code

I updated the manifests. Thanks for the review.

@hmoghani hmoghani requested a review from aakankshaduggal June 12, 2026 17:36

@msager27 msager27 left a comment


LGTM, thanks!
