feat: Add containerized Claude agent

[msager27]

Description

Add containerized Claude agent. This is the first in a series of building blocks to enable Claude Code agent deployment and operation on RHOAI with vLLM/OGX interoperability. With this PR, a user can build, deploy, and run Claude on RHOAI. A user can also run locally with podman. Some additional notes:

• Either an Anthropic api key or Vertex AI (with a service account key) is needed to use Claude. This PR includes deployment yamls for both, plus setup and usage instructions in README.md. Since I don't have an api key, I've only tested it with Vertex.
• Initial support for skills and mcp config is provided, but is mainly a placeholder for now. More to come.
• Non-Anthropic backends like vLLM/OGX are not yet tested. This will also come later.

cc @aakankshaduggal

Jira Ticket

RHAIENG-4737

Testing

After deploying Claude on RHOAI, testing can be done using oc exec (see README for full commands and instructions). Longer term, we need to investigate some type of UI on RHOAI.

• Test claude interactively on RHOAI
• Test claude non-interactively (-p option) on RHOAI
• Test claude in debug mode on RHOAI and monitor logs

[coderabbitai]

Warning

Rate limit exceeded

@msager27 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 40 minutes and 45 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: f9bb50da-8027-4095-8d8a-9e9d6532aa9a

📥 Commits

Reviewing files that changed from the base of the PR and between eea4bed and 20a601d.

📒 Files selected for processing (1)

• agents/claude-code/deployment/entrypoint.sh

📝 Walkthrough

Walkthrough

Adds a UBI10-minimal Containerfile that installs a pinned Claude Code CLI for non-root runtime, an entrypoint script that assembles runtime args (auth, MCP, skills, workspace) and dispatches to claude, OpenShift Build/ImageStream + Deployment manifests for Anthropic and Vertex modes, and step-by-step deployment documentation.

Changes

Claude Code OpenShift deployment

Layer / File(s)	Summary
Container image and entrypoint agents/claude-code/deployment/Containerfile, agents/claude-code/deployment/entrypoint.sh	Creates a UBI10-based image with configurable non-root user, installs pinned Claude Code CLI and minimal utilities, prepares /opt/skills and /workspace, copies entrypoint.sh, disables auto-updater, and sets entrypoint/CMD. Entrypoint validates Anthropic vs Vertex auth, builds MCP and skills args, persists ~/.claude helper files, and executes claude or provided commands.
Anthropic API deployment manifest agents/claude-code/deployment/deployment.yaml	Defines ImageStream and BuildConfig for binary Containerfile builds, ConfigMaps for MCP and skills, a ReadWriteOnce PVC for /workspace, and a Deployment that mounts claude-credentials for ANTHROPIC_API_KEY, sets SKIP_PERMISSIONS=true, and applies pod/container security hardening (runAsNonRoot, seccomp, dropped capabilities).
Vertex AI deployment manifest agents/claude-code/deployment/deployment-vertex.yaml	Parallel manifest that builds/uses the same image but enables Vertex mode (CLAUDE_CODE_USE_VERTEX=1), injects Vertex project/region via ConfigMap, mounts a GCP service-account secret at /var/secrets/google with GOOGLE_APPLICATION_CREDENTIALS, and includes the same PVC and security contexts.
Deployment documentation agents/claude-code/deployment/README.md	Step-by-step OpenShift deployment guide for Option A (Anthropic API key) and Option B (Vertex AI): prerequisites, local build/test commands, secret and ConfigMap setup, oc/oc start-build usage, rollout verification, interactive/debug examples, security considerations, and cleanup commands.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'feat: Add containerized Claude agent' directly summarizes the main change—adding container deployment artifacts for Claude Code.
Description check	✅ Passed	The description is related to the changeset, explaining the purpose of containerized Claude agent deployment on RHOAI, supported backends, testing instructions, and known limitations.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude-agent

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (2)

agents/claude/claude_agent/entrypoint.sh (1)

102-103: ⚡ Quick win

Array serialized as space-joined string causes word-splitting fragility

MCP_ARGS="${mcp_args[*]:-}" flattens the array into a single space-delimited string. It is then re-expanded unquoted (args+=(${MCP_ARGS})) to recover the elements. This breaks silently if any element (e.g., a file path) contains a space. The same pattern repeats with CLAUDE_EXTRA_ARGS (lines 163, 191).

Since all functions run in the same shell process, exporting through env vars is unnecessary. Using a global array avoids the serialization entirely:

♻️ Proposed refactor: use global arrays instead of exported strings

+# Global arrays shared across functions (avoids word-splitting via export)
+MCP_ARGS_ARRAY=()
+CLAUDE_EXTRA_ARGS_ARRAY=()
+
 setup_mcp() {
-    local mcp_args=()
+    MCP_ARGS_ARRAY=()
     ...
-    mcp_args+=("--mcp-config" "${MCP_CONFIG_FILE}")
+    MCP_ARGS_ARRAY+=("--mcp-config" "${MCP_CONFIG_FILE}")
     ...
-    export MCP_ARGS="${mcp_args[*]:-}"
 }

 build_claude_args() {
     local args=()
-    if [[ -n "${MCP_ARGS:-}" ]]; then
-        # shellcheck disable=SC2206
-        args+=(${MCP_ARGS})
-    fi
+    if [[ ${`#MCP_ARGS_ARRAY`[@]} -gt 0 ]]; then
+        args+=("${MCP_ARGS_ARRAY[@]}")
+    fi
     ...
-    export CLAUDE_EXTRA_ARGS="${args[*]:-}"
+    CLAUDE_EXTRA_ARGS_ARRAY=("${args[@]}")
 }

 # In main():
-    exec claude ${CLAUDE_EXTRA_ARGS} "$@"
+    exec claude "${CLAUDE_EXTRA_ARGS_ARRAY[@]}" "$@"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@agents/claude/claude_agent/entrypoint.sh` around lines 102 - 103, The code
flattens arrays into space-joined env strings (MCP_ARGS, CLAUDE_EXTRA_ARGS) and
later re-expands them unquoted causing word-splitting; instead stop exporting
those env vars and keep/use bash arrays directly: remove export MCP_ARGS and
export CLAUDE_EXTRA_ARGS/claude_extra_args, retain the original arrays (mcp_args
and claude_extra_args) in the shared shell and change all re-expansions to
preserve elements with args+=("${mcp_args[@]}") and
args+=("${claude_extra_args[@]}") (and any other places using
args+=(${MCP_ARGS}) or args+=(${CLAUDE_EXTRA_ARGS}) ), ensuring elements with
spaces are preserved.

agents/claude/claude_agent/Containerfile (1)

37-38: ⚡ Quick win

NODE_VERSION ARG is defined but never used

ARG NODE_VERSION=22 has no effect on the microdnf install nodejs invocation, so --build-arg NODE_VERSION=18 (or any value) is silently ignored. The Node version installed is whatever UBI 10's repos provide.

Either remove the ARG, or wire it into the install step (e.g., via a NodeSource/NVM setup or a nodejs:${NODE_VERSION} module stream call with microdnf module enable).

-# Node.js version (major version, installs latest in that series)
-ARG NODE_VERSION=22
-

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@agents/claude/claude_agent/Containerfile` around lines 37 - 38, ARG
NODE_VERSION is declared but unused; either remove it or wire it into the
install. To fix, either delete the ARG NODE_VERSION=22 from the Containerfile,
or change the install sequence to use the argument (for example by running the
module stream command that binds to the arg: use "microdnf module enable
nodejs:${NODE_VERSION}" then "microdnf install nodejs" or otherwise source Node
from NodeSource/NVM using NODE_VERSION). Update the Containerfile lines around
the existing "ARG NODE_VERSION=22" and the "microdnf install nodejs" invocation
to reflect the chosen approach so --build-arg NODE_VERSION takes effect.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@agents/claude/claude_agent/deployment.yaml`:
- Around line 122-123: The SKIP_PERMISSIONS environment variable is currently
hardcoded to "true", enabling --dangerously-skip-permissions by default; change
the default value to "false" for the SKIP_PERMISSIONS env var in the manifest(s)
(look for the SKIP_PERMISSIONS env entry in the deployment YAML and the
equivalent in the vertex deployment) so operators must explicitly opt-in to
dangerous behavior, and add a README note documenting that setting
SKIP_PERMISSIONS to "true" enables --dangerously-skip-permissions (risk:
filesystem write bypass) and must be used only in sandboxed environments.

In `@agents/claude/claude_agent/entrypoint.sh`:
- Around line 96-99: MCP_CONFIG_JSON is treated as inline JSON but is passed
directly to mcp_args as "--mcp-config" which expects a filesystem path; instead,
create a temporary file (e.g., via mktemp), write MCP_CONFIG_JSON into it, push
that temp path onto mcp_args (same place you currently append
"${MCP_CONFIG_JSON}"), and ensure the temp file is removed on exit (use trap to
unlink). Also preserve existing validation logic by checking the temp file
exists before appending and reference the symbols MCP_CONFIG_JSON, mcp_args,
--mcp-config, and MCP_CONFIG_FILE so the change mirrors the established
file-based flow.

In `@agents/claude/claude_agent/README.md`:
- Around line 281-291: Update the Cleanup section in README.md to include the
Vertex AI (Option B) resource names and commands in addition to the existing
Option A names; specifically add oc delete commands for the Vertex-specific
deployment, buildconfig, imagestream, secret(s), configmap(s) and PVC (e.g.,
names prefixed or suffixed with "vertex" such as claude-vertex-deployment,
claude-vertex-buildconfig, claude-vertex-imagestream, claude-vertex-credentials,
claude-vertex-mcp-config, claude-vertex-skills, claude-vertex-workspace) and
clarify which commands apply to Option A (claude-code, claude-credentials,
claude-mcp-config, claude-skills, claude-workspace) vs Option B so users run the
correct oc delete lines for their chosen option.

---

Nitpick comments:
In `@agents/claude/claude_agent/Containerfile`:
- Around line 37-38: ARG NODE_VERSION is declared but unused; either remove it
or wire it into the install. To fix, either delete the ARG NODE_VERSION=22 from
the Containerfile, or change the install sequence to use the argument (for
example by running the module stream command that binds to the arg: use
"microdnf module enable nodejs:${NODE_VERSION}" then "microdnf install nodejs"
or otherwise source Node from NodeSource/NVM using NODE_VERSION). Update the
Containerfile lines around the existing "ARG NODE_VERSION=22" and the "microdnf
install nodejs" invocation to reflect the chosen approach so --build-arg
NODE_VERSION takes effect.

In `@agents/claude/claude_agent/entrypoint.sh`:
- Around line 102-103: The code flattens arrays into space-joined env strings
(MCP_ARGS, CLAUDE_EXTRA_ARGS) and later re-expands them unquoted causing
word-splitting; instead stop exporting those env vars and keep/use bash arrays
directly: remove export MCP_ARGS and export CLAUDE_EXTRA_ARGS/claude_extra_args,
retain the original arrays (mcp_args and claude_extra_args) in the shared shell
and change all re-expansions to preserve elements with args+=("${mcp_args[@]}")
and args+=("${claude_extra_args[@]}") (and any other places using
args+=(${MCP_ARGS}) or args+=(${CLAUDE_EXTRA_ARGS}) ), ensuring elements with
spaces are preserved.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 959e1b61-76bd-418b-8cb3-6676b921c807

📥 Commits

Reviewing files that changed from the base of the PR and between 49f1245 and 55cd3a2.

📒 Files selected for processing (5)

• agents/claude/claude_agent/Containerfile
• agents/claude/claude_agent/README.md
• agents/claude/claude_agent/deployment-vertex.yaml
• agents/claude/claude_agent/deployment.yaml
• agents/claude/claude_agent/entrypoint.sh

[aakankshaduggal]

Review by Claude with Aakanksha's manual approval

Tested this PR on ROSA using the Vertex AI path for RHAIENG-4739. Image builds cleanly, runs under restricted-v2 SCC, and Claude Code responds to prompts. Nice work on the Containerfile and entrypoint structure.

4 inline comments below with issues found during testing. OGX integration testing is blocked on RHAIENG-4743.

Test Results (RHAIENG-4739 partial)

Criteria	Result
Image deployed as pod on OpenShift	PASS
Pod runs under restricted-v2 SCC	PASS
Claude Code starts and accepts input	PASS
No security policy violations in logs	PASS
Process spawning (bash) works	PASS
Non-root user (OpenShift random UID)	PASS
Workspace writable via PVC	PASS
OGX backend integration	BLOCKED (waiting on RHAIENG-4743)

[msager27]

@aakankshaduggal Thanks for the review! I've pushed some fixes that should address everything.

[hmoghani]

Could you also update the main directory README file and add reference to the claude agent?

[jwm4]

Licensing note: README should warn against distributing built images

The Containerfile installs Claude Code at build time, so the resulting container image contains Anthropic's proprietary binary (the license is "All rights reserved," subject to their commercial terms). Users building the image themselves is fine, but the README should explicitly note that the built images should not be redistributed, since they contain proprietary closed-source software.

npm install is no longer the recommended method

Anthropic now recommends their native installer over npm. The CLI itself warns users to switch when launched from an npm install. They also publish a dnf repo for RHEL/Fedora, which might be a more natural fit for a UBI base. See also anthropics/claude-code#24568, which flagged the same npm issue in Anthropic's own devcontainer reference.

The Containerfile should replace:

npm install -g @anthropic-ai/claude-code@${CLAUDE_CODE_VERSION}

with the native installer:

curl -fsSL https://claude.ai/install.sh | bash

This also removes the need for npm as a build dependency.

---

This comment was drafted by Claude Code under the supervision of Bill Murdock.

[jwm4]

See earlier comment.

[msager27]

@jwm4 We now use the native installer. Also, I've added a licensing notice. Thanks for the review!

[jwm4]

I haven't tested this myself, but all my concerns are addressed so it looks good to me.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@agents/claude-code/deployment/Containerfile`:
- Around line 101-110: The ENV PATH currently hardcodes /home/claude-agent which
mismatches the build ARG USER_NAME and can break installs; update the Dockerfile
to derive the user's home directory from USER_NAME (or from $HOME set for that
user) and use that value when setting ENV PATH so the native installer location
(~/.local/bin) is added dynamically; locate the USER ${USER_UID} and RUN curl
... install.sh lines and replace the hardcoded /home/claude-agent in the ENV
PATH declaration with a reference that uses USER_NAME or $HOME (ensuring
USER_NAME is set as a build ARG and exported to the environment before ENV PATH
is evaluated) so the path points to the actual user's ~/.local/bin at
build/runtime.

In `@agents/claude-code/deployment/deployment.yaml`:
- Around line 171-186: Remove the misleading ClusterIP Service resource that
targets port 8080 (metadata.name: claude-code, spec.ports.targetPort: 8080)
since the pod runs a CLI/sleep and does not open that port; delete the entire
"kind: Service" block from this manifest (and apply the same removal in
deployment-vertex.yaml) so the deployment won't appear network-addressable until
an actual listener is added.

In `@agents/claude-code/deployment/entrypoint.sh`:
- Around line 250-260: The log currently prints the full Claude command and
arguments (CLAUDE_EXTRA_ARGS and "$*"), leaking prompt text; change the logging
in the claude branch to only log the subcommand/mode (the first argument after
the initial "claude") instead of the full argv. Concretely, after the shift
capture the mode into a variable (e.g., mode="$1" || mode="default") and call
log_info with that mode (do not expand CLAUDE_EXTRA_ARGS or "$*"), then exec
claude ${CLAUDE_EXTRA_ARGS} "$@" as before; update the log line that currently
references CLAUDE_EXTRA_ARGS and "$*" so it only references the mode variable.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 40fbe50d-0dfd-4b2d-9fb1-d5ae382c1d8f

📥 Commits

Reviewing files that changed from the base of the PR and between d3dc149 and b226182.

📒 Files selected for processing (5)

• agents/claude-code/deployment/Containerfile
• agents/claude-code/deployment/README.md
• agents/claude-code/deployment/deployment-vertex.yaml
• agents/claude-code/deployment/deployment.yaml
• agents/claude-code/deployment/entrypoint.sh

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@agents/claude-code/deployment/deployment-vertex.yaml`:
- Around line 166-170: The manifest currently sets the environment variable
SKIP_PERMISSIONS to "true", making permission checks disabled by default; change
the default to "false" (or remove the variable so checks remain enabled) in the
Vertex deployment manifest so operators must explicitly opt in to skip
permission checks, updating the SKIP_PERMISSIONS env var value and any related
docs or comments to reflect this new secure-by-default behaviour.

In `@agents/claude-code/deployment/deployment.yaml`:
- Around line 129-133: The manifest currently sets the environment variable
SKIP_PERMISSIONS to "true", which disables Claude’s permission checks by
default; change this to the safe default by setting SKIP_PERMISSIONS to "false"
(or remove the variable so the application defaults to safe behavior) and update
the comment to instruct operators to explicitly opt-in per environment or via a
deployment overlay; locate the SKIP_PERMISSIONS env entry in deployment.yaml and
make the value change and adjust documentation/comments accordingly.

In `@agents/claude-code/deployment/entrypoint.sh`:
- Around line 91-93: The current code logs the full ANTHROPIC_BASE_URL via
log_info, which may leak credentials; change the behavior in the entrypoint.sh
block that checks ANTHROPIC_BASE_URL so it does not print the entire
value—either log a generic message like "Using custom API endpoint" (no URL) or
redact sensitive parts (e.g., show only scheme and host or replace token/query
with "[REDACTED]") before passing to log_info; update the conditional that
references ANTHROPIC_BASE_URL and the log_info call accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 0ecb3c94-b033-421d-b3c6-d58e09116feb

📥 Commits

Reviewing files that changed from the base of the PR and between b226182 and eea4bed.

📒 Files selected for processing (4)

• agents/claude-code/deployment/Containerfile
• agents/claude-code/deployment/deployment-vertex.yaml
• agents/claude-code/deployment/deployment.yaml
• agents/claude-code/deployment/entrypoint.sh

🚧 Files skipped from review as they are similar to previous changes (1)

• agents/claude-code/deployment/Containerfile

[mpk-droid]

Overall looks good. Acceptance criterion #10 of RHAIENG-4737 ("Image size documented and compared against MR !12 image") asks for the image size to be documented. The built image comes in at ~427 MB — consider adding that to the README.

[mpk-droid]

LGTM

[robinnarsinghranabhat]

Some problems detected :

• Docs on skills is incorrect. For claude to find skills, need to create .claude/skills/ inside the directory that's added through --add-dir.

• Repo/project memory is not presisted. It’s saved at ~/claude/ .Only User level memory is persisted atm (the workspace folder) which is used for CLAUDE.md, AGENT.md kind of files.

[msager27]

@robinnarsinghranabhat Yep, I ran into the skills issue while working on https://redhat.atlassian.net/browse/RHAIENG-4740. For purposes of this PR, the skills mount point was a placeholder. A subsequent PR will address this (and not even use --add-dir).

I'll touch base with you on the second item to better understand what you mean.

Thanks for noting these.