{"id":48877846,"url":"https://github.com/qwedsazxc78/devops-ai-skill","last_synced_at":"2026-04-16T01:07:18.005Z","repository":{"id":343238300,"uuid":"1176871557","full_name":"qwedsazxc78/devops-ai-skill","owner":"qwedsazxc78","description":"⚡ Cross-platform DevOps AI Skill Pack — Horus (IaC) + Zeus (GitOps) agents for Claude Code, OpenAI Codex CLI, and Google Gemini CLI","archived":false,"fork":false,"pushed_at":"2026-04-13T13:38:17.000Z","size":15223,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-13T14:27:51.616Z","etag":null,"topics":["agent-skills","ai-skills","argocd","claude-code","codex-cli","devops","gemini-cli","gitops","helm","infrastructure-as-code","kustomize","terraform"],"latest_commit_sha":null,"homepage":"https://www.npmjs.com/package/devops-ai-skill","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/qwedsazxc78.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-03-09T13:15:55.000Z","updated_at":"2026-04-13T13:38:22.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/qwedsazxc78/devops-ai-skill","commit_stats":null,"previous_names":["qwedsazxc78/devops-ai-skill"],"tags_count":11,"template":false,"template_full_name":null,"purl":"pkg:github/qwedsazxc78/devops-ai-skill","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qwedsazxc78%2Fdevops-ai-skill","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qwedsazxc78%2Fdevops-ai-skill/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qwedsazxc78%2Fdevops-ai-skill/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qwedsazxc78%2Fdevops-ai-skill/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/qwedsazxc78","download_url":"https://codeload.github.com/qwedsazxc78/devops-ai-skill/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qwedsazxc78%2Fdevops-ai-skill/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31866381,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-15T15:24:51.572Z","status":"ssl_error","status_checked_at":"2026-04-15T15:24:39.138Z","response_time":63,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agent-skills","ai-skills","argocd","claude-code","codex-cli","devops","gemini-cli","gitops","helm","infrastructure-as-code","kustomize","terraform"],"created_at":"2026-04-16T01:07:16.989Z","updated_at":"2026-04-16T01:07:17.994Z","avatar_url":"https://github.com/qwedsazxc78.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ⚡ DevOps AI Skill Pack\n\n[![npm version](https://img.shields.io/npm/v/devops-ai-skill?style=flat-square\u0026color=cb3837)](https://www.npmjs.com/package/devops-ai-skill)\n[![GitHub Release](https://img.shields.io/github/v/release/qwedsazxc78/devops-ai-skill?style=flat-square\u0026color=2ea44f)](https://github.com/qwedsazxc78/devops-ai-skill/releases)\n[![DEVOPS](https://img.shields.io/badge/DEVOPS-SKILL-blue?style=flat-square)](https://github.com/qwedsazxc78/devops-ai-skill)\n[![LICENSE](https://img.shields.io/badge/LICENSE-MIT-green?style=flat-square)](https://github.com/qwedsazxc78/devops-ai-skill/blob/main/LICENSE)\n[![FILES](https://img.shields.io/badge/FILES-65+-orange?style=flat-square)](#project-structure)\n[![SKILLS](https://img.shields.io/badge/SKILLS-10-blueviolet?style=flat-square)](#skills)\n[![PIPELINES](https://img.shields.io/badge/PIPELINES-15-ff6f61?style=flat-square)](#horus-pipelines-iac)\n[![AGENTS](https://img.shields.io/badge/AGENTS-2-critical?style=flat-square)](#agents)\n[![PLATFORMS](https://img.shields.io/badge/PLATFORMS-4-teal?style=flat-square)](#platform-support)\n\n\u003e Cross-platform DevOps AI Skill Pack — two AI-powered DevOps agents and shared pipeline workflows for **Claude Code**, **OpenAI Codex CLI**, **Google Gemini CLI**, and **Google Antigravity**.\n\n🚀 [Quick Start](#quick-start) · 🤖 [Agents](#agents) · 🔧 [Tool Installation](#tool-installation) · 🛠️ [Skills](#skills) · 📖 [Setup Guide](docs/setup.md) · ⚡ [5-Min Guide](docs/quick-start.md) · 🌐 [GitHub Repo](https://github.com/qwedsazxc78/devops-ai-skill)\n\nEnglish | [繁體中文](docs/README.zh-TW.md) | [简体中文](docs/README.zh-CN.md)\n\n---\n\n## Agents\n\n| Agent | Focus | Platforms |\n|-------|-------|-----------|\n| **Horus** — IaC Operations Engineer | Terraform + Helm + GKE | All |\n| **Zeus** — GitOps Engineer | Kustomize + ArgoCD | All |\n\n## Quick Start\n\n### Global Install (recommended)\n\nInstall once, available across ALL projects:\n\n```bash\ngit clone https://github.com/qwedsazxc78/devops-ai-skill.git\ncd devops-ai-skill\nbash scripts/install-global.sh          # Auto-detect installed CLIs\n```\n\nAuto-detects Claude Code / Codex CLI / Gemini CLI / Antigravity and installs to their global config paths.\n\n![Global Install](docs/guide/01-install-global-run.png)\n\n\u003e 🆕 **New here?** Check out the [5-minute quick start guide](docs/quick-start.md) — zero prior knowledge required!\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eGlobal Install Options\u003c/strong\u003e\u003c/summary\u003e\n\n```bash\nbash scripts/install-global.sh --all            # Force all platforms\nbash scripts/install-global.sh --claude         # Claude Code only\nbash scripts/install-global.sh --codex          # Codex CLI only\nbash scripts/install-global.sh --gemini         # Gemini CLI only\nbash scripts/install-global.sh --antigravity    # Antigravity only\nbash scripts/install-global.sh --status         # Check install status\nbash scripts/install-global.sh --uninstall      # Remove global installs\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eUpdating Installed Skills\u003c/strong\u003e\u003c/summary\u003e\n\n```bash\ncd devops-ai-skill\ngit pull origin main                          # Pull latest\nbash scripts/install-global.sh                # Re-run (skips unchanged files)\n```\n\n\u003e Re-run `install-global.sh` after updating source files to sync changes to all platforms.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003ePer-repo Install (legacy)\u003c/strong\u003e\u003c/summary\u003e\n\nRun from your project root:\n\n```bash\ngit clone https://github.com/qwedsazxc78/devops-ai-skill.git\nbash devops-ai-skill/scripts/setup.sh --all    # Install all platforms\nbash devops-ai-skill/scripts/setup.sh          # Or interactive selection\n```\n\n```bash\nbash devops-ai-skill/scripts/setup.sh --claude\nbash devops-ai-skill/scripts/setup.sh --codex\nbash devops-ai-skill/scripts/setup.sh --gemini\nbash devops-ai-skill/scripts/setup.sh --antigravity\nbash devops-ai-skill/scripts/setup.sh --uninstall\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eMarketplace (Claude Code only)\u003c/strong\u003e\u003c/summary\u003e\n\n```bash\n/plugin marketplace add qwedsazxc78/devops-ai-skill\n/plugin install devops@devops-ai-skill\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eCross-Platform (npx skills) — Skills only\u003c/strong\u003e\u003c/summary\u003e\n\n```bash\n# Auto-detects installed AI agents and routes skills accordingly\nnpx skills add qwedsazxc78/devops-ai-skill\n\n# Update\nnpx skills update\n```\n\n\u003e **⚠️ Note: This method installs only the 9 Skills (SKILL.md), not the full pack:**\n\u003e\n\u003e | Feature | npx skills | Global Install |\n\u003e |---------|:----------:|:--------------:|\n\u003e | 9 Skills (SKILL.md) | ✅ | ✅ |\n\u003e | 2 Agents (Horus / Zeus) | ❌ | ✅ |\n\u003e | 14 Pipelines (`*full`, `*security`, etc.) | ❌ | ✅ |\n\u003e | Command palette (Gemini CLI) | ❌ | ✅ |\n\u003e | Workflows (Antigravity) | ❌ | ✅ |\n\u003e\n\u003e For the full experience, use **Global Install** or **Marketplace** above.\n\n\u003c/details\u003e\n\n## Platform Support\n\n| Feature | Claude Code | OpenAI Codex | Gemini CLI | Antigravity |\n|---------|-------------|--------------|------------|-------------|\n| Global Agents | `~/.claude/agents/` | `~/.codex/instructions.md` | `~/.gemini/agents/` | `~/.agents/skills/` |\n| Global Skills | `~/.claude/skills/` | `~/.codex/skills/` | `~/.gemini/skills/` | shared `~/.gemini/skills/` |\n| Command palette | — | — | `~/.gemini/commands/devops/` | — |\n| Workflows | — | — | — | `~/.agents/workflows/` |\n| Entry file | `CLAUDE.md` | `AGENTS.md` | `GEMINI.md` | `.agents/rules/` |\n| Skills format | SKILL.md (native) | SKILL.md (native) | SKILL.md (native) | SKILL.md (native) |\n| Pipeline trigger | `*cmd` | `*cmd` | command palette `devops:` | `/workflow-name` |\n| Bash execution | Yes | Yes (`!cmd`) | Yes (`run_shell_command`) | Yes |\n\n## Tool Installation\n\nOne-command installer supporting macOS (Homebrew), Linux (apt/snap), Windows (winget/choco/scoop), and Python (uv/pip):\n\n```bash\n# Interactive: check + prompt install\n./scripts/install-tools.sh\n\n# Check tool status only\n./scripts/install-tools.sh check\n\n# Install all missing tools\n./scripts/install-tools.sh install\n\n# Install tools for a specific agent\n./scripts/install-tools.sh install horus   # IaC tools\n./scripts/install-tools.sh install zeus    # GitOps tools\n```\n\n\u003e **Windows users**: Run via Git Bash, WSL, or MSYS2. The script auto-detects your package manager (winget / Chocolatey / Scoop):\n\u003e\n\u003e ```powershell\n\u003e # Git Bash (recommended)\n\u003e bash scripts/install-tools.sh\n\u003e\n\u003e # WSL\n\u003e wsl bash scripts/install-tools.sh\n\u003e ```\n\n### Shared Tools\n\n| Tool | Tier | macOS (brew) | Linux (apt/snap) | Windows (winget) | Purpose |\n|------|------|-------------|-------------------|------------------|---------|\n| node | Required | `brew install node` | `apt-get install nodejs` | `winget install OpenJS.NodeJS.LTS` | postinstall runtime |\n| git | Required | `brew install git` | `apt-get install git` | `winget install Git.Git` | Version control |\n| kubectl | Required | `brew install kubectl` | `snap install kubectl` | `winget install Kubernetes.kubectl` | K8s CLI |\n| jq | Required | `brew install jq` | `apt-get install jq` | `winget install jqlang.jq` | JSON processor |\n| yq | Recommended | `brew install yq` | `snap install yq` | `winget install MikeFarah.yq` | YAML processor |\n| python3 | Recommended | `brew install python3` | `apt-get install python3` | `winget install Python.Python.3.12` | Version check scripts |\n| curl | Recommended | `brew install curl` | `apt-get install curl` | `winget install cURL.cURL` | Remote version check |\n\n### Horus Tools (IaC)\n\n| Tool | Tier | macOS (brew) | Windows (winget/choco) | pip | Purpose |\n|------|------|-------------|------------------------|-----|---------|\n| terraform | Required | `brew install terraform` | `winget install Hashicorp.Terraform` | — | IaC engine |\n| helm | Required | `brew install helm` | `winget install Helm.Helm` | — | Helm chart management |\n| tflint | Recommended | `brew install tflint` | `choco install tflint` | — | Terraform linter |\n| tfsec | Recommended | `brew install tfsec` | `choco install tfsec` | — | Terraform security scanner |\n| pre-commit | Recommended | — | — | `pip install pre-commit` | Git hook manager |\n\n### Zeus Tools (GitOps)\n\n| Tool | Tier | macOS (brew) | Windows (choco/scoop) | pip | Purpose |\n|------|------|-------------|------------------------|-----|---------|\n| kustomize | Required | `brew install kustomize` | `scoop install kustomize` | — | Kustomize build |\n| yamllint | Recommended | — | — | `pip install yamllint` | YAML linter |\n| kubeconform | Recommended | `brew install kubeconform` | `scoop install kubeconform` | — | K8s resource validation |\n| kube-score | Recommended | `brew install kube-score` | — | — | K8s best practices |\n| kube-linter | Recommended | `brew install kube-linter` | — | — | K8s linter |\n| polaris | Recommended | `brew install FairwindsOps/tap/polaris` | — | — | K8s policy check |\n| pluto | Recommended | `brew install FairwindsOps/tap/pluto` | — | — | Deprecated API detection |\n| conftest | Recommended | `brew install conftest` | — | — | Policy testing |\n| checkov | Recommended | — | — | `pip install checkov` | IaC security scanner |\n| trivy | Recommended | `brew install trivy` | `choco install trivy` | — | Vulnerability scanner |\n| gitleaks | Recommended | `brew install gitleaks` | `choco install gitleaks` | — | Secret detection |\n| d2 | Recommended | `brew install d2` | `scoop install d2` | — | Architecture diagrams |\n\n## Horus Pipelines (IaC)\n\n| Pipeline | Description |\n|----------|-------------|\n| `*help` | Show available pipelines |\n| `*full` | Full check (RUNS CLI tools) + report |\n| `*upgrade` | Upgrade Helm chart versions |\n| `*security` | Security audit (file analysis) |\n| `*validate` | Validation (fmt + file analysis) |\n| `*scaffold` | Scaffold new Helm module |\n| `*cicd` | Improve CI/CD pipeline |\n| `*health` | Platform health check |\n\n## Zeus Pipelines (GitOps)\n\n| Pipeline | Description |\n|----------|-------------|\n| `*help` | Show available pipelines |\n| `*full` | Full pipeline + YAML/MD reports |\n| `*pre-merge` | Pre-MR essential checks |\n| `*health` | Repository health assessment |\n| `*review` | MR review pipeline |\n| `*scaffold` | Service scaffold (interactive) |\n| `*diagram` | Generate architecture diagrams |\n| `*status` | Tool installation check |\n| `*gateway-migrate` | NGINX Ingress → Gateway API migration (default Traefik, opt-in GKE via `--gateway-class gke-l7-*`; master/minion or standalone) |\n\n## Skills\n\nAll skills follow the [Open Agent Skills](https://agentskills.io/specification) standard (SKILL.md with YAML frontmatter):\n\n| Skill | Used By | Purpose |\n|-------|---------|---------|\n| terraform-validate | Horus | Validation and linting |\n| terraform-security | Horus | Security scanning |\n| helm-version-upgrade | Horus | Helm chart version management |\n| helm-scaffold | Horus | New module generation |\n| cicd-enhancer | Horus | CI/CD pipeline improvement |\n| kustomize-resource-validation | Zeus | Kustomize build + validation |\n| yaml-fix-suggestions | Zeus | YAML formatting |\n| gateway-api-migration | Zeus | NGINX Ingress → Gateway API migration with state tracking. Dual-target since v1.2.0: default Traefik, opt-in GKE Gateway. |\n| repo-detect | Both | Repository type detection |\n| release-validate | Shared | Release readiness validation |\n\n## Example: NGINX → Gateway API Migration\n\nThe `*gateway-migrate` pipeline migrates an NGINX Ingress GitOps repo to Gateway API resources. **Dual-target since v1.2.0**: the default GatewayClass is `traefik` (Traefik v3.1+), and `--gateway-class gke-l7-global-external-managed` opts into GKE Gateway. Both targets share the same pipeline; the skill emits provider-specific CRDs (Traefik `Middleware` / `ServersTransport`, or GKE `GCPBackendPolicy` / `HealthCheckPolicy`) only when the target family is one it knows. It handles the common **master/minion** topology where:\n\n- `common.ingress/` declares hosts + TLS (the \"master\")\n- `common.service/overlays/\u003cenv\u003e/\u003csvc\u003e-nginx-ingress.yaml` declares paths + backends per service (the \"minions\")\n\nThis pattern maps cleanly onto Gateway API's persona model: the master becomes a `Gateway` resource, each minion becomes an `HTTPRoute`.\n\n### Prerequisites\n\nBefore running `*gateway-migrate`, ensure:\n\n**On the GKE cluster**\n- Gateway API CRDs installed (the skill checks but does not install them):\n  ```bash\n  kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml\n  ```\n- GKE Gateway controller add-on enabled (applies to Standard or Autopilot):\n  ```bash\n  gcloud container clusters update \u003cCLUSTER\u003e --region \u003cREGION\u003e --gateway-api=standard\n  ```\n\n**On your workstation** (the machine running Zeus)\n- `kustomize` — required. `brew install kustomize`\n- `yq` — required (used for idempotent in-place kustomization.yaml edits). `brew install yq`\n- `kubeconform` — optional, for schema validation. `brew install kubeconform`\n- `ingress2gateway` — optional, for cross-check validation. `brew install ingress2gateway`\n- `devops-ai-skill` installed via [one-click install](#global-install-recommended) or per-repo `setup.sh`\n\n**In the target GitOps repo**\n- Kustomize `base/` + `overlays/{dev,stg,prd}/` layout (standard pattern)\n- At least one `kind: Ingress` manifest with `apiVersion: networking.k8s.io/v1`\n- For master/minion topology: master declares hosts only (no `http.paths`), minions have paths + backends in separate Kustomize modules\n\n### Workflow\n\n```bash\n# 1. cd into your GitOps repo\ncd /path/to/your-gitops-repo\nclaude    # or gemini / codex / antigravity\n\n# 2. Run the pipeline (interactive)\n\u003e *gateway-migrate\n\n# Zeus will:\n#   - Detect master/minion or standalone topology\n#   - Show annotation classification (portable / convertible / manual review)\n#   - Ask for confirmation before generating any files\n#   - Create a new `common.gateway/` Kustomize module (Gateway resource)\n#   - Add HTTPRoutes alongside existing minions in `common.service/overlays/`\n#   - Run `kustomize build` validation\n#   - Write a state YAML + markdown report under `docs/reports/gateway-migration/`\n#   - Print a per-hostname DNS cutover runbook\n\n# 3. Review the generated module\nls common.gateway/\ncat docs/reports/gateway-migration/\u003cmodule\u003e/report.md\n\n# 4. Stage and commit\ngit add common.gateway/ common.service/overlays/ docs/reports/gateway-migration/\ngit commit\n```\n\n### Session walkthrough\n\nWhen you run `*gateway-migrate` inside a Zeus session, expect output like this:\n\n```\nZeus › *gateway-migrate\n\nStep 0 · Tool check\n  ✓ kustomize v5.4.2\n  ✓ yq v4.44.1\n  ✓ kubeconform v0.6.7\n  ✓ ingress2gateway v0.3.0\n\nStep 1 · Discovery\n\nDiscovered migration unit: master/minion topology\n  Master:  common.ingress/                 (4 files, 14 hostnames declared)\n  Minions: common.service/overlays/        (11 services × 3 envs = 33 files)\n    ✓ argocd      → dev/stg/prd-argocd.awoo.org     → argocd-server:80\n    ✓ grafana     → dev/stg/prd-grafana.awoo.org    → grafana:80\n    ✓ airflow     → dev/stg/prd-airflow.awoo.org    → airflow-webserver:8080\n    ... (11 services total)\n  Orphan hosts:   2  (dev-alertmanager, dev-n8n — declared in master, no minion)\n  Orphan minions: 0\n\nProceed with end-to-end master + minion migration? [y/N] y\n\nStep 2 · Annotation analysis\n  portable:              3\n  portable-GKE:          4  (ManagedCertificate refs)\n  convertible:           4  (→ GCPBackendPolicy resources)\n  split-category (auto): 3  (X-* headers → responseHeaderModifier filter)\n  split-category (stub): 2  (Set-Cookie rewrites, path denylists)\n  drop-info:             1  (mergeable-ingress-type)\n\nProceed with conversion? [y/N] y\n\nStep 3 · Convert\n  Phase 3A: generating common.gateway/...\n    ✓ common.gateway/base/kustomization.yaml\n    ✓ common.gateway/base/gateway.yaml              (14 listeners)\n    ✓ common.gateway/overlays/{dev,stg,prd}/...\n    ✓ common.gateway/argocd/{dev,stg,prd}.yaml\n    ✓ common.gateway/MIGRATION.md\n  Phase 3B: HTTPRoutes + kustomization.yaml edits\n    ✓ common.service/overlays/dev/argocd-httproute.yaml\n    ✓ common.service/overlays/dev/kustomization.yaml (in-place, idempotent)\n    ... (33 HTTPRoutes across 3 envs)\n\nStep 4 · Validate\n  ✓ kustomize build common.gateway/overlays/dev\n  ✓ kustomize build common.gateway/overlays/stg\n  ✓ kustomize build common.gateway/overlays/prd\n  ✓ kustomize build common.service/overlays/dev\n  ✓ kustomize build common.service/overlays/stg\n  ✓ kustomize build common.service/overlays/prd\n  ✓ kubeconform: 0 errors\n  ✓ ingress2gateway second-opinion: 2 divergences (GKE-specific extensions)\n\nStep 5 · Render report\n  ✓ docs/reports/gateway-migration/common-ingress/state.yaml\n  ✓ docs/reports/gateway-migration/common-ingress/report.md\n\nStep 6 · Runbook\n  See common.gateway/MIGRATION.md for per-hostname DNS cutover steps.\n\nStep 7 · Pre-commit hints\n  Suggested commit message ready. Files to stage listed below.\n```\n\n### Invocation forms\n\n| Form | What it does |\n|------|--------------|\n| `*gateway-migrate` | Interactive discovery — Zeus finds Ingress modules and asks which to migrate |\n| `*gateway-migrate \u003cmodule-path\u003e` | Skip discovery, target a known module directly |\n| `*gateway-migrate \u003cmodule-path\u003e --resume` | Resume from a previously failed run via the state YAML |\n| `*gateway-migrate \u003cmodule-path\u003e --force` | Bypass the never-clobber check on the target module |\n\n### What gets generated\n\n- **`common.gateway/`** — new Kustomize module with the Gateway resource, per-env overlays, ArgoCD `Application` manifests\n- **`common.service/overlays/\u003cenv\u003e/\u003csvc\u003e-httproute.yaml`** — one HTTPRoute per minion, side-by-side with existing minion files\n- **`common.service/overlays/\u003cenv\u003e/kustomization.yaml`** — idempotent in-place edit registering the new HTTPRoute resources\n- **`docs/reports/gateway-migration/\u003cmodule\u003e/state.yaml`** — resumable migration state (audit trail)\n- **`docs/reports/gateway-migration/\u003cmodule\u003e/report.md`** — human report with cutover runbook + manual-review TODO list\n\n### Before / After — concrete YAML example\n\n**Input — master Ingress (`common.ingress/overlays/prd/app.ingress.yaml`):**\n\n```yaml\napiVersion: networking.k8s.io/v1\nkind: Ingress\nmetadata:\n  name: ingress-nginx\n  annotations:\n    kubernetes.io/ingress.class: nginx\n    nginx.ingress/mergeable-ingress-type: master\n    networking.gke.io/managed-certificates: prd-argocd-ingress-nginx-crt\n    nginx.ingress.kubernetes.io/server-snippet: |\n      add_header X-Content-Type-Options \"nosniff\" always;\n      add_header X-Frame-Options \"SAMEORIGIN\" always;\nspec:\n  rules:\n    - host: argocd.awoo.org    # host-only, no paths (this is the \"master\" pattern)\n  tls:\n    - hosts: [argocd.awoo.org]\n      secretName: prd-argocd-ingress-nginx-crt\n```\n\n**Input — minion Ingress (`common.service/overlays/prd/argocd-nginx-ingress.yaml`):**\n\n```yaml\napiVersion: networking.k8s.io/v1\nkind: Ingress\nmetadata:\n  name: argocd-server-nginx-ingress\n  namespace: argocd\n  annotations:\n    kubernetes.io/ingress.class: nginx\nspec:\n  rules:\n    - host: argocd.awoo.org\n      http:\n        paths:\n          - path: /\n            pathType: Prefix\n            backend:\n              service:\n                name: argocd-server\n                port: { number: 80 }\n```\n\n**Output — generated Gateway (`common.gateway/base/gateway.yaml`):**\n\n```yaml\napiVersion: gateway.networking.k8s.io/v1\nkind: Gateway\nmetadata:\n  name: common-gateway\n  namespace: ingress-nginx\nspec:\n  gatewayClassName: gke-l7-global-external-managed\n  listeners:\n    - name: argocd-https\n      port: 443\n      protocol: HTTPS\n      hostname: argocd.awoo.org\n      allowedRoutes:\n        namespaces:\n          from: Selector\n          selector:\n            matchLabels:\n              gateway-access: ingress-nginx\n      tls:\n        mode: Terminate\n        certificateRefs:\n          - group: networking.gke.io\n            kind: ManagedCertificate\n            name: prd-argocd-ingress-nginx-crt\n```\n\n**Output — generated HTTPRoute (`common.service/overlays/prd/argocd-httproute.yaml`):**\n\n```yaml\napiVersion: gateway.networking.k8s.io/v1\nkind: HTTPRoute\nmetadata:\n  name: argocd-server\n  namespace: argocd\nspec:\n  parentRefs:\n    - group: gateway.networking.k8s.io\n      kind: Gateway\n      name: common-gateway\n      namespace: ingress-nginx\n      sectionName: argocd-https\n  hostnames:\n    - argocd.awoo.org\n  rules:\n    - matches:\n        - path: { type: PathPrefix, value: / }\n      filters:\n        - type: ResponseHeaderModifier\n          responseHeaderModifier:\n            add:\n              - name: X-Content-Type-Options\n                value: nosniff\n              - name: X-Frame-Options\n                value: SAMEORIGIN\n      backendRefs:\n        - name: argocd-server\n          port: 80\n```\n\n**Notes on the transformation:**\n\n- `mergeable-ingress-type: master` **dropped** — HTTPRoute attachment via `parentRef` is the native Gateway API equivalent\n- `networking.gke.io/managed-certificates` **preserved** — the same `ManagedCertificate` resource is referenced from the listener's `certificateRefs`\n- `server-snippet` X-* headers **auto-converted** to a `responseHeaderModifier` filter (loss-free)\n- Any `add_header Set-Cookie \"...\"` or `location ~ ... { return 404; }` blocks in the snippet would be **stubbed** with `# TODO(gateway-migrate):` comments pointing at `docs/reports/gateway-migration/\u003cmodule\u003e/report.md` for manual review (Cloud Armor territory)\n- Cross-namespace routing (`ingress-nginx` Gateway → `argocd` namespace HTTPRoute) is enabled via `allowedRoutes.namespaces.from: Selector` with the `gateway-access: ingress-nginx` label — **you must label target namespaces before the HTTPRoutes attach** (see \"Post-migration steps\" below)\n\n### Cutover strategy\n\nThe skill never modifies the master Ingress and never overwrites minion Ingress files — both stacks coexist. The runbook walks through a **per-hostname DNS cutover**: deploy the new Gateway, deploy HTTPRoutes alongside minions, then flip DNS one hostname at a time. Rollback is a DNS flip back; old stack remains live throughout.\n\n### Post-migration steps\n\nAfter `*gateway-migrate` exits successfully, the generated files are on disk but **nothing has been deployed yet**. Here's the operational sequence:\n\n**1. Label target namespaces** (required for cross-namespace routing to work)\n\n```bash\n# List all namespaces the HTTPRoutes live in (derived from your minions)\nkubectl label namespace argocd monitoring airflow --overwrite \\\n  gateway-access=ingress-nginx\n```\n\nThe exact namespace list appears in `common.gateway/MIGRATION.md`'s \"Pre-cutover setup\" section with the correct `kubectl` command pre-filled.\n\n**2. Review the generated report**\n\n```bash\nless docs/reports/gateway-migration/\u003cmodule\u003e/report.md\n```\n\nPay attention to the **Manual Review Required** section — any `TODO(gateway-migrate)` stubs need to be addressed before traffic-flipping (typically Cloud Armor policies for `server-snippet` path denylists).\n\n**3. Commit the generated changes**\n\nThe skill's Step 7 prints a suggested commit message. Or:\n\n```bash\ngit add common.gateway/ \\\n        common.service/overlays/ \\\n        docs/reports/gateway-migration/\ngit commit -m \"feat(ingress): migrate common.ingress to Gateway API\"\ngit push\n```\n\n**4. Deploy the Gateway first** (Phase 1 of the runbook)\n\nSync the `common.gateway/` ArgoCD Application for the target environment. The Gateway resource will acquire an external IP:\n\n```bash\nkubectl get gateway common-gateway -n ingress-nginx -o wide\n# NAME             CLASS                             ADDRESS          READY\n# common-gateway   gke-l7-global-external-managed    34.120.XX.XX     True\n```\n\nNothing points at this IP yet — safe to deploy without traffic impact.\n\n**5. Deploy the HTTPRoutes** (Phase 2)\n\nSync the `common.service/` ArgoCD Application. HTTPRoutes attach to the Gateway listeners. Both stacks now serve the same hostnames: old stack via DNS, new stack via the new Gateway IP only.\n\n```bash\nkubectl get httproute -A\nkubectl describe httproute argocd-server -n argocd\n# Look for: `Parents: ... Conditions: Accepted=True, ResolvedRefs=True`\n```\n\nIf you see `Accepted=False` with a reason like `NotAllowedByListeners`, the target namespace is missing the `gateway-access=ingress-nginx` label (see step 1).\n\n**6. Per-hostname DNS cutover** (Phase 3, gradual)\n\nFor each hostname, one at a time:\n\n```bash\n# Smoke-test the new path via curl before touching DNS\ncurl --resolve argocd.awoo.org:443:\u003cnew-gateway-ip\u003e https://argocd.awoo.org\n\n# If healthy, update the DNS A/AAAA record to point at the new Gateway IP\n# Wait for TTL + 15 minutes of monitoring (error rates, latency, cert serving)\n\n# If unhealthy, DNS-revert to the old ingress-nginx LB — old stack is still live\n```\n\n**7. Clean up** (Phase 4, after 1+ week stable)\n\nDelete the old `common.ingress/` module and remove the minion `*-nginx-ingress.yaml` files from `common.service/overlays/`. Update `common.service/overlays/\u003cenv\u003e/kustomization.yaml` to drop those entries. Commit.\n\n### Reference docs\n\n- [`docs/gateway/annotation-map.md`](docs/gateway/annotation-map.md) — Canonical 13-row Ingress → Gateway API translation table\n- [`docs/gateway/master-minion-topology.md`](docs/gateway/master-minion-topology.md) — Detection rules and pairing algorithm\n- [`docs/gateway/gke-gateway-notes.md`](docs/gateway/gke-gateway-notes.md) — GKE GatewayClasses, GCPBackendPolicy, ManagedCertificate\n- [`docs/gateway/http-routing-guide.md`](docs/gateway/http-routing-guide.md) — HTTPRoute reference\n- [`docs/gateway/migrate-from-ingress.md`](docs/gateway/migrate-from-ingress.md) — Concepts and worked example\n- [`docs/gateway/ingress2gateway-integration.md`](docs/gateway/ingress2gateway-integration.md) — Optional second-opinion tool\n- [`docs/gateway/ingress-nginx-welcome.md`](docs/gateway/ingress-nginx-welcome.md) — Migration welcome page\n\n### Optional second opinion\n\nInstall the upstream [`kubernetes-sigs/ingress2gateway`](https://github.com/kubernetes-sigs/ingress2gateway) tool and the skill will run it as a cross-check during validation, surfacing any divergence between its output and the skill's output in the report:\n\n```bash\nbrew install ingress2gateway\n```\n\nWithout it, the skill still works fine — the second-opinion check is just skipped (graceful degradation).\n\n### Troubleshooting\n\n**`kustomize build` fails after in-place edit**\n- The skill automatically restores `common.service/overlays/\u003cenv\u003e/kustomization.yaml` from the pre-edit SHA256 snapshot and halts. Read the error output, fix the underlying issue (usually a stale resource ref), then re-run with `--resume`.\n\n**HTTPRoute shows `Accepted=False` after deploy**\n- Check the condition's `Reason` and `Message`:\n  - `NotAllowedByListeners` → target namespace missing the `gateway-access=ingress-nginx` label. Run `kubectl label namespace \u003cns\u003e gateway-access=ingress-nginx`.\n  - `InvalidKind` → verify the Gateway's listener `allowedRoutes.kinds` accepts HTTPRoute (default does).\n  - `HostnameNotMatching` → the HTTPRoute's `hostnames[]` doesn't match any listener's `hostname`. Usually means the master declared the host but the minion's declared host differs (typo).\n\n**ManagedCertificate stays in `Provisioning` state**\n- GKE `ManagedCertificate` needs DNS validation. Check `kubectl describe managedcertificate \u003cname\u003e -n ingress-nginx` — usually shows \"Waiting for DNS records\". Ensure the domain's A record points at something routable during provisioning.\n\n**State YAML says `status: failed` at Step 3B**\n- The in-place edit failed post-validation. Look at `state.yaml` → `steps[3].modified[]` for the pre-edit hash and the env where failure occurred. Fix the source minion's YAML, then `*gateway-migrate \u003cmodule\u003e --resume`.\n\n**Re-running the skill on an already-migrated module**\n- Use `--resume` if you want to pick up from the last successful step. Use `--force` if you want to regenerate everything (the skill's never-clobber check will be bypassed). Without flags, the skill refuses to proceed if `common.gateway/` already exists.\n\n**Gemini CLI users: skill not appearing in the skills list**\n- `gateway-api-migration` needs to be registered in `.gemini/extensions/devops/gemini-extension.json`. v1.7.0 shipped with a gap — fixed on `main` post-release. Update to the next published version, or manually run `scripts/setup/setup-gemini.sh` which re-syncs the extension.\n\n## Project Structure\n\n```\ndevops-ai-skill/\n├── CLAUDE.md                    # Claude Code entry\n├── AGENTS.md                    # OpenAI Codex entry\n├── GEMINI.md                    # Gemini CLI entry\n├── VERSION                      # Version source\n│\n├── .claude/                     # Claude Code platform\n│   ├── settings.json\n│   ├── agents/\n│   │   ├── horus.md\n│   │   └── zeus.md\n│   └── skills/ → symlink to skills/\n│\n├── .codex/                      # OpenAI Codex platform\n│   ├── config.toml\n│   └── skills/ → symlink to skills/\n│\n├── .gemini/                     # Google Gemini platform\n│   ├── settings.json\n│   ├── agents/\n│   │   ├── horus.md\n│   │   └── zeus.md\n│   ├── commands/devops/          # Command palette TOML\n│   │   ├── agents/               # 2 agent start commands\n│   │   └── pipelines/            # 17 pipeline commands\n│   └── extensions/devops/\n│       └── gemini-extension.json\n│\n├── .agents/                     # Google Antigravity platform\n│   ├── rules/devops.md\n│   ├── skills/\n│   │   ├── horus/SKILL.md\n│   │   ├── zeus/SKILL.md\n│   │   └── (10 skill symlinks)\n│   └── workflows/               # symlinks → prompts/\n│\n├── skills/                      # Shared skills (Open Agent Skills standard)\n│   ├── terraform-validate/\n│   ├── terraform-security/\n│   ├── helm-version-upgrade/\n│   ├── helm-scaffold/\n│   ├── cicd-enhancer/\n│   ├── kustomize-resource-validation/\n│   ├── yaml-fix-suggestions/\n│   ├── gateway-api-migration/\n│   └── repo-detect/\n│\n├── prompts/                     # Platform-neutral pipeline definitions\n│   ├── horus/                   # 7 pipelines\n│   ├── zeus/                    # 8 pipelines\n│   └── shared/                  # repo-detect, report-format, tool-check, help\n│\n├── docs/\n│   ├── quick-start.md           # 5-minute quick start\n│   ├── setup.md                 # Detailed setup guide\n│   ├── gateway/                 # NGINX → Gateway API migration reference\n│   ├── guide/                   # Tutorial screenshots\n│   ├── reports/                 # Generated pipeline reports (*full output)\n│   └── diagrams/                # Generated architecture diagrams (*diagram output)\n│\n├── scripts/\n│   ├── setup.sh                    # Unified install script (recommended)\n│   ├── install-tools.sh\n│   ├── version-check.sh\n│   └── setup/\n│       ├── setup-claude.sh         # Platform-specific (internal)\n│       ├── setup-codex.sh\n│       ├── setup-gemini.sh\n│       └── setup-antigravity.sh\n│\n├── .claude-plugin/              # Claude Code marketplace\n│   ├── plugin.json\n│   └── marketplace.json\n│\n└── tests/\n    └── test-structure.sh        # 334 structure + parity tests\n```\n\n## Version Check\n\n```bash\nbash scripts/version-check.sh\n```\n\n## Update\n\n```bash\n# Git\ngit pull origin main\n\n# Or specific version\ngit checkout v\u003cversion\u003e\n\n# Or npx skills\nnpx skills update\n```\n\n## Design Principles\n\n- **No hardcoded paths** — Both agents discover directories dynamically\n- **Graceful degradation** — Missing tools skip the check and show install commands\n- **User-controlled** — Critical operations (e.g., terraform init) always ask the user\n- **Dynamic discovery** — Each skill defines \"Step 0: Discover Repository Layout\"\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fqwedsazxc78%2Fdevops-ai-skill","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fqwedsazxc78%2Fdevops-ai-skill","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fqwedsazxc78%2Fdevops-ai-skill/lists"}