Xutongr/sync

.coderabbit.yaml

@@ -3,3 +3,6 @@ reviews:
   profile: chill # assertive / chill profile
   auto_review:
     enabled: true # Enable auto-review for this repository
+  path_instructions:
+    - path: "src/**"
+      instructions: "If this PR adds, removes, or renames a service, module, or major component, check that AGENTS.md is updated accordingly."

CLAUDE.md

@@ -0,0 +1,7 @@
+@AGENTS.md
+
+## Tool Usage Preferences
+
+- Use specialized tools (Read, Edit, Write, Grep, Glob) instead of Bash commands whenever possible
+- Bash tools require user intervention to allow and should only be used as a last resort
+- Prefer Read over cat, Edit over sed, Write over echo/heredoc, Grep over grep, and Glob over find

README.md

@@ -141,6 +141,7 @@ Select one of the deployment options below depending on your needs and environme
   </a>
 </div>
 
+**Deploying on Microsoft Azure?** Get started with [Azure NVIDIA Reference Architecture](https://github.com/microsoft/physical-ai-toolchain). This jointly published architecture delivers a production-ready Physical AI pipeline on Microsoft Azure, integrating OSMO, Isaac Lab, and Isaac Sim with GPU-accelerated RL training, auto-scaling compute, and enterprise-grade Kubernetes security.
 
 
 ## Documentation

bzl/py.bzl

@@ -139,10 +139,14 @@ import glob
 pythonpath = ["{runfiles_dir}/_main"]
 local_runfiles_dir = "{runfiles_dir}"
 local_main_dir = "{runfiles_dir}/_main"
+
 if os.path.isdir("/osmo_workspace+"):
     local_runfiles_dir = "/osmo_workspace+" + local_runfiles_dir
     local_main_dir = local_runfiles_dir + "/osmo_workspace+"
-    pythonpath.append(local_runfiles_dir + "/osmo_workspace+")
+
+osmo_ws_path = local_runfiles_dir + "/osmo_workspace+"
+if os.path.isdir(osmo_ws_path):
+    pythonpath.append(osmo_ws_path)
 
 # Add all site-packages directories
 site_packages = glob.glob(local_runfiles_dir + "/rules_python++pip+*/site-packages")

deployments/charts/router/templates/_sidecar-helpers.tpl

@@ -119,7 +119,7 @@ OAuth2 Proxy sidecar container
   ports:
   - name: http
     containerPort: {{ .Values.sidecars.oauth2Proxy.httpPort }}
-  - name: metrics
+  - name: oauth2-metrics
     containerPort: {{ .Values.sidecars.oauth2Proxy.metricsPort }}
   livenessProbe:
     httpGet:

deployments/charts/service/templates/_sidecar-helpers.tpl

@@ -245,7 +245,7 @@ OAuth2 Proxy sidecar container
   ports:
   - name: http
     containerPort: {{ .Values.sidecars.oauth2Proxy.httpPort }}
-  - name: metrics
+  - name: oauth2-metrics
     containerPort: {{ .Values.sidecars.oauth2Proxy.metricsPort }}
   livenessProbe:
     httpGet:

deployments/charts/service/templates/api-monitor.yaml

@@ -28,6 +28,11 @@ spec:
     port: envoy-admin
     path: /stats/prometheus
   {{- end }}
+  {{- if .Values.sidecars.oauth2Proxy.enabled }}
+  - interval: 15s
+    port: oauth2-metrics
+    path: /metrics
+  {{- end }}
   selector:
     matchExpressions:
     - { key: app,

deployments/charts/web-ui/templates/_sidecar-helpers.tpl

@@ -169,7 +169,7 @@ OAuth2 Proxy sidecar container
   ports:
   - name: http
     containerPort: {{ .Values.sidecars.oauth2Proxy.httpPort }}
-  - name: metrics
+  - name: oauth2-metrics
     containerPort: {{ .Values.sidecars.oauth2Proxy.metricsPort }}
   livenessProbe:
     httpGet:

deployments/scripts/README.md

@@ -74,6 +74,7 @@ The main entry point for deploying OSMO. This script orchestrates:
 | `--destroy` | Destroy all resources |
 | `--dry-run` | Show what would be done without making changes |
 | `--non-interactive` | Fail if required parameters are missing (for CI/CD) |
+| `--ngc-api-key` | NGC API key for pulling images and Helm charts from `nvcr.io` (optional) |
 | `-h, --help` | Show help message |
 
 #### Azure-specific Options
@@ -221,18 +222,47 @@ The script will prompt for:
   --aws-region "us-west-2" \
   --cluster-name "osmo-aws" \
   --postgres-password "SecurePass123!" \
+  --redis-password "SecureRedisToken123!" \
   --non-interactive
 ```
 
 > **Note:** Keep cluster names short (≤12 characters) to avoid AWS IAM role name length limits.
 
+### Deployment with NGC Registry Credentials
+
+Required when pulling OSMO images and Helm charts from a private registry in `nvcr.io`.
+
+```bash
+# Via flag
+./deploy-osmo-minimal.sh --provider aws \
+  --aws-region "us-west-2" \
+  --cluster-name "osmo-aws" \
+  --postgres-password "SecurePass123!" \
+  --redis-password "SecureRedisToken123!" \
+  --ngc-api-key "$NGC_API_KEY"
+
+# Via environment variable
+export NGC_API_KEY="your-ngc-api-key"
+./deploy-osmo-minimal.sh --provider aws \
+  --aws-region "us-west-2" \
+  --cluster-name "osmo-aws" \
+  --postgres-password "SecurePass123!" \
+  --redis-password "SecureRedisToken123!"
+```
+
+When an NGC API key is provided, the script:
+1. Authenticates `helm repo add` with `--username='$oauthtoken' --password=<NGC_API_KEY>`
+2. Creates a `nvcr-secret` docker-registry secret in all three namespaces
+3. Configures all Helm charts to use `nvcr-secret` as the image pull secret
+
 ## Environment Variables
 
 | Variable | Description | Default |
 |----------|-------------|---------|
 | `OSMO_IMAGE_REGISTRY` | OSMO Docker image registry | `nvcr.io/nvidia/osmo` |
 | `OSMO_IMAGE_TAG` | OSMO Docker image tag | `latest` |
 | `BACKEND_TOKEN_EXPIRY` | Backend operator token expiry | `2027-01-01` |
+| `NGC_API_KEY` | NGC API key for `nvcr.io` image and Helm chart pulls | - |
 | `TF_SUBSCRIPTION_ID` | Azure subscription ID | - |
 | `TF_RESOURCE_GROUP` | Azure resource group | - |
 | `TF_POSTGRES_PASSWORD` | PostgreSQL password | - |

deployments/scripts/aws/terraform.sh

@@ -204,7 +204,7 @@ node_group_max_size    = 5
 node_group_desired_size = 3
 
 # RDS Configuration
-rds_engine_version = "15.4"
+rds_engine_version = "15.12"
 rds_instance_class = "db.t3.medium"
 rds_db_name        = "osmo"
 rds_username       = "postgres"

deployments/scripts/deploy-k8s.sh

@@ -53,6 +53,8 @@ OSMO_WORKFLOWS_NAMESPACE="${OSMO_WORKFLOWS_NAMESPACE:-osmo-workflows}"
 OSMO_IMAGE_REGISTRY="${OSMO_IMAGE_REGISTRY:-nvcr.io/nvidia/osmo}"
 OSMO_IMAGE_TAG="${OSMO_IMAGE_TAG:-latest}"
 BACKEND_TOKEN_EXPIRY="${BACKEND_TOKEN_EXPIRY:-2027-01-01}"
+NGC_API_KEY="${NGC_API_KEY:-}"
+NGC_SECRET_NAME="nvcr-secret"
 
 # Provider-specific settings (set by loading provider script)
 PROVIDER=""
@@ -94,6 +96,10 @@ parse_k8s_args() {
                 DRY_RUN=true
                 shift
                 ;;
+            --ngc-api-key)
+                NGC_API_KEY="$2"
+                shift 2
+                ;;
             *)
                 shift
                 ;;
@@ -286,6 +292,34 @@ data:
     log_success "Secrets created"
 }
 
+create_image_pull_secrets() {
+    if [[ -z "$NGC_API_KEY" ]]; then
+        log_info "NGC_API_KEY not set, skipping image pull secret creation"
+        return
+    fi
+
+    log_info "Creating NGC image pull secrets..."
+
+    if [[ "$DRY_RUN" == true ]]; then
+        log_info "[DRY-RUN] Would create $NGC_SECRET_NAME in namespaces: $OSMO_NAMESPACE, $OSMO_OPERATOR_NAMESPACE, $OSMO_WORKFLOWS_NAMESPACE"
+        return
+    fi
+
+    for namespace in "$OSMO_NAMESPACE" "$OSMO_OPERATOR_NAMESPACE" "$OSMO_WORKFLOWS_NAMESPACE"; do
+        local secret_yaml
+        secret_yaml=$(kubectl create secret docker-registry "$NGC_SECRET_NAME" \
+            --docker-server=nvcr.io \
+            --docker-username='$oauthtoken' \
+            --docker-password="$NGC_API_KEY" \
+            --namespace "$namespace" \
+            --dry-run=client -o yaml)
+        $RUN_KUBECTL_APPLY_STDIN "$secret_yaml"
+        log_info "  Applied $NGC_SECRET_NAME in namespace $namespace"
+    done
+
+    log_success "NGC image pull secrets created"
+}
+
 ###############################################################################
 # Helm Functions
 ###############################################################################
@@ -301,7 +335,12 @@ add_helm_repos() {
     if [[ "$IS_PRIVATE_CLUSTER" == "true" ]]; then
         $RUN_HELM "repo add osmo https://helm.ngc.nvidia.com/nvidia/osmo && helm repo update"
     else
-        helm repo add osmo https://helm.ngc.nvidia.com/nvidia/osmo || true
+        if [[ -n "$NGC_API_KEY" ]]; then
+            helm repo add osmo https://helm.ngc.nvidia.com/nvidia/osmo \
+                --username='$oauthtoken' --password="$NGC_API_KEY" || true
+        else
+            helm repo add osmo https://helm.ngc.nvidia.com/nvidia/osmo || true
+        fi
         helm repo update
     fi
 
@@ -311,12 +350,18 @@ add_helm_repos() {
 create_helm_values() {
     log_info "Creating OSMO Helm values files..."
 
+    local ngc_pull_secret_yaml=""
+    if [[ -n "$NGC_API_KEY" ]]; then
+        ngc_pull_secret_yaml="  imagePullSecret: ${NGC_SECRET_NAME}"
+    fi
+
     # Service values
     cat > "$VALUES_DIR/service_values.yaml" <<EOF
 # OSMO Service Values - Auto-generated
 global:
   osmoImageLocation: ${OSMO_IMAGE_REGISTRY}
   osmoImageTag: ${OSMO_IMAGE_TAG}
+${ngc_pull_secret_yaml}
 
 services:
   configFile:
@@ -376,6 +421,7 @@ EOF
 global:
   osmoImageLocation: ${OSMO_IMAGE_REGISTRY}
   osmoImageTag: ${OSMO_IMAGE_TAG}
+${ngc_pull_secret_yaml}
 
 services:
   ui:
@@ -398,6 +444,7 @@ EOF
 global:
   osmoImageLocation: ${OSMO_IMAGE_REGISTRY}
   osmoImageTag: ${OSMO_IMAGE_TAG}
+${ngc_pull_secret_yaml}
 
 services:
   configFile:
@@ -433,6 +480,7 @@ EOF
 global:
   osmoImageLocation: ${OSMO_IMAGE_REGISTRY}
   osmoImageTag: ${OSMO_IMAGE_TAG}
+${ngc_pull_secret_yaml}
   serviceUrl: http://osmo-agent.${OSMO_NAMESPACE}.svc.cluster.local
   agentNamespace: ${OSMO_OPERATOR_NAMESPACE}
   backendNamespace: ${OSMO_WORKFLOWS_NAMESPACE}
@@ -523,7 +571,7 @@ setup_backend_operator() {
     else
         # Port forward to OSMO service
         log_info "Starting port-forward to OSMO service..."
-        kubectl port-forward service/osmo-service 9000:80 -n "$OSMO_NAMESPACE" &
+        $RUN_KUBECTL "port-forward service/osmo-service 9000:80 -n $OSMO_NAMESPACE" &
         local port_forward_pid=$!
         sleep 5
 
@@ -540,10 +588,12 @@ setup_backend_operator() {
                 -t json 2>/dev/null | jq -r '.token' || echo "")
 
             if [[ -n "$backend_token" && "$backend_token" != "null" ]]; then
-                kubectl create secret generic osmo-operator-token \
+                local token_secret_yaml
+                token_secret_yaml=$(kubectl create secret generic osmo-operator-token \
                     --from-literal=token="$backend_token" \
                     --namespace "$OSMO_OPERATOR_NAMESPACE" \
-                    --dry-run=client -o yaml | kubectl apply -f -
+                    --dry-run=client -o yaml)
+                $RUN_KUBECTL_APPLY_STDIN "$token_secret_yaml"
 
                 log_success "Backend token created"
                 token_created=true
@@ -585,6 +635,10 @@ cleanup_osmo() {
     $RUN_HELM "uninstall router-minimal --namespace $OSMO_NAMESPACE" 2>/dev/null || true
     $RUN_HELM "uninstall osmo-operator --namespace $OSMO_OPERATOR_NAMESPACE" 2>/dev/null || true
 
+    for namespace in "$OSMO_NAMESPACE" "$OSMO_OPERATOR_NAMESPACE" "$OSMO_WORKFLOWS_NAMESPACE"; do
+        $RUN_KUBECTL "delete secret $NGC_SECRET_NAME --namespace $namespace --ignore-not-found=true" 2>/dev/null || true
+    done
+
     $RUN_KUBECTL "delete namespace $OSMO_NAMESPACE" 2>/dev/null || true
     $RUN_KUBECTL "delete namespace $OSMO_OPERATOR_NAMESPACE" 2>/dev/null || true
     $RUN_KUBECTL "delete namespace $OSMO_WORKFLOWS_NAMESPACE" 2>/dev/null || true
@@ -667,16 +721,17 @@ deploy_k8s_main() {
     add_helm_repos
     create_database
     create_secrets
+    create_image_pull_secrets
     create_helm_values
 
     deploy_osmo_service
     deploy_osmo_ui
     deploy_osmo_router
 
-    wait_for_pods "$OSMO_NAMESPACE" 300 "" "kubectl"
+    wait_for_pods "$OSMO_NAMESPACE" 300 "" "$RUN_KUBECTL"
 
     setup_backend_operator
-    wait_for_pods "$OSMO_OPERATOR_NAMESPACE" 180 "" "kubectl"
+    wait_for_pods "$OSMO_OPERATOR_NAMESPACE" 180 "" "$RUN_KUBECTL"
 
     verify_deployment
     print_access_instructions