Add Kubernetes deployment docs and refactor Claude skills

[t0mdavid-m]

Summary

• New docs/kubernetes-deployment.md — 5-section reference (overview, architecture with ASCII diagram, per-manifest reference, fork-and-deploy guide, CI/CD pipeline). Registered in content/documentation.py so it surfaces as a Streamlit Documentation page.
• Refactor the configure-deployment Claude skill into three focused skills: configure-app-settings (shared app metadata, Dockerfile, README), configure-docker-compose-deployment (docker-compose.yml, cleanup script), configure-k8s-deployment (overlay creation, kubectl apply). The original was renamed via git mv first so git log --follow traces the docker-compose history.
• Reconcile k8s/overlays/template-app/kustomization.yaml with the production cluster's working version — drop two stale patches (one targeting a Deployment with an Ingress-shaped JSON path, one duplicating the IngressRoute service-name patch).
• Cross-link docs/deployment.md to the new K8s page via a short preamble.

Test Plan

• kubectl kustomize k8s/overlays/template-app/ succeeds; rendered output has the expected Redis URL, hostname, and service-name substitutions.
• pytest tests/ — 28 pass.
• pytest test_gui.py -k documentation — 8 pass (including the new "Developers Guide: Kubernetes Deployment" smoke test).
• Manual UI check: streamlit run app.py → Documentation → "Developers Guide: Kubernetes Deployment" — confirm ASCII diagram renders as monospace, tables + code blocks render, no stray backslashes or broken inline code.
• Manual UI check: Documentation → "Developers Guide: Deployment" — confirm new preamble + ## Docker Compose heading + existing body all render.
• CI: k8s-manifests-ci.yml green (kubeconform + kustomize build + kind integration test with both Dockerfile variants).

Notes

• A pre-existing failing test (test_gui.py::test_launch[content/raw_data_viewer.py]) is caused by an unrelated uncommitted modification in src/view.py that predates this branch. Not caused by these changes.
• 15 commits on the branch — the two follow-up fix commits (01cf85af settings.json key-field inconsistency, 7c7556bb nested-backtick rendering bug, bd832588 PR-blocking nuance) resolve issues surfaced in inline code review.

Summary by CodeRabbit

• Documentation

  • Reorganized deployment guides with separate app configuration and deployment-specific instructions
  • Added comprehensive Kubernetes deployment documentation with step-by-step configuration guidance
  • Updated deployment documentation with cross-references to automation guides

• New Features

  • Added "Developers Guide: Kubernetes Deployment" to documentation navigation

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR reorganizes deployment documentation by splitting monolithic configuration steps into focused guides for app settings, Docker Compose deployment, and Kubernetes deployment. It introduces new documentation pages for Kubernetes deployment architecture and updates the documentation navigation UI to surface the new Kubernetes guide. Kustomize template patches are removed, presuming dynamic configuration via the new deployment guides.

Changes

Cohort / File(s)	Summary
Claude Skills Documentation .claude/skills/configure-app-settings.md, .claude/skills/configure-docker-compose-deployment.md, .claude/skills/configure-k8s-deployment.md	Splits deployment configuration from single guide into three focused skills: app-level settings (common to both deployment paths), Docker Compose-specific setup, and Kubernetes-specific setup with Kustomize overlays.
Deployment Documentation docs/deployment.md, docs/kubernetes-deployment.md	Adds introductory overview of two supported deployment paths (Kubernetes and Docker Compose) with cross-references to corresponding Claude skills. Introduces detailed Kubernetes deployment guide covering Kustomize architecture, pod affinity, CI workflows, and step-by-step deployment instructions.
Documentation Navigation content/documentation.py, test_gui.py	Adds new "Developers Guide: Kubernetes Deployment" menu entry to documentation page selector and extends test coverage to include the new page option.
Kustomize Template Overlay k8s/overlays/template-app/kustomization.yaml	Removes two JSON patches (Deployment and IngressRoute) that hardcoded template hostnames and service names, likely delegating these edits to the new configuration guides.

Possibly related PRs

• Claude/kubernetes migration plan kq jw d #358: Directly modifies the same Kubernetes manifests and Traefik IngressRoute resources targeted by this PR's Kustomize overlay changes.
• Claude/kubernetes migration plan kq jw d #359: Directly alters patches in k8s/overlays/template-app/kustomization.yaml, creating potential overlap with this PR's removal of template patches.
• Add CLAUDE.md and Claude Code skills for MS webapp development #357: Adds deployment-related Claude Code skills that appear to be the predecessor work being split and expanded in this PR.

Poem

🐰 A rabbit's ode to cleaner docs

Configuration scattered, now it flows,
App, then Docker, K8s—the path now shows,
Overlays dance without their chains,
Each deployment guide explains,
Three little skills to light the way,
For forked apps that run today! 🚀

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: adding Kubernetes deployment documentation and refactoring the Claude skill into three focused, purpose-specific skills.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/k8s-deployment-docs

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.claude/skills/configure-app-settings.md:
- Around line 21-26: The example in this doc hardcodes "online_deployment":
false which can lead to deploying online/both modes with local-only settings;
update the guidance and example so the "online_deployment" flag is explicitly
tied to the requested deployment mode (local/online/both), e.g., instruct users
to set "online_deployment": true for online or both deployments and to adjust
the nested max_threads keys in settings.json (local vs online) accordingly, and
update the sample block that contains "online_deployment" and the explanatory
text around "app-name", "github-user", "repository-name", "version",
"enable_workspaces", and "max_threads" to make this mapping clear.

In @.claude/skills/configure-docker-compose-deployment.md:
- Around line 13-26: Update the example Docker Compose snippet so the service
and volume placeholders consistently use the repository name instead of
"your-app-name"; specifically replace the service identifier "your-app-name" and
the volume name "workspaces-your-repo-name" with the repo-based placeholder
(e.g., a single consistent repository-name placeholder) and update any
corresponding references in the YAML (service key, ports block, and volumes
mapping) so the service key and volume key match the same repo-based identifier.

In `@docs/kubernetes-deployment.md`:
- Around line 180-190: Add a pre-deploy manifest render check by running
"kubectl kustomize k8s/overlays/<your-app-name>/" before the existing "kubectl
apply -k k8s/overlays/<your-app-name>/" step so users can catch patch/image/name
errors locally; update the flow so the rendered-manifest step appears directly
before the apply step and increment the following "Verify" section header
(change Step 6 to Step 7) that contains "kubectl -n openms get pods -l
app=<your-app-name>" and "kubectl -n openms rollout status
deployment/<your-app-name>-streamlit --timeout=120s".
- Line 20: The markdown code fence used for the ASCII architecture diagram
should be labeled with a language to satisfy markdownlint; update the
architecture code fence from an unlabeled block to a text-labeled block by
changing the opening fence to ```text so the ASCII diagram is treated as plain
text.
- Line 210: Update the docs to stop recommending passing GITHUB_TOKEN as a
Docker build-arg and instead instruct using BuildKit secrets; replace the
sentence referencing the workflow's `GITHUB_TOKEN` being passed as a build
argument with guidance to use BuildKit secret mounts (e.g., `--secret
id=github_token,src=/run/secrets/github_token` and `RUN
--mount=type=secret,id=github_token ...`) for in-image private-resource access
and GHCR login, and mention that this prevents credentials from appearing in
image history and keeps them out of build metadata.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 06f113dc-278c-461a-a4fe-e14b730c9492

📥 Commits

Reviewing files that changed from the base of the PR and between 4069e11 and 56d808e.

📒 Files selected for processing (8)

• .claude/skills/configure-app-settings.md
• .claude/skills/configure-docker-compose-deployment.md
• .claude/skills/configure-k8s-deployment.md
• content/documentation.py
• docs/deployment.md
• docs/kubernetes-deployment.md
• k8s/overlays/template-app/kustomization.yaml
• test_gui.py

💤 Files with no reviewable changes (1)

• k8s/overlays/template-app/kustomization.yaml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Tie online_deployment to the requested deployment mode.

The skill asks for deployment mode, but the example hardcodes "online_deployment": false. Add explicit guidance so online/both deployments do not accidentally get local-only settings.

Proposed clarification

-    Key fields: `app-name`, `github-user`, `repository-name`, `version`, `online_deployment`, `enable_workspaces`. `max_threads` (a nested object with `local`/`online` keys in `settings.json`) caps worker parallelism — tune it if your cluster or host has specific CPU constraints.
+    Set `online_deployment` from the requested deployment mode (`true` for online/both, `false` for local-only). Key fields: `app-name`, `github-user`, `repository-name`, `version`, `online_deployment`, `enable_workspaces`. `max_threads` (a nested object with `local`/`online` keys in `settings.json`) caps worker parallelism — tune it if your cluster or host has specific CPU constraints.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"online_deployment": false,
	"enable_workspaces": true
	}
	```
	Key fields: `app-name`, `github-user`, `repository-name`, `version`, `online_deployment`, `max_threads`.
	Key fields: `app-name`, `github-user`, `repository-name`, `version`, `online_deployment`, `enable_workspaces`. `max_threads` (a nested object with `local`/`online` keys in `settings.json`) caps worker parallelism — tune it if your cluster or host has specific CPU constraints.
	"online_deployment": false,
	"enable_workspaces": true
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.claude/skills/configure-app-settings.md around lines 21 - 26, The example
in this doc hardcodes "online_deployment": false which can lead to deploying
online/both modes with local-only settings; update the guidance and example so
the "online_deployment" flag is explicitly tied to the requested deployment mode
(local/online/both), e.g., instruct users to set "online_deployment": true for
online or both deployments and to adjust the nested max_threads keys in
settings.json (local vs online) accordingly, and update the sample block that
contains "online_deployment" and the explanatory text around "app-name",
"github-user", "repository-name", "version", "enable_workspaces", and
"max_threads" to make this mapping clear.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Make the service-name placeholder match the naming rule.

Line 26 says the service and volume names should use the repository name, but the example service uses your-app-name. This can lead the skill to generate mixed Compose identifiers.

Proposed documentation fix

 services:
-  your-app-name:
+  your-repo-name:
     build: .
     ports:
       - "8501:8501"
     volumes:
       - workspaces-your-repo-name:/workspaces-your-repo-name

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	```yaml
	services:
	your-app-name:
	build: .
	ports:
	- "8501:8501"
	volumes:
	- workspaces-your-repo-name:/workspaces-your-repo-name
	volumes:
	workspaces-your-repo-name:
	```
	Service name and volume name should use the repository name.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.claude/skills/configure-docker-compose-deployment.md around lines 13 - 26,
Update the example Docker Compose snippet so the service and volume placeholders
consistently use the repository name instead of "your-app-name"; specifically
replace the service identifier "your-app-name" and the volume name
"workspaces-your-repo-name" with the repo-based placeholder (e.g., a single
consistent repository-name placeholder) and update any corresponding references
in the YAML (service key, ports block, and volumes mapping) so the service key
and volume key match the same repo-based identifier.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add a language to the architecture code fence.

markdownlint flags this fence; use text for the ASCII diagram.

Proposed fix

-```
+```text

🧰 Tools

🪛 markdownlint-cli2 (0.22.0)

[warning] 20-20: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/kubernetes-deployment.md` at line 20, The markdown code fence used for
the ASCII architecture diagram should be labeled with a language to satisfy
markdownlint; update the architecture code fence from an unlabeled block to a
text-labeled block by changing the opening fence to ```text so the ASCII diagram
is treated as plain text.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add render validation before applying the overlay.

The guide jumps straight to kubectl apply -k; include kubectl kustomize first so users catch patch/image/name errors before touching the cluster.

Proposed flow update

-### Step 5 — Deploy
+### Step 5 — Validate
+
+```bash
+kubectl kustomize k8s/overlays/<your-app-name>/
+```
+
+This should print the rendered manifests with no errors.
+
+### Step 6 — Deploy
 
 ```bash
 kubectl apply -k k8s/overlays/<your-app-name>/

-### Step 6 — Verify
+### Step 7 — Verify

</details>

<!-- suggestion_start -->

<details>
<summary>📝 Committable suggestion</summary>

> ‼️ **IMPORTANT**
> Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

```suggestion
### Step 5 — Validate

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/kubernetes-deployment.md` around lines 180 - 190, Add a pre-deploy
manifest render check by running "kubectl kustomize
k8s/overlays/<your-app-name>/" before the existing "kubectl apply -k
k8s/overlays/<your-app-name>/" step so users can catch patch/image/name errors
locally; update the flow so the rendered-manifest step appears directly before
the apply step and increment the following "Verify" section header (change Step
6 to Step 7) that contains "kubectl -n openms get pods -l app=<your-app-name>"
and "kubectl -n openms rollout status deployment/<your-app-name>-streamlit
--timeout=120s".

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect workflow usage around Docker build/push and token handling.
rg -n -C3 --iglob '*.yml' --iglob '*.yaml' \
  '(docker/build-push-action|build-args|GITHUB_TOKEN|secrets:)' .github || true

# Inspect Dockerfiles for token ARG/ENV usage or BuildKit secret mounts.
rg -n -C3 --iglob 'Dockerfile*' \
  '(^\s*(ARG|ENV)\s+GITHUB_TOKEN\b|GITHUB_TOKEN|--mount=type=secret)' . || true

Repository: OpenMS/streamlit-template

Length of output: 5111

---

Update documentation to recommend BuildKit secrets instead of build arguments for passing credentials.

The workflow currently passes GITHUB_TOKEN via Docker build arguments (visible in image history and not secret-safe). Recommend updating the documentation to specify BuildKit secrets (--mount=type=secret) as the secure approach for private resource access during builds.

Proposed documentation wording

-- **Auth:** uses the workflow's `GITHUB_TOKEN` for GHCR login; also passes it as a build argument for in-image private-resource access.
+- **Auth:** uses the workflow's `GITHUB_TOKEN` for GHCR login. If private resources are needed during the image build, pass credentials via BuildKit secrets rather than Docker build arguments.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- **Auth:** uses the workflow's `GITHUB_TOKEN` for GHCR login; also passes it as a build argument for in-image private-resource access.
	- **Auth:** uses the workflow's `GITHUB_TOKEN` for GHCR login. If private resources are needed during the image build, pass credentials via BuildKit secrets rather than Docker build arguments.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/kubernetes-deployment.md` at line 210, Update the docs to stop
recommending passing GITHUB_TOKEN as a Docker build-arg and instead instruct
using BuildKit secrets; replace the sentence referencing the workflow's
`GITHUB_TOKEN` being passed as a build argument with guidance to use BuildKit
secret mounts (e.g., `--secret id=github_token,src=/run/secrets/github_token`
and `RUN --mount=type=secret,id=github_token ...`) for in-image private-resource
access and GHCR login, and mention that this prevents credentials from appearing
in image history and keeps them out of build metadata.