Deployment & Operations

Docker, Kubernetes, CI/CD, IaC, SBOM tooling, mission kits, and release channels

OMEN is designed for edge-first deployment — containers run on disconnected hardware as easily as cloud clusters. The infrastructure layer (ops/) provides everything needed for reproducible, signed, and auditable deployments.

Directory Structure

Docker Development Environment

Docker Compose Stack — ops/docker/docker-compose.dev.yaml

A complete development environment with five services:

Launch:

cd ops/docker
docker-compose -f docker-compose.dev.yaml up

Access Points:

• Engine API: http://localhost:8000
• CAL Service: http://localhost:8001
• Map Application: http://localhost:5173
• Prometheus: http://localhost:9090
• Grafana: http://localhost:3000

Engine Container — ops/docker/Dockerfile.engine

FROM python:3.11-slim
WORKDIR /app
RUN apt-get update && apt-get install -y curl && rm -rf /var/lib/apt/lists/*
COPY engine/requirements.txt ./engine/requirements.txt
RUN pip install --no-cache-dir -r engine/requirements.txt
COPY engine/ ./engine/
COPY sdk/ ./sdk/
RUN useradd -r -u 1001 omen
USER omen
EXPOSE 8000
HEALTHCHECK --interval=10s --timeout=5s --retries=3 \
  CMD curl -f http://localhost:8000/healthz
CMD ["python", "-m", "engine.service", "--host", "0.0.0.0", "--port", "8000"]

Security:

• Non-root user (omen, UID 1001)
• Minimal base image (python:3.11-slim)
• Health check endpoint (/healthz)
• No secrets baked into image

CAL Container — ops/docker/Dockerfile.cal

FROM python:3.11-slim
WORKDIR /app
RUN apt-get update && apt-get install -y curl && rm -rf /var/lib/apt/lists/*
COPY cal/requirements.txt ./cal/requirements.txt
COPY adapters/requirements.txt ./adapters/requirements.txt 2>/dev/null || true
RUN pip install --no-cache-dir -r cal/requirements.txt
COPY cal/ ./cal/
COPY adapters/ ./adapters/
COPY sdk/ ./sdk/
RUN useradd -r -u 1001 omen
USER omen
EXPOSE 8001
HEALTHCHECK --interval=10s --timeout=5s --retries=3 \
  CMD curl -f http://localhost:8001/healthz
CMD ["python", "-m", "cal.service", "--host", "0.0.0.0", "--port", "8001"]

CI/CD Pipeline

GitHub Actions — ops/ci/ci.yaml

The CI pipeline runs on push to main/develop and on pull requests:

Linting Rules:

• E — PEP 8 style errors
• W — PEP 8 warnings
• F — PyFlakes logical errors
• E501 ignored — line length is not enforced

Kubernetes Deployment

K3s / Kubernetes — ops/k8s/

Edge-capable orchestration manifests for production deployment:

• Namespace isolation for engine, CAL, and presentation tiers
• Network policies restricting pod-to-pod communication to declared dependencies
• Resource limits on CPU/memory per container
• Health/readiness probes on all services
• Rolling update strategy with configurable surge/unavailable counts

Infrastructure as Code

Terraform / OpenTofu — ops/terraform/

IaC modules for provisioning:

• Cloud environments (CI/CD runners, artifact registries)
• Edge hardware configurations
• Network topology and security groups
• DNS and certificate management

SBOM & Artifact Signing

SBOM Generation — ops/sbom/

Every build generates a Software Bill of Materials:

• Format: CycloneDX or SPDX
• Tools: syft, cdxgen
• Published alongside release artifacts
• Enables downstream dependency auditing

Artifact Signing

Build → SBOM Generation → Container Build → Cosign Sign
                                                   │
                                                   ▼
                                        OCI Registry + Sigstore Log

• All container images signed with Cosign
• Transparency log entries in Sigstore
• Verification at deployment time

Deployment Modes

Mission Kit

A mission kit is a pre-packaged, signed deployment artifact:

Release Channels

Observability Stack

All services expose health (/healthz) and readiness endpoints for orchestration probes.

Prerequisites