Deployment¶
All components are managed by FluxCD via the rig-gitops repo.
GitOps Structure¶
rig-gitops/
├── clusters/gcp/
│ └── conductor-e.yaml FluxCD Kustomization (entrypoint)
└── apps/conductor-e/
├── namespace.yaml conductor-e namespace
├── rig-agent-runtime-source.yaml GitRepository: rig-agent-runtime repo
├── rig-agent-runtime-helmrelease.yaml HelmRelease: Rig Agent Runtime agent + cron
├── conductor-e-api-source.yaml GitRepository: conductor-e repo
└── conductor-e-api-kustomization.yaml Kustomization: API + PostgreSQL
Components¶
| Component | Image | Managed By | Source |
|---|---|---|---|
| Conductor-E Agent | europe-north1-docker.pkg.dev/invotek-github-infra/dashecorp/rig-agent-runtime:latest |
HelmRelease | rig-agent-runtime repo |
| Conductor-E Cron | Same image | HelmRelease (CronJob) | rig-agent-runtime repo |
| Conductor-E API | europe-north1-docker.pkg.dev/invotek-github-infra/dashecorp/conductor-e:latest |
Kustomization | conductor-e repo |
| PostgreSQL 16 | postgres:16-alpine |
Kustomization | conductor-e repo |
Coordination Cron¶
Every 5 minutes, a CronJob runs the coordination loop:
- Check event store health
- Get current priority queue
- Search GitHub for
agent-readyissues across managed repos - Sync new issues to event store as
ISSUE_APPROVEDevents - Post summary to
#conductor-evia Discord webhook
Cost: ~$0.005 per run ($1.44/month with Haiku).
Secrets¶
The conductor-e-secrets secret (created manually, not in GitOps):
| Key | Purpose | Used By |
|---|---|---|
discord-bot-token |
Discord bot (Conductor-E, formerly ATL-E) | Rig Agent Runtime |
anthropic-api-key |
Conductor-E dedicated API key (see below) | Rig Agent Runtime |
github-token |
GitHub PAT for MCP tools | Rig Agent Runtime, Cron |
postgres-password |
PostgreSQL auth | API + PostgreSQL |
discord-webhook-url |
Cron results webhook for #conductor-e | Cron |
database-url |
Empty (in-memory mode for Rig Agent Runtime memory) | Rig Agent Runtime |
Per-Agent Anthropic API Keys¶
Each rig agent uses a dedicated Anthropic API key so usage is broken down per agent in the Anthropic Console. No shared keys.
| Agent | Secret Name | Key Name in Console |
|---|---|---|
| Conductor-E | conductor-e-secrets |
conductor-e |
| Dev-E | dev-e-secrets |
dev-e |
| Review-E | review-e-secrets |
review-e |
Why separate keys¶
The Anthropic Console shows token usage grouped by API key. With a single shared key, you cannot tell which agent spent what. With one key per agent, you get free per-agent cost tracking without any additional instrumentation.
Creating a dedicated key¶
- Go to console.anthropic.com/settings/keys
- Click Create Key, name it after the agent (e.g.
conductor-e) - Copy the key value — it is only shown once
- Update the agent's K8s secret:
# Create or update the secret
kubectl create secret generic conductor-e-secrets \
--namespace conductor-e \
--from-literal=anthropic-api-key=<new-key> \
--from-literal=discord-bot-token=<existing-value> \
--from-literal=github-token=<existing-value> \
--from-literal=postgres-password=<existing-value> \
--from-literal=discord-webhook-url=<existing-value> \
--from-literal=database-url="" \
--dry-run=client -o yaml | kubectl apply -f -
# Restart the agent to pick up the new key
kubectl rollout restart deployment/conductor-e-rig-agent-runtime -n conductor-e
Verifying key separation¶
After updating all secrets, verify in the Anthropic Console that usage is correctly attributed — each agent's calls should appear under its own key name.
FluxCD Commands¶
# Check status
flux get kustomizations
flux get helmreleases -A
# Force reconciliation
flux reconcile source git flux-system
flux reconcile kustomization conductor-e
# Check what FluxCD manages
kubectl get pods -n conductor-e
Building Images¶
Images are built automatically via GitHub Actions CI on push to main and published to Google Artifact Registry.
| Image | Registry Path |
|---|---|
| Conductor-E API | europe-north1-docker.pkg.dev/invotek-github-infra/dashecorp/conductor-e:latest |
| Rig Agent Runtime | europe-north1-docker.pkg.dev/invotek-github-infra/dashecorp/rig-agent-runtime:latest |
FluxCD picks up new images on reconciliation. To force a restart:
kubectl rollout restart deployment/conductor-e-api -n conductor-e
kubectl rollout restart deployment/conductor-e-rig-agent-runtime -n conductor-e
Verifying¶
# All pods
kubectl get pods -n conductor-e
# API health
kubectl port-forward -n conductor-e svc/conductor-e-api 18080:8080 &
curl http://localhost:18080/health
# API logs
kubectl logs -n conductor-e -l app=conductor-e-api --tail=20
# Rig Agent Runtime logs
kubectl logs -n conductor-e -l app.kubernetes.io/name=rig-agent-runtime --tail=20
# Cron job logs (last run)
kubectl logs -n conductor-e -l app.kubernetes.io/component=cron --tail=20