Service Creation
TL;DR — Scaffold a service with the internal CLI, create the repo in Bitbucket, then run the Jenkins "create service" job. Backend services auto-generate an `ops-scripts` PR; a few steps remain manual (K8s secrets, configmaps, ingress). WIP: a skill + Bitbucket MCP that automates the manual steps.
Overview
Creating a new microservice or MicroFrontend is a multi-step workflow that combines the internal CLI, Bitbucket, Jenkins, and manual K8s configuration. Each step has a clear owner.
Step 1 — Scaffold the code (internal CLI)
- The internal CLI generates the repo scaffolding, including the Bitbucket Pipelines file.
- Does not support mixed monorepos (frontend + backend in the same repo) — the per-repo Jenkins pipeline doesn't allow both types.
- Must be run before creating the Bitbucket repo.
- Add `AGENTS.md` (canonical AI-readable project instructions) and a one-line `CLAUDE.md` pointer at the repo root — see mcp-and-ai-tooling.md → Per-repo AI instructions.
CLI documentation lives in Confluence — see the Securitize CLI page.
Step 2 — Create the Bitbucket repo
Create the repo in the appropriate Bitbucket project (see teams.md for team↔project mapping). The repo name is required for Step 3.
Step 3 — Run the Jenkins "create service" job
- A Jenkins job exists specifically for creating a new service.
- Pick:
  - Type: `k8s` for backend, `UI-SST` for frontend, among others (see Jenkinsfile variants in ops-repos.md).
  - Repo name: must already exist in Bitbucket.
- Detects branches `dev`, `rc`, `master`.
Behavior by type:
| Type | Result |
|---|---|
| Frontend | Modern frontends (UI-SST) deploy via SST/CDK; legacy frontends (UI) use Jenkinsfile-UI. See frontend-architecture.md. |
| Backend | Auto-creates a PR in ops-scripts with the service's K8s yamls. See deployment-yamls.md for yaml patterns. |
Step 4 — Manual steps (backend only)
Modern frontends (UI-SST) do not need any manual steps
If the infra/ folder is correctly configured, the Jenkinsfile-UI-SST pipeline handles everything end-to-end via SST/CDK. No K8s secrets, configmaps or ingress to set up.
After the Jenkins job and the auto-PR in ops-scripts, a few things still need manual work:
- Create K8s secrets — per-service secrets in Kubernetes Secrets. See secrets.md for how secrets are managed.
- Configure configmap env vars — edit the `.env` file inside `ops-scripts/k8s/{service-name}/`.
- Expose the service (if needed) — if the service must be reachable, go to the `ops-k8s-infra` repo and manually add a rule in the appropriate ingress YAML. The target file depends on the service type (`internal`, `public`, or `gateway`) and the environment. Full mapping and rule format in Ingress and DNS configuration.
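
The `.env` file in `ops-scripts/k8s/{service-name}/` is committed through a PR, while credentials belong in Kubernetes Secrets, so a pre-merge check such as the one below can flag entries that ended up in the wrong place. This is an added example, not part of the internal CLI or the Jenkins job; the key-name patterns, thresholds and sample values are assumptions.

```python
import math
import re

# Heuristics below are assumptions for illustration, not project policy.
ENV_LINE_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_]\w*)\s*=\s*(.*?)\s*$")
SECRET_NAME_RE = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL", re.I)
URL_CRED_RE = re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)
# Empty values, ${VAR} references, <placeholders>, numbers and booleans are not secrets.
HARMLESS_VALUE_RE = re.compile(r"^(|\$\{?\w+\}?|<[^>]*>|\d+|true|false)$", re.I)


def shannon_entropy(value):
    """Bits per character; long random tokens score close to log2(alphabet size)."""
    counts = {ch: value.count(ch) for ch in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def find_secrets(env_text, min_len=24, min_entropy=4.0):
    """Return [(line_no, key, reason)] for entries that belong in a K8s Secret."""
    findings = []
    for line_no, raw in enumerate(env_text.splitlines(), 1):
        match = ENV_LINE_RE.match(raw)
        if not match:  # comments, blank lines, anything that is not KEY=VALUE
            continue
        key, value = match.group(1), match.group(2).strip("'\"")
        if HARMLESS_VALUE_RE.match(value):
            continue
        if URL_CRED_RE.match(value):
            findings.append((line_no, key, "credentials embedded in URL"))
        elif SECRET_NAME_RE.search(key):
            findings.append((line_no, key, "secret-like key name"))
        elif len(value) >= min_len and shannon_entropy(value) >= min_entropy:
            findings.append((line_no, key, "high-entropy value"))
    return findings


# Constructed sample .env for a hypothetical service; no value here is real.
SAMPLE_ENV = """\
# configmap for example-service
LOG_LEVEL=info
DB_HOST=db.internal.example
DB_PASSWORD=hunter2-not-real
DATABASE_URL=postgres://app:s3cr3t@db.internal.example:5432/app
SESSION_SIGNER=Zx8Qp2Lm9Vt4Rk7Ny1Bc6Hd3Jf5Gs0Wa
API_TOKEN=${API_TOKEN}
TOKEN_TTL_SECONDS=3600
"""

if __name__ == "__main__":
    for line_no, key, reason in find_secrets(SAMPLE_ENV):
        print(f"line {line_no}: {key}: {reason}")
```

Entries it reports should move to a Kubernetes Secret (see secrets.md) and be replaced in the `.env` by a reference or removed.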
WIP — Skill + Bitbucket MCP for automated ops PRs
A new skill is being built that, when a developer creates a new service, will:
- Automatically generate changes in `ops-k8s-infra` and `ops-scripts` for the new service.
- Create PRs via the Bitbucket MCP — removing the need to edit yamls by hand.
Status: in progress.
Canonical Confluence docs
- Securitize CLI — Internal CLI documentation.
- Readme configuration — Required README sections and template for new repos.
See also
- Ops Repositories — Target repos for auto-PRs (`ops-scripts`, `ops-k8s-infra`).
- Deployment YAML Patterns — Patterns used in the auto-generated yamls.
- Bitbucket Pipelines (CI) — The CI pipeline generated by the CLI.
- Jenkins K8s Jobs — The Jenkins flow that deploys the new service.
- Secrets — K8s secrets setup.