Initial commit of the first production ready version of this helm chart

Author: maor-rozenfeld

.github/prlint.json

@@ -0,0 +1,23 @@
+{
+  "title": [
+    {
+      "pattern": "^[A-Z][a-z]+?\\s",
+      "message": "Your title must start with a capital letter, and a real word, e.g. \"Add GO support\""
+    },
+    {
+      "pattern": "^\\S+\\s+\\S+\\s+\\S+",
+      "message": "Your title must have at least three words"
+    },
+    {
+      "pattern": "^(?!\\S+ing )(?!\\S+ed )|Embed ",
+      "message": "Use imperative mood (i.e write \"Fix\", not \"Fixed\" or \"Fixing\")"
+    }
+  ],
+  "body": [
+    {
+      "pattern": "(?:Fixes|Resolves|Closes|Part of) (?:#|OPS-|OPC-|CI-|DOC-)[1-9]\\d*|Dependabot commands and options",
+      "message": "Add a GitHub or Linear issue ID to your PR body, e.g. \"Fixes #1002\""
+    }
+  ]
+}
+

.github/workflows/helm-e2e.yaml

@@ -0,0 +1,92 @@
+name: Helm Chart End-to-End Test
+
+on:
+  pull_request:
+    paths:
+      - 'chart/**'
+      - '.github/workflows/**'
+  push:
+    branches: [main]
+    paths:
+      - 'chart/**'
+      - '.github/workflows/**'
+
+jobs:
+  e2e:
+    runs-on: ubuntu-large
+    permissions:
+      contents: read
+    env:
+      RELEASE_NAME: openops
+      NAMESPACE: openops
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v3.14.4
+
+      - name: Cache Docker images
+        uses: actions/cache@v4
+        with:
+          path: /var/lib/docker
+          key: docker-${{ runner.os }}-${{ hashFiles('chart/values.yaml', 'chart/values.ci.yaml') }}
+          restore-keys: |
+            docker-${{ runner.os }}-
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.9.0
+        with:
+          cluster_name: openops-e2e
+          wait: 180s
+
+      - name: Verify cluster
+        run: |
+          set -euo pipefail
+          kubectl cluster-info
+          kubectl get nodes -o wide
+
+      - name: Deploy chart
+        run: |
+          set -euo pipefail
+          helm upgrade --install "$RELEASE_NAME" chart \
+            --namespace "$NAMESPACE" \
+            --create-namespace \
+            -f chart/values.ci.yaml \
+            --set nginx.service.type=ClusterIP \
+            --wait \
+            --timeout 15m
+
+      - name: Wait for workloads
+        run: |
+          set -euo pipefail
+          kubectl get pods -n "$NAMESPACE" -o wide
+          kubectl wait --for=condition=Available deployment --all -n "$NAMESPACE" --timeout=900s
+
+      - name: Verify application health endpoint
+        run: |
+          set -euo pipefail
+          kubectl get svc -n "$NAMESPACE"
+          kubectl port-forward -n "$NAMESPACE" svc/openops-app 18080:80 >/tmp/port-forward.log 2>&1 &
+          pf_pid=$!
+          cleanup() {
+            kill "$pf_pid" >/dev/null 2>&1 || true
+          }
+          trap cleanup EXIT
+          for attempt in $(seq 1 12); do
+            if curl -fsS http://127.0.0.1:18080/api/v1/health; then
+              echo "Health endpoint responded on attempt $attempt"
+              exit 0
+            fi
+            sleep 5
+          done
+          echo "Health endpoint did not become ready" >&2
+          exit 1
+
+      - name: Gather diagnostics on failure
+        if: ${{ failure() }}
+        run: |
+          kubectl get all -n "$NAMESPACE"
+          kubectl describe pods -n "$NAMESPACE" || true
+          kubectl logs -n "$NAMESPACE" deployment/openops-app --tail=200 || true

.github/workflows/helm-validate.yaml

@@ -0,0 +1,35 @@
+name: Helm Chart Validation
+
+on:
+  pull_request:
+    paths:
+      - 'chart/**'
+      - '.github/workflows/**'
+  push:
+    branches: [main]
+    paths:
+      - 'chart/**'
+      - '.github/workflows/**'
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v3.14.4
+
+      - name: Lint chart
+        run: helm lint chart
+
+      - name: Template with default values
+        run: helm template openops chart --values chart/values.ci.yaml
+
+      - name: Template with example overrides
+        run: helm template openops chart -f chart/values.overrides-example.yaml

.gitignore

@@ -0,0 +1,12 @@
+#############################################
+# Helm chart artifacts
+#############################################
+*.tgz
+chart/charts/
+
+#############################################
+# IDE / OS files
+#############################################
+.DS_Store
+.idea/
+.vscode/

AGENTS.md

@@ -0,0 +1,60 @@
+# AGENTS
+
+## Repository structure
+- `/chart/Chart.yaml`: Helm chart metadata (name, version, description). **Do not bump the version manually**—it is updated automatically during release workflows.
+- `/chart/values.yaml`: Default configuration for all OpenOps components; use it to learn the expected keys before adding overrides.
+- `/chart/values.overrides-example.yaml`: Reference file that shows how to structure your own overrides file for deployments.
+- `/chart/values.ci.yaml`: Resource-constrained overlay for CI environments.
+- `/chart/values.dev.yaml`: Development overlay for local development environments.
+- `/chart/values.production.yaml`: Production overlay with externalized dependencies and cloud settings.
+- `/chart/templates/`: Kubernetes manifests rendered by Helm (43 files). Includes deployments/statefulsets, services, configmaps (`configmap-*.yaml`), secrets (`secret-env.yaml`, `external-secret.yaml`), service accounts, PodDisruptionBudgets, HorizontalPodAutoscalers, NetworkPolicy, LimitRange, ServiceMonitor for Prometheus, and Helm tests. Shared template helpers live in `_helpers.tpl` (561 lines with 49+ helper functions). Postgres and Redis use StatefulSets with volumeClaimTemplates for stable storage and safe rollouts.
+- `/chart/templates/NOTES.txt`: Helm installation notes displayed after deployment with important warnings and next steps.
+- `/chart/.helmignore`: Excludes development and repository files from packaged charts to reduce size and prevent leaking unnecessary files.
+- `/LICENSE`: Apache 2.0 license for this Helm chart repository.
+- `/README.md`: Comprehensive documentation covering installation, configuration, operational toggles (secrets, TLS, scaling, production hardening), and multi-environment deployments.
+- `/docs/`: Deployment guides including AWS EKS (EC2), AWS EKS Fargate, and platform-specific instructions.
+- `/.github/prlint.json`: Pull-request lint configuration (see below) that runs in CI to enforce title/body rules.
+- `/.github/workflows/`: Automation (tests, lint, release) triggered by pushes and pull requests. Update these only when you need to change CI behavior.
+
+## Stateful dependencies
+- **Postgres and Redis** are deployed as StatefulSets with volumeClaimTemplates for per-pod persistent storage, ordered rollouts, and stable network identities.
+- Both support optional authentication, TLS encryption, and backup annotations for production use.
+- Set `replicas: 0` in production overlays to use external managed services (AWS RDS, ElastiCache, etc.) instead of in-cluster instances.
+- **Tables** uses a PersistentVolumeClaim for `/baserow/data` and includes an init container to fix volume ownership (uid:gid 1000:1000) to ensure compatibility with non-root security contexts.
+
+## Production features
+- **Security-first design**: Security contexts enabled by default (runAsNonRoot, drop ALL capabilities, seccomp RuntimeDefault profile).
+- **Service accounts**: Dedicated service accounts for each component (app, engine, tables, analytics, nginx, postgres, redis) with configurable annotations for AWS IAM roles (IRSA), GCP Workload Identity, or Azure Managed Identity.
+- **External Secrets Operator**: Built-in support for AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager, and Azure Key Vault integration.
+- **PodDisruptionBudgets (PDBs)**: Configured for all stateless components to ensure minimum availability during voluntary disruptions (node drains, upgrades).
+- **HorizontalPodAutoscalers (HPAs)**: Optional autoscaling for app, engine, analytics, and nginx based on CPU/memory metrics.
+- **NetworkPolicy**: Optional network segmentation to restrict pod-to-pod communication and enforce least-privilege networking with explicit allow rules.
+- **LimitRange**: Optional namespace-level resource defaults and constraints to prevent resource exhaustion.
+- **ServiceMonitor**: Prometheus Operator integration for scraping application metrics from `/metrics` endpoints.
+- **Helm tests**: Post-installation connectivity tests to validate deployment health.
+- **Validation helpers**: Runtime validation of required secrets (OPS_ENCRYPTION_KEY, OPS_JWT_SECRET, etc.) with helpful error messages at render time.
+
+## PR lint rules
+The `.github/prlint.json` ruleset runs on every pull request. To avoid CI failures:
+1. **Title requirements**
+   - Start with a capitalized real word (`Add`, `Fix`, `Update`, etc.).
+   - Contain at least three words so reviewers immediately understand the change.
+   - Use the imperative mood ("Add support for X" rather than "Added" or "Adding").
+2. **Body requirements**
+   - Reference the tracking item with one of `Fixes|Resolves|Closes|Part of` followed by either a GitHub issue (`#1234`) or a Linear ticket (`OPS-1234`, `OPC-1234`, `CI-1234`, `DOC-1234`).
+   - For dependency bumps, "Dependabot commands and options" is also accepted.
+
+## License
+This Helm chart repository is licensed under the Apache License 2.0. See the LICENSE file for full terms.
+
+## Documentation updates
+- **Update both AGENTS.md and README.md** with every PR if there are relevant changes to repository structure, workflows, guidelines, or usage instructions.
+- Keep documentation synchronized with code changes to ensure agents and users have accurate information.
+- The chart is production-ready and follows enterprise-grade best practices for security, high availability, and observability.
+
+## Commit guidelines
+- Write commit subjects in the imperative mood, mirroring the PR title rules (e.g., "Add Redis PVC annotations").
+- Capitalize the first word and keep the subject ≤ 72 characters; add a blank line before the body.
+- Use the body to explain *what* and *why*, wrapping at ~72 characters per line for readability.
+- Reference relevant issues in the body when closing or relating work (same keywords as PR bodies).
+- Prefer focused commits that touch a single logical change; this keeps review and potential rollbacks simple.