openops-cloud · bigfluffycookie · Mar 17, 2026 · Mar 5, 2026 · Mar 5, 2026 · Mar 5, 2026
diff --git a/chart/templates/role-app-subagents.yaml b/chart/templates/role-app-subagents.yaml
@@ -0,0 +1,26 @@
+{{- if eq (index .Values.openopsEnv "OPS_SUBAGENTS_ENABLED") "true" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "openops.fullname" . }}-subagent-manager
+  namespace: {{ .Values.subagents.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "openops.componentLabels" (dict "root" . "component" "app") | nindent 4 }}
+    {{- with .Values.global.commonLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.global.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+rules:
+- apiGroups: ["batch"]
+  resources: ["jobs"]
+  verbs: ["create", "get", "list", "delete"]
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list"]
+- apiGroups: [""]
+  resources: ["pods/log"]
+  verbs: ["get"]
+{{- end }}
diff --git a/chart/templates/rolebinding-app-subagents.yaml b/chart/templates/rolebinding-app-subagents.yaml
@@ -0,0 +1,24 @@
+{{- if eq (index .Values.openopsEnv "OPS_SUBAGENTS_ENABLED") "true" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "openops.fullname" . }}-subagent-manager
+  namespace: {{ .Values.subagents.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "openops.componentLabels" (dict "root" . "component" "app") | nindent 4 }}
+    {{- with .Values.global.commonLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.global.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "openops.fullname" . }}-subagent-manager
+subjects:
+- kind: ServiceAccount
+  name: {{ include "openops.serviceAccountName" (dict "root" . "component" "app") }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
@@ -143,6 +143,15 @@ openopsEnv:
   OPS_CODE_BLOCK_MEMORY_LIMIT_IN_MB: "256"
   OPS_SLACK_ENABLE_INTERACTIONS: "true"
 
+  # Subagent configuration
+  OPS_SUBAGENTS_ENABLED: "false"
+  OPS_SUBAGENT_EXECUTOR_TYPE: "k8s"
+  OPS_SUBAGENT_K8S_NAMESPACE: '{{ .Values.subagents.namespace | default .Release.Namespace }}'
+  OPS_SUBAGENT_S3_BUCKET: ""
+  OPS_SUBAGENT_S3_REGION: ""
+  OPS_SUBAGENT_S3_ENDPOINT: ""
+  OPS_SUBAGENT_RUNNER_IMAGE: "535002847982.dkr.ecr.us-east-2.amazonaws.com/openops/subagent-runner:0fdbc6b1"
+
 # Secret environment variables
 # Any var in this section is treated as a secret (stored in K8s Secret, referenced via secretKeyRef).
 # Generate secure values with: openssl rand -hex 16
@@ -159,6 +168,8 @@ openopsEnvSecrets:
   OPS_LANGFUSE_PUBLIC_KEY: ""
   OPS_LANGFUSE_SECRET_KEY: ""
   OPS_SSO_FRONTEGG_PUBLIC_KEY: ""
+  OPS_SUBAGENT_S3_ACCESS_KEY: ""
+  OPS_SUBAGENT_S3_SECRET_KEY: ""
 
 secretEnv:
   create: true
@@ -629,3 +640,8 @@ externalSecrets:
     create: false
     name: external-secrets-sa
     annotations: {}
+
+# Subagent configuration
+subagents:
+  # Namespace where subagent pods run (defaults to same namespace as app)
+  namespace: ""