diff --git a/.github/workflows/preview-helm-charts.yml b/.github/workflows/preview-helm-charts.yml index c8c7aa98..35827960 100644 --- a/.github/workflows/preview-helm-charts.yml +++ b/.github/workflows/preview-helm-charts.yml @@ -19,6 +19,7 @@ jobs: image-loader: ${{ steps.changes.outputs.image-loader }} automation: ${{ steps.changes.outputs.automation }} plugin-directory: ${{ steps.changes.outputs.plugin-directory }} + service-template: ${{ steps.changes.outputs.service-template }} openhands: ${{ steps.changes.outputs.openhands }} openhands-secrets: ${{ steps.changes.outputs.openhands-secrets }} steps: @@ -39,7 +40,7 @@ jobs: echo "$CHANGED_FILES" # Check each chart for changes - for chart in crd-check runtime-api image-loader automation plugin-directory openhands openhands-secrets; do + for chart in crd-check runtime-api image-loader automation plugin-directory service-template openhands openhands-secrets; do if echo "$CHANGED_FILES" | grep -q "^charts/${chart}/"; then echo "${chart}=true" >> $GITHUB_OUTPUT echo "Changes detected in charts/${chart}" @@ -73,6 +74,8 @@ jobs: path: charts/runtime-api - name: image-loader path: charts/image-loader + - name: service-template + path: charts/service-template - name: openhands path: charts/openhands - name: openhands-secrets @@ -88,6 +91,7 @@ jobs: HAS_CHANGES_IMAGE_LOADER: ${{ needs.detect-changes.outputs.image-loader }} HAS_CHANGES_AUTOMATION: ${{ needs.detect-changes.outputs.automation }} HAS_CHANGES_PLUGIN_DIRECTORY: ${{ needs.detect-changes.outputs.plugin-directory }} + HAS_CHANGES_SERVICE_TEMPLATE: ${{ needs.detect-changes.outputs.service-template }} HAS_CHANGES_OPENHANDS: ${{ needs.detect-changes.outputs.openhands }} HAS_CHANGES_OPENHANDS_SECRETS: ${{ needs.detect-changes.outputs.openhands-secrets }} IS_PUBLISHABLE_CRD_CHECK: ${{ needs.validate-chart-versions.outputs.crd-check-publishable }} 
@@ -95,6 +99,7 @@ jobs: IS_PUBLISHABLE_IMAGE_LOADER: ${{ needs.validate-chart-versions.outputs.image-loader-publishable }} IS_PUBLISHABLE_AUTOMATION: ${{ needs.validate-chart-versions.outputs.automation-publishable }} IS_PUBLISHABLE_PLUGIN_DIRECTORY: ${{ needs.validate-chart-versions.outputs.plugin-directory-publishable }} + IS_PUBLISHABLE_SERVICE_TEMPLATE: ${{ needs.validate-chart-versions.outputs.service-template-publishable }} IS_PUBLISHABLE_OPENHANDS: ${{ needs.validate-chart-versions.outputs.openhands-publishable }} IS_PUBLISHABLE_OPENHANDS_SECRETS: ${{ needs.validate-chart-versions.outputs.openhands-secrets-publishable }} run: | @@ -120,6 +125,10 @@ jobs: HAS_CHANGES="$HAS_CHANGES_PLUGIN_DIRECTORY" IS_PUBLISHABLE="$IS_PUBLISHABLE_PLUGIN_DIRECTORY" ;; + service-template) + HAS_CHANGES="$HAS_CHANGES_SERVICE_TEMPLATE" + IS_PUBLISHABLE="$IS_PUBLISHABLE_SERVICE_TEMPLATE" + ;; openhands) HAS_CHANGES="$HAS_CHANGES_OPENHANDS" IS_PUBLISHABLE="$IS_PUBLISHABLE_OPENHANDS" @@ -279,6 +288,8 @@ jobs: path: charts/automation - name: plugin-directory path: charts/plugin-directory + - name: service-template + path: charts/service-template - name: openhands path: charts/openhands - name: openhands-secrets diff --git a/.github/workflows/publish-helm-charts.yml b/.github/workflows/publish-helm-charts.yml index ef7686e9..ba5e71ff 100644 --- a/.github/workflows/publish-helm-charts.yml +++ b/.github/workflows/publish-helm-charts.yml @@ -39,6 +39,8 @@ jobs: path: charts/automation - name: plugin-directory path: charts/plugin-directory + - name: service-template + path: charts/service-template - name: openhands path: charts/openhands - name: openhands-secrets diff --git a/.github/workflows/validate-chart-versions.yml b/.github/workflows/validate-chart-versions.yml index 64003041..a0d88748 100644 --- a/.github/workflows/validate-chart-versions.yml +++ b/.github/workflows/validate-chart-versions.yml 
@@ -35,6 +35,9 @@ on: openhands-secrets-publishable: description: 'Whether openhands-secrets chart is publishable (no changes or version bumped)' value: ${{ jobs.validate-chart-versions.outputs.openhands-secrets-publishable }} + service-template-publishable: + description: 'Whether service-template chart is publishable (no changes or version bumped)' + value: ${{ jobs.validate-chart-versions.outputs.service-template-publishable }} jobs: validate-chart-versions: @@ -49,6 +52,7 @@ jobs: plugin-directory-publishable: ${{ steps.validate.outputs.plugin-directory-publishable }} openhands-publishable: ${{ steps.validate.outputs.openhands-publishable }} openhands-secrets-publishable: ${{ steps.validate.outputs.openhands-secrets-publishable }} + service-template-publishable: ${{ steps.validate.outputs.service-template-publishable }} steps: - name: Checkout diff --git a/charts/openhands/Chart.yaml b/charts/openhands/Chart.yaml index b345d1a2..80f7b389 100644 --- a/charts/openhands/Chart.yaml +++ b/charts/openhands/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 description: OpenHands is an AI-driven autonomous software engineer name: openhands appVersion: cloud-1.25.1 -version: 0.7.6 +version: 0.7.5 maintainers: - name: rbren - name: xingyao @@ -44,6 +44,10 @@ dependencies: repository: oci://ghcr.io/all-hands-ai/helm-charts version: 0.1.5 condition: automation.enabled + - name: service-template + repository: oci://ghcr.io/all-hands-ai/helm-charts + version: 0.1.2-alpha.595 + condition: service-template.enabled - name: crd-check repository: oci://ghcr.io/all-hands-ai/helm-charts version: 0.1.0 diff --git a/charts/openhands/templates/_env.yaml b/charts/openhands/templates/_env.yaml index 75e8c861..1d7d334f 100644 --- a/charts/openhands/templates/_env.yaml +++ b/charts/openhands/templates/_env.yaml @@ -160,6 +160,7 @@ secretKeyRef: name: github-app key: client-secret +{{- if .Values.github.appSlugEnabled }} - name: GITHUB_APP_SLUG valueFrom: secretKeyRef: 
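Review bot: Nothing in this diff makes the `validate` step emit `service-template-publishable`, which the job output added in the `@@ -49,6 +52,7 @@` hunk of validate-chart-versions.yml reads from `steps.validate.outputs`. The step body is outside the hunk, so a loop over the charts directory may already cover it. If the step instead iterates a fixed chart list like the `for chart in …` loop in preview-helm-charts.yml, the output stays empty and `IS_PUBLISHABLE_SERVICE_TEMPLATE` in the preview workflow is never `true`. Confirm the step writes `service-template-publishable=…` to `$GITHUB_OUTPUT`, or add `service-template` to its list in this commit.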
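Review bot: `version` in charts/openhands/Chart.yaml moves backwards in the `@@ -2,7 +2,7 @@` hunk, from `0.7.6` to `0.7.5`, in the same commit that adds a dependency and a new template. A lower number can collide with an already published `0.7.5` artifact, and the check in validate-chart-versions.yml describes a chart as publishable only with "no changes or version bumped". If this is a rebase leftover, the line should be a bump instead, for example `version: 0.7.7`.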
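Review bot: The new `service-template` dependency in the `@@ -44,6 +44,10 @@` hunk is pinned to the pre-release `0.1.2-alpha.595`, while charts/service-template/Chart.yaml in this same commit declares `version: 0.1.2`. The alpha suffix looks like a preview build rather than a released artifact, so the parent chart would depend on something that may be rebuilt or removed. Pin the released version instead, `version: 0.1.2`. If charts/openhands carries a Chart.lock, it is not updated in this diff and needs regenerating with the new entry.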
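Review bot: The `github.appSlugEnabled` guard added around `GITHUB_APP_SLUG` in charts/openhands/templates/_env.yaml defaults to `false` in values.yaml, so installs that already store `app-slug` in the `github-app` Secret lose the variable on upgrade until they set the flag. The `secretKeyRef` already carries `optional: true` (context of the following `@@ -167,6 +168,7 @@` hunk), so a missing key did not block pod start before this change. A one-line template comment above the `if` should state why the optional reference was not enough. The values.yaml comment also calls the key `github_app_slug` while the template reads `key: app-slug`; I would write `# Set to true if the github-app Secret contains the app-slug key`.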
@@ -167,6 +168,7 @@ key: app-slug optional: true {{- end }} +{{- end }} {{- if .Values.gitlab.enabled }} - name: GITLAB_APP_CLIENT_ID valueFrom: diff --git a/charts/openhands/templates/ingress-service-template.yaml b/charts/openhands/templates/ingress-service-template.yaml new file mode 100644 index 00000000..b7c18edd --- /dev/null +++ b/charts/openhands/templates/ingress-service-template.yaml @@ -0,0 +1,46 @@ +{{- if and .Values.ingress.enabled (index .Values "service-template" "enabled") }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: openhands-service-template-ingress + annotations: + {{- if .Values.ingress.root.annotations }} + {{ .Values.ingress.root.annotations | toYaml | nindent 4 }} + {{- else }} + {{ .Values.ingress.annotations | toYaml | nindent 4 }} + {{- end }} +spec: + ingressClassName: {{ .Values.ingress.class }} + {{- if .Values.tls.enabled }} + tls: + - hosts: + {{- if .Values.ingress.prefixWithBranch }} + - {{ .Values.branchSanitized }}.{{ .Values.ingress.host }} + {{- else }} + - {{ .Values.ingress.host }} + {{- end }} + secretName: app-all-hands-{{ .Values.tls.env }}-tls + {{- end }} + rules: + {{- if .Values.ingress.prefixWithBranch }} + - host: {{ .Values.branchSanitized }}.{{ .Values.ingress.host }} + {{- else }} + - host: {{ .Values.ingress.host }} + {{- end }} + http: + paths: + - path: /api/service-template + pathType: Prefix + backend: + service: + name: service-template + port: + number: 80 + - path: /service-template + pathType: Prefix + backend: + service: + name: service-template + port: + number: 80 +{{- end }} diff --git a/charts/openhands/values.yaml b/charts/openhands/values.yaml index 0f48c6eb..d63f2c50 100644 --- a/charts/openhands/values.yaml +++ b/charts/openhands/values.yaml @@ -62,6 +62,8 @@ filestore: github: enabled: false + # Set to true if you have configured github_app_slug in the github-app Secret + appSlugEnabled: false enrichUserInteractionData: enabled: false 
@@ -862,6 +864,91 @@ automation: postgresql: enabled: false +# Service Template subchart configuration +# When enabled, deploys the service-template service as a subchart +# Routing is handled by parent chart via /servicetemplate subpath +service-template: + enabled: false + + image: + repository: ghcr.io/openhands/service-template + # tag: set via helm args or override + + imagePullSecrets: [] + + deployment: + replicas: 1 + resources: + requests: + memory: 256Mi + cpu: 100m + limits: + memory: 512Mi + cpu: 500m + + securityContext: + runAsUser: 42420 + runAsGroup: 42420 + runAsNonRoot: true + + serviceAccount: + create: true + name: service-template-sa + annotations: {} + + probes: + startup: + failureThreshold: 30 + periodSeconds: 10 + liveness: + initialDelaySeconds: 10 + periodSeconds: 30 + failureThreshold: 3 + readiness: + initialDelaySeconds: 5 + periodSeconds: 10 + failureThreshold: 3 + + # Service configuration + service: + baseUrl: "" + corsOrigins: "" + + # Authentication API URL for validating credentials + authApiBaseUrl: "" + + # PostgreSQL database configuration + database: + host: "" + port: "5432" + user: "service_template_user" + name: "service_template" + secretName: "service-template-db-secret" + secretKey: "db-password" + existingSecret: false + createDatabaseUser: false + superuserSecretName: "postgres-password" + superuserSecretKey: "password" + + # GCP Cloud SQL (leave empty for non-GCP) + gcp: + dbInstance: "" + project: "" + region: "" + + # Datadog configuration + datadog: + enabled: false + env: "dev" + serviceName: "service-template" + + # Env vars passed directly to the container + env: {} + + # PostgreSQL subchart - disabled when using parent's PostgreSQL + postgresql: + enabled: false + replicated: enabled: false 
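Review bot: The header comment of the new `service-template:` block says routing goes through the `/servicetemplate` subpath, but templates/ingress-service-template.yaml added in this commit routes `/api/service-template` and `/service-template`. Anyone deriving `service.baseUrl`, `corsOrigins` or a path-based policy from the comment would target a path the Ingress never serves. Change the line to `# Routing is handled by the parent chart's Ingress on /service-template and /api/service-template`.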
@@ -870,6 +957,12 @@ global: # This allows using the bitnamilegacy image repo. # See: https://github.com/bitnami/containers/issues/83267 allowInsecureImages: true + # Ingress configuration shared with subcharts (for service-template auth URL) + # These should match the parent chart's ingress config + ingress: + host: "" # Set to ingress.host value (e.g., "app.all-hands.dev") + prefixWithBranch: false # Set to ingress.prefixWithBranch value + branchSanitized: "" # Set to branchSanitized value for feature envs vertexAI: enabled: false diff --git a/charts/service-template/Chart.lock b/charts/service-template/Chart.lock new file mode 100644 index 00000000..752f3f24 --- /dev/null +++ b/charts/service-template/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: postgresql + repository: https://charts.bitnami.com/bitnami + version: 15.5.38 +digest: sha256:f67c7612736803ece8a669f8ca6b0555f3b78557bc0ecb732aa2e43f0df7750d +generated: "2026-04-30T01:23:10.470395587Z" diff --git a/charts/service-template/Chart.yaml b/charts/service-template/Chart.yaml new file mode 100644 index 00000000..edaf7d47 --- /dev/null +++ b/charts/service-template/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: service-template +description: Template for FastAPI microservices with PostgreSQL backend +type: application +version: 0.1.2 +appVersion: "0.1.0" +dependencies: + - name: postgresql + version: 15.x.x + repository: https://charts.bitnami.com/bitnami + condition: postgresql.enabled diff --git a/charts/service-template/templates/_env.yaml b/charts/service-template/templates/_env.yaml new file mode 100644 index 00000000..958b6ee4 --- /dev/null +++ b/charts/service-template/templates/_env.yaml 
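Review bot: The `global.ingress` values added in the `@@ -870,6 +957,12 @@` hunk duplicate `ingress.host`, `ingress.prefixWithBranch` and `branchSanitized`, and nothing keeps the copies in sync. The parent Ingress template reads the originals, while charts/service-template/templates/_env.yaml builds `SERVICE_AUTH_API_BASE_URL` from the `global` copies, so a drift makes the service validate credentials against a different host than the one it is served on. The subchart reads `.Values.global.branchSanitized`, not `.Values.global.ingress.branchSanitized`; indentation is not recoverable on this page, so confirm that key sits directly under `global`. I would also tighten the comment to `# Must equal ingress.host; service-template derives its auth API URL from it`.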
@@ -0,0 +1,106 @@ +{{- define "service-template.env.defaults" }} +# Service configuration +{{- if .Values.service.baseUrl }} +- name: SERVICE_BASE_URL + value: {{ .Values.service.baseUrl | quote }} +{{- end }} +{{- if .Values.service.corsOrigins }} +- name: SERVICE_CORS_ORIGINS + value: {{ .Values.service.corsOrigins | quote }} +{{- end }} +# Authentication API URL +# Use explicit value if set, otherwise derive from global ingress config +{{- if .Values.authApiBaseUrl }} +- name: SERVICE_AUTH_API_BASE_URL + value: {{ .Values.authApiBaseUrl | quote }} +{{- else if .Values.global }} +{{- if .Values.global.ingress }} +{{- if .Values.global.ingress.host }} +{{- $host := .Values.global.ingress.host }} +{{- if and .Values.global.ingress.prefixWithBranch .Values.global.branchSanitized }} +{{- $host = printf "%s.%s" .Values.global.branchSanitized .Values.global.ingress.host }} +{{- end }} +- name: SERVICE_AUTH_API_BASE_URL + value: {{ printf "https://%s" $host | quote }} +{{- end }} +{{- end }} +{{- end }} +# PostgreSQL database configuration +- name: SERVICE_DB_HOST + value: {{ .Values.database.host | quote }} +- name: SERVICE_DB_PORT + value: {{ .Values.database.port | quote }} +- name: SERVICE_DB_USER + value: {{ .Values.database.user | quote }} +- name: SERVICE_DB_NAME + value: {{ .Values.database.name | quote }} +- name: SERVICE_DB_PASS + valueFrom: + secretKeyRef: + name: {{ .Values.database.secretName }} + key: {{ .Values.database.secretKey }} +{{- if .Values.gcp.dbInstance }} +- name: SERVICE_GCP_DB_INSTANCE + value: {{ .Values.gcp.dbInstance | quote }} +- name: SERVICE_GCP_PROJECT + value: {{ .Values.gcp.project | quote }} +- name: SERVICE_GCP_REGION + value: {{ .Values.gcp.region | quote }} +{{- end }} +{{- if .Values.datadog.enabled }} +# Datadog configuration +- name: DD_AGENT_HOST + value: "datadog-agent.all-hands-system.svc.cluster.local" +- name: DD_TRACE_AGENT_PORT + value: "8126" +- name: DD_SERVICE + value: {{ .Values.datadog.serviceName | quote }} +- 
name: DD_ENV + value: {{ .Values.datadog.env | quote }} +- name: DD_TRACE_ENABLED + value: "true" +{{- end }} +{{- end }} + +{{/* + service-template.env — Deduplicated environment variable list. + + This wrapper renders the default env vars from "service-template.env.defaults", + then removes any entries whose name conflicts with a key in .Values.env, + and finally appends the .Values.env overrides. The result is a clean list + with no duplicate names, which prevents: + - Helm warnings about duplicate env vars + - Strategic Merge Patch conflicts during helm upgrade + ("The order in patch list doesn't match $setElementOrder list") + + How it works: + 1. Render "service-template.env.defaults" via include (evaluates all conditionals) + 2. Parse the rendered YAML list into Go objects with fromYamlArray + 3. Filter out any default entries whose name appears in .Values.env + 4. Append .Values.env entries (user overrides always win) + 5. Re-render the deduplicated list with toYaml +*/}} +{{- define "service-template.env" }} +{{- $defaults := include "service-template.env.defaults" . | fromYamlArray }} +{{- /* Build a lookup dict of override keys for O(1) membership checks */}} +{{- $overrideKeys := dict }} +{{- if .Values.env }} +{{- range $key, $_ := .Values.env }} +{{- $_ := set $overrideKeys $key true }} +{{- end }} +{{- end }} +{{- /* Keep only default entries that are NOT overridden by .Values.env */}} +{{- $filtered := list }} +{{- range $entry := $defaults }} +{{- if not (hasKey $overrideKeys (get $entry "name")) }} +{{- $filtered = append $filtered $entry }} +{{- end }} +{{- end }} +{{- /* Append user overrides from .Values.env (these take precedence) */}} +{{- if .Values.env }} +{{- range $key, $value := .Values.env }} +{{- $filtered = append $filtered (dict "name" $key "value" ($value | toString)) }} +{{- end }} +{{- end }} +{{- $filtered | toYaml }} +{{- end }} 
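Review bot: `SERVICE_AUTH_API_BASE_URL` is silently left out of `service-template.env.defaults` when `authApiBaseUrl` is empty and `global.ingress.host` is unset, which is the state of this chart's own default values. How the service behaves without an auth URL is not visible here, but a chart that the parent exposes through an Ingress should fail at render time rather than deploy in that state. Compute the URL into a variable first and emit it with `value: {{ required "set authApiBaseUrl or global.ingress.host" $authUrl | quote }}`. The doc comment on `service-template.env` should also say that a key in `.Values.env` replaces the matching default entirely, including the `secretKeyRef` for `SERVICE_DB_PASS`, with a literal `value`.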
diff --git a/charts/service-template/templates/deployment.yaml b/charts/service-template/templates/deployment.yaml new file mode 100644 index 00000000..a6daf1a5 --- /dev/null +++ b/charts/service-template/templates/deployment.yaml 
@@ -0,0 +1,146 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: service-template + labels: + app: service-template +spec: + replicas: {{ .Values.deployment.replicas }} + selector: + matchLabels: + app: service-template + template: + metadata: + labels: + app: service-template + spec: + serviceAccountName: {{ .Values.serviceAccount.name }} + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + initContainers: + {{- if and .Values.database.createDatabaseUser (not .Values.gcp.dbInstance) }} + # Create database and user in PostgreSQL (non-GCP only) + # For GCP Cloud SQL, database and user are created via Terraform in the infra repo + - name: create-db-user + image: postgres:14 + env: + - name: PGPASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.superuserSecretName }} + key: {{ .Values.database.superuserSecretKey }} + - name: DB_HOST + value: {{ .Values.database.host | quote }} + - name: DB_PORT + value: {{ .Values.database.port | quote }} + - name: DB_NAME + value: {{ .Values.database.name | quote }} + - name: DB_USER + value: {{ .Values.database.user | quote }} + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.secretName }} + key: {{ .Values.database.secretKey }} + command: + - sh + - -c + - | + echo "Waiting for PostgreSQL at $DB_HOST to be ready..." + for i in $(seq 1 60); do + # Try connecting and capture any error + if psql -h $DB_HOST -p $DB_PORT -U postgres -d postgres -c "SELECT 1;" 2>&1; then + echo "PostgreSQL is up!" + + echo "Creating the database $DB_NAME if it doesn't exist..." + psql -h $DB_HOST -p $DB_PORT -U postgres -d postgres -tc "SELECT 1 FROM pg_database WHERE datname='$DB_NAME'" | grep -q 1 || \ + psql -h $DB_HOST -p $DB_PORT -U postgres -d postgres -c "CREATE DATABASE $DB_NAME;" + + echo "Creating the user $DB_USER if it doesn't exist..." 
+ psql -h $DB_HOST -p $DB_PORT -U postgres -d $DB_NAME -tc "SELECT 1 FROM pg_roles WHERE rolname='$DB_USER'" | grep -q 1 || \ + (psql -h $DB_HOST -p $DB_PORT -U postgres -d $DB_NAME -c "CREATE USER $DB_USER WITH PASSWORD '$DB_PASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $DB_NAME TO $DB_USER; GRANT USAGE ON SCHEMA public TO $DB_USER; GRANT CREATE ON SCHEMA public TO $DB_USER; ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO $DB_USER;") + + echo "Database and user creation complete." + exit 0 + fi + echo "Waiting for PostgreSQL... ($i/60)" + sleep 5 + done + echo "PostgreSQL did not become available in time." + exit 1 + {{- else if .Values.postgresql.enabled }} + # Wait for the service's own PostgreSQL subchart to be ready + - name: wait-for-postgres + image: bitnamilegacy/postgresql:latest + command: ['sh', '-c'] + args: + - | + DB_HOST="{{ .Values.database.host }}" + echo "Waiting for PostgreSQL at $DB_HOST to be ready..." + until PGPASSWORD=$SERVICE_DB_PASS psql -h $DB_HOST -p {{ .Values.database.port }} -U {{ .Values.database.user }} -c '\q' > /dev/null 2>&1; do + echo "PostgreSQL is unavailable - sleeping for 2 seconds" + sleep 2 + done + echo "PostgreSQL is up and running!" + env: + {{- include "service-template.env" . | nindent 8 }} + {{- end }} + - name: migrate + image: '{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}' + command: ["alembic", "upgrade", "head"] + env: + {{- include "service-template.env" . 
| nindent 8 }} + containers: + - name: service-template + imagePullPolicy: Always + image: '{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}' + {{- if .Values.datadog.enabled }} + command: ["ddtrace-run"] + args: + - "uvicorn" + - "service.app:app" + - "--host" + - "0.0.0.0" + - "--port" + - "8000" + {{- else }} + args: + - "uvicorn" + - "service.app:app" + - "--host" + - "0.0.0.0" + - "--port" + - "8000" + {{- end }} + ports: + - containerPort: 8000 + resources: + {{- toYaml .Values.deployment.resources | nindent 12 }} + startupProbe: + httpGet: + path: /health + port: 8000 + failureThreshold: {{ .Values.probes.startup.failureThreshold }} + periodSeconds: {{ .Values.probes.startup.periodSeconds }} + livenessProbe: + httpGet: + path: /health + port: 8000 + initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.probes.liveness.periodSeconds }} + failureThreshold: {{ .Values.probes.liveness.failureThreshold }} + readinessProbe: + httpGet: + path: /ready + port: 8000 + initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.probes.readiness.periodSeconds }} + failureThreshold: {{ .Values.probes.readiness.failureThreshold }} + env: + {{- include "service-template.env" . | nindent 8 }} diff --git a/charts/service-template/templates/service-account.yaml b/charts/service-template/templates/service-account.yaml new file mode 100644 index 00000000..4b44c769 --- /dev/null +++ b/charts/service-template/templates/service-account.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.name }} + labels: + app: service-template + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} 
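Review bot: The `create-db-user` init container in deployment.yaml builds its SQL by expanding `$DB_NAME`, `$DB_USER` and `$DB_PASSWORD` inside `psql -c "…"` strings while connected as the `postgres` superuser. A password containing a single quote breaks `CREATE USER … PASSWORD '$DB_PASSWORD'`, any of the three values can change the statement that runs, and the password ends up on the psql command line. Feed the statements on stdin and pass the values as psql variables (`-v db_user="$DB_USER" -v db_pass="$DB_PASSWORD"`, referenced as `:"db_user"` and `:'db_pass'`), because psql does not interpolate variables in `-c` strings, and quote the shell expansions, e.g. `-h "$DB_HOST"`. `GRANT ALL PRIVILEGES ON DATABASE` is also broader than the schema-level grants that follow it and is worth dropping if the service only needs its own schema objects.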
diff --git a/charts/service-template/templates/service.yaml b/charts/service-template/templates/service.yaml new file mode 100644 index 00000000..de075b6c --- /dev/null +++ b/charts/service-template/templates/service.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + name: service-template + labels: + app: service-template +spec: + ports: + - port: 80 + targetPort: 8000 + protocol: TCP + name: http + selector: + app: service-template diff --git a/charts/service-template/values.yaml b/charts/service-template/values.yaml new file mode 100644 index 00000000..47ae151e --- /dev/null +++ b/charts/service-template/values.yaml 
@@ -0,0 +1,117 @@ +image: + repository: ghcr.io/openhands/service-template + tag: latest + +imagePullSecrets: [] + +deployment: + replicas: 1 + resources: + requests: + memory: 256Mi + cpu: 100m + limits: + memory: 512Mi + cpu: 500m + +securityContext: + runAsUser: 42420 + runAsGroup: 42420 + runAsNonRoot: true + +serviceAccount: + create: true + name: service-template-sa + annotations: {} + +probes: + startup: + failureThreshold: 30 + periodSeconds: 10 + liveness: + initialDelaySeconds: 10 + periodSeconds: 30 + failureThreshold: 3 + readiness: + initialDelaySeconds: 5 + periodSeconds: 10 + failureThreshold: 3 + +# Service configuration +service: + # Public base URL where this service is reachable + # Example: https://api.example.com or https://domain/myservice + baseUrl: "" + # CORS origins (comma-separated list) + corsOrigins: "" + +# Authentication API URL for validating credentials +authApiBaseUrl: "" + +# PostgreSQL database configuration +database: + # Full hostname of the PostgreSQL server + # Examples: + # - Cloud SQL: "my-project:us-central1:my-instance" + # - In-cluster: "service-template-postgresql" + # - Feature env: "service-template-feature-branch-postgresql" + host: "" + port: "5432" + user: "service_user" + name: "service" + # Secret containing the database password + secretName: "service-template-db-secret" + secretKey: "db-password" + # Use an existing secret instead of auto-generating one + # When true, the chart will not create the db secret + existingSecret: false + # Create database and user in an existing PostgreSQL instance (non-GCP only) + # When true, runs an init container to create the database and user + # Useful when sharing a PostgreSQL instance with other services + # NOTE: For GCP Cloud SQL, database and user are created via Terraform in the infra repo + # This setting is ignored when gcp.dbInstance is set + createDatabaseUser: false + # Secret containing the postgres superuser password (for creating the service user) + # Only used 
when createDatabaseUser=true and gcp.dbInstance is not set + superuserSecretName: "postgres-password" + superuserSecretKey: "password" + +# GCP Cloud SQL (leave empty for non-GCP) +# When gcp.dbInstance is set, the database and user must be pre-created via Terraform +gcp: + dbInstance: "" + project: "" + region: "" + +# Datadog configuration +datadog: + enabled: false + env: "dev" + serviceName: "service-template" + +# Env vars passed directly to the container +env: {} + +# PostgreSQL subchart configuration (for ephemeral/feature environments) +# When enabled, deploys an in-cluster PostgreSQL instance +# Service name will be "{release-name}-postgresql", secret name also "{release-name}-postgresql" +postgresql: + enabled: false + auth: + username: postgres + database: service + primary: + persistence: + enabled: false + initdb: + scriptsConfigMap: "" + service: + ports: + postgresql: 5432 + image: + repository: bitnamilegacy/postgresql + +global: + security: + # This allows using the bitnamilegacy image repo + allowInsecureImages: true
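Review bot: `image.tag` defaults to `latest` in charts/service-template/values.yaml, and deployment.yaml in this commit pairs it with `imagePullPolicy: Always`, `image: postgres:14` and `image: bitnamilegacy/postgresql:latest`. Every pod start, including the `migrate` init container that runs `alembic upgrade head` against the database, can therefore pull code that differs from what was reviewed. The template already falls back with `.Values.image.tag | default .Chart.AppVersion`, so setting `tag: ""` pins the image to the chart's `appVersion`, and the two init-container images are better pinned to a specific version or digest. `global.security.allowInsecureImages: true` would also benefit from a comment naming what it relaxes, such as `# Skips the Bitnami chart's image verification so bitnamilegacy/postgresql is accepted`.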