All-Hands-AI · chuckbutkus · Apr 30, 2026 · Apr 30, 2026 · Apr 30, 2026 · Apr 30, 2026
diff --git a/.github/workflows/preview-helm-charts.yml b/.github/workflows/preview-helm-charts.yml
@@ -19,6 +19,7 @@ jobs:
       image-loader: ${{ steps.changes.outputs.image-loader }}
       automation: ${{ steps.changes.outputs.automation }}
       plugin-directory: ${{ steps.changes.outputs.plugin-directory }}
+      service-template: ${{ steps.changes.outputs.service-template }}
       openhands: ${{ steps.changes.outputs.openhands }}
       openhands-secrets: ${{ steps.changes.outputs.openhands-secrets }}
     steps:
@@ -39,7 +40,7 @@ jobs:
           echo "$CHANGED_FILES"
 
           # Check each chart for changes
-          for chart in crd-check runtime-api image-loader automation plugin-directory openhands openhands-secrets; do
+          for chart in crd-check runtime-api image-loader automation plugin-directory service-template openhands openhands-secrets; do
             if echo "$CHANGED_FILES" | grep -q "^charts/${chart}/"; then
               echo "${chart}=true" >> $GITHUB_OUTPUT
               echo "Changes detected in charts/${chart}"
@@ -73,6 +74,8 @@ jobs:
             path: charts/runtime-api
           - name: image-loader
             path: charts/image-loader
+          - name: service-template
+            path: charts/service-template
           - name: openhands
             path: charts/openhands
           - name: openhands-secrets
@@ -88,13 +91,15 @@ jobs:
           HAS_CHANGES_IMAGE_LOADER: ${{ needs.detect-changes.outputs.image-loader }}
           HAS_CHANGES_AUTOMATION: ${{ needs.detect-changes.outputs.automation }}
           HAS_CHANGES_PLUGIN_DIRECTORY: ${{ needs.detect-changes.outputs.plugin-directory }}
+          HAS_CHANGES_SERVICE_TEMPLATE: ${{ needs.detect-changes.outputs.service-template }}
           HAS_CHANGES_OPENHANDS: ${{ needs.detect-changes.outputs.openhands }}
           HAS_CHANGES_OPENHANDS_SECRETS: ${{ needs.detect-changes.outputs.openhands-secrets }}
           IS_PUBLISHABLE_CRD_CHECK: ${{ needs.validate-chart-versions.outputs.crd-check-publishable }}
           IS_PUBLISHABLE_RUNTIME_API: ${{ needs.validate-chart-versions.outputs.runtime-api-publishable }}
           IS_PUBLISHABLE_IMAGE_LOADER: ${{ needs.validate-chart-versions.outputs.image-loader-publishable }}
           IS_PUBLISHABLE_AUTOMATION: ${{ needs.validate-chart-versions.outputs.automation-publishable }}
           IS_PUBLISHABLE_PLUGIN_DIRECTORY: ${{ needs.validate-chart-versions.outputs.plugin-directory-publishable }}
+          IS_PUBLISHABLE_SERVICE_TEMPLATE: ${{ needs.validate-chart-versions.outputs.service-template-publishable }}
           IS_PUBLISHABLE_OPENHANDS: ${{ needs.validate-chart-versions.outputs.openhands-publishable }}
           IS_PUBLISHABLE_OPENHANDS_SECRETS: ${{ needs.validate-chart-versions.outputs.openhands-secrets-publishable }}
         run: |
@@ -120,6 +125,10 @@ jobs:
               HAS_CHANGES="$HAS_CHANGES_PLUGIN_DIRECTORY"
               IS_PUBLISHABLE="$IS_PUBLISHABLE_PLUGIN_DIRECTORY"
               ;;
+            service-template)
+              HAS_CHANGES="$HAS_CHANGES_SERVICE_TEMPLATE"
+              IS_PUBLISHABLE="$IS_PUBLISHABLE_SERVICE_TEMPLATE"
+              ;;
             openhands)
               HAS_CHANGES="$HAS_CHANGES_OPENHANDS"
               IS_PUBLISHABLE="$IS_PUBLISHABLE_OPENHANDS"
@@ -279,6 +288,8 @@ jobs:
             path: charts/automation
           - name: plugin-directory
             path: charts/plugin-directory
+          - name: service-template
+            path: charts/service-template
           - name: openhands
             path: charts/openhands
           - name: openhands-secrets

diff --git a/.github/workflows/publish-helm-charts.yml b/.github/workflows/publish-helm-charts.yml
@@ -39,6 +39,8 @@ jobs:
             path: charts/automation
           - name: plugin-directory
             path: charts/plugin-directory
+          - name: service-template
+            path: charts/service-template
           - name: openhands
             path: charts/openhands
           - name: openhands-secrets

diff --git a/.github/workflows/validate-chart-versions.yml b/.github/workflows/validate-chart-versions.yml
@@ -35,6 +35,9 @@ on:
       openhands-secrets-publishable:
         description: 'Whether openhands-secrets chart is publishable (no changes or version bumped)'
         value: ${{ jobs.validate-chart-versions.outputs.openhands-secrets-publishable }}
+      service-template-publishable:
+        description: 'Whether service-template chart is publishable (no changes or version bumped)'
+        value: ${{ jobs.validate-chart-versions.outputs.service-template-publishable }}
 
 jobs:
   validate-chart-versions:
@@ -49,6 +52,7 @@ jobs:
       plugin-directory-publishable: ${{ steps.validate.outputs.plugin-directory-publishable }}
       openhands-publishable: ${{ steps.validate.outputs.openhands-publishable }}
       openhands-secrets-publishable: ${{ steps.validate.outputs.openhands-secrets-publishable }}
+      service-template-publishable: ${{ steps.validate.outputs.service-template-publishable }}
 
     steps:
       - name: Checkout

diff --git a/charts/openhands/Chart.yaml b/charts/openhands/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 description: OpenHands is an AI-driven autonomous software engineer
 name: openhands
 appVersion: cloud-1.25.1
-version: 0.7.6
+version: 0.7.5
 maintainers:
   - name: rbren
   - name: xingyao
@@ -44,6 +44,10 @@ dependencies:
     repository: oci://ghcr.io/all-hands-ai/helm-charts
     version: 0.1.5
     condition: automation.enabled
+  - name: service-template
+    repository: oci://ghcr.io/all-hands-ai/helm-charts
+    version: 0.1.2-alpha.595
+    condition: service-template.enabled
   - name: crd-check
     repository: oci://ghcr.io/all-hands-ai/helm-charts
     version: 0.1.0

diff --git a/charts/openhands/templates/_env.yaml b/charts/openhands/templates/_env.yaml
@@ -160,13 +160,15 @@
     secretKeyRef:
       name: github-app
       key: client-secret
+{{- if .Values.github.appSlugEnabled }}
 - name: GITHUB_APP_SLUG
   valueFrom:
     secretKeyRef:
       name: github-app
       key: app-slug
       optional: true
 {{- end }}
+{{- end }}
 {{- if .Values.gitlab.enabled }}
 - name: GITLAB_APP_CLIENT_ID
   valueFrom:

diff --git a/charts/openhands/templates/ingress-service-template.yaml b/charts/openhands/templates/ingress-service-template.yaml
@@ -0,0 +1,46 @@
+{{- if and .Values.ingress.enabled (index .Values "service-template" "enabled") }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openhands-service-template-ingress
+  annotations:
+    {{- if .Values.ingress.root.annotations }}
+    {{ .Values.ingress.root.annotations | toYaml | nindent 4 }}
+    {{- else }}
+    {{ .Values.ingress.annotations | toYaml | nindent 4 }}
+    {{- end }}
+spec:
+  ingressClassName: {{ .Values.ingress.class }}
+  {{- if .Values.tls.enabled }}
+  tls:
+  - hosts:
+    {{- if .Values.ingress.prefixWithBranch }}
+    - {{ .Values.branchSanitized }}.{{ .Values.ingress.host }}
+    {{- else }}
+    - {{ .Values.ingress.host }}
+    {{- end }}
+    secretName: app-all-hands-{{ .Values.tls.env }}-tls
+  {{- end }}
+  rules:
+  {{- if .Values.ingress.prefixWithBranch }}
+  - host: {{ .Values.branchSanitized }}.{{ .Values.ingress.host }}
+  {{- else }}
+  - host: {{ .Values.ingress.host }}
+  {{- end }}
+    http:
+      paths:
+      - path: /api/service-template
+        pathType: Prefix
+        backend:
+          service:
+            name: service-template
+            port:
+              number: 80
+      - path: /service-template
+        pathType: Prefix
+        backend:
+          service:
+            name: service-template
+            port:
+              number: 80
+{{- end }}
diff --git a/charts/openhands/values.yaml b/charts/openhands/values.yaml
@@ -62,6 +62,8 @@ filestore:
 
 github:
   enabled: false
+  # Set to true if you have configured github_app_slug in the github-app Secret
+  appSlugEnabled: false
 
 enrichUserInteractionData:
   enabled: false
@@ -862,6 +864,91 @@ automation:
   postgresql:
     enabled: false
 
+# Service Template subchart configuration
+# When enabled, deploys the service-template service as a subchart
+# Routing is handled by parent chart via /servicetemplate subpath
+service-template:
+  enabled: false
+
+  image:
+    repository: ghcr.io/openhands/service-template
+    # tag: set via helm args or override
+
+  imagePullSecrets: []
+
+  deployment:
+    replicas: 1
+    resources:
+      requests:
+        memory: 256Mi
+        cpu: 100m
+      limits:
+        memory: 512Mi
+        cpu: 500m
+
+  securityContext:
+    runAsUser: 42420
+    runAsGroup: 42420
+    runAsNonRoot: true
+
+  serviceAccount:
+    create: true
+    name: service-template-sa
+    annotations: {}
+
+  probes:
+    startup:
+      failureThreshold: 30
+      periodSeconds: 10
+    liveness:
+      initialDelaySeconds: 10
+      periodSeconds: 30
+      failureThreshold: 3
+    readiness:
+      initialDelaySeconds: 5
+      periodSeconds: 10
+      failureThreshold: 3
+
+  # Service configuration
+  service:
+    baseUrl: ""
+    corsOrigins: ""
+
+  # Authentication API URL for validating credentials
+  authApiBaseUrl: ""
+
+  # PostgreSQL database configuration
+  database:
+    host: ""
+    port: "5432"
+    user: "service_template_user"
+    name: "service_template"
+    secretName: "service-template-db-secret"
+    secretKey: "db-password"
+    existingSecret: false
+    createDatabaseUser: false
+    superuserSecretName: "postgres-password"
+    superuserSecretKey: "password"
+
+  # GCP Cloud SQL (leave empty for non-GCP)
+  gcp:
+    dbInstance: ""
+    project: ""
+    region: ""
+
+  # Datadog configuration
+  datadog:
+    enabled: false
+    env: "dev"
+    serviceName: "service-template"
+
+  # Env vars passed directly to the container
+  env: {}
+
+  # PostgreSQL subchart - disabled when using parent's PostgreSQL
+  postgresql:
+    enabled: false
+
 replicated:
   enabled: false
 
@@ -870,6 +957,12 @@ global:
     # This allows using the bitnamilegacy image repo.
     # See: https://github.com/bitnami/containers/issues/83267
     allowInsecureImages: true
+  # Ingress configuration shared with subcharts (for service-template auth URL)
+  # These should match the parent chart's ingress config
+  ingress:
+    host: ""  # Set to ingress.host value (e.g., "app.all-hands.dev")
+    prefixWithBranch: false  # Set to ingress.prefixWithBranch value
+  branchSanitized: ""  # Set to branchSanitized value for feature envs
 
 vertexAI:
   enabled: false

diff --git a/charts/service-template/Chart.lock b/charts/service-template/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: postgresql
+  repository: https://charts.bitnami.com/bitnami
+  version: 15.5.38
+digest: sha256:f67c7612736803ece8a669f8ca6b0555f3b78557bc0ecb732aa2e43f0df7750d
+generated: "2026-04-30T01:23:10.470395587Z"
diff --git a/charts/service-template/Chart.yaml b/charts/service-template/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+name: service-template
+description: Template for FastAPI microservices with PostgreSQL backend
+type: application
+version: 0.1.2
+appVersion: "0.1.0"
+dependencies:
+  - name: postgresql
+    version: 15.x.x
+    repository: https://charts.bitnami.com/bitnami
+    condition: postgresql.enabled