Adding a Helm Chart to Agent Registry #245
Pull request overview
This PR introduces a brand-new, production-grade Helm chart for deploying the Agent Registry application on Kubernetes (addressing issue #242). The chart follows Bitnami-style conventions and bundles a PostgreSQL/pgvector deployment alongside the main application, with strong defaults for security, observability, and operations.
Changes:
- New Helm chart at charts/agentregistry/ with full Kubernetes resource templates (Deployment, Service, Ingress, ConfigMap, Secrets, RBAC, HPA, PDB, NetworkPolicy, ServiceAccount, PostgreSQL sub-deployment)
- Default values covering all configurable parameters including resource presets, security contexts, affinity presets, probes, and external database support
- Template helpers (_helpers.tpl) providing reusable logic for image resolution, secret generation, affinity building, resource presets, and validation warnings
Reviewed changes
Copilot reviewed 18 out of 18 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| charts/agentregistry/Chart.yaml | Chart metadata, versioning, ArtifactHub annotations |
| charts/agentregistry/.helmignore | Packaging exclusions for CI, IDE, VCS artifacts |
| charts/agentregistry/values.yaml | All default configuration values for the chart |
| charts/agentregistry/templates/_helpers.tpl | Reusable template helpers (naming, images, secrets, affinity, resources, validation) |
| charts/agentregistry/templates/deployment.yaml | Main application Deployment with init container, probes, security contexts |
| charts/agentregistry/templates/configmap.yaml | ConfigMap with application environment variable settings |
| charts/agentregistry/templates/secrets.yaml | Auto-generating credential Secret and kubeconfig Secret |
| charts/agentregistry/templates/postgresql.yaml | Bundled PostgreSQL PVC, Deployment, and Service |
| charts/agentregistry/templates/rbac.yaml | ClusterRole and ClusterRoleBinding (or cluster-admin binding) |
| charts/agentregistry/templates/service.yaml | HTTP and gRPC Service with NodePort/LoadBalancer support |
| charts/agentregistry/templates/serviceaccount.yaml | ServiceAccount resource |
| charts/agentregistry/templates/ingress.yaml | Optional Ingress with TLS and extra host support |
| charts/agentregistry/templates/networkpolicy.yaml | Optional NetworkPolicy with granular ingress/egress rules |
| charts/agentregistry/templates/hpa.yaml | Optional HorizontalPodAutoscaler |
| charts/agentregistry/templates/pdb.yaml | Optional PodDisruptionBudget |
| charts/agentregistry/templates/extra-list.yaml | Pass-through rendering of extraDeploy objects |
| charts/agentregistry/templates/NOTES.txt | Post-install instructions with port-forward commands and validation warnings |
| charts/agentregistry/templates/tests/test-connection.yaml | Helm test Pod that verifies HTTP connectivity to /docs |
Co-authored-by: Copilot <[email protected]>
…ding. The existingSecret being ignored through prioritizing and verifying the existence. Added note and also allowExternalEgress with a comment.
timflannagan
left a comment
A quick review. Overall, very much appreciate the contribution. A couple of things: I'm wondering whether we should start "simpler" here and iterate on the chart over time? My main concern is having to maintain a chart that bloats in the long term.
Posted a couple of inline questions/comments. The next step would be onboarding this chart more throughout the repository, e.g. the "run" Makefile target can deploy it, and CI is able to test in a k8s environment. Just providing more context, not signing you up for more work 😆.
charts/agentregistry/values.yaml
Outdated
| verbs: ["get", "list", "watch"] | ||
|
|
||
| ## @section Ingress | ||
| ingress: |
My preference would be removing this section entirely and the ingress.yaml manifest.
Sure. Removed.
| ## Agent Registry manages MCP servers, agents, deployments, and supporting resources across namespaces, | ||
| ## so cluster-scoped RBAC is the default. Set to false to restrict permissions to the release namespace only | ||
| ## (suitable for single-namespace or multi-tenant deployments, but cross-namespace operations will fail). | ||
| clusterScoped: true |
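Review bot: On the `clusterScoped: true` line, cluster-scoped RBAC is the default, so an install that accepts the defaults receives cluster-wide permissions even when only the release namespace is needed. Consider defaulting to `false` and making cross-namespace access an explicit opt-in, and confirm that the RBAC template actually branches on this value so the documented namespace-only mode renders a Role and RoleBinding instead of a ClusterRole and ClusterRoleBinding.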
This looks like it's documented but ignored by the template?
It was fixed in 8184a2d. I am not sure why it is still there.
charts/agentregistry/values.yaml
Outdated
| extraEgress: [] | ||
|
|
||
| ## @section Pod Disruption Budget | ||
| pdb: |
For PDB/HPA, I'd almost lean towards ripping this out until we formalize the operational story here.
Understood. Removed too.
charts/agentregistry/values.yaml
Outdated
| targetMemory: "" | ||
|
|
||
| ## @section PostgreSQL sub-deployment (bundled) | ||
| postgresql: |
Alternatively, we consolidate the postgresql/externalDatabase sections into a top-level database section?
Great catch. Consolidated under a database section in values.yaml; it has a bundled and an external with basic parameters.
charts/agentregistry/values.yaml
Outdated
| ## @section Global parameters | ||
| ## @param global.imageRegistry Global container image registry override | ||
| ## @param global.imagePullSecrets Global Docker registry secret names | ||
| ## @param global.storageClass Global StorageClass for PersistentVolumeClaims |
How were these section/param markers generated? Via helm init? We've used the https://github.com/norwoodj/helm-docs tool in the past for generating documentation.
Good point. I have changed the values.yaml to be compatible with helm-docs so it can produce the documentation. I have not used it before. It seems it needs a README.md.gotmpl, so I am adding it as well. Addressed in this commit 64e9513. Thank you for letting me know about this.
It's been a while since I've looked into helm tests. Is this enforced anywhere? e.g. helm test?
No, it is not enforced. In this new commit I have added tests in a folder which can be executed through helm-unittest. As far as I understand this can be run in a CI. Would you like me to add a first approach for a GH workflow?
thanks for your PR! Since we have the tests defined, could you add them to the CI?
Sure. Included in a new commit.
Glossed over these questions in the PR description. I'll just inline my 2c.
What's license in this context? There's no need to hook up a license key to use this project.
I think hosting on ghcr.io is the easiest here. Same with having the helm chart follow the same release cadence as the app.
Less familiar with their guidance here. I've historically just used helm init to scaffold out charts. Is there any commentary on their best practices? https://techdocs.broadcom.com/us/en/vmware-tanzu/bitnami-secure-images/bitnami-secure-images/services/bsi-doc/apps-tutorials-best-practices-hardening-charts-index.html?
…ng the Helm Chart
…Added the README.md.gotmpl as well.
Understood.
Awesome!
Thanks for asking. Nothing specific. Not all of them apply to this chart. As I have been using their charts and I like how they maintain them I thought it would be a good idea to have them as a reference. Is there anything you would like me to address specifically? I have added a few more commits to address your comments and suggestions. Again, thank you very much for taking the time to review this chart, I appreciate your comments and questions.
| # -- PostgreSQL image repository (pgvector/pgvector) | ||
| repository: pgvector/pgvector | ||
| # -- PostgreSQL image tag — MUST use immutable tags (not `pg17` or `latest`) | ||
| tag: "0.8.2-pg17" |
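Review bot: The comment above the `tag` line requires an immutable tag, but `0.8.2-pg17` is still a tag, and a registry allows any tag to be re-pushed with different content. If immutability is the goal, let the image reference be pinned by digest (`repository@sha256:...`) and state in the comment that only a digest guarantees the same image on every pull.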
can we default to pgvector/pgvector:pg16 for now as that's what we use for docker setup too.
Sure. Included it in a new commit. I see the PR was merged.
thanks again for this! is it possible to add a target to Makefile that would build the images it needs and then run the helm install? this makes it much easier for development too
55ae7c9
# Description

We are testing and exploring Agent Registry and we have realized that deploying it to Kubernetes is easier using a Helm Chart. We could not find one, and that is why we built it.

This will be my first contribution to the project, please bear with me, as adding a license is needed, following the project's guidelines as well, etc. I would say this is a bare bones Helm Chart. I am completely aware that the team needs to review it and most likely I will need to make changes, happy to do so.

**What is included:**

- **Application Management:** Exposing an HTTP API through port 12121; I can access the UI in my browser through this port using, for example, the `kubectl port-forward` command. Also a gRPC Agent Gateway through 21212.
- **Includes a PostgreSQL with pgvector:** One can choose the version to be deployed. Persistent storage through StorageClass. It also supports an external database if you don't want the bundled one.
- **Security:** Non-root containers with read-only root filesystem, secrets are auto-generated on first install. Hex-encoded JWT. Supports pre-existing secrets so you can integrate with external secret managers. Network policies with granular rules. Least-privilege RBAC by default.
- **Kubernetes Operations:** liveness, readiness and startup health probes. HPA with CPU and Memory targets. PDB for voluntary disruptions. Resource presets and affinity presets or full override block for more control if needed.
- **Extensions:** You can change and extend through extraEnvVars, extraVolumes; commonLabels and commonAnnotations are also supported for better tagging. Global overrides for image, pull secrets, StorageClass etc.

I can also provide a minimal and basic terraform code to deploy this chart.

I was about to open an Issue and found agentregistry-dev#242 this morning so I realized that at least there is one more person interested in having a Helm Chart for the Agent Registry so I decided to go ahead and open a PR. I hope this is ok.

# Change Type

```
/kind feature
```

# Release Notes

```release-note
add Helm chart to agentregistry
```

# Additional Notes

I am happy to maintain this Chart for the project.

**I have a few questions/comments to the team:**

1. What license should I use for the Chart?
2. Where shall it be hosted? What should be the release cycle?
3. I have followed Bitnami's Helm Charts best practices. I have been using those Charts for a couple years and I like their approach; however, if the project team is not happy with that, I can make the changes needed.

Please, make suggestions and comments so this Helm can be improved and hopefully approved by the team. Again, bear with me, this is my first contribution.

---------

Co-authored-by: Copilot <[email protected]>
# Description

This is a follow up to PR #245. This PR addresses the suggestions from @peterj and @timflannagan. This continues the implementation of #242.

This PR includes 2 new workflows, one to test and another to create a release of the chart. The set of targets in the Makefile just for the charts. I have tried to be very careful on messing with something else.

**I want to bring to your attention a couple things:**

1. There are variables that need to be set for the workflow to work (I can change them if needed):

   ```
   HELM_REGISTRY_PASSWORD
   HELM_REGISTRY
   HELM_REGISTRY_USERNAME
   HELM_REPO
   ```

2. In our tests we have noticed that you always need kMCP (CRDs and the tool itself). We initially thought it was kAgent but we narrowed it down to kMCP so Agent Registry can actually create the pod. We tested with just the CRDs, the MCP is deployed but no pod is created, with the tool itself it seems to work correctly. Shall I add kMCP as a dependency of the Agent Registry chart and also create a section in the values.yaml in which it can be enabled and configured? Otherwise administrators will have to do this separately and it seems the documentation is not including this information.

# Change type

/kind cleanup

# Changelog

```release-note
Adding a Helm Chart
```

---------

Co-authored-by: Copilot <[email protected]>