feature(helm) - Simplify helm chart #304
Pull request overview
This PR simplifies the charts/agentregistry Helm chart by removing bundled/optional components (managed PostgreSQL, NetworkPolicy, kubeconfig secret, and various “escape hatches”) and restructuring values so deployments require an externally managed PostgreSQL instance.
Changes:
- Remove bundled PostgreSQL resources and related tests/templates; require external DB configuration.
- Simplify RBAC configuration to `rbac.watchedNamespaces` with default cluster-wide permissions.
- Restructure secret handling and rename secret key usage to `JWT_PRIVATE_KEY`, adding validation for required credentials.
Reviewed changes
Copilot reviewed 19 out of 19 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| charts/agentregistry/values.yaml | Updates values schema (global/config/database secrets, flattened database config, simplified RBAC). |
| charts/agentregistry/tests/validation_test.yaml | Updates validation tests for JWT/db password requirements. |
| charts/agentregistry/tests/secrets_test.yaml | Updates secret rendering tests for new secret behavior and key names. |
| charts/agentregistry/tests/rbac_test.yaml | Updates RBAC tests to cover watchedNamespaces behavior. |
| charts/agentregistry/tests/postgresql_test.yaml | Deletes tests for bundled PostgreSQL (feature removed). |
| charts/agentregistry/tests/networkpolicy_test.yaml | Deletes NetworkPolicy tests (feature removed). |
| charts/agentregistry/tests/deployment_test.yaml | Updates deployment tests for env var rename, DB config flattening, and hardcoded strategy. |
| charts/agentregistry/tests/configmap_test.yaml | Updates ConfigMap tests after removing kubeconfig/extraConfig features. |
| charts/agentregistry/templates/service.yaml | Removes service.extraPorts rendering. |
| charts/agentregistry/templates/secrets.yaml | Reworks secret creation rules and key names; supports partial secret creation. |
| charts/agentregistry/templates/rbac.yaml | Replaces prior RBAC options with watchedNamespaces model. |
| charts/agentregistry/templates/postgresql.yaml | Deletes bundled PostgreSQL resources (feature removed). |
| charts/agentregistry/templates/networkpolicy.yaml | Deletes NetworkPolicy template (feature removed). |
| charts/agentregistry/templates/extra-list.yaml | Deletes extraDeploy template (feature removed). |
| charts/agentregistry/templates/deployment.yaml | Removes kubeconfig/init-container/diagnostic/extensibility hooks; hardcodes RollingUpdate; updates env vars. |
| charts/agentregistry/templates/configmap.yaml | Removes KUBECONFIG and extra config injection. |
| charts/agentregistry/templates/_helpers.tpl | Removes bundled-DB helpers and adds new validation logic / flattened DB URL builder. |
| charts/agentregistry/templates/NOTES.txt | Updates database info output to match external-only DB configuration. |
| charts/agentregistry/README.md.gotmpl | Updates documentation and examples for external DB, new secret structure, and watchedNamespaces RBAC. |
| helm install my-agentregistry oci://ghcr.io/agentregistry-dev/helm/agentregistry | ||
| helm install my-agentregistry oci://ghcr.io/agentregistry-dev/helm/agentregistry \ | ||
| --set config.jwtPrivateKey=$(openssl rand -hex 32) \ | ||
| --set database.host=my-postgres.example.com \ |
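Review bot: the new install example passes the JWT signing key inline via `--set config.jwtPrivateKey=$(openssl rand -hex 32)`, which leaves the key in shell history and in the Helm release record (`helm get values`); since this PR adds `config.existingSecret` / `global.existingSecret`, consider making a pre-created Secret referenced through `config.existingSecret` the primary README example and keeping the `--set` form as a quick-start only.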
Probably as a separate PR, but I'd love to have an easy way (at least for development) to install a postgres and the registry with a single make target.
I am working on a follow-up PR that uses the chart for a local development setup and e2e test environment. As part of that I'll include the user instruction for installing postgres.
Description
Significantly simplifies the `charts/agentregistry` Helm chart by removing features that were unused, or actively harmful in production. The chart now requires an external PostgreSQL instance and has a smaller surface area, cleaner values, and no cluster-state dependencies at render time.

The motivation behind removing the managed PostgreSQL instance is to remove the load from this project to field requests and support for managing the database instance.
Net change: −1,066 lines across 19 files (3 templates deleted, 2 test files deleted).
Removed:
- Bundled PostgreSQL (`database.bundled.*`) and the `wait-for-postgres` init container — external PostgreSQL with pgvector is now required
- NetworkPolicy (`networkPolicy.*`)
- `extraDeploy` / `extra-list.yaml`
- Diagnostic mode (`diagnosticMode.*`)
- Host volumes (`hostVolumes.*`) — docker socket and host `/tmp`
- Custom probes (`customLivenessProbe`, `customReadinessProbe`, `customStartupProbe`)
- `KUBECONFIG` ConfigMap entry
- Extensibility hooks: `extraEnvVarsCM`, `extraEnvVarsSecret`, `extraVolumes`, `extraVolumeMounts`, `initContainers`, `sidecars`, `config.extraConfig`, `service.extraPorts`
- `secrets.autoGenerate` / cluster `lookup` dependency in `secrets.yaml`

Simplified / restructured:
- `database.external.*` flattened to `database.*`
- `clusterScoped` / `clusterAdminBinding` / `rules` replaced with `watchedNamespaces` — empty = cluster-wide ClusterRole (default), non-empty = Role per listed namespace; namespace read access always granted via ClusterRole
- Top-level `existingSecret` replaced with `global.existingSecret`, `config.existingSecret`, and `database.existingSecret` — chart creates a partial secret containing only the keys not covered by an existing secret
- `existingSecret` and `jwtPrivateKey` moved under `config.*`
- Hardcoded `RollingUpdate` strategy; removed `updateStrategy` value

Validation:
- `config.jwtPrivateKey` must be a non-empty valid hex string unless `config.existingSecret` or `global.existingSecret` is set
- `database.password` must be set unless `database.url`, `database.existingSecret`, or `global.existingSecret` is set
- `database.host` (or `database.url`) must be set — missing database host is now a hard error instead of a warning

Change Type
/kind breaking_change
/kind cleanup
Changelog
Additional Notes
Breaking changes migration guide:
| Old | New |
|---|---|
| `database.bundled.*` / `database.external.*` | `database.*` (flat) |
| `database.external.existingSecret` | `database.existingSecret` |
| `existingSecret` (top-level) | `global.existingSecret` (drop-in equivalent) |
| `secrets.jwtPrivateKey` | `config.jwtPrivateKey` |
| `rbac.create` | `rbac.enabled` |
| `rbac.clusterScoped: false` | `rbac.watchedNamespaces: [<namespace>]` |
| `rbac.clusterAdminBinding: true` | (removed) |
| `kubeconfig.existingSecret` / `kubeconfig.content` | (removed) |
| `networkPolicy.*` | (removed) |
| `diagnosticMode.*` | (removed) |
| `hostVolumes.*` | (removed) |
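As an added illustration of the `watchedNamespaces` model described in this PR (this is not the chart's own `rbac.yaml`): an empty list renders one cluster-wide ClusterRole plus ClusterRoleBinding, a non-empty list renders a namespaced Role plus RoleBinding per listed namespace, so the migration from `rbac.clusterScoped: false` is just listing the namespaces. The value names `rbac.enabled`, `rbac.rules` and `serviceAccount.name` are assumed for the example.

```yaml
{{- /* Added illustration (not the chart's own rbac.yaml) of the watchedNamespaces
       model; assumed value names: rbac.enabled, rbac.watchedNamespaces, rbac.rules,
       serviceAccount.name. */ -}}
{{- if .Values.rbac.enabled }}
{{- $name := .Release.Name }}
{{- $subject := dict "kind" "ServiceAccount" "name" .Values.serviceAccount.name "namespace" .Release.Namespace }}
{{- if empty .Values.rbac.watchedNamespaces }}
# Empty list (default): one cluster-wide ClusterRole and its binding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ $name }}
rules: {{- toYaml .Values.rbac.rules | nindent 2 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ $name }}
roleRef: {kind: ClusterRole, name: {{ $name }}, apiGroup: rbac.authorization.k8s.io}
subjects: [{{ toJson $subject }}]
{{- else }}
{{- range $ns := .Values.rbac.watchedNamespaces }}
# Non-empty list: a namespaced Role and binding per listed namespace only
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ $name }}
  namespace: {{ $ns }}
rules: {{- toYaml $.Values.rbac.rules | nindent 2 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ $name }}
  namespace: {{ $ns }}
roleRef: {kind: Role, name: {{ $name }}, apiGroup: rbac.authorization.k8s.io}
subjects: [{{ toJson $subject }}]
{{- end }}
{{- end }}
{{- end }}
```

The always-granted namespace-read ClusterRole the PR mentions is left out here; rendering with `helm template` against both value shapes (empty vs. populated `rbac.watchedNamespaces`) shows the scope difference directly in the generated manifests.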