fix(chart): PLT-663 self-hosted install bugs#13
Merged
Allows running migrations standalone without booting the webapp server. Used by the umbrella chart's pre-install migration Job to avoid the chicken-and-egg of the Job inheriting webapp.extraEnvVars with SKIP_POSTGRES_MIGRATIONS=1. The migrate subcommand forces SKIP_POSTGRES_MIGRATIONS=0 because that's the Job's only purpose. Co-authored-by: Cursor <cursoragent@cursor.com>
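The pre-install Job that the commit message describes, written out as an added example; this is not the umbrella chart's own manifest. The `migrate` subcommand and the fact that it forces SKIP_POSTGRES_MIGRATIONS=0 come from the commit; the release/helper names, the image values path, the assumption that the image's ENTRYPOINT is docker/scripts/entrypoint.sh, and the Secret key carrying DATABASE_URL are assumptions.

```yaml
# Added example: a Helm hook Job that runs migrations only, via the new
# `migrate` subcommand. Assumed: helper/value names, image ENTRYPOINT, Secret key.
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ include "trigger.fullname" . }}-migrate
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-weight": "-5"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
  backoffLimit: 0
  # Bound the Job so a hang surfaces as a failed hook instead of a silent stall.
  activeDeadlineSeconds: 600
  template:
    spec:
      restartPolicy: Never
      containers:
        - name: migrate
          image: "{{ .Values.webapp.image.repository }}:{{ .Values.webapp.image.tag }}"
          # Positional subcommand selects migrate-only mode. Before the fix this
          # argument was ignored and the container booted the full webapp.
          # Assumes the image ENTRYPOINT is docker/scripts/entrypoint.sh.
          args: ["migrate"]
          env:
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.secrets.existingSecret }}  # assumed: same Secret the webapp reads
                  key: DATABASE_URL
          # webapp.extraEnvVars is deliberately not merged in here, so a
          # SKIP_POSTGRES_MIGRATIONS=1 set for the webapp cannot leak into the
          # Job; the subcommand overrides it anyway.
```

After `helm upgrade`, `kubectl logs job/<release>-migrate` should show only migration output and the Job should complete well inside the 600 s deadline; a Job that sits at Running until the deadline is the pre-fix symptom.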
Previously the block mounted s3-access-key-id / s3-secret-access-key from secrets.existingSecret unconditionally, breaking installs where the operator uses an existing Apollo-managed Secret that doesn't contain those keys. Now three branches:
- s3.deploy: true -> existing behavior (chart-managed or s3.auth.existingSecret).
- s3.deploy: false + useIam: false:
  - external.existingSecret -> mount from external secret.
  - chart-managed accessKeyId -> requires secrets.enabled: true so secrets.yaml actually emits the s3-access-key-id key.
- s3.deploy: false + useIam: true -> skip the entire S3 env block.
Co-authored-by: Cursor <cursoragent@cursor.com>
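The three-way gate from the commit above, written out as an added example for the webapp env list; it is not the chart's webapp.yaml. The values keys (s3.deploy, s3.auth.existingSecret, s3.external.existingSecret, s3.external.useIam, secrets.enabled, secrets.existingSecret) and the Secret key names are those the commit names; the OBJECT_STORE_* env var names, the chart-managed Secret names and the "trigger.fullname" helper are assumptions.

```yaml
{{- /*
Added example (not the chart's own template): S3 credential env entries.
Assumed: OBJECT_STORE_* env names, "trigger.fullname" helper, Secret names.
*/ -}}
{{- $s3 := .Values.s3 }}
{{- $secretName := "" }}
{{- if $s3.deploy }}
  {{- /* Branch 1: chart-deployed object store, chart-managed Secret or s3.auth.existingSecret. */}}
  {{- $secretName = $s3.auth.existingSecret | default (printf "%s-s3" (include "trigger.fullname" .)) }}
{{- else if not $s3.external.useIam }}
  {{- if $s3.external.existingSecret }}
    {{- /* Branch 2a: external store, operator-supplied Secret. */}}
    {{- $secretName = $s3.external.existingSecret }}
  {{- else }}
    {{- /* Branch 2b: external store with chart-managed keys. These only exist
           when secrets.yaml is rendered; fail at template time rather than
           let the pod sit in CreateContainerConfigError. */}}
    {{- if not .Values.secrets.enabled }}
      {{- fail "s3.deploy=false with chart-managed S3 keys needs secrets.enabled=true (or set s3.external.existingSecret / s3.external.useIam=true)" }}
    {{- end }}
    {{- $secretName = .Values.secrets.existingSecret | default (printf "%s-secrets" (include "trigger.fullname" .)) }}
  {{- end }}
{{- end }}
{{- /* Branch 3 (s3.deploy=false, useIam=true) leaves $secretName empty:
       the pod's service-account identity supplies credentials and no static
       keys are mounted at all. */}}
{{- if $secretName }}
- name: OBJECT_STORE_ACCESS_KEY_ID
  valueFrom:
    secretKeyRef:
      name: {{ $secretName }}
      key: s3-access-key-id
- name: OBJECT_STORE_SECRET_ACCESS_KEY
  valueFrom:
    secretKeyRef:
      name: {{ $secretName }}
      key: s3-secret-access-key
{{- end }}
```

A quick check for each branch is `helm template . --set s3.deploy=false,s3.external.useIam=true | grep -c s3-access-key-id`, which should print 0 for the IAM branch, and `kubectl get secret <name> -o jsonpath='{.data.s3-access-key-id}'` against whatever Secret the rendered secretKeyRef names for the other two.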
Electric requires /app/persistent to be writable for its state dir. The template previously rendered no volumes at all, so every Electric pod crashed with 'could not make directory /app/persistent/state'. This commit always renders a /app/persistent emptyDir and adds extraVolumes/extraVolumeMounts knobs matching the webapp/supervisor pattern for consumers that want PVC-backed durability. Co-authored-by: Cursor <cursoragent@cursor.com>
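The volume wiring the commit describes, as an added example rather than the chart's electric.yaml. electric.extraVolumes / electric.extraVolumeMounts and the /app/persistent path are from the commit; the container name and the readOnlyRootFilesystem setting are assumptions added to show why an explicit volume is needed on a hardened pod.

```yaml
# Added example (not the chart's electric.yaml). Assumed: container name,
# readOnlyRootFilesystem; value keys and mount path are from the commit.
spec:
  containers:
    - name: electric
      securityContext:
        # With a read-only root filesystem every writable path must be an
        # explicit volume; without one Electric fails on
        # "could not make directory /app/persistent/state".
        readOnlyRootFilesystem: true
      volumeMounts:
        - name: persistent
          mountPath: /app/persistent
        {{- with .Values.electric.extraVolumeMounts }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
  volumes:
    # Always rendered: an emptyDir is wiped on reschedule, which is fine
    # when the operator does not need state to survive pod replacement.
    - name: persistent
      emptyDir: {}
    {{- with .Values.electric.extraVolumes }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
```

A consumer that wants durability sets electric.extraVolumes to a persistentVolumeClaim entry and electric.extraVolumeMounts to mount it at /app/persistent/state; Kubernetes permits the nested mount, so the emptyDir keeps serving the rest of /app/persistent. Mounting the PVC at /app/persistent itself would collide with the always-rendered emptyDir mount.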
When clickhouse.deploy: true AND auth.existingSecret is set, the fork's clickhouse.url helper still interpolated values.auth.password literally, so webapp authenticated with a stale default while the Bitnami chart used the real password from the secret. This commit switches the deploy-mode URL to use a CLICKHOUSE_PASSWORD env-var indirection that resolves from existingSecret when set. Co-authored-by: Cursor <cursoragent@cursor.com>
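The indirection the commit describes, as an added example covering both sides (the URL helper and the env entry); it is not the chart's _helpers.tpl or webapp.yaml. clickhouse.deploy, clickhouse.auth.password and clickhouse.auth.existingSecret are from the commit; the Secret key name, the existingSecretKey and external.url value keys, the host/port, the username default and the "trigger.fullname" helper are assumptions.

```yaml
{{- /*
Added example (not the chart's own helper). Assumed: Secret key "admin-password",
clickhouse.auth.existingSecretKey, clickhouse.external.url, host/port, helper name.
*/ -}}
{{- define "trigger.clickhouse.url" -}}
{{- if .Values.clickhouse.deploy -}}
{{- /* Do not splice .Values.clickhouse.auth.password here: with auth.existingSecret
       set it is a stale default while the Bitnami chart uses the Secret.
       Reference the env var and let the kubelet substitute it. */ -}}
http://{{ .Values.clickhouse.auth.username | default "default" }}:$(CLICKHOUSE_PASSWORD)@{{ include "trigger.fullname" . }}-clickhouse:8123
{{- else -}}
{{ .Values.clickhouse.external.url }}
{{- end -}}
{{- end -}}

# webapp.yaml env entries. Order matters: Kubernetes expands $(VAR) only for
# variables defined EARLIER in the same env list; if CLICKHOUSE_PASSWORD came
# after CLICKHOUSE_URL the literal string "$(CLICKHOUSE_PASSWORD)" would be used.
{{- if .Values.clickhouse.deploy }}
- name: CLICKHOUSE_PASSWORD
  valueFrom:
    secretKeyRef:
      {{- if .Values.clickhouse.auth.existingSecret }}
      name: {{ .Values.clickhouse.auth.existingSecret }}
      key: {{ .Values.clickhouse.auth.existingSecretKey | default "admin-password" }}
      {{- else }}
      name: {{ include "trigger.fullname" . }}-clickhouse
      key: admin-password
      {{- end }}
{{- end }}
- name: CLICKHOUSE_URL
  value: {{ include "trigger.clickhouse.url" . | quote }}
```

Two side effects worth knowing: the rendered manifest (and `helm get manifest`) now carries `$(CLICKHOUSE_PASSWORD)` instead of the password, and because the kubelet does plain string substitution with no percent-encoding, a password containing `@`, `/`, `?` or `#` will break the URL; generate ClickHouse passwords from a URL-safe alphabet when using this indirection.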
Carries the four PLT-663 chart fixes above. Co-authored-by: Cursor <cursoragent@cursor.com>
🧭 Helm Chart Prerelease Published
Version: 4.4.6-plt663.1-pr13.f66ed13
Install:
helm upgrade --install trigger \
  oci://ghcr.io/govsignals/charts/vendored-upstream-trigger \
  --version "4.4.6-plt663.1-pr13.f66ed13"
@kubernetes/client-node@1.0.0 tightened V1ObjectMeta.annotations from 'unknown' to 'Record<string, string>'. The parsed JSON from the KUBERNETES_WORKER_POD_ANNOTATIONS env var lands as 'unknown' which now fails TS2322 at the assignment site. Cast (or validate) at the parse boundary. Co-authored-by: Cursor <cursoragent@cursor.com>
PR #12 added supervisor.config.kubernetes.workerPodSecurityContext, workerContainerSecurityContext, and workerPodAnnotations to values.yaml but the supervisor.yaml template never read them. The supervisor's Kubernetes workload manager reads KUBERNETES_WORKER_POD_SECURITY_CONTEXT, KUBERNETES_WORKER_CONTAINER_SECURITY_CONTEXT, and KUBERNETES_WORKER_POD_ANNOTATIONS env vars at runtime (JSON-parsed) and applies them to every worker pod it schedules. Without this wiring, worker pods on FedStart / GameWarden deployments are missing their compliance-required securityContext entries and would be rejected by pod-security admission. Co-authored-by: Cursor <cursoragent@cursor.com>
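The wiring described in the last two commits, as an added example that is not the chart's supervisor.yaml: a values fragment and the matching env entries. The values path supervisor.config.kubernetes.* and the three env var names are from the commits; the securityContext contents are an illustrative restricted-profile set, not the FedStart / GameWarden baseline, and the annotation key is made up.

```yaml
# --- values.yaml fragment (illustrative restricted-profile settings) ---
supervisor:
  config:
    kubernetes:
      workerPodSecurityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      workerContainerSecurityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      workerPodAnnotations:
        # Annotation values must be strings. An unquoted `true` or `1` becomes a
        # JSON boolean/number after toJson, and V1ObjectMeta.annotations is
        # Record<string, string> in @kubernetes/client-node >= 1.0.0, so validate
        # (or at least cast) at the JSON.parse boundary in the supervisor.
        "example.com/compliance-tier": "restricted"

# --- templates/supervisor.yaml env entries (added example, not the chart's own) ---
{{- $k8s := .Values.supervisor.config.kubernetes }}
{{- with $k8s.workerPodSecurityContext }}
- name: KUBERNETES_WORKER_POD_SECURITY_CONTEXT
  value: {{ toJson . | quote }}
{{- end }}
{{- with $k8s.workerContainerSecurityContext }}
- name: KUBERNETES_WORKER_CONTAINER_SECURITY_CONTEXT
  value: {{ toJson . | quote }}
{{- end }}
{{- with $k8s.workerPodAnnotations }}
- name: KUBERNETES_WORKER_POD_ANNOTATIONS
  value: {{ toJson . | quote }}
{{- end }}
```

Because `with` skips the entry when the value is empty, leaving a key unset keeps the supervisor's built-in defaults. To confirm the wiring took, `helm template . | grep KUBERNETES_WORKER_` should show the three JSON strings, and once a task runs, `kubectl get pod <worker-pod> -o jsonpath='{.spec.securityContext}{"\n"}{.spec.containers[0].securityContext}'` should echo them back; a worker pod that never appears, with a pod-security admission denial in the supervisor logs, is the pre-fix symptom.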
Reconciles plt-663-chart-fixes with gs-v4.4.4's main-merge (PR #12).

Conflicts resolved:
- hosting/k8s/helm/Chart.yaml -> hand-merged: bumped prerelease base from 4.4.5 to 4.4.6 to track gs-v4.4.4's version bump (PR triggerdotdev#3500 + triggerdotdev#3501 from upstream). New chart version is now 4.4.6-plt663.1. appVersion v4.4.6 from upstream.
- hosting/k8s/helm/Chart.lock -> took gs-v4.4.4's lock (clickhouse 9.4.4 from upstream PR triggerdotdev#3524) then re-ran `helm dependency build`.

Auto-merged cleanly:
- hosting/k8s/helm/templates/supervisor.yaml (our security-context env wiring + worker pod annotations type fix preserved alongside upstream's extraVolumes/extraVolumeMounts and OTLP fully-qualified URL).

Upstream-coverage check (4 PR #13 fixes vs newly-synced upstream main):
- _helpers.tpl ($(CLICKHOUSE_PASSWORD) in deploy: true branch) -> NOVEL. Upstream's deploy branch still interpolates `.Values.clickhouse.auth.password` literally; our fix is still required when auth.existingSecret is set.
- electric.yaml (/app/persistent mount + extraVolumes) -> NOVEL. Upstream electric.yaml still renders no volumes/volumeMounts at all.
- webapp.yaml (S3 useIam gate + CLICKHOUSE_PASSWORD env) -> NOVEL. Upstream webapp.yaml has no useIam reference and no CLICKHOUSE_PASSWORD env var; both are still required.
- values.yaml (electric.extraVolumes + s3.external.useIam) -> NOVEL. Upstream values.yaml has neither key under electric: nor s3.external:.

All 4 fixes remain net-new fork-side patches. No PR #13 commits become redundant from this upstream sync.

Smoke tests:
- helm dependency build hosting/k8s/helm OK
- helm template hosting/k8s/helm OK (renders v4.4.6-plt663.1)

Co-authored-by: Cursor <cursoragent@cursor.com>
Summary
Four bugs caught during local OrbStack validation of the umbrella chart
(GovSignals/govsignals#2346):
- webapp.yaml mounted s3-access-key-id / s3-secret-access-key from secrets.existingSecret even when s3.deploy: false, s3.external.useIam: true, and no s3.external.existingSecret — causing CreateContainerConfigError on fresh installs that route around the chart-managed Secret.
- Electric requires /app/persistent to be writable but the template rendered no volumes at all → CrashLoopBackOff.
- The clickhouse.url helper interpolated clickhouse.auth.password literal, ignoring clickhouse.auth.existingSecret when deploy: true.
- docker/scripts/entrypoint.sh had no migrate subcommand — the umbrella's pre-install migration Job called entrypoint.sh migrate but the positional arg was ignored, so the Job booted the webapp server and hung until activeDeadlineSeconds: 600.

Per-commit detail
Test plan
- secrets.enabled: false + external Apollo-style secrets + s3.external.useIam: true. Webapp /healthcheck returns 200; supervisor / electric / clickhouse / redis all reach Ready. See umbrella PR for full pod-state output.

Stacked on gs-v4.4.4 because that's where the GovSignals fork lives; will roll up into PR #12 when that branch eventually rebases onto upstream.

Made with Cursor