fix(helm): add missing gateway env vars, deploy control, and sidecar support #693

Open
JARVIS-coding-Agent wants to merge 2 commits into openabdev:main from JARVIS-coding-Agent:fix/gateway-helm-692

JARVIS-coding-Agent commented May 2, 2026

Context

Closes #692

The v0.8.2 Helm chart gateway templates (added in #677) are missing critical env var injection for Telegram and LINE adapters, have no sidecar support, and couple config generation with deployment creation.

Summary

This PR fixes all four issues reported in #692:

  1. P0: Missing env vars — Gateway template now injects TELEGRAM_BOT_TOKEN, TELEGRAM_SECRET_TOKEN, TELEGRAM_WEBHOOK_PATH, LINE_CHANNEL_SECRET, LINE_CHANNEL_ACCESS_TOKEN via secretKeyRef
  2. Config/deployment coupling — New gateway.deploy flag (default: true). Set to false for config-only mode (agent gets [gateway] config block without creating Gateway Deployment/Service)
  3. No sidecar support — Added extraContainers, extraVolumes, extraVolumeMounts to gateway Deployment (e.g. for cloudflared tunnel sidecar)
  4. Per-agent deployment — Users can set deploy: false on all but one agent to share a single gateway instance

Changes

  • charts/openab/templates/gateway.yaml — Add telegram/LINE env vars, deploy guard, extraContainers/extraVolumes/extraVolumeMounts, nodeSelector/affinity/tolerations
  • charts/openab/templates/gateway-secret.yaml — Add telegram-bot-token, telegram-secret-token, line-channel-secret, line-channel-access-token keys
  • charts/openab/values.yaml — Add deploy, telegram.*, line.*, extraContainers, extraVolumeMounts, extraVolumes, nodeSelector, tolerations, affinity fields with documentation comments
  • charts/openab/tests/gateway_test.yaml — Add 18 new tests across 3 suites (config rendering, deployment rendering, secret rendering). 28 gateway tests total, 64/64 chart-wide passing.

Design Decisions

  • gateway.deploy instead of top-level shared gateway: Minimal change that solves the coupling problem. Users who want a shared gateway set deploy: false on all agents except one (or deploy gateway externally). A top-level shared gateway abstraction is a larger architectural change better suited for a follow-up.
  • Secrets in gateway Secret, not agent Secret: Telegram/LINE credentials are gateway-side (the gateway binary reads them), so they belong in the gateway Secret. GATEWAY_WS_TOKEN remains in the agent Secret (shared between agent and gateway) — single source of truth preserved.
  • No required validation on telegram.botToken: The latest gateway binary uses .ok() (optional) for TELEGRAM_BOT_TOKEN, not .expect(). Missing token means the Telegram adapter is simply not enabled, not a crash. Adding required would block Teams-only or LINE-only deployments.

Verification: deploy: false does not break agent Secret

When gateway.deploy: false:

  • Skipped: Gateway Deployment, Gateway Service, Gateway Secret (telegram/LINE/Teams credentials)
  • Not affected: Agent Secret (secret.yaml) which holds gateway-ws-token — this is controlled by gateway.enabled + gateway.token, independent of gateway.deploy
  • Not affected: Agent ConfigMap [gateway] config block — still rendered when gateway.enabled: true
  • Result: Agent can connect to an external gateway using the [gateway] config and GATEWAY_WS_TOKEN from its own Secret. No dangling secretKeyRef references.

Verified by helm-unittest: "does not render Deployment when deploy is false" and "does not render when deploy is false" (Secret) both pass, while config rendering tests confirm the [gateway] block is still generated.

Note on P0 severity

Issue #692 reported TELEGRAM_BOT_TOKEN as causing panic on startup. This was true in older gateway versions, but the current main branch (gateway/src/main.rs) uses std::env::var("TELEGRAM_BOT_TOKEN").ok() — the adapter is silently disabled rather than crashing. The fix is still necessary (users cannot configure Telegram via Helm without it), but severity is P1 (silent feature failure) rather than P0 (startup crash).

Discord Discussion URL: https://discord.com/channels/1491295327620169908/1499911655142985888

…support

- Add TELEGRAM_BOT_TOKEN, TELEGRAM_SECRET_TOKEN, TELEGRAM_WEBHOOK_PATH,
  LINE_CHANNEL_SECRET, LINE_CHANNEL_ACCESS_TOKEN env var injection
- Add gateway.deploy flag (default: true) to decouple config from deployment
- Add extraContainers, extraVolumes, extraVolumeMounts for sidecar support
- Add nodeSelector, tolerations, affinity to gateway Deployment
- Add telegram/line config sections to values.yaml
- Expand gateway-secret.yaml to include telegram and LINE secrets
- Add 18 new helm-unittest tests (28 total gateway tests, 64/64 passing)

Closes openabdev#692

github-actions bot added the pending-screening (PR awaiting automated screening) label May 2, 2026

- Use toString pipe for deploy flag (default true handles false correctly)
- Remove misleading single-arg 'and' on hasTelegram/hasLine assignments

Co-authored-by: FRIDAY

@JARVIS-coding-Agent
Contributor Author

Group Review Summary — PR #693

Reviewers

  • FRIDAY ✅ LGTM
  • VISION ✅ LGTM
  • SHURI ✅ LGTM

Issues Fixed (Issue #692)

| # | Problem | Severity | Solution |
|---|---------|----------|----------|
| 1 | Per-agent gateway Deployment — each agent with gateway.enabled: true creates its own Gateway pod | Design | New gateway.deploy flag. Set deploy: false on agents that should share an external gateway |
| 2 | Missing TELEGRAM/LINE env vars — gateway template only injected TEAMS + GATEWAY_WS_TOKEN | P1* | Added TELEGRAM_BOT_TOKEN, TELEGRAM_SECRET_TOKEN, TELEGRAM_WEBHOOK_PATH, LINE_CHANNEL_SECRET, LINE_CHANNEL_ACCESS_TOKEN via secretKeyRef |
| 3 | No sidecar support — gateway Deployment had no extraContainers | Feature gap | Added extraContainers, extraVolumes, extraVolumeMounts, nodeSelector, affinity, tolerations |
| 4 | Config/deployment coupled — gateway.enabled controls both configmap and Deployment | Design | gateway.deploy: false skips Deployment/Service/Secret while preserving [gateway] config block |

* Originally reported as P0 (startup panic), but latest main uses .ok() for TELEGRAM_BOT_TOKEN — adapter is silently disabled, not crashed. Severity downgraded to P1.


Review Rounds

Round 1 — FRIDAY

  • Problem A: toString guard on deploy flag — suggested | default true. After testing, confirmed default true breaks boolean false (Helm treats false as falsy). Kept toString pipe pattern, consistent with chart helpers (agentEnabled, persistenceEnabled). ✅ Resolved.
  • Problem B: Single-arg and on $hasTelegram/$hasLine — misleading syntax. Removed, changed to direct assignment. ✅ Resolved (commit 60d5d1c).

Round 2 — VISION

  • nindent 8 on extraContainers: Suggested changing to nindent 6. Verified against deployment.yaml: nindent 8 is correct (container list item level). nindent 6 would produce invalid pod spec. ❌ Not a bug.
  • PR description: Requested explicit verification of deploy: false + Secret dependency. ✅ Added "Verification" section to PR description.
  • All other checks passed: Secret key consistency, deploy logic, values.yaml defaults, test coverage, toString robustness.

Round 3 — SHURI

  • Point 1 — fail guard for missing tokens: Rejected by FRIDAY + VISION. Gateway binary uses .ok() (optional) for all platform tokens. Adding fail would block legitimate Teams-only or LINE-only deployments. → Follow-up issue.
  • Point 2 — Configurable probe parameters: Rejected by FRIDAY + VISION. Hardcoded probes are from PR feat(helm): add Gateway Deployment + Service templates #677, not introduced by this PR. Enhancement, not bug fix. → Follow-up issue.
  • Point 3 — deploy: false Secret dependency: Confirmed GATEWAY_WS_TOKEN lives in agent Secret (not gateway Secret). deploy: false only skips gateway Deployment/Service/Secret. Agent Secret unaffected. ✅ Verified and documented in PR description.

Test Results

  • 64/64 passing (7 suites)
  • 28 gateway-specific tests across 3 suites: config rendering, deployment rendering, secret rendering
  • Key test cases: deploy: false skips resources, telegram/LINE env var injection, sidecar rendering, secret creation conditions

Files Changed

  • charts/openab/templates/gateway.yaml — env vars, deploy guard, sidecar support
  • charts/openab/templates/gateway-secret.yaml — telegram/LINE secrets
  • charts/openab/values.yaml — new gateway config fields
  • charts/openab/tests/gateway_test.yaml — 18 new tests

Suggested Follow-ups (out of scope for this hotfix)

  1. Configurable probe parameters (gateway.livenessProbe.*)
  2. Fail-fast validation when partial platform config is detected
  3. Top-level shared gateway abstraction (independent Chart-level resource)
  4. gateway/src/main.rs — handle broadcast::RecvError::Lagged (silent message loss)
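
The Round 1 finding about `default true` and a boolean `false`, reproduced as an added example that is not part of this PR or the chart. It uses Go's text/template with simplified stand-ins for Sprig's `default` and `toString`; the guard expressions, the `Render` helper and the sample values maps are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"reflect"
	"text/template"
)

// Simplified stand-ins for the Sprig functions Helm exposes (assumption:
// only the behaviour relevant to the deploy flag is modelled).
var funcs = template.FuncMap{
	// default d v: returns d when v is "empty" (nil, or a zero value such as false).
	"default": func(d, v interface{}) interface{} {
		if v == nil || reflect.ValueOf(v).IsZero() {
			return d
		}
		return v
	},
	// toString: an unset key becomes "<nil>", a boolean false becomes "false".
	"toString": func(v interface{}) string { return fmt.Sprintf("%v", v) },
}

// Two hypothetical guard shapes for a deploy flag that should default to true.
const (
	defaultGuard  = `{{ if .deploy | default true }}render{{ else }}skip{{ end }}`
	toStringGuard = `{{ if ne (.deploy | toString) "false" }}render{{ else }}skip{{ end }}`
)

// Render evaluates a guard against a constructed gateway values map.
func Render(guard string, gateway map[string]interface{}) string {
	var out bytes.Buffer
	t := template.Must(template.New("guard").Funcs(funcs).Parse(guard))
	if err := t.Execute(&out, gateway); err != nil {
		return "error: " + err.Error()
	}
	return out.String()
}

func main() {
	// Constructed inputs: flag unset, explicitly true, explicitly false.
	cases := []map[string]interface{}{{}, {"deploy": true}, {"deploy": false}}
	for _, c := range cases {
		fmt.Printf("%v default=%s toString=%s\n",
			c, Render(defaultGuard, c), Render(toStringGuard, c))
	}
}
```

With `deploy: false`, the `default true` guard still renders the gateway resources, so a config-only install would create the Deployment and the Secret holding platform credentials anyway; the string comparison skips them.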

Labels

pending-maintainer pending-screening PR awaiting automated screening

Development

Successfully merging this pull request may close these issues.

Helm: gateway template creates per-agent deployments; should support shared gateway
