Closed
Conversation
3 tasks
kirkchen
force-pushed
the
feat/helm-chart-extensibility
branch
from
665ab78 to
eb21a81
Compare
thekkagent
force-pushed
the
feat/helm-chart-extensibility
branch
from
6ad4050 to
0e70a04
Compare
Add pod/deployment extensibility to the Helm chart, focused on Deployment.spec.template scope: imagePullSecrets (global + per-agent with opt-out), per-agent imagePullPolicy, serviceAccountName, probes, lifecycle, initContainers, sidecars, extraVolumes, extraVolumeMounts, podAnnotations and podLabels with reserved-key protection. Also fixes Test 1-7 to pass botToken after upstream discord.enabled gate change. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The env map previously only supported simple key-value strings. This adds polymorphic rendering via kindIs "map" so users can use valueFrom (fieldRef, secretKeyRef, configMapKeyRef, etc.) while maintaining full backward compatibility with existing string values. In deployment.yaml, map-typed values render as toYaml (e.g. valueFrom blocks). In configmap.yaml, map-typed values are filtered out since config.toml only supports string env vars — valueFrom is a Kubernetes concept handled at the pod level. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Rename `sidecars` to `extraContainers` to avoid confusion with K8s 1.28+
native sidecar support — this field renders into the main containers
array, not as native sidecars.
Also adds a "Pod extensibility" comment header and documents that `{}`
means disabled for probes and lifecycle fields.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…imagePullSecrets format
- Fix pre-existing TOML injection risk where double quotes in env string
values produced invalid TOML. Use toJson for proper escaping.
- Add kindIs "slice" guard in both deployment.yaml and configmap.yaml to
reject list-typed env values with a clear error message.
- Derive agentPodLabels reserved keys from selectorLabels helper to
prevent future drift between Deployment selector and pod labels.
- Support both K8s native object format ({ name: regcred }) and
shorthand string format for imagePullSecrets.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace the deleted helm-template-test.sh with helm unittest YAML files: - deployment_test.yaml: pod extensibility controls (18 tests) - env_test.yaml: polymorphic env rendering + configmap filtering (5 tests) Upstream already migrated to helm unittest (configmap_test.yaml, adapter-enablement_test.yaml). Total: 36 tests across 5 suites. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
… helper Before: configmap used strict truthy check (`if ($cfg.discord).enabled`) while deployment and secret used default-true (`ne toString "false"`). This asymmetry came from upstream fix commits and caused different behavior for edge cases across templates. Introduces `openab.discordEnabled` helper following the same pattern as `openab.agentEnabled` and `openab.persistenceEnabled`. Returns "false" when discord config is absent or explicitly disabled, "true" otherwise. All three templates (configmap, deployment, secret) now use the helper for consistent behavior. Also strengthens the reserved-label-hijack test to assert both `app.kubernetes.io/name` and `app.kubernetes.io/component` are protected. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
thekkagent
force-pushed
the
feat/helm-chart-extensibility
branch
from
0e70a04 to
8dad081
Compare
|
All PRs must reference a prior Discord discussion to ensure community alignment before implementation. Please edit the PR description to include a link like: This PR will be automatically closed in 3 days if the link is not added. |
Phase 2 of helm chart extensibility (openabdev#397): - ServiceAccount (optional, opt-in via serviceAccount.create) - Supports custom name, annotations (e.g. IRSA), and automountServiceAccountToken - Backward compat: existing serviceAccountName still works for external SAs - Role + RoleBinding (optional, opt-in via rbac.create) - ClusterRole + ClusterRoleBinding (optional, opt-in via rbac.createClusterRole) - PodDisruptionBudget (optional, opt-in via podDisruptionBudget.enabled) - Supports both minAvailable and maxUnavailable (mutually exclusive) - values.yaml warns against minAvailable: 1 with the hardcoded replicas: 1 All resources are per-agent and follow the existing multi-agent loop pattern. All defaults are opt-in (false) to preserve existing behavior. 25 new tests added across 3 suites (serviceaccount, rbac, pdb). Total: 61 tests pass. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
🔒 Auto-closing: this PR has had the Feel free to reopen after adding the discussion link to the PR body. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What problem does this solve?
OpenAB's Helm chart is currently strong on the minimal install path, but it is too thin for many real Kubernetes deployments.
It does not currently expose several common deployment controls that operators typically expect from a reusable open-source chart, including:
imagePullSecretslivenessProbe,readinessProbe,startupProbe)lifecycleinitContainersserviceAccountNamebindingThis leaves users with a few unattractive options:
helm templateOne immediate example is that the chart does not currently support
imagePullSecrets, which makes private registry deployments harder than they need to be.Closes: N/A
Discord Discussion URL: https://discordapp.com/channels/1491295327620169908/1493841502529523732
At a Glance
Prior Art & Industry Research
OpenClaw:
I reviewed the local OpenClaw repository and its Kubernetes deployment manifests. While OpenClaw does not currently ship a Helm chart in this repo, it does treat startup bootstrap as a first-class deployment concern. In particular, it uses an
initContainerto prepare configuration and workspace state before the main container starts.This suggests:
initContainersare a reasonable place for startup preparationReference:
scripts/k8s/manifests/deployment.yamlHermes Agent:
I reviewed Hermes Agent's Docker and deployment documentation. Hermes takes a clearer stance on tool installation: stable toolchains should primarily be handled through custom images or clearly defined mutable runtime environments, not by stretching the chart into a package manager.
This suggests:
References:
Dockerfilewebsite/docs/user-guide/docker.mdwebsite/docs/getting-started/nix-setup.mdOther references:
I reviewed Bitnami charts and Helm / Kubernetes best practices. Bitnami's more mature charts commonly expose
imagePullSecrets,serviceAccount, probes,lifecycle,initContainers, sidecars,extraVolumes,extraVolumeMounts,extraEnvVarsCM,extraEnvVarsSecret,extraDeploy, andpdb. This PR adopts the subset of that surface area that fits underDeployment.spec.template.Relevant upstream guidance also supports this direction:
initContainersimagePullSecretsProposed Solution
This PR implements the first phase of pod / deployment extensibility for the OpenAB Helm chart, focused entirely on
Deployment.spec.template.charts/openab/values.yamlcharts/openab/templates/_helpers.tplcharts/openab/templates/deployment.yamlDeployment.spec.templatecharts/openab/tests/helm-template-test.shset -eImplemented scope:
imagePullSecrets(global + per-agent, with explicit opt-out)imagePullPolicy(global default + per-agent override)serviceAccountNamebindinglivenessProbe,readinessProbe,startupProbe,lifecycleinitContainers, sidecarsextraVolumes,extraVolumeMountspodAnnotations,podLabels(global + per-agent, merged)Explicitly out of scope:
PodDisruptionBudgetextraDeployFor the "install tools" question specifically, the implementation keeps two clear paths:
initContainers+ shared volume — a lightweight bootstrap path for small binaries or startup initializationSafety & correctness
Two design decisions are load-bearing for correctness.
Reserved pod-metadata keys cannot be hijacked.
agentPodLabelsandagentPodAnnotationsusemergeOverwrite(dict, global, per-agent, reserved), where the reserved key set is merged last. This guarantees:checksum/configannotation is always the chart-computed hash — users cannot accidentally pin it or disable rollout-on-config-changeapp.kubernetes.io/{name,instance,component}labels on the pod template always matchspec.selector.matchLabels, soDeployment→Podselector matching can never be broken by a user-suppliedpodLabelsentryWithout this protection, a user who set
podLabels.app.kubernetes.io/name: customwould silently produce duplicate YAML keys and a Deployment whose ReplicaSet could no longer match its own Pods.Per-agent
imagePullSecrets: []explicitly opts out of the global list. The helper useshasKeyinstead of a truthy check, so three states are distinguishable per agent:.Values.imagePullSecretsimagePullSecrets: []→ opt out (no pull secrets, even if global is set)imagePullSecrets: [foo]→ replace with per-agent listWhy this approach?
I do not think OpenAB should model every Kubernetes field at once, and I do not think Helm should become the primary mechanism for packaging arbitrary tools.
At the same time, the current chart is thin enough that users are pushed toward forking it for fairly normal deployment requirements. That creates unnecessary friction for a public chart.
This approach takes the middle path:
initContainersbootstrap as a lightweight complement, not the main packaging modelTradeoffs and limitations:
mergeOverwritepattern described aboveAlternatives Considered
The main implementation question is not whether Helm extensibility should be improved, but how much should be included in the first implementation PR.
1. Do the minimum: only
imagePullSecrets— rejectedThis would solve the most immediate private-registry gap, but it would still leave the chart without probes, lifecycle hooks, and pod composition controls such as
initContainers, sidecars, and extra volumes. The result would still feel incomplete for real deployments.2. Implement pod / deployment extensibility only — chosen
This keeps the first implementation focused on a single surface area:
Deployment.spec.template. It addresses the highest-value deployment gaps first, including private registry support, health / lifecycle controls, and pod composition hooks, while keeping the PR cohesive and reviewable.3. Implement everything at once, including PDB, RBAC, and generic extra objects — rejected
Although these features are valid chart capabilities, they extend beyond pod template extensibility and would make the first implementation significantly broader. Mixing pod-level changes with additional chart-managed resources would increase review complexity and make the initial rollout harder to reason about.
Validation
helm lint charts/openabpassesimagePullSecrets(global + per-agent)imagePullPolicyinitContainerslivenessProbe,readinessProbe,startupProbe)lifecycleserviceAccountNamepodLabelschecksum/configannotation cannot be overridden by userpodAnnotationsimagePullSecrets: []opts out of the global listpodLabelsoverride global for the same non-reserved keyValidation command:
Result: 18 passed, 0 failed
Open questions
PodDisruptionBudgetbefore or after chart-managed ServiceAccount support?extraDeploy,extraObjects, or deferred further?