v4 helm chart and docs #2195

Merged
merged 61 commits into from
Jun 25, 2025

nicktrn
Collaborator

@nicktrn nicktrn commented Jun 25, 2025

No description provided.

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 17

🔭 Outside diff range comments (1)
hosting/docker/webapp/docker-compose.yml (1)

139-159: Expose ClickHouse HTTP port 8123, not only TCP 9000

The app’s default URLs target port 8123 (HTTP), yet only 9000 is published (9090:9000). Local developers will get connection refused if they map to host.

-  ports:
-      - ${CLICKHOUSE_PUBLISH_IP:-127.0.0.1}:9090:9000
+  ports:
+      - ${CLICKHOUSE_PUBLISH_IP:-127.0.0.1}:9090:9000    # native
+      - ${CLICKHOUSE_PUBLISH_IP:-127.0.0.1}:8123:8123    # HTTP
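
Review bot: The added 8123:8123 mapping on the last + line publishes ClickHouse's HTTP interface under the same CLICKHOUSE_PUBLISH_IP variable as the native port, so overriding that variable to a non-loopback address exposes both interfaces at once. Say so in a comment next to these lines, and state which host port the app's default URL expects, since the native mapping remaps to 9090 while HTTP keeps 8123.
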
🧹 Nitpick comments (41)
hosting/k8s/setup-kind.sh (2)

47-48: Quote expansions in the node loop
If kind get nodes ever returns multiple node names separated by whitespace, word-splitting may break. Quote the command substitution to preserve newlines.

-for node in $(kind get nodes --name ${cluster_name}); do
+for node in $(kind get nodes --name "${cluster_name}"); do
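
Review bot: On the + line only ${cluster_name} is quoted; the $(kind get nodes ...) substitution is still unquoted, so its output is still word-split, which is the problem the comment describes. Quoting the whole substitution would collapse all nodes into a single loop item, so if splitting is a concern read the names line by line instead: kind get nodes --name "${cluster_name}" | while IFS= read -r node; do ... done.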

49-52: Minimal hosts.toml may be insufficient for containerd
Containerd usually expects server and capabilities keys inside the host block. Without them image pushes can fail on some versions.

-[host."http://${reg_name}:5000"]
+[host."http://${reg_name}:5000"]
+  server = "http://${reg_name}:5000"
+  capabilities = ["pull", "push"]
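
Review bot: On the + server line, containerd's hosts.toml defines server as a top-level field of the file, not as a key of a [host."..."] table, so placing it inside the host block does not set the default server. Keep capabilities = ["pull", "push"] inside the block and, if server is wanted, put it above the [host...] header.
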
hosting/k8s/helm/Chart.yaml (2)

5-6: Semantic-versioning mismatch between version and appVersion

Chart version 4.0.0-beta.4 but appVersion is v4.0.0-v4-beta.21.

appVersion should be a clean upstream version tag (e.g. 4.0.0-beta.21) without the v prefix or duplicate “v4”. Helm only treats it as an opaque string, yet human tools (helm diff, dashboards) assume semver-compatible values.


17-18: Add maintainers / license metadata

Most Helm repositories include:

maintainers:
  - name: …
    email: …
license: MIT

This helps helm search and ArtifactHub automation.

hosting/docker/webapp/docker-compose.yml (1)

76-78: Boolean env var should be “0/1” or “true/false” consistently

RUN_REPLICATION_ENABLED defaults to 1 while INTERNAL_OTEL_TRACE_LOGGING_ENABLED defaults to 0.
Document the convention or switch to true/false to avoid mis-parsing in shell vs Node.

hosting/docker/clickhouse/override.xml (1)

12-19: Indentation inside <default> profile is off by two spaces

Nested elements should be indented once to preserve readability and avoid accidental whitespace in XML text nodes:

-        <default>
-        <max_block_size>8192</max_block_size>
-        ...
-        </default>
+        <default>
+            <max_block_size>8192</max_block_size>
+            <max_download_threads>1</max_download_threads>
+            <input_format_parallel_parsing>0</input_format_parallel_parsing>
+            <output_format_parallel_formatting>0</output_format_parallel_formatting>
+        </default>
hosting/k8s/helm/templates/configmap.yaml (1)

9-10: Use nindent to guarantee proper indentation of multiline XML

If clickhouse.config.override starts with <clickhouse> (no leading spaces) the rendered YAML will be invalid. Helm tip:

-  override.xml: |
-{{ .Values.clickhouse.config.override | indent 4 }}
+  override.xml: |
+{{ .Values.clickhouse.config.override | nindent 4 }}
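
Review bot: The + line uses nindent without a left trim ({{ rather than {{-). nindent prepends a newline before indenting, it does not trim one, so this renders an empty first line inside the override.xml block scalar. The existing indent 4 already indents every line of the value including the first, so the - line is the safer form here.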

nindent trims leading newline then indents, ensuring the first line aligns correctly.

hosting/k8s/helm/templates/tests/test-webapp.yaml (2)

1-9: Trim the leading newline and add a --- document start to silence linters

Helm templates that start with {{- already trim left-hand whitespace, but because the file does not start with --- YAML front-matter, tools such as yamllint flag it as a syntax error.
A minimal fix is to prepend the YAML document marker and keep the {{- trim so no blank line is emitted:

-{{/* nothing */}}
+{{- /* vim: set filetype=mustache: */ -}}
+---                # Make the rendered file valid YAML

Or simply:

-{{- /* template starts */}}
+--- {{- /* template starts */}}

15-18: Make the health-check more robust

A single failed TCP handshake will fail the whole test. Adding retries with back-off dramatically reduces flakes:

-          curl -f http://{{ include "trigger-v4.fullname" . }}-webapp:{{ .Values.webapp.service.port }}/healthcheck
+          for i in $(seq 1 5); do
+            curl -sf http://{{ include "trigger-v4.fullname" . }}-webapp:{{ .Values.webapp.service.port }}/healthcheck && exit 0
+            echo "Health-check failed ($i/5), retrying…"
+            sleep 3
+          done
+          echo "Webapp health-check failed after retries" >&2
+          exit 1
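
Review bot: The loop in the + lines sleeps a fixed 3 seconds, so it is a fixed-interval retry rather than the back-off the comment describes, and curl -sf carries no --max-time, so one attempt against a connection that hangs can stall the test pod. Add --connect-timeout and --max-time to the curl call so five attempts have a bounded total duration.
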
hosting/k8s/helm/templates/tests/test-redis.yaml (2)

1-3: Same lint problem: emit a YAML document start

yamllint complains because the first non-template token is apiVersion: without ---.
Add the marker (see previous comment) or suppress the linter.


14-19: Pin Redis image & add retry loop

Pinning makes the test deterministic, and Redis might take a couple of seconds to accept connections – wrap in a retry loop:

-      image: redis:{{ .Values.redis.image.tag }}
+      image: redis:{{ .Values.redis.image.tag | default "7.2.4" }}
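
Review bot: default "7.2.4" on the + image line puts a second source of truth for the Redis tag inside the template, so the test pod could run a different Redis version than the release it is testing when redis.image.tag is unset. Set the pinned tag in values.yaml and keep the template as a plain reference.
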
@@
-          redis-cli -h {{ include "trigger-v4.fullname" . }}-redis-master -p {{ .Values.redis.master.service.ports.redis }} ping
+          for i in $(seq 1 5); do
+            redis-cli -h {{ include "trigger-v4.fullname" . }}-redis-master \
+                      -p {{ .Values.redis.master.service.ports.redis }} ping && exit 0
+            echo "Redis not ready ($i/5), retrying…"
+            sleep 3
+          done
+          echo "Redis ping failed" >&2
+          exit 1
hosting/k8s/helm/templates/ingress.yaml (1)

1-3: Insert --- and trim template whitespace to satisfy YAML linters

The leading {{- if …}} without a document separator causes yamllint syntax error: expected the node content, but found '-'.
Adding --- after the if (or before the if with right-trim) avoids the error and keeps rendered output unchanged.

hosting/k8s/helm/templates/tests/test-electric.yaml (1)

13-20: Repeat suggestions: pin image & add retry to reduce flakes

Same rationale as previous test pods.

-      image: curlimages/curl:latest
+      image: curlimages/curl:8.7.1
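
Review bot: Replacing :latest with :8.7.1 on the + image line makes the test repeatable, but a tag is still mutable on the registry side. For a pod that runs inside the cluster on every helm test, pin by digest (curlimages/curl:8.7.1@sha256:<digest>, digest left as a placeholder) or expose the image reference in values.yaml so operators can point it at a mirrored copy.
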
@@
-          curl -f http://{{ include "trigger-v4.fullname" . }}-electric:{{ .Values.electric.service.port }}/api/status
+          for i in $(seq 1 5); do
+            curl -sf http://{{ include "trigger-v4.fullname" . }}-electric:{{ .Values.electric.service.port }}/api/status && exit 0
+            sleep 3
+          done
+          exit 1
hosting/k8s/helm/templates/tests/test-supervisor.yaml (1)

13-20: Same image-pin / retry considerations

For consistency across tests, pin the image and wrap the curl in a retry loop (see earlier comments). This prevents transient failures while the Supervisor container starts.

hosting/k8s/helm/templates/servicemonitor.yaml (1)

55-55: Missing trailing newline at EOF.

A final newline avoids unnecessary diffs and satisfies many linters.

-{{- end }}
\ No newline at end of file
+{{- end }}
+
hosting/k8s/helm/templates/tests/test-minio.yaml (1)

1-4: Add --- document separator for YAML tooling friendliness.

Some editors and external linters complain when the first manifest in a template is not prefixed with ---.
Adding it after the {{- if … }} keeps templates valid for both Helm and standalone YAML tools.

 {{- if .Values.minio.enabled }}
+---
 apiVersion: v1
 kind: Pod
hosting/k8s/helm/templates/secrets.yaml (1)

48-48: Missing trailing newline at EOF.

-{{- end }}
\ No newline at end of file
+{{- end }}
+
hosting/k8s/helm/templates/electric.yaml (2)

33-34: Registry prefix prints a leading “/” when empty.

If image.registry is an empty string the produced image reference becomes /repo:tag, which Docker treats as an invalid hostname.
Guard the prefix:

-image: "{{ .Values.electric.image.registry }}/{{ .Values.electric.image.repository }}:{{ .Values.electric.image.tag }}"
+image: "{{- if .Values.electric.image.registry }}{{ .Values.electric.image.registry }}/{{- end }}{{ .Values.electric.image.repository }}:{{ .Values.electric.image.tag }}"

84-84: Missing trailing newline at EOF.

-{{- end }}
\ No newline at end of file
+{{- end }}
+
hosting/k8s/helm/templates/NOTES.txt (1)

40-41: Nested Helm/Go-template braces are hard to read and error-prone.

The current command:

--template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}"

is difficult to maintain and has broken a few charts in the past.
A simpler, battle-tested alternative uses the jsonpath syntax:

-export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "trigger-v4.fullname" . }}-webapp --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "trigger-v4.fullname" . }}-webapp -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
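
Review bot: The jsonpath on the + line reads only .ip, while the original template ranged over every field of ingress[0]. A load balancer that reports a hostname instead of an IP leaves SERVICE_IP empty with the new command; keep a fallback to .hostname or state in NOTES.txt that the command assumes an IP-based load balancer.
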
hosting/k8s/helm/templates/clickhouse.yaml (2)

17-20: yamllint indentation warning – harmless but easy to silence

yamllint complains that annotations: is indented 6 spaces instead of the expected 4.
Helm’s nindent 8 (with the surrounding block) intentionally produces this, but adding an explicit | block or a lint-disable comment removes the warning without changing semantics.

-      {{- with .Values.clickhouse.podAnnotations }}
-      annotations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
+      {{- with .Values.clickhouse.podAnnotations }}
+      # yamllint disable-line rule:indentation
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

Purely cosmetic – feel free to ignore.


165-165: Add a trailing newline

Several template files in this chart miss the final newline, which causes yamllint new-line-at-end-of-file warnings and can trip up some diff tools.

hosting/k8s/helm/templates/postgresql.yaml (1)

156-156: Add trailing newline

Missing final newline – same note as for other templates.

hosting/k8s/helm/templates/registry.yaml (1)

135-140: Trailing newline missing

Same lint note as above.

hosting/k8s/helm/templates/redis.yaml (2)

17-20: yamllint indentation warning – cosmetic

annotations: is indented 6 spaces. Consider adding a lint-disable comment (see ClickHouse note) or reducing to 4 spaces to quiet the warning. Functionality is unaffected.


125-125: Trailing newline

Add final newline for consistency.

hosting/k8s/helm/values-production-example.yaml (1)

4-14: Avoid committing sample secrets – even placeholders trigger secret-scanners
The placeholder secrets are tripping Gitleaks and may alarm downstream scanners / supply-chain tooling. Consider:

-  sessionSecret: "YOUR_32_CHAR_HEX_SECRET_HERE_001"
+  # sessionSecret: ""           # <-- generate with `openssl rand -hex 16`
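
Review bot: Commenting out sessionSecret on the + line removes the placeholder from the example, but a user who copies this file unchanged then renders the chart with whatever default sits in values.yaml, and Gitleaks reports hard-coded keys there (lines 42 and 46). Pair this change with a render-time failure when the secret is unset or still equal to the shipped default, so the example cannot deploy with a publicly known value.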

and add a note in the README that no secrets are shipped in the repo; users must supply them in a private values file.

If you prefer to keep the placeholders, add them to a .gitleaks.toml allow-list so CI passes consistently.

hosting/k8s/helm/templates/minio.yaml (2)

56-72: Use distinct readiness probe (/ready)
Using the same /live endpoint for both probes can mask issues – liveness should be coarse, readiness should reflect API usability:

-          readinessProbe:
-            httpGet:
-              path: /minio/health/live
+          readinessProbe:
+            httpGet:
+              path: /minio/health/ready

MinIO exposes /ready specifically for this.


99-100: Missing newline at EOF
Add a newline to keep yamllint quiet and match POSIX conventions.

.github/workflows/release-helm.yml (2)

18-46: lint-and-test job lacks a minimal permissions: block
CodeQL flagged this. Lock it down to the recommended least-privilege:

 lint-and-test:
   permissions:
-    contents: read
+    contents: read
+    packages: read
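
Review bot: The - line shows contents: read is already present, so this hunk does not add the missing permissions block the comment describes; it only adds packages: read, which widens the token rather than narrowing it. CodeQL's suggested minimum is contents: read, so leave packages: read out unless a step in lint-and-test actually pulls from the package registry.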

96-104: Quote variable to silence ShellCheck SC2086 & trim trailing spaces

-          CHART_PACKAGE="/tmp/${{ env.CHART_NAME }}-${VERSION}.tgz"
-          
-          # Push to GHCR OCI registry
-          helm push "$CHART_PACKAGE" "oci://${{ env.REGISTRY }}/${{ github.repository_owner }}/charts"
+          CHART_PACKAGE="/tmp/${{ env.CHART_NAME }}-${VERSION}.tgz"
+
+          # Push to GHCR OCI registry
+          helm push "$CHART_PACKAGE" "oci://${{ env.REGISTRY }}/${{ github.repository_owner }}/charts"
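
Review bot: The - and + lines differ only in the trailing whitespace on the blank line, so SC2086 is not addressed by this hunk; actionlint reports it at line 7, column 28 of the script that starts on workflow line 70, which is outside lines 96-104. The quoting fix needs to target that script.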

Also update softprops/action-gh-release@v1 → v2 to avoid the “runner too old” warning.

hosting/k8s/helm/templates/webapp.yaml (3)

28-37: Init container runs as root – consider safer alternative
Running busybox with runAsUser: 0 just to chown can be replaced by setting fsGroup: 1000 in podSecurityContext, which gives the main container write access without a root step. Eliminates an unnecessary privilege escalation.


42-45: Extraneous trailing spaces after command: line
yamllint flags this. Simple cleanup:

-          command: 
+          command:

260-281: Add newline at EOF to satisfy linters
Minor but avoids no new line character at the end of file warning.

hosting/k8s/helm/README.md (5)

36-36: Fix bare URL formatting.

The bare URL should be properly formatted as a markdown link for better readability and accessibility.

-Dashboard: http://localhost:3040/
+Dashboard: [http://localhost:3040/](http://localhost:3040/)

389-389: Add missing article for better grammar.

The sentence is missing the article "a" before "new version".

-2. **Update App Version** when Trigger.dev releases new version:
+2. **Update App Version** when Trigger.dev releases a new version:

553-555: Format bare URLs as proper markdown links.

The support section contains bare URLs that should be formatted as proper markdown links for consistency and accessibility.

-- Documentation: https://trigger.dev/docs/self-hosting
-- GitHub Issues: https://github.com/triggerdotdev/trigger.dev/issues
-- Discord: https://discord.gg/untWVke9aH
+- Documentation: [https://trigger.dev/docs/self-hosting](https://trigger.dev/docs/self-hosting)
+- GitHub Issues: [https://github.com/triggerdotdev/trigger.dev/issues](https://github.com/triggerdotdev/trigger.dev/issues)
+- Discord: [https://discord.gg/untWVke9aH](https://discord.gg/untWVke9aH)

348-348: Correct the Helm template validation command.

The command uses an inconsistent naming pattern. The chart name should match the pattern used throughout the document.

-helm template trigger.dev . --dry-run > /dev/null && echo "Template validation successful"
+helm template trigger . --dry-run > /dev/null && echo "Template validation successful"

354-354: Fix inconsistent service name in port-forward command.

The service name should match the naming convention used throughout the document.

-kubectl port-forward svc/trigger.dev-webapp 3040:3030 --address 0.0.0.0
+kubectl port-forward svc/trigger-webapp 3040:3030 --address 0.0.0.0
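
Review bot: Both the - and + lines keep --address 0.0.0.0, which makes the forwarded webapp port reachable on every interface of the workstation, not just localhost. The README's dashboard URL is http://localhost:3040/, so drop the flag and let kubectl port-forward bind to its loopback default; mention 0.0.0.0 only for the case where remote access is intended.
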
hosting/k8s/helm/templates/supervisor.yaml (1)

262-262: Add missing newline at end of file.

YAML files should end with a newline character for better POSIX compliance and tool compatibility.

     {{- include "trigger-v4.componentSelectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "component" $component) | nindent 4 }}
-{{- end }}
+{{- end }}
+
hosting/k8s/helm/templates/_helpers.tpl (1)

237-237: Add missing newline at end of file.

Template files should end with a newline character for better POSIX compliance.

 {{- end }}
-{{- end }}
+{{- end }}
+
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between aaf40c3 and 3139105.

📒 Files selected for processing (34)
  • .github/workflows/release-helm.yml (1 hunks)
  • docs/docs.json (1 hunks)
  • docs/self-hosting/kubernetes.mdx (1 hunks)
  • hosting/docker/clickhouse/override.xml (1 hunks)
  • hosting/docker/webapp/docker-compose.yml (2 hunks)
  • hosting/k8s/helm/.gitignore (1 hunks)
  • hosting/k8s/helm/.helmignore (1 hunks)
  • hosting/k8s/helm/Chart.yaml (1 hunks)
  • hosting/k8s/helm/README.md (1 hunks)
  • hosting/k8s/helm/templates/NOTES.txt (1 hunks)
  • hosting/k8s/helm/templates/_helpers.tpl (1 hunks)
  • hosting/k8s/helm/templates/clickhouse.yaml (1 hunks)
  • hosting/k8s/helm/templates/configmap.yaml (1 hunks)
  • hosting/k8s/helm/templates/electric.yaml (1 hunks)
  • hosting/k8s/helm/templates/extra-manifests.yaml (1 hunks)
  • hosting/k8s/helm/templates/ingress.yaml (1 hunks)
  • hosting/k8s/helm/templates/minio.yaml (1 hunks)
  • hosting/k8s/helm/templates/postgresql.yaml (1 hunks)
  • hosting/k8s/helm/templates/redis.yaml (1 hunks)
  • hosting/k8s/helm/templates/registry.yaml (1 hunks)
  • hosting/k8s/helm/templates/secrets.yaml (1 hunks)
  • hosting/k8s/helm/templates/servicemonitor.yaml (1 hunks)
  • hosting/k8s/helm/templates/supervisor.yaml (1 hunks)
  • hosting/k8s/helm/templates/tests/test-clickhouse.yaml (1 hunks)
  • hosting/k8s/helm/templates/tests/test-electric.yaml (1 hunks)
  • hosting/k8s/helm/templates/tests/test-minio.yaml (1 hunks)
  • hosting/k8s/helm/templates/tests/test-postgresql.yaml (1 hunks)
  • hosting/k8s/helm/templates/tests/test-redis.yaml (1 hunks)
  • hosting/k8s/helm/templates/tests/test-supervisor.yaml (1 hunks)
  • hosting/k8s/helm/templates/tests/test-webapp.yaml (1 hunks)
  • hosting/k8s/helm/templates/webapp.yaml (1 hunks)
  • hosting/k8s/helm/values-production-example.yaml (1 hunks)
  • hosting/k8s/helm/values.yaml (1 hunks)
  • hosting/k8s/setup-kind.sh (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
hosting/k8s/helm/templates/tests/test-clickhouse.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

hosting/k8s/helm/templates/tests/test-webapp.yaml

[error] 4-4: syntax error: expected , but found ''

(syntax)

hosting/k8s/helm/templates/configmap.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

hosting/k8s/helm/templates/ingress.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)


[warning] 13-13: wrong indentation: expected 2 but found 4

(indentation)


[warning] 14-14: wrong indentation: expected 2 but found 4

(indentation)


[warning] 15-15: wrong indentation: expected 2 but found 4

(indentation)


[error] 60-60: no new line character at the end of file

(new-line-at-end-of-file)

hosting/k8s/helm/templates/tests/test-electric.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

hosting/k8s/helm/templates/tests/test-supervisor.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

hosting/k8s/helm/templates/servicemonitor.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)


[error] 55-55: no new line character at the end of file

(new-line-at-end-of-file)

hosting/k8s/helm/templates/postgresql.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)


[warning] 18-18: wrong indentation: expected 4 but found 6

(indentation)


[error] 156-156: no new line character at the end of file

(new-line-at-end-of-file)

hosting/k8s/helm/templates/tests/test-minio.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

hosting/k8s/helm/templates/extra-manifests.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

hosting/k8s/helm/templates/registry.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)


[warning] 18-18: wrong indentation: expected 4 but found 6

(indentation)


[error] 143-143: no new line character at the end of file

(new-line-at-end-of-file)

hosting/k8s/helm/templates/clickhouse.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)


[warning] 18-18: wrong indentation: expected 4 but found 6

(indentation)


[error] 165-165: no new line character at the end of file

(new-line-at-end-of-file)

hosting/k8s/helm/templates/secrets.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

hosting/k8s/helm/templates/redis.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)


[warning] 18-18: wrong indentation: expected 4 but found 6

(indentation)


[error] 125-125: no new line character at the end of file

(new-line-at-end-of-file)

hosting/k8s/helm/templates/webapp.yaml

[warning] 7-7: wrong indentation: expected 2 but found 4

(indentation)


[warning] 16-16: wrong indentation: expected 4 but found 6

(indentation)


[error] 43-43: trailing spaces

(trailing-spaces)


[error] 281-281: no new line character at the end of file

(new-line-at-end-of-file)


[error] 4-4: syntax error: expected , but found ''

(syntax)

hosting/k8s/helm/templates/tests/test-redis.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

hosting/k8s/helm/templates/electric.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)


[warning] 17-17: wrong indentation: expected 4 but found 6

(indentation)


[error] 84-84: no new line character at the end of file

(new-line-at-end-of-file)

hosting/k8s/helm/templates/supervisor.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)


[error] 262-262: no new line character at the end of file

(new-line-at-end-of-file)

hosting/k8s/helm/templates/minio.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)


[warning] 18-18: wrong indentation: expected 4 but found 6

(indentation)


[error] 143-143: no new line character at the end of file

(new-line-at-end-of-file)

hosting/k8s/helm/templates/tests/test-postgresql.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

.github/workflows/release-helm.yml

[error] 100-100: trailing spaces

(trailing-spaces)


[error] 118-118: trailing spaces

(trailing-spaces)

🪛 Checkov (3.2.334)
hosting/docker/webapp/docker-compose.yml

[MEDIUM] 63-64: Basic Auth Credentials

(CKV_SECRET_4)

🪛 Gitleaks (8.26.0)
hosting/k8s/helm/values.yaml

42-42: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)


46-46: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🪛 LanguageTool
hosting/k8s/helm/templates/NOTES.txt

[style] ~6-~6: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...44da78b7bbb0dfe709cf38931d25dcdd") (eq .Values.secrets.encryptionKey "f686147ab967943e...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)


[style] ~6-~6: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...f686147ab967943ebbe9ed3b496e465a") (eq .Values.secrets.managedWorkerSecret "447c29678f...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)


[uncategorized] ~34-~34: Loose punctuation mark.
Context: ...ices {{ include "trigger-v4.fullname" . }}-webapp) export NODE_IP=$(kubectl ge...

(UNLIKELY_OPENING_PUNCTUATION)


[uncategorized] ~39-~39: Loose punctuation mark.
Context: ...c -w {{ include "trigger-v4.fullname" . }}-webapp' export SERVICE_IP=$(kubectl...

(UNLIKELY_OPENING_PUNCTUATION)


[uncategorized] ~40-~40: Loose punctuation mark.
Context: ...e }} {{ include "trigger-v4.fullname" . }}-webapp --template "{{"{{ range (index ...

(UNLIKELY_OPENING_PUNCTUATION)


[uncategorized] ~43-~43: Loose punctuation mark.
Context: ...{ include "trigger-v4.selectorLabels" . }},app.kubernetes.io/component=webapp" -o...

(UNLIKELY_OPENING_PUNCTUATION)


[uncategorized] ~51-~51: Loose punctuation mark.
Context: ...{ include "trigger-v4.selectorLabels" . }}" {{- if .Values.webapp.bootstrap.enab...

(UNLIKELY_OPENING_PUNCTUATION)


[style] ~62-~62: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...postgres.externalConnection.host }}:{{ .Values.postgres.externalConnection.port }} {{-...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)


[style] ~67-~67: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...es.redis.externalConnection.host }}:{{ .Values.redis.externalConnection.port }} {{- el...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

hosting/k8s/helm/README.md

[uncategorized] ~389-~389: You might be missing the article “a” here.
Context: ...App Version** when Trigger.dev releases new version: ```bash # Edit Chart.yam...

(AI_EN_LECTOR_MISSING_DETERMINER_A)

🪛 GitHub Check: CodeQL
.github/workflows/release-helm.yml

[warning] 20-46: Workflow does not contain permissions
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {{contents: read}}

🪛 actionlint (1.7.7)
.github/workflows/release-helm.yml

70-70: shellcheck reported issue in this script: SC2086:info:7:28: Double quote to prevent globbing and word splitting

(shellcheck)


106-106: the runner of "softprops/action-gh-release@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 markdownlint-cli2 (0.17.2)
hosting/k8s/helm/README.md

36-36: Bare URL used
null

(MD034, no-bare-urls)


553-553: Bare URL used
null

(MD034, no-bare-urls)


554-554: Bare URL used
null

(MD034, no-bare-urls)


555-555: Bare URL used
null

(MD034, no-bare-urls)

⏰ Context from checks skipped due to timeout of 90000ms (25)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (2, 10)
  • GitHub Check: units / internal / 🧪 Unit Tests: Internal (2, 8)
  • GitHub Check: units / internal / 🧪 Unit Tests: Internal (6, 8)
  • GitHub Check: units / internal / 🧪 Unit Tests: Internal (5, 8)
  • GitHub Check: units / internal / 🧪 Unit Tests: Internal (4, 8)
  • GitHub Check: units / internal / 🧪 Unit Tests: Internal (7, 8)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (9, 10)
  • GitHub Check: units / internal / 🧪 Unit Tests: Internal (8, 8)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (8, 10)
  • GitHub Check: units / internal / 🧪 Unit Tests: Internal (1, 8)
  • GitHub Check: units / internal / 🧪 Unit Tests: Internal (3, 8)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (1, 10)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (10, 10)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (7, 10)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (3, 10)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (6, 10)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (5, 10)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (4, 10)
  • GitHub Check: e2e / 🧪 CLI v3 tests (ubuntu-latest - npm)
  • GitHub Check: units / packages / 🧪 Unit Tests: Packages (1, 1)
  • GitHub Check: typecheck / typecheck
  • GitHub Check: e2e / 🧪 CLI v3 tests (windows-latest - npm)
  • GitHub Check: e2e / 🧪 CLI v3 tests (ubuntu-latest - pnpm)
  • GitHub Check: e2e / 🧪 CLI v3 tests (windows-latest - pnpm)
  • GitHub Check: Analyze (javascript-typescript)
🔇 Additional comments (23)
hosting/k8s/helm/.gitignore (1)

1-3: Ignore rules look correct and targeted
Pattern order and negation ensure that values-production-example.yaml remains under version control while all other ad-hoc values files and packaged charts are excluded.

docs/docs.json (1)

178-186: Navigation entry added correctly
The new "self-hosting/kubernetes" page is registered under the existing Self-hosting group and tagged v4, matching the rest of the section. No issues spotted.

hosting/k8s/helm/.helmignore (1)

1-17: Well-scoped ignore list
The patterns align with Helm packaging best practices and complement the .gitignore. Looks good.

hosting/docker/clickhouse/override.xml (1)

10-11: Verify setting name: concurrent_threads_soft_limit_num may be invalid

Official ClickHouse config uses <concurrent_threads_soft_limit> (without _num).
A typo will render the setting ineffective and ClickHouse will silently ignore it.

Please cross-check the docs or run ClickHouse with --validate-config to confirm.

hosting/k8s/helm/templates/ingress.yaml (1)

36-59: Host/path loop can emit an empty list

When .Values.ingress.hosts is an empty array the rendered Ingress has an empty rules: list, which the API server rejects.
Add an outer if:

{{- if gt (len .Values.ingress.hosts) 0 }}
rules:
  …
{{- end }}
hosting/k8s/helm/templates/servicemonitor.yaml (1)

20-23:

#!/bin/bash
# Locate all Service templates in the Helm chart and list their named ports

SERVICE_FILES=$(rg -l "kind: *Service" -n hosting/k8s/helm/templates)
if [[ -z "$SERVICE_FILES" ]]; then
  echo "No Service templates found under hosting/k8s/helm/templates"
  exit 0
fi

for f in $SERVICE_FILES; do
  echo "File: $f"
  awk '
    # Enter the ports block; skip the header line so the reset rule below does not fire on it
    /^\s*ports:/ { in_ports=1; next }
    in_ports && /^\s*- name:/ {
      gsub(/^[[:space:]]*- name:[[:space:]]*/, "")
      print "  port name: " $0
    }
    # Any line that does not start a list item ends the ports block
    in_ports && /^[[:space:]]*[^-[:space:]]/ { in_ports=0 }
  ' "$f" || echo "  (no named ports found)"
done

hosting/k8s/helm/templates/tests/test-postgresql.yaml (1)

14-20: Consider passing the password to pg_isready to avoid false negatives

If your Postgres instance enforces password authentication, pg_isready will fail unless the PGPASSWORD env var (or a .pgpass file) is provided.
A minimal adjustment is to inject the password via an environment variable in the container spec:

       containers:
         - name: test-postgres
           image: postgres:{{ .Values.postgres.image.tag }}
+          env:
+            - name: PGPASSWORD
+              value: {{ .Values.postgres.auth.password | quote }}
           command: ['sh', '-c']
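
Review bot: The + value line renders postgres.auth.password as a literal into the test pod spec, where anyone who can read pods in the namespace can see it. pg_isready only reports whether the server accepts connections and does not need valid credentials, so PGPASSWORD is unnecessary for this check; if a later step does need it, use valueFrom.secretKeyRef instead of value.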

This keeps the test self-contained and avoids dependence on trust / md5 settings in pg_hba.conf.

hosting/k8s/helm/templates/registry.yaml (1)

34-40: Container port should follow the service port, not targetPort

containerPort is currently bound to .Values.registry.service.targetPort.
If users set service.port ≠ service.targetPort, the Service will forward traffic to a port the container does not expose.

-              containerPort: {{ .Values.registry.service.targetPort }}
+              containerPort: {{ .Values.registry.service.port }}
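
Review bot: The + line binds containerPort to service.port, but a Service sends traffic to its targetPort, which is the port the container must listen on; with port ≠ targetPort it is this change that would break forwarding. The - line is correct and should stay.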

Adjusting keeps the headless & public services, probes, and container definition in sync.

Likely an incorrect or invalid review comment.

hosting/k8s/helm/README.md (2)

425-443: Excellent security guidance with comprehensive examples.

The security section provides clear, actionable guidance for production deployments including secret generation, security contexts, and RBAC configuration. The examples are well-structured and follow Kubernetes security best practices.


53-64: Verify the 32-character hex requirement for secrets.

The documentation states that secrets must be exactly 32 hexadecimal characters, but the generation command openssl rand -hex 16 produces 32 hex characters from 16 bytes. Please verify this requirement is accurate and consistent with the application's expectations.

```shell
#!/bin/bash
# Verify the secret length requirements in the codebase
echo "Searching for secret validation patterns..."
rg -A 5 -B 5 "32.*hex|hex.*32|16.*byte|byte.*16" --type yaml --type js --type ts
echo "Searching for secret length validation..."
ast-grep --pattern 'function $_(secret) { $$$ if (secret.length !== $_) { $$$ } $$$ }'
```

hosting/k8s/helm/templates/supervisor.yaml (4)

119-129: Robust worker token configuration with multiple options.

The worker token configuration provides excellent flexibility with support for file-based tokens, secret references, and direct values. The conditional logic properly handles different authentication scenarios.


149-152: Well-implemented conditional image pull secrets.

The image pull secrets configuration correctly handles both internal and external registry scenarios with proper authentication checks.


97-112: Good health check configuration.

The liveness and readiness probes are properly configured with reasonable timeouts and failure thresholds. The health endpoint appears to be standard for this type of service.


24-27: Review ClusterRole permissions for security.

The ClusterRole grants broad permissions including deletecollection on pods across the entire cluster. Consider if these permissions are necessary or if they can be scoped down for better security.

The supervisor needs these permissions to manage worker pods, but verify if deletecollection is actually used:

```shell
#!/bin/bash
# Search for usage of deletecollection in the supervisor codebase
echo "Searching for deletecollection usage..."
rg -A 3 -B 3 "deletecollection|delete.*collection" --type js --type ts --type go
echo "Searching for batch pod deletion patterns..."
rg -A 3 -B 3 "delete.*pod.*batch|batch.*delete.*pod" --type js --type ts --type go
```

docs/self-hosting/kubernetes.mdx (6)

134-137: Version consistency check needed.

The same beta version is referenced again. This should be kept in sync with the actual chart version or use a more generic approach.

Same version concern as above - these specific version references may become outdated quickly.


26-37: Excellent resource requirements documentation.

The resource requirements section provides clear guidance with both cluster-level and component-level requirements. This helps users plan their deployments effectively.


96-128: Comprehensive configuration examples.

The custom values example covers all essential configuration aspects including secrets, URLs, and resource limits. The mapping explanation between environment variables and Helm values is particularly helpful.


176-218: Well-documented worker token management.

The worker token section clearly explains both bootstrap and manual configuration approaches, providing practical commands for both scenarios.


306-308: Chart version reference consistency.

Another instance of the specific beta version that should be kept in sync with the actual chart version.

This is the third occurrence of the specific version reference that needs consistency checking.


60-62: Verify the chart version reference.

The documentation references a specific beta version 4.0.0-beta.3. Ensure this version exists and is consistent with the chart's current version.

```shell
#!/bin/bash
# Check the current chart version
echo "Current chart version:"
cat hosting/k8s/helm/Chart.yaml | grep -E "^version:|^appVersion:"

echo -e "\nSearching for version references in documentation:"
rg "4\.0\.0-beta\.3" docs/
```

hosting/k8s/helm/templates/_helpers.tpl (3)

219-235: Well-implemented Docker config generation.

The image pull secret generation correctly handles both internal and external registry scenarios with proper base64 encoding and JSON structure. The conditional logic ensures secrets are only generated when authentication is enabled.


73-82: Robust image reference generation.

The image helper functions properly handle global registry overrides, default tags from Chart.AppVersion, and optional registry prefixes. The logic correctly handles cases where no registry is specified.

Also applies to: 87-96


201-214: Good naming conventions for RBAC resources.

The supervisor service account and cluster role naming functions include namespace isolation for cluster roles, which helps prevent naming conflicts in multi-tenant clusters.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/release-helm.yml (1)

102-102: Strip trailing whitespace to satisfy YAML-lint

Lines 102 and 120 contain stray spaces. They do not break the workflow but fail CI linters.

-102␠␠
+102-120␠␠
+120

Also applies to: 120-120

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3139105 and f883736.

📒 Files selected for processing (1)
  • .github/workflows/release-helm.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/release-helm.yml

108-108: the runner of "softprops/action-gh-release@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue (action)

🪛 YAMLlint (1.37.1)
.github/workflows/release-helm.yml

[error] 102-102: trailing spaces (trailing-spaces)
[error] 120-120: trailing spaces (trailing-spaces)

🔇 Additional comments (2)
.github/workflows/release-helm.yml (2)

108-108: Update softprops/action-gh-release to a Node ≥ 20 build
softprops/action-gh-release@v1 ships a Node 12 runner, which GitHub is actively deprecating; new workflows will soon refuse to run it (see actionlint warning).
Pin to a more recent tag/commit (e.g. softprops/action-gh-release@v2 or a specific SHA) that targets Node 20 to avoid sudden breakage.


21-23: 👍 Least-privilege permissions blocks address previous security finding
Both jobs now declare explicit, minimal scopes (contents: read / write, packages: write), resolving the earlier Advanced Security alert about unrestricted GITHUB_TOKEN.

Also applies to: 51-53

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

♻️ Duplicate comments (5)
hosting/k8s/helm/templates/_helpers.tpl (1)

103-105: Security issue resolved - SSL mode is now configurable.

The previous security concern about hardcoded sslmode=disable has been properly addressed. The connection strings now use configurable SSL mode values with secure defaults (prefer).

hosting/k8s/helm/templates/ingress.yaml (1)

10-11: Annotations duplication issue resolved.

The previous concern about duplicate annotations has been properly addressed by using the trigger-v4.ingress.annotations helper function, which merges annotations from multiple sources without conflicts.

hosting/k8s/helm/templates/postgresql.yaml (1)

81-102: Duplicate volumeClaimTemplates issue resolved.

The previous concern about duplicate volumeClaimTemplates blocks has been properly addressed. The template now has a single, properly structured conditional block that either creates persistent volume claims or uses emptyDir volumes based on configuration.

hosting/k8s/helm/templates/tests/test-clickhouse.yaml (1)

19-19: Security and reliability issues resolved.

Both previous concerns have been properly addressed:

  • Credentials are now passed securely via --user option instead of being embedded in the URL
  • Image is pinned to a specific version (curlimages/curl:8.14.1) instead of using latest

hosting/k8s/helm/templates/tests/test-webapp.yaml (1)

13-13: Image version pinning issue resolved.

The previous concern about using curlimages/curl:latest has been properly addressed by pinning to a specific version (curlimages/curl:8.14.1), ensuring reproducible tests.

🧹 Nitpick comments (12)
hosting/k8s/helm/templates/tests/test-electric.yaml (2)

8-9: Add hook-delete-policy to prevent orphaned test Pods

Successful test Pods will linger unless explicitly cleaned up.
Annotating with a delete-policy keeps the namespace tidy and avoids quota pressure.

   annotations:
     "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded

18-20: Harden the curl check with retries & timeouts

A single timeout spike will mark the test failed even though the service might be healthy.
Adding retry / timeout flags provides a small resilience boost while keeping the test fast.

-          curl -f http://{{ include "trigger-v4.fullname" . }}-electric:{{ .Values.electric.service.port }}/api/status
+          curl -fsS --retry 3 --max-time 5 \
+            http://{{ include "trigger-v4.fullname" . }}-electric:{{ .Values.electric.service.port }}/api/status
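
Review bot: On the added `curl -fsS --retry 3 --max-time 5` line, `--retry` covers timeouts and transient HTTP errors but not a refused connection, which is what the test Pod gets while the backend is not yet accepting connections. Add `--retry-connrefused` so the retries cover that case; the same applies to the supervisor and MinIO tests.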

hosting/k8s/helm/templates/tests/test-supervisor.yaml (2)

8-9: Mirror hook-delete-policy here as well

Same motivation as for the Electric test – keeps the cluster clean.

   annotations:
     "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded

18-20: Add curl resiliency flags

-          curl -f http://{{ include "trigger-v4.fullname" . }}-supervisor:{{ .Values.supervisor.service.ports.metrics }}/metrics
+          curl -fsS --retry 3 --max-time 5 \
+            http://{{ include "trigger-v4.fullname" . }}-supervisor:{{ .Values.supervisor.service.ports.metrics }}/metrics

hosting/k8s/helm/templates/tests/test-minio.yaml (2)

8-9: Add delete policy for test Pod

   annotations:
     "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded

18-20: Retry / timeout for curl

-          curl -f http://{{ include "trigger-v4.fullname" . }}-minio:{{ .Values.minio.service.ports.api }}/minio/health/live
+          curl -fsS --retry 3 --max-time 5 \
+            http://{{ include "trigger-v4.fullname" . }}-minio:{{ .Values.minio.service.ports.api }}/minio/health/live

hosting/k8s/helm/templates/secrets.yaml (1)

10-16: Consider switching to stringData for easier plaintext authoring

Using data requires callers to pre-base64 every value, which is error-prone.
stringData lets users supply plain strings which Helm will encode for them, reducing sharp edges.

-type: Opaque
-data:
+type: Opaque
+stringData:
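
Review bot: This hunk swaps only the `data:` key for `stringData:`. If the entries under it are rendered through `b64enc`, that filter has to be dropped in the same change, otherwise the stored values end up base64-encoded twice.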

(Helm will still render correct base64 in the final manifest.)

hosting/k8s/helm/templates/webapp.yaml (2)

44-48: Remove trailing space & keep command/args YAML-valid

There is a trailing space after command: which trips YAML linters.
While here, make the list form explicit to avoid accidental string coercion.

-          command: 
-            - ./scripts/entrypoint.sh
+          command:
+            - ./scripts/entrypoint.sh

283-284: Add a final newline for POSIX compliance

Several tools complain when files lack a terminating newline; easy win for lint cleanliness.

hosting/k8s/helm/templates/supervisor.yaml (3)

78-86: Init container: add read-only filesystem & non-root by default

You already dropped root privileges—nice. Consider sealing it completely with a read-only root FS:

       securityContext:
         runAsUser: 1000
+        readOnlyRootFilesystem: true
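
Review bot: In this `securityContext`, `runAsUser: 1000` sets the UID but nothing refuses a root image or a privilege gain. Alongside `readOnlyRootFilesystem: true`, add `runAsNonRoot: true` and `allowPrivilegeEscalation: false`, and confirm the init container writes only to mounted volumes, since writes to the root filesystem will fail after this change.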

Small change, big defense-in-depth gain.


117-214: Environment block becoming unwieldy

More than 90 env vars in a single block affects readability & diffability.
Consider extracting groups (e.g., kubernetes, metrics) into named ConfigMaps and mounting them via envFrom, or templating a helper that iterates keys.

Keeps this template maintainable as config grows.


263-263: Missing newline at EOF

YAML lint flags the absence; add a trailing newline for POSIX friendliness.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f883736 and a9c91c5.

📒 Files selected for processing (15)
  • docs/self-hosting/docker.mdx (1 hunks)
  • docs/self-hosting/kubernetes.mdx (1 hunks)
  • hosting/k8s/helm/templates/_helpers.tpl (1 hunks)
  • hosting/k8s/helm/templates/ingress.yaml (1 hunks)
  • hosting/k8s/helm/templates/postgresql.yaml (1 hunks)
  • hosting/k8s/helm/templates/secrets.yaml (1 hunks)
  • hosting/k8s/helm/templates/supervisor.yaml (1 hunks)
  • hosting/k8s/helm/templates/tests/test-clickhouse.yaml (1 hunks)
  • hosting/k8s/helm/templates/tests/test-electric.yaml (1 hunks)
  • hosting/k8s/helm/templates/tests/test-minio.yaml (1 hunks)
  • hosting/k8s/helm/templates/tests/test-supervisor.yaml (1 hunks)
  • hosting/k8s/helm/templates/tests/test-webapp.yaml (1 hunks)
  • hosting/k8s/helm/templates/webapp.yaml (1 hunks)
  • hosting/k8s/helm/values-production-example.yaml (1 hunks)
  • hosting/k8s/helm/values.yaml (1 hunks)
✅ Files skipped from review due to trivial changes (2)
  • docs/self-hosting/docker.mdx
  • docs/self-hosting/kubernetes.mdx
🚧 Files skipped from review as they are similar to previous changes (2)
  • hosting/k8s/helm/values-production-example.yaml
  • hosting/k8s/helm/values.yaml
🧰 Additional context used
🪛 YAMLlint (1.37.1)
hosting/k8s/helm/templates/ingress.yaml

[error] 1-1: syntax error: expected the node content, but found '-' (syntax)
[error] 51-51: no new line character at the end of file (new-line-at-end-of-file)

hosting/k8s/helm/templates/postgresql.yaml

[error] 1-1: syntax error: expected the node content, but found '-' (syntax)
[warning] 18-18: wrong indentation: expected 4 but found 6 (indentation)
[error] 138-138: no new line character at the end of file (new-line-at-end-of-file)

hosting/k8s/helm/templates/secrets.yaml

[error] 1-1: syntax error: expected the node content, but found '-' (syntax)

hosting/k8s/helm/templates/supervisor.yaml

[error] 1-1: syntax error: expected the node content, but found '-' (syntax)
[error] 263-263: no new line character at the end of file (new-line-at-end-of-file)

hosting/k8s/helm/templates/tests/test-clickhouse.yaml

[error] 1-1: syntax error: expected the node content, but found '-' (syntax)

hosting/k8s/helm/templates/tests/test-electric.yaml

[error] 1-1: syntax error: expected the node content, but found '-' (syntax)

hosting/k8s/helm/templates/tests/test-minio.yaml

[error] 1-1: syntax error: expected the node content, but found '-' (syntax)

hosting/k8s/helm/templates/tests/test-supervisor.yaml

[error] 1-1: syntax error: expected the node content, but found '-' (syntax)

hosting/k8s/helm/templates/tests/test-webapp.yaml

[error] 4-4: syntax error: expected , but found '' (syntax)

hosting/k8s/helm/templates/webapp.yaml

[warning] 7-7: wrong indentation: expected 2 but found 4 (indentation)
[warning] 16-16: wrong indentation: expected 4 but found 6 (indentation)
[error] 46-46: trailing spaces (trailing-spaces)
[error] 284-284: no new line character at the end of file (new-line-at-end-of-file)
[error] 4-4: syntax error: expected , but found '' (syntax)

🔇 Additional comments (8)
hosting/k8s/helm/templates/_helpers.tpl (1)

1-253: Comprehensive helper template looks well-structured.

The helper template provides a robust set of utility functions for:

  • Consistent naming and labeling across resources
  • Configurable image references with registry override support
  • Secure connection string generation with proper SSL configuration
  • Flexible service account and authentication handling

The implementation follows Helm best practices and enables proper separation of concerns.

hosting/k8s/helm/templates/ingress.yaml (1)

1-51: Well-structured ingress template with proper conditional rendering.

The ingress template includes:

  • Conditional deployment based on .Values.ingress.enabled
  • Proper TLS configuration with multiple host support
  • Flexible path configuration with sensible defaults
  • Integration with cert-manager and external-dns through helper functions

The implementation follows Kubernetes ingress best practices.

hosting/k8s/helm/templates/postgresql.yaml (2)

50-55: PostgreSQL configuration includes logical replication setup.

The PostgreSQL container is configured with wal_level=logical, which is essential for logical replication features. This shows proper consideration for advanced PostgreSQL use cases.


1-138: Comprehensive PostgreSQL deployment with proper service configuration.

The template provides:

  • StatefulSet with configurable persistence and resources
  • Proper security context and probe configurations
  • Both headless and standard services for different access patterns
  • Consistent labeling and naming through helper functions

The implementation follows StatefulSet best practices for database deployments.

hosting/k8s/helm/templates/tests/test-clickhouse.yaml (1)

1-21: Well-implemented Helm test for ClickHouse health verification.

The test provides:

  • Conditional execution based on ClickHouse configuration
  • Secure credential handling
  • Clear test output with status messages
  • Proper Helm test hook annotation

The implementation ensures reliable health checking for the ClickHouse service.

hosting/k8s/helm/templates/tests/test-webapp.yaml (1)

1-19: Simple and effective webapp health check test.

The test provides:

  • Health endpoint verification via HTTP request
  • Clear test output with status messages
  • Proper Helm test hook annotation
  • Pinned image version for reliability

The implementation provides reliable health verification for the webapp service.

hosting/k8s/helm/templates/secrets.yaml (1)

27-27: 👍 Trim fix applied – resolves prior basic-auth issue

The newline-trimming we flagged previously is now in place.
No further action needed here.

hosting/k8s/helm/templates/supervisor.yaml (1)

80-81: Image tag lacks immutability

busybox:1.35 is mutable in public registries. Pin to a digest (or distroless) to guarantee reproducible builds and avoid surprise CVE regressions.

Example:

-          image: busybox:1.35
+          image: busybox@sha256:<digest>
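
Review bot: The replacement `busybox@sha256:<digest>` drops the `1.35` tag, so a reader can no longer tell which release the digest corresponds to. Write `busybox:1.35@sha256:<digest>` or note the version in a comment beside it.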

@nicktrn nicktrn merged commit 6535cf9 into main Jun 25, 2025
31 checks passed
@nicktrn nicktrn deleted the v4/helm branch June 25, 2025 22:57
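
The review above accepts a version tag for the curl test image (`curlimages/curl:8.14.1` in place of `latest`) and asks for a digest on `busybox:1.35`. The following is an added example, not code from the PR or from CodeRabbit, that classifies `image:` references in rendered manifest text at those two strictness levels. The sample manifest, the all-zero digest and the function names are constructed for illustration.

```python
import re

# Constructed placeholder digest (not a real image digest).
FAKE_DIGEST = "sha256:" + "0" * 64

# Constructed sample of rendered manifest lines; the image names are the
# ones quoted in the review, everything else is made up for the example.
SAMPLE_MANIFEST = f"""\
containers:
  - name: test-webapp
    image: curlimages/curl:latest
  - name: test-clickhouse
    image: curlimages/curl:8.14.1
initContainers:
  - name: init
    image: "busybox:1.35"
  - name: init-pinned
    image: busybox:1.35@{FAKE_DIGEST}
  - name: registry-mirror
    image: localhost:5000/tools/curl
"""

# Matches "image: ref" and "- image: ref", with or without quotes.
IMAGE_LINE = re.compile(r"^\s*(?:-\s*)?image:\s*[\"']?([^\"'\s#]+)")
DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")
RANK = {"floating": 0, "invalid-digest": 0, "tag": 1, "digest": 2}


def classify(ref):
    """Return 'digest', 'tag', 'floating' or 'invalid-digest' for one image reference."""
    name, at, digest = ref.partition("@")
    if at:
        return "digest" if DIGEST.match(digest) else "invalid-digest"
    # A colon introduces a tag only after the last '/'; before it, the colon
    # is a registry port, as in localhost:5000/tools/curl.
    last_component = name.rsplit("/", 1)[-1]
    _, colon, tag = last_component.partition(":")
    if not colon or tag == "latest":
        return "floating"  # no tag means the runtime pulls :latest
    return "tag"


def audit(manifest):
    """Return (line number, reference, class) for every image line."""
    findings = []
    for lineno, line in enumerate(manifest.splitlines(), 1):
        match = IMAGE_LINE.match(line)
        if match:
            findings.append((lineno, match.group(1), classify(match.group(1))))
    return findings


def violations(manifest, require="digest"):
    """Return findings weaker than the required level ('tag' or 'digest')."""
    return [f for f in audit(manifest) if RANK[f[2]] < RANK[require]]


if __name__ == "__main__":
    for lineno, ref, kind in violations(SAMPLE_MANIFEST, require="digest"):
        print(f"line {lineno}: {ref} is {kind}, expected a digest pin")
```

Run it over the output of `helm template` rather than the chart sources, so that templated tags are already resolved.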