feat(helm): add optional PostgreSQL backing store #1579
Open
sauagarwa wants to merge 3 commits into
…redentials
- Add postgres.enabled and postgres.deploy values to control database backend (SQLite vs PostgreSQL) and subchart deployment independently.
- Introduce db-secret.yaml template for Opaque Secret with assembled postgresql:// connection string injected via OPENSHELL_DB_URL env var.
- Add Bitnami PostgreSQL as optional subchart dependency keyed on postgres.deploy to prevent subchart deployment in external mode.
- Externalize JWT signing key file mode via sandboxJwt.secretDefaultMode with 0400 default matching upstream.
- Add validation guard for postgres.deploy=true without postgres.enabled.
- Add helm unit tests covering internal, external, URL-override, special character encoding, and misconfiguration error paths.
- Update README with Kubernetes and OpenShift install examples for bundled and external PostgreSQL configurations.
- Add helm dependency build to lint and unittest tasks.
Collaborator
/ok to test b71c3a7
The helm-docs CI check failed because the Database backend section was added directly to README.md instead of README.md.gotmpl. Move the content to the template and regenerate so the check passes.
Collaborator
/ok to test 6a2b2ee
TaylorMutch
requested changes
May 28, 2026
Comment on lines +123 to +125
helm install openshell oci://ghcr.io/nvidia/openshell/helm-chart --version <version> \
  --set postgres.enabled=true \
  --set postgres.external.url="postgres://user:pass@host:5432/db?sslmode=require"
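Review bot: the `--set postgres.external.url="postgres://user:pass@host:5432/db?sslmode=require"` line (+125) puts a plaintext database password on the command line, where it is retained in shell history and in the values Helm persists with the release record; the README example should instead point the chart at a pre-existing Secret (the `postgres.external.existingSecret` path the PR summary describes) so the install command never carries the credential.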
Collaborator
We probably don't want to include the connection string directly, since it will contain plaintext credentials. We should prefer to use an existing kube secret with those credentials and not do any of our own templating.
Contributor
Author
See the comment above.
Replace the inline db-url stringData pattern with a proper Secret containing individual fields plus a uri key. When postgres.deploy=true the Bitnami service-binding secret is referenced directly; when deploy=false users can supply postgres.external.existingSecret to bring their own Secret, or let the chart generate one from the external field values. Also restructures the README database section for clarity, adds helm-unittest coverage for the new secret resolution paths, and fixes a markdown lint issue in the root README.
Summary
- `postgres.enabled` (use PostgreSQL) and `postgres.deploy` (deploy bundled Bitnami subchart) flags
- `postgres.external.existingSecret` to let users bring their own pre-existing Secret (e.g. from external-secrets-operator or GitOps)
- `postgres.deploy=true`: reference the Bitnami service-binding secret directly instead of duplicating credentials
- `sandboxJwt.secretDefaultMode` with `0400` default

Closes #1599

Changes
- `values.yaml`: Add `postgres.*` values block including `external.existingSecret` and `sandboxJwt.secretDefaultMode`
- `Chart.yaml`: Add Bitnami PostgreSQL optional subchart dependency (condition: `postgres.deploy`)
- `templates/db-secret.yaml`: Chart-managed Opaque Secret with individual credential fields + `uri` key (only created when `deploy=false` and no `existingSecret`)
- `templates/_helpers.tpl`: `openshell.dbSecretName` and `openshell.postgresFullname` helpers for secret resolution across all modes
- `templates/statefulset.yaml`: Conditional `OPENSHELL_DB_URL` env var from Secret `uri` key, scoped checksum annotation
- `templates/gateway-config.yaml`: Omit `db_url` from TOML when PostgreSQL is enabled
- `tests/gateway_config_test.yaml`: Comprehensive test cases covering bundled, external, existingSecret, fullnameOverride, and nameOverride paths
- `README.md.gotmpl`: Restructured database backend section with existingSecret-first flow, separate Kubernetes/OpenShift examples
- `tasks/helm.toml`: Add `helm dependency build` before lint and unittest
- `.gitignore`: Ignore subchart tarballs

Test plan
- `mise run helm:test`: all tests pass
- `mise run pre-commit`: all lint checks pass
- `postgres.enabled=true`, `postgres.deploy=true`
- `postgres.enabled=true`, external host
- `postgres.external.existingSecret` pointing to a pre-existing Secret
- `postgres.deploy=true` without `postgres.enabled=true` fails with clear error
- `postgres.enabled=false`
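The secret resolution the author describes in the reply above and in the Changes list (service-binding Secret when bundled, bring-your-own Secret via `existingSecret`, chart-generated Secret otherwise), written out as three Helm template fragments for this review; this is not the chart's own code. It assumes an `openshell.fullname` helper, `postgres.external.{host,port,database,username,password,sslmode}` values, and that the Bitnami subchart's service-binding Secret is named `<postgresFullname>-svcbind`.

```yaml
{{- /* Validation guard: deploying the subchart without enabling PostgreSQL is a misconfiguration */ -}}
{{- if and .Values.postgres.deploy (not .Values.postgres.enabled) }}
{{- fail "postgres.deploy=true requires postgres.enabled=true" }}
{{- end }}

{{- /* _helpers.tpl fragment: resolve which Secret holds the credentials and the "uri" key */ -}}
{{- define "openshell.dbSecretName" -}}
{{- if .Values.postgres.deploy -}}
{{- /* bundled: reference the Bitnami service-binding Secret; no credentials are copied */ -}}
{{ include "openshell.postgresFullname" . }}-svcbind
{{- else if .Values.postgres.external.existingSecret -}}
{{- /* bring-your-own Secret (external-secrets-operator, GitOps); the chart templates nothing */ -}}
{{ .Values.postgres.external.existingSecret }}
{{- else -}}
{{ include "openshell.fullname" . }}-db
{{- end -}}
{{- end -}}

{{- /* db-secret.yaml fragment: chart-managed Secret, only when nothing else supplies one */ -}}
{{- $ext := .Values.postgres.external }}
{{- if and .Values.postgres.enabled (not .Values.postgres.deploy) (not $ext.existingSecret) }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "openshell.dbSecretName" . }}
type: Opaque
stringData:
  host: {{ $ext.host | quote }}
  port: {{ $ext.port | quote }}
  database: {{ $ext.database | quote }}
  username: {{ $ext.username | quote }}
  password: {{ $ext.password | quote }}
  # urlquery is Go's built-in query escaper: "@", ":" and "/" in the password become %xx,
  # so they cannot be read as URL delimiters. It maps a space to "+", which libpq does not
  # decode, so a password containing spaces needs a pre-encoded existingSecret instead.
  uri: {{ printf "postgresql://%s:%s@%s:%s/%s?sslmode=%s" (urlquery $ext.username) (urlquery $ext.password) $ext.host (toString $ext.port) $ext.database $ext.sslmode | quote }}
{{- end }}

{{- /* statefulset.yaml fragment: the gateway reads only the assembled URI from the resolved Secret */ -}}
{{- if .Values.postgres.enabled }}
        - name: OPENSHELL_DB_URL
          valueFrom:
            secretKeyRef:
              name: {{ include "openshell.dbSecretName" . }}
              key: uri
{{- end }}
```

Because every mode ends in a `secretKeyRef`, `helm template` output and the Helm release values never contain the password, which is the property the reviewer asked for.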