From af2117a217d29eb9f029eda3a8b57db79624710a Mon Sep 17 00:00:00 2001 From: Shiny Brar Date: Wed, 29 Apr 2026 15:00:16 -0700 Subject: [PATCH 1/6] feat(helm): updated skaha helm chart to include the service, rbac for metrics deployment --- helm/applications/skaha/README.md | 14 ++++ .../applications/skaha/templates/_helpers.tpl | 38 +++++++++ .../templates/metrics-backend-deployment.yaml | 77 +++++++++++++++++++ .../skaha/templates/metrics-backend-rbac.yaml | 28 +++++++ .../templates/metrics-backend-service.yaml | 19 +++++ .../skaha/templates/skaha-ingress.yaml | 11 +++ .../templates/skaha-tomcat-deployment.yaml | 5 ++ .../templates/tests/test-metrics-backend.yaml | 36 +++++++++ helm/applications/skaha/values.yaml | 42 ++++++++++ 9 files changed, 270 insertions(+) create mode 100644 helm/applications/skaha/templates/metrics-backend-deployment.yaml create mode 100644 helm/applications/skaha/templates/metrics-backend-rbac.yaml create mode 100644 helm/applications/skaha/templates/metrics-backend-service.yaml create mode 100644 helm/applications/skaha/templates/tests/test-metrics-backend.yaml diff --git a/helm/applications/skaha/README.md b/helm/applications/skaha/README.md index b507d9f3..4ebec45d 100644 --- a/helm/applications/skaha/README.md +++ b/helm/applications/skaha/README.md 
@@ -61,6 +61,20 @@ A Helm chart to install the Skaha web service of the CANFAR Science Platform | ingress.enabled | bool | `true` | Enable ingress routing for the Skaha API. | | ingress.path | string | `"/skaha"` | Ingress path prefix routed to the Skaha API Service. | | kubernetesClusterDomain | string | `"cluster.local"` | Kubernetes DNS domain used when building internal service hostnames. | +| metrics-backend.enabled | bool | `false` | Deploy the Metrics API Deployment, Service, and Kueue ClusterRole for the shared Skaha ServiceAccount (uses this chart's Bitnami Redis for METRICS_REDIS_URL when configured). | +| metrics-backend.env | object | `{}` | Map of environment variables for the Metrics container (typically METRICS_*). GitOps should supply the full map per environment. | +| metrics-backend.image.pullPolicy | string | `"IfNotPresent"` | imagePullPolicy for the Metrics API container. | +| metrics-backend.image.repository | string | `"images.opencadc.org/platform/metrics"` | Metrics container image repository. | +| metrics-backend.image.tag | string | `"v0.1.4"` | Metrics container image tag. | +| metrics-backend.ingress.enabled | bool | `false` | When true and top-level ingress.enabled is true, add a path on the same host routing to the Metrics Service. | +| metrics-backend.ingress.path | string | `"/metrics"` | Ingress path prefix for the Metrics API (Traefik). | +| metrics-backend.redis.enabled | bool | `true` | When true, set METRICS_REDIS_URL to this release's Bitnami Redis master Service (-redis-master), same instance Skaha uses. Set false and supply METRICS_REDIS_URL in env if Metrics should use another Redis. | +| metrics-backend.replicaCount | int | `1` | Fixed replica count for the Metrics API (no HPA in this chart version). | +| metrics-backend.resources | object | `{"limits":{"cpu":"1","memory":"1Gi"},"requests":{"cpu":"100m","memory":"256Mi"}}` | Resource requests and limits for the Metrics API container. 
| +| metrics-backend.revisionHistoryLimit | int | `3` | revisionHistoryLimit for the Metrics API Deployment. | +| metrics-backend.test.enabled | bool | `true` | Run helm test hook that retries /healthz until success (requires metrics-backend.enabled). | +| metrics-backend.test.image | string | `"busybox:1.37.0"` | Image for the helm test hook Pod. | +| metrics-backend.test.maxWaitSeconds | int | `180` | Maximum seconds to wait for Metrics /healthz (should exceed startupProbe worst case plus scheduling margin). | | podSecurityContext | object | `{}` | Optional container-level security context for the Skaha API container. | | redis.architecture | string | `"standalone"` | Redis deployment architecture. | | redis.auth.enabled | bool | `false` | Enable Redis authentication. | diff --git a/helm/applications/skaha/templates/_helpers.tpl b/helm/applications/skaha/templates/_helpers.tpl index 002786d3..796dd125 100644 --- a/helm/applications/skaha/templates/_helpers.tpl +++ b/helm/applications/skaha/templates/_helpers.tpl 
@@ -103,6 +103,44 @@ Create the name of the service account to use {{- end }} {{- end }} +{{- define "skaha.metricsBackend.deploymentName" -}} +{{- printf "%s-skaha-metrics-api" .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- end }} + +{{- define "skaha.metricsBackend.serviceName" -}} +{{- printf "%s-skaha-metrics-api-svc" .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- end }} + +{{- define "skaha.metricsBackend.chartRedisURL" -}} +{{- printf "redis://%s-redis-master.%s.svc.%s:6379/0" .Release.Name .Release.Namespace .Values.kubernetesClusterDomain -}} +{{- end }} + +{{- define "skaha.metricsBackend.internalURL" -}} +{{- printf "http://%s.%s.svc.%s:8000" (include "skaha.metricsBackend.serviceName" .) .Release.Namespace .Values.kubernetesClusterDomain -}} +{{- end }} + +{{- define "skaha.metricsBackend.selectorLabels" -}} +app.kubernetes.io/name: skaha-metrics-api +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/component: metrics-api +{{- end }} + +{{- define "skaha.metricsBackend.labels" -}} +helm.sh/chart: {{ include "skaha.chart" . }} +{{ include "skaha.metricsBackend.selectorLabels" . }} +{{- $mb := index .Values "metrics-backend" | default dict -}} +{{- with $mb.image }} +{{- with .tag }} +app.kubernetes.io/version: {{ . | quote }} +{{- end }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{- define "skaha.metricsBackend.clusterRoleName" -}} +{{- printf "skaha-metrics-%s-%s-kueue-read" .Release.Namespace .Release.Name | replace "." "-" | trunc 63 | trimSuffix "-" -}} +{{- end }} + {{/* USER SESSION TEMPLATE DEFINITIONS diff --git a/helm/applications/skaha/templates/metrics-backend-deployment.yaml b/helm/applications/skaha/templates/metrics-backend-deployment.yaml new file mode 100644 index 00000000..fc8f562e --- /dev/null +++ b/helm/applications/skaha/templates/metrics-backend-deployment.yaml 
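Review bot: `skaha.metricsBackend.chartRedisURL` hard-codes a plaintext `redis://` URL with no credentials, port 6379 and database 0, so it is only correct while the bundled Redis runs without authentication or TLS (the README table in this patch lists `redis.auth.enabled` as `false`). None of the new defines carries a `{{/* … */}}` header, although the hunk header suggests the existing helpers do. I would add one to this define, for example `{{/* Unauthenticated redis:// URL of this release's Redis master; valid only while redis.auth.enabled is false. Supply METRICS_REDIS_URL in metrics-backend.env otherwise. */}}`, so an operator who turns on Redis auth knows the generated URL has to be replaced.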
@@ -0,0 +1,77 @@ +{{- $mb := index .Values "metrics-backend" | default dict }} +{{- if (default false $mb.enabled) }} +{{- $img := $mb.image | default dict }} +{{- $customEnv := $mb.env | default dict }} +{{- $redis := $mb.redis | default dict }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "skaha.metricsBackend.deploymentName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "skaha.metricsBackend.labels" . | nindent 4 }} +spec: + replicas: {{ $mb.replicaCount | default 1 }} + revisionHistoryLimit: {{ $mb.revisionHistoryLimit | default 3 }} + selector: + matchLabels: + {{- include "skaha.metricsBackend.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "skaha.metricsBackend.selectorLabels" . | nindent 8 }} + spec: + serviceAccountName: {{ .Values.deployment.skaha.serviceAccountName }} + automountServiceAccountToken: true + securityContext: + runAsNonRoot: true + runAsUser: 65532 + fsGroup: 65532 + containers: + - name: metrics-api + image: "{{ $img.repository }}:{{ $img.tag | default "v0.1.4" }}" + imagePullPolicy: {{ $img.pullPolicy | default "IfNotPresent" }} + ports: + - name: http + containerPort: 8000 + protocol: TCP + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + env: + {{- if and (default true $redis.enabled) (not (hasKey $customEnv "METRICS_REDIS_URL")) }} + - name: METRICS_REDIS_URL + value: {{ include "skaha.metricsBackend.chartRedisURL" . 
| quote }} + {{- end }} + {{- range $k, $v := $customEnv }} + - name: {{ $k }} + value: {{ $v | quote }} + {{- end }} + startupProbe: + httpGet: + path: /healthz + port: http + failureThreshold: 40 + periodSeconds: 3 + timeoutSeconds: 3 + livenessProbe: + httpGet: + path: /healthz + port: http + initialDelaySeconds: 0 + periodSeconds: 20 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /healthz + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 3 + {{- with $mb.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} +{{- end }} diff --git a/helm/applications/skaha/templates/metrics-backend-rbac.yaml b/helm/applications/skaha/templates/metrics-backend-rbac.yaml new file mode 100644 index 00000000..f9913c03 --- /dev/null +++ b/helm/applications/skaha/templates/metrics-backend-rbac.yaml @@ -0,0 +1,28 @@ +{{- $mb := index .Values "metrics-backend" | default dict }} +{{- if (default false $mb.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "skaha.metricsBackend.clusterRoleName" . }} + labels: + {{- include "skaha.metricsBackend.labels" . | nindent 4 }} +rules: + - apiGroups: ["kueue.x-k8s.io"] + resources: ["clusterqueues", "cohorts"] + verbs: ["get", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "skaha.metricsBackend.clusterRoleName" . }} + labels: + {{- include "skaha.metricsBackend.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "skaha.metricsBackend.clusterRoleName" . }} +subjects: + - kind: ServiceAccount + name: {{ .Values.deployment.skaha.serviceAccountName }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/helm/applications/skaha/templates/metrics-backend-service.yaml b/helm/applications/skaha/templates/metrics-backend-service.yaml new file mode 100644 index 00000000..b1381071 --- /dev/null 
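Review bot: `default true $redis.enabled` in the `env:` guard cannot be switched off, because Sprig's `default` treats a boolean `false` as empty and returns the fallback, so `metrics-backend.redis.enabled: false` still evaluates to true. The same idiom appears as `default true $test.enabled` in tests/test-metrics-backend.yaml and, in patches 2/6 and 4/6, as `default true $rbac.create`, where it means the documented opt-out from creating the cluster-scoped ClusterRole and ClusterRoleBinding has no effect. values.yaml ships explicit defaults for these keys, so reading the value directly is enough, e.g. `{{- if and $redis.enabled (not (hasKey $customEnv "METRICS_REDIS_URL")) }}`. If a missing key must still mean true, compare the string form instead: `(ne (toString $redis.enabled) "false")`.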
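Review bot: The ClusterRoleBinding subject is `.Values.deployment.skaha.serviceAccountName`, the same account metrics-backend-deployment.yaml runs under with `automountServiceAccountToken: true`, so the metrics container receives a token carrying every permission already bound to the Skaha API account, and the Skaha pods gain the Kueue read rule in return. The rules here show the metrics workload needs only `get`/`list` on `clusterqueues` and `cohorts`; what else the shared account may do is not visible in this patch, but a dedicated ServiceAccount for the metrics Deployment, bound only to this ClusterRole, would keep the two identities separate. If sharing is intentional, a template comment saying why would help, as would failing at render time when the name is unset instead of emitting a binding with an empty subject: `name: {{ required "deployment.skaha.serviceAccountName is required" .Values.deployment.skaha.serviceAccountName }}`.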
+++ b/helm/applications/skaha/templates/metrics-backend-service.yaml @@ -0,0 +1,19 @@ +{{- $mb := index .Values "metrics-backend" | default dict }} +{{- if (default false $mb.enabled) }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "skaha.metricsBackend.serviceName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "skaha.metricsBackend.labels" . | nindent 4 }} +spec: + type: ClusterIP + selector: + {{- include "skaha.metricsBackend.selectorLabels" . | nindent 4 }} + ports: + - name: http + port: 8000 + targetPort: http + protocol: TCP +{{- end }} diff --git a/helm/applications/skaha/templates/skaha-ingress.yaml b/helm/applications/skaha/templates/skaha-ingress.yaml index 91cd2bcf..e85b6e88 100644 --- a/helm/applications/skaha/templates/skaha-ingress.yaml +++ b/helm/applications/skaha/templates/skaha-ingress.yaml @@ -1,4 +1,5 @@ {{- if .Values.ingress.enabled }} +{{- $mb := index .Values "metrics-backend" | default dict }} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: @@ -18,4 +19,14 @@ spec: name: {{ .Release.Name }}-skaha-tomcat-svc port: number: {{ .Values.service.port | default "8080" }} + {{- $ming := $mb.ingress | default dict }} + {{- if and (default false $mb.enabled) $ming.enabled }} + - path: {{ $ming.path | default "/metrics" }} + pathType: Prefix + backend: + service: + name: {{ include "skaha.metricsBackend.serviceName" . }} + port: + name: http + {{- end }} {{- end }} diff --git a/helm/applications/skaha/templates/skaha-tomcat-deployment.yaml b/helm/applications/skaha/templates/skaha-tomcat-deployment.yaml index 17b932dd..8595ded8 100644 --- a/helm/applications/skaha/templates/skaha-tomcat-deployment.yaml +++ b/helm/applications/skaha/templates/skaha-tomcat-deployment.yaml 
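Review bot: The new `/metrics` rule in the second skaha-ingress.yaml hunk publishes the Metrics API on the same host as Skaha, and nothing in this section attaches authentication or an allow-list to that path; whether the service authenticates requests itself is not visible here. I would say so in the `metrics-backend.ingress.enabled` description so operators enable it knowingly, for example `# -- Exposes the Metrics API outside the cluster on the Skaha host; enable only if the API enforces its own authentication.` The path is also rendered unquoted, so `- path: {{ $ming.path | default "/metrics" | quote }}` would protect against values that YAML would retype. The paths list this rule joins starts outside the hunk.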
@@ -139,6 +139,11 @@ spec: value: "{{ .Release.Name }}-redis-master.{{ .Release.Namespace }}.svc.{{ .Values.kubernetesClusterDomain }}" - name: REDIS_PORT value: "6379" + {{- $mb := index .Values "metrics-backend" | default dict }} + {{- if (default false $mb.enabled) }} + - name: SKAHA_METRICS_BACKEND_URL + value: {{ include "skaha.metricsBackend.internalURL" . | quote }} + {{- end }} - name: SKAHA_EXPERIMENTAL_FEATURE_GATES value: "{{ include "skaha.experimentalFeatureGates" $ }}" {{- with .Values.deployment.skaha.extraEnv }} diff --git a/helm/applications/skaha/templates/tests/test-metrics-backend.yaml b/helm/applications/skaha/templates/tests/test-metrics-backend.yaml new file mode 100644 index 00000000..0ec9ff61 --- /dev/null +++ b/helm/applications/skaha/templates/tests/test-metrics-backend.yaml @@ -0,0 +1,36 @@ +{{- $mb := index .Values "metrics-backend" | default dict }} +{{- $test := $mb.test | default dict }} +{{- if and (default false $mb.enabled) (default true $test.enabled) }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "skaha.fullname" . }}-test-metrics-backend + labels: + {{- include "skaha.labels" . | nindent 4 }} + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded +spec: + containers: + - name: wget + image: {{ $test.image | default "busybox:1.37.0" }} + command: + - /bin/sh + - -c + - | + set -e + url="http://{{ include "skaha.metricsBackend.serviceName" . }}.{{ .Release.Namespace }}.svc.{{ .Values.kubernetesClusterDomain }}:8000/healthz" + max={{ $test.maxWaitSeconds | default 180 }} + i=0 + while [ "$i" -lt "$max" ]; do + if wget -q -T 3 -O /dev/null "$url" 2>/dev/null; then + echo "metrics-backend health check ok" + exit 0 + fi + i=$((i+1)) + sleep 1 + done + echo "metrics-backend health check failed after ${max}s" >&2 + exit 1 + restartPolicy: Never +{{- end }} diff --git a/helm/applications/skaha/values.yaml b/helm/applications/skaha/values.yaml index e9f63a7f..fe18855d 100644 
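Review bot: The test hook Pod in tests/test-metrics-backend.yaml sets no `securityContext`, so the busybox container runs as the image's default user with default capabilities, unlike the metrics Deployment in this patch, which sets `runAsNonRoot`, drops all capabilities and disables privilege escalation. In a namespace that enforces a restricted Pod Security level the hook would likely be rejected, and elsewhere it runs with more privilege than a `wget` probe needs. Unless the namespace's default ServiceAccount disables automounting, the Pod also gets a token that the script never uses. I would add the settings below; the UID mirrors the Deployment's 65532 and should be confirmed to work with the chosen test image.

```yaml
# … unchanged: metadata and hook annotations …
spec:
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true
    runAsUser: 65532
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: wget
      image: {{ $test.image | default "busybox:1.37.0" | quote }}
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
      # … unchanged: command with the /healthz retry loop …
```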
--- a/helm/applications/skaha/values.yaml +++ b/helm/applications/skaha/values.yaml 
@@ -495,6 +495,48 @@ ingress: # -- Ingress path prefix routed to the Skaha API Service. path: /skaha +# Optional science-platform Metrics API in the same release as Skaha (see README). +# Access in templates via index .Values "metrics-backend" (hyphenated key). +"metrics-backend": + # -- Deploy the Metrics API Deployment, Service, and Kueue ClusterRole for the shared Skaha ServiceAccount (uses this chart's Bitnami Redis for METRICS_REDIS_URL when configured). + enabled: false + # -- Fixed replica count for the Metrics API (no HPA in this chart version). + replicaCount: 1 + image: + # -- Metrics container image repository. + repository: images.opencadc.org/platform/metrics + # -- Metrics container image tag. + tag: v0.1.4 + # -- imagePullPolicy for the Metrics API container. + pullPolicy: IfNotPresent + # -- Resource requests and limits for the Metrics API container. + resources: + requests: + cpu: 100m + memory: 256Mi + limits: + cpu: "1" + memory: 1Gi + # -- Map of environment variables for the Metrics container (typically METRICS_*). GitOps should supply the full map per environment. + env: {} + redis: + # -- When true, set METRICS_REDIS_URL to this release's Bitnami Redis master Service (-redis-master), same instance Skaha uses. Set false and supply METRICS_REDIS_URL in env if Metrics should use another Redis. + enabled: true + # -- revisionHistoryLimit for the Metrics API Deployment. + revisionHistoryLimit: 3 + ingress: + # -- When true and top-level ingress.enabled is true, add a path on the same host routing to the Metrics Service. + enabled: false + # -- Ingress path prefix for the Metrics API (Traefik). + path: /metrics + test: + # -- Run helm test hook that retries /healthz until success (requires metrics-backend.enabled). + enabled: true + # -- Image for the helm test hook Pod. + image: busybox:1.37.0 + # -- Maximum seconds to wait for Metrics /healthz (should exceed startupProbe worst case plus scheduling margin). 
+ maxWaitSeconds: 180 + experimentalFeatures: # Experimental features that can be enabled. These represent features that are not released and confined behind feature flags. # -- Enable processing of experimental feature gates. From 1345968e941723da6e0896f87d1d67eb0cceb3f9 Mon Sep 17 00:00:00 2001 From: Shiny Brar Date: Wed, 6 May 2026 14:49:01 -0700 Subject: [PATCH 2/6] fix(skaha): gate metrics Kueue RBAC with rbac.create, not enabled alone Address PR review: cluster-scoped RBAC is controlled by an explicit metrics-backend.rbac.create knob (default true), matching the session limit range pattern. metrics-backend.enabled continues to gate the metrics Deployment and Service. --- helm/applications/skaha/README.md | 3 ++- helm/applications/skaha/templates/metrics-backend-rbac.yaml | 4 +++- helm/applications/skaha/values.yaml | 5 ++++- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/helm/applications/skaha/README.md b/helm/applications/skaha/README.md index 4ebec45d..27df1909 100644 --- a/helm/applications/skaha/README.md +++ b/helm/applications/skaha/README.md 
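Review bot: The `env` map is rendered by the metrics Deployment as literal `value:` entries, so anything placed here, including a `METRICS_REDIS_URL` that embeds a password, ends up in plain text in the values source, the Helm release record and the Pod spec. The comment on `env` should say so, e.g. `# -- Plain-text environment variables for the Metrics container (typically METRICS_*). Do not put credentials here; values are rendered verbatim into the Pod spec.` The Skaha Deployment touched in this patch reads `deployment.skaha.extraEnv`; if that is a list of full env entries, a matching list for the metrics container would let operators use `valueFrom.secretKeyRef`, which is worth confirming against the existing template.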
@@ -61,7 +61,8 @@ A Helm chart to install the Skaha web service of the CANFAR Science Platform | ingress.enabled | bool | `true` | Enable ingress routing for the Skaha API. | | ingress.path | string | `"/skaha"` | Ingress path prefix routed to the Skaha API Service. | | kubernetesClusterDomain | string | `"cluster.local"` | Kubernetes DNS domain used when building internal service hostnames. | -| metrics-backend.enabled | bool | `false` | Deploy the Metrics API Deployment, Service, and Kueue ClusterRole for the shared Skaha ServiceAccount (uses this chart's Bitnami Redis for METRICS_REDIS_URL when configured). | +| metrics-backend.enabled | bool | `false` | Deploy the Metrics API Deployment and Service for the shared Skaha ServiceAccount (uses this chart's Bitnami Redis for METRICS_REDIS_URL when configured). Kueue read ClusterRole/RBAC is gated by metrics-backend.rbac.create. | +| metrics-backend.rbac.create | bool | `true` | Create ClusterRole and ClusterRoleBinding for Kueue API read access (cluster-scoped resources). Set false if RBAC is managed outside this chart; requires a deployer with permission to create cluster-scoped RBAC when true. | | metrics-backend.env | object | `{}` | Map of environment variables for the Metrics container (typically METRICS_*). GitOps should supply the full map per environment. | | metrics-backend.image.pullPolicy | string | `"IfNotPresent"` | imagePullPolicy for the Metrics API container. | | metrics-backend.image.repository | string | `"images.opencadc.org/platform/metrics"` | Metrics container image repository. | diff --git a/helm/applications/skaha/templates/metrics-backend-rbac.yaml b/helm/applications/skaha/templates/metrics-backend-rbac.yaml index f9913c03..f8a3a489 100644 --- a/helm/applications/skaha/templates/metrics-backend-rbac.yaml +++ b/helm/applications/skaha/templates/metrics-backend-rbac.yaml 
@@ -1,5 +1,7 @@ {{- $mb := index .Values "metrics-backend" | default dict }} -{{- if (default false $mb.enabled) }} +{{- $rbac := $mb.rbac | default dict }} +{{/* Kueue read ClusterRole/RBAC. If created outside this chart, set metrics-backend.rbac.create to false. */}} +{{- if and (default false $mb.enabled) (default true $rbac.create) }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/helm/applications/skaha/values.yaml b/helm/applications/skaha/values.yaml index fe18855d..73be77d7 100644 --- a/helm/applications/skaha/values.yaml +++ b/helm/applications/skaha/values.yaml @@ -498,8 +498,11 @@ ingress: # Optional science-platform Metrics API in the same release as Skaha (see README). # Access in templates via index .Values "metrics-backend" (hyphenated key). "metrics-backend": - # -- Deploy the Metrics API Deployment, Service, and Kueue ClusterRole for the shared Skaha ServiceAccount (uses this chart's Bitnami Redis for METRICS_REDIS_URL when configured). + # -- Deploy the Metrics API Deployment and Service for the shared Skaha ServiceAccount (uses this chart's Bitnami Redis for METRICS_REDIS_URL when configured). Kueue read ClusterRole/RBAC is gated by metrics-backend.rbac.create. enabled: false + rbac: + # -- Create ClusterRole and ClusterRoleBinding for Kueue API read access (cluster-scoped resources). Set false if RBAC is managed outside this chart; requires a deployer with permission to create cluster-scoped RBAC when true. + create: true # -- Fixed replica count for the Metrics API (no HPA in this chart version). replicaCount: 1 image: From 5a3f6874c421a6e57592742700344b738026f8ef Mon Sep 17 00:00:00 2001 
From: Shiny Brar Date: Wed, 6 May 2026 14:51:00 -0700 Subject: [PATCH 3/6] fix(skaha): default metrics-backend.rbac.create to false Opt out of cluster-scoped RBAC unless GitOps sets rbac.create: true. --- helm/applications/skaha/README.md | 4 ++-- helm/applications/skaha/templates/metrics-backend-rbac.yaml | 2 +- helm/applications/skaha/values.yaml | 6 +++--- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/helm/applications/skaha/README.md b/helm/applications/skaha/README.md index 27df1909..e55dacad 100644 --- a/helm/applications/skaha/README.md +++ b/helm/applications/skaha/README.md 
@@ -61,8 +61,8 @@ A Helm chart to install the Skaha web service of the CANFAR Science Platform | ingress.enabled | bool | `true` | Enable ingress routing for the Skaha API. | | ingress.path | string | `"/skaha"` | Ingress path prefix routed to the Skaha API Service. | | kubernetesClusterDomain | string | `"cluster.local"` | Kubernetes DNS domain used when building internal service hostnames. | -| metrics-backend.enabled | bool | `false` | Deploy the Metrics API Deployment and Service for the shared Skaha ServiceAccount (uses this chart's Bitnami Redis for METRICS_REDIS_URL when configured). Kueue read ClusterRole/RBAC is gated by metrics-backend.rbac.create. | -| metrics-backend.rbac.create | bool | `true` | Create ClusterRole and ClusterRoleBinding for Kueue API read access (cluster-scoped resources). Set false if RBAC is managed outside this chart; requires a deployer with permission to create cluster-scoped RBAC when true. | +| metrics-backend.enabled | bool | `false` | Deploy the Metrics API Deployment and Service for the shared Skaha ServiceAccount (uses this chart's Bitnami Redis for METRICS_REDIS_URL when configured). Kueue ClusterRole/RBAC requires metrics-backend.rbac.create (off by default). | +| metrics-backend.rbac.create | bool | `false` | Create ClusterRole and ClusterRoleBinding for Kueue API read access (cluster-scoped resources). Default false so installs need not assume cluster RBAC permissions; set true where the deployer may create cluster RBAC. | | metrics-backend.env | object | `{}` | Map of environment variables for the Metrics container (typically METRICS_*). GitOps should supply the full map per environment. | | metrics-backend.image.pullPolicy | string | `"IfNotPresent"` | imagePullPolicy for the Metrics API container. | | metrics-backend.image.repository | string | `"images.opencadc.org/platform/metrics"` | Metrics container image repository. | 
diff --git a/helm/applications/skaha/templates/metrics-backend-rbac.yaml b/helm/applications/skaha/templates/metrics-backend-rbac.yaml index f8a3a489..99d0043b 100644 --- a/helm/applications/skaha/templates/metrics-backend-rbac.yaml +++ b/helm/applications/skaha/templates/metrics-backend-rbac.yaml @@ -1,7 +1,7 @@ {{- $mb := index .Values "metrics-backend" | default dict }} {{- $rbac := $mb.rbac | default dict }} {{/* Kueue read ClusterRole/RBAC. If created outside this chart, set metrics-backend.rbac.create to false. */}} -{{- if and (default false $mb.enabled) (default true $rbac.create) }} +{{- if and (default false $mb.enabled) $rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/helm/applications/skaha/values.yaml b/helm/applications/skaha/values.yaml index 73be77d7..c5cfc66e 100644 --- a/helm/applications/skaha/values.yaml +++ b/helm/applications/skaha/values.yaml 
@@ -498,11 +498,11 @@ ingress: # Optional science-platform Metrics API in the same release as Skaha (see README). # Access in templates via index .Values "metrics-backend" (hyphenated key). "metrics-backend": - # -- Deploy the Metrics API Deployment and Service for the shared Skaha ServiceAccount (uses this chart's Bitnami Redis for METRICS_REDIS_URL when configured). Kueue read ClusterRole/RBAC is gated by metrics-backend.rbac.create. + # -- Deploy the Metrics API Deployment and Service for the shared Skaha ServiceAccount (uses this chart's Bitnami Redis for METRICS_REDIS_URL when configured). Kueue ClusterRole/RBAC requires metrics-backend.enabled and metrics-backend.rbac.create (off by default). enabled: false rbac: - # -- Create ClusterRole and ClusterRoleBinding for Kueue API read access (cluster-scoped resources). Set false if RBAC is managed outside this chart; requires a deployer with permission to create cluster-scoped RBAC when true. - create: true + # -- Create ClusterRole and ClusterRoleBinding for Kueue API read access (cluster-scoped resources). Default false so plain installs do not require cluster-scoped RBAC; set true where the deployer may create cluster RBAC. + create: false # -- Fixed replica count for the Metrics API (no HPA in this chart version). replicaCount: 1 image: From a8528c46a33785135fe99d843e26cf81e8f57444 Mon Sep 17 00:00:00 2001 From: Shiny Brar Date: Wed, 6 May 2026 14:52:25 -0700 Subject: [PATCH 4/6] revert(skaha): restore metrics rbac.create default true Undo default-false rbac; keep gated by enabled and rbac.create. --- helm/applications/skaha/README.md | 4 ++-- helm/applications/skaha/templates/metrics-backend-rbac.yaml | 2 +- helm/applications/skaha/values.yaml | 6 +++--- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/helm/applications/skaha/README.md b/helm/applications/skaha/README.md index e55dacad..27df1909 100644 --- a/helm/applications/skaha/README.md +++ b/helm/applications/skaha/README.md 
@@ -61,8 +61,8 @@ A Helm chart to install the Skaha web service of the CANFAR Science Platform | ingress.enabled | bool | `true` | Enable ingress routing for the Skaha API. | | ingress.path | string | `"/skaha"` | Ingress path prefix routed to the Skaha API Service. | | kubernetesClusterDomain | string | `"cluster.local"` | Kubernetes DNS domain used when building internal service hostnames. | -| metrics-backend.enabled | bool | `false` | Deploy the Metrics API Deployment and Service for the shared Skaha ServiceAccount (uses this chart's Bitnami Redis for METRICS_REDIS_URL when configured). Kueue ClusterRole/RBAC requires metrics-backend.rbac.create (off by default). | -| metrics-backend.rbac.create | bool | `false` | Create ClusterRole and ClusterRoleBinding for Kueue API read access (cluster-scoped resources). Default false so installs need not assume cluster RBAC permissions; set true where the deployer may create cluster RBAC. | +| metrics-backend.enabled | bool | `false` | Deploy the Metrics API Deployment and Service for the shared Skaha ServiceAccount (uses this chart's Bitnami Redis for METRICS_REDIS_URL when configured). Kueue read ClusterRole/RBAC is gated by metrics-backend.rbac.create. | +| metrics-backend.rbac.create | bool | `true` | Create ClusterRole and ClusterRoleBinding for Kueue API read access (cluster-scoped resources). Set false if RBAC is managed outside this chart; requires a deployer with permission to create cluster-scoped RBAC when true. | | metrics-backend.env | object | `{}` | Map of environment variables for the Metrics container (typically METRICS_*). GitOps should supply the full map per environment. | | metrics-backend.image.pullPolicy | string | `"IfNotPresent"` | imagePullPolicy for the Metrics API container. | | metrics-backend.image.repository | string | `"images.opencadc.org/platform/metrics"` | Metrics container image repository. | 
diff --git a/helm/applications/skaha/templates/metrics-backend-rbac.yaml b/helm/applications/skaha/templates/metrics-backend-rbac.yaml index 99d0043b..f8a3a489 100644 --- a/helm/applications/skaha/templates/metrics-backend-rbac.yaml +++ b/helm/applications/skaha/templates/metrics-backend-rbac.yaml @@ -1,7 +1,7 @@ {{- $mb := index .Values "metrics-backend" | default dict }} {{- $rbac := $mb.rbac | default dict }} {{/* Kueue read ClusterRole/RBAC. If created outside this chart, set metrics-backend.rbac.create to false. */}} -{{- if and (default false $mb.enabled) $rbac.create }} +{{- if and (default false $mb.enabled) (default true $rbac.create) }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/helm/applications/skaha/values.yaml b/helm/applications/skaha/values.yaml index c5cfc66e..73be77d7 100644 --- a/helm/applications/skaha/values.yaml +++ b/helm/applications/skaha/values.yaml 
@@ -498,11 +498,11 @@ ingress: # Optional science-platform Metrics API in the same release as Skaha (see README). # Access in templates via index .Values "metrics-backend" (hyphenated key). "metrics-backend": - # -- Deploy the Metrics API Deployment and Service for the shared Skaha ServiceAccount (uses this chart's Bitnami Redis for METRICS_REDIS_URL when configured). Kueue ClusterRole/RBAC requires metrics-backend.enabled and metrics-backend.rbac.create (off by default). + # -- Deploy the Metrics API Deployment and Service for the shared Skaha ServiceAccount (uses this chart's Bitnami Redis for METRICS_REDIS_URL when configured). Kueue read ClusterRole/RBAC is gated by metrics-backend.rbac.create. enabled: false rbac: - # -- Create ClusterRole and ClusterRoleBinding for Kueue API read access (cluster-scoped resources). Default false so plain installs do not require cluster-scoped RBAC; set true where the deployer may create cluster RBAC. - create: false + # -- Create ClusterRole and ClusterRoleBinding for Kueue API read access (cluster-scoped resources). Set false if RBAC is managed outside this chart; requires a deployer with permission to create cluster-scoped RBAC when true. + create: true # -- Fixed replica count for the Metrics API (no HPA in this chart version). replicaCount: 1 image: From 0b819f14ca7236ccfbaac6d063805d38ef552c61 Mon Sep 17 00:00:00 2001 
From: Shiny Brar Date: Wed, 6 May 2026 15:11:36 -0700 Subject: [PATCH 5/6] refactor(skaha): metricsBackend values key, single enabled gate - Rename values key from metrics-backend to metricsBackend; drop rbac.create - Replace template files with metricsBackend-*.yaml naming - Document RBAC-before-workload Helm kind ordering for fail-fast installs - Rename helm test Pod to *-metrics-backend-test (DNS-safe) --- helm/applications/skaha/README.md | 33 ++++++++++--------- .../applications/skaha/templates/_helpers.tpl | 2 +- ...nt.yaml => metricsBackend-deployment.yaml} | 2 +- ...end-rbac.yaml => metricsBackend-rbac.yaml} | 12 ++++--- ...rvice.yaml => metricsBackend-service.yaml} | 2 +- .../skaha/templates/skaha-ingress.yaml | 2 +- .../templates/skaha-tomcat-deployment.yaml | 2 +- ...-backend.yaml => test-metricsBackend.yaml} | 8 ++--- helm/applications/skaha/values.yaml | 10 ++---- 9 files changed, 38 insertions(+), 35 deletions(-) rename helm/applications/skaha/templates/{metrics-backend-deployment.yaml => metricsBackend-deployment.yaml} (97%) rename helm/applications/skaha/templates/{metrics-backend-rbac.yaml => metricsBackend-rbac.yaml} (65%) rename helm/applications/skaha/templates/{metrics-backend-service.yaml => metricsBackend-service.yaml} (88%) rename helm/applications/skaha/templates/tests/{test-metrics-backend.yaml => test-metricsBackend.yaml} (79%) diff --git a/helm/applications/skaha/README.md b/helm/applications/skaha/README.md index 27df1909..26799e9c 100644 --- a/helm/applications/skaha/README.md +++ b/helm/applications/skaha/README.md 
@@ -61,21 +61,20 @@ A Helm chart to install the Skaha web service of the CANFAR Science Platform | ingress.enabled | bool | `true` | Enable ingress routing for the Skaha API. | | ingress.path | string | `"/skaha"` | Ingress path prefix routed to the Skaha API Service. | | kubernetesClusterDomain | string | `"cluster.local"` | Kubernetes DNS domain used when building internal service hostnames. | -| metrics-backend.enabled | bool | `false` | Deploy the Metrics API Deployment and Service for the shared Skaha ServiceAccount (uses this chart's Bitnami Redis for METRICS_REDIS_URL when configured). Kueue read ClusterRole/RBAC is gated by metrics-backend.rbac.create. | -| metrics-backend.rbac.create | bool | `true` | Create ClusterRole and ClusterRoleBinding for Kueue API read access (cluster-scoped resources). Set false if RBAC is managed outside this chart; requires a deployer with permission to create cluster-scoped RBAC when true. | -| metrics-backend.env | object | `{}` | Map of environment variables for the Metrics container (typically METRICS_*). GitOps should supply the full map per environment. | -| metrics-backend.image.pullPolicy | string | `"IfNotPresent"` | imagePullPolicy for the Metrics API container. | -| metrics-backend.image.repository | string | `"images.opencadc.org/platform/metrics"` | Metrics container image repository. | -| metrics-backend.image.tag | string | `"v0.1.4"` | Metrics container image tag. | -| metrics-backend.ingress.enabled | bool | `false` | When true and top-level ingress.enabled is true, add a path on the same host routing to the Metrics Service. | -| metrics-backend.ingress.path | string | `"/metrics"` | Ingress path prefix for the Metrics API (Traefik). | -| metrics-backend.redis.enabled | bool | `true` | When true, set METRICS_REDIS_URL to this release's Bitnami Redis master Service (-redis-master), same instance Skaha uses. Set false and supply METRICS_REDIS_URL in env if Metrics should use another Redis. 
| -| metrics-backend.replicaCount | int | `1` | Fixed replica count for the Metrics API (no HPA in this chart version). | -| metrics-backend.resources | object | `{"limits":{"cpu":"1","memory":"1Gi"},"requests":{"cpu":"100m","memory":"256Mi"}}` | Resource requests and limits for the Metrics API container. | -| metrics-backend.revisionHistoryLimit | int | `3` | revisionHistoryLimit for the Metrics API Deployment. | -| metrics-backend.test.enabled | bool | `true` | Run helm test hook that retries /healthz until success (requires metrics-backend.enabled). | -| metrics-backend.test.image | string | `"busybox:1.37.0"` | Image for the helm test hook Pod. | -| metrics-backend.test.maxWaitSeconds | int | `180` | Maximum seconds to wait for Metrics /healthz (should exceed startupProbe worst case plus scheduling margin). | +| metricsBackend.enabled | bool | `false` | When true, install Kueue-read ClusterRole/Binding (Helm installs these before the metrics workload kinds; see below), then Metrics Service and Deployment. Uses this chart's Bitnami Redis for METRICS_REDIS_URL when configured. | +| metricsBackend.env | object | `{}` | Map of environment variables for the Metrics container (typically METRICS_*). GitOps should supply the full map per environment. | +| metricsBackend.image.pullPolicy | string | `"IfNotPresent"` | imagePullPolicy for the Metrics API container. | +| metricsBackend.image.repository | string | `"images.opencadc.org/platform/metrics"` | Metrics container image repository. | +| metricsBackend.image.tag | string | `"v0.1.4"` | Metrics container image tag. | +| metricsBackend.ingress.enabled | bool | `false` | When true and top-level ingress.enabled is true, add a path on the same host routing to the Metrics Service. | +| metricsBackend.ingress.path | string | `"/metrics"` | Ingress path prefix for the Metrics API (Traefik). 
| +| metricsBackend.redis.enabled | bool | `true` | When true, set METRICS_REDIS_URL to this release's Bitnami Redis master Service (-redis-master), same instance Skaha uses. Set false and supply METRICS_REDIS_URL in env if Metrics should use another Redis. | +| metricsBackend.replicaCount | int | `1` | Fixed replica count for the Metrics API (no HPA in this chart version). | +| metricsBackend.resources | object | `{"limits":{"cpu":"1","memory":"1Gi"},"requests":{"cpu":"100m","memory":"256Mi"}}` | Resource requests and limits for the Metrics API container. | +| metricsBackend.revisionHistoryLimit | int | `3` | revisionHistoryLimit for the Metrics API Deployment. | +| metricsBackend.test.enabled | bool | `true` | Run helm test hook that retries /healthz until success (requires metricsBackend.enabled). | +| metricsBackend.test.image | string | `"busybox:1.37.0"` | Image for the helm test hook Pod. | +| metricsBackend.test.maxWaitSeconds | int | `180` | Maximum seconds to wait for Metrics /healthz (should exceed startupProbe worst case plus scheduling margin). | | podSecurityContext | object | `{}` | Optional container-level security context for the Skaha API container. | | redis.architecture | string | `"standalone"` | Redis deployment architecture. | | redis.auth.enabled | bool | `false` | Enable Redis authentication. | 
@@ -95,3 +94,7 @@ A Helm chart to install the Skaha web service of the CANFAR Science Platform
 | service.port | int | `8080` | Service port exposed for the Skaha API Service. |
 | skahaWorkload.namespace | string | `"skaha-workload"` | Workload namespace used for user session Jobs and related resources. |
 | tolerations | list | `[]` | Tolerations applied to the Skaha API Pod. |
+
+## metricsBackend install ordering
+
+When `metricsBackend.enabled` is true, the chart emits `ClusterRole`, `ClusterRoleBinding`, `Service`, and `Deployment` for metrics. Helm applies manifest groups in a deterministic [kind order](https://github.com/helm/helm/blob/main/pkg/releaseutil/kind_sorter.go) so RBAC objects are reconciled before typical namespaced workload kinds. If the API server rejects creating or updating those cluster-scoped RBAC rules (for example the caller lacks permission), the release fails instead of only rolling out a broken metrics `Deployment`. `helm test` (optional) still targets the running Service after install; it does not replace RBAC admission checks.
diff --git a/helm/applications/skaha/templates/_helpers.tpl b/helm/applications/skaha/templates/_helpers.tpl
index 796dd125..f95bb915 100644
--- a/helm/applications/skaha/templates/_helpers.tpl
+++ b/helm/applications/skaha/templates/_helpers.tpl
@@ -128,7 +128,7 @@ app.kubernetes.io/component: metrics-api
 {{- define "skaha.metricsBackend.labels" -}}
 helm.sh/chart: {{ include "skaha.chart" . }}
 {{ include "skaha.metricsBackend.selectorLabels" . }}
-{{- $mb := index .Values "metrics-backend" | default dict -}}
+{{- $mb := .Values.metricsBackend | default dict -}}
 {{- with $mb.image }}
 {{- with .tag }}
 app.kubernetes.io/version: {{ . | quote }}
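Review bot: Switching the lookup in `_helpers.tpl` to `.Values.metricsBackend` means overrides still written under the old `metrics-backend` key are ignored without any error, so an upgrade would quietly render `enabled: false` and drop the metrics Deployment, Service and RBAC from the release. The same one-line change recurs in the deployment, rbac, service, ingress, tomcat-deployment and test template hunks that follow. A guard in a template that always renders would turn the stale key into a visible failure, for example `{{- if hasKey .Values "metrics-backend" }}{{- fail "values key metrics-backend was renamed to metricsBackend" }}{{- end }}`. This assumes no values schema outside the diff already rejects unknown keys; the `skaha.metricsBackend.labels` define continues past the hunk.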
diff --git a/helm/applications/skaha/templates/metrics-backend-deployment.yaml b/helm/applications/skaha/templates/metricsBackend-deployment.yaml
similarity index 97%
rename from helm/applications/skaha/templates/metrics-backend-deployment.yaml
rename to helm/applications/skaha/templates/metricsBackend-deployment.yaml
index fc8f562e..4f46e795 100644
--- a/helm/applications/skaha/templates/metrics-backend-deployment.yaml
+++ b/helm/applications/skaha/templates/metricsBackend-deployment.yaml
@@ -1,4 +1,4 @@
-{{- $mb := index .Values "metrics-backend" | default dict }}
+{{- $mb := .Values.metricsBackend | default dict }}
 {{- if (default false $mb.enabled) }}
 {{- $img := $mb.image | default dict }}
 {{- $customEnv := $mb.env | default dict }}
diff --git a/helm/applications/skaha/templates/metrics-backend-rbac.yaml b/helm/applications/skaha/templates/metricsBackend-rbac.yaml
similarity index 65%
rename from helm/applications/skaha/templates/metrics-backend-rbac.yaml
rename to helm/applications/skaha/templates/metricsBackend-rbac.yaml
index f8a3a489..35cf75c0 100644
--- a/helm/applications/skaha/templates/metrics-backend-rbac.yaml
+++ b/helm/applications/skaha/templates/metricsBackend-rbac.yaml
@@ -1,7 +1,11 @@
-{{- $mb := index .Values "metrics-backend" | default dict }}
-{{- $rbac := $mb.rbac | default dict }}
-{{/* Kueue read ClusterRole/RBAC. If created outside this chart, set metrics-backend.rbac.create to false. */}}
-{{- if and (default false $mb.enabled) (default true $rbac.create) }}
+{{- $mb := .Values.metricsBackend | default dict }}
+{{- if (default false $mb.enabled) }}
+{{/*
+ Kueue read ClusterRole / ClusterRoleBinding. With metricsBackend.enabled Helm renders these
+ before the metrics Deployment and Service (Helm builtin kind install order applies RBAC before
+ typical workload kinds). Apply failures (for example forbidden cluster RBAC) fail the release
+ before those workload resources reconcile.
+*/}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/helm/applications/skaha/templates/metrics-backend-service.yaml b/helm/applications/skaha/templates/metricsBackend-service.yaml
similarity index 88%
rename from helm/applications/skaha/templates/metrics-backend-service.yaml
rename to helm/applications/skaha/templates/metricsBackend-service.yaml
index b1381071..0e11f440 100644
--- a/helm/applications/skaha/templates/metrics-backend-service.yaml
+++ b/helm/applications/skaha/templates/metricsBackend-service.yaml
@@ -1,4 +1,4 @@
-{{- $mb := index .Values "metrics-backend" | default dict }}
+{{- $mb := .Values.metricsBackend | default dict }}
 {{- if (default false $mb.enabled) }}
 apiVersion: v1
 kind: Service
diff --git a/helm/applications/skaha/templates/skaha-ingress.yaml b/helm/applications/skaha/templates/skaha-ingress.yaml
index e85b6e88..21c1641f 100644
--- a/helm/applications/skaha/templates/skaha-ingress.yaml
+++ b/helm/applications/skaha/templates/skaha-ingress.yaml
@@ -1,5 +1,5 @@
 {{- if .Values.ingress.enabled }}
-{{- $mb := index .Values "metrics-backend" | default dict }}
+{{- $mb := .Values.metricsBackend | default dict }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
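Review bot: Collapsing the gate in metricsBackend-rbac.yaml to `{{- if (default false $mb.enabled) }}` removes the only way to enable the metrics backend without this chart creating a ClusterRole and ClusterRoleBinding, so a namespace-scoped deployer or a cluster that manages RBAC centrally can no longer use it. Consider keeping an opt-out, written as `{{- $rbac := $mb.rbac | default dict }}` and `{{- if and (default false $mb.enabled) (or (not (hasKey $rbac "create")) $rbac.create) }}`; the removed `(default true $rbac.create)` could not be switched off, because `default` treats `false` as empty. The new comment also says Helm "renders" these first, while the ordering it relies on is applied by Helm at install time, so a pipeline that runs `helm template` and applies the output with another tool may not get the fail-fast behaviour, which is worth stating in the comment. The ClusterRole body continues outside the hunk, so its verbs and resources could not be checked here.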
diff --git a/helm/applications/skaha/templates/skaha-tomcat-deployment.yaml b/helm/applications/skaha/templates/skaha-tomcat-deployment.yaml
index 8595ded8..cf9eac56 100644
--- a/helm/applications/skaha/templates/skaha-tomcat-deployment.yaml
+++ b/helm/applications/skaha/templates/skaha-tomcat-deployment.yaml
@@ -139,7 +139,7 @@ spec:
 value: "{{ .Release.Name }}-redis-master.{{ .Release.Namespace }}.svc.{{ .Values.kubernetesClusterDomain }}"
 - name: REDIS_PORT
 value: "6379"
- {{- $mb := index .Values "metrics-backend" | default dict }}
+ {{- $mb := .Values.metricsBackend | default dict }}
 {{- if (default false $mb.enabled) }}
 - name: SKAHA_METRICS_BACKEND_URL
 value: {{ include "skaha.metricsBackend.internalURL" . | quote }}
diff --git a/helm/applications/skaha/templates/tests/test-metrics-backend.yaml b/helm/applications/skaha/templates/tests/test-metricsBackend.yaml
similarity index 79%
rename from helm/applications/skaha/templates/tests/test-metrics-backend.yaml
rename to helm/applications/skaha/templates/tests/test-metricsBackend.yaml
index 0ec9ff61..a1b146e6 100644
--- a/helm/applications/skaha/templates/tests/test-metrics-backend.yaml
+++ b/helm/applications/skaha/templates/tests/test-metricsBackend.yaml
@@ -1,10 +1,10 @@
-{{- $mb := index .Values "metrics-backend" | default dict }}
+{{- $mb := .Values.metricsBackend | default dict }}
 {{- $test := $mb.test | default dict }}
 {{- if and (default false $mb.enabled) (default true $test.enabled) }}
 apiVersion: v1
 kind: Pod
 metadata:
- name: {{ include "skaha.fullname" . }}-test-metrics-backend
+ name: {{ include "skaha.fullname" . }}-metrics-backend-test
 labels:
 {{- include "skaha.labels" . | nindent 4 }}
 annotations:
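Review bot: The gate `(default true $test.enabled)` on the third line of the test-metricsBackend.yaml hunk cannot be switched off, because Sprig's `default` treats `false` as empty, so `metricsBackend.test.enabled: false` still evaluates to true and the test hook Pod is rendered whenever the backend is enabled. values.yaml already ships `test.enabled: true`, so the wrapper can simply be dropped: `{{- if and (default false $mb.enabled) $test.enabled }}`. The Pod spec continues outside this hunk.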
@@ -24,13 +24,13 @@ spec: i=0 while [ "$i" -lt "$max" ]; do if wget -q -T 3 -O /dev/null "$url" 2>/dev/null; then - echo "metrics-backend health check ok" + echo "metricsBackend health check ok" exit 0 fi i=$((i+1)) sleep 1 done - echo "metrics-backend health check failed after ${max}s" >&2 + echo "metricsBackend health check failed after ${max}s" >&2 exit 1 restartPolicy: Never {{- end }} diff --git a/helm/applications/skaha/values.yaml b/helm/applications/skaha/values.yaml index 73be77d7..f925df3f 100644 --- a/helm/applications/skaha/values.yaml +++ b/helm/applications/skaha/values.yaml @@ -496,13 +496,9 @@ ingress: path: /skaha # Optional science-platform Metrics API in the same release as Skaha (see README). -# Access in templates via index .Values "metrics-backend" (hyphenated key). -"metrics-backend": - # -- Deploy the Metrics API Deployment and Service for the shared Skaha ServiceAccount (uses this chart's Bitnami Redis for METRICS_REDIS_URL when configured). Kueue read ClusterRole/RBAC is gated by metrics-backend.rbac.create. +metricsBackend: + # -- When true, install Kueue-read ClusterRole/Binding first (Helm kind order), then Metrics Service and Deployment. Applies fail if cluster RBAC cannot be created (for example forbidden). enabled: false - rbac: - # -- Create ClusterRole and ClusterRoleBinding for Kueue API read access (cluster-scoped resources). Set false if RBAC is managed outside this chart; requires a deployer with permission to create cluster-scoped RBAC when true. - create: true # -- Fixed replica count for the Metrics API (no HPA in this chart version). replicaCount: 1 image: 
@@ -533,7 +529,7 @@ ingress: # -- Ingress path prefix for the Metrics API (Traefik). path: /metrics test: - # -- Run helm test hook that retries /healthz until success (requires metrics-backend.enabled). + # -- Run helm test hook that retries /healthz until success (requires metricsBackend.enabled). enabled: true # -- Image for the helm test hook Pod. image: busybox:1.37.0 From 955e7ada3f499e2697dfe74f2e6ae7956ccd9677 Mon Sep 17 00:00:00 2001 From: Shiny Brar Date: Wed, 6 May 2026 15:16:36 -0700 Subject: [PATCH 6/6] docs(skaha): helm-docs via pre-commit; install ordering in README.gotmpl Move metricsBackend install-ordering prose after chart.valuesSection in README.md.gotmpl so helm-docs regeneration preserves it. --- helm/applications/skaha/README.md | 2 +- helm/applications/skaha/README.md.gotmpl | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/helm/applications/skaha/README.md b/helm/applications/skaha/README.md index 26799e9c..6801a7db 100644 --- a/helm/applications/skaha/README.md +++ b/helm/applications/skaha/README.md 
@@ -61,7 +61,7 @@ A Helm chart to install the Skaha web service of the CANFAR Science Platform
 | ingress.enabled | bool | `true` | Enable ingress routing for the Skaha API. |
 | ingress.path | string | `"/skaha"` | Ingress path prefix routed to the Skaha API Service. |
 | kubernetesClusterDomain | string | `"cluster.local"` | Kubernetes DNS domain used when building internal service hostnames. |
-| metricsBackend.enabled | bool | `false` | When true, install Kueue-read ClusterRole/Binding (Helm installs these before the metrics workload kinds; see below), then Metrics Service and Deployment. Uses this chart's Bitnami Redis for METRICS_REDIS_URL when configured. |
+| metricsBackend.enabled | bool | `false` | When true, install Kueue-read ClusterRole/Binding first (Helm kind order), then Metrics Service and Deployment. Applies fail if cluster RBAC cannot be created (for example forbidden). |
 | metricsBackend.env | object | `{}` | Map of environment variables for the Metrics container (typically METRICS_*). GitOps should supply the full map per environment. |
 | metricsBackend.image.pullPolicy | string | `"IfNotPresent"` | imagePullPolicy for the Metrics API container. |
 | metricsBackend.image.repository | string | `"images.opencadc.org/platform/metrics"` | Metrics container image repository. |
diff --git a/helm/applications/skaha/README.md.gotmpl b/helm/applications/skaha/README.md.gotmpl
index 673719ab..2c0ad09f 100644
--- a/helm/applications/skaha/README.md.gotmpl
+++ b/helm/applications/skaha/README.md.gotmpl
@@ -11,3 +11,7 @@ {{ template "chart.requirementsSection" . }} {{ template "chart.valuesSection" . }} + +## metricsBackend install ordering + +When `metricsBackend.enabled` is true, the chart emits `ClusterRole`, `ClusterRoleBinding`, `Service`, and `Deployment` for metrics. Helm applies manifest groups in a deterministic [kind order](https://github.com/helm/helm/blob/main/pkg/releaseutil/kind_sorter.go) so RBAC objects are reconciled before typical namespaced workload kinds. If the API server rejects creating or updating those cluster-scoped RBAC rules (for example the caller lacks permission), the release fails instead of only rolling out a broken metrics `Deployment`. `helm test` (optional) still targets the running Service after install; it does not replace RBAC admission checks.