
Add support for the namespaces feature#331

Open: jfrancoa wants to merge 2 commits into main from jose/namespaces

@jfrancoa jfrancoa commented May 20, 2026

Summary

  • Adds a top-level namespaces.enabled flag (default false). When enabled, the statefulset emits NAMESPACES_ENABLED=true, DISABLE_GRAPHQL=true, and REPLICATION_MAXIMUM_FACTOR=1 together — Weaviate refuses to start (fatal) unless all three are aligned with NAMESPACES_ENABLED.
  • REPLICATION_MAXIMUM_FACTOR=1 is a hard server precondition, not a tunable, so it is pinned in the chart rather than exposed as a configurable value (a value other than 1 would crash every pod when namespaces is on).
  • Exposes the OIDC claim fields needed for namespace-aware identities (namespace_claim, global_principal_claim, skip_client_id_check) as commented-out entries under authentication.oidc. They flow through toYaml .Values.authentication into the weaviate-config ConfigMap when set.
  • Adds chart tests covering: defaults (envs absent), explicit namespaces.enabled=false, namespaces.enabled=true (all three envs rendered), the REPLICATION_MAXIMUM_FACTOR override case, namespaces + apikey + RBAC end-to-end, and OIDC claim propagation into the ConfigMap.

Notes for reviewers

  • The new env block sits after the generic env.* loop in weaviateStatefulset.yaml, so user combinations like --set namespaces.enabled=true --set env.DISABLE_GRAPHQL=false or --set env.REPLICATION_MAXIMUM_FACTOR=3 still end up with the server-required values (last-value-wins: runc dedupes duplicate env vars keeping the last occurrence), matching the server's invariant.
  • The change is opt-in: a chart upgrade with no value overrides produces no diff in the rendered StatefulSet.

Test plan

  • bash .cicd/test.sh passes locally (exit 0, "Tests successful."), including the namespaces + REPLICATION_MAXIMUM_FACTOR assertions.
  • helm template . --set namespaces.enabled=true shows all three required envs.
  • helm template . --set namespaces.enabled=true --set env.REPLICATION_MAXIMUM_FACTOR=3 renders the pinned REPLICATION_MAXIMUM_FACTOR=1 last, overriding the user value.
  • helm template . --set authentication.oidc.namespace_claim=... --set authentication.oidc.global_principal_claim=... renders the claim fields into the ConfigMap.

🤖 Generated with Claude Code

- Introduce a top-level `namespaces.enabled` flag (default false). When
  enabled, the statefulset sets `NAMESPACES_ENABLED=true` and
  `DISABLE_GRAPHQL=true`, since the server rejects startup if these two
  are not aligned.
- Surface the OIDC claim fields needed for namespace-aware identities
  (`namespace_claim`, `global_principal_claim`, `skip_client_id_check`)
  as commented-out entries under `authentication.oidc`, rendered into
  the weaviate-config ConfigMap when set.
- Add chart tests covering: defaults (envs absent), explicit
  `namespaces.enabled=false`, `namespaces.enabled=true` (both envs
  rendered), the namespaces + apikey + RBAC combination, and the OIDC
  claim fields propagating into the ConfigMap.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@jfrancoa jfrancoa requested a review from a team as a code owner May 20, 2026 14:43
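
The override described in the PR summary depends on the pinned entries being the last occurrence of each name in the container's env list. The script below is an added example, not part of the PR or the chart: it computes the effective value per variable under last-occurrence-wins, lists duplicated names, and checks the three-variable invariant. The function names and the sample list are constructed for illustration, and the input is assumed to be one container's env list only.

```shell
#!/bin/sh
# Constructed sample: an env list shaped like the one the PR describes for
#   --set namespaces.enabled=true --set env.REPLICATION_MAXIMUM_FACTOR=3
sample_env() {
cat <<'EOF'
        env:
          - name: REPLICATION_MAXIMUM_FACTOR
            value: "3"
          - name: NAMESPACES_ENABLED
            value: "true"
          - name: DISABLE_GRAPHQL
            value: "true"
          - name: REPLICATION_MAXIMUM_FACTOR
            value: "1"
EOF
}

# Print NAME=VALUE once per variable, keeping the last value seen for a name.
effective_env() {
  awk '
    /- name:/ { name = $3 }
    /value:/ && name != "" {
      v = $2; gsub(/"/, "", v)
      if (!(name in val)) order[++n] = name
      val[name] = v; name = ""
    }
    END { for (i = 1; i <= n; i++) print order[i] "=" val[order[i]] }
  '
}

# Print each variable name that occurs more than once in the list.
duplicate_env() {
  awk '/- name:/ { if (++seen[$3] == 2) print $3 }'
}

# Succeed unless NAMESPACES_ENABLED=true is effective without the other two pins.
check_namespaces_invariant() {
  eff=$(effective_env)
  echo "$eff" | grep -qx 'NAMESPACES_ENABLED=true' || return 0
  echo "$eff" | grep -qx 'DISABLE_GRAPHQL=true' &&
    echo "$eff" | grep -qx 'REPLICATION_MAXIMUM_FACTOR=1'
}

sample_env | effective_env
```
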

@orca-security-eu orca-security-eu Bot left a comment

Orca Security Scan Summary

Status: Passed
Check: Secrets
Issues by priority: high 0, medium 0, low 0, info 0

The core server fatals at startup when NAMESPACES_ENABLED=true unless
REPLICATION_MAXIMUM_FACTOR=1. Pin it alongside DISABLE_GRAPHQL in the
namespaces block (after the generic env loop so it overrides any
user-supplied value) and add test coverage.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Copilot AI left a comment

Pull request overview

Adds an opt-in Helm chart toggle for Weaviate’s namespaces feature, ensuring the server-required environment variables are rendered together, and extends CI templating tests to cover the new behavior and related auth config propagation.

Changes:

  • Introduces namespaces.enabled (default false) in values.yaml.
  • When enabled, the StatefulSet renders NAMESPACES_ENABLED=true, DISABLE_GRAPHQL=true, and REPLICATION_MAXIMUM_FACTOR=1.
  • Extends .cicd/test.sh with template assertions for defaults, enabled/disabled cases, override behavior, and OIDC claim passthrough.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File | Description
weaviate/values.yaml | Adds namespaces.enabled and documents additional OIDC claim fields in values.
weaviate/templates/weaviateStatefulset.yaml | Conditionally injects namespaces-required env vars into the Weaviate container spec.
.cicd/test.sh | Adds Helm template tests for namespaces env rendering and OIDC claim propagation.

Comment on lines +515 to +521
{{- if index .Values "namespaces" "enabled" }}
- name: NAMESPACES_ENABLED
value: "true"
- name: DISABLE_GRAPHQL
value: "true"
- name: REPLICATION_MAXIMUM_FACTOR
value: "1"
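Review bot: The `if` block pins DISABLE_GRAPHQL and REPLICATION_MAXIMUM_FACTOR by emitting them a second time, so a release that also sets env.DISABLE_GRAPHQL or env.REPLICATION_MAXIMUM_FACTOR renders duplicate names in the container env list and depends on entry order for correctness. Consider skipping these keys in the generic env loop when namespaces.enabled is true, or calling `fail` with a clear message when a user-supplied value conflicts, so the conflict surfaces at render time instead of being silently overridden. Separately, `index .Values "namespaces" "enabled"` can be written as `.Values.namespaces.enabled`, since neither key needs quoting.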
Comment thread .cicd/test.sh
Comment on lines +467 to +469
# The pinned REPLICATION_MAXIMUM_FACTOR=1 is rendered after the generic env loop, so it overrides
# any user-supplied env.REPLICATION_MAXIMUM_FACTOR (Kubernetes keeps the last duplicate env entry).
check_setting_has_value "--set namespaces.enabled=true --set env.REPLICATION_MAXIMUM_FACTOR=3" "name: REPLICATION_MAXIMUM_FACTOR" "value: \"1\""
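Review bot: The assertion on the `check_setting_has_value` line looks for `name: REPLICATION_MAXIMUM_FACTOR` with `value: "1"`, which, as far as its arguments show, would also pass if the pinned entry were rendered before the user-supplied `3`; ordering is the property the comment above it relies on. Add a check that the `"1"` entry is the last REPLICATION_MAXIMUM_FACTOR in the rendered list, or that no `"3"` entry is rendered at all. The comment also credits Kubernetes with keeping the last duplicate, while the PR description attributes the dedupe to runc; name one source consistently.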