feat(helm): add optional PostgreSQL backing store#1579
Open
sauagarwa wants to merge 5 commits into
Open
Conversation
sauagarwa
requested review from
a team,
derekwaynecarr,
maxamillion and
mrunalp
as code owners
sauagarwa
force-pushed
the
feat/helm-postgres-secret
branch
3 times, most recently
from
1fc9bef to
253051f
Compare
sauagarwa
force-pushed
the
feat/helm-postgres-secret
branch
from
253051f to
d8d0be7
Compare
7 tasks
9 tasks
sauagarwa
force-pushed
the
feat/helm-postgres-secret
branch
from
4ba4f67 to
b71c3a7
Compare
sauagarwa
changed the title
Collaborator
|
/ok to test b71c3a7 |
|
Label |
Collaborator
|
/ok to test 6a2b2ee |
TaylorMutch
requested changes
May 28, 2026
Collaborator
|
/ok to test db1dbe8 |
…redentials - Add postgres.enabled and postgres.deploy values to control database backend (SQLite vs PostgreSQL) and subchart deployment independently. - Introduce db-secret.yaml template for Opaque Secret with assembled postgresql:// connection string injected via OPENSHELL_DB_URL env var. - Add Bitnami PostgreSQL as optional subchart dependency keyed on postgres.deploy to prevent subchart deployment in external mode. - Externalize JWT signing key file mode via sandboxJwt.secretDefaultMode with 0400 default matching upstream. - Add validation guard for postgres.deploy=true without postgres.enabled. - Add helm unit tests covering internal, external, URL-override, special character encoding, and misconfiguration error paths. - Update README with Kubernetes and OpenShift install examples for bundled and external PostgreSQL configurations. - Add helm dependency build to lint and unittest tasks.
The helm-docs CI check failed because the Database backend section was added directly to README.md instead of README.md.gotmpl. Move the content to the template and regenerate so the check passes.
Replace the inline db-url stringData pattern with a proper Secret containing individual fields plus a uri key. When postgres.deploy=true the Bitnami service-binding secret is referenced directly; when deploy=false users can supply postgres.external.existingSecret to bring their own Secret, or let the chart generate one from the external field values. Also restructures the README database section for clarity, adds helm-unittest coverage for the new secret resolution paths, and fixes a markdown lint issue in the root README.
Move test-openshift-scenarios.sh from deploy/helm/openshell/ci/ to e2e/rust/e2e-openshift.sh, matching the existing e2e script naming convention. Register it as `e2e:openshift` in tasks/test.toml — not wired into the `test` or `e2e` aggregates so it only runs on explicit invocation against a live OpenShift cluster.
Extend with-kube-gateway.sh with an optional multi-scenario loop gated by OPENSHELL_E2E_KUBE_DB_SCENARIOS=1. When enabled, the script installs the Helm chart three times — SQLite (default), bundled PostgreSQL, and external PostgreSQL with existingSecret — running the full test suite against each backend. When unset, existing single-install behavior is unchanged. Also adds helm dependency build before helm install, fixing CI failures caused by the missing PostgreSQL subchart dependency.
sauagarwa
force-pushed
the
feat/helm-postgres-secret
branch
from
31d6a8e to
25ed9f6
Compare
Collaborator
|
/ok to test 25ed9f6 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
postgres.enabled(use PostgreSQL) andpostgres.deploy(deploy bundled Bitnami subchart) flagspostgres.external.existingSecretto let users bring their own pre-existing Secret (e.g. from external-secrets-operator or GitOps)postgres.deploy=true, reference the Bitnami service-binding secret directly instead of duplicating credentialssandboxJwt.secretDefaultModewith0400defaulte2e:kubernetes:db) and OpenShift e2e (e2e:openshift)Closes #1599
Changes
values.yaml: Addpostgres.*values block includingexternal.existingSecretandsandboxJwt.secretDefaultModeChart.yaml: Add Bitnami PostgreSQL optional subchart dependency (condition: postgres.deploy)templates/db-secret.yaml: Chart-managed Opaque Secret with individual credential fields +urikey (only created whendeploy=falseand noexistingSecret)templates/_helpers.tpl:openshell.dbSecretNameandopenshell.postgresFullnamehelpers for secret resolution across all modestemplates/statefulset.yaml: ConditionalOPENSHELL_DB_URLenv var from Secreturikey, scoped checksum annotationtemplates/gateway-config.yaml: Omitdb_urlfrom TOML when PostgreSQL is enabledtests/gateway_config_test.yaml: Comprehensive test cases covering bundled, external, existingSecret, fullnameOverride, and nameOverride pathsREADME.md.gotmpl: Restructured database backend section with existingSecret-first flow, separate Kubernetes/OpenShift examplese2e/with-kube-gateway.sh: Addhelm dependency buildbefore install (fixes CI); add multi-scenario DB backend loop gated byOPENSHELL_E2E_KUBE_DB_SCENARIOS=1(SQLite, bundled PG, external PG with existingSecret)e2e/rust/e2e-openshift.sh: OpenShift-specific database-backend integration scenariostasks/test.toml: Adde2e:kubernetes:dbande2e:openshiftmise taskstasks/helm.toml: Addhelm dependency buildbefore lint and unittest.gitignore: Ignore subchart tarballsTest plan
mise run helm:test— all tests passmise run pre-commit— all lint checks passmise run ci— full local CI passesmise run e2e:kubernetes— existing behavior unchanged (no env var set)mise run e2e:kubernetes:db— all 3 DB scenarios passmise run e2e:openshift— OpenShift integration scenarios passpostgres.external.existingSecretpointing to a pre-existing Secretpostgres.enabled=false