feat!: introduce new standalone RHDH Chart [RHDHPLAN-1058]#438
Draft
Conversation
…ency Helm cannot merge lists, so when users set extraVolumes/extraEnvVars on the current chart, the entire default list is replaced — forcing them to copy-paste all system defaults just to add one item. This is a Day 2 maintenance burden that grows with every release. This new chart at charts/rhdh/ owns all Kubernetes templates directly and uses an "add, don't replace" pattern: system-required volumes, mounts, env vars, and init containers are hardcoded in the Deployment template, while user-provided values are always appended. Users can now add a volume without knowing or duplicating the system defaults. The values layout is flattened to match helm-create conventions (replicaCount, image, service at root level) — no more navigating global.*/upstream.backstage.* nesting to set basic options. Assisted-by: Claude
The new rhdh chart owns all Kubernetes templates directly and no longer depends on the upstream Backstage subchart, so the weekly sync workflow and its helper script are no longer needed. Assisted-by: Claude
…ove-helm-chart-configuration-experience-via-standalone-rhdh-helm-chart-without-backstage-subchart-dependency # Conflicts: # .github/workflows/sync-upstream-backstage.yaml
Assisted-by: Claude
Port test scenarios from charts/backstage/ci/ with key paths adjusted for the flat values layout. The custom-dynamic-pvc-claim-spec scenario is dropped because the new chart hardcodes the dynamic-plugins-root volume (user volumes are appended, not replaced). Assisted-by: Claude
Add global.imageRegistry, global.imagePullSecrets, and global.defaultStorageClass so they flow through to both the postgresql subchart and the rhdh chart's own templates. Image helpers now delegate to bitnami common's common.images.image, and imagePullSecrets are merged from both global and root-level sources. Lightspeed container images converted from strings to structured registry/repository/tag maps so global.imageRegistry applies uniformly to all containers. Also pins the test pod image to curl/curl:8.9.1 instead of latest, adds automountServiceAccountToken: false and ephemeral-storage requests to the test pod (SonarCloud findings). Assisted-by: Claude
The previous version (12.10.0) was far behind. The new version requires global.security.allowInsecureImages=true since we use a Fedora-based PostgreSQL image instead of the bitnami one. Assisted-by: Claude
Assisted-by: Claude
…ion-experience-via-standalone-rhdh-helm-chart-without-backstage-subchart-dependency
…ove-helm-chart-configuration-experience-via-standalone-rhdh-helm-chart-without-backstage-subchart-dependency # Conflicts: # .github/workflows/sync-upstream-backstage.yaml
…anch chart-testing's --upgrade flag checks out the target branch and tries to build dependencies for the chart there. For brand-new charts like charts/rhdh/ that do not exist on main yet, this causes helm dependency build to fail. Make --upgrade conditional: when a specific chart is tested, check whether its Chart.yaml exists on the target branch first. If not, skip the upgrade test and only run a fresh install. Also rename the backstageChartChanged output to orchestratorCrdsNeeded and include charts/rhdh so that Knative and SonataFlow CRDs are installed for both charts' orchestrator CI scenarios.
On vanilla K8s (KinD), there is no SCC to assign a common UID to all containers in a pod. Set fsGroup so shared volumes (e.g. RAG data) are group-writable across init containers and sidecars that may run as different UIDs. Also disable the route, which is not available on KinD.
Without a default appConfig, no app-config ConfigMap is created and the RHDH application lacks essential configuration (base URLs, CORS, database connection, backend auth), causing it to fail to start. Add a default appConfig matching the backstage chart, providing: - app.baseUrl and backend.baseUrl from rhdh.hostname - backend.cors.origin - backend.database.connection (postgres user, password from env var) - backend.auth.externalAccess (legacy service-to-service auth)
…ion-experience-via-standalone-rhdh-helm-chart-without-backstage-subchart-dependency
Accept incoming changes, bumping backstage chart to 6.2.1. Keep our deletion of sync-upstream-backstage.yaml.
…[RHIDP-14726] Align the rhdh chart with the backstage chart change from PR redhat-developer#453: use `enabled: true` instead of `disabled: false` for dynamic plugin entries in values, schema, CI files, and documentation. Assisted-by: Claude
…ack to 0.5.2 Use --no-preserve=mode,ownership when copying RAG data so the sidecar (UID 1001) can access files written by the init container (UID 65532). Pre-create the notebooks subdirectory and chmod the copied data to prevent PermissionError on vanilla Kubernetes. Also bump lightspeed-stack sidecar from 0.5.1 to 0.5.2. Refs: - redhat-developer#460 - redhat-developer#461 Assisted-by: Claude
The RAG init container permission fix (--no-preserve=mode,ownership + chmod) makes a shared UID unnecessary. Only fsGroup is needed, matching the backstage chart CI setup. Assisted-by: Claude
Move route.enabled=false and postgresql.primary.persistence.enabled=false from all 7 rhdh CI values files into the test-charts action as --set flags. These are KinD environment workarounds, not chart-specific test scenarios. Assisted-by: Claude
- Quote all string values consistently (Helm best practice: YAML type coercion is counterintuitive; wildcardPolicy: None is especially dangerous as YAML 1.1 treats it as null) - Add missing helm-docs comments for nodeSelector, tolerations, affinity - Remove duplicate catalogIndex comment - Remove dead networkPolicy configuration (no template references it) - Rename externalDBsecretRef to externalDBSecretRef (camelCase fix) - Regenerate values.schema.json and README.md Assisted-by: Claude
kubectl debug (stable since K8s 1.25, chart requires 1.27+) is the standard way to debug running pods without mutating the Deployment spec or requiring a Helm upgrade cycle. Assisted-by: Claude
Starting with 16.3.0, the bitnami common library rejects non-bitnami images unless global.security.allowInsecureImages is set. Since this chart ships a Fedora-based PostgreSQL image, that setting was required and confusing for users. Pin to 16.2.5 (the last version without the check) and remove the allowInsecureImages workaround entirely. See bitnami/charts#30850 Assisted-by: Claude
The pod has multiple containers (main RHDH, lightspeed sidecar, init containers), so the bare name securityContext is ambiguous. Rename to containerSecurityContext to clarify it applies only to the main RHDH container, matching the podSecurityContext / containerSecurityContext naming convention from Kubernetes. Assisted-by: Claude
…ugins The init container had the same security context hardcoded. Use the shared containerSecurityContext value so users can adjust it in one place for both the main container and the init container. Assisted-by: Claude
Expose dynamicPlugins.volume with a type selector (ephemeral, emptyDir, pvc) and raw Kubernetes volume specs for each type. Users can now customize the storage class, size, access mode, or switch to an emptyDir or pre-existing PVC without forking the template. Assisted-by: Claude
Rename volumes → extraVolumes, volumeMounts → extraVolumeMounts, containers → extraContainers, initContainers → extraInitContainers. The "extra" prefix makes it explicit that these are appended to system defaults, not replacing them. Assisted-by: Claude
Follows the same naming convention as the other extra resource fields (extraVolumes, extraVolumeMounts, extraContainers, extraInitContainers). Assisted-by: Claude
args now fully overrides the container arguments, skipping the system --config flags. extraArgs appends additional arguments after the system --config flags for users who just need to pass extra options. Assisted-by: Claude
Backstage uses last-wins for --config ordering. Move the inline appConfig before extraAppConfig so that external ConfigMaps can override the chart's built-in configuration. Assisted-by: Claude
The name argsOverride makes it explicit that setting this field replaces the default system --config arguments entirely, steering users toward extraArgs for the common append use case. Assisted-by: Claude
Same pattern as argsOverride/extraArgs: envOverride replaces all system env vars (BACKEND_SECRET, DB credentials, etc.), while extraEnv appends after them. Assisted-by: Claude
Move clusterRouterBase and route under openshift.clusterRouterBase and openshift.route respectively. This makes it clear which values are OCP-specific and which are platform-agnostic. Assisted-by: Claude
Group fields into labeled sections (Global, Image, App Config, Dynamic Plugins, Deployment/Pod, Networking, OpenShift, Database, Observability, Built-in Features, Testing) for easier navigation. Reorder only — no functional change. Assisted-by: Claude
Move `app.kubernetes.io/component: backstage` into the `rhdh.selectorLabels` helper instead of repeating it inline in every template. Remove `namespace:` from all resource metadata — Helm injects it at install time per best practice. Also add standard labels to lightspeed, orchestrator, and test templates that previously lacked them, and move orchestrator templates into an `orchestrator/` subdirectory. Assisted-by: Claude
… support Fix route.yaml annotation rendering order to match all other templates: commonAnnotations first, then resource-specific annotations (so resource-specific wins on key conflicts). Add commonAnnotations support to templates that previously lacked it: lightspeed configmaps/secret, orchestrator network-policies/ sonataflows, and test-connection/test-secret pods. Assisted-by: Claude
Replicate the fix from PR redhat-developer#466 (backstage chart) into the rhdh chart. Chart versions with uppercase characters (e.g. CI builds) produced Job names violating RFC 1123 subdomain rules. Add rhdh.orchestrator.dbJobName helper that lowercases the name and truncates to 63 chars while preserving the version suffix. Ref: redhat-developer#466 Assisted-by: Claude
|
|
PR needs rebase. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.


Description of the change
Which issue(s) does this PR fix or relate to
ref RHDHPLAN-1058
How to test changes / Special notes to the reviewer
Checklist
Chart.yamlaccording to Semantic Versioning.values.yamland added to the corresponding README.md. The pre-commit utility can be used to generate the necessary content. Runpre-commit run --all-filesto run the hooks and then push any resulting changes. The pre-commit Workflow will enforce this and warn you if needed.pre-commithook.ct lintcommand.