improvement(helm): helm chart updates with security, ESO, and docs overhaul#4565
improvement(helm): helm chart updates with security, ESO, and docs overhaul#4565waleedlatif1 wants to merge 15 commits into
Conversation
…s overhaul Comprehensive Helm chart improvements bringing the chart up to industry standards for security, secret management, and documentation. Security - Pod Security Standards "restricted" defaults on every pod and container (runAsNonRoot, allowPrivilegeEscalation=false, capabilities.drop=[ALL], seccompProfile=RuntimeDefault) - automountServiceAccountToken=false on ServiceAccount and every pod - NetworkPolicy egress blocks cloud metadata endpoints by default - Sensitive app/realtime env keys auto-partitioned into chart-managed Secret via envFrom; no more plaintext secrets on container specs Secret management - Three modes: inline, existingSecret, ExternalSecrets Operator (ESO) - ESO sync supports arbitrary sensitive keys - Fail-fast template rendering when ESO enabled but sensitive key unmapped - AWS/Azure/GCP example files document all three modes Reliability - Headless Services for both Postgres StatefulSets - HPA-aware replicas (omits spec.replicas when autoscaling.enabled) - PodDisruptionBudget auto-activates when replicaCount > 1 - Startup / liveness / readiness probes with distinct timings - CronJob ttlSecondsAfterFinished for automatic cleanup Chart hygiene - Image tags default to Chart.AppVersion; pullPolicy IfNotPresent - Optional image.digest pin for content-addressed deploys - kubeVersion >=1.25.0-0 enforced - Ollama pinned to 0.23.2; mount moved to /data Documentation - README rewritten in cert-manager / Bitnami style - NOTES.txt with post-install guidance - Example values files annotated with usage and secret-strategy guidance
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
PR SummaryMedium Risk Overview Adds/clarifies three secret delivery modes (inline, Operational behavior changes include headless Services for Postgres StatefulSets (and corresponding upgrade guidance for pre- Reviewed by Cursor Bugbot for commit bc50116. Configure here. |
Greptile SummaryThis PR overhauled the Sim Helm chart with Pod Security Standards "restricted" defaults, a three-mode secret management system (inline / existingSecret / ESO), and numerous operational improvements. A large number of real bugs were caught and fixed during the review cycle (apiVersion default, merge precedence, ESO coverage gaps, image tag guard, NetworkPolicy OTEL egress, StatefulSet serviceName upgrade notice).
Confidence Score: 4/5Two issues need attention before merging: the envDefaults/existingSecret shadowing bug silently overrides BETTER_AUTH_URL from pre-existing secrets, and the networkPolicy.egress key rename drops custom egress rules silently. The envDefaults rendering block does not guard against existingSecret mode, so any user who stores URL-type values (BETTER_AUTH_URL, NEXT_PUBLIC_APP_URL, ALLOWED_ORIGINS) in their pre-existing Secret but leaves app.env empty will get the localhost default instead — breaking authentication silently. The same issue exists in the realtime deployment. Additionally, the custom-egress values key moved from networkPolicy.egress (list) to networkPolicy.egress.extraRules (nested), and existing custom rules are silently dropped with no upgrade warning. helm/sim/templates/deployment-app.yaml and helm/sim/templates/deployment-realtime.yaml (envDefaults shadow fix), helm/sim/values.yaml and helm/sim/templates/NOTES.txt (networkPolicy.egress rename notice) Important Files Changed
Flowchart%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[helm install / upgrade] --> B{Secret mode?}
B -->|inline default| C[sim.validateSecrets\nfail on missing/placeholder keys]
B -->|existingSecret| D[sim.validateSecrets\nskipped for app secrets]
B -->|ESO| E[sim.validateExternalSecretCoverage\nfail if required keys unmapped in remoteRefs.app]
C --> F[secrets-app.yaml\nmerge app.env + realtime.env\napp.env authoritative on collision]
D --> G[User pre-created Secret\ne.g. kubectl create secret generic]
E --> H[ExternalSecret CR\nsyncs remoteRefs.app into\nrelease-app-secrets]
F --> I[app Secret\nrelease-app-secrets]
G --> I
H --> I
I --> J[deployment-app\nenvFrom: secretRef]
I --> K[deployment-realtime\nenvFrom: secretRef]
I --> L[cronjobs\nsecretKeyRef: CRON_SECRET]
J --> M[inline env: DATABASE_URL\nSOCKET_SERVER_URL\nOLLAMA_URL\nenvDefaults tunables]
K --> N[inline env: DATABASE_URL\nenvDefaults tunables]
Reviews (11): Last reviewed commit: "fix(helm): correct realtime env overlay ..." | Re-trigger Greptile |
The sim.fullname helper collapses to the release name when the release name contains the chart name. With the documented release name 'sim', actual resources are 'sim-app', 'sim-postgresql', etc. — not the 'sim-sim-*' form previously documented. Fixes copy-paste commands in the pre-1.0.0 upgrade walkthrough and several troubleshooting snippets. Also expands the cronjobs component description to reflect the full set of 13 scheduled jobs (was understated as just Gmail/Outlook polling).
…defaults - Add app.envDefaults / realtime.envDefaults for chart-shipped operational tunables (rate limits, timeouts, IVM, feature-flag defaults, localhost URL fallbacks). Rendered inline on the container, not into the Secret - Remove operational defaults from app.env / realtime.env so the chart-managed Secret stays minimal and External Secrets Operator users only map keys they actually set, not every chart default - Skip an envDefaults key when the user explicitly sets it in env (K8s `env` overrides `envFrom`, so an inline default would otherwise mask a Secret value at runtime) - Relax values.schema.json to allow empty strings on NEXT_PUBLIC_APP_URL, BETTER_AUTH_URL, NEXT_PUBLIC_SUPPORT_EMAIL (defaults supplied via envDefaults)
…cret merge order, image guard - CronJobs reference CRON_SECRET via secretKeyRef; fail-fast at template time when cronjobs.enabled=true and app.env.CRON_SECRET is empty so users get a clear error instead of a CreateContainerConfigError loop - Default externalSecrets.apiVersion to "v1beta1" (supported by every ESO release since v0.7). The previous "v1" default targets only ESO v0.17+ - Swap merge order in secrets-app.yaml so app.env wins over realtime.env for shared keys (BETTER_AUTH_SECRET, BETTER_AUTH_URL, …) — both pods consume the same Secret via envFrom, so the app value must be canonical - Add `required` guard on sim.image so an empty tag + empty digest + empty Chart.AppVersion surfaces as a clear template-time error instead of rendering an invalid `repo:` reference
|
@greptile |
|
@cursor review |
Previously, enabling externalSecrets without mapping BETTER_AUTH_SECRET / ENCRYPTION_KEY / INTERNAL_API_SECRET (and CRON_SECRET when cronjobs are on) rendered cleanly but produced CrashLoopBackOff at runtime with cryptic missing-env errors. Fail at template time instead.
Previously the auto-enable predicate only checked the static app.replicaCount, which defaults to 1 even when autoscaling is on (HPA owns spec.replicas). PDB now also activates when autoscaling.enabled=true and minReplicas > 1.
|
@greptile |
|
@cursor review |
…alues; add StatefulSet upgrade NOTES - Realtime override-skip now considers keys set in either app.env or realtime.env. The shared app Secret is mounted via envFrom on the realtime pod, so a key set in app.env (e.g. NEXT_PUBLIC_APP_URL) would previously be masked by the realtime envDefault (inline env overrides envFrom in K8s). - NOTES.txt now prints a StatefulSet orphan-delete reminder on upgrade, surfacing the immutable serviceName issue documented in the README.
|
@cursor review |
|
@greptile |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 9519a8f. Configure here.
The new validateSecrets check makes app.env.INTERNAL_API_SECRET mandatory on upgrade. Existing installs that never set it would hit a template render failure with no in-context guidance. Adds an upgrade-only note with the generation snippet and storage guidance alongside the existing StatefulSet orphan-delete instructions.
|
@greptile |
|
@cursor review |
…le format
- Add app/realtime NetworkPolicy egress rules for the OpenTelemetry
collector pod on ports 4317 (OTLP gRPC) and 4318 (OTLP HTTP) when
telemetry.enabled=true. Without these, traces and metrics were silently
dropped with connection-refused errors when both telemetry and
networkPolicy were enabled.
- Migrate values-external-db.yaml from the legacy list-shaped egress
format to the new {exceptCidrs, extraRules} object. The list form would
replace the default object on merge and crash template rendering when
the chart tried to access .exceptCidrs on a list.
|
@cursor review |
|
@greptile |
The secrets-empty warning only checked app.secrets.existingSecret.enabled before scanning app.env. ESO users intentionally leave app.env empty — secrets come from the ESO-synced Secret — so every ESO install/upgrade printed a misleading 'pods will fail to start' warning. Reorders the branches so externalSecrets.enabled takes precedence: ESO users now see a confirmation message with kubectl commands to verify the ExternalSecret has synced. The empty-app.env warning only fires when both ESO and existingSecret are disabled.
|
@greptile |
|
@cursor review |
… values In existingSecret mode the chart-managed Secret is not rendered, so non-empty values in app.env / realtime.env had nowhere to land — yet the envDefaults skip logic still suppressed the matching defaults. Result: keys like NEXT_PUBLIC_APP_URL, BETTER_AUTH_URL, and NODE_ENV silently went missing on both pods (the example values-existing-secret.yaml hit this directly). Both app and realtime deployments now inline non-empty values from app.env (plus realtime.env on the realtime container) when existingSecret is enabled and ESO is not. Inline / ESO modes are unchanged: inline still flows through the chart-managed Secret, ESO still owns the synced Secret.
|
@cursor review |
|
@greptile |
…in existingSecret mode Realtime: Sprig merge gives the first source precedence and treats "" as a real value, so realtime.env empty defaults for shared keys shadowed non-empty app.env values. Replace with deepCopy($appEnv) base + manual non-empty overlay of $rtEnv. Both deployments: exclude DATABASE_URL/SOCKET_SERVER_URL/OLLAMA_URL from the existingSecret inline path so user-supplied values can't override chart-computed ones via last-wins env semantics.
|
@greptile |
|
@cursor review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit bc50116. Configure here.
| {{- $appEnv := .Values.app.env | default dict }} | ||
| {{- range $key, $value := .Values.app.envDefaults | default dict }} | ||
| {{- $override := index $appEnv $key }} | ||
| {{- if and (ne (toString $value) "") (ne (toString $value) "<nil>") (or (not $override) (eq (toString $override) "") (eq (toString $override) "<nil>")) }} | ||
| - name: {{ $key }} | ||
| value: {{ $value | quote }} | ||
| {{- end }} | ||
| {{- end }} |
There was a problem hiding this comment.
existingSecret.enabled=true, envDefaults keys such as BETTER_AUTH_URL and NEXT_PUBLIC_APP_URL are rendered as inline env: entries (value http://localhost:3000). Kubernetes inline env: always wins over envFrom:, so any user who stores these URL keys in their pre-existing Secret but leaves app.env.*: "" (the default) will silently get the localhost value, breaking authentication. The values-existing-secret.yaml example correctly sets these in app.env, but users treating the external Secret as a single source of truth won't know to do this. Skipping envDefaults keys in existingSecret mode eliminates the trap.
| {{- $appEnv := .Values.app.env | default dict }} | |
| {{- range $key, $value := .Values.app.envDefaults | default dict }} | |
| {{- $override := index $appEnv $key }} | |
| {{- if and (ne (toString $value) "") (ne (toString $value) "<nil>") (or (not $override) (eq (toString $override) "") (eq (toString $override) "<nil>")) }} | |
| - name: {{ $key }} | |
| value: {{ $value | quote }} | |
| {{- end }} | |
| {{- end }} | |
| {{- $appEnv := .Values.app.env | default dict }} | |
| {{- $useExistingAppSecret := and .Values.app.secrets .Values.app.secrets.existingSecret .Values.app.secrets.existingSecret.enabled }} | |
| {{- range $key, $value := .Values.app.envDefaults | default dict }} | |
| {{- $override := index $appEnv $key }} | |
| {{- /* In existingSecret mode, skip envDefaults — user's Secret supplies them via envFrom and inline defaults would silently win. */}} | |
| {{- if and (not $useExistingAppSecret) (ne (toString $value) "") (ne (toString $value) "<nil>") (or (not $override) (eq (toString $override) "") (eq (toString $override) "<nil>")) }} | |
| - name: {{ $key }} | |
| value: {{ $value | quote }} | |
| {{- end }} | |
| {{- end }} |
| {{- $rtEnv := .Values.realtime.env | default dict }} | ||
| {{- $appEnv := .Values.app.env | default dict }} | ||
| {{- range $key, $value := .Values.realtime.envDefaults | default dict }} | ||
| {{- $rtOverride := index $rtEnv $key }} | ||
| {{- $appOverride := index $appEnv $key }} | ||
| {{- $hasRt := and $rtOverride (ne (toString $rtOverride) "") (ne (toString $rtOverride) "<nil>") }} | ||
| {{- $hasApp := and $appOverride (ne (toString $appOverride) "") (ne (toString $appOverride) "<nil>") }} | ||
| {{- if and (ne (toString $value) "") (ne (toString $value) "<nil>") (not $hasRt) (not $hasApp) }} | ||
| - name: {{ $key }} | ||
| value: {{ $value | quote }} | ||
| {{- end }} | ||
| {{- end }} |
There was a problem hiding this comment.
envDefaults-shadow issue as the app deployment: in existingSecret mode, realtime.envDefaults keys (e.g. BETTER_AUTH_URL: "http://localhost:3000", ALLOWED_ORIGINS: "http://localhost:3000") are rendered as inline env: entries that take precedence over the pre-existing Secret loaded via envFrom:. Any URL key stored in the Secret but left empty in realtime.env receives the localhost default instead.
| {{- $rtEnv := .Values.realtime.env | default dict }} | |
| {{- $appEnv := .Values.app.env | default dict }} | |
| {{- range $key, $value := .Values.realtime.envDefaults | default dict }} | |
| {{- $rtOverride := index $rtEnv $key }} | |
| {{- $appOverride := index $appEnv $key }} | |
| {{- $hasRt := and $rtOverride (ne (toString $rtOverride) "") (ne (toString $rtOverride) "<nil>") }} | |
| {{- $hasApp := and $appOverride (ne (toString $appOverride) "") (ne (toString $appOverride) "<nil>") }} | |
| {{- if and (ne (toString $value) "") (ne (toString $value) "<nil>") (not $hasRt) (not $hasApp) }} | |
| - name: {{ $key }} | |
| value: {{ $value | quote }} | |
| {{- end }} | |
| {{- end }} | |
| {{- $rtEnv := .Values.realtime.env | default dict }} | |
| {{- $appEnv := .Values.app.env | default dict }} | |
| {{- $useExistingAppSecret := and .Values.app.secrets .Values.app.secrets.existingSecret .Values.app.secrets.existingSecret.enabled }} | |
| {{- range $key, $value := .Values.realtime.envDefaults | default dict }} | |
| {{- $rtOverride := index $rtEnv $key }} | |
| {{- $appOverride := index $appEnv $key }} | |
| {{- $hasRt := and $rtOverride (ne (toString $rtOverride) "") (ne (toString $rtOverride) "<nil>") }} | |
| {{- $hasApp := and $appOverride (ne (toString $appOverride) "") (ne (toString $appOverride) "<nil>") }} | |
| {{- /* In existingSecret mode, skip envDefaults — user's Secret supplies them via envFrom */}} | |
| {{- if and (not $useExistingAppSecret) (ne (toString $value) "") (ne (toString $value) "<nil>") (not $hasRt) (not $hasApp) }} | |
| - name: {{ $key }} | |
| value: {{ $value | quote }} | |
| {{- end }} | |
| {{- end }} |
| egress: | ||
| # CIDRs excluded from broad HTTPS (443) egress. | ||
| # Defaults block AWS/GCP/Azure IMDS (169.254.169.254/32) and ECS task metadata | ||
| # (169.254.170.2/32). Add your cluster's API server CIDR for stronger isolation. | ||
| exceptCidrs: | ||
| - "169.254.169.254/32" | ||
| - "169.254.170.2/32" | ||
| # Custom egress rules appended to the policy | ||
| extraRules: [] |
There was a problem hiding this comment.
networkPolicy.egress users
The custom-egress key changed from .Values.networkPolicy.egress (a list) to .Values.networkPolicy.egress.extraRules (a nested key). Any user who previously had custom egress rules under networkPolicy.egress: will silently lose them after upgrade — the rules are ignored and no error is emitted. The NOTES.txt upgrade block only mentions the StatefulSet rename; this values-path change should be called out there (or in the README upgrade section) so operators know to migrate their custom rules to networkPolicy.egress.extraRules.
Summary
automountServiceAccountToken: false, block cloud metadata endpoints via NetworkPolicy egressapp.env/realtime.envkeys into a chart-managed Secret viaenvFrom(no more plaintext secrets on container specs)existingSecret, and ExternalSecrets Operator (ESO) — with fail-fast rendering when ESO is enabled but a sensitive key is unmappedreplicas, auto PodDisruptionBudget, distinct startup/liveness/readiness probes, andttlSecondsAfterFinishedon CronJobsChart.AppVersionwithpullPolicy: IfNotPresent; optionalimage.digestpin; enforcekubeVersion >=1.25.0-0Type of Change
Testing
Tested manually —
helm lintclean,helm templaterenders 2055 lines without error across all three secret modes.Checklist