fix(helm): install with default values — zero-config bootstrap as chart default#165
Merged
Conversation
…rt default The Rancher partner-charts repository requires charts to be deployable with default values; the chart previously failed at render time (secrets.jwtSecret required). Default config.authBootstrap to "" so the app's zero-config first run (#109) engages: generated credentials are printed once to the pod log and stored in /app/data/auth-bootstrap.json. - secret.yaml: required validations only in strict mode (authBootstrap=off); empty keys are omitted otherwise - deployment.yaml: JWT_SECRET/ADMIN_EMAIL/ADMIN_PASSWORD/USER_EMAIL/ USER_PASSWORD envs render only when set or via existingSecret (optional: true, the LLM_API_KEY pattern) so pods never reference missing Secret keys; USER_* gated on secrets.userPassword because the app never generates the user account (admin-only default) - deployment.yaml: mount an emptyDir at /app/data when persistence is off so bootstrap can write under readOnlyRootFilesystem - _helpers.tpl: authStrict helper mirroring the app's isBootstrapEnabled() semantics - NOTES.txt: first-run credential retrieval, admin-only note, persistence caveat; strict-mode output unchanged - Chart.yaml: declare linux/arm64 (image verified multi-arch on GHCR), prerelease "false", changelog entries (Track line kept for chart:bump) - values.schema.json: enum "", on, off for authBootstrap - docs: chart README, HELM_CHART.md, DISTRIBUTION.md (#118 note), new RANCHER.md (supported versions, Rancher Apps install, validated table) Verified: 61-assertion helm template/lint matrix on helm 3.19.0 and 4.2.2; 16/16 e2e on K3s v1.31.14+k3s1 and v1.35.5+k3s1 (k3d v5.9.0) - default install to Ready, banner login 200, health 200, container restart keeps credentials, pod recreation regenerates them; strict regression byte-identical. No chart version bump (release ritual). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the charts/libredb-studio Helm chart so it can be installed/rendered with default values (zero-config bootstrap) to satisfy catalog requirements (e.g., Rancher partner-charts), while keeping a strict mode (config.authBootstrap=off) available for fail-fast secret enforcement.
Changes:
- Default
config.authBootstrapto""(omitAUTH_BOOTSTRAP) and add schema enum validation for"" | on | off. - Make chart templates tolerant of unset secrets by conditionally rendering Secret keys and Deployment env entries, and mount
/app/dataviaemptyDirwhen persistence is disabled. - Expand documentation for Rancher install flow, bootstrap credential retrieval, and strict vs zero-config behavior.
Reviewed changes
Copilot reviewed 11 out of 12 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| docs/RANCHER.md | Adds Rancher-specific install/validation guidance and a validated-matrix table. |
| docs/HELM_CHART.md | Updates chart architecture notes to reflect zero-config bootstrap and /app/data volume behavior. |
| docs/DISTRIBUTION.md | Updates distribution docs to reflect the new zero-config default and strict-mode option. |
| charts/libredb-studio/values.yaml | Changes default config.authBootstrap to "" and updates inline docs. |
| charts/libredb-studio/values.schema.json | Constrains config.authBootstrap to ["", "on", "off"] and updates description. |
| charts/libredb-studio/templates/secret.yaml | Makes required validations conditional on strict mode; omits empty keys by default. |
| charts/libredb-studio/templates/NOTES.txt | Updates post-install notes for zero-config credential retrieval and persistence caveats. |
| charts/libredb-studio/templates/deployment.yaml | Conditionally renders env vars; always mounts /app/data with PVC or emptyDir. |
| charts/libredb-studio/templates/_helpers.tpl | Adds authStrict helper to mirror app bootstrap semantics. |
| charts/libredb-studio/README.md | Updates installation instructions and documents zero-config vs strict mode. |
| charts/libredb-studio/Chart.yaml | Updates Artifact Hub annotations (prerelease flag, arm64 platform, changelog). |
| .gitignore | Ignores SQLite WAL/SHM files for local test DBs. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…eview Review follow-up for PR #165: - secrets.userPassword is no longer required in strict mode and the docs no longer present it as mandatory: the non-admin account is an optional app feature that exists only when USER_PASSWORD is set and is never generated (src/lib/local-auth.ts). Strict mode now requires exactly what the app needs to run: secrets.jwtSecret and secrets.adminPassword. - With secrets.existingSecret, JWT_SECRET and ADMIN_PASSWORD are hard secretKeyRefs in strict mode (no optional: true), so the pod waits for missing keys instead of starting without auth env - this also covers external-secret operators materializing the Secret after install. Zero-config mode keeps optional: true: partial existing secrets are supported and missing values are generated at first start. - Docs sync: chart README (examples no longer pass userPassword; the external-secret key list distinguishes required-in-strict vs optional), HELM_CHART.md, DISTRIBUTION.md, RANCHER.md, values.yaml comments, values.schema.json, artifacthub.io/changes. The NOTES.txt "not (include ...) type mismatch" review comment is not applied: Go template not() operates on truthiness (no type error on strings), verified by helm lint --strict on helm 3.19/4.2 and rendered NOTES in real installs on K3s v1.31/v1.35. Template/lint matrix re-run: 69 assertions, 0 failures on helm 3.19.0 and 4.2.2; the default-values render is byte-identical to the previous commit, so the two-cluster e2e evidence for the default path stands. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- secret.yaml: always render the admin-email key (falling back to the app default admin@libredb.org when secrets.adminEmail is cleared), so the Secret data map can never render as null. Empty adminEmail is already rejected by values.schema.json (format: email); this covers installs that bypass validation (--skip-schema-validation). - _helpers.tpl: document why authStrict accepts the app's "false"/"0" synonyms beyond the schema enum - a schema-bypassed install must stay strict in both the chart and the app instead of splitting half-strict. Template/lint matrix: 71 assertions, 0 failures (helm 3.19.0 + 4.2.2); the default-values render is unchanged. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Review follow-up (PR #165): the readOnlyRootFilesystem section implied all three writable mounts are emptyDirs; /app/data is the PVC when persistence is enabled. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
13 tasks
…, CI default-install Review findings on the zero-config default: - deployment.yaml: refuse zero-config renders with replicaCount > 1 or autoscaling enabled unless secrets.jwtSecret or secrets.existingSecret is set - each pod would otherwise generate its own JWT secret and break sessions across replicas - values.schema.json: replace the ["", "on", "off"] enum with a case-insensitive pattern that also accepts the app's documented synonyms (true/false/0/1), so values files that were valid before this chart version keep working on helm upgrade - NOTES.txt: warn when the JWT secret will be generated (adminPassword set without jwtSecret, or OIDC) - pod recreation invalidates sessions without persistence; the old chart failed fast on this combination - chart README: document the strict-to-zero-config default flip in Upgrading (existingSecret refs become optional: true) and the single-replica constraint of zero-config - helm-release.yml: add a default-values ct install run so the "deployable with default values" promise is exercised in CI - root README: sync the Helm quickstart with the zero-config default
JSON Schema's regex dialect is ECMA-262, which has no inline (?i) flag - a JavaScript-based validator (catalog tooling, IDE YAML validation) would reject the pattern as a syntax error even though Go's engine accepts it. Spell the case-insensitivity with character classes instead; behavior under helm is unchanged (verified: synonyms accepted, garbage rejected, and the pattern compiles in both engines).
… comment Review follow-ups: - values.schema.json: require a real token when the value is non-empty (whitespace-only strings passed the pattern, rendered AUTH_BOOTSTRAP as whitespace, and only produced an app warn log); "" and whitespace-wrapped tokens like " off " remain valid - _helpers.tpl: the authStrict comment still described the old ""/"on"/"off" enum; document the synonym set the schema now accepts
|
This was referenced Jul 7, 2026
cevheri
added a commit
that referenced
this pull request
Jul 11, 2026
Five first-run/install-path bugs fixed by an autonomous, test-gated maintainer loop working from a fixed queue of filed issues, one commit per issue originally, squashed here. - #134 - deb/rpm and Homebrew wrappers now default to a loopback bind (127.0.0.1) on a direct run instead of leaking an inherited HOSTNAME; LIBREDB_BIND opts in to a different address. The systemd unit path is untouched (INVOCATION_ID guard). - #135 - the Homebrew formula's direct-run wrapper now defaults STORAGE_SQLITE_PATH outside the versioned Cellar keg, so credentials and SQLite state survive brew upgrade. - #132 - npx @libredb/studio --verify-cache (and --archive) no longer wipes payload/data/ on re-extraction. - #133 - the standalone release tarball now packs under a top-level libredb-studio-<version>/ directory instead of spilling at archive root; npx launcher and deb/rpm/snap release jobs updated to strip that one path component. - #137 - the underlying fix (writable /app/data via emptyDir on a default install) had already shipped in #165; this adds the regression test that was missing. Also includes: CI fixes for the new Helm-dependent unit test (build chart deps + pin Helm version), a version bump to 0.9.51 (with chart:bump sync), and hardening of the maintainer-loop scaffold itself for future fully-autonomous runs against the public issue tracker. Refs #132, #133, #134, #135, #137 (left open; closed manually after verifying in production).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



Summary
The Rancher partner-charts repository requires charts to be deployable with default values; the chart previously failed at render time (
secrets.jwtSecretrequired). This PR makeshelm install libredb libredb/libredb-studiowork with no values set by defaultingconfig.authBootstrapto"", so the app's zero-config first run (#109) engages: generated admin credentials are printed once to the pod log and stored in/app/data/auth-bootstrap.json.Changes
requiredvalidations only in strict mode (authBootstrap=off); empty keys are omitted otherwiseJWT_SECRET/ADMIN_EMAIL/ADMIN_PASSWORD/USER_EMAIL/USER_PASSWORDenvs render only when set or viaexistingSecret(optional: true, theLLM_API_KEYpattern) so pods never reference missing Secret keys;USER_*gated onsecrets.userPasswordbecause the app never generates the user account (admin-only default)emptyDirat/app/datawhen persistence is off so bootstrap can write underreadOnlyRootFilesystemauthStricthelper mirroring the app'sisBootstrapEnabled()semanticslinux/arm64(image verified multi-arch on GHCR),prerelease: "false", changelog entries"",on,offforauthBootstrapNo chart version bump (release ritual handles it); no
package.jsonversion change, so nochart:bumpneeded.Verification
helm template/helm lintmatrix on helm 3.19.0 and 4.2.2authBootstrap=off) render output byte-identical to before