Skip to content

fix(helm): install with default values — zero-config bootstrap as chart default#165

Merged
cevheri merged 7 commits into
mainfrom
fix/helm-zero-config-defaults
Jul 7, 2026
Merged

fix(helm): install with default values — zero-config bootstrap as chart default#165
cevheri merged 7 commits into
mainfrom
fix/helm-zero-config-defaults

Conversation

@yusuf-gundogdu

@yusuf-gundogdu yusuf-gundogdu commented Jul 6, 2026

Copy link
Copy Markdown
Member

Summary

The Rancher partner-charts repository requires charts to be deployable with default values; the chart previously failed at render time (secrets.jwtSecret required). This PR makes helm install libredb libredb/libredb-studio work with no values set by defaulting config.authBootstrap to "", so the app's zero-config first run (#109) engages: generated admin credentials are printed once to the pod log and stored in /app/data/auth-bootstrap.json.

Changes

  • secret.yaml: required validations only in strict mode (authBootstrap=off); empty keys are omitted otherwise
  • deployment.yaml: JWT_SECRET/ADMIN_EMAIL/ADMIN_PASSWORD/USER_EMAIL/USER_PASSWORD envs render only when set or via existingSecret (optional: true, the LLM_API_KEY pattern) so pods never reference missing Secret keys; USER_* gated on secrets.userPassword because the app never generates the user account (admin-only default)
  • deployment.yaml: mount an emptyDir at /app/data when persistence is off so bootstrap can write under readOnlyRootFilesystem
  • _helpers.tpl: authStrict helper mirroring the app's isBootstrapEnabled() semantics
  • NOTES.txt: first-run credential retrieval, admin-only note, persistence caveat; strict-mode output unchanged
  • Chart.yaml: declare linux/arm64 (image verified multi-arch on GHCR), prerelease: "false", changelog entries
  • values.schema.json: enum "", on, off for authBootstrap
  • Docs: chart README, HELM_CHART.md, DISTRIBUTION.md (Helm: expose AUTH_BOOTSTRAP and document zero-config vs strict mode #118 note), new RANCHER.md (supported versions, Rancher Apps install, validated table)

No chart version bump (release ritual handles it); no package.json version change, so no chart:bump needed.

Verification

  • 61-assertion helm template/helm lint matrix on helm 3.19.0 and 4.2.2
  • 16/16 e2e on K3s v1.31.14+k3s1 and v1.35.5+k3s1 (k3d v5.9.0): default install to Ready, banner login 200, health 200, container restart keeps credentials, pod recreation regenerates them
  • Strict-mode (authBootstrap=off) render output byte-identical to before

…rt default

The Rancher partner-charts repository requires charts to be deployable
with default values; the chart previously failed at render time
(secrets.jwtSecret required). Default config.authBootstrap to "" so the
app's zero-config first run (#109) engages: generated credentials are
printed once to the pod log and stored in /app/data/auth-bootstrap.json.

- secret.yaml: required validations only in strict mode
  (authBootstrap=off); empty keys are omitted otherwise
- deployment.yaml: JWT_SECRET/ADMIN_EMAIL/ADMIN_PASSWORD/USER_EMAIL/
  USER_PASSWORD envs render only when set or via existingSecret
  (optional: true, the LLM_API_KEY pattern) so pods never reference
  missing Secret keys; USER_* gated on secrets.userPassword because the
  app never generates the user account (admin-only default)
- deployment.yaml: mount an emptyDir at /app/data when persistence is
  off so bootstrap can write under readOnlyRootFilesystem
- _helpers.tpl: authStrict helper mirroring the app's
  isBootstrapEnabled() semantics
- NOTES.txt: first-run credential retrieval, admin-only note,
  persistence caveat; strict-mode output unchanged
- Chart.yaml: declare linux/arm64 (image verified multi-arch on GHCR),
  prerelease "false", changelog entries (Track line kept for chart:bump)
- values.schema.json: enum "", on, off for authBootstrap
- docs: chart README, HELM_CHART.md, DISTRIBUTION.md (#118 note), new
  RANCHER.md (supported versions, Rancher Apps install, validated table)

Verified: 61-assertion helm template/lint matrix on helm 3.19.0 and
4.2.2; 16/16 e2e on K3s v1.31.14+k3s1 and v1.35.5+k3s1 (k3d v5.9.0) -
default install to Ready, banner login 200, health 200, container
restart keeps credentials, pod recreation regenerates them; strict
regression byte-identical. No chart version bump (release ritual).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the charts/libredb-studio Helm chart so it can be installed/rendered with default values (zero-config bootstrap) to satisfy catalog requirements (e.g., Rancher partner-charts), while keeping a strict mode (config.authBootstrap=off) available for fail-fast secret enforcement.

Changes:

  • Default config.authBootstrap to "" (omit AUTH_BOOTSTRAP) and add schema enum validation for "" | on | off.
  • Make chart templates tolerant of unset secrets by conditionally rendering Secret keys and Deployment env entries, and mount /app/data via emptyDir when persistence is disabled.
  • Expand documentation for Rancher install flow, bootstrap credential retrieval, and strict vs zero-config behavior.

Reviewed changes

Copilot reviewed 11 out of 12 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
docs/RANCHER.md Adds Rancher-specific install/validation guidance and a validated-matrix table.
docs/HELM_CHART.md Updates chart architecture notes to reflect zero-config bootstrap and /app/data volume behavior.
docs/DISTRIBUTION.md Updates distribution docs to reflect the new zero-config default and strict-mode option.
charts/libredb-studio/values.yaml Changes default config.authBootstrap to "" and updates inline docs.
charts/libredb-studio/values.schema.json Constrains config.authBootstrap to ["", "on", "off"] and updates description.
charts/libredb-studio/templates/secret.yaml Makes required validations conditional on strict mode; omits empty keys by default.
charts/libredb-studio/templates/NOTES.txt Updates post-install notes for zero-config credential retrieval and persistence caveats.
charts/libredb-studio/templates/deployment.yaml Conditionally renders env vars; always mounts /app/data with PVC or emptyDir.
charts/libredb-studio/templates/_helpers.tpl Adds authStrict helper to mirror app bootstrap semantics.
charts/libredb-studio/README.md Updates installation instructions and documents zero-config vs strict mode.
charts/libredb-studio/Chart.yaml Updates Artifact Hub annotations (prerelease flag, arm64 platform, changelog).
.gitignore Ignores SQLite WAL/SHM files for local test DBs.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread charts/libredb-studio/templates/NOTES.txt
Comment thread charts/libredb-studio/templates/deployment.yaml
Comment thread charts/libredb-studio/templates/deployment.yaml
Comment thread charts/libredb-studio/templates/deployment.yaml
Comment thread charts/libredb-studio/templates/deployment.yaml
…eview

Review follow-up for PR #165:

- secrets.userPassword is no longer required in strict mode and the docs
  no longer present it as mandatory: the non-admin account is an optional
  app feature that exists only when USER_PASSWORD is set and is never
  generated (src/lib/local-auth.ts). Strict mode now requires exactly
  what the app needs to run: secrets.jwtSecret and secrets.adminPassword.
- With secrets.existingSecret, JWT_SECRET and ADMIN_PASSWORD are hard
  secretKeyRefs in strict mode (no optional: true), so the pod waits for
  missing keys instead of starting without auth env - this also covers
  external-secret operators materializing the Secret after install.
  Zero-config mode keeps optional: true: partial existing secrets are
  supported and missing values are generated at first start.
- Docs sync: chart README (examples no longer pass userPassword; the
  external-secret key list distinguishes required-in-strict vs optional),
  HELM_CHART.md, DISTRIBUTION.md, RANCHER.md, values.yaml comments,
  values.schema.json, artifacthub.io/changes.

The NOTES.txt "not (include ...) type mismatch" review comment is not
applied: Go template not() operates on truthiness (no type error on
strings), verified by helm lint --strict on helm 3.19/4.2 and rendered
NOTES in real installs on K3s v1.31/v1.35.

Template/lint matrix re-run: 69 assertions, 0 failures on helm 3.19.0
and 4.2.2; the default-values render is byte-identical to the previous
commit, so the two-cluster e2e evidence for the default path stands.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 11 out of 12 changed files in this pull request and generated 2 comments.

Comment thread charts/libredb-studio/values.schema.json
Comment thread charts/libredb-studio/templates/secret.yaml Outdated
- secret.yaml: always render the admin-email key (falling back to the
  app default admin@libredb.org when secrets.adminEmail is cleared), so
  the Secret data map can never render as null. Empty adminEmail is
  already rejected by values.schema.json (format: email); this covers
  installs that bypass validation (--skip-schema-validation).
- _helpers.tpl: document why authStrict accepts the app's "false"/"0"
  synonyms beyond the schema enum - a schema-bypassed install must stay
  strict in both the chart and the app instead of splitting half-strict.

Template/lint matrix: 71 assertions, 0 failures (helm 3.19.0 + 4.2.2);
the default-values render is unchanged.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 11 out of 12 changed files in this pull request and generated 2 comments.

Comment thread charts/libredb-studio/templates/secret.yaml
Comment thread docs/HELM_CHART.md Outdated
Review follow-up (PR #165): the readOnlyRootFilesystem section implied
all three writable mounts are emptyDirs; /app/data is the PVC when
persistence is enabled.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
cevheri added 2 commits July 7, 2026 11:23
…, CI default-install

Review findings on the zero-config default:

- deployment.yaml: refuse zero-config renders with replicaCount > 1 or
  autoscaling enabled unless secrets.jwtSecret or secrets.existingSecret is
  set - each pod would otherwise generate its own JWT secret and break
  sessions across replicas
- values.schema.json: replace the ["", "on", "off"] enum with a
  case-insensitive pattern that also accepts the app's documented synonyms
  (true/false/0/1), so values files that were valid before this chart
  version keep working on helm upgrade
- NOTES.txt: warn when the JWT secret will be generated (adminPassword set
  without jwtSecret, or OIDC) - pod recreation invalidates sessions without
  persistence; the old chart failed fast on this combination
- chart README: document the strict-to-zero-config default flip in
  Upgrading (existingSecret refs become optional: true) and the
  single-replica constraint of zero-config
- helm-release.yml: add a default-values ct install run so the "deployable
  with default values" promise is exercised in CI
- root README: sync the Helm quickstart with the zero-config default
JSON Schema's regex dialect is ECMA-262, which has no inline (?i) flag -
a JavaScript-based validator (catalog tooling, IDE YAML validation) would
reject the pattern as a syntax error even though Go's engine accepts it.
Spell the case-insensitivity with character classes instead; behavior
under helm is unchanged (verified: synonyms accepted, garbage rejected,
and the pattern compiles in both engines).
@cevheri
cevheri requested a review from Copilot July 7, 2026 08:56
@cevheri cevheri added documentation Improvements or additions to documentation enhancement New feature or request labels Jul 7, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 13 out of 14 changed files in this pull request and generated 2 comments.

Comment thread charts/libredb-studio/values.schema.json
Comment thread charts/libredb-studio/templates/_helpers.tpl
… comment

Review follow-ups:

- values.schema.json: require a real token when the value is non-empty
  (whitespace-only strings passed the pattern, rendered AUTH_BOOTSTRAP as
  whitespace, and only produced an app warn log); "" and
  whitespace-wrapped tokens like " off " remain valid
- _helpers.tpl: the authStrict comment still described the old
  ""/"on"/"off" enum; document the synonym set the schema now accepts
@sonarqubecloud

sonarqubecloud Bot commented Jul 7, 2026

Copy link
Copy Markdown

@cevheri
cevheri merged commit 3a22428 into main Jul 7, 2026
16 checks passed
@cevheri
cevheri deleted the fix/helm-zero-config-defaults branch July 7, 2026 09:17
cevheri added a commit that referenced this pull request Jul 7, 2026
…rt:bump) (#168)

Release bump: package.json 0.9.50; Chart.yaml version 0.1.9 / appVersion 0.9.50; chart README synced. Chart 0.1.9 is the first published version carrying the zero-config default-install changes from #165.
cevheri added a commit that referenced this pull request Jul 11, 2026
Five first-run/install-path bugs fixed by an autonomous, test-gated maintainer loop working
from a fixed queue of filed issues, one commit per issue originally, squashed here.

- #134 - deb/rpm and Homebrew wrappers now default to a loopback bind (127.0.0.1) on a direct
  run instead of leaking an inherited HOSTNAME; LIBREDB_BIND opts in to a different address.
  The systemd unit path is untouched (INVOCATION_ID guard).
- #135 - the Homebrew formula's direct-run wrapper now defaults STORAGE_SQLITE_PATH outside the
  versioned Cellar keg, so credentials and SQLite state survive brew upgrade.
- #132 - npx @libredb/studio --verify-cache (and --archive) no longer wipes payload/data/ on
  re-extraction.
- #133 - the standalone release tarball now packs under a top-level libredb-studio-<version>/
  directory instead of spilling at archive root; npx launcher and deb/rpm/snap release jobs
  updated to strip that one path component.
- #137 - the underlying fix (writable /app/data via emptyDir on a default install) had already
  shipped in #165; this adds the regression test that was missing.

Also includes: CI fixes for the new Helm-dependent unit test (build chart deps + pin Helm
version), a version bump to 0.9.51 (with chart:bump sync), and hardening of the maintainer-loop
scaffold itself for future fully-autonomous runs against the public issue tracker.

Refs #132, #133, #134, #135, #137 (left open; closed manually after verifying in production).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

documentation Improvements or additions to documentation enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants