feat(helm): add optional PostgreSQL backing store with Secret-based credentials #1579

Draft
sauagarwa wants to merge 2 commits into NVIDIA:main from sauagarwa:feat/helm-postgres-secret

Conversation

@sauagarwa
Contributor

Summary

Add an optional PostgreSQL backing store to the Helm chart as an alternative to the default SQLite database. Credentials are stored in a Kubernetes Secret and injected via the OPENSHELL_DB_URL environment variable, avoiding exposure in CLI args, pod specs, or process listings.

Related Issue

N/A

Changes

  • New postgres values block supporting three modes: SQLite (default), bundled Bitnami PostgreSQL (mode=internal), and external PostgreSQL (mode=external or external.url)
  • New db-secret.yaml template — Kubernetes Secret created only when postgres.enabled=true, containing the composed database URL
  • StatefulSet update — conditional --db-url CLI arg (SQLite only) and OPENSHELL_DB_URL env var via secretKeyRef (PostgreSQL), plus a checksum annotation for rollout on credential change
  • Credential safety — urlquery encoding on username/password, required guards on auth.password (internal) and external.host/external.password (external mode), no hardcoded default password
  • Bitnami PostgreSQL subchart dependency (v18.6.7, conditional on postgres.enabled)
  • Helm test coverage — 12 new test cases covering Secret creation, env var injection, URL encoding, external URL verbatim, and required-field validation errors
  • .gitignore — exclude deploy/helm/openshell/charts/ (regenerated by helm dependency build); commit Chart.lock for reproducibility
  • deploy-openshell-cluster skill — new agent skill for deploying the gateway with optional PostgreSQL configuration
  • Documentation — README database backend section, values.yaml comments documenting Bitnami subchart coupling

Testing

  • helm lint passes (defaults + all 5 CI variants)
  • helm unittest passes (30/30 tests across 3 suites)
  • helm template verified for SQLite default, internal postgres, and external postgres modes
  • required guard verified: helm template --set postgres.enabled=true fails with clear error when password is missing
  • mise run pre-commit (Rust compile not applicable — Helm-only changes)
  • E2E tests added/updated (not applicable — no runtime changes)

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
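
The credential-safety bullet above relies on `urlquery` to make the username and password safe inside the composed `OPENSHELL_DB_URL`. The Go program below is an added example, not code from this PR or from the OpenShell chart, showing why that encoding is needed and one caveat a reviewer would want checked: the `urlquery` builtin of Go's text/template (which Helm templates inherit) is `url.QueryEscape`, which encodes a space as `+`, and a URI parser decoding the userinfo part of a URL leaves `+` as a literal plus, so a password containing a space round-trips wrong even though the Secret "looks" encoded. The three `compose*` functions, the `conn` holder standing in for the chart's `postgres.*` values, the hostname `postgres` and the sample credentials are all constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
)

// conn is a stand-in for the chart's postgres.* values (constructed for this example).
type conn struct {
	user, pass, host string
	port             int
	db               string
}

// composeRaw is the unsafe variant: credentials dropped into the URL verbatim.
func composeRaw(c conn) string {
	return fmt.Sprintf("postgresql://%s:%s@%s:%d/%s", c.user, c.pass, c.host, c.port, c.db)
}

// composeQueryEscaped mirrors a template doing {{ urlquery .Values.postgres.auth.password }}:
// text/template's urlquery builtin is url.QueryEscape, which turns a space into "+".
func composeQueryEscaped(c conn) string {
	return fmt.Sprintf("postgresql://%s:%s@%s:%d/%s",
		url.QueryEscape(c.user), url.QueryEscape(c.pass), c.host, c.port, c.db)
}

// composeUserinfoEscaped builds the URL with net/url, which applies the
// userinfo escaping rules (space becomes %20, "@" becomes %40, ":" becomes %3A).
func composeUserinfoEscaped(c conn) string {
	u := url.URL{
		Scheme: "postgresql",
		User:   url.UserPassword(c.user, c.pass),
		Host:   fmt.Sprintf("%s:%d", c.host, c.port),
		Path:   "/" + c.db,
	}
	return u.String()
}

// recoverPassword parses a DB URL the way a client library does and returns
// the password it would actually send, or an error if the URL does not parse.
func recoverPassword(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.User == nil {
		return "", fmt.Errorf("no userinfo in %q", raw)
	}
	pw, _ := u.User.Password()
	return pw, nil
}

func main() {
	// Constructed sample credentials: the password mixes "@", ":" and a space.
	creds := conn{user: "openshell", pass: "p@ss:w0rd 1", host: "postgres", port: 5432, db: "openshell"}
	variants := []struct {
		name    string
		compose func(conn) string
	}{
		{"raw", composeRaw},
		{"urlquery", composeQueryEscaped},
		{"userinfo", composeUserinfoEscaped},
	}
	for _, v := range variants {
		s := v.compose(creds)
		got, err := recoverPassword(s)
		fmt.Printf("%-9s %s\n          recovered=%q match=%v err=%v\n", v.name, s, got, got == creds.pass, err)
	}
}
```

Run it with `go run`: the raw URL fails to parse at all, the `urlquery` URL parses but hands the client `p@ss:w0rd+1`, and only the userinfo-escaped URL recovers the original password. Because `url.QueryEscape` encodes a literal `+` as `%2B`, any `+` left in its output can only have come from a space, so a template can post-process with Sprig's `replace "+" "%20"` after `urlquery`, or the chart can restrict generated passwords to URL-safe characters; the required guards described in the PR do not catch this case.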

@copy-pr-bot

copy-pr-bot Bot commented May 26, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@sauagarwa force-pushed the feat/helm-postgres-secret branch 3 times, most recently from 1fc9bef to 253051f (May 26, 2026 22:07)
@sauagarwa marked this pull request as draft (May 26, 2026 22:07)

…redentials

Add postgres.enabled toggle supporting three modes: SQLite (default),
bundled Bitnami PostgreSQL (internal), and external PostgreSQL. Database
credentials are stored in a Kubernetes Secret and injected via the
OPENSHELL_DB_URL env var to avoid exposing passwords in CLI args, pod
specs, or process listings. Passwords are URL-encoded via urlquery, and
required guards prevent misconfiguration (missing password or host).

@sauagarwa force-pushed the feat/helm-postgres-secret branch from 253051f to d8d0be7 (May 26, 2026 22:15)

- JWT signing key defaultMode auto-selects 0440 (fsGroup set) or 0444
  (OpenShift random UID) instead of unconditional 0444. Configurable
  via server.sandboxJwt.secretDefaultMode for strict environments.
- Deploy skill: guard against empty --version on OCI deploys, support
  local chart paths with dependency build, add CLEAN_INSTALL opt-in
  for stale PVC cleanup, and improve version derivation logic.