[maestrod] initial chart

.github/workflows/helm-docs.yaml

@@ -27,3 +27,10 @@ jobs:
           chart-search-root: charts/ai-assistant
           # git-push: true
           fail-on-diff: true
+
+      - name: Run helm-docs for Maestrod
+        uses: losisin/helm-docs-github-action@v1
+        with:
+          chart-search-root: charts/maestrod
+          # git-push: true
+          fail-on-diff: true

.github/workflows/lint-test.yaml

@@ -11,18 +11,24 @@ on:
 
 permissions:
   contents: read
+  id-token: write  # required for OIDC to assume the ECR-pull IAM role
 
 jobs:
   lint-test:
     runs-on: ubuntu-latest
+    env:
+      MAESTROD_ECR_REGISTRY: 111300957880.dkr.ecr.eu-west-1.amazonaws.com
+      MAESTROD_ECR_REPOSITORY: maestrod
+      MAESTROD_ECR_TAG: nightly
+      AWS_REGION: eu-west-1
     steps:
       - name: Checkout
         uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
       - name: Set up Helm
-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@v5
         with:
           version: latest
 
@@ -41,6 +47,12 @@ jobs:
           if [[ -n "$changed" ]]; then
             echo "changed=true" >> "$GITHUB_OUTPUT"
           fi
+          if echo "$changed" | grep -qx 'charts/maestrod'; then
+            echo "maestrod-changed=true" >> "$GITHUB_OUTPUT"
+          fi
+          if echo "$changed" | grep -v '^charts/maestrod$' | grep -q .; then
+            echo "non-maestrod-changed=true" >> "$GITHUB_OUTPUT"
+          fi
 
       - name: Run chart-testing (lint)
         if: steps.list-changed.outputs.changed == 'true'
@@ -50,16 +62,34 @@ jobs:
         if: steps.list-changed.outputs.changed == 'true'
         uses: helm/kind-action@v1
 
+      - name: Configure AWS credentials (for ECR pull)
+        if: steps.list-changed.outputs.maestrod-changed == 'true'
+        uses: aws-actions/configure-aws-credentials@v6
+        with:
+          role-to-assume: ${{ secrets.AWS_CI_ECR_ROLE_ARN }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Log in to Amazon ECR
+        if: steps.list-changed.outputs.maestrod-changed == 'true'
+        uses: aws-actions/amazon-ecr-login@v2
+
+      - name: Side-load maestrod image into kind
+        if: steps.list-changed.outputs.maestrod-changed == 'true'
+        run: |
+          IMAGE="${MAESTROD_ECR_REGISTRY}/${MAESTROD_ECR_REPOSITORY}:${MAESTROD_ECR_TAG}"
+          docker pull "$IMAGE"
+          kind load docker-image "$IMAGE" --name chart-testing
+
       - name: Install Gateway API CRDs
-        if: steps.list-changed.outputs.changed == 'true'
+        if: steps.list-changed.outputs.non-maestrod-changed == 'true'
         run: |
           kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.5.0/standard-install.yaml
           kubectl wait --for=condition=Established crd/gatewayclasses.gateway.networking.k8s.io --timeout=120s
           kubectl wait --for=condition=Established crd/gateways.gateway.networking.k8s.io --timeout=120s
           kubectl wait --for=condition=Established crd/httproutes.gateway.networking.k8s.io --timeout=120s
 
       - name: Install CloudNativePG
-        if: steps.list-changed.outputs.changed == 'true'
+        if: steps.list-changed.outputs.non-maestrod-changed == 'true'
         run: |
           helm repo add cnpg https://cloudnative-pg.github.io/charts
           helm upgrade --install cnpg \
@@ -84,7 +114,7 @@ jobs:
             --timeout=300s
 
       - name: Install Garage
-        if: steps.list-changed.outputs.changed == 'true'
+        if: steps.list-changed.outputs.non-maestrod-changed == 'true'
         run: |
           kubectl create namespace whatever --dry-run=client -o yaml | kubectl apply -f -
           cat <<'EOF' | kubectl apply -f -
@@ -226,11 +256,29 @@ jobs:
           EOF
           kubectl wait --namespace whatever --for=condition=complete job/garage-create-buckets --timeout=300s
 
-      - name: Run chart-testing (install)
-        if: steps.list-changed.outputs.changed == 'true'
+      - name: Run chart-testing (install) — public-image charts
+        if: steps.list-changed.outputs.non-maestrod-changed == 'true'
+        # Public Nutrient charts (document-engine, ai-assistant, …): keep the
+        # original `pullPolicy=Always` behaviour so the nightly tag is always
+        # re-pulled from Docker Hub. Maestrod is excluded here and installed
+        # separately below against its kind-loaded ECR image.
         run: |
           helm repo add nutrient https://pspdfkit.github.io/helm-charts
           ct install --target-branch ${{ github.event.repository.default_branch }} \
+                     --excluded-charts maestrod \
                      --helm-extra-args "--timeout 300s" \
                      --helm-extra-set-args "--set=image.tag=nightly" \
                      --helm-extra-set-args "--set=image.pullPolicy=Always"
+
+      - name: Run chart-testing (install) — maestrod (ECR side-loaded)
+        if: steps.list-changed.outputs.maestrod-changed == 'true'
+        # Maestrod's image lives in a private ECR; the workflow pulls it on
+        # the runner and side-loads it into the kind node above. We omit
+        # `pullPolicy=Always` here so kubelet uses the loaded image
+        # (the chart's `IfNotPresent` default) instead of trying to re-pull
+        # from a registry kind has no credentials for.
+        run: |
+          ct install --target-branch ${{ github.event.repository.default_branch }} \
+                     --charts charts/maestrod \
+                     --helm-extra-args "--timeout 300s" \
+                     --helm-extra-set-args "--set=image.tag=${MAESTROD_ECR_TAG}"

CLAUDE.md

@@ -15,14 +15,15 @@ Nutrient Helm Charts repository. Contains Kubernetes Helm charts for Nutrient pr
 |-------|-------------|
 | `document-engine` | Backend for document processing and automation workflows. Most complex chart. |
 | `ai-assistant` | AI Assistant application. Depends on `document-engine` chart. |
+| `maestrod` | Orchestration backend for Nutrient managed cloud workloads. Single stateless Deployment. |
 | `signing-service-example` | Example chart for demonstration. Excluded from CI. |
 | `simple-resource-wrapper` | Generic Kubernetes resource wrapper (Terraform workaround). |
 
 ## Code Generation — Do Not Edit Generated Files Directly
 
 ### README.md (helm-docs)
 
-README.md files for `document-engine` and `ai-assistant` are **auto-generated** by
+README.md files for `document-engine`, `ai-assistant`, and `maestrod` are **auto-generated** by
 [helm-docs](https://github.com/norwoodj/helm-docs). CI fails if they are out of sync.
 
 - **Template**: `charts/<chart>/README.md.gotmpl`
@@ -34,6 +35,7 @@ To regenerate locally:
 ```bash
 helm-docs --chart-search-root charts/document-engine
 helm-docs --chart-search-root charts/ai-assistant
+helm-docs --chart-search-root charts/maestrod
 ```
 
 ### values.schema.json (helm-values-schema-json)
@@ -49,6 +51,7 @@ To regenerate locally:
 ```bash
 cd charts/document-engine && helm schema -input values.yaml -draft 2020 -indent 2 -output values.schema.json
 cd charts/ai-assistant && helm schema -input values.yaml -draft 2020 -indent 2 -output values.schema.json
+cd charts/maestrod && helm schema
 ```
 
 ## values.yaml Comment Conventions
@@ -135,6 +138,7 @@ After modifying any chart, regenerate derived files before committing:
    ```bash
    helm-docs --chart-search-root charts/document-engine
    helm-docs --chart-search-root charts/ai-assistant
+   helm-docs --chart-search-root charts/maestrod
    ```
 2. **values.schema.json** — run `helm schema` whenever `values.yaml` schema annotations change:
    ```bash

README.md

@@ -21,6 +21,14 @@ helm upgrade --install -n document-engine \
      -f ./document-engine-values.yaml
 ```
 
+### Maestrod
+
+```
+helm upgrade --install -n maestrod \
+     maestrod nutrient/maestrod \
+     -f ./maestrod-values.yaml
+```
+
 ## Support, Issues and License Questions
 
 Nutrient offers support via https://support.nutrient.io/hc/en-us/requests/new

charts/maestrod/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/maestrod/.schema.yaml

@@ -0,0 +1,6 @@
+input:
+  - values.yaml
+
+draft: 2020
+indent: 2
+output: values.schema.json

charts/maestrod/CHANGELOG.md

@@ -0,0 +1,32 @@
+# Changelog
+
+- [Changelog](#changelog)
+  - [0.5.0 (2026-05-27)](#050-2026-05-27)
+    - [Added](#added)
+
+## 0.5.0 (2026-05-27)
+
+First public release. Value-compatible with the internal `0.3.4` chart; the
+following defaults changed — set them explicitly to preserve old behaviour:
+
+```yaml
+image:
+  repository: <account>.dkr.ecr.eu-west-1.amazonaws.com/maestrod  # now pspdfkit/maestrod
+  tag: nightly                  # now empty (→ appVersion)
+  pullPolicy: Always                                                   # now IfNotPresent
+imagePullSecrets: <...>
+podLabels: { component_name: maestrod }  # now {}
+restartJob:
+  registryAuthSecretName: "<...>" # now ""
+```
+
+### Added
+
+- `/health` HTTP defaults for `startupProbe` / `livenessProbe` / `readinessProbe`.
+- `NUTRIENT_SHOW_SCALAR` / `NATIVESDK_VISION_LOGS` via ConfigMap with
+  `checksum/config` rollout trigger.
+- `serviceAccount`, `autoscaling`, `podDisruptionBudget`, `deploymentAnnotations`,
+  `topologySpreadConstraints`, `schedulerName`, `lifecycle`, `extra*`,
+  `sidecars`, `initContainers`.
+- `licenseSecret.name: ""` skips the `NUTRIENT_LICENSE_KEY` env var.
+- Generated `README.md` + `values.schema.json`; `ci/` values; `helm test` probe.

charts/maestrod/Chart.yaml

@@ -0,0 +1,17 @@
+apiVersion: v2
+name: maestrod
+type: application
+description: Maestrod, the orchestration backend for Nutrient managed cloud workloads.
+home: https://www.nutrient.io
+icon: https://cdn.prod.website-files.com/65fdb7696055f07a05048833/66e58e33c3880ff24aa34027_nutrient-logo.png
+version: 0.5.0
+appVersion: "v1.1.1"
+
+keywords:
+  - nutrient
+  - maestrod
+
+maintainers:
+  - name: Nutrient
+    email: support@nutrient.io
+    url: https://www.nutrient.io

charts/maestrod/LICENSE

@@ -0,0 +1,42 @@
+The Nutrient Sample applications are licensed with a modified BSD
+license. In plain language: you're allowed to do whatever you wish
+with the code, modify, redistribute, embed in your products (free or
+commercial), but you must include copyright, terms of usage and
+disclaimer as stated in the license.
+
+You will require a commercial Nutrient License to run these examples
+in non-demo mode. Please refer to sales@nutrient.io for details.
+
+Copyright © 2018-present PSPDFKit GmbH.
+All rights reserved.
+
+Redistribution and use in source or binary forms,
+with or without modification, are permitted provided
+that the following conditions are met:
+
+- Redistributions of source code must retain the above copyright
+  notice, this list of conditions and the following disclaimer.
+
+- Redistributions in binary form must reproduce the above copyright
+  notice, this list of conditions and the following disclaimer in the
+  documentation and/or other materials provided with the
+  distribution.
+
+- Redistributions of Nutrient Samples must include attribution to
+  Nutrient, either in documentation or other appropriate media.
+
+- Neither the name of the Nutrient, PSPDFKit GmbH, nor its developers
+  may be used to endorse or promote products derived from
+  this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.