Merge mvp_demo changes to master

[chandrams]

Summary by Sourcery

Add a new Helm chart for deploying Kruize with configurable DB and UI components, along with platform-specific values and CI workflows.

New Features:

• Provide a fully featured Helm chart to deploy Kruize, including API, PostgreSQL database, and NGINX-based UI, with configurable resources and services for different environments.
• Add configurable cron jobs for database partition management and optional Prometheus ServiceMonitor and NetworkPolicy resources.

Build:

• Define the Kruize Helm chart metadata, default values, and schema for packaging and distribution.

CI:

• Add GitHub Actions workflows to lint the Helm chart and run helm-unittest with multiple values files.
• Add a GitHub Actions workflow to package and publish the Helm chart to GHCR on tagged releases.

Documentation:

• Document Helm-based installation, configuration, and testing for Kruize, including platform-specific guidance.

Tests:

• Introduce helm-unittest suites covering default, OpenShift, and Minikube configurations for Kruize core, DB, UI, RBAC, storage, cron jobs, monitoring, and network policies.

[sourcery-ai]

Reviewer's Guide

Introduces a fully structured Kruize Helm chart (including values for default, OpenShift, and Minikube), adds corresponding Kubernetes templates, and wires up CI workflows for linting, unit testing, and publishing the chart to GHCR.

File-Level Changes

Change	Details	Files
Add fully parameterized Kruize Helm chart with defaults and environment-specific overrides for OpenShift and Minikube.	Define chart metadata and helpers for names/labels in Chart.yaml and _helpers.tpl. Introduce default values.yaml plus values-openshift.yaml and values-minikube.yaml to capture platform-specific behaviors (RBAC, SA usage, resources, monitoring, storage). Document all values and installation flows in a detailed charts/kruize/README.md and surface it at repo root.	charts/kruize/Chart.yaml charts/kruize/_helpers.tpl charts/kruize/values.yaml charts/kruize/values-openshift.yaml charts/kruize/values-minikube.yaml charts/kruize/README.md README.md
Implement core Kubernetes templates for Kruize API, DB, UI, storage, RBAC, monitoring, and supporting resources.	Add Deployments, Services, ConfigMaps, and CronJobs for Kruize backend and DB, including config-driven env, resources, and init containers. Add UI nginx Deployment/Service and nginx ConfigMap for routing UI to the Kruize API. Add storage PV/PVC and a manual StorageClass, plus optional NetworkPolicy, ServiceMonitor, ServiceAccount, and ClusterRole/ClusterRoleBindings for recommendation updating, edit-ko, instaslices, monitoring, and OpenShift SCC.	charts/kruize/templates/kruize_deployment.yaml charts/kruize/templates/kruize_service.yaml charts/kruize/templates/kruize_db_deployment.yaml charts/kruize/templates/kruize_db_service.yaml charts/kruize/templates/configmap_kruize.yaml charts/kruize/templates/configmap_nginx.yaml charts/kruize/templates/kruize_ui_nginx_deployment.yaml charts/kruize/templates/kruize_ui_nginx_service.yaml charts/kruize/templates/storage_pv.yaml charts/kruize/templates/storage_pvc.yaml charts/kruize/templates/storage_manual.yaml charts/kruize/templates/service_account.yaml charts/kruize/templates/role.yaml charts/kruize/templates/rolebinding.yaml charts/kruize/templates/network_policy.yaml charts/kruize/templates/service_monitor.yaml charts/kruize/templates/cronjobs.yaml
Add extensive helm-unittest coverage for default, OpenShift, and Minikube configurations.	Introduce test suites validating core resources (deployments, services, configmaps, cronjobs, storage, RBAC, network policy, ServiceMonitor, UI) under default values. Add separate test suites for OpenShift-specific behavior (RBAC, service account, deployment) and Minikube-specific overrides (no resources, default SA, storage, monitoring, network policies). Provide tests README describing structure, execution patterns, and guidance for extending tests.	charts/kruize/tests/README.md charts/kruize/tests/with-default-values/configmap_test.yaml charts/kruize/tests/with-default-values/cronjobs_test.yaml charts/kruize/tests/with-default-values/kruize_db_deployment_test.yaml charts/kruize/tests/with-default-values/kruize_db_service_test.yaml charts/kruize/tests/with-default-values/kruize_service_test.yaml charts/kruize/tests/with-default-values/kruize_ui_test.yaml charts/kruize/tests/with-default-values/network_policy_test.yaml charts/kruize/tests/with-default-values/service_monitor_test.yaml charts/kruize/tests/with-default-values/storage_test.yaml charts/kruize/tests/with-openshift-values/kruize_deployment_test.yaml charts/kruize/tests/with-openshift-values/rbac_test.yaml charts/kruize/tests/with-minikube-values/kruize_db_deployment_minikube_test.yaml charts/kruize/tests/with-minikube-values/kruize_deployment_minikube_test.yaml charts/kruize/tests/with-minikube-values/network_policy_minikube_test.yaml charts/kruize/tests/with-minikube-values/rbac_minikube_test.yaml charts/kruize/tests/with-minikube-values/service_monitor_minikube_test.yaml charts/kruize/tests/with-minikube-values/storage_minikube_test.yaml
Introduce CI workflows for Helm linting, unit testing, and publishing chart releases to GHCR.	Add helm-lint GitHub Actions workflow to lint the chart with default, Minikube, and OpenShift values and validate required chart structure. Add helm-unittest workflow to run unit tests across all value sets, emit JUnit/HTML reports, upload artifacts, and enforce pass/fail based on parsed test results. Add release_to_ghcr workflow to package the chart on version tag pushes and push it as an OCI package to GHCR using helm registry login.	.github/workflows/helm-lint.yaml .github/workflows/helm-unittest.yaml .github/workflows/release_to_ghcr.yml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 5 issues, and left some high level feedback:

• The NetworkPolicy template hardcodes the prometheus pod label selector and port (app.kubernetes.io/name: prometheus, port 9090); consider making the target labels and port configurable via values so it can work with clusters that use different labels or ports for Prometheus.
• The cronjobs.yaml template derives LOGGING_LEVEL, DB_CONFIG_FILE, and KRUIZE_CONFIG_FILE by scanning kruize.env, which can become fragile if env var names change; you might want to drive those values directly from dedicated config keys (or helper functions) instead of coupling the cronjob behavior to the env array layout.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The NetworkPolicy template hardcodes the prometheus pod label selector and port (app.kubernetes.io/name: prometheus, port 9090); consider making the target labels and port configurable via values so it can work with clusters that use different labels or ports for Prometheus.
- The cronjobs.yaml template derives LOGGING_LEVEL, DB_CONFIG_FILE, and KRUIZE_CONFIG_FILE by scanning kruize.env, which can become fragile if env var names change; you might want to drive those values directly from dedicated config keys (or helper functions) instead of coupling the cronjob behavior to the env array layout.

## Individual Comments

### Comment 1
<location path="charts/kruize/templates/role.yaml" line_range="8-10" />
<code_context>
+metadata:
+  name: {{ $fullName }}-recommendation-updater
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - customresourcedefinitions
</code_context>
<issue_to_address>
**issue (bug_risk):** Avoid listing `customresourcedefinitions` under the core (`""`) API group to prevent role creation failures.

In this rule, `customresourcedefinitions` is incorrectly listed under `apiGroups: ["""]`; CRDs only exist in `apiextensions.k8s.io`, which you already cover in the next rule. This mismatch can cause ClusterRole creation to fail. Please remove `customresourcedefinitions` from this rule and rely on the `apiextensions.k8s.io` rule instead.
</issue_to_address>

### Comment 2
<location path="charts/kruize/templates/cronjobs.yaml" line_range="26-27" />
<code_context>
+metadata:
+  name: {{ .Release.Name }}-create-partition
+  namespace: {{ $namespace }}
+spec:
+  schedule: {{ default "0 0 25 * *" .Values.cronJob.createSchedule | quote }} # Run on 25th of every month at midnight
+  jobTemplate:
+    spec:
</code_context>
<issue_to_address>
**suggestion:** Both CronJobs share the same `createSchedule` value, making it impossible to independently configure delete schedule.

Since both the create- and delete-partition CronJobs read from `.Values.cronJob.createSchedule`, their schedules are unintentionally coupled and retention can’t be tuned separately. Please introduce a dedicated value (e.g., `.Values.cronJob.deleteSchedule`) for the delete CronJob so its schedule can be configured independently, while keeping a sensible default aligned with the create schedule.

Suggested implementation:

```
  schedule: {{ default "0 0 25 * *" .Values.cronJob.createSchedule | quote }} # Run on 25th of every month at midnight

```

```
  name: {{ .Release.Name }}-delete-partition
  namespace: {{ $namespace }}
spec:
  # Default precedence:
  # 1) .Values.cronJob.deleteSchedule (delete-specific override)
  # 2) .Values.cronJob.createSchedule (align with create schedule by default)
  # 3) "0 0 25 * *" (midnight on the 25th of every month)
  schedule: {{ default (default "0 0 25 * *" .Values.cronJob.createSchedule) .Values.cronJob.deleteSchedule | quote }}

```

1. In `values.yaml` (or the appropriate values file), introduce a new value under `cronJob`:
   ```yaml
   cronJob:
     createSchedule: "0 0 25 * *"
     # Optional, defaults to `createSchedule` when unset
     deleteSchedule: ""
   ```
   Leaving `deleteSchedule` empty (or omitting it) ensures it inherits the `createSchedule` value by default.
2. Update any documentation or Helm chart README to mention `cronJob.deleteSchedule` as a configurable value for the delete-partition CronJob.
</issue_to_address>

### Comment 3
<location path="charts/kruize/values.yaml" line_range="129-133" />
<code_context>
+      - ReadWriteMany
+  ## @param db.user User for Kruize DB container
+  user: admin
+  ## @param db.password User for Kruize DB container
+  password: admin
+  ## @param db.adminUser Admin User for Kruize DB container
+  adminUser: admin
+  ## @param db.adminPassword Admin password for Kruize DB container
+  adminPassword: admin
+  ## @param db.name Name of the Kruize DB
</code_context>
<issue_to_address>
**🚨 suggestion (security):** Storing database credentials in plain text values and ConfigMaps is a security risk; consider using Kubernetes Secrets.

These fields are defined directly in `values.yaml` and rendered into `configmap_kruize.yaml` (`dbconfigjson`), so credentials are stored in plaintext and likely end up in source control. Please load them from Kubernetes Secrets (e.g., via `envFrom`/`valueFrom` or mounted files) and keep any chart defaults non-sensitive or limited to local/demo use only.

Suggested implementation:

```
  ## @param db.credentialsSecretName Name of the Kubernetes Secret containing DB user credentials
  ## The Secret is expected to provide:
  ##   - user: database username
  ##   - password: database password
  ## If empty, you must create and specify a Secret name before deploying in non-demo environments.
  credentialsSecretName: ""
  ## @param db.adminCredentialsSecretName Name of the Kubernetes Secret containing DB admin credentials
  ## The Secret is expected to provide:
  ##   - adminUser: admin database username
  ##   - adminPassword: admin database password
  ## If empty, you must create and specify a Secret name before deploying in non-demo environments.
  adminCredentialsSecretName: ""

```

To fully implement the change and avoid storing credentials in plaintext:
1. In `charts/kruize/templates/configmap_kruize.yaml` (or wherever `dbconfigjson` is rendered), stop inlining `db.user`, `db.password`, `db.adminUser`, and `db.adminPassword` into the ConfigMap. Instead, remove those fields from the JSON or mark them as being loaded from environment variables.
2. In the Deployment/StatefulSet template(s) for the Kruize DB container:
   - Add `env` entries that use `valueFrom.secretKeyRef` referencing `.Values.db.credentialsSecretName` and `.Values.db.adminCredentialsSecretName` for `user`, `password`, `adminUser`, and `adminPassword` as needed.
   - Ensure the keys in the Kubernetes Secrets match the names documented in `values.yaml` (`user`, `password`, `adminUser`, `adminPassword`).
3. Optionally, for local/demo use, you may provide an example Secret manifest (e.g., `examples/kruize-db-secret.yaml`) instead of embedding credentials in `values.yaml`.
</issue_to_address>

### Comment 4
<location path="charts/kruize/README.md" line_range="105" />
<code_context>
+| `kruize.config.monitoringEndPoint` | Monitoring endpoint | `prometheus-k8s` |
+| `kruize.config.saveToDB` | Enable saving data to database | `true` |
+| `kruize.config.dbDriver` | Database driver | `jdbc:postgresql://` |
+| `kruize.config.plots` | Enable plots generation | `true` |
+| `kruize.config.isROSEnabled` | Enable ROS (Resource Optimization Service) | `false` |
+| `kruize.config.local` | Run in local mode | `true` |
</code_context>
<issue_to_address>
**nitpick (typo):** Consider rephrasing "plots generation" to "plot generation" for better grammar.

Alternatively, you could use "Enable generation of plots," which is also grammatically correct and clear.

```suggestion
| `kruize.config.plots` | Enable plot generation | `true` |
```
</issue_to_address>

### Comment 5
<location path="charts/kruize/README.md" line_range="145" />
<code_context>
+| `kruize.config.datasource` | Array of datasource configurations | `[]` (empty, platform-specific) |
+
+**Note:** Datasource configuration is platform-specific:
+- **OpenShift**: Configured in `values-openshift.yaml` with prometheus-k8s and thanos-querier in openshift-monitoring namespace
+- **Minikube**: Configured in `values-minikube.yaml` with prometheus-k8s in monitoring namespace
+- **Generic Kubernetes**: Empty by default, configure based on your monitoring setup
</code_context>
<issue_to_address>
**nitpick (typo):** Consider adding "the" before "openshift-monitoring namespace" for grammatical clarity.

The current wording is fine, but updating it to "in the openshift-monitoring namespace" will read more naturally.

```suggestion
- **OpenShift**: Configured in `values-openshift.yaml` with prometheus-k8s and thanos-querier in the openshift-monitoring namespace
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

issue (bug_risk): Avoid listing customresourcedefinitions under the core ("") API group to prevent role creation failures.

In this rule, customresourcedefinitions is incorrectly listed under apiGroups: ["""]; CRDs only exist in apiextensions.k8s.io, which you already cover in the next rule. This mismatch can cause ClusterRole creation to fail. Please remove customresourcedefinitions from this rule and rely on the apiextensions.k8s.io rule instead.

[sourcery-ai]

suggestion: Both CronJobs share the same createSchedule value, making it impossible to independently configure delete schedule.

Since both the create- and delete-partition CronJobs read from .Values.cronJob.createSchedule, their schedules are unintentionally coupled and retention can’t be tuned separately. Please introduce a dedicated value (e.g., .Values.cronJob.deleteSchedule) for the delete CronJob so its schedule can be configured independently, while keeping a sensible default aligned with the create schedule.

Suggested implementation:

  schedule: {{ default "0 0 25 * *" .Values.cronJob.createSchedule | quote }} # Run on 25th of every month at midnight

  name: {{ .Release.Name }}-delete-partition
  namespace: {{ $namespace }}
spec:
  # Default precedence:
  # 1) .Values.cronJob.deleteSchedule (delete-specific override)
  # 2) .Values.cronJob.createSchedule (align with create schedule by default)
  # 3) "0 0 25 * *" (midnight on the 25th of every month)
  schedule: {{ default (default "0 0 25 * *" .Values.cronJob.createSchedule) .Values.cronJob.deleteSchedule | quote }}

1. In values.yaml (or the appropriate values file), introduce a new value under cronJob:

   cronJob:
     createSchedule: "0 0 25 * *"
     # Optional, defaults to `createSchedule` when unset
     deleteSchedule: ""

   Leaving deleteSchedule empty (or omitting it) ensures it inherits the createSchedule value by default.
2. Update any documentation or Helm chart README to mention cronJob.deleteSchedule as a configurable value for the delete-partition CronJob.

[sourcery-ai]

🚨 suggestion (security): Storing database credentials in plain text values and ConfigMaps is a security risk; consider using Kubernetes Secrets.

These fields are defined directly in values.yaml and rendered into configmap_kruize.yaml (dbconfigjson), so credentials are stored in plaintext and likely end up in source control. Please load them from Kubernetes Secrets (e.g., via envFrom/valueFrom or mounted files) and keep any chart defaults non-sensitive or limited to local/demo use only.

Suggested implementation:

  ## @param db.credentialsSecretName Name of the Kubernetes Secret containing DB user credentials
  ## The Secret is expected to provide:
  ##   - user: database username
  ##   - password: database password
  ## If empty, you must create and specify a Secret name before deploying in non-demo environments.
  credentialsSecretName: ""
  ## @param db.adminCredentialsSecretName Name of the Kubernetes Secret containing DB admin credentials
  ## The Secret is expected to provide:
  ##   - adminUser: admin database username
  ##   - adminPassword: admin database password
  ## If empty, you must create and specify a Secret name before deploying in non-demo environments.
  adminCredentialsSecretName: ""

To fully implement the change and avoid storing credentials in plaintext:

1. In charts/kruize/templates/configmap_kruize.yaml (or wherever dbconfigjson is rendered), stop inlining db.user, db.password, db.adminUser, and db.adminPassword into the ConfigMap. Instead, remove those fields from the JSON or mark them as being loaded from environment variables.
2. In the Deployment/StatefulSet template(s) for the Kruize DB container:
   • Add env entries that use valueFrom.secretKeyRef referencing .Values.db.credentialsSecretName and .Values.db.adminCredentialsSecretName for user, password, adminUser, and adminPassword as needed.
   • Ensure the keys in the Kubernetes Secrets match the names documented in values.yaml (user, password, adminUser, adminPassword).
3. Optionally, for local/demo use, you may provide an example Secret manifest (e.g., examples/kruize-db-secret.yaml) instead of embedding credentials in values.yaml.

[sourcery-ai]

nitpick (typo): Consider rephrasing "plots generation" to "plot generation" for better grammar.

Alternatively, you could use "Enable generation of plots," which is also grammatically correct and clear.

Suggested change

	| `kruize.config.plots` | Enable plots generation | `true` |
	| `kruize.config.plots` | Enable plot generation | `true` |

[sourcery-ai]

nitpick (typo): Consider adding "the" before "openshift-monitoring namespace" for grammatical clarity.

The current wording is fine, but updating it to "in the openshift-monitoring namespace" will read more naturally.

Suggested change

	- **OpenShift**: Configured in `values-openshift.yaml` with prometheus-k8s and thanos-querier in openshift-monitoring namespace
	- **OpenShift**: Configured in `values-openshift.yaml` with prometheus-k8s and thanos-querier in the openshift-monitoring namespace