Testintelligence

.gitignore

@@ -0,0 +1 @@
+values-secret.yaml

charts/roost/templates/NOTES.txt

@@ -1,20 +1,55 @@
 # Welcome to the RoostAI Helm Chart!
 
+## Secret Values (values-secret.yaml)
+
+Sensitive credentials (DB passwords, OAuth secrets, license key, ACM ARN, etc.)
+must NOT be committed to git. Store them in a separate file:
+
+  charts/roost/values-secret.yaml   ← listed in .gitignore
+
+Deploy with both files:
+  helm upgrade --install roost charts/roost \
+    -f charts/roost/values.yaml \
+    -f charts/roost/values-secret.yaml \
+    -n roost --create-namespace
+
 ## Accessing RoostAI
 
-{{- if or (eq .Values.cloudConfig.clusterType "gke") (eq .Values.cloudConfig.clusterType "aks") }}
-NOTE: It may take a few minutes for the Ingress Address IP to be available.
+{{- if .Values.gateway.enabled }}
+NOTE: Gateway API mode is enabled. NGINX Gateway Fabric must be installed in the cluster.
+      Install it with (use --skip-crds if Gateway API CRDs >= v1.5 are already present):
+        helm install ngf oci://ghcr.io/nginx/charts/nginx-gateway-fabric \
+          --create-namespace -n nginx-gateway --skip-crds
+
+      It may take a few minutes for the Gateway address to become available.
+      Watch the gateway status:
+        kubectl get --namespace {{ .Release.Namespace }} gateway roost-gateway -w
+
+Get the RoostAI external address:
+export SERVICE_IP=$(kubectl get gateway --namespace {{ .Release.Namespace }} roost-gateway \
+  -o jsonpath="{.status.addresses[0].value}")
+echo "RoostAI URL: http://$SERVICE_IP"
+
+{{- if eq .Values.cloudConfig.clusterType "local" }}
+On Docker Desktop the LoadBalancer is exposed on localhost (127.0.0.1).
+Since '{{ .Values.enterprise.domainURL }}' resolves to 127.0.0.1 automatically,
+you can open your browser at: http://{{ .Values.enterprise.domainURL }}
+{{- end }}
+{{- else if or (eq .Values.cloudConfig.clusterType "gke") (eq .Values.cloudConfig.clusterType "aks") }}
+NOTE: It may take a few minutes for the Ingress address to be available.
         You can watch the status by running: 'kubectl get --namespace {{ .Release.Namespace }} ingress -w roost-{{ .Values.cloudConfig.clusterType }}-ingress'
 Get the roostai loadbalancer external IP by running these commands:
 
-export SERVICE_IP=$(kubectl get ingress --namespace {{ .Release.Namespace }} roost-{{ .Values.cloudConfig.clusterType }}-ingress -o jsonpath="{.status.loadBalancer.ingress[0].ip}")
+export SERVICE_IP=$(kubectl get ingress --namespace {{ .Release.Namespace }} roost-{{ .Values.cloudConfig.clusterType }}-ingress -o jsonpath="{.status.loadBalancer.ingress[0].hostname}")
 {{- else }}
 NOTE: It may take a few minutes for the LoadBalancer IP to be available.
         You can watch the status by running: 'kubectl get --namespace {{ .Release.Namespace }} svc -w roost-nginx-svc'
 Get the roostai loadbalancer external IP by running these commands:
-export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} roost-nginx-svc -o jsonpath="{.status.loadBalancer.ingress[0].ip}")
+export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} roost-nginx-svc -o jsonpath="{.status.loadBalancer.ingress[0].hostname}")
 {{- end }}
+{{- if not .Values.gateway.enabled }}
 echo "RoostAI LoadBalancer URL: http://$SERVICE_IP"
+{{- end }}
 
 ## Mapping the RoostAI LoadBalancer IP to Your Domain
 
@@ -30,4 +65,4 @@ To map this LoadBalancer IP to your domain, follow these steps:
 
 4. Save the DNS record.
 
-5. It may take some time (DNS propagation) for your domain to point to the RoostAI LoadBalancer IP.
+5. It may take some time (DNS propagation) for your domain to point to the RoostAI LoadBalancer IP.

charts/roost/templates/_helpers.tpl

@@ -65,22 +65,28 @@ Create the name of the service account to use
 Storage Class Name
 */}}
 {{- define "cluster.storageClassName" -}}
-{{- if eq .Values.cloudConfig.clusterType "aks" }}
-storageClassName: roost-sc-azurefile-csi-nfs
+{{- if and .Values.storageClass .Values.storageClass }}
+storageClassName: {{ .Values.storageClass }}
+{{- else if eq .Values.cloudConfig.clusterType "aks" }}
+storageClassName: {{ .Values.storageClass }}
 {{- else if eq .Values.cloudConfig.clusterType "gke" }}
 storageClassName: standard-rwx
 {{- else if eq .Values.cloudConfig.clusterType "eks" }}
-storageClassName: roost-sc-efs
-{{- else }}
-# storageClassName: default
+storageClassName: {{ .Values.storageClass }}
+{{- else if eq .Values.cloudConfig.clusterType "local" }}
+storageClassName: {{ .Values.storageClass }}
 {{- end }}
 {{- end }}
 
 {{/*
 Roost Nginx Service Type
+When Gateway API is enabled the nginx service is always ClusterIP — the Gateway's
+LoadBalancer is the external entry point. Legacy mode preserves cloud-specific types.
 */}}
 {{- define "nginxService.type" -}}
-{{- if or (eq .Values.cloudConfig.clusterType "gke") (eq .Values.cloudConfig.clusterType "aks") }}
+{{- if .Values.gateway.enabled }}
+type: ClusterIP
+{{- else if or (eq .Values.cloudConfig.clusterType "gke") (eq .Values.cloudConfig.clusterType "aks") }}
 type: ClusterIP
 {{- else }}
 type: LoadBalancer

charts/roost/templates/roost-ai-code-analyzer.yaml

@@ -0,0 +1,179 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: roost-ai-code-analyzer-config
+  namespace: {{ .Release.Namespace }}
+data:
+  DATABASE_URL: 'postgresql://{{ .Values.aiCodeAnalyzer.db.user }}:{{ .Values.aiCodeAnalyzer.db.password }}@ai-code-analyzer-db-svc.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:5432/{{ .Values.aiCodeAnalyzer.db.database }}'
+  POSTGRES_DB: '{{ .Values.aiCodeAnalyzer.db.database }}'
+  POSTGRES_USER: '{{ .Values.aiCodeAnalyzer.db.user }}'
+  POSTGRES_PASSWORD: '{{ .Values.aiCodeAnalyzer.db.password }}'
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ai-code-analyzer-svc
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    app: ai-code-analyzer
+  ports:
+    - protocol: TCP
+      port: 5060
+      targetPort: 5060
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ai-code-analyzer-db-svc
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    app: ai-code-analyzer-db
+  ports:
+    - protocol: TCP
+      port: 5432
+      targetPort: 5432
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: ai-code-analyzer-pvc-{{ .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: {{ .Values.aiCodeAnalyzer.storage.size }}
+{{- include "cluster.storageClassName" . | indent 2 }}
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: ai-code-analyzer-db-pvc-{{ .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: {{ .Values.aiCodeAnalyzer.db.storage.size }}
+{{- include "cluster.storageClassName" . | indent 2 }}
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ai-code-analyzer-db
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: ai-code-analyzer-db
+  template:
+    metadata:
+      labels:
+        app: ai-code-analyzer-db
+    spec:
+      containers:
+        - name: ai-code-analyzer-db
+          image: postgres:18-alpine
+          envFrom:
+            - configMapRef:
+                name: roost-ai-code-analyzer-config
+          env:
+            - name: PGDATA
+              value: /var/lib/postgresql/data
+          ports:
+            - containerPort: 5432
+          volumeMounts:
+            - mountPath: /var/lib/postgresql/data
+              name: ai-code-analyzer-db-storage
+          livenessProbe:
+            exec:
+              command:
+                - pg_isready
+                - -U
+                - {{ .Values.aiCodeAnalyzer.db.user }}
+            initialDelaySeconds: 30
+            periodSeconds: 10
+          readinessProbe:
+            exec:
+              command:
+                - pg_isready
+                - -U
+                - {{ .Values.aiCodeAnalyzer.db.user }}
+            initialDelaySeconds: 10
+            periodSeconds: 5
+          imagePullPolicy: Always
+      volumes:
+        - name: ai-code-analyzer-db-storage
+          persistentVolumeClaim:
+            claimName: ai-code-analyzer-db-pvc-{{ .Release.Namespace }}
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ai-code-analyzer
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: {{ .Values.aiCodeAnalyzer.replicas }}
+  selector:
+    matchLabels:
+      app: ai-code-analyzer
+  template:
+    metadata:
+      labels:
+        app: ai-code-analyzer
+      annotations:
+        checksum/config: {{ toYaml (pick .Values "aiCodeAnalyzer") | sha256sum }}
+    spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 10001
+        runAsGroup: 10001
+        fsGroup: 10001
+      initContainers:
+        - name: wait-for-db
+          image: postgres:18-alpine
+          command:
+            - sh
+            - -c
+            - |
+              until pg_isready -h ai-code-analyzer-db-svc -p 5432 -U {{ .Values.aiCodeAnalyzer.db.user }};
+              do
+                echo "Waiting for postgres..."
+                sleep 2
+              done
+      containers:
+        - name: ai-code-analyzer
+          image: zbio/ai-io:{{ .Values.aiCodeAnalyzer.imageTag }}
+          envFrom:
+            - configMapRef:
+                name: roost-ai-code-analyzer-config
+          ports:
+            - containerPort: 5060
+          volumeMounts:
+            - mountPath: /app/chroma_db
+              subPath: chroma_db
+              name: ai-code-analyzer-storage
+            - mountPath: /app/jobs
+              subPath: jobs
+              name: ai-code-analyzer-storage
+            - mountPath: /app/test_artifacts
+              subPath: test_artifacts
+              name: ai-code-analyzer-storage
+          imagePullPolicy: Always
+      volumes:
+        - name: ai-code-analyzer-storage
+          persistentVolumeClaim:
+            claimName: ai-code-analyzer-pvc-{{ .Release.Namespace }}
+
+---

charts/roost/templates/roost-ai-server.yaml

@@ -12,13 +12,13 @@ data:
   ROOST_VER: '{{ .Values.roostConfig.roostVersion }}'
   DEPLOYED_IN_K8S: 'true'
   ROOST_AI_NS: '{{ .Release.Namespace }}'
-  AI_SERVER_PVC: 'roost-ai-server-pvc'
+  AI_SERVER_PVC: roost-ai-server-pvc-{{ .Release.Namespace }}
 
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: roost-ai-server-pvc
+  name: roost-ai-server-pvc-{{ .Release.Namespace }}
   namespace: {{ .Release.Namespace }}
 spec:
   accessModes:
@@ -46,14 +46,26 @@ spec:
         app: roost-ai-server
         svc_group: roost-backend-svc
     spec:
+      securityContext: 
+        runAsNonRoot: true
+        runAsUser: 10001
+        runAsGroup: 10001
+        fsGroup: 10001
       containers:
         - name: roost-ai-server
           image: zbio/roostai-server:{{ .Values.roostConfig.roostVersion }}
+          # resources:
+          #   requests:
+          #     cpu: "100m"
+          #     memory: "256Mi"
+          #   limits:
+          #     cpu: "500m"
+          #     memory: "512Mi"
           envFrom:
             - configMapRef:
                 name: roost-ai-server-config
           volumeMounts:
-            - mountPath: /var/tmp/Roost/RoostGPT
+            - mountPath: /var/tmp/Roost
               name: roost-ai-server-data
           ports:
             - name: ai-server-port
@@ -62,7 +74,7 @@ spec:
       volumes:
         - name: roost-ai-server-data
           persistentVolumeClaim:
-            claimName: roost-ai-server-pvc
+            claimName: roost-ai-server-pvc-{{ .Release.Namespace }}
 
 ---
 {{- end }}