feat: added truvami-stream Helm chart #54

Merged
michaelbeutler merged 8 commits into main from feat/truvami-stream
Feb 10, 2026

Conversation

michaelbeutler (Contributor) commented Feb 10, 2026

This pull request introduces a new Helm chart for the truvami-stream application, providing all the necessary resources and configuration to deploy the application on Kubernetes. The chart includes templates for deployment, service, ingress, autoscaling, network policy, and monitoring, along with supporting files for configuration and documentation.

The most important changes are:

Helm Chart Structure and Metadata

  • Added Chart.yaml and .helmignore to define chart metadata, versioning, and packaging exclusions.
  • Added a comprehensive README.md documenting all configurable values for the chart.

Core Kubernetes Resources

  • Introduced templates for essential Kubernetes resources:
    • deployment.yaml for application deployment with support for secrets, probes, and resource management.
    • service.yaml for exposing the application via a ClusterIP service.
    • configmap.yaml for application configuration.
    • _helpers.tpl for reusable template helpers and label generation.

Ingress, Routing, and Networking

  • Added support for HTTPRoute (Gateway API) and standard Ingress for flexible routing and exposure.
  • Included a NetworkPolicy template to optionally restrict network access to the application pods.

Observability and Testing

  • Added templates for ServiceMonitor (Prometheus monitoring integration) and a Helm test Pod to validate connectivity.

Scalability and Operations

  • Provided HorizontalPodAutoscaler (HPA) template for optional CPU/memory-based autoscaling.
  • Included support for custom ServiceAccounts and deployment notes for user guidance.

Summary by CodeRabbit

  • New Features
    • Added a Helm chart to deploy Truvami Stream with configurable ingress/HTTPRoute, service, deployment, autoscaling, service account, config map, naming/label helpers, metrics, and network policy support
  • Documentation
    • Chart README and release NOTES added with configuration reference and access instructions
  • Tests
    • Included a Helm test to validate service connectivity
  • Observability
    • Optional ServiceMonitor and metrics endpoint configurable via values.yaml

github-actions bot (Contributor) commented Feb 10, 2026

📊 Chart Diagram

Visual representation of Kubernetes resources in changed charts:

[Diagram: truvami-stream (New/Updated)]

💡 Diagrams generated with KubeDiagrams

@michaelbeutler michaelbeutler changed the title Added truvami-stream Helm chart feat: added truvami-stream Helm chart Feb 10, 2026
@michaelbeutler michaelbeutler requested a review from a team February 10, 2026 09:09
@michaelbeutler michaelbeutler marked this pull request as ready for review February 10, 2026 09:25
coderabbitai bot commented Feb 10, 2026

📝 Walkthrough

Adds a complete Helm chart for truvami-stream: chart metadata, .helmignore, README, values, template helpers, deployment/service/configmap, ingress/HTTPRoute, HPA, NetworkPolicy, ServiceAccount, ServiceMonitor, NOTES, tests, and packaging rules. No application code changes.

Changes

Chart Metadata & Ignore
  Files: charts/truvami-stream/.helmignore, charts/truvami-stream/Chart.yaml, charts/truvami-stream/README.md, charts/truvami-stream/values.yaml
  Summary: Add chart descriptor, packaging ignore, documentation, and comprehensive default values for server, metrics, auth, DB, valkey, logging, probes, autoscaling, security, volumes, and observability.

Template Helpers
  Files: charts/truvami-stream/templates/_helpers.tpl
  Summary: Add name, fullname, chart, labels, selectorLabels, and serviceAccountName helper templates used across manifests.

Core Workload Templates
  Files: charts/truvami-stream/templates/deployment.yaml, charts/truvami-stream/templates/service.yaml, charts/truvami-stream/templates/configmap.yaml
  Summary: Add Deployment with env/secret logic, probes, optional metrics/volumes, Service exposing HTTP (and metrics), and ConfigMap rendering .Values.stream as YAML.

Ingress & Gateway
  Files: charts/truvami-stream/templates/ingress.yaml, charts/truvami-stream/templates/httproute.yaml
  Summary: Add conditional Ingress and Gateway API HTTPRoute templates supporting hosts, TLS, parentRefs, matches, and filters.

Networking & Security
  Files: charts/truvami-stream/templates/networkpolicy.yaml, charts/truvami-stream/templates/serviceaccount.yaml
  Summary: Add NetworkPolicy (ingress/egress rules) and optional ServiceAccount creation with annotations/automount.

Scaling & Observability
  Files: charts/truvami-stream/templates/hpa.yaml, charts/truvami-stream/templates/servicemonitor.yaml
  Summary: Add HPA (when autoscaling enabled) and ServiceMonitor (when enabled and metrics on).

Tests & Notes
  Files: charts/truvami-stream/templates/tests/test-connection.yaml, charts/truvami-stream/templates/NOTES.txt
  Summary: Add Helm test pod to verify HTTP connectivity and NOTES.txt providing post-install access instructions for HTTPRoute/Ingress/port-forward.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Dev as Developer (helm)
    participant Helm as Helm
    participant K8s as Kubernetes API
    participant App as truvami-stream Pod
    participant Prom as Prometheus

    Dev->>Helm: helm install ./charts/truvami-stream
    Helm->>K8s: apply manifests (ServiceAccount, ConfigMap, Deployment, Service, Ingress/HTTPRoute, HPA, NetworkPolicy, ServiceMonitor)
    K8s->>App: schedule Pod(s) from Deployment
    App->>K8s: expose ports via Service (HTTP, metrics)
    Prom->>K8s: scrape metrics endpoint via ServiceMonitor

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

A chart arranged, templates in line,
Values set for scale and time,
Deployments spawn and monitors gleam,
Docs and tests to prove the stream,
Helm ties the pieces into a dream.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
Title check: ✅ Passed. The title accurately describes the main change: adding a new Helm chart for the truvami-stream application, which is the primary focus of this pull request.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai bot left a comment

Actionable comments posted: 13

🤖 Fix all issues with AI agents
In `@charts/truvami-stream/templates/configmap.yaml`:
- Around line 1-7: Replace the hardcoded ConfigMap name "config-stream" with the
chart fullname template so each release gets a unique resource; specifically
update the ConfigMap metadata.name to use the helper include
"truvami-stream.fullname" (e.g. metadata.name: {{ include
"truvami-stream.fullname" . }}) and also change the duplicate name entry in
values.yaml (the value currently set to "config-stream") to use the same
templated fullname reference so both templates reference the chart helper rather
than a fixed string.

In `@charts/truvami-stream/templates/deployment.yaml`:
- Around line 70-71: The current deployment is rendering .Values.securityContext
raw which provides no secure defaults; update the Pod/Container securityContext
block (where .Values.securityContext is rendered in deployment.yaml) to merge
sane defaults before applying overrides: set allowPrivilegeEscalation: false,
readOnlyRootFilesystem: true, runAsNonRoot: true with a non-root runAsUser
(e.g., 1000), drop all capabilities and explicitly list any added back, and set
seccompProfile: { type: RuntimeDefault } (and set fsGroup/runAsGroup as
appropriate); ensure these defaults are applied only if not provided by
.Values.securityContext so users can override via values.yaml.
- Around line 33-34: Ensure the pod securityContext uses secure defaults instead
of blindly trusting .Values.podSecurityContext: merge a default dict (e.g.,
runAsNonRoot: true and fsGroup: <sane default like 1000>) with the user-provided
.Values.podSecurityContext before rendering, then render the merged object in
the securityContext block (so update the template to compute a merged value and
pass that to toYaml). Target the securityContext section and the
.Values.podSecurityContext symbol and make sure runAsNonRoot and fsGroup are
present in the merged result.

In `@charts/truvami-stream/templates/httproute.yaml`:
- Around line 23-37: The rules list generation is outputting separate top-level
blocks for .matches, .filters, and backendRefs instead of a single list item per
rule; fix the template that iterates .Values.httpRoute.rules so each iteration
emits one list item (start the "- " for the rule once) and nest matches (if
present), filters (if present) and backendRefs inside that same item; ensure the
conditional branches reference .matches and .filters within the same rule
context and that backendRefs (with name: $fullName and port: $svcPort and
weight: 1) is indented inside the same list item so filters are not emitted as a
sibling when .matches is missing.
- Around line 15-18: The parentRefs block is double-indenting because you use
{{- with .Values.httpRoute.parentRefs }} plus toYaml . | nindent 4 which adds 4
spaces on top of the existing indentation; fix it by adjusting the indentation
call so rendered YAML has the correct level: change the toYaml pipeline to use
nindent 2 (e.g. toYaml . | nindent 2) or remove the extra surrounding
indentation block so that the combination of the literal "parentRefs:" line and
the toYaml call produces 4-space indentation; update the template referencing
parentRefs, .Values.httpRoute.parentRefs, toYaml and nindent accordingly.

In `@charts/truvami-stream/templates/ingress.yaml`:
- Around line 39-40: Ingress template is referencing a non-existent value
$.Values.service.port; update the port block in the ingress.yaml template so
port.number uses the existing value .Values.stream.server.port (replace
$.Values.service.port with .Values.stream.server.port) so it matches
service.yaml and networkpolicy.yaml and routes to the actual server port.

In `@charts/truvami-stream/templates/NOTES.txt`:
- Line 6: The template reads .Values.httpRoute.parentRefs via (first
.Values.httpRoute.parentRefs) without checking for empty parentRefs, so
APP_HOSTNAME assignment will fail when parentRefs is omitted; fix by adding a
guard around the kubectl extraction to only run when
.Values.httpRoute.parentRefs is non-empty (or fall back to .Release.Namespace) —
update the NOTES.txt line that sets APP_HOSTNAME to conditionally compute the
namespace/name using a Helm if/with/hasKey check on .Values.httpRoute.parentRefs
(or use default handling) so APP_HOSTNAME is only constructed when parentRefs
exists and otherwise uses a safe fallback.

In `@charts/truvami-stream/templates/servicemonitor.yaml`:
- Line 5: Replace the hardcoded resource name "truvami-stream" in the
ServiceMonitor template with the chart fullname helper to support release/name
scoping; specifically, update the name field in templates/servicemonitor.yaml to
use the Helm include invocation {{ include "truvami-stream.fullname" . }}
(matching the other templates) so that resources are unique per release and
honor custom names.

In `@charts/truvami-stream/templates/tests/test-connection.yaml`:
- Around line 1-15: The Pod test uses an unpinned BusyBox image and a wget arg
without a URL scheme; update the container spec for the container named "wget"
to pin the image (e.g., change image from "busybox" to a stable tag like
"busybox:1.36") and prepend "http://" to the wget argument (so the args value
becomes "http://{{ include \"truvami-stream.fullname\" . }}:{{
.Values.stream.server.port }}") to ensure consistent wget behavior across
versions.

In `@charts/truvami-stream/values.yaml`:
- Around line 179-184: The default autoscaling.maxReplicas value is set to 100
which is unreasonably high; change autoscaling.maxReplicas from 100 to a more
conservative default like 10 in the values under the autoscaling block
(referencing autoscaling, maxReplicas, minReplicas,
targetCPUUtilizationPercentage) so the Helm chart ships a sensible limit while
leaving users free to increase it if needed.
- Around line 83-87: The values.yaml sets image.pullPolicy to Always which
forces Kubernetes to pull images on every pod start; change image.pullPolicy to
IfNotPresent (and ensure image.tag is pinned to a specific version rather than
empty) so that tagged images are reused from node cache and pods aren't blocked
by registry hiccups; update the image.pullPolicy field and confirm image.tag is
set to a fixed tag for the chart's image.repository (ghcr.io/truvami/stream).
- Around line 10-12: Update the CORS origin entries in values.yaml to use HTTPS
instead of HTTP for the listed production/test domains—replace
"http://stream.truvami.com" and "http://stream.test.truvami.com" (and
"http://localhost:3000" if you run local dev over HTTPS) with
"https://stream.truvami.com", "https://stream.test.truvami.com" (and
"https://localhost:3000" only if local dev uses HTTPS); ensure the config key
that holds these values (the CORS origins array in values.yaml) only contains
secure schemes or environment-driven overrides so production browsers don’t
encounter mixed-content blocks.
- Around line 186-192: Replace the hardcoded ConfigMap name to a release-scoped
name: update the ConfigMap template (templates/configmap.yaml) metadata.name to
use the truvami-stream.fullname helper with a -config suffix (i.e. include
"truvami-stream.fullname" . + "-config"), and update the volumes entry in
values.yaml (the volumes -> configMap -> name field) to the same include
"truvami-stream.fullname" . + "-config" expression so the Deployment references
the release-specific ConfigMap and avoids collisions across releases.
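The securityContext and ConfigMap-naming points raised in the comment above, worked into a configmap.yaml and deployment.yaml as an added example; this is not code from the PR or from the truvami-stream chart. The helper names (truvami-stream.fullname, labels, selectorLabels, serviceAccountName) and value keys (.Values.podSecurityContext, .Values.securityContext, .Values.image.*, .Values.stream, .Values.stream.server.port, .Values.replicaCount, .Values.autoscaling.enabled) are the ones the review names; the default dict contents, the "-config" suffix, the mount path and the /tmp emptyDir are this example's assumptions. Sprig's mergeOverwrite gives the right-hand (user-supplied) map precedence, so a key set in values.yaml overrides the default while every key the user did not set keeps the hardened value.

```yaml
# --- templates/configmap.yaml (added example, not the chart's file) ---
# Release-scoped name: two releases in one namespace no longer collide on a
# fixed "config-stream" name.
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "truvami-stream.fullname" . }}-config
  labels:
    {{- include "truvami-stream.labels" . | nindent 4 }}
data:
  stream.yaml: |
    {{- toYaml .Values.stream | nindent 4 }}
---
# --- templates/deployment.yaml (added example, not the chart's file) ---
# Hardened defaults are built first; mergeOverwrite lets .Values.* override
# individual keys while every key the user did not set keeps the secure value.
# (uid/gid 1000 and the seccomp profile are assumed defaults.)
{{- $podDefaults := dict "runAsNonRoot" true "runAsUser" 1000 "runAsGroup" 1000 "fsGroup" 1000 }}
{{- $_ := set $podDefaults "seccompProfile" (dict "type" "RuntimeDefault") }}
{{- $ctrDefaults := dict "allowPrivilegeEscalation" false "readOnlyRootFilesystem" true "runAsNonRoot" true "runAsUser" 1000 }}
{{- $_ := set $ctrDefaults "capabilities" (dict "drop" (list "ALL")) }}
{{- $_ := set $ctrDefaults "seccompProfile" (dict "type" "RuntimeDefault") }}
{{- $podSC := mergeOverwrite $podDefaults (.Values.podSecurityContext | default dict) }}
{{- $ctrSC := mergeOverwrite $ctrDefaults (.Values.securityContext | default dict) }}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "truvami-stream.fullname" . }}
  labels:
    {{- include "truvami-stream.labels" . | nindent 4 }}
spec:
  {{- if not .Values.autoscaling.enabled }}
  replicas: {{ .Values.replicaCount }}
  {{- end }}
  selector:
    matchLabels:
      {{- include "truvami-stream.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "truvami-stream.selectorLabels" . | nindent 8 }}
    spec:
      serviceAccountName: {{ include "truvami-stream.serviceAccountName" . }}
      securityContext:
        {{- toYaml $podSC | nindent 8 }}
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          securityContext:
            {{- toYaml $ctrSC | nindent 12 }}
          ports:
            - name: http
              containerPort: {{ .Values.stream.server.port }}
              protocol: TCP
          volumeMounts:
            - name: config
              mountPath: /etc/truvami-stream   # assumed mount path
              readOnly: true
            - name: tmp                        # readOnlyRootFilesystem needs a writable scratch dir
              mountPath: /tmp
      volumes:
        - name: config
          configMap:
            name: {{ include "truvami-stream.fullname" . }}-config
        - name: tmp
          emptyDir: {}
```

Rendering with `helm template` and reading back the securityContext blocks is the quickest check that an override in values.yaml (say `securityContext.runAsUser: 2000`) replaces only that key and leaves `capabilities.drop: [ALL]` and `readOnlyRootFilesystem: true` in place. With a read-only root filesystem, anything the process writes (temp files, caches) needs an emptyDir like the /tmp mount above, otherwise the pod fails at runtime rather than at render time.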

coderabbitai bot left a comment

Actionable comments posted: 8

🤖 Fix all issues with AI agents
In `@charts/truvami-stream/README.md`:
- Around line 1-97: The autogenerated README has empty Description fields
because values.yaml lacks `@description` annotations; update values.yaml to add
`@description` comments for the top-level keys and important nested keys (e.g.,
database.host, database.secretName, image.repository, image.tag,
stream.server.port, stream.logging.level, stream.otel.endpoint,
stream.datasources.events.max_items, stream.valkey.stream_prefix,
fullnameOverride, replicaCount, resources.* and any other keys shown in README)
describing purpose, valid values and defaults, then re-run helm-docs to
regenerate the README so the Description column is populated.

In `@charts/truvami-stream/templates/configmap.yaml`:
- Around line 1-7: The ConfigMap template is writing .Values.stream (which may
contain secrets) into plaintext; change the manifest so sensitive data is stored
in a Secret instead or split out sensitive keys into a new Secret: replace the
ConfigMap usage that references {{ .Values.stream }} (template name
truvami-stream.fullname and key stream.yaml) with either a Secret manifest that
base64-encodes only the sensitive fields from .Values.stream or keep the
non-sensitive parts in the ConfigMap and move credentials into a new Secret
(e.g., create templates/stream-secret.yaml using .Values.stream.credentials or
similar), and update any consumers to read from the Secret rather than the
ConfigMap.

In `@charts/truvami-stream/templates/httproute.yaml`:
- Around line 23-37: The template always emits a bare "rules:" header and then
ranges over .Values.httpRoute.rules; add a fail-fast check to prevent an empty
list by validating .Values.httpRoute.rules before rendering — e.g., use Helm's
required (required "httpRoute.rules must contain at least one rule when
httpRoute is enabled" .Values.httpRoute.rules) or wrap the whole rules block in
an if that checks the list length (if and/or not (empty
.Values.httpRoute.rules)) so the chart errors out with a clear message instead
of producing an invalid httpRoute when the rules list is empty; update the block
that references "rules:" and the range over .Values.httpRoute.rules accordingly.

In `@charts/truvami-stream/templates/servicemonitor.yaml`:
- Around line 1-18: The ServiceMonitor currently renders whenever
.Values.serviceMonitor.enabled is true but still defines an endpoints port
"metrics" even if stream.metrics is disabled; update the template to only emit
the endpoints (or the entire ServiceMonitor) when both
.Values.serviceMonitor.enabled and .Values.stream.metrics.enabled are true by
adding a conditional that checks .Values.stream.metrics.enabled (reference
symbols: .Values.serviceMonitor.enabled, .Values.stream.metrics.enabled, the
ServiceMonitor resource and its endpoints block that defines port: metrics, and
the include "truvami-stream.selectorLabels" / "truvami-stream.fullname" usages)
so Prometheus scraping is only configured when the metrics port exists.

In `@charts/truvami-stream/values.yaml`:
- Around line 154-158: The HTTPRoute rules block currently uses an example path
value of "/headers" (see the rules -> matches -> path -> type: PathPrefix and
value: /headers), which is misleading for this chart; change the path value to a
sensible default such as "/" (or another service-appropriate prefix) so users
copying the values.yaml get a meaningful starting route; update the value under
the rules.matches.path.value field and keep PathPrefix as needed.
- Around line 93-102: The values.yaml currently sets serviceAccount.create:
false but serviceAccount.automount: true which is confusing and exposes API
credentials unnecessarily; change the default to serviceAccount.automount: false
(or conditionally set automount to false when serviceAccount.create is false) so
that the chart does not auto-mount API tokens for the default service account;
update the serviceAccount block comments to reflect the new secure default and
ensure references to serviceAccount.name remain unchanged.
- Around line 160-168: The CPU limit equals the CPU request under the resources
block which prevents any burst capacity, so update the resources section
(resources -> limits -> cpu and resources -> requests -> cpu) to either remove
the cpu limit entirely or set limits.cpu to a higher value than requests.cpu
(e.g., increase limits.cpu to provide headroom while keeping requests.cpu at
100m) to avoid Kubernetes throttling; leave memory limits/requests unchanged if
desired.
- Around line 170-177: The livenessProbe and readinessProbe are missing timing
settings which can cause premature restarts; update the livenessProbe and
readinessProbe blocks to include sensible probe timing fields (e.g.,
initialDelaySeconds, timeoutSeconds, periodSeconds, failureThreshold and
successThreshold) so the service has breathing room during startup—apply these
settings to the existing livenessProbe and readinessProbe entries (the httpGet
path /healthz and /readyz on port metrics) with values appropriate for your app
startup (for example initialDelaySeconds around 15, timeoutSeconds ~5,
periodSeconds ~10, failureThreshold 3) to prevent Kubernetes from killing the
pod before it finishes initializing.
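The values.yaml findings from the first and second CodeRabbit comments (pull policy and pinned tag, service-account token automount, CORS scheme, HTTPRoute path, CPU headroom, probe timing, maxReplicas) written out as an added example values excerpt; it is not the chart's own values.yaml. Each commented "before:" line is the default the review flagged and the active line is the corrected one. The server port, the pinned tag, the CORS key path and the target CPU percentage are placeholders or assumptions, not values taken from the chart.

```yaml
# Added example values.yaml excerpt (not the chart's own file).
# Commented "before:" lines are the defaults the review flagged; the active
# line is the hardened default. Placeholders are marked as such.
image:
  repository: ghcr.io/truvami/stream
  # pullPolicy: Always          # before: forces a registry pull on every pod start
  pullPolicy: IfNotPresent
  # tag: ""                     # before: floats with whatever the chart appVersion resolves to
  tag: "vX.Y.Z"                 # placeholder: pin to a specific release tag

serviceAccount:
  create: false
  # automount: true             # before: mounts an API token the workload never uses
  automount: false
  name: ""

stream:
  server:
    port: 8080                  # placeholder
    # CORS origin list; the exact key path is assumed, the domains come from the review.
    cors:
      origins:
        # - "http://stream.truvami.com"        # before: plain HTTP, mixed content in browsers
        - "https://stream.truvami.com"
        - "https://stream.test.truvami.com"
        - "http://localhost:3000"              # local dev only; use https if dev runs TLS
  metrics:
    enabled: true               # the probes and ServiceMonitor below depend on this port

httpRoute:
  enabled: false
  parentRefs: []
  rules:
    - matches:
        - path:
            type: PathPrefix
            # value: /headers    # before: leftover example path
            value: /

resources:
  requests:
    cpu: 100m
  limits:
    # cpu: 100m                  # before: limit == request, no burst headroom, CFS throttling under load
    cpu: 500m
  # memory requests/limits left as the chart sets them

livenessProbe:
  httpGet:
    path: /healthz
    port: metrics
  initialDelaySeconds: 15       # time for the process to finish initialising
  periodSeconds: 10
  timeoutSeconds: 5
  failureThreshold: 3
readinessProbe:
  httpGet:
    path: /readyz
    port: metrics
  initialDelaySeconds: 5
  periodSeconds: 10
  timeoutSeconds: 5
  failureThreshold: 3
  successThreshold: 1

autoscaling:
  enabled: false
  minReplicas: 1
  # maxReplicas: 100            # before: far beyond a sensible default ceiling
  maxReplicas: 10
  targetCPUUtilizationPercentage: 80   # assumed
```

One dependency worth keeping in view: both probes target the named `metrics` port, so disabling `stream.metrics` also removes the probe endpoint unless the probes are moved to the `http` port at the same time.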

coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@charts/truvami-stream/templates/httproute.yaml`:
- Around line 26-38: The current template places the list item hyphen before the
conditional `{{- if .matches }}` which yields an empty `-` when `.matches` is
falsy; fix the template so the leading `-` for the rule is emitted only once and
inside the conditional blocks (or always present once with its block contents
conditionally indented) to avoid producing an empty list item before
`backendRefs`; update the `httproute.yaml` rendering around the `{{- if .matches
}}`, `{{- if .filters }}`, `matches:`, `filters:`, and `backendRefs:` sections
so the hyphen is not printed alone when `.matches` is absent and the
`backendRefs` (using `$fullName` and `$svcPort`) remain correctly nested.
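The HTTPRoute rendering points from the first and third CodeRabbit comments (one list item per rule, no bare hyphen when `.matches` is absent, parentRefs indentation, fail-fast on an empty rules list) together with the ServiceMonitor guard from the second comment, as an added example; these are not the chart's templates. Helper and value names are the review's; the `hostnames` key and the `/metrics` path are assumed. Helm's `required` rejects only nil and empty strings, so an empty `rules` list is caught here with `empty` plus `fail` instead.

```yaml
# --- templates/httproute.yaml (added example, not the chart's file) ---
{{- if .Values.httpRoute.enabled }}
{{- if empty .Values.httpRoute.rules }}
{{- fail "httpRoute.rules must contain at least one rule when httpRoute is enabled" }}
{{- end }}
{{- $fullName := include "truvami-stream.fullname" . }}
{{- $svcPort := .Values.stream.server.port }}
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: {{ $fullName }}
  labels:
    {{- include "truvami-stream.labels" . | nindent 4 }}
spec:
  {{- with .Values.httpRoute.parentRefs }}
  parentRefs:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  {{- with .Values.httpRoute.hostnames }}   # key name assumed
  hostnames:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  rules:
    {{- range .Values.httpRoute.rules }}
    # backendRefs is always present, so the "- " is emitted exactly once per
    # rule and matches/filters nest inside the same item when they exist.
    - backendRefs:
        - name: {{ $fullName }}
          port: {{ $svcPort }}
          weight: 1
      {{- with .matches }}
      matches:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .filters }}
      filters:
        {{- toYaml . | nindent 8 }}
      {{- end }}
    {{- end }}
{{- end }}
---
# --- templates/servicemonitor.yaml (added example, not the chart's file) ---
# Render only when both the monitor is enabled and the metrics port exists.
{{- if and .Values.serviceMonitor.enabled .Values.stream.metrics.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: {{ include "truvami-stream.fullname" . }}
  labels:
    {{- include "truvami-stream.labels" . | nindent 4 }}
spec:
  selector:
    matchLabels:
      {{- include "truvami-stream.selectorLabels" . | nindent 6 }}
  endpoints:
    - port: metrics
      path: /metrics            # assumed scrape path
{{- end }}
```

Running `helm template` with `httpRoute.enabled=true` and `httpRoute.rules=[]` now stops with the fail message instead of emitting a `rules:` key with no items, and rendering a rule that carries only `backendRefs` produces a single well-formed list entry.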

@michaelbeutler michaelbeutler merged commit 005af09 into main Feb 10, 2026
12 checks passed
@michaelbeutler michaelbeutler deleted the feat/truvami-stream branch February 10, 2026 10:55