feat: added truvami-stream Helm chart #54
Walkthrough: Adds a complete Helm chart for truvami-stream: chart metadata, .helmignore, README, values, template helpers, deployment/service/configmap, ingress/HTTPRoute, HPA, NetworkPolicy, ServiceAccount, ServiceMonitor, NOTES, tests, and packaging rules. No application code changes.
Sequence diagram:

```mermaid
sequenceDiagram
    autonumber
    participant Dev as Developer (helm)
    participant Helm as Helm
    participant K8s as Kubernetes API
    participant App as truvami-stream Pod
    participant Prom as Prometheus
    Dev->>Helm: helm install ./charts/truvami-stream
    Helm->>K8s: apply manifests (ServiceAccount, ConfigMap, Deployment, Service, Ingress/HTTPRoute, HPA, NetworkPolicy, ServiceMonitor)
    K8s->>App: schedule Pod(s) from Deployment
    App->>K8s: expose ports via Service (HTTP, metrics)
    Prom->>K8s: scrape metrics endpoint via ServiceMonitor
```
Estimated code review effort: 3 (Moderate), ~25 minutes.
Pre-merge checks: 3 passed.
Actionable comments posted: 13
In `@charts/truvami-stream/templates/configmap.yaml`:
- Around line 1-7: Replace the hardcoded ConfigMap name "config-stream" with the
chart fullname template so each release gets a unique resource; specifically
update the ConfigMap metadata.name to use the helper include
"truvami-stream.fullname" (e.g. metadata.name: {{ include
"truvami-stream.fullname" . }}) and also change the duplicate name entry in
values.yaml (the value currently set to "config-stream") to use the same
templated fullname reference so both templates reference the chart helper rather
than a fixed string.
In `@charts/truvami-stream/templates/deployment.yaml`:
- Around line 70-71: The current deployment is rendering .Values.securityContext
raw which provides no secure defaults; update the Pod/Container securityContext
block (where .Values.securityContext is rendered in deployment.yaml) to merge
sane defaults before applying overrides: set allowPrivilegeEscalation: false,
readOnlyRootFilesystem: true, runAsNonRoot: true with a non-root runAsUser
(e.g., 1000), drop all capabilities and explicitly list any added back, and set
seccompProfile: { type: RuntimeDefault } (and set fsGroup/runAsGroup as
appropriate); ensure these defaults are applied only if not provided by
.Values.securityContext so users can override via values.yaml.
- Around line 33-34: Ensure the pod securityContext uses secure defaults instead
of blindly trusting .Values.podSecurityContext: merge a default dict (e.g.,
runAsNonRoot: true and fsGroup: <sane default like 1000>) with the user-provided
.Values.podSecurityContext before rendering, then render the merged object in
the securityContext block (so update the template to compute a merged value and
pass that to toYaml). Target the securityContext section and the
.Values.podSecurityContext symbol and make sure runAsNonRoot and fsGroup are
present in the merged result.
In `@charts/truvami-stream/templates/httproute.yaml`:
- Around line 23-37: The rules list generation is outputting separate top-level
blocks for .matches, .filters, and backendRefs instead of a single list item per
rule; fix the template that iterates .Values.httpRoute.rules so each iteration
emits one list item (start the "- " for the rule once) and nest matches (if
present), filters (if present) and backendRefs inside that same item; ensure the
conditional branches reference .matches and .filters within the same rule
context and that backendRefs (with name: $fullName and port: $svcPort and
weight: 1) is indented inside the same list item so filters are not emitted as a
sibling when .matches is missing.
- Around line 15-18: The parentRefs block is double-indenting because you use
{{- with .Values.httpRoute.parentRefs }} plus toYaml . | nindent 4 which adds 4
spaces on top of the existing indentation; fix it by adjusting the indentation
call so rendered YAML has the correct level: change the toYaml pipeline to use
nindent 2 (e.g. toYaml . | nindent 2) or remove the extra surrounding
indentation block so that the combination of the literal "parentRefs:" line and
the toYaml call produces 4-space indentation; update the template referencing
parentRefs, .Values.httpRoute.parentRefs, toYaml and nindent accordingly.
In `@charts/truvami-stream/templates/ingress.yaml`:
- Around line 39-40: Ingress template is referencing a non-existent value
$.Values.service.port; update the port block in the ingress.yaml template so
port.number uses the existing value .Values.stream.server.port (replace
$.Values.service.port with .Values.stream.server.port) so it matches
service.yaml and networkpolicy.yaml and routes to the actual server port.
In `@charts/truvami-stream/templates/NOTES.txt`:
- Line 6: The template reads .Values.httpRoute.parentRefs via (first
.Values.httpRoute.parentRefs) without checking for empty parentRefs, so
APP_HOSTNAME assignment will fail when parentRefs is omitted; fix by adding a
guard around the kubectl extraction to only run when
.Values.httpRoute.parentRefs is non-empty (or fall back to .Release.Namespace) —
update the NOTES.txt line that sets APP_HOSTNAME to conditionally compute the
namespace/name using a Helm if/with/hasKey check on .Values.httpRoute.parentRefs
(or use default handling) so APP_HOSTNAME is only constructed when parentRefs
exists and otherwise uses a safe fallback.
In `@charts/truvami-stream/templates/servicemonitor.yaml`:
- Line 5: Replace the hardcoded resource name "truvami-stream" in the
ServiceMonitor template with the chart fullname helper to support release/name
scoping; specifically, update the name field in templates/servicemonitor.yaml to
use the Helm include invocation {{ include "truvami-stream.fullname" . }}
(matching the other templates) so that resources are unique per release and
honor custom names.
In `@charts/truvami-stream/templates/tests/test-connection.yaml`:
- Around line 1-15: The Pod test uses an unpinned BusyBox image and a wget arg
without a URL scheme; update the container spec for the container named "wget"
to pin the image (e.g., change image from "busybox" to a stable tag like
"busybox:1.36") and prepend "http://" to the wget argument (so the args value
becomes `http://{{ include "truvami-stream.fullname" . }}:{{ .Values.stream.server.port }}`)
to ensure consistent wget behavior across versions.
In `@charts/truvami-stream/values.yaml`:
- Around line 179-184: The default autoscaling.maxReplicas value is set to 100
which is unreasonably high; change autoscaling.maxReplicas from 100 to a more
conservative default like 10 in the values under the autoscaling block
(referencing autoscaling, maxReplicas, minReplicas,
targetCPUUtilizationPercentage) so the Helm chart ships a sensible limit while
leaving users free to increase it if needed.
- Around line 83-87: The values.yaml sets image.pullPolicy to Always which
forces Kubernetes to pull images on every pod start; change image.pullPolicy to
IfNotPresent (and ensure image.tag is pinned to a specific version rather than
empty) so that tagged images are reused from node cache and pods aren't blocked
by registry hiccups; update the image.pullPolicy field and confirm image.tag is
set to a fixed tag for the chart's image.repository (ghcr.io/truvami/stream).
- Around line 10-12: Update the CORS origin entries in values.yaml to use HTTPS
instead of HTTP for the listed production/test domains—replace
"http://stream.truvami.com" and "http://stream.test.truvami.com" (and
"http://localhost:3000" if you run local dev over HTTPS) with
"https://stream.truvami.com", "https://stream.test.truvami.com" (and
"https://localhost:3000" only if local dev uses HTTPS); ensure the config key
that holds these values (the CORS origins array in values.yaml) only contains
secure schemes or environment-driven overrides so production browsers don’t
encounter mixed-content blocks.
- Around line 186-192: Replace the hardcoded ConfigMap name to a release-scoped
name: update the ConfigMap template (templates/configmap.yaml) metadata.name to
use the truvami-stream.fullname helper with a -config suffix (i.e. include
"truvami-stream.fullname" . + "-config"), and update the volumes entry in
values.yaml (the volumes -> configMap -> name field) to the same include
"truvami-stream.fullname" . + "-config" expression so the Deployment references
the release-specific ConfigMap and avoids collisions across releases.
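The two securityContext comments above ask for secure pod and container defaults that values.yaml can still override. The deployment.yaml excerpt below is an added example written for this review, not a file from the truvami-stream chart; it assumes the chart's `.Values.podSecurityContext` and `.Values.securityContext` keys and the usual `helm create` layout. Each default is set only when the user left the key out, so an explicit `readOnlyRootFilesystem: false` in values.yaml survives.

```yaml
# templates/deployment.yaml (excerpt, added example; not the chart's own file).
# Defaults are applied only for keys the user did not set. hasKey is used instead
# of sprig's merge/mergeOverwrite because those skip "empty" source values and
# would silently turn a user's explicit `false` back into the chart default.
{{- $podDefaults := dict "runAsNonRoot" true "runAsUser" 1000 "runAsGroup" 1000 "fsGroup" 1000 "seccompProfile" (dict "type" "RuntimeDefault") }}
{{- $ctrDefaults := dict "allowPrivilegeEscalation" false "readOnlyRootFilesystem" true "runAsNonRoot" true "runAsUser" 1000 "capabilities" (dict "drop" (list "ALL")) "seccompProfile" (dict "type" "RuntimeDefault") }}
{{/* deepCopy so that `set` below does not mutate .Values for other templates. */}}
{{- $podSC := deepCopy (.Values.podSecurityContext | default dict) }}
{{- $ctrSC := deepCopy (.Values.securityContext | default dict) }}
{{- range $k, $v := $podDefaults }}{{- if not (hasKey $podSC $k) }}{{- $_ := set $podSC $k $v }}{{- end }}{{- end }}
{{- range $k, $v := $ctrDefaults }}{{- if not (hasKey $ctrSC $k) }}{{- $_ := set $ctrSC $k $v }}{{- end }}{{- end }}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "truvami-stream.fullname" . }}
spec:
  selector:
    matchLabels:
      {{- include "truvami-stream.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "truvami-stream.selectorLabels" . | nindent 8 }}
    spec:
      # Pod level: non-root, seccomp, and a group for volume ownership.
      securityContext:
        {{- toYaml $podSC | nindent 8 }}
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          # Container level: no privilege escalation, read-only root, all caps dropped.
          securityContext:
            {{- toYaml $ctrSC | nindent 12 }}
          ports:
            - name: http
              containerPort: {{ .Values.stream.server.port }}
```

Sprig's `merge` and `mergeOverwrite` look like the obvious tool here, but they do not copy zero-valued source fields (`false`, `0`, empty string), so a user's deliberate `false` would be replaced by the chart default; the `hasKey` loop avoids that. `readOnlyRootFilesystem: true` also means anything the process writes at runtime (for example under /tmp) needs an emptyDir mounted there, which the chart's existing `volumes`/`volumeMounts` values can carry. Rendering with `helm template . --set securityContext.runAsUser=65534` and checking that only that key changed is a quick confirmation that overrides still work.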
Actionable comments posted: 8
In `@charts/truvami-stream/README.md`:
- Around line 1-97: The autogenerated README has empty Description fields
because values.yaml lacks `@description` annotations; update values.yaml to add
`@description` comments for the top-level keys and important nested keys (e.g.,
database.host, database.secretName, image.repository, image.tag,
stream.server.port, stream.logging.level, stream.otel.endpoint,
stream.datasources.events.max_items, stream.valkey.stream_prefix,
fullnameOverride, replicaCount, resources.* and any other keys shown in README)
describing purpose, valid values and defaults, then re-run helm-docs to
regenerate the README so the Description column is populated.
In `@charts/truvami-stream/templates/configmap.yaml`:
- Around line 1-7: The ConfigMap template is writing .Values.stream (which may
contain secrets) into plaintext; change the manifest so sensitive data is stored
in a Secret instead or split out sensitive keys into a new Secret: replace the
ConfigMap usage that references {{ .Values.stream }} (template name
truvami-stream.fullname and key stream.yaml) with either a Secret manifest that
base64-encodes only the sensitive fields from .Values.stream or keep the
non-sensitive parts in the ConfigMap and move credentials into a new Secret
(e.g., create templates/stream-secret.yaml using .Values.stream.credentials or
similar), and update any consumers to read from the Secret rather than the
ConfigMap.
In `@charts/truvami-stream/templates/httproute.yaml`:
- Around line 23-37: The template always emits a bare "rules:" header and then
ranges over .Values.httpRoute.rules; add a fail-fast check to prevent an empty
list by validating .Values.httpRoute.rules before rendering — e.g., use Helm's
required (required "httpRoute.rules must contain at least one rule when
httpRoute is enabled" .Values.httpRoute.rules) or wrap the whole rules block in
an if that checks the list length (if and/or not (empty
.Values.httpRoute.rules)) so the chart errors out with a clear message instead
of producing an invalid httpRoute when the rules list is empty; update the block
that references "rules:" and the range over .Values.httpRoute.rules accordingly.
In `@charts/truvami-stream/templates/servicemonitor.yaml`:
- Around line 1-18: The ServiceMonitor currently renders whenever
.Values.serviceMonitor.enabled is true but still defines an endpoints port
"metrics" even if stream.metrics is disabled; update the template to only emit
the endpoints (or the entire ServiceMonitor) when both
.Values.serviceMonitor.enabled and .Values.stream.metrics.enabled are true by
adding a conditional that checks .Values.stream.metrics.enabled (reference
symbols: .Values.serviceMonitor.enabled, .Values.stream.metrics.enabled, the
ServiceMonitor resource and its endpoints block that defines port: metrics, and
the include "truvami-stream.selectorLabels" / "truvami-stream.fullname" usages)
so Prometheus scraping is only configured when the metrics port exists.
In `@charts/truvami-stream/values.yaml`:
- Around line 154-158: The HTTPRoute rules block currently uses an example path
value of "/headers" (see the rules -> matches -> path -> type: PathPrefix and
value: /headers), which is misleading for this chart; change the path value to a
sensible default such as "/" (or another service-appropriate prefix) so users
copying the values.yaml get a meaningful starting route; update the value under
the rules.matches.path.value field and keep PathPrefix as needed.
- Around line 93-102: The values.yaml currently sets serviceAccount.create:
false but serviceAccount.automount: true which is confusing and exposes API
credentials unnecessarily; change the default to serviceAccount.automount: false
(or conditionally set automount to false when serviceAccount.create is false) so
that the chart does not auto-mount API tokens for the default service account;
update the serviceAccount block comments to reflect the new secure default and
ensure references to serviceAccount.name remain unchanged.
- Around line 160-168: The CPU limit equals the CPU request under the resources
block which prevents any burst capacity, so update the resources section
(resources -> limits -> cpu and resources -> requests -> cpu) to either remove
the cpu limit entirely or set limits.cpu to a higher value than requests.cpu
(e.g., increase limits.cpu to provide headroom while keeping requests.cpu at
100m) to avoid Kubernetes throttling; leave memory limits/requests unchanged if
desired.
- Around line 170-177: The livenessProbe and readinessProbe are missing timing
settings which can cause premature restarts; update the livenessProbe and
readinessProbe blocks to include sensible probe timing fields (e.g.,
initialDelaySeconds, timeoutSeconds, periodSeconds, failureThreshold and
successThreshold) so the service has breathing room during startup—apply these
settings to the existing livenessProbe and readinessProbe entries (the httpGet
path /healthz and /readyz on port metrics) with values appropriate for your app
startup (for example initialDelaySeconds around 15, timeoutSeconds ~5,
periodSeconds ~10, failureThreshold 3) to prevent Kubernetes from killing the
pod before it finishes initializing.
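For the configmap.yaml comment above (sensitive data rendered in plaintext), here is an added example of splitting `.Values.stream` so that credentials land in a Secret and everything else stays in the ConfigMap. It is not the chart's own template; the credential keys `stream.database.password` and `stream.valkey.password` are assumed names used for illustration, and the chart's real sensitive keys may be named differently.

```yaml
# templates/configmap.yaml (added example; not the chart's file).
# Everything under .Values.stream except the assumed credential keys is
# rendered into stream.yaml. deepCopy keeps .Values itself untouched.
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "truvami-stream.fullname" . }}-config
data:
  stream.yaml: |
    {{- $cfg := deepCopy .Values.stream }}
    {{- if kindIs "map" $cfg.database }}{{- $_ := unset $cfg.database "password" }}{{- end }}
    {{- if kindIs "map" $cfg.valkey }}{{- $_ := unset $cfg.valkey "password" }}{{- end }}
    {{- toYaml $cfg | nindent 4 }}
---
# templates/stream-secret.yaml (added example; not the chart's file).
# Only the credential keys, kept in a Secret so RBAC, etcd encryption at rest
# and audit logging treat them as secrets rather than ordinary config.
# `dig` returns the fallback ("") when any path element is missing, so a
# values file without credentials renders an empty stringData block.
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "truvami-stream.fullname" . }}-credentials
type: Opaque
stringData:
  {{- with dig "database" "password" "" .Values.stream }}
  DATABASE_PASSWORD: {{ . | quote }}
  {{- end }}
  {{- with dig "valkey" "password" "" .Values.stream }}
  VALKEY_PASSWORD: {{ . | quote }}
  {{- end }}
```

The consumer side still has to change: the Deployment needs an `envFrom`/`secretRef` (or a volume) pointing at the `-credentials` Secret, and the application has to read the password from that environment variable or file instead of from stream.yaml. After the split, grepping `helm template .` output for the password value is the simplest check that nothing sensitive is left under the ConfigMap.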
Actionable comments posted: 1
In `@charts/truvami-stream/templates/httproute.yaml`:
- Around line 26-38: The current template places the list item hyphen before the
conditional `{{- if .matches }}` which yields an empty `-` when `.matches` is
falsy; fix the template so the leading `-` for the rule is emitted only once and
inside the conditional blocks (or always present once with its block contents
conditionally indented) to avoid producing an empty list item before
`backendRefs`; update the `httproute.yaml` rendering around the `{{- if .matches
}}`, `{{- if .filters }}`, `matches:`, `filters:`, and `backendRefs:` sections
so the hyphen is not printed alone when `.matches` is absent and the
`backendRefs` (using `$fullName` and `$svcPort`) remain correctly nested.

This pull request introduces a new Helm chart for the truvami-stream application, providing all the necessary resources and configuration to deploy the application on Kubernetes. The chart includes templates for deployment, service, ingress, autoscaling, network policy, and monitoring, along with supporting files for configuration and documentation. The most important changes are:

Helm Chart Structure and Metadata
- Chart.yaml and .helmignore to define chart metadata, versioning, and packaging exclusions.
- README.md documenting all configurable values for the chart.

Core Kubernetes Resources
- deployment.yaml for application deployment with support for secrets, probes, and resource management.
- service.yaml for exposing the application via a ClusterIP service.
- configmap.yaml for application configuration.
- _helpers.tpl for reusable template helpers and label generation.

Ingress, Routing, and Networking
Observability and Testing
Scalability and Operations