[feat][r2] optionally split rrGitServer into its own deployment

[JatinNanda]

Summary

Adds rrGitServer.separate.enabled to optionally run the git server as a dedicated deployment + service instead of in-process on the main backend, mirroring how the workload is split in Retool Cloud. The split-out git server is reached over normal Kubernetes service discovery.

Stacks on top of the in-process git server work (#296), so this PR targets r2-cleanup.

When rrGitServer.separate.enabled: true

• A dedicated <release>-git-server Deployment runs SERVICE_TYPE=RR_GIT_SERVER on RR_GIT_SERVER_PORT, with the Postgres connection, bootstrap secrets (license/JWT/encryption/pg password), blob-storage env, and telemetry. A matching Service (+ PDB) is rendered.
• The main backend drops RR_GIT_SERVER from its SERVICE_TYPE and proxies git traffic to the service via RR_GIT_SERVER_HOST / RR_GIT_SERVER_PORT.
• The MCP server (if enabled) is auto-pointed at the service via RETOOL_GIT_SERVER_URL, unless mcp.config.retoolGitServerUrl is set explicitly.

In-process mode (rrGitServer.enabled without separate) is unchanged.

Implementation notes

• Extracted the blob-storage + repack env block into a shared helper retool.rrGitServer.commonEnv so the in-process backend and the standalone deployment stay in sync.
• New helpers: retool.rrGitServer.{name,separateEnabled,port,url}.
• Both values.yaml files kept byte-identical (sync check).

⚠️ Needs confirmation

The backend→remote git server contract uses RR_GIT_SERVER_HOST (bare service DNS) + RR_GIT_SERVER_PORT, extending the documented in-process RR_GIT_SERVER_PORT. If the backend expects a different var (e.g. a full URL), it's a one-line change in deployment_backend.yaml. Default rrGitServer.separate.port is 3010.

Testing

• helm lint passes.
• Rendered + verified: separate mode (correct Service, backend pointer, git-server env, MCP URL, RR_GIT_SERVER absent from backend), in-process mode (unchanged), and default-off mode. All parse as valid YAML.
• Added ci/test-rr-git-server-separate-option.yaml exercising the split + S3 blob storage + MCP auto-wiring.

🤖 Generated with Claude Code

[greptile-apps]

Greptile Summary

This PR adds rrGitServer.separate.enabled to optionally run the Retool git server as a dedicated Kubernetes Deployment + Service instead of in-process on the main backend, mirroring Retool Cloud's topology. The blob-storage env block is extracted into a shared retool.rrGitServer.commonEnv helper so both modes stay in sync, and the MCP server is auto-wired to the standalone git server URL unless overridden.

• New deployment_git_server.yaml: Renders a Service + Deployment with SERVICE_TYPE=RR_GIT_SERVER, Postgres credentials, blob-storage env, and all global env/secret overrides; the main backend drops RR_GIT_SERVER from its SERVICE_TYPE and instead sets RR_GIT_SERVER_HOST/RR_GIT_SERVER_PORT proxy vars.
• Helper additions in _helpers.tpl: Four new named templates (retool.rrGitServer.{name,separateEnabled,port,url}) and the extracted retool.rrGitServer.commonEnv block keep both code paths DRY.
• MCP auto-wiring in deployment_mcp.yaml: When separate mode is on and no explicit mcp.config.retoolGitServerUrl is set, RETOOL_GIT_SERVER_URL is automatically pointed at the in-cluster git server service URL.

Confidence Score: 4/5

The core routing logic is sound — SERVICE_TYPE exclusion, RR_GIT_SERVER_HOST/PORT proxy vars, and MCP auto-wiring are all correct. The standalone git server deployment is missing a PodDisruptionBudget (claimed in the PR description) and telemetry env vars, both of which affect production observability and availability rather than basic functionality.

The helper extraction and mode-switching logic in the backend and MCP deployments are clean and well-guarded. The main gap is in the new deployment_git_server.yaml: it omits retool.telemetry.includeEnvVars (which every other service deployment includes, and which the PR description explicitly promises) and has no PodDisruptionBudget despite all peer deployments having one and the PR description stating one is rendered. Neither omission prevents the feature from working in a basic sense, but both reduce production readiness for a deployment that supports multiple replicas.

charts/retool/templates/deployment_git_server.yaml — missing PDB, missing telemetry env vars, and shared annotations applied to both Service and Pod without differentiation.

Important Files Changed

Filename	Overview
charts/retool/templates/deployment_git_server.yaml	New file rendering the standalone git server Service + Deployment; missing PDB (claimed by PR description), missing telemetry env vars, and shared annotations applied to both Service and Pod template without differentiation.
charts/retool/templates/_helpers.tpl	Adds retool.rrGitServer.{name,separateEnabled,port,url} helpers and extracts the blob-storage/repack env block into retool.rrGitServer.commonEnv; logic is correct and the separateEnabled guard properly requires both flags.
charts/retool/templates/deployment_backend.yaml	Correctly removes RR_GIT_SERVER from SERVICE_TYPE in separate mode and switches from commonEnv to RR_GIT_SERVER_HOST/PORT proxy vars; blob-storage vars are no longer duplicated onto the backend when git server is split out.
charts/retool/templates/deployment_mcp.yaml	MCP auto-wiring to the standalone git server URL is clean; explicit mcp.config.retoolGitServerUrl correctly takes precedence over the auto-computed URL.
charts/retool/values.yaml	Adds rrGitServer.separate stanza with sensible defaults (disabled, port 3010, 1 replica, empty affinity/resources/annotations/labels); mirrored identically to values.yaml at repo root.
charts/retool/ci/test-rr-git-server-separate-option.yaml	CI test values exercising separate mode with S3 blob storage and MCP auto-wiring; covers the main happy path.

Sequence Diagram

sequenceDiagram
    participant Client
    participant Backend as Main Backend
    participant GitSvc as git-server Service (ClusterIP)
    participant GitDep as git-server Deployment
    participant MCP as MCP Server
    participant PG as PostgreSQL
    participant Blob as Blob Storage

    Note over Backend,GitDep: rrGitServer.separate.enabled = true

    Client->>Backend: "/api/ai/rr/git/v2/* request"
    Backend->>GitSvc: proxy via RR_GIT_SERVER_HOST:RR_GIT_SERVER_PORT
    GitSvc->>GitDep: route to git-server pod
    GitDep->>PG: read/write git metadata
    GitDep->>Blob: read/write git objects
    GitDep-->>Backend: git response
    Backend-->>Client: response

    MCP->>GitSvc: RETOOL_GIT_SERVER_URL (auto-wired)
    GitSvc->>GitDep: route to git-server pod

Loading

_{Reviews (1): Last reviewed commit: "[feat][r2] optionally split rrGitServer ..." | Re-trigger Greptile}

[greptile-apps]

Missing telemetry env vars on git server pod

Every other Retool service deployment (backend, jobs, workflows, workers, code-executor, js-executor) calls {{- include "retool.telemetry.includeEnvVars" . | nindent 10 }} to inject RTEL_ENABLED, RTEL_SERVICE_NAME, STATSD_HOST/PORT, and the K8S_* field refs that feed the telemetry sidecar. The standalone git server deployment omits this call entirely. The PR description explicitly lists "telemetry" as one of the env var groups the git server receives, but it is absent from the rendered pod spec. Additionally, the pod template does not set the telemetry.retool.com/service-name label required by RTEL_SERVICE_NAME, so if telemetry were added without that label the service-name fieldRef would resolve to an empty string.

[greptile-apps]

No PodDisruptionBudget rendered for git server

Every other multi-replica Retool service (backend, dbconnector, code-executor, js-executor, workflows, workers) renders a PodDisruptionBudget alongside its Deployment. The PR description states "A matching Service (+ PDB) is rendered" but the template ends after the Deployment — there is no PDB block. If this deployment is set to replicaCount: 2 (as the CI test does), a rolling node drain can take down all git-server pods simultaneously with no protection.

[greptile-apps]

Same annotations key applied to both the Service and the Pod template

$gitServerValues.annotations (i.e., rrGitServer.separate.annotations) is rendered into metadata.annotations on the Service (lines 16-21) and into the pod template metadata.annotations inside the Deployment (lines 53-55). Annotations for these two resources have different semantics: Service annotations are typically used for cloud load-balancer configuration or external-DNS, while pod annotations are used for things like Prometheus scraping or Vault injection. A user who sets a pod annotation (e.g., prometheus.io/scrape: "true") would also have it land on the Service, and vice versa. Consider splitting this into rrGitServer.separate.podAnnotations and rrGitServer.separate.serviceAnnotations, or at minimum document the dual application.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!