tryretool · JatinNanda · Jun 8, 2026
diff --git a/charts/retool/ci/test-rr-git-server-separate-option.yaml b/charts/retool/ci/test-rr-git-server-separate-option.yaml
@@ -0,0 +1,30 @@
+rrGitServer:
+  enabled: true
+  repackThreshold: 200
+  separate:
+    enabled: true
+    replicaCount: 2
+    port: 3010
+    resources:
+      requests:
+        cpu: 250m
+        memory: 512Mi
+    annotations:
+      test-annotation: "true"
+    labels:
+      test-label: "true"
+
+blobStorage:
+  s3:
+    bucket: test-rr-bucket
+    region: us-east-1
+    accessKeyId: AKIATEST
+    secretAccessKeySecretName: rr-blob-storage
+    secretAccessKeySecretKey: secret-access-key
+
+# Exercise the MCP auto-wiring to the standalone git server service.
+mcp:
+  enabled: true
+  config:
+    oauthMainDomain: https://oauth.example.com
+    oauthIntrospectionAuthToken: test-oauth-introspection-token
diff --git a/charts/retool/templates/_helpers.tpl b/charts/retool/templates/_helpers.tpl
@@ -681,6 +681,112 @@ Set MCP server service name
 {{ template "retool.fullname" . }}-mcp
 {{- end -}}
 
+{{/*
+Set git server deployment/service name (only used when rrGitServer.separate is enabled)
+*/}}
+{{- define "retool.rrGitServer.name" -}}
+{{ template "retool.fullname" . }}-git-server
+{{- end -}}
+
+{{/*
+Returns "1" when the git server should run as its own deployment/service
+(rrGitServer.enabled AND rrGitServer.separate.enabled), empty otherwise.
+*/}}
+{{- define "retool.rrGitServer.separateEnabled" -}}
+{{- if and .Values.rrGitServer.enabled (.Values.rrGitServer.separate | default dict).enabled -}}
+1
+{{- end -}}
+{{- end -}}
+
+{{/*
+Port the standalone git server listens on (RR_GIT_SERVER_PORT) and exposes via its service.
+*/}}
+{{- define "retool.rrGitServer.port" -}}
+{{- (.Values.rrGitServer.separate | default dict).port | default 3010 -}}
+{{- end -}}
+
+{{/*
+In-cluster URL of the standalone git server service, e.g. http://<release>-git-server:3010.
+Used to point the MCP server (and any other consumer) at the split-out git server.
+*/}}
+{{- define "retool.rrGitServer.url" -}}
+http://{{ template "retool.rrGitServer.name" . }}:{{ include "retool.rrGitServer.port" . }}
+{{- end -}}
+
+{{/*
+Blob-storage + git repack env vars shared by the in-process git server (main
+backend) and the standalone git server deployment. git_server stores all
+objects/packs in blob storage; the same RR_DEFAULT_* vars are also used by
+snapshots. Emits nothing when no blobStorage provider is configured (in which
+case the user is expected to plumb RR_BLOB_STORAGE_PROVIDER / RR_DEFAULT_*
+directly via environmentVariables / environmentSecrets).
+*/}}
+{{- define "retool.rrGitServer.commonEnv" -}}
+{{- $bs := .Values.blobStorage | default dict }}
+{{- if $bs.s3 }}
+- name: RR_BLOB_STORAGE_PROVIDER
+  value: "s3"
+- name: RR_DEFAULT_S3_BUCKET
+  value: {{ $bs.s3.bucket | quote }}
+{{- if $bs.s3.region }}
+- name: RR_DEFAULT_S3_REGION
+  value: {{ $bs.s3.region | quote }}
+{{- end }}
+{{- if $bs.s3.endpoint }}
+- name: RR_DEFAULT_S3_ENDPOINT
+  value: {{ $bs.s3.endpoint | quote }}
+{{- end }}
+{{- if $bs.s3.accessKeyId }}
+- name: RR_DEFAULT_S3_ACCESS_KEY_ID
+  value: {{ $bs.s3.accessKeyId | quote }}
+{{- end }}
+{{- if $bs.s3.secretAccessKeySecretName }}
+- name: RR_DEFAULT_S3_SECRET_ACCESS_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ $bs.s3.secretAccessKeySecretName }}
+      key: {{ $bs.s3.secretAccessKeySecretKey | default "secret-access-key" }}
+{{- else if $bs.s3.secretAccessKey }}
+- name: RR_DEFAULT_S3_SECRET_ACCESS_KEY
+  value: {{ $bs.s3.secretAccessKey | quote }}
+{{- end }}
+{{- else if $bs.gcs }}
+- name: RR_BLOB_STORAGE_PROVIDER
+  value: "gcs"
+- name: RR_DEFAULT_GCS_BUCKET
+  value: {{ $bs.gcs.bucket | quote }}
+{{- if $bs.gcs.credentialsSecretName }}
+- name: RR_DEFAULT_GCS_CREDENTIALS
+  valueFrom:
+    secretKeyRef:
+      name: {{ $bs.gcs.credentialsSecretName }}
+      key: {{ $bs.gcs.credentialsSecretKey | default "credentials.json" }}
+{{- else if $bs.gcs.credentials }}
+- name: RR_DEFAULT_GCS_CREDENTIALS
+  value: {{ $bs.gcs.credentials | quote }}
+{{- end }}
+{{- else if $bs.azure }}
+- name: RR_BLOB_STORAGE_PROVIDER
+  value: "azure"
+- name: RR_DEFAULT_AZURE_CONTAINER
+  value: {{ $bs.azure.container | quote }}
+{{- if $bs.azure.connectionStringSecretName }}
+- name: RR_DEFAULT_AZURE_CONNECTION_STRING
+  valueFrom:
+    secretKeyRef:
+      name: {{ $bs.azure.connectionStringSecretName }}
+      key: {{ $bs.azure.connectionStringSecretKey | default "connection-string" }}
+{{- else if $bs.azure.connectionString }}
+- name: RR_DEFAULT_AZURE_CONNECTION_STRING
+  value: {{ $bs.azure.connectionString | quote }}
+{{- end }}
+{{- end }}
+{{- if .Values.rrGitServer.repackThreshold }}
+- name: RR_GIT_REPACK_THRESHOLD
+  value: {{ .Values.rrGitServer.repackThreshold | quote }}
+{{- end }}
+{{- end -}}
+
 {{/*
 Validate that exactly one blob-storage provider is configured when rrGitServer
 is enabled. Skipped when the user has plumbed the RR_BLOB_STORAGE_PROVIDER /

diff --git a/charts/retool/templates/deployment_backend.yaml b/charts/retool/templates/deployment_backend.yaml
@@ -101,7 +101,11 @@ spec:
           {{- if not ( include "retool.jobRunner.enabled" . ) }}
             {{- $serviceType = append $serviceType "JOBS_RUNNER" }}
           {{- end }}
-          {{- if .Values.rrGitServer.enabled }}
+          {{- /*
+            Run the git server in-process on the main backend unless it has been
+            split out into its own deployment (rrGitServer.separate.enabled).
+          */}}
+          {{- if and .Values.rrGitServer.enabled (not (include "retool.rrGitServer.separateEnabled" .)) }}
             {{- $serviceType = append $serviceType "RR_GIT_SERVER" }}
           {{- end }}
           - name: SERVICE_TYPE
@@ -257,68 +261,18 @@ spec:
           {{- end }}
           {{- end }}
           {{- if .Values.rrGitServer.enabled }}
-          {{- $bs := .Values.blobStorage }}
-          {{- if $bs.s3 }}
-          - name: RR_BLOB_STORAGE_PROVIDER
-            value: "s3"
-          - name: RR_DEFAULT_S3_BUCKET
-            value: {{ $bs.s3.bucket | quote }}
-          {{- if $bs.s3.region }}
-          - name: RR_DEFAULT_S3_REGION
-            value: {{ $bs.s3.region | quote }}
-          {{- end }}
-          {{- if $bs.s3.endpoint }}
-          - name: RR_DEFAULT_S3_ENDPOINT
-            value: {{ $bs.s3.endpoint | quote }}
-          {{- end }}
-          {{- if $bs.s3.accessKeyId }}
-          - name: RR_DEFAULT_S3_ACCESS_KEY_ID
-            value: {{ $bs.s3.accessKeyId | quote }}
-          {{- end }}
-          {{- if $bs.s3.secretAccessKeySecretName }}
-          - name: RR_DEFAULT_S3_SECRET_ACCESS_KEY
-            valueFrom:
-              secretKeyRef:
-                name: {{ $bs.s3.secretAccessKeySecretName }}
-                key: {{ $bs.s3.secretAccessKeySecretKey | default "secret-access-key" }}
-          {{- else if $bs.s3.secretAccessKey }}
-          - name: RR_DEFAULT_S3_SECRET_ACCESS_KEY
-            value: {{ $bs.s3.secretAccessKey | quote }}
-          {{- end }}
-          {{- else if $bs.gcs }}
-          - name: RR_BLOB_STORAGE_PROVIDER
-            value: "gcs"
-          - name: RR_DEFAULT_GCS_BUCKET
-            value: {{ $bs.gcs.bucket | quote }}
-          {{- if $bs.gcs.credentialsSecretName }}
-          - name: RR_DEFAULT_GCS_CREDENTIALS
-            valueFrom:
-              secretKeyRef:
-                name: {{ $bs.gcs.credentialsSecretName }}
-                key: {{ $bs.gcs.credentialsSecretKey | default "credentials.json" }}
-          {{- else if $bs.gcs.credentials }}
-          - name: RR_DEFAULT_GCS_CREDENTIALS
-            value: {{ $bs.gcs.credentials | quote }}
-          {{- end }}
-          {{- else if $bs.azure }}
-          - name: RR_BLOB_STORAGE_PROVIDER
-            value: "azure"
-          - name: RR_DEFAULT_AZURE_CONTAINER
-            value: {{ $bs.azure.container | quote }}
-          {{- if $bs.azure.connectionStringSecretName }}
-          - name: RR_DEFAULT_AZURE_CONNECTION_STRING
-            valueFrom:
-              secretKeyRef:
-                name: {{ $bs.azure.connectionStringSecretName }}
-                key: {{ $bs.azure.connectionStringSecretKey | default "connection-string" }}
-          {{- else if $bs.azure.connectionString }}
-          - name: RR_DEFAULT_AZURE_CONNECTION_STRING
-            value: {{ $bs.azure.connectionString | quote }}
-          {{- end }}
-          {{- end }}
-          {{- if .Values.rrGitServer.repackThreshold }}
-          - name: RR_GIT_REPACK_THRESHOLD
-            value: {{ .Values.rrGitServer.repackThreshold | quote }}
+          {{- if include "retool.rrGitServer.separateEnabled" . }}
+          {{- /*
+            git server runs in its own deployment; point the main backend's
+            proxy (/api/ai/rr/git/v2/*) at the git-server service instead of
+            localhost.
+          */}}
+          - name: RR_GIT_SERVER_HOST
+            value: {{ template "retool.rrGitServer.name" . }}
+          - name: RR_GIT_SERVER_PORT
+            value: {{ include "retool.rrGitServer.port" . | quote }}
+          {{- else }}
+          {{- include "retool.rrGitServer.commonEnv" . | nindent 10 }}
           {{- end }}
           {{- end }}
           {{- include "retool.env" .Values.env | nindent 10 }}