feat(helm): add global.ingress defaults shared across charts

.pre-commit-config.yaml

@@ -5,6 +5,8 @@ repos:
       - id: helm-docs
         args:
           - --sort-values-order=file
+          - --chart-search-root=charts
+        exclude: ^\.claude/
 
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v6.0.0

charts/platform/CHANGELOG.md

@@ -5,12 +5,32 @@ All notable changes to this chart will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.33.0] - 2026-04-30
+
+### Added
+
+- **Enhancement**: allow global configuration of Ingress options. A new `global.ingress` block (`enabled`, `path`, `defaultPathType`, `ingressClassName`, `annotations`, `extraLabels`, `tls`) lets cluster-wide Ingress defaults be set once at the parent and propagate to every subchart, removing the need to repeat controller-wide config per subchart. `enabled` is OR-merged; scalar fields fall back to global when local is unset; `annotations` and `extraLabels` are merged with local winning on key collision; `tls` is concatenated (useful for a single wildcard certificate across all services).
+- Add `seqera.ingress.host` template helper in each chart's `_helpers.tpl` returning that chart's primary domain. Lets users write `external-dns.alpha.kubernetes.io/hostname: '{{ include "seqera.ingress.host" . }}'` once in `global.ingress.annotations` and have it resolve to the correct host per chart at render time, without hard-coding hostnames.
+- Add `docs/conventions/ingress.md` documenting the Ingress conventions used across charts.
+
+### Changed
+
+- Update bitnami/common to 2.39.0
+- **BREAKING**: Default `ingress.defaultPathType` is now `Prefix` (was `ImplementationSpecific`). With the previous default and the chart's default `path: "/"`, routing behavior depended on the ingress controller — NGINX treated it as a prefix match, AWS ALB required `/*` for the same effect, GKE applied its own interpretation. The result was the same chart and values producing different routing across clusters. `Prefix` is part of the Kubernetes Ingress spec and produces consistent prefix-match semantics across NGINX, Traefik, AWS ALB, and most modern controllers, giving users a predictable out-of-the-box experience. Users whose controller still requires `ImplementationSpecific` (e.g. older GKE) can set `global.ingress.defaultPathType: ImplementationSpecific` once at the parent.
+- Update `examples/ingress-configurations/*` to drop now-redundant `defaultPathType: Prefix` overrides and showcase `global.ingress.ingressClassName` in `nginx-cert-manager.yaml`.
+
 ## [0.32.7] - 2026-04-30
 
 ### Changed
 
 - Bump `seqera-common` to 2.1.2, `wave` to 0.1.2, `agent-backend` to 0.4.11, `mcp` to 0.3.6, `pipeline-optimization` to 2.0.5, `portal-web` to 0.2.8, `studios` to 1.2.15 (Redis init container log message now reports `auth set` or `auth not set`)
 
+## [0.32.5] - 2026-04-30
+
+### Changed
+
+- Bump `seqera-common` dependency to 2.1.1, `wave` subchart to 0.1.1, `agent-backend` to 0.4.9, `mcp` to 0.3.4, `pipeline-optimization` to 2.0.4, `portal-web` to 0.2.6, `studios` to 1.2.13 to pick up the Redis init container fix that no longer logs the password
+
 ## [0.32.6] - 2026-04-30
 
 ### Changed

charts/platform/Chart.lock

@@ -1,27 +1,27 @@
 dependencies:
 - name: common
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 2.38.0
+  version: 2.39.0
 - name: seqera-common
   repository: file://../seqera-common
   version: 2.1.2
 - name: pipeline-optimization
   repository: file://charts/pipeline-optimization
-  version: 2.0.5
+  version: 2.0.6
 - name: studios
   repository: file://charts/studios
-  version: 1.2.15
+  version: 1.3.0
 - name: wave
   repository: file://charts/wave
-  version: 0.1.2
+  version: 0.2.0
 - name: mcp
   repository: file://charts/mcp
-  version: 0.3.6
+  version: 0.4.0
 - name: agent-backend
   repository: file://charts/agent-backend
-  version: 0.4.11
+  version: 0.5.0
 - name: portal-web
   repository: file://charts/portal-web
-  version: 0.2.8
-digest: sha256:27521223337ca1b5d2afbb18b9cd356f53e6693e30ce7e0cc70cf35c5ae3c569
-generated: "2026-04-30T17:17:57.223873+02:00"
+  version: 0.3.0
+digest: sha256:91713efc8b064ff4d302d405bf0f27ead8297706ebfada779ef5d15fd7419a6b
+generated: "2026-05-05T14:25:51.292458674+02:00"

charts/platform/Chart.yaml

@@ -37,7 +37,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.32.7
+version: 0.33.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
@@ -69,25 +69,25 @@ dependencies:
       - studios
     condition: studios.enabled
   - name: wave
-    version: "0.1.x"
+    version: "0.2.x"
     repository: "file://charts/wave"
     tags:
       - wave
     condition: wave.enabled
   - name: mcp
-    version: "0.3.x"
+    version: "0.4.x"
     repository: "file://charts/mcp"
     tags:
       - mcp
     condition: mcp.enabled
   - name: agent-backend
-    version: "0.4.x"
+    version: "0.5.x"
     repository: "file://charts/agent-backend"
     tags:
       - agent-backend
     condition: agent-backend.enabled
   - name: portal-web
-    version: "0.2.x"
+    version: "0.3.x"
     repository: "file://charts/portal-web"
     tags:
       - portal-web

charts/platform/README.md

@@ -2,7 +2,7 @@
 
 A Helm chart to deploy Seqera Platform (also referred to as Tower) on Kubernetes.
 
-![Version: 0.32.7](https://img.shields.io/badge/Version-0.32.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v25.3.4](https://img.shields.io/badge/AppVersion-v25.3.4-informational?style=flat-square)
+![Version: 0.33.0](https://img.shields.io/badge/Version-0.33.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v25.3.4](https://img.shields.io/badge/AppVersion-v25.3.4-informational?style=flat-square)
 
 > [!WARNING]
 > This chart is currently still in development and breaking changes are expected.
@@ -41,7 +41,7 @@ To install the chart with the release name `my-release`:
 
 ```console
 helm install my-release oci://public.cr.seqera.io/charts/platform \
-  --version 0.32.7 \
+  --version 0.33.0 \
   --namespace my-namespace \
   --create-namespace
 ```
@@ -63,12 +63,12 @@ When upgrading between versions, please refer to the [CHANGELOG.md](CHANGELOG.md
 | Repository | Name | Version |
 |------------|------|---------|
 | file://../seqera-common | seqera-common | 2.x.x |
-| file://charts/agent-backend | agent-backend | 0.4.x |
-| file://charts/mcp | mcp | 0.3.x |
+| file://charts/agent-backend | agent-backend | 0.5.x |
+| file://charts/mcp | mcp | 0.4.x |
 | file://charts/pipeline-optimization | pipeline-optimization | 2.x.x |
-| file://charts/portal-web | portal-web | 0.2.x |
+| file://charts/portal-web | portal-web | 0.3.x |
 | file://charts/studios | studios | 1.x.x |
-| file://charts/wave | wave | 0.1.x |
+| file://charts/wave | wave | 0.2.x |
 | oci://registry-1.docker.io/bitnamicharts | common | 2.x.x |
 
 ## Values
@@ -85,6 +85,13 @@ When upgrading between versions, please refer to the [CHANGELOG.md](CHANGELOG.md
 | global.mcpDomain | string | `"{{ printf \"mcp.%s\" .Values.global.platformExternalDomain }}"` | Domain where Seqera MCP listens. Evaluated as a template |
 | global.agentBackendDomain | string | `"{{ printf \"ai-api.%s\" .Values.global.platformExternalDomain }}"` | Domain where the Agent Backend service listens. Evaluated as a template |
 | global.portalWebDomain | string | `"{{ printf \"ai.%s\" .Values.global.platformExternalDomain }}"` | Domain where the Portal Web frontend listens. Evaluated as a template |
+| global.ingress.enabled | bool | `false` | Enable Ingress for the parent chart and every subchart that exposes one. Each chart's local `ingress.enabled` is OR'd with this — set this to `true` to turn on all Ingresses in one switch |
+| global.ingress.path | string | `"/"` | Default path applied to ingress rules when a chart's local `ingress.path` is not set. AWS ALB users should override to `/*`. |
+| global.ingress.defaultPathType | string | `"Prefix"` | Default path type applied to ingress rules when a chart's local `ingress.defaultPathType` is not set. `Prefix` works for nginx, traefik, AWS ALB, and most modern controllers. Override to `ImplementationSpecific` only if your controller requires it (e.g. older GKE). |
+| global.ingress.ingressClassName | string | `""` | Default ingress class name applied to ingress rules when a chart's local `ingress.ingressClassName` is not set. Replaces the deprecated `kubernetes.io/ingress.class` annotation |
+| global.ingress.annotations | object | `{}` | Annotations merged into every chart's Ingress (e.g. cert-manager issuer, NGINX `proxy-body-size`, ALB SSL config). Local `ingress.annotations` wins on key collision. Evaluated as a template |
+| global.ingress.extraLabels | object | `{}` | Extra labels merged into every chart's Ingress. Local `ingress.extraLabels` wins on key collision. Evaluated as a template |
+| global.ingress.tls | list | `[]` | TLS entries concatenated with each chart's local `ingress.tls`. Useful for a single wildcard cert that covers all services. Evaluated as a template |
 | global.imageCredentials | list | `[]` | Optional credentials to log in and fetch images from a private registry. These credentials are shared with all the subcharts automatically |
 | global.imageCredentialsSecrets | list | `[]` | Optional list of existing Secrets containing image pull credentials to use for pulling images from private registries. These Secrets are shared with all the subcharts automatically |
 | global.azure.images.platformBackend.registry | string | `nil` | Image registry for the Platform backend image deployed on Azure. Example: `myregistry.azurecr.io`. Evaluated as a template |
@@ -426,14 +433,14 @@ When upgrading between versions, please refer to the [CHANGELOG.md](CHANGELOG.md
 | serviceAccount.imagePullSecretNames | list | `[]` | Names of Secrets containing credentials to pull images from registries |
 | serviceAccount.automountServiceAccountToken | bool | `false` | Automount service account token when the service account is generated |
 | ingress.enabled | bool | `false` | Enable ingress for Platform |
-| ingress.path | string | `"/"` | Path for the main ingress rule Note: this needs to be set to '/*' to be used with AWS ALB ingress controller |
-| ingress.contentPath | string | `"/"` | Path for the content domain ingress rule Note: this needs to be set to '/*' to be used with AWS ALB ingress controller |
-| ingress.defaultPathType | string | `"ImplementationSpecific"` | Default path type for the Ingress |
+| ingress.path | string | `""` | Path for the main ingress rule. When empty, falls back to `global.ingress.path` |
+| ingress.contentPath | string | `"/"` | Path for the content domain ingress rule |
+| ingress.defaultPathType | string | `""` | Default path type for the Ingress. When empty, falls back to `global.ingress.defaultPathType` |
 | ingress.defaultBackend | object | `{}` | Configure the default service for the ingress (evaluated as template) Important: make sure only one defaultBackend is defined across the k8s cluster: if the ingress doesn't reconcile successfully, 'describe ingress <name>' will report problems |
 | ingress.extraHosts | list | `[]` | Additional hosts you want to include. Evaluated as a template |
 | ingress.annotations | object | `{}` | Ingress annotations specific to your load balancer. Evaluated as a template |
 | ingress.extraLabels | object | `{}` | Additional labels for the ingress object. Evaluated as a template |
-| ingress.ingressClassName | string | `""` | Name of the ingress class (replaces the deprecated annotation `kubernetes.io/ingress.class`) |
+| ingress.ingressClassName | string | `""` | Name of the ingress class (replaces the deprecated annotation `kubernetes.io/ingress.class`). When empty, falls back to `global.ingress.ingressClassName` |
 | ingress.tls | list | `[]` | TLS configuration. Evaluated as a template |
 | extraDeploy | list | `[]` | Array of extra objects to deploy with the release |
 | commonAnnotations | object | `{}` | Annotations to add to all deployed objects |

charts/platform/charts/agent-backend/CHANGELOG.md

@@ -5,6 +5,17 @@ All notable changes to this chart will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.5.0] - 2026-05-05
+
+- **Enhancement**: allow global configuration of Ingress options. A new `global.ingress` block (`enabled`, `path`, `defaultPathType`, `ingressClassName`, `annotations`, `extraLabels`, `tls`) lets cluster-wide Ingress defaults be set once at the parent and propagate to every subchart, removing the need to repeat controller-wide config per subchart. `enabled` is OR-merged; scalar fields fall back to global when local is unset; `annotations` and `extraLabels` are merged with local winning on key collision; `tls` is concatenated (useful for a single wildcard certificate across all services).
+- Add `seqera.ingress.host` template helper in each chart's `_helpers.tpl` returning that chart's primary domain. Lets users write `external-dns.alpha.kubernetes.io/hostname: '{{ include "seqera.ingress.host" . }}'` once in `global.ingress.annotations` and have it resolve to the correct host per chart at render time, without hard-coding hostnames.
+- Add `docs/conventions/ingress.md` documenting the Ingress conventions used across charts.
+
+### Changed
+
+- Update bitnami/common to 2.39.0
+- **BREAKING**: Default `ingress.defaultPathType` is now `Prefix` (was `ImplementationSpecific`). With the previous default and the chart's default `path: "/"`, routing behavior depended on the ingress controller — NGINX treated it as a prefix match, AWS ALB required `/*` for the same effect, GKE applied its own interpretation. The result was the same chart and values producing different routing across clusters. `Prefix` is part of the Kubernetes Ingress spec and produces consistent prefix-match semantics across NGINX, Traefik, AWS ALB, and most modern controllers, giving users a predictable out-of-the-box experience. Users whose controller still requires `ImplementationSpecific` (e.g. older GKE) can set `global.ingress.defaultPathType: ImplementationSpecific` once at the parent.
+
 ## [0.4.11] - 2026-04-30
 
 ### Changed

charts/platform/charts/agent-backend/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
 - name: common
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 2.38.0
+  version: 2.39.0
 - name: seqera-common
   repository: file://../../../seqera-common
   version: 2.1.2
-digest: sha256:4d1319075460f2901b92a5aa964db5992673e65275005b33671b597179c47c83
-generated: "2026-04-30T17:18:03.74270588+02:00"
+digest: sha256:3eac4511073f329f614981ce9b91e6cdda035aa007a3aeecd7069958c9ede539
+generated: "2026-05-05T14:17:14.074321992+02:00"

charts/platform/charts/agent-backend/Chart.yaml

@@ -19,7 +19,7 @@ apiVersion: v2
 name: agent-backend
 description: Backend service for Seqera CLI AI capabilities
 type: application
-version: 0.4.11
+version: 0.5.0
 appVersion: "2.0.0"
 maintainers:
   - name: Seqera Labs