diff --git a/charts/platform/CHANGELOG.md b/charts/platform/CHANGELOG.md
index 9a45ba3..9e0d0c2 100644
--- a/charts/platform/CHANGELOG.md
+++ b/charts/platform/CHANGELOG.md
@@ -5,6 +5,12 @@ All notable changes to this chart will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [Unreleased]
+
+### Changed
+
+- Refresh deployment snapshots after `platformServiceAddress` requirement (#131) and bump license-header year range on `templates/extra-list.yaml` / `tests/extra-list_test.yaml`.
+
 ## [0.33.0] - 2026-04-30 ### Added
diff --git a/charts/platform/charts/agent-backend/CHANGELOG.md b/charts/platform/charts/agent-backend/CHANGELOG.md
index cbd32ae..f4fa306 100644
--- a/charts/platform/charts/agent-backend/CHANGELOG.md
+++ b/charts/platform/charts/agent-backend/CHANGELOG.md
@@ -5,6 +5,12 @@ All notable changes to this chart will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [Unreleased]
+
+### Changed
+
+- Refresh deployment snapshot after `platformServiceAddress` requirement (#131).
+
 ## [0.5.0] - 2026-05-05 - **Enhancement**: allow global configuration of Ingress options. A new `global.ingress` block (`enabled`, `path`, `defaultPathType`, `ingressClassName`, `annotations`, `extraLabels`, `tls`) lets cluster-wide Ingress defaults be set once at the parent and propagate to every subchart, removing the need to repeat controller-wide config per subchart. `enabled` is OR-merged; scalar fields fall back to global when local is unset; `annotations` and `extraLabels` are merged with local winning on key collision; `tls` is concatenated (useful for a single wildcard certificate across all services).
diff --git a/charts/platform/charts/agent-backend/examples/standalone.yaml b/charts/platform/charts/agent-backend/examples/standalone.yaml
new file mode 100644
index 0000000..5807b2d
--- /dev/null
+++ b/charts/platform/charts/agent-backend/examples/standalone.yaml
@@ -0,0 +1,94 @@
+# Agent Backend - Standalone Deployment Example
+#
+# Use this file when deploying the agent-backend chart independently,
+# without the parent platform chart.
+#
+# Prerequisites:
+# - Seqera Platform already running and accessible
+# - MySQL database provisioned
+# - Redis provisioned
+# - AWS Bedrock or Anthropic API access configured
+# - AWS Load Balancer Controller installed in the cluster
+# - ACM certificate ARN for TLS
+#
+# Deploy with:
+# helm repo add seqera https://seqeralabs.github.io/helm-charts
+# helm show values seqera/agent-backend > values.yaml # pull full defaults to customise
+# helm upgrade --install agent-backend seqera/agent-backend \
+# -f values.yaml \
+# -n seqera
+
+global:
+ # Domain where your existing Seqera Platform is accessible
+ platformExternalDomain: platform.example.com
+
+ # Address of the Seqera Platform backend service.
+ # When Platform is deployed in the same cluster, use its internal service name:
+ # platformServiceAddress: my-platform-platform-backend
+ # When Platform is external, use its hostname:
+ platformServiceAddress: platform.example.com
+ # platformServicePort: 8080 # default
+
+ # Domain where this agent-backend instance will be accessible
+ agentBackendDomain: ai-api.platform.example.com
+
+database:
+ host: mysql.example.com
+ # port: 3306 # default
+ name: agent_backend
+ username: agent_backend
+ existingSecretName: agent-backend-db-credentials
+ existingSecretKey: password
+
+redis:
+ host: redis.example.com
+ # port: 6379 # default
+ existingSecretName: agent-backend-redis-credentials
+ existingSecretKey: password
+
+# AWS Bedrock configuration (required for AI capabilities)
+bedrockAgentCoreArn: "arn:aws:bedrock:us-east-1:123456789012:agent-runtime/XXXXXXXXXX"
+# Optional: cross-account access via an assumed role
+# bedrockAssumeRoleArn: "arn:aws:iam::123456789012:role/BedrockAccessRole"
+
+embeddings:
+ bedrock:
+ region: us-east-1
+ # modelId: amazon.titan-embed-text-v2:0 # default
+ # dimensions: "1024" # default
+
+# Alternatively, use Anthropic directly instead of Bedrock:
+# anthropicApiKeyExistingSecretName: agent-backend-anthropic-credentials
+# anthropicApiKeyExistingSecretKey: api-key
+
+# Token encryption key — must be a valid Fernet key.
+# Generate one with: python3 -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
+tokenEncryptionKeyExistingSecretName: agent-backend-secrets
+tokenEncryptionKeyExistingSecretKey: token-encryption-key
+
+# ALB requires NodePort service type
+service:
+ type: NodePort
+
+ingress:
+ enabled: true
+ ingressClassName: alb
+ # ALB requires path "/*" instead of "/"
+ path: "/*"
+ defaultPathType: Prefix
+ annotations:
+ alb.ingress.kubernetes.io/scheme: internet-facing
+ alb.ingress.kubernetes.io/target-type: ip
+ alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:123456789012:certificate/abcd-1234
+ alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
+ alb.ingress.kubernetes.io/ssl-redirect: "443"
+ alb.ingress.kubernetes.io/healthcheck-path: /health
+ # TLS is handled by ACM; no tls section needed
+ tls: []
+
+# resources:
+# requests:
+# cpu: "100m"
+# memory: "1000Mi"
+# limits:
+# memory: "1000Mi"
diff --git a/charts/platform/charts/agent-backend/tests/__snapshot__/deployment_test.yaml.snap b/charts/platform/charts/agent-backend/tests/__snapshot__/deployment_test.yaml.snap
index 3717331..87642da 100644
--- a/charts/platform/charts/agent-backend/tests/__snapshot__/deployment_test.yaml.snap
+++ b/charts/platform/charts/agent-backend/tests/__snapshot__/deployment_test.yaml.snap
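Review bot: The example publishes the agent-backend API on a public load balancer by default, through `alb.ingress.kubernetes.io/scheme: internet-facing` in the `ingress.annotations` block, with no source restriction and no TLS policy pinned. Because this file is meant to be copied as a starting point, I would add a comment above that annotation, for example `# internet-facing exposes this API publicly; use "internal" or restrict callers with alb.ingress.kubernetes.io/inbound-cidrs where public access is not required`. Showing `alb.ingress.kubernetes.io/ssl-policy` as well would keep the HTTPS listener from depending on the controller default. The same annotation block appears in the mcp, portal-web, studios and wave standalone examples and in `examples/complete.yaml` and `examples/platform-only.yaml`.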
@@ -129,7 +129,7 @@ should render a Deployment with default values: - sh - -c - | - if [ -n "$REDISCLI_AUTH" ]; then echo "$(date): starting check redis '$REDIS_URI' (auth set)"; else echo "$(date): starting check redis '$REDIS_URI' (auth not set)"; fi + echo "$(date): starting check redis '$REDIS_URI' (auth ${REDISCLI_AUTH:+set})" until redis-cli -u "$REDIS_URI" get hello; do echo "$(date): see you in $SLEEP_PERIOD_SECONDS seconds" sleep $SLEEP_PERIOD_SECONDS
diff --git a/charts/platform/charts/mcp/examples/standalone.yaml b/charts/platform/charts/mcp/examples/standalone.yaml
new file mode 100644
index 0000000..316384c
--- /dev/null
+++ b/charts/platform/charts/mcp/examples/standalone.yaml
@@ -0,0 +1,80 @@
+# MCP - Standalone Deployment Example
+#
+# Use this file when deploying the mcp chart independently,
+# without the parent platform chart.
+#
+# Prerequisites:
+# - Seqera Platform already running and accessible with OIDC enabled
+# - The OIDC initial access token from Platform (used to register MCP as an OAuth client)
+# - AWS Load Balancer Controller installed in the cluster
+# - ACM certificate ARN for TLS
+#
+# Deploy with:
+# helm repo add seqera https://seqeralabs.github.io/helm-charts
+# helm show values seqera/mcp > values.yaml # pull full defaults to customise
+# helm upgrade --install mcp seqera/mcp \
+# -f values.yaml \
+# -n seqera
+
+global:
+ # Domain where your existing Seqera Platform is accessible
+ platformExternalDomain: platform.example.com
+
+ # Address of the Seqera Platform backend service.
+ # When Platform is in the same cluster, use its internal service name:
+ # platformServiceAddress: my-platform-platform-backend
+ # When Platform is external, use its hostname:
+ platformServiceAddress: platform.example.com
+ # platformServicePort: 8080 # default
+
+ # mcpDomain: mcp.platform.example.com # default: mcp.
+ # The OAuth redirect URL is automatically derived as: /oauth/callback
+
+# micronautEnvironments: # default: [oauth-platform]
+# - oauth-platform
+# Remove 'oauth-platform' and set oauth.issuerUrl explicitly if using a separate OIDC provider.
+
+# OIDC initial access token — must match the value configured in Seqera Platform.
+# When deploying alongside the platform chart, this is wired up automatically.
+# For standalone, retrieve it from the Platform backend Secret:
+# kubectl get secret -o jsonpath='{.data.TOWER_OIDC_REGISTRATION_INITIAL_ACCESS_TOKEN}' | base64 -d
+oidcToken:
+ existingSecretName: platform-backend-secret
+ existingSecretKey: TOWER_OIDC_REGISTRATION_INITIAL_ACCESS_TOKEN
+
+oauth:
+ # JWT seed used to sign MCP authentication tokens.
+ # Provide a stable value so tokens survive pod restarts and upgrades.
+ jwtSeedString: "" # or use jwtSeedSecretName / jwtSeedSecretKey
+
+# Disable the init container that waits for Platform since it is already running externally
+initContainerDependencies:
+ waitForPlatform:
+ enabled: false
+
+# ALB requires NodePort service type
+service:
+ type: NodePort
+
+ingress:
+ enabled: true
+ ingressClassName: alb
+ # ALB requires path "/*" instead of "/"
+ path: "/*"
+ defaultPathType: Prefix
+ annotations:
+ alb.ingress.kubernetes.io/scheme: internet-facing
+ alb.ingress.kubernetes.io/target-type: ip
+ alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:123456789012:certificate/abcd-1234
+ alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
+ alb.ingress.kubernetes.io/ssl-redirect: "443"
+ alb.ingress.kubernetes.io/healthcheck-path: /health
+ # TLS is handled by ACM; no tls section needed
+ tls: []
+
+# resources:
+# requests:
+# cpu: "100m"
+# memory: "512Mi"
+# limits:
+# memory: "512Mi"
diff --git a/charts/platform/charts/pipeline-optimization/CHANGELOG.md b/charts/platform/charts/pipeline-optimization/CHANGELOG.md
index b5499a7..1f23e5c 100644
--- a/charts/platform/charts/pipeline-optimization/CHANGELOG.md
+++ b/charts/platform/charts/pipeline-optimization/CHANGELOG.md
@@ -5,6 +5,12 @@ All notable changes to this chart will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [Unreleased]
+
+### Changed
+
+- Bump license-header year range on configmap, secret, service templates and tests (no functional change).
+
 ## [2.0.6] - 2026-05-05 ### Changed
diff --git a/charts/platform/charts/pipeline-optimization/templates/configmap.yaml b/charts/platform/charts/pipeline-optimization/templates/configmap.yaml
index 4fcba0b..59b07e5 100644
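Review bot: `oauth.jwtSeedString: ""` puts the JWT signing seed inline in the values file, and the Secret-based alternative is only mentioned in a trailing comment. A seed pasted here ends up in the values file and in the stored Helm release data, and the empty default sits directly under a comment saying a stable value is needed, so it is unclear what the chart does when the example is applied unchanged. I would have the example use the Secret reference the way `examples/complete.yaml` does for MCP, `jwtSeedSecretName: mcp-secrets` and `jwtSeedSecretKey: jwt-seed`, and keep `jwtSeedString` only as a commented-out alternative.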
--- a/charts/platform/charts/pipeline-optimization/templates/configmap.yaml
+++ b/charts/platform/charts/pipeline-optimization/templates/configmap.yaml
@@ -1,5 +1,5 @@
 {{/*
- Copyright (c) 2025 Seqera Labs
+ Copyright (c) 2025 - 2026 Seqera Labs
 All rights reserved. SPDX-License-Identifier: Apache-2.0
diff --git a/charts/platform/charts/pipeline-optimization/templates/secret.yaml b/charts/platform/charts/pipeline-optimization/templates/secret.yaml
index 207fcb8..cb6c3dd 100644
--- a/charts/platform/charts/pipeline-optimization/templates/secret.yaml
+++ b/charts/platform/charts/pipeline-optimization/templates/secret.yaml
@@ -1,5 +1,5 @@
 {{/*
- Copyright (c) 2025 Seqera Labs
+ Copyright (c) 2025 - 2026 Seqera Labs
 All rights reserved. SPDX-License-Identifier: Apache-2.0
diff --git a/charts/platform/charts/pipeline-optimization/templates/service.yaml b/charts/platform/charts/pipeline-optimization/templates/service.yaml
index ae1b260..b80762b 100644
--- a/charts/platform/charts/pipeline-optimization/templates/service.yaml
+++ b/charts/platform/charts/pipeline-optimization/templates/service.yaml
@@ -1,5 +1,5 @@
 {{/*
- Copyright (c) 2025 Seqera Labs
+ Copyright (c) 2025 - 2026 Seqera Labs
 All rights reserved. SPDX-License-Identifier: Apache-2.0
diff --git a/charts/platform/charts/pipeline-optimization/tests/NOTES_test.yaml b/charts/platform/charts/pipeline-optimization/tests/NOTES_test.yaml
index 0410b08..263a80b 100644
--- a/charts/platform/charts/pipeline-optimization/tests/NOTES_test.yaml
+++ b/charts/platform/charts/pipeline-optimization/tests/NOTES_test.yaml
@@ -1,6 +1,6 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
 #
-# Copyright (c) 2025 Seqera Labs
+# Copyright (c) 2025 - 2026 Seqera Labs
 # All rights reserved.
 #
 # SPDX-License-Identifier: Apache-2.0
diff --git a/charts/platform/charts/pipeline-optimization/tests/configmap_test.yaml b/charts/platform/charts/pipeline-optimization/tests/configmap_test.yaml
index 4234e6f..e38bfaa 100644
--- a/charts/platform/charts/pipeline-optimization/tests/configmap_test.yaml
+++ b/charts/platform/charts/pipeline-optimization/tests/configmap_test.yaml
@@ -1,6 +1,6 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
 #
-# Copyright (c) 2025 Seqera Labs
+# Copyright (c) 2025 - 2026 Seqera Labs
 # All rights reserved.
 #
 # SPDX-License-Identifier: Apache-2.0
diff --git a/charts/platform/charts/pipeline-optimization/tests/secret_test.yaml b/charts/platform/charts/pipeline-optimization/tests/secret_test.yaml
index 28ed6be..cb50392 100644
--- a/charts/platform/charts/pipeline-optimization/tests/secret_test.yaml
+++ b/charts/platform/charts/pipeline-optimization/tests/secret_test.yaml
@@ -1,6 +1,6 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
 #
-# Copyright (c) 2025 Seqera Labs
+# Copyright (c) 2025 - 2026 Seqera Labs
 # All rights reserved.
 #
 # SPDX-License-Identifier: Apache-2.0
diff --git a/charts/platform/charts/pipeline-optimization/tests/service_test.yaml b/charts/platform/charts/pipeline-optimization/tests/service_test.yaml
index da45aa8..2c76219 100644
--- a/charts/platform/charts/pipeline-optimization/tests/service_test.yaml
+++ b/charts/platform/charts/pipeline-optimization/tests/service_test.yaml
@@ -1,6 +1,6 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
 #
-# Copyright (c) 2025 Seqera Labs
+# Copyright (c) 2025 - 2026 Seqera Labs
 # All rights reserved.
 #
 # SPDX-License-Identifier: Apache-2.0
diff --git a/charts/platform/charts/portal-web/examples/standalone.yaml b/charts/platform/charts/portal-web/examples/standalone.yaml
new file mode 100644
index 0000000..5ee3470
--- /dev/null
+++ b/charts/platform/charts/portal-web/examples/standalone.yaml
@@ -0,0 +1,50 @@
+# Portal Web - Standalone Deployment Example
+#
+# Use this file when deploying the portal-web chart independently,
+# without the parent platform chart.
+#
+# Prerequisites:
+# - Seqera Platform already running and accessible
+# - Agent Backend already running and accessible
+# - AWS Load Balancer Controller installed in the cluster
+# - ACM certificate ARN for TLS
+#
+# Deploy with:
+# helm repo add seqera https://seqeralabs.github.io/helm-charts
+# helm show values seqera/portal-web > values.yaml # pull full defaults to customise
+# helm upgrade --install portal-web seqera/portal-web \
+# -f values.yaml \
+# -n seqera
+
+global:
+ # Domain where your existing Seqera Platform is accessible
+ platformExternalDomain: platform.example.com
+
+ # agentBackendDomain: ai-api.platform.example.com # default: ai-api.
+ # portalWebDomain: ai.platform.example.com # default: ai.
+
+# ALB requires NodePort service type
+service:
+ type: NodePort
+
+ingress:
+ enabled: true
+ ingressClassName: alb
+ # ALB requires path "/*" instead of "/"
+ path: "/*"
+ defaultPathType: Prefix
+ annotations:
+ alb.ingress.kubernetes.io/scheme: internet-facing
+ alb.ingress.kubernetes.io/target-type: ip
+ alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:123456789012:certificate/abcd-1234
+ alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
+ alb.ingress.kubernetes.io/ssl-redirect: "443"
+ # TLS is handled by ACM; no tls section needed
+ tls: []
+
+# resources: # chart defaults: 100m CPU / 500Mi memory
+# requests:
+# cpu: "100m"
+# memory: "500Mi"
+# limits:
+# memory: "500Mi"
diff --git a/charts/platform/charts/studios/examples/standalone.yaml b/charts/platform/charts/studios/examples/standalone.yaml
new file mode 100644
index 0000000..7842ae8
--- /dev/null
+++ b/charts/platform/charts/studios/examples/standalone.yaml
@@ -0,0 +1,91 @@
+# Studios - Standalone Deployment Example
+#
+# Use this file when deploying the studios chart independently,
+# without the parent platform chart.
+#
+# Prerequisites:
+# - Seqera Platform already running and accessible with OIDC enabled
+# - Redis provisioned for session storage
+# - Wildcard DNS configured: *.studios.platform.example.com -> your ALB
+# - ACM wildcard certificate covering *.studios.platform.example.com
+# - The OIDC initial access token from Platform (used to register Studios as an OAuth client)
+# - AWS Load Balancer Controller installed in the cluster
+#
+# Deploy with:
+# helm repo add seqera https://seqeralabs.github.io/helm-charts
+# helm show values seqera/studios > values.yaml # pull full defaults to customise
+# helm upgrade --install studios seqera/studios \
+# -f values.yaml \
+# -n seqera
+
+global:
+ # Domain where your existing Seqera Platform is accessible
+ platformExternalDomain: platform.example.com
+
+ # Address of the Seqera Platform backend service.
+ # When Platform is in the same cluster, use its internal service name:
+ # platformServiceAddress: my-platform-platform-backend
+ # When Platform is external, use its hostname:
+ platformServiceAddress: platform.example.com
+ # platformServicePort: 8080 # default
+
+ # studiosDomain: studios.platform.example.com # default: studios.
+ # studiosConnectionUrl: 'https://connect.studios.platform.example.com' # default: https://connect.
+ # Each Studios session uses a unique subdomain, so DNS and the ACM certificate must cover the
+ # wildcard: *.
+
+redis:
+ host: redis.example.com
+ # port: 6379 # default
+ existingSecretName: studios-redis-credentials
+ existingSecretKey: password
+
+proxy:
+ # OIDC initial access token — must match the value configured in Seqera Platform.
+ # When deploying alongside the platform chart, this is wired up automatically.
+ # For standalone, retrieve it from the Platform backend Secret:
+ # kubectl get secret -o jsonpath='{.data.TOWER_OIDC_REGISTRATION_INITIAL_ACCESS_TOKEN}' | base64 -d
+ oidcClientRegistrationTokenSecretName: platform-backend-secret
+ oidcClientRegistrationTokenSecretKey: TOWER_OIDC_REGISTRATION_INITIAL_ACCESS_TOKEN
+
+ # ALB requires NodePort service type
+ service:
+ type: NodePort
+
+ # resources:
+ # requests:
+ # cpu: "30m"
+ # memory: "64Mi"
+ # limits:
+ # memory: "64Mi"
+
+server:
+ # resources:
+ # requests:
+ # cpu: "20m"
+ # memory: "50Mi"
+ # limits:
+ # memory: "50Mi"
+
+# Disable the init container that waits for Platform since it is already running externally
+initContainerDependencies:
+ waitForPlatform:
+ enabled: false
+
+# Studios requires a wildcard ingress so each session subdomain is routed correctly.
+# The ACM certificate must cover the wildcard *.studios.platform.example.com
+ingress:
+ enabled: true
+ ingressClassName: alb
+ # ALB requires path "/*" instead of "/"
+ path: "/*"
+ defaultPathType: Prefix
+ annotations:
+ alb.ingress.kubernetes.io/scheme: internet-facing
+ alb.ingress.kubernetes.io/target-type: ip
+ alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:123456789012:certificate/abcd-1234
+ alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
+ alb.ingress.kubernetes.io/ssl-redirect: "443"
+ alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=3600
+ # TLS is handled by ACM; no tls section needed
+ tls: []
diff --git a/charts/platform/charts/wave/CHANGELOG.md b/charts/platform/charts/wave/CHANGELOG.md
index df4ce88..541351d 100644
--- a/charts/platform/charts/wave/CHANGELOG.md
+++ b/charts/platform/charts/wave/CHANGELOG.md
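Review bot: The standalone example points `proxy.oidcClientRegistrationTokenSecretName` at `platform-backend-secret`, which is Platform's own backend Secret rather than one created for Studios. In a standalone install that Secret may not exist in the release namespace, and copying it over would bring along whatever else it holds (presumably more than the registration token; its contents are not visible here). I would reference a dedicated Secret holding only the token, for example `oidcClientRegistrationTokenSecretName: studios-oidc-registration` (name constructed for illustration), and have the comment describe creating it from the retrieved value. The kubectl line in that comment also appears to be missing the Secret name after `get secret`, and the `oidcToken` block in `charts/platform/charts/mcp/examples/standalone.yaml` follows the same pattern.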
@@ -5,6 +5,12 @@ All notable changes to this chart will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [Unreleased]
+
+### Changed
+
+- Refresh deployment snapshot after `platformServiceAddress` requirement (#131).
+
 ## [0.2.0] - 2026-05-05 - **Enhancement**: allow global configuration of Ingress options. A new `global.ingress` block (`enabled`, `path`, `defaultPathType`, `ingressClassName`, `annotations`, `extraLabels`, `tls`) lets cluster-wide Ingress defaults be set once at the parent and propagate to every subchart, removing the need to repeat controller-wide config per subchart. `enabled` is OR-merged; scalar fields fall back to global when local is unset; `annotations` and `extraLabels` are merged with local winning on key collision; `tls` is concatenated (useful for a single wildcard certificate across all services).
diff --git a/charts/platform/charts/wave/examples/standalone.yaml b/charts/platform/charts/wave/examples/standalone.yaml
new file mode 100644
index 0000000..529b124
--- /dev/null
+++ b/charts/platform/charts/wave/examples/standalone.yaml
@@ -0,0 +1,73 @@
+# Wave - Standalone Deployment Example
+#
+# Use this file when deploying the wave chart independently,
+# without the parent platform chart.
+#
+# Prerequisites:
+# - PostgreSQL database provisioned
+# - Redis provisioned
+# - AWS Load Balancer Controller installed in the cluster
+# - ACM certificate ARN for TLS
+#
+# Note: Wave can run independently of Seqera Platform. The platformExternalDomain
+# global value is used to derive the waveDomain default; set waveDomain explicitly
+# if your Wave instance lives on a different domain.
+#
+# Deploy with:
+# helm repo add seqera https://seqeralabs.github.io/helm-charts
+# helm show values seqera/wave > values.yaml # pull full defaults to customise
+# helm upgrade --install wave seqera/wave \
+# -f values.yaml \
+# -n seqera
+
+global:
+ platformExternalDomain: platform.example.com
+
+ # waveDomain: wave.platform.example.com # default: wave.
+
+# micronautEnvironments: # default: [postgres, redis, lite]
+# - postgres
+# - redis
+# - lite
+
+database:
+ host: postgres.example.com
+ # port: 5432 # default
+ name: wave
+ username: wave
+ existingSecretName: wave-db-credentials
+ existingSecretKey: password
+
+redis:
+ host: redis.example.com
+ # port: 6379 # default
+ existingSecretName: wave-redis-credentials
+ existingSecretKey: password
+
+# ALB requires NodePort service type
+service:
+ type: NodePort
+
+ingress:
+ enabled: true
+ ingressClassName: alb
+ # ALB requires path "/*" instead of "/"
+ path: "/*"
+ defaultPathType: Prefix
+ annotations:
+ alb.ingress.kubernetes.io/scheme: internet-facing
+ alb.ingress.kubernetes.io/target-type: ip
+ alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:123456789012:certificate/abcd-1234
+ alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
+ alb.ingress.kubernetes.io/ssl-redirect: "443"
+ alb.ingress.kubernetes.io/healthcheck-path: /health
+ alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=3600
+ # TLS is handled by ACM; no tls section needed
+ tls: []
+
+# resources:
+# requests:
+# cpu: "200m"
+# memory: "1400Mi"
+# limits:
+# memory: "1400Mi"
diff --git a/charts/platform/charts/wave/tests/__snapshot__/deployment_test.yaml.snap b/charts/platform/charts/wave/tests/__snapshot__/deployment_test.yaml.snap
index 1adda70..776673d 100644
--- a/charts/platform/charts/wave/tests/__snapshot__/deployment_test.yaml.snap
+++ b/charts/platform/charts/wave/tests/__snapshot__/deployment_test.yaml.snap
@@ -130,7 +130,7 @@ should render a Deployment with default values: - sh - -c - | - if [ -n "$REDISCLI_AUTH" ]; then echo "$(date): starting check redis '$REDIS_URI' (auth set)"; else echo "$(date): starting check redis '$REDIS_URI' (auth not set)"; fi + echo "$(date): starting check redis '$REDIS_URI' (auth ${REDISCLI_AUTH:+set})" until redis-cli -u "$REDIS_URI" get hello; do echo "$(date): see you in $SLEEP_PERIOD_SECONDS seconds" sleep $SLEEP_PERIOD_SECONDS
diff --git a/charts/platform/examples/complete.yaml b/charts/platform/examples/complete.yaml
new file mode 100644
index 0000000..bc6b8df
--- /dev/null
+++ b/charts/platform/examples/complete.yaml
@@ -0,0 +1,246 @@
+# Seqera Platform - Complete Deployment Example
+#
+# Deploys the full Platform stack with all optional subcharts enabled:
+# Studios, MCP, Wave, Agent Backend, Portal Web, and Pipeline Optimization.
+#
+# Prerequisites:
+# - MySQL database provisioned (shared by Platform and Pipeline Optimization;
+# Agent Backend uses a separate MySQL database)
+# - PostgreSQL database provisioned (Wave)
+# - Redis provisioned (Platform, Studios, Wave, Agent Backend each use one)
+# - Seqera license key available
+# - AWS Bedrock or Anthropic API access for Agent Backend
+# - Wildcard DNS and ACM certificate for Studios: *.studios.platform.example.com
+# - ACM certificate ARN for all other domains
+# - AWS Load Balancer Controller installed in the cluster
+#
+# Deploy with:
+# helm repo add seqera https://seqeralabs.github.io/helm-charts
+# helm show values seqera/platform > values.yaml # pull full defaults to customise
+# helm upgrade --install platform seqera/platform \
+# -f values.yaml \
+# -n seqera
+
+global:
+ platformExternalDomain: platform.example.com
+ # contentDomain: user-data.platform.example.com # default: user-data.
+ # studiosDomain: studios.platform.example.com # default: studios.
+ # waveDomain: wave.platform.example.com # default: wave.
+ # mcpDomain: mcp.platform.example.com # default: mcp.
+ # agentBackendDomain: ai-api.platform.example.com # default: ai-api.
+ # portalWebDomain: ai.platform.example.com # default: ai.
+
+platformDatabase:
+ host: mysql.example.com
+ # port: 3306 # default
+ name: platform
+ username: platform
+ existingSecretName: platform-db-credentials
+ existingSecretKey: password
+
+redis:
+ host: redis.example.com
+ # port: 6379 # default
+ existingSecretName: platform-redis-credentials
+ existingSecretKey: password
+
+platform:
+ contactEmail: support@example.com
+ licenseSecretName: platform-license
+
+ # Stable secrets — must be set explicitly to avoid regeneration on upgrade
+ jwtSeedSecretName: platform-secrets
+ jwtSeedSecretKey: jwt-seed
+ cryptoSeedSecretName: platform-secrets
+ cryptoSeedSecretKey: crypto-seed
+
+ smtp:
+ host: smtp.example.com
+ port: "587"
+ user: smtp-user
+ existingSecretName: platform-smtp-credentials
+ existingSecretKey: password
+
+ # Required for Studios: Wave registry where custom session images are pushed
+ waveServerUrl: https://wave.platform.example.com
+ studios:
+ customImageRegistry: registry.example.com
+ customImageRepository: my-team/studios-sessions
+
+ dataExplorer:
+ enabled: true
+
+# ALB requires NodePort on the frontend service
+frontend:
+ service:
+ type: NodePort
+
+ingress:
+ enabled: true
+ ingressClassName: alb
+ path: "/*"
+ contentPath: "/*"
+ defaultPathType: Prefix
+ annotations:
+ alb.ingress.kubernetes.io/scheme: internet-facing
+ alb.ingress.kubernetes.io/target-type: ip
+ alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:123456789012:certificate/abcd-1234
+ alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
+ alb.ingress.kubernetes.io/ssl-redirect: "443"
+ alb.ingress.kubernetes.io/healthcheck-path: /health
+ tls: []
+
+# -- Studios subchart
+studios:
+ enabled: true
+ redis:
+ host: redis.example.com
+ # port: 6379 # default
+ existingSecretName: studios-redis-credentials
+ existingSecretKey: password
+ # OIDC token is wired automatically from the platform backend secret
+ proxy:
+ service:
+ type: NodePort
+ ingress:
+ enabled: true
+ ingressClassName: alb
+ path: "/*"
+ defaultPathType: Prefix
+ annotations:
+ alb.ingress.kubernetes.io/scheme: internet-facing
+ alb.ingress.kubernetes.io/target-type: ip
+ alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:123456789012:certificate/studios-wildcard-1234
+ alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
+ alb.ingress.kubernetes.io/ssl-redirect: "443"
+ alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=3600
+ tls: []
+
+# -- Wave subchart
+wave:
+ enabled: true
+ database:
+ host: postgres.example.com
+ # port: 5432 # default
+ name: wave
+ username: wave
+ existingSecretName: wave-db-credentials
+ existingSecretKey: password
+ redis:
+ host: redis.example.com
+ # port: 6379 # default
+ existingSecretName: wave-redis-credentials
+ existingSecretKey: password
+ service:
+ type: NodePort
+ ingress:
+ enabled: true
+ ingressClassName: alb
+ path: "/*"
+ defaultPathType: Prefix
+ annotations:
+ alb.ingress.kubernetes.io/scheme: internet-facing
+ alb.ingress.kubernetes.io/target-type: ip
+ alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:123456789012:certificate/abcd-1234
+ alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
+ alb.ingress.kubernetes.io/ssl-redirect: "443"
+ alb.ingress.kubernetes.io/healthcheck-path: /health
+ alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=3600
+ tls: []
+
+# -- MCP subchart
+# OIDC token is wired automatically from the platform backend secret
+mcp:
+ enabled: true
+ oauth:
+ jwtSeedSecretName: mcp-secrets
+ jwtSeedSecretKey: jwt-seed
+ service:
+ type: NodePort
+ ingress:
+ enabled: true
+ ingressClassName: alb
+ path: "/*"
+ defaultPathType: Prefix
+ annotations:
+ alb.ingress.kubernetes.io/scheme: internet-facing
+ alb.ingress.kubernetes.io/target-type: ip
+ alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:123456789012:certificate/abcd-1234
+ alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
+ alb.ingress.kubernetes.io/ssl-redirect: "443"
+ alb.ingress.kubernetes.io/healthcheck-path: /health
+ tls: []
+
+# -- Agent Backend subchart
+agent-backend:
+ enabled: true
+ database:
+ host: mysql.example.com
+ # port: 3306 # default
+ name: agent_backend
+ username: agent_backend
+ existingSecretName: agent-backend-db-credentials
+ existingSecretKey: password
+ redis:
+ host: redis.example.com
+ # port: 6379 # default
+ existingSecretName: agent-backend-redis-credentials
+ existingSecretKey: password
+ bedrockAgentCoreArn: "arn:aws:bedrock:us-east-1:123456789012:agent-runtime/XXXXXXXXXX"
+ embeddings:
+ bedrock:
+ region: us-east-1
+ # modelId: amazon.titan-embed-text-v2:0 # default
+ tokenEncryptionKeyExistingSecretName: agent-backend-secrets
+ tokenEncryptionKeyExistingSecretKey: token-encryption-key
+ service:
+ type: NodePort
+ ingress:
+ enabled: true
+ ingressClassName: alb
+ path: "/*"
+ defaultPathType: Prefix
+ annotations:
+ alb.ingress.kubernetes.io/scheme: internet-facing
+ alb.ingress.kubernetes.io/target-type: ip
+ alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:123456789012:certificate/abcd-1234
+ alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
+ alb.ingress.kubernetes.io/ssl-redirect: "443"
+ alb.ingress.kubernetes.io/healthcheck-path: /health
+ tls: []
+
+# -- Portal Web subchart
+portal-web:
+ enabled: true
+ service:
+ type: NodePort
+ ingress:
+ enabled: true
+ ingressClassName: alb
+ path: "/*"
+ defaultPathType: Prefix
+ annotations:
+ alb.ingress.kubernetes.io/scheme: internet-facing
+ alb.ingress.kubernetes.io/target-type: ip
+ alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:123456789012:certificate/abcd-1234
+ alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
+ alb.ingress.kubernetes.io/ssl-redirect: "443"
+ tls: []
+
+# -- Pipeline Optimization subchart
+pipeline-optimization:
+ enabled: true
+ database:
+ host: mysql.example.com
+ # port: 3306 # default
+ name: pipeline_optimization
+ username: pipeline_optimization
+ existingSecretName: pipeline-optimization-db-credentials
+ existingSecretKey: password
+ platformDatabase:
+ host: mysql.example.com
+ # port: 3306 # default
+ name: platform
+ username: platform
+ existingSecretName: platform-db-credentials
+ existingSecretKey: password
diff --git a/charts/platform/examples/platform-only.yaml b/charts/platform/examples/platform-only.yaml
new file mode 100644
index 0000000..8e1ea4e
--- /dev/null
+++ b/charts/platform/examples/platform-only.yaml
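Review bot: Every ingress block in this file pairs `path: "/*"` with `defaultPathType: Prefix`, and that combination should be checked against the controller before it is published as a reference. If the chart renders `defaultPathType` as the Ingress `pathType` (the templates are not part of this diff), the AWS Load Balancer Controller is, as far as I know, strict here: wildcards are only accepted under `ImplementationSpecific`, and a `Prefix` path of `/` already matches everything. Either `path: "/"` with `defaultPathType: Prefix` or `path: "/*"` with `defaultPathType: ImplementationSpecific` would be consistent. The same pairing is used in all five standalone examples and in `examples/platform-only.yaml`.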
@@ -0,0 +1,95 @@
+# Seqera Platform - Core Deployment Example
+#
+# Deploys the core Platform components only (backend, cron, frontend).
+# All optional subcharts (Studios, MCP, Wave, Agent Backend, Portal Web,
+# Pipeline Optimization) are explicitly disabled.
+#
+# Prerequisites:
+# - MySQL database provisioned
+# - Redis provisioned
+# - Seqera license key available
+# - AWS Load Balancer Controller installed in the cluster
+# - ACM certificate ARN for TLS
+#
+# Deploy with:
+# helm repo add seqera https://seqeralabs.github.io/helm-charts
+# helm show values seqera/platform > values.yaml # pull full defaults to customise
+# helm upgrade --install platform seqera/platform \
+# -f values.yaml \
+# -n seqera
+
+global:
+ platformExternalDomain: platform.example.com
+ # contentDomain: user-data.platform.example.com # default: user-data.
+
+platformDatabase:
+ host: mysql.example.com
+ # port: 3306 # default
+ name: platform
+ username: platform
+ existingSecretName: platform-db-credentials
+ existingSecretKey: password
+
+redis:
+ host: redis.example.com
+ # port: 6379 # default
+ existingSecretName: platform-redis-credentials
+ existingSecretKey: password
+
+platform:
+ contactEmail: support@example.com
+ licenseSecretName: platform-license
+
+ # Stable secrets — must be set explicitly to avoid regeneration on upgrade
+ jwtSeedSecretName: platform-secrets
+ jwtSeedSecretKey: jwt-seed
+ cryptoSeedSecretName: platform-secrets
+ cryptoSeedSecretKey: crypto-seed
+
+ smtp:
+ host: smtp.example.com
+ port: "587"
+ user: smtp-user
+ existingSecretName: platform-smtp-credentials
+ existingSecretKey: password
+
+# ALB requires NodePort on the frontend service (the only service exposed via ingress by default)
+frontend:
+ service:
+ type: NodePort
+
+ingress:
+ enabled: true
+ ingressClassName: alb
+ # ALB requires path "/*" instead of "/"
+ path: "/*"
+ contentPath: "/*"
+ defaultPathType: Prefix
+ annotations:
+ alb.ingress.kubernetes.io/scheme: internet-facing
+
alb.ingress.kubernetes.io/target-type: ip + alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:123456789012:certificate/abcd-1234 + alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]' + alb.ingress.kubernetes.io/ssl-redirect: "443" + alb.ingress.kubernetes.io/healthcheck-path: /health + # TLS is handled by ACM; no tls section needed + tls: [] + +# Disable all optional subcharts +studios: + enabled: false + +pipeline-optimization: + enabled: false + +mcp: + enabled: false + +agent-backend: + enabled: false + +portal-web: + enabled: false + +wave: + enabled: false diff --git a/charts/platform/templates/extra-list.yaml b/charts/platform/templates/extra-list.yaml index ff114e0..7b5cf37 100644 --- a/charts/platform/templates/extra-list.yaml +++ b/charts/platform/templates/extra-list.yaml @@ -1,5 +1,5 @@ {{/* - Copyright (c) 2025 Seqera Labs + Copyright (c) 2025 - 2026 Seqera Labs All rights reserved. SPDX-License-Identifier: Apache-2.0 diff --git a/charts/platform/tests/__snapshot__/deployment-backend_test.yaml.snap b/charts/platform/tests/__snapshot__/deployment-backend_test.yaml.snap index f6f40c5..39af34f 100644 --- a/charts/platform/tests/__snapshot__/deployment-backend_test.yaml.snap +++ b/charts/platform/tests/__snapshot__/deployment-backend_test.yaml.snap @@ -123,7 +123,7 @@ should produce a Deployment resource with minimal values: - sh - -c - | - if [ -n "$REDISCLI_AUTH" ]; then echo "$(date): starting check redis '$REDIS_URI' (auth set)"; else echo "$(date): starting check redis '$REDIS_URI' (auth not set)"; fi + echo "$(date): starting check redis '$REDIS_URI' (auth ${REDISCLI_AUTH:+set})" until redis-cli -u "$REDIS_URI" get hello; do echo "$(date): see you in $SLEEP_PERIOD_SECONDS seconds" sleep $SLEEP_PERIOD_SECONDS 
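Review bot: The `ingress.annotations` block in `platform-only.yaml` exposes an `internet-facing` ALB on 443 without pinning a TLS policy, so the listener falls back to the controller default, which has historically been `ELBSecurityPolicy-2016-08` and still negotiates TLS 1.0/1.1 unless a cluster-wide default overrides it. Example values tend to be copied verbatim, so I would add `alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06` next to `certificate-arn`; the `agent-backend` and `portal-web` ingress blocks earlier in this diff have the same gap. Separately, the comment `# ALB requires NodePort on the frontend service` does not match `target-type: ip`, where the ALB registers pod IPs directly. If the chart has no other need for it, `type: ClusterIP` would avoid opening a port on every node. The header's prerequisites list could also name the Secrets the values reference (`platform-db-credentials`, `platform-redis-credentials`, `platform-license`, `platform-secrets`, `platform-smtp-credentials`), since they must exist before install.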
@@ -364,7 +364,7 @@ should render the backend deployment with the correct checksums, labels and anno - sh - -c - | - if [ -n "$REDISCLI_AUTH" ]; then echo "$(date): starting check redis '$REDIS_URI' (auth set)"; else echo "$(date): starting check redis '$REDIS_URI' (auth not set)"; fi + echo "$(date): starting check redis '$REDIS_URI' (auth ${REDISCLI_AUTH:+set})" until redis-cli -u "$REDIS_URI" get hello; do echo "$(date): see you in $SLEEP_PERIOD_SECONDS seconds" sleep $SLEEP_PERIOD_SECONDS diff --git a/charts/platform/tests/__snapshot__/deployment-cron_test.yaml.snap b/charts/platform/tests/__snapshot__/deployment-cron_test.yaml.snap index afbeec4..4cdf5b5 100644 --- a/charts/platform/tests/__snapshot__/deployment-cron_test.yaml.snap +++ b/charts/platform/tests/__snapshot__/deployment-cron_test.yaml.snap @@ -118,7 +118,7 @@ should produce a Deployment resource with minimal values: - sh - -c - | - if [ -n "$REDISCLI_AUTH" ]; then echo "$(date): starting check redis '$REDIS_URI' (auth set)"; else echo "$(date): starting check redis '$REDIS_URI' (auth not set)"; fi + echo "$(date): starting check redis '$REDIS_URI' (auth ${REDISCLI_AUTH:+set})" until redis-cli -u "$REDIS_URI" get hello; do echo "$(date): see you in $SLEEP_PERIOD_SECONDS seconds" sleep $SLEEP_PERIOD_SECONDS @@ -355,7 +355,7 @@ should render the cron deployment with the correct checksums, labels and annotat - sh - -c - | - if [ -n "$REDISCLI_AUTH" ]; then echo "$(date): starting check redis '$REDIS_URI' (auth set)"; else echo "$(date): starting check redis '$REDIS_URI' (auth not set)"; fi + echo "$(date): starting check redis '$REDIS_URI' (auth ${REDISCLI_AUTH:+set})" until redis-cli -u "$REDIS_URI" get hello; do echo "$(date): see you in $SLEEP_PERIOD_SECONDS seconds" sleep $SLEEP_PERIOD_SECONDS diff --git a/charts/platform/tests/extra-list_test.yaml b/charts/platform/tests/extra-list_test.yaml index 93b3e11..99f7a6d 100644 --- a/charts/platform/tests/extra-list_test.yaml 
+++ b/charts/platform/tests/extra-list_test.yaml
@@ -1,6 +1,6 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
 #
-# Copyright (c) 2025 Seqera Labs
+# Copyright (c) 2025 - 2026 Seqera Labs
 # All rights reserved.
 #
 # SPDX-License-Identifier: Apache-2.0