Update to Helm and Tofu (#325)

Author: gotsysdba

.github/workflows/pytest.yml

@@ -43,6 +43,16 @@ jobs:
           python -m pip install --upgrade pip wheel setuptools uv
           uv pip install torch==2.9.0+cpu -f https://download.pytorch.org/whl/cpu/torch --system
           uv pip install -e ".[all-test]" --system
+          curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
+
+      - name: Run yamllint on Code
+        run: yamllint .
+
+      - name: Run Helm Lint (basic structure)
+        run: helm lint helm/
+
+      - name: Run Helm Lint (with required values)
+        run: helm lint helm/ --set global.api.apiKey=test-api-key
 
       - name: Run Pylint on IaC Code
         run: pylint opentofu

.yamllint

@@ -0,0 +1,52 @@
+extends: default
+
+ignore: |
+  .venv/
+  docs/themes/
+  .github/
+  helm/templates/
+  opentofu/modules/*/templates/
+  src/client/spring_ai/templates/
+
+rules:
+  line-length:
+    max: 120
+    level: warning
+
+  indentation:
+    spaces: 2
+    indent-sequences: true
+
+  # Helm templates often use truthy values like yes/no, on/off
+  truthy:
+    allowed-values: ['true', 'false', 'yes', 'no', 'on', 'off']
+    check-keys: false
+
+  # Allow both quoted and unquoted strings
+  quoted-strings:
+    quote-type: any
+    required: false
+
+  # Don't require document start marker (---)
+  document-start: disable
+
+  # More lenient on comments
+  comments:
+    min-spaces-from-content: 1
+
+  # Disable for commented-out examples in Helm values
+  comments-indentation: disable
+
+  # Allow empty values (common in Helm templates)
+  empty-values:
+    forbid-in-block-mappings: false
+    forbid-in-flow-mappings: false
+
+  # Brackets and braces (lenient for Helm)
+  brackets:
+    min-spaces-inside: 0
+    max-spaces-inside: 1
+
+  braces:
+    min-spaces-inside: 0
+    max-spaces-inside: 1

helm/examples/values-kind-other.yaml

@@ -19,7 +19,7 @@ server:
       # service_name: "MYSERVICE"
     privAuthN:
       secretName: "db-priv-authn"
-      passwordKey: "password"    
+      passwordKey: "password"
 client:
   replicaCount: 1
   image:

helm/templates/_helpers.tpl

@@ -286,7 +286,7 @@ These helpers provide consistent database type checking across templates.
 Database Service Name Helper
 Returns the short database type prefix (sidb or adb) for service naming.
 *********************************************** */}}
-{{- define "server.database.shortType" -}}
+{{- define "server.database.dbName" -}}
 {{- $dbType := include "server.database.type" . -}}
 {{- if $dbType -}}
   {{- lower (split "-" $dbType)._0 -}}

helm/templates/server/database.yaml

@@ -3,13 +3,7 @@
 # spell-checker: ignore nindent freepdb1 oserror selectai sidb spfile sqlplus
 # spell-checker: ignore sqlcode sqlerror varchar nolog ptype sysdba tablespace tblspace
 
-# This file consolidates database-related Kubernetes resources:
-# - Secrets (auth, priv, wallet)
-# - Deployment (SIDB-FREE, ADB-FREE)
-# - Job (database initialization)
-# - AutonomousDatabase (ADB-S operator)
-#
-# Note: ConfigMap (initialization scripts) is now in db-configmap.yaml
+# This file consolidates database-related Kubernetes resources
 
 {{- if .Values.server.database }}
 
@@ -30,17 +24,17 @@ metadata:
     helm.sh/resource-policy: keep
 type: Opaque
 stringData:
-  username: "AI_OPTIMIZER"
-  password: {{ include "server.randomPassword" . | quote }}
+  {{ default "username" .Values.server.database.authN.usernameKey }}: "AI_OPTIMIZER"
+  {{ default "password" .Values.server.database.authN.passwordKey }}: {{ include "server.randomPassword" . | quote }}
   {{- if eq (include "server.database.isSIDB" .) "true" }}
-  service: "{{ .Release.Name }}-{{ include "server.database.shortType" . }}-1521:1521/FREEPDB1"
+  {{ default "service" .Values.server.database.authN.serviceKey }}: "{{ .Release.Name }}-{{ include "server.database.dbName" . }}-1521:1521/FREEPDB1"
   {{- else if eq (include "server.database.isADBFree" .) "true" }}
-  service: "{{ .Release.Name }}-{{ include "server.database.shortType" . }}-1521:1521/FREEPDB1"
+  {{ default "service" .Values.server.database.authN.serviceKey }}: "{{ .Release.Name }}-{{ include "server.database.dbName" . }}-1521:1521/FREEPDB1"
   {{- else if eq (include "server.database.isOther" .) "true" }}
     {{- if and .Values.server.database.other.dsn (ne (.Values.server.database.other.dsn | trim) "") }}
-  service: "{{ .Values.server.database.other.dsn }}"
+  {{ default "service" .Values.server.database.authN.serviceKey }}: "{{ .Values.server.database.other.dsn }}"
     {{- else }}
-  service: "{{ .Values.server.database.other.host }}:{{ .Values.server.database.other.port }}/{{ .Values.server.database.other.service_name }}"
+  {{ default "service" .Values.server.database.authN.serviceKey }}: "{{ .Values.server.database.other.host }}:{{ .Values.server.database.other.port }}/{{ .Values.server.database.other.service_name }}"
     {{- end }}
   {{- end }}
 {{- end }}
@@ -85,7 +79,7 @@ stringData:
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "global.fullname" . }}-{{ include "server.database.shortType" . }}
+  name: {{ include "global.fullname" . }}-{{ include "server.database.dbName" . }}
   labels:
     app.kubernetes.io/component: database
     {{- include "global.labels" . | nindent 4}}
@@ -238,10 +232,6 @@ metadata:
   labels:
     app.kubernetes.io/component: database
     {{- include "global.labels" . | nindent 4 }}
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade
-    "helm.sh/hook-weight": "-5"
-    "helm.sh/hook-delete-policy": before-hook-creation
 spec:
   action: "Sync"
   details:
@@ -253,7 +243,7 @@ spec:
         name: {{ .Release.Name }}-adb-wallet-pass-{{ .Release.Revision }}
   {{- if .Values.server.oci_config }}
   ociConfig:
-    configMapName: {{ .Release.Name }}-oci-config
+    configMapName: {{ .Values.server.oci_config.configMapName | default (printf "%s-oci-config" .Release.Name) }}
     {{- if .Values.server.oci_config.keySecretName }}
     secretName: {{ .Values.server.oci_config.keySecretName }}
     {{- end }}

helm/templates/server/oci-configmap.yaml

@@ -3,10 +3,18 @@
 # spell-checker: ignore nindent
 
 {{- if .Values.server.oci_config }}
+{{- /* Determine the ConfigMap name to use or create */ -}}
+{{- $configMapName := .Values.server.oci_config.configMapName | default (printf "%s-oci-config" .Release.Name) }}
+
+{{- /* Check if the ConfigMap already exists */ -}}
+{{- $configMapExists := lookup "v1" "ConfigMap" .Release.Namespace $configMapName }}
+
+{{- /* Only create ConfigMap if it doesn't exist */ -}}
+{{- if not $configMapExists }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ .Release.Name }}-oci-config
+  name: {{ $configMapName }}
   labels:
     app.kubernetes.io/component: server
     {{- include "global.labels" . | nindent 4 }}
@@ -25,4 +33,5 @@ data:
   region: {{ .region | quote }}
     {{- end }}
   {{- end }}
+{{- end }}
 {{- end -}}

helm/templates/server/service.yaml

@@ -25,7 +25,7 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ .Release.Name }}-{{ include "server.database.shortType" . }}-1521
+  name: {{ .Release.Name }}-{{ include "server.database.dbName" . }}-1521
   labels:
     app.kubernetes.io/component: database
     {{- include "global.labels" . | nindent 4 }}

helm/values.yaml

@@ -12,7 +12,9 @@ nameOverride: ""
 # -----------------------
 # -- Global Configuration
 global:
-  # -- Either provide the 'apiKey' directly or provide a secretName referring to an existing Secret containing the API key.
+  # -- Either:
+  # 1) Provide the 'apiKey' directly
+  # 2) Provide a secretName referring to an existing Secret containing the API key.
   api:
     # -- Key for making API calls to the server.
     # Recommended to supply at command line or use the secretName to avoid storing in the values file.
@@ -129,8 +131,10 @@ server:
 
   # -- Oracle Cloud Infrastructure Configuration
   oci_config:
-    # -- Enable Workload Identity Principals (WIP) (must be implemented)
+    # -- Enable Workload Identity Principals (IAM policies must exist)
     oke: false
+    # -- (Optional) Name of Pre-created configMap storing OCI API AuthN
+    configMapName: ""
     # -- Tenancy OCID.  Required when specifying keySecretName.
     tenancy: ""
     # -- User OCID.  Required when specifying keySecretName.
@@ -469,4 +473,4 @@ ollama:
   tolerations: []
     # - key: "key1"
     #   operator: "Exists"
-    #   effect: "NoSchedule"
+    #   effect: "NoSchedule"