npm - @crewhaus/helm-chart - Versions diffs - 0.1.1 → 0.1.2 - Mend

@crewhaus/helm-chart 0.1.1 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@crewhaus/helm-chart",
-  "version": "0.1.1",
+  "version": "0.1.2",
   "type": "module",
   "description": "Kubernetes Helm chart (templates + values schema + ServiceMonitor + OTel collector sidecar) plus an in-process renderChart() for tests (Section 32)",
   "main": "src/index.ts",
@@ -12,14 +12,14 @@
     "test": "bun test src"
   },
   "dependencies": {
-    "@crewhaus/docker-images": "0.1.1",
-    "@crewhaus/errors": "0.1.1"
+    "@crewhaus/docker-images": "0.1.2",
+    "@crewhaus/errors": "0.1.2"
   },
   "license": "Apache-2.0",
   "author": {
     "name": "Max Meier",
-    "email": "max@studiomax.io",
-    "url": "https://studiomax.io"
+    "email": "max@crewhaus.ai",
+    "url": "https://crewhaus.ai"
   },
   "repository": {
     "type": "git",
@@ -31,12 +31,7 @@
     "url": "https://github.com/crewhaus/factory/issues"
   },
   "publishConfig": {
-    "access": "restricted"
+    "access": "public"
   },
-  "files": [
-    "src",
-    "README.md",
-    "LICENSE",
-    "NOTICE"
-  ]
+  "files": ["src", "README.md", "LICENSE", "NOTICE"]
 }

package/src/index.test.ts CHANGED Viewed

@@ -124,6 +124,55 @@ describe("renderTemplate primitives (T1)", () => {
     const ctx = renderContext({ ...defaultValues(), target: "channel" });
     expect(renderTemplate("{{ .Values.target | quote }}", ctx)).toBe(`"channel"`);
   });
+  // `and`/`or` operands are split at top-level spaces; the mini-evaluator
+  // resolves bare boolean dot-paths per operand. (Parenthesised operands are
+  // only special-cased for has/list, so we use plain boolean paths here.)
+  test("and predicate is true only when every operand is truthy", () => {
+    const bothOn = renderContext({
+      ...defaultValues(),
+      ingress: { ...defaultValues().ingress, enabled: true },
+      otel: { enabled: true, endpoint: "", headers: "" },
+    });
+    expect(
+      renderTemplate("{{ if and .Values.ingress.enabled .Values.otel.enabled }}A{{ end }}", bothOn),
+    ).toBe("A");
+    const oneOff = renderContext({
+      ...defaultValues(),
+      ingress: { ...defaultValues().ingress, enabled: true },
+      otel: { enabled: false, endpoint: "", headers: "" },
+    });
+    expect(
+      renderTemplate(
+        "{{ if and .Values.ingress.enabled .Values.otel.enabled }}A{{ else }}N{{ end }}",
+        oneOff,
+      ),
+    ).toBe("N");
+  });
+  test("or predicate is true when any operand is truthy", () => {
+    // first operand false, second true → true
+    const oneOn = renderContext({
+      ...defaultValues(),
+      ingress: { ...defaultValues().ingress, enabled: false },
+      otel: { enabled: true, endpoint: "", headers: "" },
+    });
+    expect(
+      renderTemplate("{{ if or .Values.ingress.enabled .Values.otel.enabled }}O{{ end }}", oneOn),
+    ).toBe("O");
+    // every operand false → false (exercises the else arm)
+    const allOff = renderContext({
+      ...defaultValues(),
+      ingress: { ...defaultValues().ingress, enabled: false },
+      otel: { enabled: false, endpoint: "", headers: "" },
+    });
+    expect(
+      renderTemplate(
+        "{{ if or .Values.ingress.enabled .Values.otel.enabled }}O{{ else }}N{{ end }}",
+        allOff,
+      ),
+    ).toBe("N");
+  });
 });
 describe("renderChart() — full render per shape (T1)", () => {
@@ -181,3 +230,197 @@ describe("renderChart() — full render per shape (T1)", () => {
     expect(out["deployment.yaml"]).not.toContain("SLACK_SIGNING_SECRET");
   });
 });
+describe("provider secrets + extraEnv (provider-agnostic deployments)", () => {
+  test("secrets.provider entries render as secretKeyRef env vars", () => {
+    const base = defaultValues();
+    const out = renderChart({
+      ...base,
+      target: "cli",
+      secrets: {
+        ...base.secrets,
+        provider: [
+          { name: "OPENAI_API_KEY", secretName: "crewhaus-creds", key: "OPENAI_API_KEY" },
+          { name: "GEMINI_API_KEY", secretName: "gemini-creds", key: "api-key" },
+        ],
+      },
+    });
+    const d = out["deployment.yaml"] ?? "";
+    expect(d).toContain("- name: OPENAI_API_KEY");
+    expect(d).toContain("name: crewhaus-creds");
+    expect(d).toContain("- name: GEMINI_API_KEY");
+    expect(d).toContain("name: gemini-creds");
+    expect(d).toContain("key: api-key");
+  });
+  test("extraEnv entries render as plain name/value env vars (quoted)", () => {
+    const out = renderChart({
+      ...defaultValues(),
+      target: "cli",
+      extraEnv: [
+        { name: "AWS_REGION", value: "us-east-1" },
+        { name: "OPENAI_BASE_URL", value: "http://vllm.internal:8000/v1" },
+      ],
+    });
+    const d = out["deployment.yaml"] ?? "";
+    expect(d).toContain("- name: AWS_REGION");
+    expect(d).toContain('value: "us-east-1"');
+    expect(d).toContain("- name: OPENAI_BASE_URL");
+    expect(d).toContain('value: "http://vllm.internal:8000/v1"');
+  });
+  test("default (empty) provider/extraEnv lists render nothing extra", () => {
+    const out = renderChart({ ...defaultValues(), target: "cli" });
+    const d = out["deployment.yaml"] ?? "";
+    expect(d).not.toContain("OPENAI_API_KEY");
+    expect(d).not.toContain("AWS_REGION");
+  });
+  test("validateValues rejects malformed provider/extraEnv entries", () => {
+    const base = defaultValues();
+    expect(() =>
+      validateValues({
+        ...base,
+        secrets: {
+          ...base.secrets,
+          provider: [{ name: "OPENAI_API_KEY", secretName: "", key: "k" }],
+        },
+      }),
+    ).toThrow(HelmChartError);
+    expect(() =>
+      validateValues({
+        ...base,
+        extraEnv: [{ name: "", value: "x" }],
+      }),
+    ).toThrow(HelmChartError);
+  });
+  test("non-daemon exec probes call doctor --liveness (plain doctor always failed in-pod)", () => {
+    const out = renderChart({ ...defaultValues(), target: "cli" });
+    const d = out["deployment.yaml"] ?? "";
+    expect(d).toContain('["bun", "/app/crewhaus.js", "doctor", "--liveness"]');
+    expect(d).not.toContain('"doctor"]');
+    // Daemon shapes keep their httpGet probes untouched.
+    const daemon = renderChart({ ...defaultValues(), target: "channel" });
+    expect(daemon["deployment.yaml"]).toContain("path: /healthz");
+    expect(daemon["deployment.yaml"]).not.toContain("--liveness");
+  });
+});
+describe("range / with bind dot (withDot)", () => {
+  // The `range` body re-binds `.` to each item; `.host` then resolves off
+  // the per-item dot rather than the outer context. This exercises withDot()
+  // and the resolveDotPath `_dot` branch.
+  test("range over a non-empty list rebinds `.` to each element", () => {
+    const ctx = renderContext({
+      ...defaultValues(),
+      ingress: {
+        ...defaultValues().ingress,
+        hosts: [
+          { host: "a.example.com", paths: [] },
+          { host: "b.example.com", paths: [] },
+        ],
+      },
+    });
+    const out = renderTemplate("{{ range .Values.ingress.hosts }}host={{ .host }};{{ end }}", ctx);
+    expect(out).toBe("host=a.example.com;host=b.example.com;");
+  });
+  test("range over an empty list yields nothing (no withDot call)", () => {
+    const ctx = renderContext({ ...defaultValues() });
+    const out = renderTemplate("{{ range .Values.ingress.hosts }}X{{ end }}", ctx);
+    expect(out).toBe("");
+  });
+  test("with binds `.` to a non-empty object", () => {
+    const ctx = renderContext({
+      ...defaultValues(),
+      ingress: {
+        ...defaultValues().ingress,
+        annotations: { "kubernetes.io/ingress.class": "nginx" },
+      },
+    });
+    // Non-empty object → `with` body executes and dot is rebound via withDot().
+    expect(renderTemplate("{{ with .Values.ingress.annotations }}IN{{ end }}", ctx)).toBe("IN");
+  });
+  test("with skips an empty object (falsy guard, no withDot call)", () => {
+    const ctx = renderContext({ ...defaultValues() });
+    // The mini-renderer's `with` has no else arm — the whole body (incl. any
+    // stray `else`) is skipped when the value is an empty object, so we get "".
+    expect(renderTemplate("{{ with .Values.ingress.annotations }}IN{{ end }}", ctx)).toBe("");
+  });
+});
+describe("toYaml filter (simpleYaml)", () => {
+  // toYaml is only reachable as a *pipe* filter: `{{ X | toYaml }}`. (The
+  // chart templates' `{{- toYaml . | nindent N }}` head form is treated as a
+  // literal by this mini-renderer, which is why simpleYaml was uncovered.)
+  test("renders a nested object with multiline children", () => {
+    // .Values.resources is { requests: {...}, limits: {...} } — exercises the
+    // object branch, the nested-object (inner includes '\n') branch, strings,
+    // and the recursive descent.
+    const ctx = renderContext({ ...defaultValues() });
+    const out = renderTemplate("{{ .Values.resources | toYaml }}", ctx);
+    expect(out).toContain("requests:");
+    expect(out).toContain('cpu: "100m"');
+    expect(out).toContain('memory: "256Mi"');
+    expect(out).toContain("limits:");
+    expect(out).toContain('cpu: "1000m"');
+  });
+  test("renders booleans and numbers unquoted", () => {
+    const ctx = renderContext({
+      ...defaultValues(),
+      podSecurityContext: { runAsNonRoot: true, runAsUser: 10001 },
+    });
+    const out = renderTemplate("{{ .Values.podSecurityContext | toYaml }}", ctx);
+    expect(out).toContain("runAsNonRoot: true");
+    expect(out).toContain("runAsUser: 10001");
+  });
+  test("renders a non-empty array as YAML list items", () => {
+    const ctx = renderContext({
+      ...defaultValues(),
+      image: {
+        ...defaultValues().image,
+        pullSecrets: [{ name: "regcred" }, { name: "ghcr" }],
+      },
+    });
+    const out = renderTemplate("{{ .Values.image.pullSecrets | toYaml }}", ctx);
+    expect(out).toContain('- name: "regcred"');
+    expect(out).toContain('- name: "ghcr"');
+  });
+  test("renders an empty array as []", () => {
+    const ctx = renderContext({ ...defaultValues() });
+    // defaultValues().image.pullSecrets is [].
+    expect(renderTemplate("{{ .Values.image.pullSecrets | toYaml }}", ctx)).toBe("[]");
+  });
+  test("renders an empty object as {}", () => {
+    const ctx = renderContext({ ...defaultValues() });
+    // defaultValues().serviceMonitor.labels is {}.
+    expect(renderTemplate("{{ .Values.serviceMonitor.labels | toYaml }}", ctx)).toBe("{}");
+  });
+  test("renders a missing path (undefined) as null", () => {
+    const ctx = renderContext({ ...defaultValues() });
+    expect(renderTemplate("{{ .Values.doesNotExist | toYaml }}", ctx)).toBe("null");
+  });
+  test("renders a nested array-of-objects (recursive list + object branch)", () => {
+    const ctx = renderContext({
+      ...defaultValues(),
+      ingress: {
+        ...defaultValues().ingress,
+        tls: [{ hosts: ["a.example.com", "b.example.com"], secretName: "tls-cert" }],
+      },
+    });
+    const out = renderTemplate("{{ .Values.ingress.tls | toYaml }}", ctx);
+    expect(out).toContain('secretName: "tls-cert"');
+    // hosts is a string array nested under an object inside a list item.
+    expect(out).toContain("a.example.com");
+    expect(out).toContain("b.example.com");
+  });
+});

package/src/index.ts CHANGED Viewed

@@ -78,7 +78,25 @@ export type ChartValues = {
       readonly signing: { readonly secretName: string; readonly key: string };
       readonly bot: { readonly secretName: string; readonly key: string };
     };
+    /**
+     * Generic provider secret list — one container env var per entry,
+     * each sourced from a Kubernetes Secret. The escape hatch for
+     * non-Anthropic models (OPENAI_API_KEY, GEMINI_API_KEY/GOOGLE_API_KEY,
+     * AWS_BEARER_TOKEN_BEDROCK/AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, …).
+     * Presets are documented in values.yaml.
+     */
+    readonly provider?: ReadonlyArray<{
+      readonly name: string;
+      readonly secretName: string;
+      readonly key: string;
+    }>;
   };
+  /**
+   * Plain (non-secret) env vars appended to the container — provider
+   * region/endpoint selectors like AWS_REGION, OPENAI_BASE_URL,
+   * GOOGLE_CLOUD_PROJECT.
+   */
+  readonly extraEnv?: ReadonlyArray<{ readonly name: string; readonly value: string }>;
   readonly service: {
     readonly type: "ClusterIP" | "LoadBalancer" | "NodePort";
     readonly port: number;
@@ -117,7 +135,9 @@ export function defaultValues(): ChartValues {
         signing: { secretName: "crewhaus-creds", key: "SLACK_SIGNING_SECRET" },
         bot: { secretName: "crewhaus-creds", key: "SLACK_BOT_TOKEN" },
       },
+      provider: [],
     },
+    extraEnv: [],
     service: { type: "ClusterIP", port: 80, targetPort: 3000 },
     ingress: {
       enabled: false,
@@ -160,6 +180,20 @@ export function validateValues(values: ChartValues): void {
   if (!values.image.tag) {
     throw new HelmChartError("image.tag must be non-empty");
   }
+  for (const entry of values.secrets.provider ?? []) {
+    if (!entry.name || !entry.secretName || !entry.key) {
+      throw new HelmChartError(
+        `secrets.provider entries need name + secretName + key; got ${JSON.stringify(entry)}`,
+      );
+    }
+  }
+  for (const entry of values.extraEnv ?? []) {
+    if (!entry.name || typeof entry.value !== "string") {
+      throw new HelmChartError(
+        `extraEnv entries need name + string value; got ${JSON.stringify(entry)}`,
+      );
+    }
+  }
 }
 // ─── Minimal helm-shape renderer ─────────────────────────────────────────────