
init #21

6 changes: 5 additions & 1 deletion charts/ctrlplane/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: ctrlplane
description: Ctrlplane Helm chart for Kubernetes
type: application
version: 0.4.4
version: 0.4.5
appVersion: "1.16.0"

maintainers:
Expand Down Expand Up @@ -39,3 +39,7 @@ dependencies:
condition: pty-proxy.install
version: "*.*.*"
repository: "file://charts/pty-proxy"
- name: workspace-engine
condition: workspace-engine.install
version: "*.*.*"
repository: "file://charts/workspace-engine"
33 changes: 33 additions & 0 deletions charts/ctrlplane/charts/event-queue/templates/_helpers.tpl
Expand Up @@ -60,3 +60,36 @@ Create the name of the service account to use
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}

{{ define "pgbouncer.ini" }}

{{/* [databases] section */}}
{{- if $.Values.databases }}
{{ printf "[databases]" }}
{{- range $key, $value := .Values.databases }}
{{ $key }} ={{ range $k, $v := $value }} {{ $k }}={{ $v }}{{ end }}
{{- end }}
{{- end }}

{{/* [pgbouncer] section */}}
{{- if $.Values.pgbouncer }}
{{ printf "[pgbouncer]" }}
{{- range $k, $v := $.Values.pgbouncer }}
{{ $k }} = {{ $v }}
{{- end }}
{{- end }}

{{/* [users] section */}}
{{- if $.Values.users }}
{{ printf "[users]" }}
{{- range $k, $v := $.Values.users }}
{{ $k }} = {{ $v }}
{{- end }}
{{- end }}

{{/* include is a special configuration within [pgbouncer] section */}}
{{- if $.Values.include }}
{{ printf "%s %s" "%include" $.Values.include }}
{{- end }}

{{ end }}
Comment on lines +64 to +95

⚠️ Potential issue | 🟠 Major

Major: Incorrect value paths in pgbouncer.ini template.

The template has several issues:

  1. Line 77-78: The template iterates over $.Values.pgbouncer, but according to values.yaml, this contains nested structures (image, resources, internalPort, config). It should iterate over $.Values.pgbouncer.config instead.

  2. Line 70: The nested range loop for database parameters lacks proper spacing, producing malformed connection strings like host=localhostport=5432 instead of host=localhost port=5432.

  3. Line 91-93: The %include directive is placed outside the [pgbouncer] section, but it should be inside that section per PgBouncer configuration syntax.

Apply this diff to fix the template:

 {{ define "pgbouncer.ini" }}

 {{/* [databases] section */}}
 {{- if $.Values.databases }}
   {{ printf "[databases]" }}
   {{- range $key, $value := .Values.databases }}
-    {{ $key }} ={{ range $k, $v := $value }} {{ $k }}={{ $v }}{{ end }}
+    {{ $key }} = {{ range $k, $v := $value }}{{ $k }}={{ $v }} {{ end }}
   {{- end }}
 {{- end }}

 {{/* [pgbouncer] section */}}
-{{- if $.Values.pgbouncer }}
+{{- if $.Values.pgbouncer.config }}
   {{ printf "[pgbouncer]" }}
-  {{- range $k, $v := $.Values.pgbouncer }}
+  {{- range $k, $v := $.Values.pgbouncer.config }}
     {{ $k }} = {{ $v }}
   {{- end }}
-{{- end }}
-
-{{/* [users] section */}}
-{{- if $.Values.users }}
-  {{ printf "[users]" }}
-  {{- range $k, $v := $.Values.users }}
-    {{ $k }} = {{ $v }}
-  {{- end }}
-{{- end }}
-
-{{/* include is a special configuration within [pgbouncer] section */}}
-{{- if $.Values.include }}
+  {{/* include is a special configuration within [pgbouncer] section */}}
+  {{- if $.Values.include }}
   {{ printf "%s %s" "%include" $.Values.include }}
+  {{- end }}
 {{- end }}

+{{/* [users] section */}}
+{{- if $.Values.users }}
+  {{ printf "[users]" }}
+  {{- range $k, $v := $.Values.users }}
+    {{ $k }} = {{ $v }}
+  {{- end }}
+{{- end }}
+
 {{ end }}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
{{ define "pgbouncer.ini" }}
{{/* [databases] section */}}
{{- if $.Values.databases }}
{{ printf "[databases]" }}
{{- range $key, $value := .Values.databases }}
{{ $key }} ={{ range $k, $v := $value }} {{ $k }}={{ $v }}{{ end }}
{{- end }}
{{- end }}
{{/* [pgbouncer] section */}}
{{- if $.Values.pgbouncer }}
{{ printf "[pgbouncer]" }}
{{- range $k, $v := $.Values.pgbouncer }}
{{ $k }} = {{ $v }}
{{- end }}
{{- end }}
{{/* [users] section */}}
{{- if $.Values.users }}
{{ printf "[users]" }}
{{- range $k, $v := $.Values.users }}
{{ $k }} = {{ $v }}
{{- end }}
{{- end }}
{{/* include is a special configuration within [pgbouncer] section */}}
{{- if $.Values.include }}
{{ printf "%s %s" "%include" $.Values.include }}
{{- end }}
{{ end }}
{{ define "pgbouncer.ini" }}
{{/* [databases] section */}}
{{- if $.Values.databases }}
{{ printf "[databases]" }}
{{- range $key, $value := .Values.databases }}
{{ $key }} = {{ range $k, $v := $value }}{{ $k }}={{ $v }} {{ end }}
{{- end }}
{{- end }}
{{/* [pgbouncer] section */}}
{{- if $.Values.pgbouncer.config }}
{{ printf "[pgbouncer]" }}
{{- range $k, $v := .Values.pgbouncer.config }}
{{ $k }} = {{ $v }}
{{- end }}
{{/* include is a special configuration within [pgbouncer] section */}}
{{- if $.Values.include }}
{{ printf "%s %s" "%include" $.Values.include }}
{{- end }}
{{- end }}
{{/* [users] section */}}
{{- if $.Values.users }}
{{ printf "[users]" }}
{{- range $k, $v := .Values.users }}
{{ $k }} = {{ $v }}
{{- end }}
{{- end }}
{{ end }}
🤖 Prompt for AI Agents
In charts/ctrlplane/charts/event-queue/templates/_helpers.tpl around lines 64 to
95, the pgbouncer.ini helper currently iterates the wrong path, emits
concatenated DB params without spaces, and places the %include outside the
[pgbouncer] section; update the template to iterate over
$.Values.pgbouncer.config (not $.Values.pgbouncer) for the [pgbouncer] section,
change the nested database-params range to print each key/value with a trailing
space between pairs (e.g., emit " {{ $k }}={{ $v }} " for each param) so
connection strings have spaces, and move the "%include" line into the
[pgbouncer] section so the include directive is inside that section.
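Review bot: The new `pgbouncer.ini` define has no `{{/* ... */}}` header comment, and nothing records the value shapes it depends on: `.Values.databases` is ranged as a map of maps, while the other maps it ranges over must be flat key-to-scalar maps. A header such as `{{/* Render pgbouncer.ini from .Values.databases (name -> map of connection params), the [pgbouncer] and [users] maps, and .Values.include. */}}` would make that contract visible to whoever fills in the values. The body also switches between `$.Values` and `.Values` for the same lookup (the `if` and the `range` on `databases`); using one form throughout keeps the helper easier to audit. Values are written with no quoting or validation, so a non-scalar or multi-line value would land in the ini file as-is.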

26 changes: 25 additions & 1 deletion charts/ctrlplane/charts/event-queue/templates/deployment.yaml
Expand Up @@ -96,9 +96,33 @@ spec:
- name: GITHUB_BOT_NAME
value: {{ .name }}
{{- end }}
- name: WORKSPACE_ENGINE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: WORKSPACE_ENGINE_STATEFUL_SET_NAME
value: {{ .Chart.Name }}-engine
- name: WORKSPACE_ENGINE_HEADLESS_SERVICE
value: {{ .Release.Name }}-engine
- name: WORKSPACE_ENGINE_PORT
value: "8081"
Comment on lines +99 to +108

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify WORKSPACE_ENGINE_STATEFUL_SET_NAME value.

The WORKSPACE_ENGINE_STATEFUL_SET_NAME uses {{ .Chart.Name }}-engine, which evaluates to event-queue-engine. However, based on the workspace-engine StatefulSet template (line 5 in statefulset.yaml), the actual name is {{ .Release.Name }}-engine.

Ensure this value correctly references the workspace-engine StatefulSet. If workspace-engine is deployed as a subchart under the same release, the name should be {{ .Release.Name }}-engine, not {{ .Chart.Name }}-engine.


🏁 Script executed:

#!/bin/bash
# Check the StatefulSet naming pattern in workspace-engine

echo "=== workspace-engine StatefulSet name template ==="
rg -n "name:.*-engine" charts/ctrlplane/charts/workspace-engine/templates/statefulset.yaml

echo -e "\n=== event-queue WORKSPACE_ENGINE_STATEFUL_SET_NAME ==="
rg -n "WORKSPACE_ENGINE_STATEFUL_SET_NAME" charts/ctrlplane/charts/event-queue/templates/deployment.yaml -A 1

Length of output: 288


Use .Release.Name for WORKSPACE_ENGINE_STATEFUL_SET_NAME
Change the value from {{ .Chart.Name }}-engine to {{ .Release.Name }}-engine so it matches the workspace-engine StatefulSet naming.

- value: {{ .Chart.Name }}-engine
+ value: {{ .Release.Name }}-engine
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: WORKSPACE_ENGINE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: WORKSPACE_ENGINE_STATEFUL_SET_NAME
value: {{ .Chart.Name }}-engine
- name: WORKSPACE_ENGINE_HEADLESS_SERVICE
value: {{ .Release.Name }}-engine
- name: WORKSPACE_ENGINE_PORT
value: "8081"
- name: WORKSPACE_ENGINE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: WORKSPACE_ENGINE_STATEFUL_SET_NAME
value: {{ .Release.Name }}-engine
- name: WORKSPACE_ENGINE_HEADLESS_SERVICE
value: {{ .Release.Name }}-engine
- name: WORKSPACE_ENGINE_PORT
value: "8081"
🤖 Prompt for AI Agents
In charts/ctrlplane/charts/event-queue/templates/deployment.yaml around lines 99
to 108, the WORKSPACE_ENGINE_STATEFUL_SET_NAME environment var is set to {{
.Chart.Name }}-engine but should use the release name; update the value to {{
.Release.Name }}-engine so it matches the workspace-engine StatefulSet naming
convention and keep the other env entries unchanged.


{{- include "ctrlplane.extraEnv" . | nindent 12 }}
{{- include "ctrlplane.extraEnvFrom" (dict "root" $ "local" .) | nindent 12 }}
- name: ENABLE_NEW_POLICY_ENGINE
value: {{ .Values.global.enableNewPolicyEngine | quote }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- toYaml .Values.resources | nindent 12 }}
- name: pgbouncer
image: "{{ .Values.pgbouncer.image.repository }}:{{ .Values.pgbouncer.image.tag }}"
imagePullPolicy: "{{ .Values.pgbouncer.image.pullPolicy }}"
ports:
- name: pgbouncer
containerPort: {{ .Values.pgbouncer.internalPort }}
volumeMounts:
- name: config
mountPath: /etc/pgbouncer
readOnly: true
resources:
{{- toYaml .Values.pgbouncer.resources | nindent 12 }}
Comment on lines +115 to +127

⚠️ Potential issue | 🔴 Critical

Critical: Missing volumes section in deployment spec.

The pgbouncer container mounts a volume named "config" at /etc/pgbouncer, but there's no volumes section defined in the pod spec to provide this volume. This will cause the pod to fail with a mount error.

Add a volumes section to the pod spec that references the pgbouncer ConfigMap. Insert this after the containers section (around line 117):

+      volumes:
+        - name: config
+          configMap:
+            name: {{ template "pgbouncer.configFile" . }}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
{{- toYaml .Values.resources | nindent 12 }}
- name: pgbouncer
image: "{{ .Values.pgbouncer.image.repository }}:{{ .Values.pgbouncer.image.tag }}"
imagePullPolicy: "{{ .Values.pgbouncer.image.pullPolicy }}"
ports:
- name: pgbouncer
containerPort: {{ .Values.pgbouncer.internalPort }}
volumeMounts:
- name: config
mountPath: /etc/pgbouncer
readOnly: true
resources:
{{- toYaml .Values.pgbouncer.resources | nindent 12 }}
{{- toYaml .Values.resources | nindent 12 }}
- name: pgbouncer
image: "{{ .Values.pgbouncer.image.repository }}:{{ .Values.pgbouncer.image.tag }}"
imagePullPolicy: "{{ .Values.pgbouncer.image.pullPolicy }}"
ports:
- name: pgbouncer
containerPort: {{ .Values.pgbouncer.internalPort }}
volumeMounts:
- name: config
mountPath: /etc/pgbouncer
readOnly: true
resources:
{{- toYaml .Values.pgbouncer.resources | nindent 12 }}
volumes:
- name: config
configMap:
name: {{ template "pgbouncer.configFile" . }}
🤖 Prompt for AI Agents
In charts/ctrlplane/charts/event-queue/templates/deployment.yaml around lines
104–116 the pgbouncer container mounts a volume named "config" but there is no
corresponding pod.spec.volumes entry; add a volumes section immediately after
the containers block (around line 117) that defines the "config" volume and
sources it from the pgbouncer ConfigMap (use the chart value for the ConfigMap
name if available, e.g. .Values.pgbouncer.configMapName or otherwise the
conventional pgbouncer configmap name) so the /etc/pgbouncer mount is backed by
that ConfigMap.
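Review bot: The new `pgbouncer` sidecar container is declared without a container-level `securityContext`, so it runs with whatever defaults the image and the pod provide. A connection pooler can usually be locked down with `allowPrivilegeEscalation: false`, `runAsNonRoot: true` and `capabilities: {drop: ["ALL"]}`; whether `readOnlyRootFilesystem: true` also works depends on where the image writes its pid and log files. The container also has no readiness or liveness probe, so a PgBouncer that failed to start would not be reflected in the pod's health even though the application's database connections would fail. The pod spec continues outside the lines shown in this section.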


10 changes: 10 additions & 0 deletions charts/ctrlplane/charts/event-queue/templates/pgbouncer.yaml
@@ -0,0 +1,10 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "pgbouncer.configFile" . }}
namespace: {{ $.Release.Namespace }}
labels:
{{- include "pgbouncer.labels" . | nindent 4 }}
Comment on lines +4 to +7

⚠️ Potential issue | 🔴 Critical

Critical: Missing helper template definitions.

This ConfigMap references two helper templates that are not defined in _helpers.tpl:

  • pgbouncer.configFile (line 4)
  • pgbouncer.labels (line 7)

These missing templates will cause the chart to fail during rendering.

Add these helper template definitions to charts/ctrlplane/charts/event-queue/templates/_helpers.tpl:

{{/*
PgBouncer config file name
*/}}
{{- define "pgbouncer.configFile" -}}
{{- printf "%s-pgbouncer-config" (include "event-queue.fullname" .) }}
{{- end }}

{{/*
PgBouncer labels
*/}}
{{- define "pgbouncer.labels" -}}
{{ include "event-queue.labels" . }}
app.kubernetes.io/component: pgbouncer
{{- end }}
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 7-7: syntax error: expected the node content, but found '-'

(syntax)

🤖 Prompt for AI Agents
In charts/ctrlplane/charts/event-queue/templates/pgbouncer.yaml around lines 4
to 7, the ConfigMap references helper templates "pgbouncer.configFile" and
"pgbouncer.labels" which are not defined; add definitions for these helpers into
charts/ctrlplane/charts/event-queue/templates/_helpers.tpl: define
"pgbouncer.configFile" to return a config file name based on the release
fullname (e.g., "%s-pgbouncer-config" using include "event-queue.fullname"), and
define "pgbouncer.labels" to include the existing "event-queue.labels" and
append app.kubernetes.io/component: pgbouncer so rendering succeeds.

data:
pgbouncer.ini: |-
{{- include "pgbouncer.ini" . | indent 4}}
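Review bot: The rendered `pgbouncer.ini` is published as a `kind: ConfigMap`, but the `pgbouncer.ini` helper in this PR writes every key of each `.Values.databases` entry into the `[databases]` line, and PgBouncer connection strings accept `user=` and `password=` there. Any credential configured that way would sit in plaintext in a ConfigMap and in the Helm release values, which are typically readable under much broader RBAC than Secrets. Consider rendering the file into a `kind: Secret` under `stringData:` and mounting it with a `secret:` volume, or keeping credentials out of the template by pointing `auth_file` at a separately managed Secret. The default values visible in this PR define no `databases` key, so the exposure depends on how operators fill it in.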
18 changes: 18 additions & 0 deletions charts/ctrlplane/charts/event-queue/values.yaml
Expand Up @@ -8,6 +8,24 @@ image:
tag: latest
pullPolicy: Always

pgbouncer:
image:
repository: ctrlplane/pgbouncer
tag: latest
pullPolicy: Always
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi
internalPort: 6379

⚠️ Potential issue | 🟠 Major

Fix incorrect internalPort value.

The internalPort is set to 6379 (Redis default port), but it should be 6432 to match the listen_port in the config section (line 26). This inconsistency will cause the container port to not match the actual PgBouncer listening port.

Apply this diff:

-  internalPort: 6379
+  internalPort: 6432
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
internalPort: 6379
internalPort: 6432
🤖 Prompt for AI Agents
In charts/ctrlplane/charts/event-queue/values.yaml around line 23 the
internalPort is incorrectly set to 6379; update that value to 6432 so the
container port matches the PgBouncer listen_port defined in the config (line
26). Make the single-line change replacing 6379 with 6432 to keep ports
consistent.

config:
listen_addr: 0.0.0.0
listen_port: 6432
unix_socket_dir: ""

extraEnv: {}
extraEnvFrom: {}

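Review bot: `listen_addr: 0.0.0.0` makes the PgBouncer sidecar accept connections on the pod IP, although a sidecar only has to serve the application container in the same pod; `listen_addr: 127.0.0.1` would keep the pooler off the pod network unless other pods are meant to reach it. Separately, the sidecar image is identified only by `tag: latest` with `pullPolicy: Always`, so any pod restart can pull different code than the one that was reviewed. A fixed version tag or an image digest would make rollouts reproducible and auditable; the same applies to `image.tag` in the workspace-engine values.yaml added by this PR.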
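--- a/charts/ctrlplane/charts/workspace-engine/.helmignore
+++ b/charts/ctrlplane/charts/workspace-engine/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/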
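--- a/charts/ctrlplane/charts/workspace-engine/Chart.yaml
+++ b/charts/ctrlplane/charts/workspace-engine/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: workspace-engine
+description: A Helm chart for Kubernetes
+type: application
+version: 0.1.0
+appVersion: "1.0.0"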
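--- a/charts/ctrlplane/charts/workspace-engine/templates/_helpers.tpl
+++ b/charts/ctrlplane/charts/workspace-engine/templates/_helpers.tpl
@@ -0,0 +1,63 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "workspace-engine.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "workspace-engine.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "workspace-engine.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "workspace-engine.labels" -}}
+helm.sh/chart: {{ include "workspace-engine.chart" . }}
+{{ include "workspace-engine.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "workspace-engine.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "workspace-engine.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "workspace-engine.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "workspace-engine.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+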
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "workspace-engine.serviceAccountName" . }}
namespace: {{ $.Release.Namespace }}
labels:
{{- include "workspace-engine.labels" . | nindent 4 }}
{{- if .Values.serviceAccount.labels -}}
{{- toYaml .Values.serviceAccount.labels | nindent 4 }}
{{- end }}
annotations:
{{- if .Values.serviceAccount.annotations -}}
{{- toYaml .Values.serviceAccount.annotations | nindent 4 }}
{{- end }}
{{- end }}
Original file line number Diff line number Diff line change
@@ -0,0 +1,97 @@
{{- $imageCfg := dict "global" $.Values.global.image "local" $.Values.image -}}
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ .Release.Name }}-engine
labels:
{{- include "workspace-engine.labels" . | nindent 4 }}
{{- if .Values.deployment.labels -}}
{{- toYaml .Values.deployment.labels | nindent 4 }}
{{- end }}
annotations:
{{- if .Values.deployment.annotations -}}
{{- toYaml .Values.deployment.annotations | nindent 4 }}
{{- end }}
spec:
serviceName: {{ .Release.Name }}-engine
replicas: {{ .Values.replica }}
selector:
matchLabels:
{{- include "ctrlplane.selectorLabels" $ | nindent 6 }}
{{- include "workspace-engine.labels" . | nindent 6 }}
Comment on lines +18 to +21

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify mixed selector labels usage.

The selector combines ctrlplane.selectorLabels (from parent chart) with workspace-engine.labels (from local chart). Ensure this is intentional and that:

  1. The parent chart's selector labels are appropriate for this subchart's pods
  2. The combined labels don't create conflicts or overly broad selectors
  3. Services and other resources can correctly select these pods

Run this script to examine the label structure:


🏁 Script executed:

#!/bin/bash
# Check what labels are generated by both helpers

echo "=== Checking ctrlplane helpers ==="
rg -n "define \"ctrlplane.selectorLabels\"" -A 10

echo -e "\n=== Checking workspace-engine helpers ==="
rg -n "define \"workspace-engine.labels\"" -A 10 charts/ctrlplane/charts/workspace-engine/

echo -e "\n=== Checking other uses of ctrlplane.selectorLabels in workspace-engine ==="
rg "ctrlplane.selectorLabels" charts/ctrlplane/charts/workspace-engine/

Length of output: 2202


🏁 Script executed:

#!/bin/bash
# Locate workspace-engine.selectorLabels definition
rg -n "define \"workspace-engine.selectorLabels\"" -A10 -B3 charts/ctrlplane/charts/workspace-engine/templates/_helpers.tpl

Length of output: 472


Remove duplicate selector labels.

The StatefulSet’s matchLabels merges ctrlplane.selectorLabels and workspace-engine.labels, but both define app.kubernetes.io/name and app.kubernetes.io/instance, causing duplicate keys and invalid YAML. Use only one selector helper (e.g. workspace-engine.selectorLabels) or adjust label definitions to avoid collisions.

🤖 Prompt for AI Agents
In charts/ctrlplane/charts/workspace-engine/templates/statefulset.yaml around
lines 18 to 21, the matchLabels block currently includes both
ctrlplane.selectorLabels and workspace-engine.labels which both set
app.kubernetes.io/name and app.kubernetes.io/instance, causing duplicate keys
and invalid YAML; fix by using only one selector helper (e.g. replace the two
includes with a single include of workspace-engine.selectorLabels) or modify the
helpers so only one provides selector labels (move non-selector metadata into
workspace-engine.labels and keep selector-only keys in
workspace-engine.selectorLabels) so matchLabels contains a single,
non-duplicated set of keys.

template:
metadata:
labels:
{{- include "workspace-engine.labels" . | nindent 8 }}
annotations:
{{- if .Values.pod.annotations -}}
{{- toYaml .Values.pod.annotations | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ include "workspace-engine.serviceAccountName" . }}
{{- if .tolerations }}
tolerations:
{{- toYaml .tolerations | nindent 8 }}
{{- end }}
{{- include "ctrlplane.nodeSelector" . | nindent 6 }}
{{- include "ctrlplane.priorityClassName" . | nindent 6 }}
{{- include "ctrlplane.podSecurityContext" .Values.pod.securityContext | nindent 6 }}
containers:
- name: workspace-engine
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
ports:
- name: http2
containerPort: 8081
protocol: TCP
env:
- name: KAFKA_BROKERS
value: {{ .Values.global.kafkaBrokers | quote }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KAFKA_PARTITION_ID
value: "$(echo $POD_NAME | sed 's/.*-//')"
Comment on lines +53 to +54

⚠️ Potential issue | 🔴 Critical

Critical: Shell substitution in env var value won't execute.

The KAFKA_PARTITION_ID environment variable contains a shell command that won't be executed by Kubernetes. The literal string "$(echo $POD_NAME | sed 's/.*-//')" will be passed as the value, not the result of the command.

To extract the StatefulSet pod ordinal, consider these solutions:

Solution 1: Use a wrapper script in command/args

           env:
             - name: POD_NAME
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.name
-            - name: KAFKA_PARTITION_ID
-              value: "$(echo $POD_NAME | sed 's/.*-//')"
+          command:
+            - /bin/sh
+            - -c
+            - |
+              export KAFKA_PARTITION_ID=$(echo $POD_NAME | sed 's/.*-//')
+              exec /your-app-binary

Solution 2: Extract in application code
Remove the KAFKA_PARTITION_ID env var and have the application extract the ordinal from POD_NAME directly.

Solution 3: Use an initContainer
Create an initContainer that computes the partition ID and writes it to a shared volume, then read it in the main container.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In charts/ctrlplane/charts/workspace-engine/templates/statefulset.yaml around
lines 53-54, the KAFKA_PARTITION_ID env var currently contains a shell
substitution string that Kubernetes will not execute; replace this with a
working solution such as: remove the literal substitution and either (a) add a
small wrapper script as the container entrypoint that reads POD_NAME, computes
the ordinal (e.g., strip prefix up to last dash), exports KAFKA_PARTITION_ID and
execs the app; or (b) change the application to compute the partition from the
POD_NAME env var at startup; alternatively, implement an initContainer that
writes the computed partition to a shared emptyDir file which the main container
reads into KAFKA_PARTITION_ID—pick one approach and update the StatefulSet to
remove the non-executed shell string and wire the chosen mechanism.

- name: GRPC_PORT
value: {{ .Values.grpc.port | quote }}
- name: REDIS_URL
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-connections
key: REDIS_URL
- name: POSTGRES_URL
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-connections
key: POSTGRES_URL
- name: VARIABLES_AES_256_KEY
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-encryption-key
key: AES_256_KEY
{{- with (include "ctrlplane.githubBot" . | fromYaml) }}
- name: GITHUB_BOT_APP_ID
value: {{ .appId | quote }}
- name: GITHUB_BOT_CLIENT_ID
value: {{ .clientId | quote }}
- name: GITHUB_BOT_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: {{ .secretRef }}
key: GITHUB_BOT_CLIENT_SECRET
optional: true
- name: GITHUB_BOT_PRIVATE_KEY
valueFrom:
secretKeyRef:
name: {{ .secretRef }}
key: GITHUB_BOT_PRIVATE_KEY
optional: true
- name: GITHUB_BOT_NAME
value: {{ .name }}
{{- end }}
{{- include "ctrlplane.extraEnv" . | nindent 12 }}
{{- include "ctrlplane.extraEnvFrom" (dict "root" $ "local" .) | nindent 12 }}
- name: ENABLE_NEW_POLICY_ENGINE
value: {{ .Values.global.enableNewPolicyEngine | quote }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
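Review bot: The template dereferences values that the chart's own values.yaml never defines: `.Values.deployment.labels` and `.Values.deployment.annotations` in the metadata block, and `.Values.grpc.port` for `GRPC_PORT`. With the defaults added in this PR, `deployment` and `grpc` are absent, so rendering would stop with a nil-pointer error unless a parent values file supplies them; adding `deployment: {}` and a `grpc.port` default to values.yaml, or guarding the lookups with `dig`/`default`, avoids that. Further down, `{{- if .tolerations }}` reads from the root context rather than `.Values.tolerations`, so configured tolerations are never emitted. The `workspace-engine` container also declares no `securityContext` and no `imagePullPolicy`, even though values.yaml carries `image.pullPolicy`.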
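--- a/charts/ctrlplane/charts/workspace-engine/values.yaml
+++ b/charts/ctrlplane/charts/workspace-engine/values.yaml
@@ -0,0 +1,29 @@
+nameOverride: ""
+fullnameOverride: ""
+
+replica: 1
+
+image:
+repository: ctrlplane/workspace-engine
+tag: latest
+pullPolicy: Always
+
+extraEnv: {}
+extraEnvFrom: {}
+
+tolerations: []
+pod: {}
+
+serviceAccount:
+create: false
+name: ""
+labels: {}
+annotations: {}
+
+resources:
+requests:
+cpu: 1000m
+memory: 1Gi
+limits:
+cpu: 4000m
+memory: 4Gi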