* feat(helm): add Pipelock ConfigMap, scanning config, and consolidate compose
- Add ConfigMap template rendering DLP, response scanning, MCP input/tool scanning, and forward proxy settings from values
- Mount ConfigMap as /etc/pipelock/pipelock.yaml volume in deployment
- Add checksum/config annotation for automatic pod restart on config change
- Gate HTTPS_PROXY/HTTP_PROXY env injection on forwardProxy.enabled (skip in MCP-only mode)
- Use hasKey for all boolean values to prevent Helm default swallowing false
- Single source of truth for ports (forwardProxy.port/mcpProxy.port)
- Pipelock-specific imagePullSecrets with fallback to app secrets
- Merge standalone compose.example.pipelock.yml into compose.example.ai.yml
- Add pipelock.example.yaml for Docker Compose users
- Add exclude-paths to CI workflow for locale file false positives
* Add CHANGELOG entry for Pipelock security proxy integration
* Missed v0.6.8 release
---------
Co-authored-by: Juan José Mata <jjmata@jjmata.com>
* Sync Helm chart and Rails app versions in CI and release workflows
- values.yaml: default image.tag to "" so it uses Chart.appVersion (was hardcoded to stale "0.6.6" while app was at 0.6.8-alpha.13)
- chart-ci.yml: add version-sync job that fails if version.rb, Chart.yaml version, and Chart.yaml appVersion diverge; trigger on version.rb changes too
- chart-release.yml: derive chart version from version.rb (single source of truth) instead of auto-incrementing independent chart-v* tags
https://claude.ai/code/session_01Eq3WHBn3Uwjezxb6ctdjMB
* Default AI_DEBUG_MODE to `false`
* Apply suggestions from CodeRabbit
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Signed-off-by: Juan José Mata <jjmata@jjmata.com>
---------
Signed-off-by: Juan José Mata <jjmata@jjmata.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
These are optional app configuration values (not secrets), and listing
them in rails.secret.values alongside required keys like SECRET_KEY_BASE
makes users think they must be specified. Users who need them can set
them via rails.extraEnv or rails.settings instead.
https://claude.ai/code/session_01BP8Nr2cZWDdu9zGL9vD8Mw
Co-authored-by: Claude <noreply@anthropic.com>
The encryption initializer previously only supported environment variables
in self-hosted mode. In managed mode, it expected encryption credentials
to exist in Rails.application.credentials, which would cause boot failures
if they were missing.
This change updates the encryption configuration to support environment
variables in both managed and self-hosted modes:
- Environment variables (ACTIVE_RECORD_ENCRYPTION_*) now work in both modes
- Priority: env vars > auto-generation (self-hosted only) > credentials
- Updated documentation in .env.example and Helm chart README
This allows managed mode deployments to provide encryption keys via
environment variables instead of requiring Rails credentials.
Co-authored-by: Claude <noreply@anthropic.com>
* feat: updated redis-operator to 0.23.X
* chore: renamed redis-operator-redis to redis-sentinel
* chore: renamed 00-redis-operator-replication to redis-operator-replication
* feat: added podSecurityContext
* fix: added security context to fix PV mounting
* fix: removed reference to tag and image in managed
* Revert "fix: added security context to fix PV mounting"
This reverts commit 18aca83c73.
* chore: removed podSecurityContext as it is not necessary
* Add backup rendering logic and tests for CNPG Cluster CR
- Implemented logic in `cnpg-cluster.yaml` to render `.spec.backup` based on `cnpg.cluster.backup` values.
- Introduced validation for required fields and unsupported keys (e.g., `ttl`, `volumeSnapshot.enabled`) to avoid CRD warnings.
- Added Helm unit tests to validate backup rendering for various scenarios: missing/invalid fields, inferred `method`, and unsupported keys.
- Updated `README.md` and `values.yaml` with examples and documentation for backup configuration options.
* Add plugin rendering logic and tests for CNPG Cluster CR
- Implemented logic in `cnpg-cluster.yaml` to render `.spec.plugins` based on `cnpg.cluster.plugins` values.
- Added Helm unit tests to validate plugin rendering scenarios: unset plugins and configured plugin values.
- Updated `values.yaml` with examples and documentation for configuring CNPG plugins.
* Update chart to v1.0.1 with CNPG backup and plugin enhancements
- Add rendering logic for `Cluster.spec.backup`, inferring `method: volumeSnapshot` when applicable and validating required fields.
- Add support for `Cluster.spec.plugins`, enabling barman-cloud plugin and WAL archiver configuration.
- Strip unsupported keys (e.g., `backup.ttl`, `volumeSnapshot.enabled`) to prevent CRD warnings.
- Update examples and documentation in `README.md` and `values.yaml`.
* Keep Helm chart on same major version as app?
* Versioning with monorepo
* MD is tricky
---------
Co-authored-by: Josh Waldrep <joshua.waldrep5+github@gmail.com>
Co-authored-by: Juan José Mata <jjmata@jjmata.com>
* Add Helm chart for Sure Rails app deployment.
- Introduced initial Helm chart structure for deploying the Sure Rails app with Sidekiq on Kubernetes.
- Added optional CloudNativePG and Redis-Operator subcharts for high availability of PostgreSQL and Redis.
- Implemented configuration guards for mutual exclusivity between Redis operators.
- Included support for Horizontal Pod Autoscalers (HPAs) for web and worker deployments.
- Added default configurations for CronJobs, database migrations, and Ingress setup.
- Generated NOTES.txt for deployment guidance and troubleshooting.
- Added example profiles for simple and high-availability hosting setups in README.md.
- Enhanced templates with helper functions for reusable logic and secret management.
* Refactor Helm chart to use shared _env.tpl helper for environment variable injection.
- Added `_env.tpl` for managing environment variables across workloads (web, worker, jobs, etc.).
- Replaced repetitive inline environment configurations with reusable `sure.env` helper.
- Enhanced `redis-simple` configurations with support for dynamic persistence settings and resource limits.
- Updated `values.yaml` with improved defaults for multi-node cluster setups.
- Extended cleanup scripts to handle RedisSentinel CRs.
* Refactor Helm chart templates for consistency and improved readability
- Simplified `simplefin-backfill-job.yaml` by quoting backfill args for cleaner rendering.
- Removed unused `extraEnvFrom` logic from `_env.tpl`.
- Streamlined `redis-simple-deployment.yaml` by restructuring `volumeMounts` and `volumes` blocks for better condition handling.
* Bump Sure Helm chart version to 1.0.0 for initial stable release.
* Update README: Redis subchart to use OT redis-operator and improve secret management examples.
- Replaced `dandydev/redis-ha` with `OT-CONTAINER-KIT redis-operator`
- Added Redis secret configurations examples for flexible secret management.
- Updated README with new Redis configuration instructions, examples, and auto-wiring precedence adjustments.
* Enhance Redis-Operator Helm chart with managed scheduling, topology spreading, and fallback logic
- Introduced `managed.*` fields for optional RedisReplication configurations, prioritizing them over top-level settings.
- Added support for `nodeSelector`, `affinity`, `tolerations`, `topologySpreadConstraints`, and customized `workloadResources` for Redis pods.
- Updated default Redis image to `v8.4.0` in templates.
- Improved persistence configuration with fallback support.
- Updated README and values.yaml with examples and guidance for high-availability setups.
- Enhanced CNPG chart with scheduling options for consistency.
* Update README with improved Redis-Operator usage examples and secret placeholder guidance
- Added instructions for constructing `REDIS_URL` in Kubernetes manifests using placeholders.
- Replaced sensitive values in example secrets with non-sensitive placeholders (`__SET_SECRET__`).
- Included notes on linting Helm templates and YAML to avoid false-positive CI errors.
---------
Co-authored-by: Josh Waldrep <joshua.waldrep5+github@gmail.com>