Merge pull request #162 from IBM/deployment-updates

Update helm charts for configurable secrets

Author: crivetimihai

charts/mcp-stack/.gitignore

@@ -0,0 +1 @@
+my-values.yaml

charts/mcp-stack/templates/_helpers.tpl

@@ -1,3 +1,6 @@
+{{- /* --------------------------------------------------------------------
+     Helper: mcp-stack.fullname
+     -------------------------------------------------------------------- */}}
 {{- define "mcp-stack.fullname" -}}
 {{- if .Values.global.fullnameOverride }}
 {{ .Values.global.fullnameOverride }}
@@ -11,8 +14,25 @@
 {{- end }}
 {{- end }}
 
+{{- /* --------------------------------------------------------------------
+     Helper: mcp-stack.labels
+     -------------------------------------------------------------------- */}}
 {{- define "mcp-stack.labels" -}}
 app.kubernetes.io/name: {{ include "mcp-stack.fullname" . }}
 helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
+
+{{- /* --------------------------------------------------------------------
+     Helper: mcp-stack.postgresSecretName
+     Returns the Secret name that the Postgres deployment should mount.
+     If users set `postgres.existingSecret`, that name is used.
+     Otherwise the chart-managed default "postgres-secret" is returned.
+     -------------------------------------------------------------------- */}}
+{{- define "mcp-stack.postgresSecretName" -}}
+{{- if .Values.postgres.existingSecret }}
+{{- .Values.postgres.existingSecret }}
+{{- else }}
+postgres-secret
+{{- end }}
+{{- end }}

charts/mcp-stack/templates/deployment-mcp.yaml

@@ -21,6 +21,7 @@ spec:
           ports:
             - containerPort: {{ .Values.mcpContextForge.containerPort }}
           env:
+            # ── core settings ────────────────────────────────────────────
             - name: HOST
               value: "{{ .Values.mcpContextForge.env.host }}"
             - name: POSTGRES_HOST
@@ -32,15 +33,24 @@ spec:
             - name: POSTGRES_USER
               valueFrom:
                 secretKeyRef:
-                  name: postgres-secret
-                  key: user
+                  name: {{ include "mcp-stack.postgresSecretName" . | trim }}
+                  key: POSTGRES_USER
             - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: postgres-secret
-                  key: password
+                  name: {{ include "mcp-stack.postgresSecretName" . | trim }}
+                  key: POSTGRES_PASSWORD
             - name: REDIS_HOST
               value: "{{ .Values.mcpContextForge.env.redis.host }}"
             - name: REDIS_PORT
               value: "{{ .Values.mcpContextForge.env.redis.port }}"
-          resources: {{- toYaml .Values.mcpContextForge.resources | nindent 12 }}
+
+            # ── extras injected via values.yaml (DATABASE_URL, etc.) ─────
+{{- if .Values.mcpContextForge.env.extras }}
+{{- range .Values.mcpContextForge.env.extras }}
+            - name: {{ .name }}
+              value: {{ .value | quote }}
+{{- end }}
+{{- end }}
+          resources:
+{{- toYaml .Values.mcpContextForge.resources | nindent 12 }}

charts/mcp-stack/templates/deployment-pgadmin.yaml

@@ -35,7 +35,7 @@ spec:
               valueFrom:
                 secretKeyRef:
                   name: postgres-secret
-                  key: password
+                  key: POSTGRES_PASSWORD
             - name: PGADMIN_LISTEN_PORT
               value: "{{ .Values.pgadmin.service.port }}"
           {{- with .Values.pgadmin.resources }}

charts/mcp-stack/templates/deployment-postgres.yaml

@@ -18,17 +18,17 @@ spec:
       containers:
         - name: postgres
           image: "{{ .Values.postgres.image.repository }}:{{ .Values.postgres.image.tag }}"
-          imagePullPolicy: {{ .Values.postgres.image.pullPolicy }}
+          imagePullPolicy: "{{ .Values.postgres.image.pullPolicy }}"
           ports:
             - containerPort: {{ .Values.postgres.service.port }}
           envFrom:
             - configMapRef:
                 name: postgres-config
             - secretRef:
-                name: postgres-secret
+                name: {{ include "mcp-stack.postgresSecretName" . | trim | quote }}
           volumeMounts:
-            - mountPath: /var/lib/postgresql/data
-              name: postgredb
+            - name: postgredb
+              mountPath: /var/lib/postgresql/data
       volumes:
         - name: postgredb
           persistentVolumeClaim:

charts/mcp-stack/templates/secret-postgres.yaml

@@ -1,8 +1,13 @@
+# templates/secret-postgres.yaml
+{{- if and .Values.postgres.enabled (not .Values.postgres.existingSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: postgres-secret
+  name: "{{ include "mcp-stack.postgresSecretName" . | trim }}"
 type: Opaque
 stringData:
-  user: {{ .Values.postgres.credentials.user | quote }}
-  password: {{ .Values.postgres.credentials.password | quote }}
+  # add the keys the Postgres image needs
+  POSTGRES_USER:      {{ .Values.postgres.credentials.user      | quote }}
+  POSTGRES_PASSWORD:  {{ .Values.postgres.credentials.password  | quote }}
+  POSTGRES_DB:        {{ .Values.postgres.credentials.database  | quote }}
+{{- end }}

charts/mcp-stack/values.yaml

@@ -3,31 +3,38 @@ global:
   nameOverride: ""
   fullnameOverride: ""
 
+# ───────────────────────────────────────────────────────────────────────────
 mcpContextForge:
   replicaCount: 1
+
   image:
     repository: ghcr.io/ibm/mcp-context-forge
-    tag: latest
+    tag: latest                 # pin a version tag in prod
     pullPolicy: IfNotPresent
+
   service:
     type: ClusterIP
     port: 80
+
   containerPort: 4444
+
   resources:
     limits:
       cpu: 200m
       memory: 1024Mi
     requests:
       cpu: 100m
       memory: 512Mi
+
   ingress:
     enabled: true
     className: nginx
-    host: gateway.local
+    host: gateway.local          # change to your domain
     path: /
     pathType: Prefix
     annotations:
       nginx.ingress.kubernetes.io/rewrite-target: /
+
   env:
     host: 0.0.0.0
     postgres:
@@ -39,26 +46,51 @@ mcpContextForge:
     redis:
       host: redis
       port: 6379
+    extras:
+      - name: CACHE_TYPE
+        value: redis
+      - name: REDIS_URL
+        value: "redis://$(REDIS_HOST):$(REDIS_PORT)/0"
+      - name: DATABASE_URL
+        value: "postgresql://$(POSTGRES_USER):$(POSTGRES_PASSWORD)@$(POSTGRES_HOST):$(POSTGRES_PORT)/$(POSTGRES_DB)"
+
+  # Mount shared Secret & ConfigMap
+  envFrom:
+    - secretRef:
+        name: mcp-gateway-secret
+    - configMapRef:
+        name: mcp-gateway-config
 
+# ───────────────────────────────────────────────────────────────────────────
 postgres:
   enabled: true
+
   image:
     repository: postgres
     tag: "17"
     pullPolicy: IfNotPresent
+
   service:
     type: ClusterIP
     port: 5432
+
   persistence:
     enabled: true
-    storageClassName: manual
+    storageClassName: manual     # pick your StorageClass
     accessModes: [ReadWriteMany]
     size: 5Gi
+
+  # Leave this empty to have Helm autogenerate postgres-secret
+  # (based on the credentials block below).  If you already have
+  # a Secret with the correct keys, put its name here instead.
+  existingSecret: ""
+
   credentials:
     database: postgresdb
     user: admin
-    password: test123
+    password: test123            # replace in production
 
+# ───────────────────────────────────────────────────────────────────────────
 redis:
   enabled: true
   image:
@@ -69,8 +101,9 @@ redis:
     type: ClusterIP
     port: 6379
 
+# ───────────────────────────────────────────────────────────────────────────
 pgadmin:
-  enabled: false
+  enabled: true
   image:
     repository: dpage/pgadmin4
     tag: latest
@@ -79,11 +112,12 @@ pgadmin:
     type: ClusterIP
     port: 80
   env:
-    email: admin@local.test
-    password: admin123
+    email: admin@example.com
+    password: admin123           # replace in production
 
+# ───────────────────────────────────────────────────────────────────────────
 redisCommander:
-  enabled: false
+  enabled: true
   image:
     repository: rediscommander/redis-commander
     tag: latest