fix(helm): production-ready Helm chart aligned with ha-raft subsystem

[robfrank]

Fixes #4034

Summary

• Fix ${HOSTNAME} / ${rootPassword} shell syntax - not expanded in Kubernetes exec-form command: arrays; replaced with $(VAR) K8s-native substitution and explicit downward-API env declarations
• Fix Raft port: service.rpc.port default 2424 → 2434 (ha-raft gRPC port)
• Remove -Darcadedb.ha.replicationIncomingHost (not a valid ha-raft property)
• Make HA args conditional on replicaCount > 1 || autoscaling.enabled
• Add publishNotReadyAddresses: true to headless service (prevents HA bootstrap deadlock)
• Fix ingress backend: point to -http ClusterIP service; fix service.http.port key
• Add Raft quorum guard to HPA: helm template fails when minReplicas < floor(maxReplicas/2)+1
• Add opt-in NetworkPolicy: HTTP open to cluster, Raft gRPC restricted to ArcadeDB pods
• Security: runAsNonRoot, drop ALL caps, serviceAccount.automount: false, ClusterIP default
• Persistence: volumeClaimTemplate for arcadedb-data enabled by default (8Gi)
• HPA: nodenames helper sized to maxReplicas for KubernetesAutoJoin scale-up support
• Fix NOTES.txt port references, add ephemeral data warning
• Guard extra-manifests.yaml bare --- separator
• Update README.md: fix stale defaults (port, service type, mode), add persistence/networkPolicy sections

Test plan

• helm lint k8s/helm/ passes with 0 failures
• helm template k8s/helm/ (default, replicaCount=1) - no HA args, PVC present, no ${HOSTNAME} shell syntax, no port 2424
• helm template k8s/helm/ --set replicaCount=3 - HA args present, port 2434, publishNotReadyAddresses: true
• helm template k8s/helm/ --set autoscaling.enabled=true --set autoscaling.minReplicas=3 --set autoscaling.maxReplicas=5 - HPA rendered, serverList has 5 entries
• helm template k8s/helm/ --set autoscaling.enabled=true --set autoscaling.minReplicas=1 --set autoscaling.maxReplicas=5 - quorum guard fires
• helm template k8s/helm/ --set ingress.enabled=true - backend is -http service, port 2480
• helm template k8s/helm/ --set networkPolicy.enabled=true - two NetworkPolicy resources rendered

🤖 Generated with Claude Code

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Coverage ∅ diff coverage · -7.89% coverage variation

Metric	Results
Coverage variation	✅ -7.89% coverage variation
Diff coverage	✅ ∅ diff coverage

View coverage diff in Codacy

Coverage variation details

	Coverable lines	Covered lines	Coverage
Common ancestor commit (7d94afb)	120170	87923	73.17%
Head commit (1ce68f2)	151534 (+31364)	98920 (+10997)	65.28% (-7.89%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

	Coverable lines	Covered lines	Diff coverage
Pull request (#4035)	0	0	∅ (not applicable)

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.}

[claude]

Code Review - Helm Chart Production-Readiness Fixes

This PR addresses several real production blockers in the Helm chart. The core fixes are correct and the overall direction is sound. A few issues worth discussing before merge:

---

Bug: secret.key conditional removed

statefulset.yaml (around the secretKeyRef block)

The old template guarded the key: field with {{- if .Values.arcadedb.credentials.rootPassword.secret.key }}. That guard was removed:

# After this PR:
valueFrom:
  secretKeyRef:
    name: {{ .Values.arcadedb.credentials.rootPassword.secret.name }}
    key: {{ .Values.arcadedb.credentials.rootPassword.secret.key }}   # can render as null
    optional: false

When a user sets secret.name but leaves secret.key: null (the default), this renders key: which fails Kubernetes validation - secretKeyRef.key is a required, non-empty string field. The original if guard was load-bearing. Suggest restoring it:

{{- if .Values.arcadedb.credentials.rootPassword.secret.key }}
key: {{ .Values.arcadedb.credentials.rootPassword.secret.key }}
{{- end }}

---

Bug: volumeClaimTemplates: always emitted

statefulset.yaml (bottom of file)

When persistence.enabled=false and volumeClaimTemplates=[], the template renders:

volumeClaimTemplates:

This is a null value in YAML. While Kubernetes tolerates it, it is cleaner and safer to gate the whole key:

{{- if or .Values.persistence.enabled .Values.volumeClaimTemplates }}
volumeClaimTemplates:
  ...
{{- end }}

---

Minor: Redundant condition in HPA quorum guard

hpa.yaml

{{- if .Values.autoscaling.enabled }}
{{- if or (gt (int .Values.replicaCount) 1) .Values.autoscaling.enabled }}

The inner or always evaluates to true here because we are already inside {{- if .Values.autoscaling.enabled }}. The replicaCount > 1 branch never has any effect. If the intent is to also apply the quorum guard for static HA deployments (no HPA), move the guard outside the autoscaling.enabled block. If the quorum guard is only needed for HPA, simplify to remove the inner if or.

---

Breaking changes (worth calling out in release notes)

Value	Old default	New default
service.http.type	LoadBalancer	ClusterIP
service.rpc.port	2424	2434
arcadedb.defaultDatabases	"Universe[foo:bar]"	""
autoscaling.maxReplicas	100	5
serviceAccount.automount	true	false
podSecurityContext	{}	{runAsNonRoot: true, fsGroup: 1000}
securityContext	{}	{runAsUser: 1000, runAsGroup: 1000, allowPrivilegeEscalation: false, capabilities.drop: [ALL]}

Existing users upgrading without overriding values will silently lose external access (ClusterIP), gain security hardening, and lose the example database. These are individually correct changes but should be prominently documented or gated behind a chart major version bump.

---

Positive highlights

• Shell expansion fix (${HOSTNAME} → $(HOSTNAME) + downward API env var): Correct and critical. Kubernetes exec-form does not invoke a shell, so ${...} was never expanded.
• publishNotReadyAddresses: true: The right fix for HA bootstrap deadlock - without it, pods can't resolve each other's DNS before readiness passes, which prevents readiness from ever passing.
• Conditional HA args (replicaCount > 1 || autoscaling.enabled): Clean and correct. Single-node deployments should not carry HA arguments.
• arcadedb.ha.raftPort added, arcadedb.ha.replicationIncomingHost removed: Correct alignment with the ha-raft subsystem.
• NetworkPolicy template: Sensible split - HTTP open to cluster, Raft gRPC restricted to ArcadeDB pods only. Opt-in via networkPolicy.enabled=false default is the right call for compatibility.
• Quorum guard on HPA: Catching misconfigured minReplicas < quorum at helm template time is a good developer experience improvement.
• affinity label key: key: app → key: app.kubernetes.io/name is the correct standard label.
• extraManifests guard: Prevents bare --- emission when extraManifests is empty.
• Persistence section: Promoting the PVC to a first-class persistence.enabled toggle with a sensible 8Gi default is much better UX than the previous approach of leaving it to volumeClaimTemplates.

---

Suggestions (non-blocking)

• Consider adding startupProbe with a longer timeout threshold - JVM startup + HA leader election can take longer than the default liveness probe tolerates on cold starts.
• The HTTP NetworkPolicy has no from selector, allowing any pod in the cluster to reach port 2480. This is intentional but worth a comment in the template noting it is cluster-wide, not namespace-scoped.

[gemini-code-assist]

Code Review

This pull request updates the ArcadeDB Helm chart to version 26.5.1, introducing NetworkPolicy resources, a quorum guard for HorizontalPodAutoscaler, and support for the Raft-based HA subsystem. It also refactors persistence management and updates default service types and resource recommendations. Review feedback points out that the unconditional rendering of volumeMounts and volumeClaimTemplates in the StatefulSet could lead to invalid YAML if they are empty. Additionally, the reviewer recommends restoring default values for the RPC port and safety guards for secret keys to ensure template stability and backward compatibility.

[gemini-code-assist]

The volumeMounts: key (line 81) is now rendered unconditionally because the previous with guard was removed. If persistence.enabled is false and volumeMounts is empty, this will result in an empty volumeMounts: field in the container spec, which is invalid Kubernetes YAML. Consider wrapping the parent key in a conditional check like {{- if or .Values.persistence.enabled .Values.volumeMounts }}.

[gemini-code-assist]

The volumeClaimTemplates: key (line 130) is now rendered unconditionally. If persistence.enabled is false and no extra volumeClaimTemplates are provided, this will result in an empty volumeClaimTemplates: field in the StatefulSet spec, which is invalid. Consider wrapping the parent key in a conditional check like {{- if or .Values.persistence.enabled .Values.volumeClaimTemplates }}.

[gemini-code-assist]

Removing the default value for service.rpc.port might cause the template to fail if users are using an older values.yaml file that doesn't define this key. It's safer to provide a default value, especially since the port has changed in this version.

{{- $rpcPort := int (default 2434 .Values.service.rpc.port) -}}

[gemini-code-assist]

Removing the guard for secret.key makes the template fragile. If a user provides an existing secret name but omits the key in their values, the template will render an invalid secretKeyRef with an empty key. It is recommended to use the required function to enforce the presence of the key when a custom secret name is used, or restore the conditional check.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.23%. Comparing base (7d94afb) to head (1ce68f2).
⚠️ Report is 6 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4035      +/-   ##
==========================================
- Coverage   64.25%   64.23%   -0.03%     
==========================================
  Files        1597     1597              
  Lines      120170   120279     +109     
  Branches    25589    25618      +29     
==========================================
+ Hits        77220    77262      +42     
- Misses      32278    32326      +48     
- Partials    10672    10691      +19     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[claude]

Code Review - PR #4035: Helm chart removal and dedicated repo migration

Overview

This PR removes the entire k8s/helm/ directory from the monorepo, adds a redirect k8s/README.md, and checks in two planning/design documents under docs/superpowers/. The intent is to migrate the Helm chart to a dedicated ArcadeData/arcadedb-helm repository.

Note on PR description vs diff mismatch: The title says "fix(helm): production-ready Helm chart aligned with ha-raft subsystem" and the summary lists many specific chart fixes (port corrections, HA args, security hardening, etc.), but the actual diff contains none of those fixes - it only deletes the chart. Those fixes presumably live in the new arcadedb-helm repo. The PR description should be updated to reflect that this PR is a removal/migration, not a bugfix.

---

Issues

Critical - URL inconsistency

k8s/README.md uses:

helm repo add arcadedb https://helm.arcadedb.com/

But docs/superpowers/specs/2026-04-29-helm-chart-dedicated-repo-design.md and the plan doc both use:

https://arcadedata.github.io/arcadedb-helm/

If helm.arcadedb.com is a custom domain that has not been configured yet, users following the redirect README will get a 404. Either use the GitHub Pages URL (which is automatically available once the repo/Pages are set up), or ensure the custom domain is live before merging.

Critical - Ordering risk: chart removed before new repo is ready

This PR deletes the chart from the monorepo. If it merges before:

• The ArcadeData/arcadedb-helm repository is created
• The chart is published and GitHub Pages is serving index.yaml

...there will be a window where no installable chart exists. The plan doc's Task 7 (cleanup) is explicitly marked as the last step, but this PR mixes the monorepo cleanup with the planning docs without a clear gate. Recommend blocking merge on the new repo being live and verifiable via helm search repo.

Minor - Planning documents in source control

docs/superpowers/plans/ and docs/superpowers/specs/ contain step-by-step bash commands for bootstrapping a separate GitHub repository. These are ephemeral implementation notes, not persistent documentation about the ArcadeDB codebase. Once the migration is complete they have no ongoing value and become stale. Consider keeping them as GitHub issues/discussions instead, or at least note that they can be deleted after the migration is complete.

Minor - Design doc has a self-contradictory Pages configuration

docs/superpowers/specs/...design.md says:

GitHub Pages is enabled on the main branch root (/).

But docs/superpowers/plans/...plan.md (Task 5, Step 4) says:

Branch: gh-pages

helm/chart-releaser-action pushes index.yaml to the gh-pages branch, so the spec description of "main branch root" is incorrect and could confuse whoever executes the migration.

---

What looks good

• Moving the Helm chart to a dedicated repo is the right call - it gives the chart an independent release cadence and makes it discoverable via helm search hub.
• The redirect README is clear and includes install commands.
• The old chart is deleted completely rather than left as dead code.
• The design doc's versioning convention (chart version independent of appVersion) is sensible.

---

Suggested checklist before merge

• Confirm ArcadeData/arcadedb-helm exists and the chart is published at the URL in k8s/README.md
• Verify helm repo add arcadedb <url> && helm search repo arcadedb returns the chart
• Align k8s/README.md URL with the actual live URL (GitHub Pages or custom domain)
• Fix the Pages-branch discrepancy in the design spec
• Update PR title/description to reflect this is a removal/migration, not a chart bugfix

🤖 Generated with Claude Code