@aryankumar04 aryankumar04 commented Jun 19, 2025

Summary by CodeRabbit

  • New Features

    • Added a complete Helm chart to deploy Wren AI on Kubernetes: configurable Deployments, Services, Ingress, PVCs, ConfigMaps, Secrets, and helpers for consistent naming/labels.
    • Built-in templates for AI service, engine, UI, and ibis server plus NOTES to retrieve service URLs and status.
    • Declared Helm dependencies for Qdrant and PostgreSQL.
  • Documentation

    • Added a comprehensive README with prerequisites, secrets, deployment steps, and verification.
  • Chores

    • Added default values for versions, images, ports, telemetry, persistence, and resource configuration.

Contributor

coderabbitai bot commented Jun 19, 2025

Walkthrough

Adds a complete Helm chart for Wren AI: chart metadata, defaults, templates (Deployments, Services, ConfigMaps, Secrets, PVC, Ingress), NOTES and README for installation, and dependencies on Qdrant and PostgreSQL.

Changes

| Cohort / File(s) | Change Summary |
|---|---|
| Chart & Metadata: deployment/helm-chart/Chart.yaml, deployment/helm-chart/values.yaml | Added chart metadata and comprehensive default values including component versions, secrets management, Qdrant and PostgreSQL dependencies, and extensive configurable settings. |
| Docs & Notes: deployment/helm-chart/README.md, deployment/helm-chart/NOTES.txt | Added README with prerequisites, deployment steps, Minikube guidance, and NOTES template that prints access URLs for UI and AI service based on Service type. |
| Template helpers & labels: deployment/helm-chart/templates/_helpers.tpl | Added helper templates for consistent naming, fullname, chart label, selector labels, and secret name resolution. |
| Config & AI service config: deployment/helm-chart/templates/configmap.yaml | Added ConfigMap templates: env-style config and a multi-document config.yaml for AI pipeline (LLMs, embedders, engines, document stores, pipeline stages, and runtime settings). |
| Secrets: deployment/helm-chart/templates/secrets.yaml | Added conditional Secret template to create Opaque secrets from .Values.secrets.values when enabled. |
| Deployments (all components): deployment/helm-chart/templates/ai-service-deployment.yaml, .../engine-deployment.yaml, .../ibis-deployment.yaml, .../ui-deployment.yaml | Added Deployment templates for ai-service, engine (with initContainer and PVC mount), ibis-server, and ui — all parameterized for replicas, images, env, resources, nodeSelector/affinity/tolerations and secret/config injection. |
| Services, Ingress, PVC: deployment/helm-chart/templates/service.yaml, .../ingress.yaml, .../pvc.yaml | Added Service definitions for UI, engine (http/sql), AI service, and ibis-server; conditional Ingress for UI with TLS and annotations; conditional PVC template for engine persistence. |

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Helm
    participant Repo as ChartRepo (charts: qdrant, postgresql)
    participant K8s
    participant Wren as WrenPods

    User->>Helm: helm install wren ./deployment/helm-chart
    Helm->>Repo: resolve dependencies (qdrant, postgresql)
    Helm->>K8s: render & apply manifests (ConfigMaps, Secrets, PVC, Services, Deployments, Ingress)
    K8s->>Wren: schedule pods (ui, engine, ai-service, ibis)
    K8s->>Wren: inject ConfigMaps & Secrets, mount PVC
    User->>K8s: access UI/AI via Ingress / NodePort / port-forward
    Wren->>K8s: connect to dependencies (postgresql, qdrant) and external APIs (OpenAI/Gemini)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

deployment, wren-ai-service, module/ai-service, ai-env-changed

Suggested reviewers

  • paopa
  • imAsterSun
  • wwwy3y3

Poem

🐇
Charts unfurl like leaves in spring,
Secrets safe and services sing.
Pods take root and hop in line,
Configs feed the AI vine.
A carrot-coded chart—deploy and dine!

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title Check | ✅ Passed | The title "added helm chart support" accurately and concisely summarizes the primary change—adding a Helm chart and related templates, values, and docs to enable Helm-based deployment—and is directly related to the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 6

🧹 Nitpick comments (15)
deployment/helm-chart/templates/_helpers.tpl (1)

4-6: Naming consistency: consider aligning helper prefixes with chart name.

Helpers are defined under "wren-ai", while Chart.yaml uses name: wren. To avoid confusion, align the helper prefix with the actual chart name (e.g., use "wren").

deployment/helm-chart/values.yaml (1)

368-368: Add newline at end of file.

YAML requires a trailing newline at EOF. Please append a blank line to comply with POSIX and YAML specifications.

deployment/helm-chart/templates/ingress.yaml (1)

1-28: Suppress blank manifests: use template whitespace control.

Wrap conditionals with {{- if ... }} and {{- end }} (note the leading/trailing hyphens) to trim unwanted newlines and prevent empty YAML documents when .Values.ui.ingress.enabled is false.

deployment/helm-chart/templates/pvc.yaml (1)

21-21: Add newline at end-of-file.
Ensure a trailing newline for POSIX compliance and to prevent lint warnings.

deployment/helm-chart/templates/secrets.yaml (1)

40-40: Add newline at end-of-file.
Append a trailing newline to satisfy POSIX and avoid lint warnings.

deployment/helm-chart/templates/ibis-deployment.yaml (1)

54-54: Add newline at end-of-file.
Include a trailing newline to satisfy POSIX and avoid lint issues.

deployment/helm-chart/templates/engine-deployment.yaml (1)

77-77: Add newline at end-of-file.
Include a trailing newline to satisfy POSIX and avoid lint issues.

deployment/helm-chart/templates/ai-service-deployment.yaml (1)

117-117: Add newline character at end of file.
Ensure the file ends with a newline to comply with POSIX standards and avoid lint errors.

deployment/helm-chart/templates/ui-deployment.yaml (2)

99-99: Remove trailing whitespace.
Trim the extra spaces on these lines to clean up unnecessary whitespace.

-            - name: TELEMETRY_ENABLED 
+            - name: TELEMETRY_ENABLED
-                valueFrom: 
+                valueFrom:

Also applies to: 116-116


133-133: Add newline character at end of file.
Ensure the file ends with a newline to satisfy POSIX conventions and avoid lint errors.

deployment/helm-chart/README.md (3)

7-7: Remove trailing punctuation in headings.
Avoid ending Markdown headings with a colon for cleaner style. E.g., change "## Steps to deploy:" to "## Steps to deploy".

Also applies to: 14-14, 69-69


16-16: Fix loose punctuation and spacing.
Clean up extra spaces and stray backticks in this line. E.g.,

- `Suggestion`: Before deploying, check out the Helm values in the `deployment/helm ` file...
+ `Suggestion`: Before deploying, check out the Helm values in the `deployment/helm` folder...

72-72: Correct “its” to “it’s”.
Use the contraction “it’s” (it is) for clarity:

- its less likely you need to modify them
+ it’s less likely you need to modify them
deployment/helm-chart/templates/configmap.yaml (2)

20-20: Align spacing after colon.
Remove the extra space so there’s exactly one space after the colon:

-  IBIS_SERVER_VERSION:  {{ .Values.global.versions.ibisServer | quote }}
+  IBIS_SERVER_VERSION: {{ .Values.global.versions.ibisServer | quote }}

214-214: Add newline character at end of file.
Ensure the file ends with a newline to comply with POSIX standards.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1b1a5b9 and dbc056c.

📒 Files selected for processing (14)
  • deployment/helm-chart/Chart.yaml (1 hunks)
  • deployment/helm-chart/NOTES.txt (1 hunks)
  • deployment/helm-chart/README.md (1 hunks)
  • deployment/helm-chart/templates/_helpers.tpl (1 hunks)
  • deployment/helm-chart/templates/ai-service-deployment.yaml (1 hunks)
  • deployment/helm-chart/templates/configmap.yaml (1 hunks)
  • deployment/helm-chart/templates/engine-deployment.yaml (1 hunks)
  • deployment/helm-chart/templates/ibis-deployment.yaml (1 hunks)
  • deployment/helm-chart/templates/ingress.yaml (1 hunks)
  • deployment/helm-chart/templates/pvc.yaml (1 hunks)
  • deployment/helm-chart/templates/secrets.yaml (1 hunks)
  • deployment/helm-chart/templates/service.yaml (1 hunks)
  • deployment/helm-chart/templates/ui-deployment.yaml (1 hunks)
  • deployment/helm-chart/values.yaml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
deployment/helm-chart/templates/pvc.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

deployment/helm-chart/templates/ingress.yaml

[error] 2-2: syntax error: expected '', but found ''

(syntax)


[warning] 20-20: wrong indentation: expected 8 but found 10

(indentation)

deployment/helm-chart/templates/ibis-deployment.yaml

[warning] 7-7: wrong indentation: expected 2 but found 4

(indentation)


[warning] 13-13: wrong indentation: expected 4 but found 6

(indentation)


[warning] 18-18: wrong indentation: expected 6 but found 8

(indentation)


[warning] 21-21: wrong indentation: expected 4 but found 6

(indentation)


[error] 54-54: no new line character at the end of file

(new-line-at-end-of-file)


[error] 4-4: syntax error: expected , but found ''

(syntax)

deployment/helm-chart/templates/engine-deployment.yaml

[warning] 7-7: wrong indentation: expected 2 but found 4

(indentation)


[warning] 13-13: wrong indentation: expected 4 but found 6

(indentation)


[warning] 18-18: wrong indentation: expected 6 but found 8

(indentation)


[warning] 21-21: wrong indentation: expected 4 but found 6

(indentation)


[error] 77-77: no new line character at the end of file

(new-line-at-end-of-file)


[error] 4-4: syntax error: expected , but found ''

(syntax)

deployment/helm-chart/templates/service.yaml

[warning] 7-7: wrong indentation: expected 2 but found 4

(indentation)


[warning] 17-17: wrong indentation: expected 2 but found 4

(indentation)


[warning] 25-25: wrong indentation: expected 2 but found 4

(indentation)


[warning] 39-39: wrong indentation: expected 2 but found 4

(indentation)


[warning] 47-47: wrong indentation: expected 2 but found 4

(indentation)


[warning] 57-57: wrong indentation: expected 2 but found 4

(indentation)


[warning] 65-65: wrong indentation: expected 2 but found 4

(indentation)


[warning] 75-75: wrong indentation: expected 2 but found 4

(indentation)


[error] 4-4: syntax error: expected , but found ''

(syntax)

deployment/helm-chart/templates/secrets.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)


[error] 40-40: no new line character at the end of file

(new-line-at-end-of-file)

deployment/helm-chart/templates/ai-service-deployment.yaml

[warning] 7-7: wrong indentation: expected 2 but found 4

(indentation)


[warning] 13-13: wrong indentation: expected 4 but found 6

(indentation)


[warning] 18-18: wrong indentation: expected 6 but found 8

(indentation)


[warning] 21-21: wrong indentation: expected 4 but found 6

(indentation)


[error] 117-117: no new line character at the end of file

(new-line-at-end-of-file)


[error] 4-4: syntax error: expected , but found ''

(syntax)

deployment/helm-chart/values.yaml

[error] 19-19: trailing spaces

(trailing-spaces)


[error] 27-27: trailing spaces

(trailing-spaces)


[error] 34-34: trailing spaces

(trailing-spaces)


[error] 38-38: trailing spaces

(trailing-spaces)


[error] 52-52: trailing spaces

(trailing-spaces)


[error] 84-84: trailing spaces

(trailing-spaces)


[error] 135-135: trailing spaces

(trailing-spaces)


[error] 145-145: trailing spaces

(trailing-spaces)


[error] 162-162: trailing spaces

(trailing-spaces)


[error] 176-176: trailing spaces

(trailing-spaces)


[error] 247-247: trailing spaces

(trailing-spaces)


[error] 248-248: trailing spaces

(trailing-spaces)


[error] 287-287: trailing spaces

(trailing-spaces)


[error] 294-294: trailing spaces

(trailing-spaces)


[error] 302-302: trailing spaces

(trailing-spaces)


[warning] 347-347: wrong indentation: expected 10 but found 9

(indentation)


[error] 368-368: no new line character at the end of file

(new-line-at-end-of-file)

deployment/helm-chart/templates/configmap.yaml

[warning] 20-20: too many spaces after colon

(colons)


[error] 4-4: syntax error: expected , but found ''

(syntax)

deployment/helm-chart/templates/ui-deployment.yaml

[warning] 7-7: wrong indentation: expected 2 but found 4

(indentation)


[warning] 13-13: wrong indentation: expected 4 but found 6

(indentation)


[warning] 18-18: wrong indentation: expected 6 but found 8

(indentation)


[warning] 21-21: wrong indentation: expected 4 but found 6

(indentation)


[error] 99-99: trailing spaces

(trailing-spaces)


[error] 116-116: trailing spaces

(trailing-spaces)


[error] 133-133: no new line character at the end of file

(new-line-at-end-of-file)


[error] 4-4: syntax error: expected , but found ''

(syntax)

🪛 LanguageTool
deployment/helm-chart/NOTES.txt

[uncategorized] ~3-~3: Loose punctuation mark.
Context: ...ervices {{ include "wren-ai.fullname" . }}-ui-svc) export NODE_IP=$(kubectl get...

(UNLIKELY_OPENING_PUNCTUATION)


[uncategorized] ~8-~8: Loose punctuation mark.
Context: ... svc -w {{ include "wren-ai.fullname" . }}-ui-svc' export SERVICE_IP=$(kubectl ...

(UNLIKELY_OPENING_PUNCTUATION)


[uncategorized] ~9-~9: Loose punctuation mark.
Context: ...pace }} {{ include "wren-ai.fullname" . }}-ui-svc --template "{{"{{ range (index ...

(UNLIKELY_OPENING_PUNCTUATION)


[uncategorized] ~12-~12: Loose punctuation mark.
Context: ...tes.io/name={{ include "wren-ai.name" . }},app.kubernetes.io/instance1. Get the a...

(UNLIKELY_OPENING_PUNCTUATION)


[uncategorized] ~14-~14: Loose punctuation mark.
Context: ...ervices {{ include "wren-ai.fullname" . }}-ai-service-svc) export NODE_IP=$(kub...

(UNLIKELY_OPENING_PUNCTUATION)


[uncategorized] ~19-~19: Loose punctuation mark.
Context: ... svc -w {{ include "wren-ai.fullname" . }}-ai-service-svc' export SERVICE_IP=$(...

(UNLIKELY_OPENING_PUNCTUATION)


[uncategorized] ~20-~20: Loose punctuation mark.
Context: ...pace }} {{ include "wren-ai.fullname" . }}-ai-service-svc --template "{{"{{ range...

(UNLIKELY_OPENING_PUNCTUATION)


[uncategorized] ~23-~23: Loose punctuation mark.
Context: ...tes.io/name={{ include "wren-ai.name" . }},app.kubernetes.io/instance={{ .Release...

(UNLIKELY_OPENING_PUNCTUATION)

deployment/helm-chart/README.md

[uncategorized] ~16-~16: Loose punctuation mark.
Context: ...helm ## Steps to deploy: Suggestion: Before deploying, check out the Helm va...

(UNLIKELY_OPENING_PUNCTUATION)


[uncategorized] ~71-~71: “its” (belonging to it) seems less likely than “it’s” (it is)
Context: ...ns the core Wren AI manifest templates, its less likely you need to modify them, bu...

(AI_HYDRA_LEO_CPT_ITS_ITIS)


[grammar] ~72-~72: In the grammatical structure ‘pronoun + be/get + used + to + verb’, the verb ‘used’ is used with the gerund.
Context: ...ing helm dependency add, and they are used to deploy third-party services alongside Wren AI....

(ADMIT_ENJOY_VB)


[uncategorized] ~77-~77: Loose punctuation mark.
Context: ... same namespace as wren-ai. - postgres: Database that will be installed in the ...

(UNLIKELY_OPENING_PUNCTUATION)


[uncategorized] ~81-~81: Possible missing comma found.
Context: ...ame(first) and password(second) for the database respectively, separated by a colon. In ...

(AI_HYDRA_LEO_MISSING_COMMA)


[uncategorized] ~82-~82: Use a comma before ‘and’ if it connects two independent clauses (unless they are closely connected and short).
Context: ...erver is running in a Kubernetes cluster and it is named "wren-postgresql" in the *s...

(COMMA_COMPOUND_SENTENCE)


[uncategorized] ~122-~122: “you” seems less likely than “your” (belonging to you).
Context: ...mize some values. It can be usefull for you GitOps workflow and can be used in conj...

(AI_HYDRA_LEO_CP_YOU_YOUR)


[style] ~122-~122: ‘in conjunction with’ might be wordy. Consider a shorter alternative.
Context: ...for you GitOps workflow and can be used in conjunction with FluxCD or ArgoCD.

(EN_WORDINESS_PREMIUM_IN_CONJUNCTION_WITH)

🪛 Checkov (3.2.334)
deployment/helm-chart/values.yaml

[MEDIUM] 33-34: Basic Auth Credentials

(CKV_SECRET_4)

🪛 Gitleaks (8.26.0)
deployment/helm-chart/README.md

35-35: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)


41-41: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)


42-42: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🪛 markdownlint-cli2 (0.17.2)
deployment/helm-chart/README.md

7-7: Trailing punctuation in heading
Punctuation: ':'

(MD026, no-trailing-punctuation)


14-14: Trailing punctuation in heading
Punctuation: ':'

(MD026, no-trailing-punctuation)


16-16: Spaces inside code span elements
null

(MD038, no-space-in-code)


69-69: Trailing punctuation in heading
Punctuation: ':'

(MD026, no-trailing-punctuation)

🔇 Additional comments (28)
deployment/helm-chart/Chart.yaml (1)

1-27: Helm chart metadata review: Approve.

The Chart.yaml correctly defines apiVersion: v2, chart name, version, dependencies, and maintainers. Ensure the file ends with a newline to satisfy POSIX and tooling requirements.

deployment/helm-chart/templates/_helpers.tpl (1)

29-31: Label version templating: approve.

The "wren-ai.chart" helper formats the chart name and version correctly, replacing + characters and enforcing DNS length limits.

deployment/helm-chart/templates/ingress.yaml (1)

2-5: Ingress spec: approve.

The apiVersion, kind, metadata, and naming conventions integrate correctly with the Helm helper templates and user values.

deployment/helm-chart/templates/pvc.yaml (2)

1-3: Conditional PVC creation is clear and concise.
Using .Values.engine.persistence.enabled to guard PVC creation aligns with best practices for optional persistence.


14-20: Nested if for storageClassName handles the "-" sentinel well.
The logic to set an empty storageClassName when the value is "-" and quote non-empty values is precise.

deployment/helm-chart/templates/secrets.yaml (1)

1-1: Ignore YAMLlint false positive on templating.
The {{- if ... }} syntax at file start is valid Helm template syntax; static YAML linters misinterpret it.

deployment/helm-chart/templates/ibis-deployment.yaml (5)

4-4: Ignore YAMLlint indentation and block-end warnings.
Helm templating constructs commonly trigger false-positive syntax and indentation issues in pure YAML linters.

Also applies to: 7-7, 13-13, 18-18, 21-21


1-9: Deployment metadata and replica configuration are consistent.
The ibis-server deployment uses correct naming, labels, and a default replica fallback, aligning with other component deployments.


10-18: Selector and Pod template labels are accurate.
Using include "wren-ai.selectorLabels" and component-specific labelling ensures correct service selection and observability.


20-31: Node scheduling configuration is flexible.
Parameterizing nodeSelector, affinity, and tolerations via with blocks offers robust cluster placement control.


32-40: Container spec for wren-ibis is comprehensive.
Image configuration, ports, and environment variable sourcing from ConfigMaps follow chart conventions.

deployment/helm-chart/templates/engine-deployment.yaml (7)

4-4: Ignore YAMLlint false positives.
Helm Go templating triggers syntax and indentation warnings in pure YAML linters; these can be safely ignored.

Also applies to: 7-7, 13-13, 18-18, 21-21


1-9: Engine Deployment metadata and replica config look good.
Naming, labels, and default replica fallback align with chart standards.


10-18: Selector and template labels are correctly parameterized.
Using shared selectorLabels and component labelling ensures pod-service binding consistency.


20-31: Node scheduling parameters are properly exposed.
The inclusion of nodeSelector, affinity, and tolerations via with blocks offers flexibility for complex cluster topologies.


32-35: Persistent volume claim volume is correctly referenced.
Volume name (wren-data) and claimName match the PVC template, ensuring reliable mounts.


36-59: Init container setup is thorough.
The bootstrap container correctly sources ConfigMap and secret values for database credentials and mounts the data volume.


60-77: Main container config aligns with other components.
Image, ports, volume mounts, and resource blocks mirror established patterns across the chart.

deployment/helm-chart/NOTES.txt (7)

3-3: Ignore LanguageTool spurious warnings.
Loose punctuation warnings are caused by Helm templating and do not affect functionality.

Also applies to: 8-8, 9-9, 12-12, 14-14, 19-19, 20-20, 23-23


2-6: UI NodePort instructions are clear.
Extracting NODE_PORT and NODE_IP and echoing the URL matches Helm post-install guidance.


7-10: UI LoadBalancer instructions are accurate.
Advising on external IP readiness and using JSONPath for extraction is correct.


13-17: AI Service NodePort instructions are correct.
Commands mirror the UI pattern and reference the proper service suffix.


17-21: AI Service LoadBalancer block is fine.
It correctly notes potential delays and uses the loadBalancer.ingress path extraction.


21-27: AI Service ClusterIP instructions align with standards.
Pattern matches UI's fixed block and provides a consistent port-forward workflow.


29-33: Verify AI Service port reference.
Ensure .Values.config.ports.aiService matches the port defined in the AI Service templates. If the port lives under a different key, update accordingly.

deployment/helm-chart/templates/ai-service-deployment.yaml (1)

4-4: Ignore static-analysis indentation/syntax warnings.
These YAMLlint and syntax errors are false positives due to Helm templating and intentional indentation for nindent. No change needed.

Also applies to: 7-7, 13-13, 18-18, 21-21

deployment/helm-chart/templates/ui-deployment.yaml (1)

4-4: Ignore static-analysis indentation/syntax warnings.
The reported indentation and syntax errors stem from Helm templating and do not reflect actual YAML issues.

Also applies to: 7-7, 13-13, 18-18, 21-21

deployment/helm-chart/templates/configmap.yaml (1)

4-4: Ignore static-analysis syntax/spacing warnings.
These errors are false positives due to Helm templating; the syntax and spacing are valid.

Also applies to: 20-20

Comment on lines +3 to +75
metadata:
name: {{ include "wren-ai.fullname" . }}-ui-svc
labels:
{{- include "wren-ai.labels" . | nindent 4 }}
app.kubernetes.io/component: ui
spec:
type: {{ .Values.ui.service.type }}
ports:
- port: {{ .Values.ui.service.port }}
targetPort: http
protocol: TCP
name: http-ui
selector:
{{- include "wren-ai.selectorLabels" . | nindent 4 }}
app.kubernetes.io/component: ui
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "wren-ai.fullname" . }}-engine-svc
labels:
{{- include "wren-ai.labels" . | nindent 4 }}
app.kubernetes.io/component: engine
spec:
type: {{ .Values.engine.service.type }}
ports:
- port: {{ .Values.engine.service.ports.engine }}
targetPort: http
protocol: TCP
name: wren-engine
- port: {{ .Values.engine.service.ports.sql }}
targetPort: sql
protocol: TCP
name: wren-engine-sql
selector:
{{- include "wren-ai.selectorLabels" . | nindent 4 }}
app.kubernetes.io/component: engine
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "wren-ai.fullname" . }}-ai-service-svc
labels:
{{- include "wren-ai.labels" . | nindent 4 }}
app.kubernetes.io/component: ai-service
spec:
type: {{ .Values.aiService.service.type }}
ports:
- port: {{ .Values.aiService.service.port }}
targetPort: http
protocol: TCP
name: http
selector:
{{- include "wren-ai.selectorLabels" . | nindent 4 }}
app.kubernetes.io/component: ai-service
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "wren-ai.fullname" . }}-ibis-server-svc
labels:
{{- include "wren-ai.labels" . | nindent 4 }}
app.kubernetes.io/component: ibis-server
spec:
type: {{ .Values.ibisServer.service.type }}
ports:
- port: {{ .Values.ibisServer.service.port }}
targetPort: http
protocol: TCP
name: wren-ibis
selector:
{{- include "wren-ai.selectorLabels" . | nindent 4 }}
app.kubernetes.io/component: ibis-server No newline at end of file
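
Review bot: `type:` on all four Services is rendered straight from values with no fallback (`type: {{ .Values.engine.service.type }}` and its equivalents), and the engine Service publishes the `sql` port next to `http`. Suggest `| default "ClusterIP"` on each `type:` and a comment in values.yaml stating which Services are meant to be reachable from outside the cluster, so that a values override does not expose the engine SQL port or ibis-server through NodePort or LoadBalancer unintentionally.
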
Contributor

⚠️ Potential issue

Fix indentation across all Service definitions.

Multiple blocks (metadata, spec, ports, selector) are misaligned by 2 spaces. Nested keys should be indented by 2 spaces per level (e.g., under metadata:, name: and labels: need an extra 2-space indent). Address these misalignments to ensure valid YAML parsing.

🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 7-7: wrong indentation: expected 2 but found 4

(indentation)


[warning] 17-17: wrong indentation: expected 2 but found 4

(indentation)


[warning] 25-25: wrong indentation: expected 2 but found 4

(indentation)


[warning] 39-39: wrong indentation: expected 2 but found 4

(indentation)


[warning] 47-47: wrong indentation: expected 2 but found 4

(indentation)


[warning] 57-57: wrong indentation: expected 2 but found 4

(indentation)


[warning] 65-65: wrong indentation: expected 2 but found 4

(indentation)


[warning] 75-75: wrong indentation: expected 2 but found 4

(indentation)


[error] 4-4: syntax error: expected , but found ''

(syntax)

🤖 Prompt for AI Agents
In deployment/helm-chart/templates/service.yaml from lines 3 to 75, the
indentation of keys under metadata, spec, ports, and selector is incorrect by 2
spaces. Fix this by ensuring each nested key is indented exactly 2 spaces more
than its parent key, for example, indent name and labels 2 spaces under
metadata, and similarly adjust all nested blocks consistently to maintain valid
YAML structure.

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

♻️ Duplicate comments (2)
deployment/helm-chart/values.yaml (2)

15-27: Remove trailing whitespace & secure default secret management.

This secrets block has trailing spaces flagged by YAMLlint, and defaults expose dummy credentials.

  • Strip all trailing whitespace in this block.
  • Consider defaulting to useExistingSecret: true for production or omitting dummy values.

338-348: Fix indentation of Qdrant TLS hosts.

The dash under tls.hosts is one space too few, causing parse errors. Align it with other list items.

Example diff:

   tls:
-    - hosts:
-       - qdrant-ai.myhost.net
+    - hosts:
+      - qdrant-ai.myhost.net
     secretName: qdrant-ai.myhost.net-tls
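
Review bot: in the context line that closes this hunk, `secretName:` sits at the same indentation as the `- hosts:` dash rather than under the `hosts` key, so as shown it is not part of the `tls` list item even after the host entry is re-indented. Align `secretName:` with `hosts:`, and drop the `- hosts:` line from the diff, since it is removed and re-added unchanged.
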
🧹 Nitpick comments (3)
deployment/helm-chart/values.yaml (2)

278-283: Inconsistent secret property naming in PostgreSQL auth.

You use existingSecret here but existingSecretName in the top-level secrets section. Unify these keys to avoid confusion.

Example:

 postgresql:
   auth:
-    existingSecret: "wren-secret"
+    existingSecretName: "wren-secret"
     secretKeys:
       adminPasswordKey: "PG_ADMIN_PASSWORD"
       userPasswordKey: "PG_PASSWORD"
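
Review bot: the renamed key sits under `postgresql.auth`, which is the values block handed to the PostgreSQL dependency chart, so its name has to be the one that chart reads, not the one this chart uses in its own `secrets` section. If the dependency expects `existingSecret`, renaming it to `existingSecretName` makes it ignore the reference to `wren-secret` along with the `secretKeys` mapping; check the dependency's values before unifying, and keep the key as it is if so.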

1-369: Remove trailing whitespace throughout the file.

Multiple lines contain trailing spaces flagged by YAMLlint. Strip them globally to ensure lint passes.

deployment/helm-chart/templates/configmap.yaml (1)

15-21: Too many spaces after colon.

Line 20 has two spaces before the value, triggering a YAMLlint warning. Standardize to one.

Example:

-  IBIS_SERVER_VERSION:  {{ .Values.global.versions.ibisServer | quote }}
+  IBIS_SERVER_VERSION: {{ .Values.global.versions.ibisServer | quote }}
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dbc056c and 982d1cb.

📒 Files selected for processing (2)
  • deployment/helm-chart/templates/configmap.yaml (1 hunks)
  • deployment/helm-chart/values.yaml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
deployment/helm-chart/templates/configmap.yaml

[warning] 20-20: too many spaces after colon

(colons)


[error] 4-4: syntax error: expected , but found ''

(syntax)

deployment/helm-chart/values.yaml

[error] 19-19: trailing spaces

(trailing-spaces)


[error] 27-27: trailing spaces

(trailing-spaces)


[error] 34-34: trailing spaces

(trailing-spaces)


[error] 38-38: trailing spaces

(trailing-spaces)


[error] 52-52: trailing spaces

(trailing-spaces)


[error] 84-84: trailing spaces

(trailing-spaces)


[error] 135-135: trailing spaces

(trailing-spaces)


[error] 145-145: trailing spaces

(trailing-spaces)


[error] 162-162: trailing spaces

(trailing-spaces)


[error] 176-176: trailing spaces

(trailing-spaces)


[error] 247-247: trailing spaces

(trailing-spaces)


[error] 248-248: trailing spaces

(trailing-spaces)


[error] 287-287: trailing spaces

(trailing-spaces)


[error] 294-294: trailing spaces

(trailing-spaces)


[error] 302-302: trailing spaces

(trailing-spaces)


[warning] 347-347: wrong indentation: expected 10 but found 9

(indentation)

🪛 Checkov (3.2.334)
deployment/helm-chart/values.yaml

[MEDIUM] 33-34: Basic Auth Credentials

(CKV_SECRET_4)

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

♻️ Duplicate comments (4)
deployment/helm-chart/README.md (1)

35-43: Replace placeholder API keys with generic placeholders.

The README includes realistic-looking API keys that could pose security risks. These should be replaced with clear placeholders.

Apply this diff to address the security concern:

-OPENAI_API_KEY=<Paste OPENAI_API_KEY here>
+OPENAI_API_KEY=<YOUR_OPENAI_API_KEY>
-LANGFUSE_PUBLIC_KEY=<Paste LANGFUSE_PUBLIC_KEY here>
+LANGFUSE_PUBLIC_KEY=<YOUR_LANGFUSE_PUBLIC_KEY>
-LANGFUSE_SECRET_KEY=<Paste LANGFUSE_SECRET_KEY here>
+LANGFUSE_SECRET_KEY=<YOUR_LANGFUSE_SECRET_KEY>
-POSTHOG_API_KEY=<Paste POSTHOG_API_KEY here>
+POSTHOG_API_KEY=<YOUR_POSTHOG_API_KEY>
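
Review bot: the removed lines (`OPENAI_API_KEY=<Paste OPENAI_API_KEY here>` and the three after it) are already placeholders rather than key-shaped strings, so this hunk only renames them and does not remove any credential material. If the rename goes in, apply it to every occurrence in the README so the two spellings do not coexist, and leave the angle brackets unquoted: pasted verbatim into a shell they are parsed as redirections and the command fails, which is preferable to a Secret silently created with a placeholder value.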
deployment/helm-chart/values.yaml (2)

140-142: Missing global.namespace (duplicate from previous review)

Templates reference .Values.global.namespace, but the key is still absent. Either add it here or wrap references with default .Release.Namespace.


347-349: Wrong indentation in tls.hosts list (duplicate)

The dash before - qdrant-ai.myhost.net is indented 9 spaces; YAML expects 10. Helm fails to render. Fix as previously suggested.

deployment/helm-chart/templates/configmap.yaml (1)

60-76: Model keys mismatch (duplicate of prior feedback)

context_window_size, kwargs.maxTokens, and kwargs.seed are rendered here but not present in values.yaml. Helm will output empty values, breaking the AI-service config.

Either add the keys to every model item in values.yaml or guard with default:

-      context_window_size: {{ .contextWindowSize }}
+{{- if .contextWindowSize }}
+      context_window_size: {{ .contextWindowSize }}
+{{- end }}
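
Review bot: the `{{- if .contextWindowSize }}` guard tests truthiness, so a value of 0 is treated the same as a missing key. That is harmless for the context window, but if the same pattern is copied to `kwargs.seed`, a seed of 0 is silently dropped from the rendered config. For keys where 0 is a valid value, test for presence with `hasKey` instead of a bare `if`.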

Same for maxTokens, seed.

🧹 Nitpick comments (14)
deployment/helm-chart/templates/secrets.yaml (1)

1-42: Fix formatting issue - missing newline at end of file.

The secret template logic is correct and properly handles conditional secret creation with base64 encoding. However, there's a formatting issue that should be addressed.

Apply this diff to fix the formatting:

   {{- end }}
-{{- end }}
+{{- end }}
+
deployment/helm-chart/templates/engine-deployment.yaml (1)

1-78: Fix formatting issue - missing newline at end of file.

The deployment template is well-structured with proper use of init containers, persistent volumes, and environment variable configuration. The logic is sound and follows Kubernetes best practices.

Apply this diff to fix the formatting:

           {{- end }}
+
deployment/helm-chart/templates/ui-deployment.yaml (3)

100-100: Remove trailing spaces.

-            valueFrom: 
+            valueFrom:

117-117: Remove trailing spaces.

-            valueFrom: 
+            valueFrom:

1-134: Fix formatting issue - missing newline at end of file.

The UI deployment template is comprehensive and well-configured with proper environment variable management. The extensive configuration supports the UI component's needs effectively.

Apply this diff to fix the formatting:

           {{- end }}
+
deployment/helm-chart/README.md (2)

16-16: Fix markdown formatting in suggestion callout.

-`Suggestion`: Before deploying, check out the Helm values in the `deployment/helm ` file and modify them to suit your Kubernetes environment.
+**Suggestion**: Before deploying, check out the Helm values in the `deployment/helm` file and modify them to suit your Kubernetes environment.

71-71: Fix grammar - use "it's" instead of "its".

-manifests the core Wren AI manifest templates, its less likely you need to modify them, but check just in case
+manifests the core Wren AI manifest templates, it's less likely you need to modify them, but check just in case
deployment/helm-chart/templates/ai-service-deployment.yaml (3)

37-40: Mount path but no read-only flag

config-volume contains static configuration; mounting it read-only avoids accidental mutation inside the container:

-            - name: config-volume
-              mountPath: /app/data
+            - name: config-volume
+              mountPath: /app/data
+              readOnly: true
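
Review bot: `readOnly: true` applies to the whole `/app/data` mount, not only to the config file, so anything the AI service writes under that directory at runtime will start failing. Confirm the container only reads from `/app/data`, or mount just the file with `subPath: config.yaml` and give the service a separate writable volume for its data.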

71-78: Hard-coded UI endpoint duplicates value in ConfigMap

WREN_UI_ENDPOINT is set here from .Values.config.endpoints.ui, but the ConfigMap already defines the same variable. Keeping both increases drift risk. Consider removing it from one place and referencing via the shared ConfigMap only.


118-118: Add a final newline

POSIX tools expect a trailing newline; add one to avoid lint errors.

deployment/helm-chart/values.yaml (2)

20-42: Strip trailing whitespace to pass YAMLlint

Multiple lines in this block (and throughout the file) end with spaces, breaking CI. Run yq eval or yamllint -d relaxed locally and remove the trailing blanks.


369-369: Terminate file with a newline

Add a final newline to satisfy linters and Git diff hygiene.

deployment/helm-chart/templates/configmap.yaml (2)

20-20: Extra spaces after colon

IBIS_SERVER_VERSION: has two spaces before the value, flagged by YAMLlint. Remove the extra space for consistency.


54-224: ConfigMap too large—consider ConfigMap+Secret or mounted file

config.yaml is ~300 lines; large ConfigMaps hit the 1 MiB limit quickly and are hard to diff. Storing the file in a values template and mounting via projected volume or a separate chart sub-directory is cleaner.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 982d1cb and 4f1fdbe.

📒 Files selected for processing (8)
  • deployment/helm-chart/README.md (1 hunks)
  • deployment/helm-chart/templates/_helpers.tpl (1 hunks)
  • deployment/helm-chart/templates/ai-service-deployment.yaml (1 hunks)
  • deployment/helm-chart/templates/configmap.yaml (1 hunks)
  • deployment/helm-chart/templates/engine-deployment.yaml (1 hunks)
  • deployment/helm-chart/templates/secrets.yaml (1 hunks)
  • deployment/helm-chart/templates/ui-deployment.yaml (1 hunks)
  • deployment/helm-chart/values.yaml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
deployment/helm-chart/templates/ai-service-deployment.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)


[warning] 14-14: wrong indentation: expected 4 but found 6

(indentation)


[warning] 19-19: wrong indentation: expected 6 but found 8

(indentation)


[warning] 22-22: wrong indentation: expected 4 but found 6

(indentation)


[error] 118-118: no new line character at the end of file

(new-line-at-end-of-file)

deployment/helm-chart/templates/configmap.yaml

[warning] 20-20: too many spaces after colon

(colons)


[error] 4-4: syntax error: expected , but found ''

(syntax)

deployment/helm-chart/templates/engine-deployment.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)


[warning] 14-14: wrong indentation: expected 4 but found 6

(indentation)


[warning] 19-19: wrong indentation: expected 6 but found 8

(indentation)


[warning] 22-22: wrong indentation: expected 4 but found 6

(indentation)


[error] 78-78: no new line character at the end of file

(new-line-at-end-of-file)

deployment/helm-chart/templates/secrets.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)


[error] 42-42: no new line character at the end of file

(new-line-at-end-of-file)

deployment/helm-chart/templates/ui-deployment.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)


[warning] 14-14: wrong indentation: expected 4 but found 6

(indentation)


[warning] 19-19: wrong indentation: expected 6 but found 8

(indentation)


[warning] 22-22: wrong indentation: expected 4 but found 6

(indentation)


[error] 100-100: trailing spaces

(trailing-spaces)


[error] 117-117: trailing spaces

(trailing-spaces)


[error] 134-134: no new line character at the end of file

(new-line-at-end-of-file)

deployment/helm-chart/values.yaml

[error] 20-20: trailing spaces

(trailing-spaces)


[error] 28-28: trailing spaces

(trailing-spaces)


[error] 35-35: trailing spaces

(trailing-spaces)


[error] 39-39: trailing spaces

(trailing-spaces)


[error] 53-53: trailing spaces

(trailing-spaces)


[error] 85-85: trailing spaces

(trailing-spaces)


[error] 136-136: trailing spaces

(trailing-spaces)


[error] 146-146: trailing spaces

(trailing-spaces)


[error] 163-163: trailing spaces

(trailing-spaces)


[error] 177-177: trailing spaces

(trailing-spaces)


[error] 248-248: trailing spaces

(trailing-spaces)


[error] 249-249: trailing spaces

(trailing-spaces)


[error] 288-288: trailing spaces

(trailing-spaces)


[error] 295-295: trailing spaces

(trailing-spaces)


[error] 303-303: trailing spaces

(trailing-spaces)


[warning] 348-348: wrong indentation: expected 10 but found 9

(indentation)


[error] 369-369: no new line character at the end of file

(new-line-at-end-of-file)

🪛 LanguageTool
deployment/helm-chart/README.md

[uncategorized] ~16-~16: Loose punctuation mark.
Context: ...helm ## Steps to deploy: Suggestion: Before deploying, check out the Helm va...

(UNLIKELY_OPENING_PUNCTUATION)


[uncategorized] ~71-~71: “its” (belonging to it) seems less likely than “it’s” (it is)
Context: ...ns the core Wren AI manifest templates, its less likely you need to modify them, bu...

(AI_HYDRA_LEO_CPT_ITS_ITIS)


[grammar] ~72-~72: In the grammatical structure ‘pronoun + be/get + used + to + verb’, the verb ‘used’ is used with the gerund.
Context: ...ing helm dependency add, and they are used to deploy third-party services alongside Wren AI....

(ADMIT_ENJOY_VB)


[uncategorized] ~77-~77: Loose punctuation mark.
Context: ... same namespace as wren-ai. - postgres: Database that will be installed in the ...

(UNLIKELY_OPENING_PUNCTUATION)


[uncategorized] ~81-~81: Possible missing comma found.
Context: ...ame(first) and password(second) for the database respectively, separated by a colon. In ...

(AI_HYDRA_LEO_MISSING_COMMA)


[uncategorized] ~82-~82: Use a comma before ‘and’ if it connects two independent clauses (unless they are closely connected and short).
Context: ...erver is running in a Kubernetes cluster and it is named "wren-postgresql" in the *s...

(COMMA_COMPOUND_SENTENCE)


[uncategorized] ~87-~87: You might be missing the article “the” here.
Context: ...the Steps to deploy section to deploy Wren AI app into your k8s. ```shell minikube...

(AI_EN_LECTOR_MISSING_DETERMINER_THE)


[uncategorized] ~122-~122: “you” seems less likely than “your” (belonging to you).
Context: ...mize some values. It can be usefull for you GitOps workflow and can be used in conj...

(AI_HYDRA_LEO_CP_YOU_YOUR)


[style] ~122-~122: ‘in conjunction with’ might be wordy. Consider a shorter alternative.
Context: ...for you GitOps workflow and can be used in conjunction with FluxCD or ArgoCD.

(EN_WORDINESS_PREMIUM_IN_CONJUNCTION_WITH)

🪛 markdownlint-cli2 (0.17.2)
deployment/helm-chart/README.md

7-7: Trailing punctuation in heading
Punctuation: ':'

(MD026, no-trailing-punctuation)


14-14: Trailing punctuation in heading
Punctuation: ':'

(MD026, no-trailing-punctuation)


16-16: Spaces inside code span elements
null

(MD038, no-space-in-code)


69-69: Trailing punctuation in heading
Punctuation: ':'

(MD026, no-trailing-punctuation)

🪛 Checkov (3.2.334)
deployment/helm-chart/values.yaml

[MEDIUM] 34-35: Basic Auth Credentials

(CKV_SECRET_4)

🔇 Additional comments (3)
deployment/helm-chart/templates/_helpers.tpl (1)

1-62: LGTM! Well-structured Helm template helpers.

The template helpers follow Helm best practices and provide consistent naming, labeling, and secret management across the chart. The implementation correctly handles:

  • DNS-compliant name truncation and trimming
  • Standard Kubernetes labels
  • Flexible secret name resolution

These helpers provide a solid foundation for the other templates in the chart.

deployment/helm-chart/templates/ai-service-deployment.yaml (2)

93-95: CONFIG_PATH must align with mounted file

The volume mounts /app/data/config.yaml, matching the default value. If users override aiService.env.configPath, the file may not exist. Guard with a default:

value: {{ default "/app/data/config.yaml" .Values.aiService.env.configPath | quote }}

11-14: Fix selector / matchLabels indentation

matchLabels is two levels deep under selector, so keys beneath it should be indented 8 spaces, not 6. Helm’s nindent 6 macro produces invalid YAML:

-      {{- include "wren-ai.selectorLabels" . | nindent 6 }}
-      app.kubernetes.io/component: ai-service
+        {{- include "wren-ai.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: ai-service

Running helm template . | kubeval currently fails. Adjust the indent or change the helper to nindent 8.

Likely an incorrect or invalid review comment.

Comment on lines +1 to +2
{{- $secretName := include "wren-ai.secretName" . }}
apiVersion: apps/v1
Contributor

🛠️ Refactor suggestion

Insert a YAML document start to silence linter syntax error

YAMLlint flags a “syntax error: expected the node content, but found ‘-’” on line 1.
Add an explicit document delimiter/blank line after the local template assignment so the rendered YAML starts cleanly:

{{- $secretName := include "wren-ai.secretName" . }}
+
+---
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
{{- $secretName := include "wren-ai.secretName" . }}
apiVersion: apps/v1
{{- $secretName := include "wren-ai.secretName" . }}
---
apiVersion: apps/v1
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

🤖 Prompt for AI Agents
In deployment/helm-chart/templates/ai-service-deployment.yaml at lines 1 to 2,
the YAML linter reports a syntax error due to the local template assignment line
not being separated from the YAML content. Fix this by adding a YAML document
start delimiter (---) or a blank line immediately after the local template
assignment line to ensure the rendered YAML begins cleanly and resolves the
linter syntax error.

Comment on lines +69 to +71
# If qdrant.enabled is true, qdrantHost defaults to {{ Release.Name }}-qdrant
qdrantHost: ""

Contributor

🛠️ Refactor suggestion

Empty qdrantHost leads to wrong ENV when qdrant disabled

When qdrant.enabled=false and documentStore.qdrantHost is empty, the deployment still defaults to <release>-qdrant, which won’t resolve. Make the default conditional:

qdrantHost: "{{- if .Values.qdrant.enabled }}{{ .Release.Name }}-qdrant{{- end }}"
🤖 Prompt for AI Agents
In deployment/helm-chart/values.yaml around lines 69 to 71, the qdrantHost is
set to an empty string which causes the deployment to default to
<release>-qdrant even when qdrant.enabled is false, leading to an incorrect
environment variable. Fix this by making the qdrantHost default conditional on
qdrant.enabled being true, using Helm templating syntax to set qdrantHost to
"{{- if .Values.qdrant.enabled }}{{ .Release.Name }}-qdrant{{- end }}".

Comment on lines +15 to +24
secrets:
# Option 1: Use existing secret (recommended for production)
useExistingSecret: true
annotations: {}
existingSecretName: "wren-secret"

# Option 2: Create secret from values (for development/testing)
# Set useExistingSecret to false and provide values below
createFromValues: false
values:
Contributor

⚠️ Potential issue

Plain-text dummy secrets are committed

OPENAI_API_KEY, GEMINI_API_KEY, PG_PASSWORD, etc. sit in the repo—even though marked dummy, they encourage bad practice and can be mistakenly deployed.
Provide only the keys, empty by default, or move them to secrets.values.example excluded via .helmignore.

-    GEMINI_API_KEY: "dummy"
+    # GEMINI_API_KEY: ""
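
Review bot: this hunk comments out only `GEMINI_API_KEY`; the other values named above (`OPENAI_API_KEY`, `PG_PASSWORD`) need the same treatment, otherwise the chart still ships usable-looking defaults. Once the defaults are empty, wrap each mandatory key in Helm's `required` in the secret template so that `createFromValues: true` with a blank key fails at render time instead of deploying an empty credential.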

Committable suggestion skipped: line range outside the PR's diff.

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 20-20: trailing spaces

(trailing-spaces)

🤖 Prompt for AI Agents
In deployment/helm-chart/values.yaml around lines 15 to 24, remove all dummy
secret values such as OPENAI_API_KEY, GEMINI_API_KEY, and PG_PASSWORD from the
file to avoid committing sensitive data. Instead, provide only the keys with
empty default values or move these secret values to a separate file like
secrets.values.example, which should be excluded from the repository using
.helmignore. This prevents accidental deployment of dummy secrets and encourages
better secret management practices.

@dnascimento

@aryankumar04 when will this change be merged? Good work 🚀

@aryankumar04
Author

Hey @dnascimento, thanks for your reviews. I have committed the suggested changes. @wwwy3y3 Can you please check this PR? Thanks in advance!

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

♻️ Duplicate comments (1)
deployment/helm-chart/README.md (1)

34-43: Secrets now look sanitized — good.

Previous gitleaks concern appears addressed; keys are placeholders. Keep it that way.

🧹 Nitpick comments (7)
deployment/helm-chart/README.md (7)

98-105: Remove duplicate external-dns install; add provider note.

external-dns is installed twice; keep the parameterized one. Also remind users to set a provider (e.g., AWS/GCP/Cloudflare) or skip for Minikube.

-helm install external-dns bitnami/external-dns
-helm install \
-  external-dns bitnami/external-dns \
+helm install \
+  external-dns bitnami/external-dns \
   --namespace external-dns \
   --version 7.5.2 \
   --create-namespace \
-  --set installCRDs=true
+  --set provider=<your-dns-provider> \
+  --set txtOwnerId=wren-minikube
+# For local Minikube without a real DNS provider, you can skip external-dns.

4-4: Tighten up grammar, headings, and markdownlint nits.

Fix typos and MD026/MD038 warnings; improves readability.

-3. Secrets vales can be deployed together or separately.
+3. Secrets values can be deployed together or separately.

-## Dependencies used in this kustomization:
+## Dependencies used in this setup

-## Steps to deploy:
+## Steps to deploy

-`Suggestion`: Before deploying, check out the Helm values in the `deployment/helm ` file and modify them to suit your Kubernetes environment.
+`Suggestion`: Before deploying, review the Helm values in `deployment/helm-chart` and modify them to suit your Kubernetes environment.

-### Notes on Helm:
+### Notes on Helm

-- `deployment/helm/values.yaml` is the main file responsible for versions of other apps such as Qdrant and PostgreSQL, version of your Wren AI app. It also combines resourses from the manifest such as ConfigMaps, Deployments, and Services. And example Ingress and Secrets.
+- `deployment/helm-chart/values.yaml` is the main file responsible for versions of other apps such as Qdrant and PostgreSQL, and your Wren AI app. It also combines resources from the manifests such as ConfigMaps, Deployments, Services, example Ingress, and Secrets.

-# GitOps Patches
+# GitOps patches

Also applies to: 7-7, 14-14, 16-16, 69-69, 70-70, 121-121


45-55: Quote secret literals to avoid word-splitting; keep namespace flag first.

Safer for values containing special chars or spaces.

-kubectl create secret generic wren-secret \
+kubectl create secret generic wren-secret -n wren \
   --from-literal=OPENAI_API_KEY=$OPENAI_API_KEY \
-  --from-literal=PG_USERNAME=$PG_USERNAME \
-  --from-literal=PG_PASSWORD=$PG_PASSWORD \
-  --from-literal=PG_ADMIN_PASSWORD=$PG_ADMIN_PASSWORD \
-  --from-literal=PG_URL=$PG_URL \
-  --from-literal=LANGFUSE_PUBLIC_KEY=$LANGFUSE_PUBLIC_KEY \
-  --from-literal=LANGFUSE_SECRET_KEY=$LANGFUSE_SECRET_KEY \
-  --from-literal=POSTHOG_API_KEY=$POSTHOG_API_KEY \
-  --from-literal=USER_UUID=$USER_UUID \
-  -n wren
+  --from-literal=PG_USERNAME="$PG_USERNAME" \
+  --from-literal=PG_PASSWORD="$PG_PASSWORD" \
+  --from-literal=PG_ADMIN_PASSWORD="$PG_ADMIN_PASSWORD" \
+  --from-literal=PG_URL="$PG_URL" \
+  --from-literal=LANGFUSE_PUBLIC_KEY="$LANGFUSE_PUBLIC_KEY" \
+  --from-literal=LANGFUSE_SECRET_KEY="$LANGFUSE_SECRET_KEY" \
+  --from-literal=POSTHOG_API_KEY="$POSTHOG_API_KEY" \
+  --from-literal=USER_UUID="$USER_UUID"
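
Review bot: the unchanged context line `--from-literal=OPENAI_API_KEY=$OPENAI_API_KEY \` is still unquoted, so the hunk quotes every value except the one most likely to be pasted by hand. Quote it as `"$OPENAI_API_KEY"` as well. Separately, `--from-literal` puts each secret on the kubectl command line, where it is visible in the process list; `--from-env-file` pointing at a file with mode 0600 avoids that.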

76-77: Use consistent namespace wording.

Docs say “same namespace as wren-ai” but earlier we created namespace wren. Align wording.

-Starting with wren-ui version 0.6.0 by default the postgres database is used for wren-ui in this helm chart and will be installed in the same namespace as wren-ai.
-- `postgres`: Database that will be installed in the same namespace as wren-ai. You *must* update `PG_URL` in the Secret manifest.
+Starting with wren-ui version 0.6.0 the PostgreSQL database is used for wren-ui in this chart and will be installed in the same namespace (wren).
+- `postgres`: Database installed in the same namespace (wren). You *must* update `PG_URL` in the Secret manifest.

86-117: Minikube guidance: add brief TLS/Ingress note and MetalLB IP pool pointer.

Without TLS config and an address pool, users may stall. Consider a short note.

Suggested addendum (after MetalLB enable):

 minikube addons enable metallb
+# Configure a MetalLB address pool (example range depends on your network):
+# https://minikube.sigs.k8s.io/docs/handbook/addons/metallb/
 ...
 helm repo add jetstack https://charts.jetstack.io
 ...
 kubectl get pods -n cert-manager
+
+# When deploying with TLS, ensure your values set ingress.tls and provide a DNS name.
+# For local tests without DNS, you can use a self-signed ClusterIssuer in cert-manager.

1-6: Call out authentication options.

You already warn about running without auth. Link or mention supported auth patterns (Ingress basic auth, OIDC, or upstream auth) so users can secure deployments.


32-43: Optional: avoid shell history leaks for secrets.

Use read -s or env files; recommend SealedSecrets/ExternalSecrets for production.

Example:

-OPENAI_API_KEY=<YOUR_OPENAI_API_KEY>
+read -r -s OPENAI_API_KEY # paste and press Enter; value stays out of shell history
+echo

And consider describing SealedSecrets/ExternalSecrets alternatives.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4f1fdbe and b5bb75a.

📒 Files selected for processing (1)
  • deployment/helm-chart/README.md (1 hunks)
🧰 Additional context used
🪛 markdownlint-cli2 (0.17.2)
deployment/helm-chart/README.md

7-7: Trailing punctuation in heading
Punctuation: ':'

(MD026, no-trailing-punctuation)


14-14: Trailing punctuation in heading
Punctuation: ':'

(MD026, no-trailing-punctuation)


16-16: Spaces inside code span elements

(MD038, no-space-in-code)


69-69: Trailing punctuation in heading
Punctuation: ':'

(MD026, no-trailing-punctuation)

Comment on lines +16 to +19
`Suggestion`: Before deploying, check out the Helm values in the `deployment/helm ` file and modify them to suit your Kubernetes environment.

The `deployment/helm` folder contains a `values.yaml` file that will inflate the manifests into a `deployment/helm/template` files used to deploy the app to your Kubernetes cluster.

Contributor

⚠️ Potential issue

Fix path inconsistencies: use deployment/helm-chart everywhere.

Current text mixes deployment/helm and deployment/helm-chart, and the -f path points to a non-existent file. This will cause failed installs.

Apply:

-`Suggestion`: Before deploying, check out the Helm values in the `deployment/helm ` file and modify them to suit your Kubernetes environment.
+`Suggestion`: Before deploying, check out the Helm values in the `deployment/helm-chart` folder and modify them to suit your Kubernetes environment.

-The `deployment/helm` folder contains a `values.yaml` file that will inflate the manifests into a `deployment/helm/template` files used to deploy the app to your Kubernetes cluster.
+The `deployment/helm-chart` folder contains a `values.yaml` file that renders templates under `deployment/helm-chart/templates` used to deploy the app to your Kubernetes cluster.

-# Download Wren AI dependency charts like Qdrant or postgresql
-helm dependency build ./deployment/helm-chart
+# Download Wren AI dependency charts like Qdrant or PostgreSQL
+helm dependency build deployment/helm-chart

 # Deploy Wren AI with Helm
-helm upgrade --install wrenai ./deployment/helm-chart \
+helm upgrade --install wrenai deployment/helm-chart \
   --namespace wren \
-  -f deployment/helm/values.yaml \
+  -f deployment/helm-chart/values.yaml \

-### Notes on Helm:
-- `deployment/helm/values.yaml` is the main file responsible for versions of other apps such as Qdrant and PostgreSQL, version of your Wren AI app. It also combines resourses from the manifest such as ConfigMaps, Deployments, and Services. And example Ingress and Secrets.
-- `deployment/helm/template` is the manifests folder that contains the core Wren AI manifest templates, its less likely you need to modify them, but check just in case
-- `deployment/helm/charts` is directory contains any dependent Helm charts (subcharts) required by Wren AI, such as PostgreSQL or Qdrant. These dependencies are either added manually or using `helm dependency add`, and they are used to deploy third-party services alongside Wren AI.
-- `deployment/helm/Chart.yaml` This file defines the metadata for the Helm chart used to deploy Wren AI. It includes the chart name, version, application version, dependencies and a description. Helm uses this file to identify and manage the chart during installation and upgrades.
+### Notes on Helm
+- `deployment/helm-chart/values.yaml` is the main file responsible for versions of other apps such as Qdrant and PostgreSQL, and the Wren AI app. It also combines resources from the manifests such as ConfigMaps, Deployments, Services, example Ingress, and Secrets.
+- `deployment/helm-chart/templates` contains the core Wren AI manifest templates; it’s less likely you need to modify them—verify first.
+- `deployment/helm-chart/charts` contains dependent Helm charts (subcharts) required by Wren AI, such as PostgreSQL or Qdrant. These are added via `helm dependency add` and deployed alongside Wren AI.
+- `deployment/helm-chart/Chart.yaml` defines chart metadata (name, version, appVersion, dependencies, description) used during install/upgrade.
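
Review bot: the rewritten `charts` bullet still says dependencies are added via `helm dependency add`, which is not a Helm subcommand (`helm dependency` offers `build`, `list` and `update`). Point readers to `helm dependency build deployment/helm-chart`, the command this same hunk uses, and state that the dependencies are declared in `Chart.yaml`.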

Also applies to: 58-65, 69-74

🧰 Tools
🪛 markdownlint-cli2 (0.17.2)

16-16: Spaces inside code span elements

(MD038, no-space-in-code)

🤖 Prompt for AI Agents
In deployment/helm-chart/README.md around lines 16 to 19 (also apply same fixes
to lines 58-65 and 69-74), update all occurrences of the incorrect path
"deployment/helm" to the canonical "deployment/helm-chart", and fix any example
-f flags or file references so they point to the existing
deployment/helm-chart/values.yaml (and template references to
deployment/helm-chart/templates or deployment/helm-chart/templates/* as
appropriate); ensure every mention and command uses the exact same
deployment/helm-chart path so installs reference real files.

Comment on lines +20 to +27
```shell
# Clone the repository with Helm chart
git clone https://github.com/Canner/WrenAI.git
cd WrenAI

# Create namespace
kubectl create namespace wren

Contributor

⚠️ Potential issue

🧩 Analysis chain

Verify chart/secret wiring matches docs.

Ensure templates reference wren-secret and the exact key names (OPENAI_API_KEY, PG_URL, etc.), and that NOTES/values align with README.

Also applies to: 58-67, 69-74, 75-85


🏁 Script executed:

#!/bin/bash
# Confirm secret refs and values paths
rg -n -C2 -g 'deployment/helm-chart/**' \
  -e 'secretKeyRef:\s*name:\s*wren-secret' \
  -e 'key:\s*(OPENAI_API_KEY|PG_URL|PG_USERNAME|PG_PASSWORD|PG_ADMIN_PASSWORD|LANGFUSE_PUBLIC_KEY|LANGFUSE_SECRET_KEY|POSTHOG_API_KEY|USER_UUID)'
echo "---- Check values file and NOTES paths ----"
rg -n -C1 -g 'deployment/helm-chart/**' 'values.yaml|wren-secret|ingress|tls|postgresql'

Length of output: 15247


Update README secret creation to match chart templates' secret keys

  • Templates reference the secret via {{ $secretName }} (values.yaml sets existingSecretName/existingSecret = "wren-secret": deployment/helm-chart/values.yaml:19,283) and expect these keys: OPENAI_API_KEY (or GEMINI_API_KEY alternative), PG_URL, PG_USERNAME, PG_PASSWORD, USER_UUID, POSTHOG_API_KEY, LANGFUSE_PUBLIC_KEY, LANGFUSE_SECRET_KEY — see deployment/helm-chart/templates/{ai-service-deployment.yaml,ui-deployment.yaml,engine-deployment.yaml}.
  • README's example only creates wren-secret with OPENAI_API_KEY (deployment/helm-chart/README.md:45-46). Update README/NOTES to create all required secret keys or clearly document which keys are optional/conditional (e.g., GEMINI vs OPENAI, Langfuse/PostHog).
🤖 Prompt for AI Agents
In deployment/helm-chart/README.md around lines 20 to 27, the README currently
only shows creating the namespace and later creates a secret with just
OPENAI_API_KEY; update the README/NOTES to either (A) show creating the expected
Kubernetes secret (wren-secret) populated with all keys referenced by the chart
templates—OPENAI_API_KEY (or GEMINI_API_KEY alternative), PG_URL, PG_USERNAME,
PG_PASSWORD, USER_UUID, POSTHOG_API_KEY, LANGFUSE_PUBLIC_KEY,
LANGFUSE_SECRET_KEY—or (B) clearly document which keys are optional and which
are mutually exclusive (e.g., GEMINI vs OPENAI, Langfuse vs PostHog) and where
to set existingSecretName/values; adjust examples and NOTES accordingly so the
secret names/keys match deployment/helm-chart/templates and values.yaml.

Comment on lines +32 to +43
# MODIFY/GENERATE values of secret and apply kubectl command to create secret (recommended for production)

# Generate secure passwords
OPENAI_API_KEY=<Paste OPENAI_API_KEY here>
PG_USERNAME=wrenai
PG_PASSWORD=$(openssl rand -base64 32)
PG_ADMIN_PASSWORD=$(openssl rand -base64 32)
PG_URL=postgres://wrenai-user:wrenai-pass@wren-postgresql:5432/wrenai
LANGFUSE_PUBLIC_KEY=<Paste LANGFUSE_PUBLIC_KEY here>
LANGFUSE_SECRET_KEY=<Paste LANGFUSE_SECRET_KEY here>
POSTHOG_API_KEY=<Paste POSTHOG_API_KEY here>
USER_UUID=$(openssl rand -base64 32)
Contributor

⚠️ Potential issue

Standardize PostgreSQL credentials and PG_URL; fix mismatch with examples.

Variables (PG_USERNAME/PG_PASSWORD) don’t match PG_URL (wrenai-user:wrenai-pass). Also the bullet claims both creds are “postgres.” This will break connections.

Apply:

-# Generate secure passwords
-OPENAI_API_KEY=<Paste OPENAI_API_KEY here>
-PG_USERNAME=wrenai
-PG_PASSWORD=$(openssl rand -base64 32)
-PG_ADMIN_PASSWORD=$(openssl rand -base64 32)
-PG_URL=postgres://wrenai-user:wrenai-pass@wren-postgresql:5432/wrenai
+# Generate secrets (sample: app user + admin user)
+OPENAI_API_KEY=<YOUR_OPENAI_API_KEY>
+PG_USERNAME=wrenai_user
+PG_PASSWORD=$(openssl rand -base64 32)
+PG_ADMIN_PASSWORD=$(openssl rand -base64 32)
+# Build PG_URL from variables to avoid drift
+PG_URL="postgres://${PG_USERNAME}:${PG_PASSWORD}@wren-postgresql:5432/wrenai"
 LANGFUSE_PUBLIC_KEY=<Paste LANGFUSE_PUBLIC_KEY here>
 LANGFUSE_SECRET_KEY=<Paste LANGFUSE_SECRET_KEY here>
 POSTHOG_API_KEY=<Paste POSTHOG_API_KEY here>
 USER_UUID=$(openssl rand -base64 32)
-Example: `PG_URL: "postgres://wrenai-user:wrenai-pass@wren-postgresql:5432/wrenai"`
+Example: `PG_URL: "postgres://<DB_USER>:<DB_PASSWORD>@wren-postgresql:5432/wrenai"`
 - `postgres://`        This is the protocol. It tells the system that you’re connecting to a PostgreSQL database.
-- `wrenai-user:wrenai-pass`  These are the username(first) and password(second) for the database respectively, separated by a colon. In this case, both the username and password are “postgres”.
+- `<DB_USER>:<DB_PASSWORD>`  Username (first) and password (second) separated by a colon.
 - `@wren-postgresql`   This is the hostname of the database server. "wren-postgresql" means the database server is running in a Kubernetes cluster and it is named "wren-postgresql" in the *same* namespace. If you are using another namespace you must provide the full hostname, example: `wren-postgresql.wren.svc.cluster.local`, "wren" is the namespace name, "svc.cluster.local" is the default domain name for Kubernetes services no need to change it.
 - `:5432`              This is the port number. PostgreSQL servers listen on port 5432 by default.
-- `/wrenai`          This is the name of the database you’re connecting to. In this case, the database name is `wrenai`. It can be found in the helm values file in the auth.database parameter.
+- `/wrenai`            Database name. See the Helm values under the PostgreSQL subchart (auth.database).
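Review bot: The added `PG_URL="postgres://${PG_USERNAME}:${PG_PASSWORD}@wren-postgresql:5432/wrenai"` line interpolates a password produced by `openssl rand -base64 32` without encoding it. Base64 output can contain `/`, and a `/` inside the userinfo part ends the URI authority early, so some generated passwords will yield a PG_URL that parses to the wrong host or fails to connect. Either generate the password from a URL-safe alphabet (for example `openssl rand -hex 32`) or percent-encode the username and password before building PG_URL, and say so in the `<DB_USER>:<DB_PASSWORD>` bullet. Separately, the unchanged context line `USER_UUID=$(openssl rand -base64 32)` produces a base64 string rather than a UUID; rename it or generate a real UUID if anything downstream checks the format.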

Also applies to: 79-85

🤖 Prompt for AI Agents
deployment/helm-chart/README.md lines 32-43 (also apply same fix at 79-85):
PG_USERNAME/PG_PASSWORD values do not match the hardcoded credentials in PG_URL
and the doc wrongly states both creds are “postgres”; update the README so
PG_URL is constructed from the PG_USERNAME and PG_PASSWORD variables (remove the
hardcoded wrenai-user:wrenai-pass), ensure the example credentials and
descriptive bullet correctly reflect the actual variable names/values, and
mirror these same corrections in the section at lines 79-85.
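
Added example, not part of the PR, the README or the review comment above: it builds PG_URL from the same variables as the suggestion does and goes one step further by percent-encoding the credentials, because `openssl rand -base64` output can contain `/`. The helper names `urlencode`, `build_pg_url` and `uri_host` and the sample password are constructed for illustration; the consumer is assumed to parse PG_URL as a standard URI and the credentials are assumed to be ASCII.

```shell
#!/bin/sh
# Added example (not from the PR). Assumes PG_URL is parsed as an RFC 3986 URI
# and that the credentials are ASCII.

# Percent-encode every character outside the RFC 3986 "unreserved" set.
# The body is a subshell so the LC_ALL override does not leak to the caller.
urlencode() (
    LC_ALL=C
    s=$1
    out=
    while [ -n "$s" ]; do
        rest=${s#?}        # everything after the first character
        c=${s%"$rest"}     # the first character itself
        case $c in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
        s=$rest
    done
    printf '%s' "$out"
)

# Build the URL from the same variables that go into the Secret, so the
# credentials in PG_URL cannot drift from PG_USERNAME / PG_PASSWORD.
build_pg_url() {
    printf 'postgres://%s:%s@%s:%s/%s' \
        "$(urlencode "$1")" "$(urlencode "$2")" "$3" "$4" "$5"
}

# Host as a URI parser sees it: the authority ends at the first "/".
uri_host() {
    authority=${1#*://}
    authority=${authority%%/*}
    hostport=${authority##*@}
    printf '%s' "${hostport%%:*}"
}

# Constructed sample values. In the README flow PG_PASSWORD would come from
# `openssl rand -base64 32`, whose output may contain "/", "+" and "=".
PG_USERNAME=wrenai_user
PG_PASSWORD='Zk3/q+Rt9w=='
NAIVE_URL="postgres://${PG_USERNAME}:${PG_PASSWORD}@wren-postgresql:5432/wrenai"
SAFE_URL=$(build_pg_url "$PG_USERNAME" "$PG_PASSWORD" wren-postgresql 5432 wrenai)

echo "naive host: $(uri_host "$NAIVE_URL")"
echo "safe host:  $(uri_host "$SAFE_URL")"
echo "PG_URL=$SAFE_URL"
```

With the unencoded password the parsed host is the username fragment rather than `wren-postgresql`, which is the failure a reader would otherwise see only as an intermittent connection error.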

condition: qdrant.enabled
- name: postgresql
version: "15.5.30"
repository: "https://charts.bitnami.com/bitnami"

https://github.com/bitnami/charts
this was deprecated

Author

I see, let me update it with the most used open-source PostgreSQL chart available. Thanks @dnascimento
