chore: Support helm deploy on KinD in makefile

[lachen-nv]

Description

Add helm deploy command into the Makefile

Type of Change

• Feature - New feature or functionality (feat:)
• Fix - Bug fixes (fix:)
• Chore - Modification or removal of existing functionality (chore:)
• Refactor - Refactoring of existing functionality (refactor:)
• Docs - Changes in documentation or OpenAPI schema (docs:)
• CI - Changes in Github workflows. Requires additional scrutiny (ci:)
• Version - Issuing a new release version (version:)

Services Affected

• API - API models or endpoints updated
• Workflow - Workflow service updated
• DB - DB DAOs or migrations updated
• Site Manager - Site Manager updated
• Cert Manager - Cert Manager updated
• Site Agent - Site Agent updated
• RLA - RLA service updated
• Powershelf Manager - Powershelf Manager updated

Related Issues (Optional)

Breaking Changes

• This PR contains breaking changes

Testing

• Unit tests added/updated
• Integration tests added/updated
• Manual testing performed
• No testing required (docs, internal refactor, etc.)

Additional Notes

---

Test Report: Helm Deployment via make kind-reset

Environment

• Remote host: Ubuntu 24.04 LTS, x86_64
• Kind: v0.29.0 / kubectl: v1.35.2 / Docker: 28.3.3 / Go: 1.25.4

Test: make kind-reset (Helm path)

Ran make kind-reset end-to-end on a fresh remote machine. All steps completed successfully:

• Kind cluster creation
• Docker image builds
• cert-manager, PKI, PostgreSQL, Temporal, Keycloak
• helm upgrade --install carbide-rest (umbrella chart)
• helm upgrade --install carbide-rest-site-agent
• setup-local.sh site-agent bootstrap

Final pod status (carbide-rest namespace)

carbide-rest-api 1/1 Running 0
carbide-rest-cert-manager 1/1 Running 0
carbide-rest-cloud-worker 1/1 Running 0
carbide-rest-db-migration 0/1 Completed 0
carbide-rest-mock-core 1/1 Running 0
carbide-rest-site-agent-0 1/1 Running 0
carbide-rest-site-manager 1/1 Running 0
carbide-rest-site-worker 1/1 Running 0
keycloak 1/1 Running 0

Bug found & fixed during testing

Site-agent was CrashLooping after bootstrap.
Root cause: the temporal-client-site-agent-certs secret was not pre-created by the Helm chart, so the bootstrap code's secretIf.Get() returned NotFound and failed. The Kustomize path already
had a placeholder secret (temporal-client-site-agent-certs.yaml) but it was missing from the Helm chart.

Fix: added helm/charts/carbide-rest-site-agent/templates/temporal-certs-secret.yaml as an empty placeholder secret, matching the Kustomize behavior. Also added create verb to the site-agent RBAC Role for completeness.

Summary by CodeRabbit

• New Features

  • Added Helm-based orchestration with new deploy/verify/uninstall commands and targeted site-agent workflows.
  • Added Kustomize as an alternative full-stack deployment path.
  • Expanded local Kind reset/deploy flows with dedicated infra, Kustomize, and Helm variants.

• Documentation

  • Updated local deployment guide to document both Helm umbrella-chart and Kustomize overlay workflows and commands.

• Chores

  • Broadened RBAC permissions for the site-agent and added a managed secret for Temporal client TLS certificates.

[github-actions]

🔐 TruffleHog Secret Scan

✅ No secrets or credentials found!

Your code has been scanned for 700+ types of secrets and credentials. All clear! 🎉

🔗 View scan details

_{🕐 Last updated: 2026-03-11 12:04:46 UTC | Commit: 6bb4192}

[github-actions]

🛡️ Vulnerability Scan

🚨 Found 64 vulnerability(ies)
📊 vs main: 64 (no change)

Severity Breakdown:

• 🔴 Critical/High: 64
• 🟡 Medium: 0
• 🔵 Low/Info: 0

🔗 View full details in Security tab

_{🕐 Last updated: 2026-03-11 12:04:56 UTC | Commit: 6bb4192}

[thossain-nv]

Looks good, thank you @lachen-nv for getting the Helm installation complete. Looks like we should increment the version.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 667b2c66-d124-41e0-b22d-e5c80c28d1d9

📥 Commits

Reviewing files that changed from the base of the PR and between cb866c0 and a22818f.

📒 Files selected for processing (1)

• helm/charts/carbide-rest-site-agent/Chart.yaml

---

📝 Walkthrough

Walkthrough

Added Helm and Kustomize deployment orchestration and new Makefile targets for multi-path Kind deployments; updated README with Helm and Kustomize workflows; added Role "create" verbs for certificaterequests/secrets and a new Temporal TLS Secret template in the carbide-rest-site-agent chart.

Changes

Cohort / File(s)	Summary
Build Orchestration Makefile	Added public Helm variables (UMBRELLA_CHART, SITE_AGENT_CHART, HELM_SET, HELM_SET_KEYCLOAK) and new targets (helm-lint, helm-template, helm-deploy, helm-deploy-site-agent, helm-deploy-all, helm-redeploy, helm-verify, helm-verify-site-agent, helm-uninstall). Introduced specialized Kind reset targets (kind-reset-infra, kind-reset-kustomize, kind-reset-helm) and aliased kind-reset → kind-reset-helm.
Documentation README.md	Expanded Local Deployment section to document Helm umbrella-chart and Kustomize overlay alternatives, added example commands (e.g., make kind-reset-kustomize) and updated maintenance/operational commands to include Helm-specific operations (helm-redeploy, helm-verify, helm-uninstall).
Site-Agent RBAC & Secrets helm/charts/carbide-rest-site-agent/templates/rbac.yaml, helm/charts/carbide-rest-site-agent/templates/temporal-certs-secret.yaml, helm/charts/carbide-rest-site-agent/Chart.yaml	RBAC: added "create" verb for certificaterequests and secrets in the Role. Added new Secret template for Temporal client TLS certs with stringData placeholders (otp, cacertificate, certificate, key). Bumped chart version 0.1.3 → 0.1.4.

Sequence Diagram(s)

mermaid
sequenceDiagram
participant Dev as Developer (make)
participant Make as Makefile
participant Kind as Kind cluster
participant Helm as Helm umbrella
participant Kustomize as Kustomize overlays
participant SiteAgent as Site-Agent

Dev->>Make: run target (e.g., kind-reset / helm-deploy / kind-reset-kustomize)
Make->>Kind: prepare/reset infra (kind-reset-infra)
alt Helm path
    Make->>Helm: helm template/lint/deploy umbrella chart
    Helm->>SiteAgent: deploy site-agent chart (`SITE_AGENT_CHART`)
    Helm->>Make: report readiness
else Kustomize path
    Make->>Kustomize: apply overlays
    Kustomize->>Kind: deploy manifests
    Kustomize->>Make: report readiness
end
Make->>Dev: verification output (helm-verify / kind-verify)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 In Makefile meadows I hop and compile,

Helm umbrellas shelter, Kustomize stacks reconcile,
RBAC seeds planted, certs snug in a nest,
Charts bumped and ready — deployments at rest. 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding Helm deployment support to the Makefile for Kind clusters, which aligns with the substantial additions of Helm-related targets and variables.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

CodeRabbit can use OpenGrep to find security vulnerabilities and bugs across 17+ programming languages.

OpenGrep is compatible with Semgrep configurations. Add an opengrep.yml or semgrep.yml configuration file to your project to enable OpenGrep analysis.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

Makefile (1)

254-254: Add a conventional all target for Makefile best practices.

The Makefile lacks a standard all target entry point. While all helm-related targets on line 254 are properly defined, adding an all target (or similar convention) would align with Makefile standards and reduce checkmake linter warnings.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Makefile` at line 254, Add a conventional top-level "all" Makefile target and
include it in the .PHONY list alongside the existing targets; implement "all" as
a short alias/dependency that invokes the existing collective target (e.g., make
all should depend on helm-deploy-all or another appropriate aggregate target),
and update the .PHONY declaration (the line containing .PHONY: helm-lint
helm-template ... helm-uninstall) to include "all" so the linter and users have
a standard entry point.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@helm/charts/carbide-rest-site-agent/templates/temporal-certs-secret.yaml`:
- Line 23: The template uses a whitespace-trim left delimiter at the labels
include which breaks YAML linting; modify the include invocation in the
temporal-certs-secret template to use the standard delimiter (remove the leading
'-') so the line reads an ordinary include of "carbide-rest-site-agent.labels"
piped to nindent 4, ensuring the nindent 4 filter still controls indentation and
the rendered YAML remains valid.

In `@Makefile`:
- Around line 541-543: The Helm upgrade/install command for the site agent
currently swallows failures via "|| true"; remove that failure suppression so
the Make target fails on real Helm errors (locate the line containing "helm
upgrade --install carbide-rest-site-agent $(SITE_AGENT_CHART)/ --namespace
carbide-rest $(HELM_SET) --timeout 1m || true" and delete the "|| true"). If you
want retries, implement explicit retry logic or a conditional that logs and
exits non‑zero instead of silencing errors.

---

Nitpick comments:
In `@Makefile`:
- Line 254: Add a conventional top-level "all" Makefile target and include it in
the .PHONY list alongside the existing targets; implement "all" as a short
alias/dependency that invokes the existing collective target (e.g., make all
should depend on helm-deploy-all or another appropriate aggregate target), and
update the .PHONY declaration (the line containing .PHONY: helm-lint
helm-template ... helm-uninstall) to include "all" so the linter and users have
a standard entry point.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 7fe1ecef-0228-48b1-9c9d-bc2708bd27fc

📥 Commits

Reviewing files that changed from the base of the PR and between 0fffc26 and cb866c0.

📒 Files selected for processing (4)

• Makefile
• README.md
• helm/charts/carbide-rest-site-agent/templates/rbac.yaml
• helm/charts/carbide-rest-site-agent/templates/temporal-certs-secret.yaml