
Add Helm chart deployment support to plugin framework #320

Merged: maorfr merged 1 commit into main from post-operators-helm-framework on May 4, 2026

@eliorerz (Collaborator) commented Apr 30, 2026

Summary

  • Add Helm chart deployment phase to plugin lifecycle — plugins can declare helm[] in plugin.yaml to install Helm charts after operators, before tasks/deploy.yaml
  • Remote charts: set repo (Helm repo URL) + chart (chart name) + optional version — fetched via helm repo add
  • Local charts: set chart (path relative to plugin dir) or omit for default charts/<release>
  • Jinja2 values templates or static values files (schema rejects both set together)
  • Configurable namespace, timeout, wait, createNamespace, and retry logic with logging
  • Schema updated with helm_chart definition including repo, version, chart fields
  • Validation script updated to allow helm field, charts/ and templates/ directories
  • Documentation updated with Helm in lifecycle, field table, and plugin checklist

Updated plugin lifecycle:

 1. Load plugin.yaml + defaults + validate requirements
 2. tasks/pre-validate.yaml
 3. Mirror (disconnected)
 4. Patch MCE registries
 5. Install OLM operators
 6. Deploy Helm charts            ← NEW
 7. tasks/deploy.yaml
 8. tasks/post-validate.yaml

Backward compatible — plugins without helm[] skip the step.

Test plan

  • scripts/verification/validate_plugins.sh passes for all plugins
  • All plugin.yaml files validate against schemas/plugin.yaml
  • Schema rejects ambiguous valuesTemplate + valuesFile combinations
  • make deploy-plugin PLUGIN=lvms still works (no helm = skip)

Summary by CodeRabbit

  • New Features

    • Added Helm chart deployment support to the plugin lifecycle, executing between post-operators and deploy phases.
    • Plugins can now declare Helm charts in their configuration with support for local and remote chart repositories.
    • Plugin structure now accepts charts/ and templates/ directories.
  • Documentation

    • Updated plugin architecture documentation to reflect new Helm deployment capabilities and execution order.

@github-actions (bot) added the validation and plugins labels on Apr 30, 2026

@coderabbitai (bot) commented Apr 30, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1c02dae6-4ecf-4c9b-8f42-54887f5df0d1

📥 Commits

Reviewing files that changed from the base of the PR and between 180c98a and d6c2752.

📒 Files selected for processing (5)
  • docs/PLUGIN_ARCHITECTURE.md
  • playbooks/tasks/deploy_plugin.yaml
  • playbooks/tasks/helm_deploy.yaml
  • schemas/plugin.yaml
  • scripts/verification/validate_plugins.sh
🚧 Files skipped from review as they are similar to previous changes (4)
  • playbooks/tasks/deploy_plugin.yaml
  • playbooks/tasks/helm_deploy.yaml
  • schemas/plugin.yaml
  • docs/PLUGIN_ARCHITECTURE.md

Walkthrough

Adds declarative Helm chart deployment to the plugin lifecycle: introduces a helm field in plugin.yaml, supports charts/ and templates/ dirs, adds a reusable Ansible helm deploy task, runs Helm between post-operators and deploy, and updates validators and docs accordingly.

Changes

Cohort / File(s) and summary:

  • Documentation (docs/PLUGIN_ARCHITECTURE.md): Documents new Helm phase and updated execution order: post-operators -> helm -> deploy -> post-validate; documents optional charts/, templates/, and files/ plugin layout and new helm field.
  • Playbooks / Helm Tasks (playbooks/tasks/deploy_plugin.yaml, playbooks/tasks/helm_deploy.yaml): Adds conditional loop in deploy_plugin.yaml to run Helm per plugin.helm; new helm_deploy.yaml handles repo add/update, local chart validation, values templating/copying, helm upgrade --install with logging, retries, and status checks.
  • Schema (schemas/plugin.yaml): Adds definitions.helm_chart and top-level helm array; enforces required release and namespace, conditional chart when repo set, disallows both valuesTemplate and valuesFile, and forbids additional properties.
  • Validation Scripts (scripts/verification/validate_plugins.sh): Allows helm in top-level plugin.yaml fields and permits charts/ and templates/ as valid plugin directory entries; updates validation messages accordingly.

Sequence Diagram(s)

sequenceDiagram
    actor Orchestrator
    participant PostOps as post-operators.yaml
    participant HelmTask as helm_deploy.yaml
    participant HelmRepo as Helm/Kubernetes
    participant DeployTask as deploy.yaml

    Orchestrator->>PostOps: include post-operators (if present)
    PostOps->>Orchestrator: complete
    Orchestrator->>HelmTask: for each entry in plugin.helm
    loop per helm_chart
        HelmTask->>HelmRepo: add/update repo (if repo set)
        HelmTask->>HelmTask: render/copy values (valuesTemplate or valuesFile)
        HelmTask->>HelmRepo: helm upgrade --install (with flags, timeout)
        HelmRepo-->>HelmTask: install result / logs
        HelmTask->>HelmRepo: helm status (verify)
        HelmRepo-->>HelmTask: status output
    end
    Orchestrator->>DeployTask: include deploy task
    DeployTask->>HelmRepo: run remaining deployment steps

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'Add Helm chart deployment support to plugin framework' clearly and specifically summarizes the main change: introducing Helm chart deployment capability to the plugin system.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@coderabbitai (bot) left a comment

Actionable comments posted: 4

🧹 Nitpick comments (1)
schemas/plugin.yaml (1)

100-133: ⚡ Quick win

Disallow ambiguous valuesTemplate + valuesFile combinations.

Allowing both fields at once creates unclear config intent (runtime currently gives precedence to template). Add a schema rule to reject both being set together.

Suggested fix
   helm_chart:
     type: object
     additionalProperties: false
+    not:
+      allOf:
+        - required: [valuesTemplate]
+        - required: [valuesFile]
     properties:
       chart:
         type: string
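Review bot: The `not` / `allOf` pair added at the top of `helm_chart` is correct but more verbose than it needs to be; `not: {required: [valuesTemplate, valuesFile]}` rejects exactly the same objects in one clause. Whichever form is kept, add a plugin fixture that sets both fields so scripts/verification/validate_plugins.sh exercises the rejection, because the comment above says the runtime currently gives precedence to the template when both are present.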
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@schemas/plugin.yaml` around lines 100 - 133, The helm_chart schema currently
allows both valuesTemplate and valuesFile to be set (ambiguous), so update the
helm_chart object schema to reject configurations that include both properties;
add a JSON Schema constraint (e.g., a "not" clause that disallows an object with
required ["valuesTemplate","valuesFile"]) inside the helm_chart definition so
any instance containing both valuesTemplate and valuesFile will fail validation.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/PLUGIN_ARCHITECTURE.md`:
- Around line 91-101: Clarify that tasks/early-validate.yaml is executed during
the earlier validation phase (not by deploy_plugin.yaml) by adding a short
parenthetical note after "tasks/early-validate.yaml" saying it runs in the
pre-deployment validation phase (no cluster access) and is invoked before
deploy_plugin.yaml; update the same clarification near the duplicate mention at
lines 106-107 so both places consistently specify that early-validate.yaml is
run by the validation stage, not the deployment task.

In `@playbooks/tasks/deploy_plugin.yaml`:
- Around line 156-164: The include of "{{ plugin_dir
}}/tasks/post-operators.yaml" is only gated by file existence and runs even when
operators are not meant to be installed; update the when condition on the
include to require both the file to exist and that operator installation is
enabled (e.g., installOperators is true OR the operators list is non-empty) so
post-operators run only when operators are being installed; modify the when to
combine lookup('ansible.builtin.fileglob', plugin_dir ~
'/tasks/post-operators.yaml') | length > 0 with checks against installOperators
and/or operators (refer to the include task that references plugin_dir and
post-operators.yaml).

In `@playbooks/tasks/helm_deploy.yaml`:
- Around line 7-10: The task "Helm | Set chart path for {{ helm_chart.release
}}" currently sets _helm_chart_ref using helm_chart.chart as-is which can be a
relative path resolved against the wrong CWD; update the set_fact to normalize
helm_chart.chart relative to plugin_dir when it's provided and not an absolute
path: if helm_chart.chart is defined and does not start with '/' (or a Windows
drive letter) then set _helm_chart_ref to plugin_dir ~ '/' ~ helm_chart.chart,
otherwise use helm_chart.chart as given; if helm_chart.chart is not defined fall
back to plugin_dir ~ '/charts/' ~ helm_chart.release. Ensure this logic is
applied where _helm_chart_ref is assigned so references to helm_chart.chart,
plugin_dir and _helm_chart_ref are used.
- Around line 52-66: The helm task's pipeline currently uses "helm ... | tee {{
_helm_log }}" which yields tee's exit code so r_helm_install incorrectly sees
success; update the ansible.builtin.shell invocation in
playbooks/tasks/helm_deploy.yaml to enable bash pipefail by prefixing the
command with "set -o pipefail" (so the pipeline fails if helm fails) and set
executable: /bin/bash so pipefail is supported; keep the existing helm upgrade
invocation, _helm_values_arg and _helm_log but ensure the register target
remains r_helm_install and the retry/until logic will then behave correctly.

---

Nitpick comments:
In `@schemas/plugin.yaml`:
- Around line 100-133: The helm_chart schema currently allows both
valuesTemplate and valuesFile to be set (ambiguous), so update the helm_chart
object schema to reject configurations that include both properties; add a JSON
Schema constraint (e.g., a "not" clause that disallows an object with required
["valuesTemplate","valuesFile"]) inside the helm_chart definition so any
instance containing both valuesTemplate and valuesFile will fail validation.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d47260a7-7b33-459e-94a3-187d7b9c37fd

📥 Commits

Reviewing files that changed from the base of the PR and between bb39773 and 1d1cbe5.

📒 Files selected for processing (7)
  • docs/PLUGIN_ARCHITECTURE.md
  • playbooks/tasks/deploy_plugin.yaml
  • playbooks/tasks/helm_deploy.yaml
  • playbooks/tasks/mirror_plugin.yaml
  • schemas/plugin.yaml
  • scripts/verification/validate_plugins.sh
  • templates/plugin-imageset.yaml.j2

Comment thread docs/PLUGIN_ARCHITECTURE.md
Comment on lines +156 to +164
- name: Run post-operators
ansible.builtin.include_tasks:
file: "{{ plugin_dir }}/tasks/post-operators.yaml"
apply:
tags: post-operators
environment:
KUBECONFIG: "{{ workingDir }}/ocp-cluster/auth/kubeconfig"
when: lookup('ansible.builtin.fileglob', plugin_dir ~ '/tasks/post-operators.yaml') | length > 0
tags: post-operators

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Gate post-operators.yaml on operator-install conditions too.

At Line 163, this hook runs whenever the file exists, even when operators are skipped (installOperators: false or empty operators list). That breaks the intended phase semantics and can fail tasks expecting installed operator resources.

Suggested fix
 - name: Run post-operators
   ansible.builtin.include_tasks:
     file: "{{ plugin_dir }}/tasks/post-operators.yaml"
     apply:
       tags: post-operators
       environment:
         KUBECONFIG: "{{ workingDir }}/ocp-cluster/auth/kubeconfig"
-  when: lookup('ansible.builtin.fileglob', plugin_dir ~ '/tasks/post-operators.yaml') | length > 0
+  when:
+    - plugin.operators | default([]) | length > 0
+    - plugin.installOperators | default(true)
+    - lookup('ansible.builtin.fileglob', plugin_dir ~ '/tasks/post-operators.yaml') | length > 0
   tags: post-operators
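Review bot: In the new `when` list, `plugin.installOperators | default(true)` is used as a bare truth test; append `| bool` so a value that arrives as the string "false" is coerced to a boolean instead of being evaluated as a non-empty string. The other two conditions already reduce to comparisons and need no change.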
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@playbooks/tasks/deploy_plugin.yaml` around lines 156 - 164, The include of
"{{ plugin_dir }}/tasks/post-operators.yaml" is only gated by file existence and
runs even when operators are not meant to be installed; update the when
condition on the include to require both the file to exist and that operator
installation is enabled (e.g., installOperators is true OR the operators list is
non-empty) so post-operators run only when operators are being installed; modify
the when to combine lookup('ansible.builtin.fileglob', plugin_dir ~
'/tasks/post-operators.yaml') | length > 0 with checks against installOperators
and/or operators (refer to the include task that references plugin_dir and
post-operators.yaml).

Comment thread playbooks/tasks/helm_deploy.yaml Outdated
Comment thread playbooks/tasks/helm_deploy.yaml
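
The exit-status masking described in the helm_deploy.yaml review comment above, reproduced as an added example (not code from this PR). A stand-in command replaces `helm upgrade --install`, the loop is a simplified model of a retries/until check on the registered return code, and `bash` is assumed to be on PATH.

```python
"""Added example: `cmd | tee log` reports tee's status unless pipefail is set."""
import shlex
import subprocess
import tempfile
from pathlib import Path

# Constructed stand-in for a failing `helm upgrade --install`: prints an error
# line and exits 1. Any failing command behaves the same way in the pipeline.
FAKE_HELM = "sh -c 'echo \"Error: UPGRADE FAILED (constructed)\"; exit 1'"


def run_install(log_path, pipefail):
    """Run the stand-in through `| tee` and return the status the caller sees."""
    prefix = "set -o pipefail; " if pipefail else ""
    script = f"{prefix}{FAKE_HELM} 2>&1 | tee {shlex.quote(str(log_path))}"
    # bash is invoked explicitly because pipefail is not guaranteed in /bin/sh.
    done = subprocess.run(["bash", "-c", script], capture_output=True, text=True)
    return done.returncode


def deploy_with_retries(pipefail, retries=3):
    """Simplified model of a retries/until loop keyed on the return code."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "helm-demo.log"
        attempts = 0
        rc = None
        while attempts < retries and rc != 0:
            attempts += 1
            rc = run_install(log, pipefail)
        return {
            "attempts": attempts,
            "reported_ok": rc == 0,
            "log_has_error": "UPGRADE FAILED" in log.read_text(),
        }


if __name__ == "__main__":
    print("without pipefail:", deploy_with_retries(pipefail=False))
    print("with pipefail:   ", deploy_with_retries(pipefail=True))
```

Without pipefail the first attempt is reported as successful even though the log contains the error; with pipefail every attempt fails and the retries are actually used.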
@maorfr (Collaborator) left a comment

supporting helm is a nice addition!

this PR requires an approach change to use remote charts, versioning should also be considered.

Comment thread playbooks/tasks/helm_deploy.yaml
Comment thread playbooks/tasks/mirror_plugin.yaml Outdated
Comment thread playbooks/tasks/mirror_plugin.yaml Outdated
catalog_mirror: "{{ mirror_certified_rh_operator_catalog }}-{{ plugin.name }}"
catalog_version: "{{ certified_operator_catalog_version }}"
when:
- plugin.operators | default([]) | length > 0

same as above, not sure why this is re-added

Comment thread playbooks/tasks/mirror_plugin.yaml
Comment thread playbooks/tasks/mirror_plugin.yaml Outdated
Comment thread playbooks/tasks/mirror_plugin.yaml Outdated
Comment thread playbooks/tasks/mirror_plugin.yaml
Comment thread playbooks/tasks/mirror_plugin.yaml Outdated
Comment thread schemas/plugin.yaml Outdated
@maorfr (Collaborator) commented Apr 30, 2026

would it be possible to split the post-operators hook and the helm implementation to separate PRs?

@eliorerz (Collaborator, Author) commented

> supporting helm is a nice addition!
>
> this PR requires an approach change to use remote charts, versioning should also be considered.

@maorfr Good point. I'll add support for remote charts. helm_chart will accept a repo field (Helm repo URL) and a version field. When repo is set, the deploy task will helm repo add and install from the repo instead of a local path. Local charts will still be supported as a fallback. The schema will be updated to include repo and version fields. WDYT?

@maorfr (Collaborator) commented Apr 30, 2026

> > supporting helm is a nice addition!
> > this PR requires an approach change to use remote charts, versioning should also be considered.
>
> @maorfr Good point. I'll add support for remote charts. helm_chart will accept a repo field (Helm repo URL) and a version field. When repo is set, the deploy task will helm repo add and install from the repo instead of a local path. Local charts will still be supported as a fallback. The schema will be updated to include repo and version fields. WDYT?

sounds great!

@eliorerz force-pushed the post-operators-helm-framework branch from 1d1cbe5 to 180c98a on April 30, 2026 12:44

@github-actions (bot) commented

Tarball created: quay.io/edge-infrastructure/enclave:da5dbdece76a8fb7bd9c20116be7908298af15dd (da5dbde)

@coderabbitai (bot) left a comment

Actionable comments posted: 1

♻️ Duplicate comments (1)
playbooks/tasks/deploy_plugin.yaml (1)

156-164: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Gate post-operators on operator installation.

This include still runs whenever the file exists, even if operator installation is skipped. That can break plugins that only need Helm deployment or explicitly disable operators.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@playbooks/tasks/deploy_plugin.yaml` around lines 156 - 164, The "Run
post-operators" include currently only checks for file existence and still
executes even when operators are skipped; update the include_tasks conditional
to also require the operator-installation flag (e.g., install_operators or
operators_enabled) so the post-operators file runs only when operators are
actually being installed. Locate the "Run post-operators" task (ansible
include_tasks referencing "{{ plugin_dir }}/tasks/post-operators.yaml") and
change its when to combine the existing fileglob check with a boolean gate such
as (install_operators | default(true)) or (operators_enabled | default(false))
so both the file exists and operator installation is enabled before including
post-operators.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@schemas/plugin.yaml`:
- Around line 100-143: The helm_chart schema allows repo without chart; add an
if/then rule so that when the helm_chart property "repo" is present the schema
requires "chart". Modify the helm_chart object to include an "if: { required:
[\"repo\"] }" and corresponding "then: { required: [\"chart\"] }" constraint so
deployments using the helm_chart (symbols: helm_chart, repo, chart) will
validate before playbook execution.

---

Duplicate comments:
In `@playbooks/tasks/deploy_plugin.yaml`:
- Around line 156-164: The "Run post-operators" include currently only checks
for file existence and still executes even when operators are skipped; update
the include_tasks conditional to also require the operator-installation flag
(e.g., install_operators or operators_enabled) so the post-operators file runs
only when operators are actually being installed. Locate the "Run
post-operators" task (ansible include_tasks referencing "{{ plugin_dir
}}/tasks/post-operators.yaml") and change its when to combine the existing
fileglob check with a boolean gate such as (install_operators | default(true))
or (operators_enabled | default(false)) so both the file exists and operator
installation is enabled before including post-operators.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9fdd3a97-5560-4043-a076-ace8beeb0a23

📥 Commits

Reviewing files that changed from the base of the PR and between 1d1cbe5 and 180c98a.

📒 Files selected for processing (5)
  • docs/PLUGIN_ARCHITECTURE.md
  • playbooks/tasks/deploy_plugin.yaml
  • playbooks/tasks/helm_deploy.yaml
  • schemas/plugin.yaml
  • scripts/verification/validate_plugins.sh
✅ Files skipped from review due to trivial changes (1)
  • playbooks/tasks/helm_deploy.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • docs/PLUGIN_ARCHITECTURE.md

Comment thread schemas/plugin.yaml
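
How the two schema constraints from the reviews above behave (`not`/`allOf` for valuesTemplate together with valuesFile, and `if`/`then` for repo requiring chart), as an added example that is not the project's schemas/plugin.yaml. The schema fragment, the property list and the sample entries are constructed from field names mentioned on this page, and the evaluator covers only the keywords used here.

```python
"""Added example: minimal evaluator for the JSON Schema keywords used by helm_chart."""

# Constructed schema fragment: keyword shapes follow the review comments on this
# page; the property list is an assumption built from field names it mentions.
HELM_CHART_SCHEMA = {
    "type": "object",
    "additionalProperties": False,
    "required": ["release", "namespace"],
    "not": {"allOf": [{"required": ["valuesTemplate"]},
                      {"required": ["valuesFile"]}]},
    "if": {"required": ["repo"]},
    "then": {"required": ["chart"]},
    "properties": {name: {} for name in (
        "release", "namespace", "chart", "repo", "version", "valuesTemplate",
        "valuesFile", "timeout", "wait", "createNamespace")},
}


def errors(schema, inst, path="helm[]"):
    """Return the violations of `schema` by `inst` (subset of JSON Schema)."""
    if schema.get("type") == "object" and not isinstance(inst, dict):
        return [f"{path}: expected an object"]
    out = []
    if not isinstance(inst, dict):
        return out  # the remaining keywords here only constrain objects
    for key in schema.get("required", []):
        if key not in inst:
            out.append(f"{path}: missing required field '{key}'")
    if schema.get("additionalProperties") is False:
        for key in sorted(set(inst) - set(schema.get("properties", {}))):
            out.append(f"{path}: unknown field '{key}'")
    for sub in schema.get("allOf", []):
        out.extend(errors(sub, inst, path))
    # `not` fails exactly when the inner schema validates cleanly.
    if "not" in schema and not errors(schema["not"], inst, path):
        out.append(f"{path}: matches a forbidden combination")
    # `then` applies only when the `if` schema validates cleanly.
    if "if" in schema and not errors(schema["if"], inst, path):
        out.extend(errors(schema.get("then", {}), inst, path))
    return out


# Constructed helm[] entries, keyed by what each one is meant to exercise.
BASE = {"release": "demo", "namespace": "demo"}
SAMPLES = {
    "remote-pinned": {**BASE, "repo": "https://charts.example.invalid",
                      "chart": "demo", "version": "1.2.3"},
    "local-default": dict(BASE),
    "both-values": {**BASE, "valuesTemplate": "templates/values.yaml.j2",
                    "valuesFile": "files/values.yaml"},
    "repo-no-chart": {**BASE, "repo": "https://charts.example.invalid"},
    "typo": {**BASE, "valueFile": "files/values.yaml"},
}


def check_all(samples=SAMPLES):
    """Validate every sample and return {name: [violations]}."""
    return {name: errors(HELM_CHART_SCHEMA, entry, f"helm[{name}]")
            for name, entry in samples.items()}


if __name__ == "__main__":
    for name, found in check_all().items():
        print(name, "->", found or "ok")
```

The `typo` entry shows why `additionalProperties: false` matters here: a misspelled `valueFile` would otherwise pass validation and the chart would deploy with default values.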
@eliorerz force-pushed the post-operators-helm-framework branch from 180c98a to 6ffe6c0 on April 30, 2026 20:17

@eliorerz changed the title from "Add post-operators hook and Helm chart support to plugin framework" to "Add Helm chart deployment support to plugin framework" on Apr 30, 2026

@eliorerz (Collaborator, Author) commented

> would it be possible to split the post-operators hook and the helm implementation to separate PRs?

Created #325 and updated the current one.

@github-actions (bot) commented

Tarball created: quay.io/edge-infrastructure/enclave:70cbf0a9da7c4462a37a14122960b89c8cf26912 (70cbf0a)

@eliorerz force-pushed the post-operators-helm-framework branch from 6ffe6c0 to 396e77d on April 30, 2026 20:19

@github-actions (bot) commented

Tarball created: quay.io/edge-infrastructure/enclave:cb27b9dcfabc9695a553d2cc1af20758ecbedc2a (cb27b9d)

Plugins can declare a helm[] list in plugin.yaml to deploy Helm charts
after operator installation and before tasks/deploy.yaml.

Both local and remote charts are supported:
- Local: chart path relative to plugin directory (default: charts/<release>)
- Remote: set repo (Helm repo URL) + chart name, fetched via helm repo add

Features:
- Jinja2 values templates or static values files
- Chart version pinning via version field
- Configurable namespace, timeout, wait, and createNamespace
- Retry logic with logging to workingDir/logs/
- Schema rejects ambiguous valuesTemplate + valuesFile combinations

Supporting changes:
- Schema: helm_chart definition with repo, version, chart fields
- Validation script: allow helm field, charts/ and templates/ dirs
- Documentation: updated lifecycle, field table, and plugin checklist
@eliorerz force-pushed the post-operators-helm-framework branch from 396e77d to d6c2752 on May 1, 2026 18:37

@github-actions (bot) commented May 1, 2026

Tarball created: quay.io/edge-infrastructure/enclave:eebdb11575a9d7517e5888aab0b3320536c6499c (eebdb11)

@eliorerz requested a review from maorfr on May 1, 2026 18:55
@maorfr merged commit c98cc9a into main on May 4, 2026 (21 checks passed)
@maorfr deleted the post-operators-helm-framework branch on May 4, 2026 06:09