test-zeus-ai · secops-zeus · Sep 20, 2025 · Mar 11, 2026 · Mar 11, 2026 · Mar 11, 2026
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
diff --git a/helm/Chart.yaml b/helm/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v2
+name: trace-viewer
+version: 1.0.0
+description: Playwright trace viewer
+type: application
+
+dependencies:
+  - name: service-template
+    version: "~0.5.0"
+    repository: "oci://us-central1-docker.pkg.dev/prod-testarmy/helm-repository-prod"
diff --git a/helm/README.md b/helm/README.md
@@ -0,0 +1,60 @@
+# Helm Documentation: testzeus-traceviewer
+
+This directory contains the Helm chart for deploying `testzeus-traceviewer` to GKE.
+
+## Deployment
+
+### Development
+```bash
+helm upgrade --install traceviewer ./helm -f ./helm/values-dev.yaml --namespace testzeus-dev
+```
+
+### Production
+```bash
+helm upgrade --install traceviewer ./helm -f ./helm/values-prod.yaml --namespace testzeus-prod
+```
+
+## Infrastructure Notes
+
+- **Ingress**: Managed through Gateway API in the target environment.
+- **Workload Identity**: `values-dev.yaml` and `values-prod.yaml` annotate the Kubernetes service account with the shared runtime GSA for each environment. The matching IAM `roles/iam.workloadIdentityUser` binding must exist in GCP.
+
+## Dev2/Dev3 Deploys
+
+To deploy into the shared dev2/dev3 namespaces:
+
+```bash
+# Dev2
+helm upgrade <release-name> . -f values-dev2.yaml -n testzeus-dev2 --install
+
+# Dev3
+helm upgrade <release-name> . -f values-dev3.yaml -n testzeus-dev3 --install
+```
+
+These values files are intended for branch overrides in dev2/dev3 while `dev` remains the fixed dev environment.
+
+## Deployment Guide: dev / dev2 / dev3
+
+### dev (testzeus-dev)
+- **Branch:** `dev` (fixed)
+- **Trigger:** push to `dev`
+- **Namespace:** `testzeus-dev`
+- **Values:** `values-dev.yaml`
+
+### dev2 / dev3 (branch overrides)
+- **Trigger:** GitHub Actions `workflow_dispatch`
+- **Namespaces:** `testzeus-dev2`, `testzeus-dev3`
+- **Values:** `values-dev2.yaml`, `values-dev3.yaml`
+- **Branch:** any branch provided in the workflow inputs
+
+**Workflow inputs:**
+- `target_env`: `dev2` or `dev3`
+- `branch`: the branch you want to deploy (e.g. `feature/foo`)
+
+**Example:**
+- `target_env=dev2`, `branch=feature/foo`
+- `target_env=dev3`, `branch=bugfix/streaming`
+
+Notes:
+- `dev` remains fixed to `testzeus-dev` and always deploys from `dev` branch.
+- `dev2`/`dev3` are intended for branch testing only.
diff --git a/helm/templates/NOTES.txt b/helm/templates/NOTES.txt
@@ -0,0 +1,33 @@
+{{- $values := index .Values "service-template" -}}
+{{- $serviceName := $values.fullnameOverride | default (printf "%s-service-template" .Release.Name) -}}
+1. Get the application URL by running these commands:
+{{- if $values.service }}
+  {{- if contains "LoadBalancer" ($values.service.type | default "ClusterIP") }}
+    NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+          You can watch the status by running 'kubectl get svc -w {{ $serviceName }}'
+    export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ $serviceName }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+    echo http://$SERVICE_IP:{{ $values.service.port | default 80 }}
+  {{- else if contains "ClusterIP" ($values.service.type | default "ClusterIP") }}
+    {{- $appName := $values.fullnameOverride | default "service-template" -}}
+    export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ $appName }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+    echo "Visit http://127.0.0.1:8080 to use your application"
+    {{- $containerPort := 8080 -}}
+    {{- if $values.containers -}}
+      {{- if (index $values.containers 0).ports -}}
+        {{- $containerPort = (index (index $values.containers 0).ports 0).containerPort | default 8080 -}}
+      {{- end -}}
+    {{- end -}}
+    kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:{{ $containerPort }}
+  {{- else if contains "NodePort" ($values.service.type | default "ClusterIP") }}
+    export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ $serviceName }})
+    export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+    echo http://$NODE_IP:$NODE_PORT
+  {{- end }}
+{{- end }}
+
+{{- if and $values.autoscaling (and $values.autoscaling.enabled (and $values.vpa $values.vpa.enabled)) }}
+WARNING: Both HPA and VPA are enabled. This is a conflicting configuration as both will try to manage resources for the same workload.
+{{- end }}
+{{- if and $values.persistentStorage (and $values.persistentStorage.enabled (eq $values.persistentStorage.accessMode "ReadWriteOnce") (gt (int ($values.replicaCount | default 1)) 1)) }}
+WARNING: persistentStorage is enabled with ReadWriteOnce access mode but replicaCount is greater than 1. Only one pod will be able to mount the volume.
+{{- end }}
diff --git a/helm/values-dev.yaml b/helm/values-dev.yaml
@@ -0,0 +1,74 @@
+service-template:
+  fullnameOverride: "testzeus-traceviewer"
+  replicaCount: 1
+
+  serviceAccount:
+    create: true
+    name: "testzeus-traceviewer-sa"
+    automount: false  # nginx does not call the K8s API
+    annotations:
+      iam.gke.io/gcp-service-account: "gke-runtime-dev@dev-testzeus.iam.gserviceaccount.com"
+
+  podSecurityContext:
+    seccompProfile:
+      type: RuntimeDefault
+
+  containers:
+    - name: trace-viewer
+      image:
+        repository: "us-central1-docker.pkg.dev/GCP_PROJECT_ID_DEV/GAR_DOCKER_REPOSITORY_DEV"
+        tag: latest
+        pullPolicy: Always
+      ports:
+        - containerPort: 80
+      env:
+        - name: HOST
+          value: "0.0.0.0"
+        - name: PORT
+          value: "80"
+        - name: NODE_ENV
+          value: development
+      resources:
+        requests:
+          cpu: "250m"
+          memory: "512Mi"
+        limits:
+          cpu: "500m"
+          memory: "512Mi"
+      readinessProbe:
+        httpGet:
+          path: /
+          port: 80
+        initialDelaySeconds: 5
+        periodSeconds: 10
+        failureThreshold: 3
+      livenessProbe:
+        httpGet:
+          path: /
+          port: 80
+        initialDelaySeconds: 10
+        periodSeconds: 20
+        failureThreshold: 3
+      securityContext: {}
+
+  service:
+    enabled: true
+    type: ClusterIP
+    port: 80
+    targetPort: 80
+
+  httpRoute:
+    enabled: true
+    parentRefs:
+      - name: testzeus-gateway
+        namespace: testzeus
+        sectionName: https
+    hostnames:
+      - "tzviewer.dev.testzeus.app"
+    rules:
+      - matches:
+          - path: /
+            pathType: PathPrefix
+
+  secrets:
+    enabled: false # No secrets for trace-viewer yet
diff --git a/helm/values-dev4.yaml b/helm/values-dev4.yaml
@@ -0,0 +1,74 @@
+service-template:
+  fullnameOverride: "testzeus-traceviewer"
+  replicaCount: 1
+
+  serviceAccount:
+    create: true
+    name: "testzeus-traceviewer-sa"
+    automount: false  # nginx does not call the K8s API
+    annotations:
+      iam.gke.io/gcp-service-account: "gke-runtime-dev@dev-testzeus.iam.gserviceaccount.com"
+
+  podSecurityContext:
+    seccompProfile:
+      type: RuntimeDefault
+
+  containers:
+    - name: trace-viewer
+      image:
+        repository: "us-central1-docker.pkg.dev/GCP_PROJECT_ID_DEV/GAR_DOCKER_REPOSITORY_DEV"
+        tag: latest
+        pullPolicy: Always
+      ports:
+        - containerPort: 80
+      env:
+        - name: HOST
+          value: "0.0.0.0"
+        - name: PORT
+          value: "80"
+        - name: NODE_ENV
+          value: development
+      resources:
+        requests:
+          cpu: "250m"
+          memory: "512Mi"
+        limits:
+          cpu: "500m"
+          memory: "512Mi"
+      readinessProbe:
+        httpGet:
+          path: /
+          port: 80
+        initialDelaySeconds: 5
+        periodSeconds: 10
+        failureThreshold: 3
+      livenessProbe:
+        httpGet:
+          path: /
+          port: 80
+        initialDelaySeconds: 10
+        periodSeconds: 20
+        failureThreshold: 3
+      securityContext: {}
+
+  service:
+    enabled: true
+    type: ClusterIP
+    port: 80
+    targetPort: 80
+
+  httpRoute:
+    enabled: true
+    parentRefs:
+      - name: testzeus-gateway
+        namespace: testzeus
+        sectionName: https
+    hostnames:
+      - "tzviewer.dev4.testzeus.app"
+    rules:
+      - matches:
+          - path: /
+            pathType: PathPrefix
+
+  secrets:
+    enabled: false # No secrets for trace-viewer yet
diff --git a/helm/values-dev5.yaml b/helm/values-dev5.yaml
@@ -0,0 +1,74 @@
+service-template:
+  fullnameOverride: "testzeus-traceviewer"
+  replicaCount: 1
+
+  serviceAccount:
+    create: true
+    name: "testzeus-traceviewer-sa"
+    automount: false  # nginx does not call the K8s API
+    annotations:
+      iam.gke.io/gcp-service-account: "gke-runtime-dev@dev-testzeus.iam.gserviceaccount.com"
+
+  podSecurityContext:
+    seccompProfile:
+      type: RuntimeDefault
+
+  containers:
+    - name: trace-viewer
+      image:
+        repository: "us-central1-docker.pkg.dev/GCP_PROJECT_ID_DEV/GAR_DOCKER_REPOSITORY_DEV"
+        tag: latest
+        pullPolicy: Always
+      ports:
+        - containerPort: 80
+      env:
+        - name: HOST
+          value: "0.0.0.0"
+        - name: PORT
+          value: "80"
+        - name: NODE_ENV
+          value: development
+      resources:
+        requests:
+          cpu: "250m"
+          memory: "512Mi"
+        limits:
+          cpu: "500m"
+          memory: "512Mi"
+      readinessProbe:
+        httpGet:
+          path: /
+          port: 80
+        initialDelaySeconds: 5
+        periodSeconds: 10
+        failureThreshold: 3
+      livenessProbe:
+        httpGet:
+          path: /
+          port: 80
+        initialDelaySeconds: 10
+        periodSeconds: 20
+        failureThreshold: 3
+      securityContext: {}
+
+  service:
+    enabled: true
+    type: ClusterIP
+    port: 80
+    targetPort: 80
+
+  httpRoute:
+    enabled: true
+    parentRefs:
+      - name: testzeus-gateway
+        namespace: testzeus
+        sectionName: https
+    hostnames:
+      - "tzviewer.dev5.testzeus.app"
+    rules:
+      - matches:
+          - path: /
+            pathType: PathPrefix
+
+  secrets:
+    enabled: false # No secrets for trace-viewer yet