[deploy] add Helm chart

[capcom6]

Summary by CodeRabbit

• New Features
  • Official Helm chart to deploy SMS Gateway on Kubernetes including Deployment, Service, Ingress (TLS), optional internal MariaDB with PVC, ServiceAccount, Secrets, HPA autoscaling, and post-install NOTES.
• Documentation
  • Comprehensive Helm chart README with installation, configuration examples, custom options, and security notes.
• Tests
  • Minikube end-to-end test script and Helm test pod for health checks.
• Chores
  • CI workflow to package and publish the Helm chart to an S3-backed repository.

[coderabbitai]

Walkthrough

Adds a new Helm chart for sms-gateway (Chart, templates, values, README, NOTES, tests), a Minikube test script, and a GitHub Actions workflow to package and push the chart to an S3-backed Helm repo (package + push; index update not included).

Changes

Cohort / File(s)	Summary
GitHub Actions: Helm publish .github/workflows/publish-helm-chart.yml	New workflow triggered on pushes under deployments/helm-chart to master and on releases. Checks out code, sets up Helm, installs helm-s3 plugin, packages the chart (uses release tag or 0.0.0-dev), initializes/adds S3 repo if missing, pushes packaged chart to S3, and removes generated artifacts.
Helm chart core deployments/helm-chart/Chart.yaml, deployments/helm-chart/values.yaml, deployments/helm-chart/README.md	Adds chart metadata, comprehensive default values (image, service, ingress, autoscaling, database, gateway, env, resources, persistence, etc.), and a README with installation, configuration, and usage guidance.
Templating helpers & labels deployments/helm-chart/templates/_helpers.tpl	Adds helper templates: sms-gateway.fullname, sms-gateway.name, sms-gateway.chart, sms-gateway.selectorLabels, sms-gateway.labels, and sms-gateway.serviceAccountName.
Application manifests & extras deployments/helm-chart/templates/deployment.yaml, deployments/helm-chart/templates/service.yaml, deployments/helm-chart/templates/ingress.yaml, deployments/helm-chart/templates/hpa.yaml, deployments/helm-chart/templates/serviceaccount.yaml, deployments/helm-chart/templates/NOTES.txt, deployments/helm-chart/templates/tests/test-connection.yaml	Adds Deployment with conditional env wiring (internal/external DB, private/public gateway modes), Service, conditional Ingress (host/TLS handling), conditional HPA, optional ServiceAccount, NOTES post-install guidance covering multiple access methods and DB info, and a Helm test Pod for health checks.
Database & secrets deployments/helm-chart/templates/database.yaml, deployments/helm-chart/templates/secrets.yaml	Conditionally provisions internal MariaDB resources (StatefulSet, Service, PVC, Secret) when database.deployInternal is true, and creates a chart Secret with base64-encoded DB password plus optional gateway secrets (private token, FCM credentials).
Local test script scripts/test-helm-minikube.sh	New end-to-end test script for Minikube: validates tooling, starts Minikube and configures Docker, creates test namespace, installs/upgrades chart with internal DB and test credentials, waits for readiness, port-forwards and verifies /health, runs Helm tests, then cleans up namespace and port-forward.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant GH as GitHub Actions
  participant Helm as Helm CLI
  participant S3 as AWS S3 (helm-s3 plugin)

  Dev->>GH: Push to master (deployments/helm-chart) or create release
  GH->>GH: Checkout repo
  GH->>Helm: Setup Helm + install helm-s3 plugin
  GH->>Helm: helm package deployments/helm-chart (tag or 0.0.0-dev)
  GH->>S3: helm s3 init / helm s3 add repo (if missing)
  GH->>S3: helm s3 push <chart.tgz> s3://bucket/repo
  GH-->>Dev: Workflow completes (artifacts cleaned)

Loading

sequenceDiagram
  autonumber
  actor Operator as Cluster Operator
  participant Helm as Helm CLI
  participant K8s as Kubernetes API
  participant App as sms-gateway
  participant DB as MariaDB

  Operator->>Helm: helm install/upgrade sms-gateway -f values.yaml
  Helm->>K8s: Apply manifests (Deployment, Service, ...)
  alt database.deployInternal = true
    K8s->>K8s: Create StatefulSet/Service/PVC/Secret for MariaDB
    App->>DB: Connect via internal service
  else
    App->>DB: Connect to external DB host/port
  end
  K8s->>App: Pods become Ready
  Operator->>App: Access via Ingress / Service / NodePort / LoadBalancer

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title “[deploy] add Helm chart” succinctly captures the primary change of introducing a Helm chart and associated deployment workflow, matching the added chart files and CI configuration. It is concise, clear, and specific enough for teammates to understand the main purpose of the pull request.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch deploy/helm-chart

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 8

🧹 Nitpick comments (8)

deployments/helm-chart/README.md (1)

54-57: Align docs with actual values key

The chart templates expect gateway.fcmCredentials, but the table documents gateway.fcmKey. Please update the docs (or the values) so the key matches reality; otherwise users will set the wrong field.

deployments/helm-chart/values.yaml (1)

73-73: Database host should reference the internal service name.

When database.deployInternal is true, the database host should match the generated service name pattern (i.e., <fullname>-db) rather than a static db value. The deployment template correctly handles this at lines 44-50 of deployment.yaml, but the default value here is misleading.

Consider updating the default or adding a comment:

 database:
-  host: db
+  host: ""  # Auto-configured when deployInternal is true, otherwise set your external DB host
   port: 3306

deployments/helm-chart/templates/database.yaml (2)

46-57: Consider adding initial delay to probes.

The readiness and liveness probes start immediately, which might cause unnecessary failures during MariaDB initialization, especially for the first startup.

Add initial delays:

           readinessProbe:
+            initialDelaySeconds: 30
+            periodSeconds: 10
             exec:
               command:
                 - healthcheck.sh
                 - --connect
                 - --innodb_initialized
           livenessProbe:
+            initialDelaySeconds: 60
+            periodSeconds: 30
             exec:
               command:
                 - healthcheck.sh
                 - --connect
                 - --innodb_initialized

---

102-106: Consider making storage class configurable.

The PersistentVolumeClaim doesn't specify a storageClassName, which means it will use the cluster's default storage class. This may not be suitable for all environments.

Add a configurable storage class in values.yaml and reference it here:

In values.yaml:

database:
  mariadb:
    persistence:
      enabled: true
      size: 8Gi
      storageClass: ""  # Use default if empty

In database.yaml:

   resources:
     requests:
       storage: {{ .Values.database.mariadb.persistence.size }}
+  {{- if .Values.database.mariadb.persistence.storageClass }}
+  storageClassName: {{ .Values.database.mariadb.persistence.storageClass }}
+  {{- end }}
 {{- end }}

deployments/helm-chart/templates/deployment.yaml (2)

83-90: Add initial delays and timeouts to health probes.

The health probes lack initial delay and timeout configurations, which could cause premature failures during application startup or when the application is under load.

Add probe configuration:

           livenessProbe:
+            initialDelaySeconds: 30
+            periodSeconds: 10
+            timeoutSeconds: 5
+            failureThreshold: 3
             httpGet:
               path: /health
               port: http
           readinessProbe:
+            initialDelaySeconds: 10
+            periodSeconds: 5
+            timeoutSeconds: 3
+            failureThreshold: 3
             httpGet:
               path: /health
               port: http

---

60-76: Verify mutual exclusivity of gateway modes.

The template assumes that either privateToken or fcmCredentials is set, but doesn't handle the case where both are set or neither is set. This could lead to an incomplete deployment configuration.

Consider adding validation or documentation:

1. Add a comment explaining the modes:

            {{- if .Values.gateway.privateToken }}
            # Private gateway mode - uses private token for authentication
            - name: GATEWAY__MODE

2. Consider adding a validation check that fails deployment if the configuration is invalid. Would you like me to help generate a validation helper that checks these conditions?

scripts/test-helm-minikube.sh (2)

66-69: Consider less aggressive cleanup option.

Deleting the entire Minikube cluster (minikube delete) is aggressive and will destroy all resources, not just the test namespace. This could be problematic if the user has other workloads in the cluster.

Consider only deleting the namespace:

 # Cleanup
 echo "Cleaning up..."
 kill $PORT_FORWARD_PID
-minikube delete
+kubectl delete namespace $NAMESPACE

+echo "Note: Minikube cluster is still running. Run 'minikube delete' to remove it."

Or make it optional:

 # Cleanup
 echo "Cleaning up..."
 kill $PORT_FORWARD_PID
+
+# Delete namespace
+kubectl delete namespace $NAMESPACE
+
+# Optionally delete Minikube cluster
+read -p "Delete Minikube cluster? (y/N): " -n 1 -r
+echo
+if [[ $REPLY =~ ^[Yy]$ ]]; then
+    minikube delete
+fi

---

50-56: Improve reliability of port-forward setup.

The script uses a fixed 5-second sleep to wait for port-forward, which may be insufficient on slower systems or excessive on faster ones.

Consider actively waiting for the port:

 # Port forward to access the service
 echo "Port forwarding to service (http://localhost:8080)..."
 kubectl port-forward --namespace $NAMESPACE service/sms-gateway-test 8080:3000 &
 PORT_FORWARD_PID=$!

-# Give it a moment to establish the connection
-sleep 5
+# Wait for port-forward to be ready
+echo "Waiting for port-forward to be ready..."
+for i in {1..30}; do
+    if curl -s http://localhost:8080/health > /dev/null 2>&1; then
+        echo "Port-forward is ready!"
+        break
+    fi
+    if [ $i -eq 30 ]; then
+        echo "Error: Port-forward failed to establish"
+        kill $PORT_FORWARD_PID
+        exit 1
+    fi
+    sleep 1
+done

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6fad3c1 and fcc29e1.

📒 Files selected for processing (15)

• .github/workflows/publish-helm-chart.yml (1 hunks)
• deployments/helm-chart/Chart.yaml (1 hunks)
• deployments/helm-chart/README.md (1 hunks)
• deployments/helm-chart/templates/NOTES.txt (1 hunks)
• deployments/helm-chart/templates/_helpers.tpl (1 hunks)
• deployments/helm-chart/templates/database.yaml (1 hunks)
• deployments/helm-chart/templates/deployment.yaml (1 hunks)
• deployments/helm-chart/templates/hpa.yaml (1 hunks)
• deployments/helm-chart/templates/ingress.yaml (1 hunks)
• deployments/helm-chart/templates/secrets.yaml (1 hunks)
• deployments/helm-chart/templates/service.yaml (1 hunks)
• deployments/helm-chart/templates/serviceaccount.yaml (1 hunks)
• deployments/helm-chart/templates/tests/test-connection.yaml (1 hunks)
• deployments/helm-chart/values.yaml (1 hunks)
• scripts/test-helm-minikube.sh (1 hunks)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-09-05T08:37:28.077Z

Learnt from: eznix86
PR: android-sms-gateway/server#172
File: deployments/kubernetes/sms-gateway-server/Chart.yaml:9-10
Timestamp: 2025-09-05T08:37:28.077Z
Learning: In the android-sms-gateway/server project, the Helm chart's appVersion in Chart.yaml is set to "latest" as a placeholder because CI automatically updates it with the actual version from git tags during the release process via the bump-chart-app-version.yaml workflow.

Applied to files:

• deployments/helm-chart/README.md
• deployments/helm-chart/Chart.yaml

🪛 Shellcheck (0.11.0)

scripts/test-helm-minikube.sh

[warning] 27-27: Quote this to prevent word splitting.

(SC2046)

🪛 YAMLlint (1.37.1)

deployments/helm-chart/templates/service.yaml

[error] 6-6: syntax error: expected the node content, but found '-'

(syntax)

deployments/helm-chart/templates/hpa.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

deployments/helm-chart/templates/secrets.yaml

[error] 4-4: syntax error: expected , but found ''

(syntax)

deployments/helm-chart/templates/ingress.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

deployments/helm-chart/templates/database.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

deployments/helm-chart/templates/serviceaccount.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

deployments/helm-chart/templates/tests/test-connection.yaml

[error] 4-4: syntax error: expected , but found ''

(syntax)

deployments/helm-chart/templates/deployment.yaml

[error] 6-6: syntax error: expected the node content, but found '-'

(syntax)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: E2E
• GitHub Check: Analyze (go)

🔇 Additional comments (7)

deployments/helm-chart/values.yaml (1)

1-99: LGTM overall structure!

The values.yaml structure is well-organized with comprehensive configuration options for deployment, service, ingress, resources, autoscaling, database, and gateway settings. The defaults are reasonable for development/testing scenarios.

deployments/helm-chart/templates/hpa.yaml (1)

1-28: LGTM!

The HorizontalPodAutoscaler template is correctly configured with:

• Proper conditional rendering based on .Values.autoscaling.enabled
• autoscaling/v2 API version
• Both CPU and memory utilization metrics
• Correct reference to the target deployment

Note: The YAMLlint syntax error is a false positive caused by Helm template syntax (the {{- delimiter).

deployments/helm-chart/templates/NOTES.txt (1)

1-33: Well-structured post-deployment guidance.

The NOTES.txt provides comprehensive instructions for accessing the application across different service types and includes helpful health check and database information.

deployments/helm-chart/templates/database.yaml (1)

1-107: Well-structured database deployment template.

The database.yaml correctly configures a StatefulSet with:

• Proper secret references for passwords
• Health checks using MariaDB's built-in healthcheck script
• Persistent volume for data
• Appropriate labels and selectors

deployments/helm-chart/templates/deployment.yaml (1)

1-102: Excellent deployment template structure!

The deployment.yaml is well-configured with:

• Proper environment variable handling for both internal and external database modes
• Conditional gateway mode configuration
• Correct secret references
• Resource limits and security contexts
• Comprehensive pod scheduling options (nodeSelector, affinity, tolerations)

scripts/test-helm-minikube.sh (1)

1-72: Well-structured test automation script!

The script provides comprehensive end-to-end testing with proper error handling, prerequisite checks, and clear progress output. The overall flow is logical and helpful for testing the Helm chart.

deployments/helm-chart/templates/_helpers.tpl (1)

1-42: LGTM! Standard Helm helpers implementation.

The helper templates follow Helm best practices with:

• Proper fullname generation with override support and truncation
• Standard label templates for consistent resource labeling
• Service account name resolution logic
• Correct handling of chart versioning in labels

These helpers provide the foundation for consistent naming and labeling across all chart resources.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fcc29e1 and 7cb62c8.

📒 Files selected for processing (8)

• .github/workflows/publish-helm-chart.yml (1 hunks)
• deployments/helm-chart/Chart.yaml (1 hunks)
• deployments/helm-chart/README.md (1 hunks)
• deployments/helm-chart/templates/NOTES.txt (1 hunks)
• deployments/helm-chart/templates/database.yaml (1 hunks)
• deployments/helm-chart/templates/deployment.yaml (1 hunks)
• deployments/helm-chart/values.yaml (1 hunks)
• scripts/test-helm-minikube.sh (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• deployments/helm-chart/README.md

🚧 Files skipped from review as they are similar to previous changes (3)

• deployments/helm-chart/values.yaml
• deployments/helm-chart/Chart.yaml
• scripts/test-helm-minikube.sh

🧰 Additional context used

🪛 YAMLlint (1.37.1)

deployments/helm-chart/templates/database.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

deployments/helm-chart/templates/deployment.yaml

[error] 6-6: syntax error: expected the node content, but found '-'

(syntax)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: E2E
• GitHub Check: Analyze (go)

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

deployments/helm-chart/templates/tests/test-connection.yaml (1)

7-14: Add a hook-delete policy for Helm tests.

Without a helm.sh/hook-delete-policy annotation, successful test Pods linger unless the operator passes helm test --cleanup. Add before-hook-creation,hook-succeeded so repeated test runs stay tidy.

   annotations:
     "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded

deployments/helm-chart/templates/database.yaml (1)

62-113: Prefer StatefulSet volumeClaimTemplates over detached PVCs.

Hard-wiring a single PVC with claimName couples the StatefulSet to a pre-created volume and blocks any scale-out or re-creation without manual cleanup. Define the storage in volumeClaimTemplates so Kubernetes provisions per-pod PVCs automatically.

-      volumes:
-        - name: mariadb-data
-          persistentVolumeClaim:
-            claimName: {{ include "sms-gateway.fullname" . }}-db-pvc
+  volumeClaimTemplates:
+    - metadata:
+        name: mariadb-data
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: {{ .Values.database.mariadb.persistence.size }}
+        {{- if .Values.database.mariadb.persistence.storageClass }}
+        storageClassName: {{ .Values.database.mariadb.persistence.storageClass }}
+        {{- end }}

And drop the standalone PVC manifest below.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b87ed07 and 6123028.

📒 Files selected for processing (15)

• .github/workflows/publish-helm-chart.yml (1 hunks)
• deployments/helm-chart/Chart.yaml (1 hunks)
• deployments/helm-chart/README.md (1 hunks)
• deployments/helm-chart/templates/NOTES.txt (1 hunks)
• deployments/helm-chart/templates/_helpers.tpl (1 hunks)
• deployments/helm-chart/templates/database.yaml (1 hunks)
• deployments/helm-chart/templates/deployment.yaml (1 hunks)
• deployments/helm-chart/templates/hpa.yaml (1 hunks)
• deployments/helm-chart/templates/ingress.yaml (1 hunks)
• deployments/helm-chart/templates/secrets.yaml (1 hunks)
• deployments/helm-chart/templates/service.yaml (1 hunks)
• deployments/helm-chart/templates/serviceaccount.yaml (1 hunks)
• deployments/helm-chart/templates/tests/test-connection.yaml (1 hunks)
• deployments/helm-chart/values.yaml (1 hunks)
• scripts/test-helm-minikube.sh (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (6)

• deployments/helm-chart/values.yaml
• deployments/helm-chart/README.md
• scripts/test-helm-minikube.sh
• deployments/helm-chart/templates/_helpers.tpl
• .github/workflows/publish-helm-chart.yml
• deployments/helm-chart/Chart.yaml

🧰 Additional context used

🪛 YAMLlint (1.37.1)

deployments/helm-chart/templates/secrets.yaml

[error] 4-4: syntax error: expected , but found ''

(syntax)

deployments/helm-chart/templates/tests/test-connection.yaml

[error] 4-4: syntax error: expected , but found ''

(syntax)

deployments/helm-chart/templates/hpa.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

deployments/helm-chart/templates/database.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

deployments/helm-chart/templates/deployment.yaml

[error] 6-6: syntax error: expected the node content, but found '-'

(syntax)

deployments/helm-chart/templates/ingress.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

deployments/helm-chart/templates/service.yaml

[error] 6-6: syntax error: expected the node content, but found '-'

(syntax)

deployments/helm-chart/templates/serviceaccount.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: E2E
• GitHub Check: Analyze (go)

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6123028 and 9f650d0.

📒 Files selected for processing (3)

• deployments/helm-chart/templates/NOTES.txt (1 hunks)
• deployments/helm-chart/templates/ingress.yaml (1 hunks)
• deployments/helm-chart/templates/tests/test-connection.yaml (1 hunks)

🧰 Additional context used

🪛 YAMLlint (1.37.1)

deployments/helm-chart/templates/ingress.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

deployments/helm-chart/templates/tests/test-connection.yaml

[error] 4-4: syntax error: expected , but found ''

(syntax)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: E2E
• GitHub Check: Analyze (go)

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Pin the curl test image for reproducibility and supply-chain safety.

curlimages/curl:latest drifts over time, so CI runs can pull different images with breaking changes or unpatched CVEs. Please lock it to a specific tag (ideally with a digest) and bump intentionally later.

-      image: curlimages/curl:latest
+      image: curlimages/curl:8.11.0

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	image: curlimages/curl:latest
	image: curlimages/curl:8.11.0

🤖 Prompt for AI Agents

In deployments/helm-chart/templates/tests/test-connection.yaml around line 13,
the test pod image uses the floating tag "curlimages/curl:latest"; replace it
with a pinned image tag or digest (e.g., curlimages/curl:<specific-version> or
curlimages/curl@sha256:<digest>) to ensure reproducible CI runs and supply-chain
safety, updating the chart values or template accordingly and documenting the
chosen version so it can be intentionally bumped later.