fix(charts): address PR #12787 review comments

P1 fixes:
- Quote all user-provided secret values in object-store-secret and db-secret
- Replace hardcoded kubeflow namespace in Argo workflowNamespaces with
  empty list (defaults to release namespace via singleNamespace: true)
- Remove dead seaweedfs.enabled knob (templates use objectStore.type)

P2 Helm best-practice improvements:
- Add fullnameOverride/nameOverride support in _helpers.tpl
- Add standard K8s labels (app.kubernetes.io/name, version, selectorLabels)
- Add .gitignore for chart archives
- Tighten dependency versions to ~X.Y.0 ranges
- Add global.imagePullSecrets with helper included in all deployments
- Add Helm test for API server health endpoint
- Add values.schema.json for config validation
- Default publicConfig version to .Chart.AppVersion instead of "dev"
- Add per-component replicas parameter in values and deployments
- Add PodDisruptionBudgets for apiServer, metadataGrpc, cacheServer
- Add global nodeSelector/tolerations/affinity with component-level fallback

Signed-off-by: Jaison Paul <paul.jaison@gmail.com>

Author: jsonmp-k8

charts/kubeflow-pipelines/.gitignore

@@ -0,0 +1 @@
+charts/*.tgz

charts/kubeflow-pipelines/Chart.yaml

@@ -16,23 +16,23 @@ maintainers:
   - name: Kubeflow Pipelines Authors
 dependencies:
   - name: argo-workflows
-    version: 0.45.x
+    version: ~0.45.0
     repository: https://argoproj.github.io/argo-helm
     condition: argo-workflows.enabled
   - name: mysql
-    version: 12.x.x
+    version: ~12.3.0
     repository: https://charts.bitnami.com/bitnami
     condition: mysql.enabled
   - name: postgresql
-    version: 16.x.x
+    version: ~16.7.0
     repository: https://charts.bitnami.com/bitnami
     condition: postgresql.enabled
   - name: minio
-    version: 5.x.x
+    version: ~5.4.0
     repository: https://charts.min.io/
     condition: minio.enabled
   - name: metacontroller-helm
-    version: 4.x.x
+    version: ~4.12.0
     repository: oci://ghcr.io/metacontroller
     condition: metacontroller.enabled
     alias: metacontroller

charts/kubeflow-pipelines/templates/_helpers.tpl

@@ -1,10 +1,49 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "kubeflow-pipelines.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+*/}}
+{{- define "kubeflow-pipelines.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Chart label value.
+*/}}
+{{- define "kubeflow-pipelines.chart" -}}
+{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+{{- end }}
+
 {{/*
 Common labels
 */}}
 {{- define "kubeflow-pipelines.labels" -}}
+helm.sh/chart: {{ include "kubeflow-pipelines.chart" . }}
+{{ include "kubeflow-pipelines.selectorLabels" . }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "kubeflow-pipelines.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "kubeflow-pipelines.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
-helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
 {{- end }}
 
 {{/*
@@ -113,3 +152,13 @@ Object store endpoint port
 {{- define "kubeflow-pipelines.objectStorePort" -}}
 9000
 {{- end }}
+
+{{/*
+imagePullSecrets
+*/}}
+{{- define "kubeflow-pipelines.imagePullSecrets" -}}
+{{- with .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}

charts/kubeflow-pipelines/templates/apiserver/deployment.yaml

@@ -6,6 +6,7 @@ metadata:
     {{- include "kubeflow-pipelines.labels" . | nindent 4 }}
   name: ml-pipeline
 spec:
+  replicas: {{ .Values.apiServer.replicas }}
   selector:
     matchLabels:
       app: ml-pipeline
@@ -16,6 +17,7 @@ spec:
       annotations:
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
     spec:
+      {{- include "kubeflow-pipelines.imagePullSecrets" . | nindent 6 }}
       securityContext:
         seccompProfile:
           type: RuntimeDefault
@@ -204,15 +206,15 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
       serviceAccountName: ml-pipeline
-      {{- with .Values.apiServer.nodeSelector }}
+      {{- with .Values.apiServer.nodeSelector | default .Values.global.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.apiServer.tolerations }}
+      {{- with .Values.apiServer.tolerations | default .Values.global.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.apiServer.affinity }}
+      {{- with .Values.apiServer.affinity | default .Values.global.affinity }}
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}

charts/kubeflow-pipelines/templates/apiserver/pdb.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.apiServer.podDisruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: ml-pipeline
+  labels:
+    app: ml-pipeline
+    {{- include "kubeflow-pipelines.labels" . | nindent 4 }}
+spec:
+  minAvailable: {{ .Values.apiServer.podDisruptionBudget.minAvailable }}
+  selector:
+    matchLabels:
+      app: ml-pipeline
+{{- end }}

charts/kubeflow-pipelines/templates/cache-deployer/deployment.yaml

@@ -17,6 +17,7 @@ spec:
       labels:
         app: cache-deployer
     spec:
+      {{- include "kubeflow-pipelines.imagePullSecrets" . | nindent 6 }}
       securityContext:
         seccompProfile:
           type: RuntimeDefault
@@ -43,15 +44,15 @@ spec:
         {{- end }}
       serviceAccountName: kubeflow-pipelines-cache-deployer-sa
       restartPolicy: Always
-      {{- with .Values.cacheDeployer.nodeSelector }}
+      {{- with .Values.cacheDeployer.nodeSelector | default .Values.global.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.cacheDeployer.tolerations }}
+      {{- with .Values.cacheDeployer.tolerations | default .Values.global.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.cacheDeployer.affinity }}
+      {{- with .Values.cacheDeployer.affinity | default .Values.global.affinity }}
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}

charts/kubeflow-pipelines/templates/cache/deployment.yaml

@@ -6,7 +6,7 @@ metadata:
     app: cache-server
     {{- include "kubeflow-pipelines.labels" . | nindent 4 }}
 spec:
-  replicas: 1
+  replicas: {{ .Values.cacheServer.replicas }}
   selector:
     matchLabels:
       app: cache-server
@@ -15,6 +15,7 @@ spec:
       labels:
         app: cache-server
     spec:
+      {{- include "kubeflow-pipelines.imagePullSecrets" . | nindent 6 }}
       securityContext:
         seccompProfile:
           type: RuntimeDefault
@@ -122,15 +123,15 @@ spec:
         secret:
           secretName: webhook-server-tls
       serviceAccountName: kubeflow-pipelines-cache
-      {{- with .Values.cacheServer.nodeSelector }}
+      {{- with .Values.cacheServer.nodeSelector | default .Values.global.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.cacheServer.tolerations }}
+      {{- with .Values.cacheServer.tolerations | default .Values.global.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.cacheServer.affinity }}
+      {{- with .Values.cacheServer.affinity | default .Values.global.affinity }}
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}

charts/kubeflow-pipelines/templates/cache/pdb.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.cacheServer.podDisruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: cache-server
+  labels:
+    app: cache-server
+    {{- include "kubeflow-pipelines.labels" . | nindent 4 }}
+spec:
+  minAvailable: {{ .Values.cacheServer.podDisruptionBudget.minAvailable }}
+  selector:
+    matchLabels:
+      app: cache-server
+{{- end }}

charts/kubeflow-pipelines/templates/kubeflow-pipelines-public-configmap.yaml

@@ -5,4 +5,4 @@ metadata:
   labels:
     {{- include "kubeflow-pipelines.labels" . | nindent 4 }}
 data:
-  kubeflow_pipelines_version: {{ .Values.publicConfig.kubeflowPipelinesVersion | quote }}
+  kubeflow_pipelines_version: {{ .Values.publicConfig.kubeflowPipelinesVersion | default .Chart.AppVersion | quote }}

charts/kubeflow-pipelines/templates/metadata-writer/deployment.yaml

@@ -6,7 +6,7 @@ metadata:
     app: metadata-writer
     {{- include "kubeflow-pipelines.labels" . | nindent 4 }}
 spec:
-  replicas: 1
+  replicas: {{ .Values.metadataWriter.replicas }}
   selector:
     matchLabels:
       app: metadata-writer
@@ -15,6 +15,7 @@ spec:
       labels:
         app: metadata-writer
     spec:
+      {{- include "kubeflow-pipelines.imagePullSecrets" . | nindent 6 }}
       securityContext:
         seccompProfile:
           type: RuntimeDefault
@@ -44,15 +45,15 @@ spec:
           {{- toYaml . | nindent 10 }}
         {{- end }}
       serviceAccountName: kubeflow-pipelines-metadata-writer
-      {{- with .Values.metadataWriter.nodeSelector }}
+      {{- with .Values.metadataWriter.nodeSelector | default .Values.global.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.metadataWriter.tolerations }}
+      {{- with .Values.metadataWriter.tolerations | default .Values.global.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.metadataWriter.affinity }}
+      {{- with .Values.metadataWriter.affinity | default .Values.global.affinity }}
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}