
feat(aisix-cloud): add AISIX private-deployment control-plane chart #298

Open
jarvis9443 wants to merge 2 commits into main from feat/add-aisix-cloud-chart

Conversation

jarvis9443 commented Jun 18, 2026


Part of api7/AISIX-Cloud#789 (AISIX CP private/offline deployment).

Publishes the AISIX control plane (cp-api, dp-manager, dashboard) as a public Helm chart so users can install it from https://charts.api7.ai:

helm repo add api7 https://charts.api7.ai
helm install my-aisix api7/aisix-cloud --namespace aisix --create-namespace

Details

  • Ported from api7/AISIX-Cloud helm/aisix-cloud (that internal copy stays the source of truth — it's what the dev ArgoCD app + ci-helm deploy). Uses the aisix-cp-* image names.
  • For public use the image tags now default to the chart appVersion (and the DP image to ghcr.io/api7/aisix:<appVersion>), so a versioned install pulls matching release images instead of :dev.
  • Independently versioned (like ingress-controller / developer-portal-fe): chart 0.1.0, appVersion 0.1.0.
  • Added to ct lint + helm-docs (README generated). Not added to ct install — there's no published release image at the appVersion yet, and real install coverage already runs in the AISIX-Cloud ci-helm pipeline (builds images from source + installs into kind).

Merge ordering

This chart references aisix-cp-*:0.1.0 / aisix:0.1.0 images, which don't exist until the first v0.1.0 release of the data-plane + control-plane repos. Merge this after that release so the published chart resolves to real images. (CI here only lints/renders, so it's green regardless.)

Summary by CodeRabbit

  • New Features
    • Added AISIX Cloud Helm chart for deploying the control plane, including API server, dashboard UI, and data-plane manager with configurable database support (PostgreSQL built-in or external), security contexts, and resource management options.
  • Chores
    • Updated CI workflow to include ingress-controller chart linting.

Publishes the AISIX control plane (cp-api, dp-manager, dashboard) as a
public Helm chart so users can `helm install api7/aisix-cloud` from
https://charts.api7.ai (#789).

Ported from the AISIX-Cloud repo's internal chart, with the image tags
defaulting to the chart appVersion (and the DP image to
ghcr.io/api7/aisix:<appVersion>) so a versioned install pulls matching
release images. Uses the aisix-cp-* image names. Added to ct lint and
helm-docs; install coverage lives in the AISIX-Cloud ci-helm pipeline.

coderabbitai Bot commented Jun 18, 2026


Walkthrough

Adds a complete new aisix-cloud Helm chart (charts/aisix-cloud/) with chart metadata, a 186-line values schema, shared template helpers, Kubernetes Deployments and Services for three components (api, dpm, ui), credential Secrets with helm-time validation, a conditional ServiceAccount, and user-facing docs. CI lint and AGENTS.md are updated to register the new chart.

Changes

aisix-cloud Helm Chart

Layer: Chart metadata, values schema, and CI registration
File(s): charts/aisix-cloud/Chart.yaml, charts/aisix-cloud/.helmignore, charts/aisix-cloud/values.yaml, AGENTS.md, .github/workflows/ci.yaml
Summary: Defines chart identity with a conditional Bitnami PostgreSQL dependency, the full values schema for all components (global, api, dpm, ui, serviceAccount, secrets, postgresql, externalDatabase), and registers the chart in AGENTS.md and the CI lint target list.

Layer: Helm template helpers
File(s): charts/aisix-cloud/templates/_helpers.tpl
Summary: Adds all shared helpers: naming/label generation, PostgreSQL connection parameter resolution switching between builtin and external modes, databaseURL construction with runtime $(PGPASSWORD) substitution, secret name resolution, serviceAccountName branching, imagePullSecrets, and the pgWaitInitContainer init-container template using pg_isready.

Layer: Credential secrets and ServiceAccount
File(s): charts/aisix-cloud/templates/secret.yaml, charts/aisix-cloud/templates/external-db-secret.yaml, charts/aisix-cloud/templates/serviceaccount.yaml
Summary: Renders a master-key/better-auth-secret Secret with helm-time validation rejecting empty or CHANGE_ME placeholders, a conditional external DB password Secret, and a conditional ServiceAccount with automountServiceAccountToken: false.

Layer: API (cp-api) Deployment and Service
File(s): charts/aisix-cloud/templates/api-deployment.yaml, charts/aisix-cloud/templates/api-service.yaml
Summary: Deployment with pgWaitInitContainer, env vars for DB URL, master-key, dashboard URL, DPMGR URL, OAuth toggle, and DP image; HTTP /healthz probes on port 8080; Service exposing that port.

Layer: DPM Deployment and Service
File(s): charts/aisix-cloud/templates/dpm-deployment.yaml, charts/aisix-cloud/templates/dpm-service.yaml
Summary: Deployment exposing TLS port 7944 with pgWaitInitContainer, PG password and master-key from Secrets, TCP liveness/readiness probes; Service with optional nodePort field when type is NodePort.

Layer: UI Deployment and Service
File(s): charts/aisix-cloud/templates/ui-deployment.yaml, charts/aisix-cloud/templates/ui-service.yaml
Summary: Deployment exposing HTTP port 3000 with secret-backed PGPASSWORD/BETTER_AUTH_SECRET, database URL, and locale env vars, plus HTTP probes on /; Service parameterized from ui.service.*.

Layer: Chart README and NOTES.txt
File(s): charts/aisix-cloud/README.md, charts/aisix-cloud/templates/NOTES.txt
Summary: README provides a full values reference table; NOTES.txt gives post-install access instructions with a conditional branch between NodePort and ClusterIP data-plane exposure guidance.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Security Check: ❌ Error
Explanation: Two unresolved critical issues from review comments: (1) pgSecretName helper missing postgresql.auth.existingSecret check causes deployment failure when using existing secrets; (2) NOTES.txt hardco...
Resolution: Apply both proposed fixes from review: Add existingSecret check to pgSecretName helper (lines 131-143); replace hardcoded :dev with templated version in NOTES.txt line 33.
✅ Passed checks (5 passed)
Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title accurately summarizes the main change: adding a new Helm chart for the AISIX Cloud control plane, which is the primary purpose of this PR.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
E2e Test Quality Review: ✅ Passed. This PR adds a Helm chart (declarative YAML), not executable code. The E2E test quality check is designed for application code with unit/E2E tests. Helm charts are validated via ct lint (included...

coderabbitai Bot left a comment


Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@charts/aisix-cloud/templates/_helpers.tpl`:
- Around line 131-143: The aisix-cloud.pgSecretName template definition does not
check for postgresql.auth.existingSecret when postgresql.builtin is true,
causing the template to always return a generated secret name and ignore any
existing secret the user has configured. In the builtin branch (the first if
block starting with postgresql.builtin), add a condition to check if
postgresql.auth.existingSecret is set and return that value before falling back
to checking postgresql.fullnameOverride or the default generated PostgreSQL
secret name.

In `@charts/aisix-cloud/templates/NOTES.txt`:
- Line 33: The NOTES.txt file contains a hardcoded reference to
ghcr.io/api7/aisix:dev which uses the mutable dev tag instead of a versioned
release tag. Replace the :dev tag suffix with a Helm template variable that
references the actual chart version or app version (typically using {{
.Chart.AppVersion }} or {{ .Chart.Version }}) to ensure users are directed to
stable, versioned images that align with the chart's versioned-install contract.

In `@charts/aisix-cloud/templates/ui-deployment.yaml`:
- Line 4: The metadata.name field in the ui-deployment.yaml file contains an
unquoted Helm template expression that can cause YAML parsing failures when
tooling reads the template before Helm rendering. Wrap the entire value of the
name field (which contains the include "aisix-cloud.fullname" helper and the
"-ui" suffix) in double quotes to properly escape the template expression and
prevent YAML parser breakage.

In `@charts/aisix-cloud/templates/ui-service.yaml`:
- Line 4: The metadata.name field in the ui-service.yaml template contains an
unquoted templated value that poses a YAML parsing risk. Wrap the templated
value `{{ include "aisix-cloud.fullname" . }}-ui` in quotes (either single or
double) to ensure proper YAML parsing and compatibility with static analysis
tools. This change should be applied to the name field in the metadata section
to match the same quoting pattern that should be used for templated values.
📥 Commits

Reviewing files that changed from the base of the PR and between f82a6e7 and ae5f0b5.

⛔ Files ignored due to path filters (1)
  • charts/aisix-cloud/Chart.lock is excluded by !**/*.lock
📒 Files selected for processing (18)
  • .github/workflows/ci.yaml
  • AGENTS.md
  • charts/aisix-cloud/.helmignore
  • charts/aisix-cloud/Chart.yaml
  • charts/aisix-cloud/README.md
  • charts/aisix-cloud/charts/postgresql-12.12.10.tgz
  • charts/aisix-cloud/templates/NOTES.txt
  • charts/aisix-cloud/templates/_helpers.tpl
  • charts/aisix-cloud/templates/api-deployment.yaml
  • charts/aisix-cloud/templates/api-service.yaml
  • charts/aisix-cloud/templates/dpm-deployment.yaml
  • charts/aisix-cloud/templates/dpm-service.yaml
  • charts/aisix-cloud/templates/external-db-secret.yaml
  • charts/aisix-cloud/templates/secret.yaml
  • charts/aisix-cloud/templates/serviceaccount.yaml
  • charts/aisix-cloud/templates/ui-deployment.yaml
  • charts/aisix-cloud/templates/ui-service.yaml
  • charts/aisix-cloud/values.yaml

Comment on lines +131 to +143
{{- define "aisix-cloud.pgSecretName" -}}
{{- if .Values.postgresql.builtin }}
{{- if .Values.postgresql.fullnameOverride }}
{{- .Values.postgresql.fullnameOverride }}
{{- else }}
{{- printf "%s-postgresql" .Release.Name }}
{{- end }}
{{- else if .Values.externalDatabase.existingSecret }}
{{- .Values.externalDatabase.existingSecret }}
{{- else }}
{{- printf "%s-external-db" (include "aisix-cloud.fullname" .) }}
{{- end }}
{{- end }}


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Honor postgresql.auth.existingSecret in builtin secret-name resolution.

At Line 132, builtin mode always resolves to the generated PostgreSQL secret name, so when postgresql.auth.existingSecret is set, app pods can reference a non-existent secret and fail startup.

🔧 Proposed fix
 {{- define "aisix-cloud.pgSecretName" -}}
 {{- if .Values.postgresql.builtin }}
-{{- if .Values.postgresql.fullnameOverride }}
+{{- if .Values.postgresql.auth.existingSecret }}
+{{- .Values.postgresql.auth.existingSecret }}
+{{- else if .Values.postgresql.fullnameOverride }}
 {{- .Values.postgresql.fullnameOverride }}
 {{- else }}
 {{- printf "%s-postgresql" .Release.Name }}
 {{- end }}
 {{- else if .Values.externalDatabase.existingSecret }}
 {{- .Values.externalDatabase.existingSecret }}
 {{- else }}
 {{- printf "%s-external-db" (include "aisix-cloud.fullname" .) }}
 {{- end }}
 {{- end }}
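Review bot: the patch only changes which Secret name the pods reference; the walkthrough says dpm and ui read PGPASSWORD out of that Secret by key, so when a user-supplied postgresql.auth.existingSecret is honoured the password must also sit under the key those Deployments expect, otherwise startup still fails with a missing-key error instead of a missing-secret error. Please state the required key next to postgresql.auth.existingSecret in values.yaml and the README, and add a ct lint values file that sets existingSecret so the branch is rendered in CI.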
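To see concretely what the flagged helper resolves to, here is an added example (not code from the PR or the chart) that renders the pgSecretName helper as posted and with the review's patch applied through Go's text/template, the engine beneath Helm. The `include` function, the `aisix-cloud.fullname` stand-in (just the release name), the release name `my-aisix` and the Secret name `my-pg-creds` are assumptions of the example.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// pgSecretName helper exactly as posted in the PR (_helpers.tpl lines 131-143).
const originalHelper = `{{- define "aisix-cloud.pgSecretName" -}}
{{- if .Values.postgresql.builtin }}
{{- if .Values.postgresql.fullnameOverride }}
{{- .Values.postgresql.fullnameOverride }}
{{- else }}
{{- printf "%s-postgresql" .Release.Name }}
{{- end }}
{{- else if .Values.externalDatabase.existingSecret }}
{{- .Values.externalDatabase.existingSecret }}
{{- else }}
{{- printf "%s-external-db" (include "aisix-cloud.fullname" .) }}
{{- end }}
{{- end }}`

// The review's proposed fix applied as a patch: the builtin branch first honours postgresql.auth.existingSecret.
var fixedHelper = strings.Replace(originalHelper, "{{- if .Values.postgresql.fullnameOverride }}",
	"{{- if .Values.postgresql.auth.existingSecret }}\n{{- .Values.postgresql.auth.existingSecret }}\n{{- else if .Values.postgresql.fullnameOverride }}", 1)

const fullnameHelper = `{{- define "aisix-cloud.fullname" -}}{{ .Release.Name }}{{- end }}` // assumption: stand-in yielding the release name

// resolveSecretName renders one helper variant against the given values and returns the Secret name the pods would reference.
func resolveSecretName(helper string, values map[string]any) (string, error) {
	t := template.New("root")
	// Minimal stand-in for Helm's include: execute a named template into a string.
	t.Funcs(template.FuncMap{"include": func(name string, data any) (string, error) {
		var b bytes.Buffer
		err := t.ExecuteTemplate(&b, name, data)
		return b.String(), err
	}})
	if _, err := t.Parse(fullnameHelper + helper + `{{ include "aisix-cloud.pgSecretName" . }}`); err != nil {
		return "", err
	}
	var out bytes.Buffer
	err := t.Execute(&out, map[string]any{"Values": values, "Release": map[string]any{"Name": "my-aisix"}})
	return strings.TrimSpace(out.String()), err
}

// builtinValues constructs chart values for builtin PostgreSQL; existingSecret names a user-supplied Secret (constructed sample), "" means none.
func builtinValues(existingSecret string) map[string]any {
	return map[string]any{
		"postgresql":       map[string]any{"builtin": true, "fullnameOverride": "", "auth": map[string]any{"existingSecret": existingSecret}},
		"externalDatabase": map[string]any{"existingSecret": ""},
	}
}

func main() {
	a, _ := resolveSecretName(originalHelper, builtinValues("my-pg-creds"))
	b, _ := resolveSecretName(fixedHelper, builtinValues("my-pg-creds"))
	fmt.Println("original:", a, "fixed:", b) // original: my-aisix-postgresql fixed: my-pg-creds
}
```

The original variant silently returns the generated name, which is exactly the non-existent Secret the review warns the pods would mount.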

-e AISIX_MANAGED__CP_KEY_PEM='<client-key-pem>' \
-e AISIX_MANAGED__CP_CA_PEM='<ca-cert-pem>' \
-v aisix-mtls:/var/lib/aisix \
ghcr.io/api7/aisix:dev


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use a versioned DP image in notes instead of :dev.

Line 33 hardcodes ghcr.io/api7/aisix:dev, which conflicts with the chart’s versioned-install contract and can point users to mutable/non-release images.

Suggested fix
-      ghcr.io/api7/aisix:dev
+      {{ .Values.api.dpImage | default (printf "ghcr.io/api7/aisix:%s" .Chart.AppVersion) }}
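Review bot: this default duplicates the DP image default the PR description gives for the api Deployment (ghcr.io/api7/aisix:<appVersion>), so NOTES.txt and api-deployment.yaml can drift the next time one of them changes. Consider moving the fallback into a shared helper (for example a hypothetical aisix-cloud.dpImage) that both templates include, and confirm that api.dpImage is the values key the Deployment actually reads so the notes print the image that was deployed.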

apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "aisix-cloud.fullname" . }}-ui


⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Quote templated metadata.name to avoid YAML parser/lint breakage.

Line 4 is vulnerable to raw-YAML parsing failures (matching the reported syntax error) when tooling reads templates before Helm rendering.

Suggested fix
-  name: {{ include "aisix-cloud.fullname" . }}-ui
+  name: '{{ include "aisix-cloud.fullname" . }}-ui'
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 4-4: syntax error: expected <block end>, but found '<scalar>' (syntax)


Source: Linters/SAST tools

apiVersion: v1
kind: Service
metadata:
  name: {{ include "aisix-cloud.fullname" . }}-ui


⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Quote templated metadata.name here as well for YAML tooling compatibility.

Line 4 has the same raw-template YAML parse risk flagged by static analysis.

Suggested fix
-  name: {{ include "aisix-cloud.fullname" . }}-ui
+  name: '{{ include "aisix-cloud.fullname" . }}-ui'
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 4-4: syntax error: expected <block end>, but found '<scalar>' (syntax)


Source: Linters/SAST tools
