openabdev · thekkagent · Apr 16, 2026 · Apr 16, 2026 · Apr 16, 2026 · Apr 16, 2026
@@ -51,9 +51,65 @@ app.kubernetes.io/component: {{ .agent }}
 {{- end }}
 {{- end }}
 
-{{/* Resolve imagePullPolicy: global default (per-agent image string has no pullPolicy) */}}
+{{/* Resolve imagePullPolicy: per-agent override or global default */}}
 {{- define "openab.agentImagePullPolicy" -}}
-{{- .ctx.Values.image.pullPolicy }}
+{{- default .ctx.Values.image.pullPolicy .cfg.imagePullPolicy }}
+{{- end }}
+
+{{/* Resolve imagePullSecrets: per-agent override (if explicitly set, including empty list) or global default */}}
+{{- define "openab.agentImagePullSecrets" -}}
+{{- $pullSecrets := .ctx.Values.imagePullSecrets -}}
+{{- if hasKey .cfg "imagePullSecrets" -}}
+{{- $pullSecrets = .cfg.imagePullSecrets -}}
+{{- end }}
+{{- range $pullSecrets }}
+{{- if kindIs "map" . }}
+- name: {{ .name | quote }}
+{{- else }}
+- name: {{ . | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Resolve serviceAccountName:
+- If serviceAccount.create is true: use serviceAccount.name or fallback to <agentFullname>
+- Else: use serviceAccountName (for referencing externally-created SAs), or empty (namespace default)
+*/}}
+{{- define "openab.agentServiceAccountName" -}}
+{{- if (.cfg.serviceAccount).create -}}
+{{- default (include "openab.agentFullname" .) .cfg.serviceAccount.name -}}
+{{- else -}}
+{{- default "" .cfg.serviceAccountName -}}
+{{- end -}}
+{{- end }}
+
+{{/*
+Pod annotations: global baseline + per-agent override, with reserved
+chart-managed annotations (checksum/config) merged last so users cannot
+clobber them and produce duplicate YAML keys.
+*/}}
+{{- define "openab.agentPodAnnotations" -}}
+{{- $reserved := dict "checksum/config" (.cfg | toJson | sha256sum) -}}
+{{- $annotations := mergeOverwrite (dict)
+    (.ctx.Values.podAnnotations | default (dict))
+    (.cfg.podAnnotations | default (dict))
+    $reserved -}}
+{{- toYaml $annotations }}
+{{- end }}
+
+{{/*
+Pod labels: global baseline + per-agent override, with reserved selector
+labels merged last so users cannot hijack them. Hijacking would produce
+duplicate YAML keys AND break Deployment→Pod selector matching.
+*/}}
+{{- define "openab.agentPodLabels" -}}
+{{- $reserved := include "openab.selectorLabels" . | fromYaml -}}
+{{- $labels := mergeOverwrite (dict)
+    (.ctx.Values.podLabels | default (dict))
+    (.cfg.podLabels | default (dict))
+    $reserved -}}
+{{- toYaml $labels }}
 {{- end }}
 
 {{/* Agent enabled: default true unless explicitly set to false */}}
@@ -65,3 +121,8 @@ app.kubernetes.io/component: {{ .agent }}
 {{- define "openab.persistenceEnabled" -}}
 {{- if and . .persistence (eq (.persistence.enabled | toString) "false") }}false{{ else }}true{{ end }}
 {{- end }}
+
+{{/* Discord adapter enabled: default true unless explicitly set to false; returns false when discord config is absent */}}
+{{- define "openab.discordEnabled" -}}
+{{- if and . .discord (ne (.discord.enabled | toString) "false") }}true{{ else }}false{{ end }}
+{{- end }}
@@ -0,0 +1,20 @@
+{{- range $name, $cfg := .Values.agents }}
+{{- if ne (include "openab.agentEnabled" $cfg) "false" }}
+{{- if ($cfg.rbac).createClusterRole }}
+{{- $d := dict "ctx" $ "agent" $name "cfg" $cfg }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "openab.agentFullname" $d }}
+  labels:
+    {{- include "openab.labels" $d | nindent 4 }}
+{{- with $cfg.rbac.clusterRules }}
+rules:
+  {{- toYaml . | nindent 2 }}
+{{- else }}
+rules: []
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
@@ -0,0 +1,22 @@
+{{- range $name, $cfg := .Values.agents }}
+{{- if ne (include "openab.agentEnabled" $cfg) "false" }}
+{{- if ($cfg.rbac).createClusterRole }}
+{{- $d := dict "ctx" $ "agent" $name "cfg" $cfg }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "openab.agentFullname" $d }}
+  labels:
+    {{- include "openab.labels" $d | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "openab.agentFullname" $d }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "openab.agentServiceAccountName" $d }}
+    namespace: {{ $.Release.Namespace }}
+{{- end }}
+{{- end }}
+{{- end }}
@@ -10,7 +10,7 @@ metadata:
     {{- include "openab.labels" $d | nindent 4 }}
 data:
   config.toml: |
-    {{- if ($cfg.discord).enabled }}
+    {{- if ne (include "openab.discordEnabled" $cfg) "false" }}
     [discord]
     bot_token = "${DISCORD_BOT_TOKEN}"
     {{- range $cfg.discord.allowedChannels }}
@@ -81,8 +81,16 @@ data:
     command = "{{ $cfg.command }}"
     args = {{ if $cfg.args }}{{ $cfg.args | toJson }}{{ else }}[]{{ end }}
     working_dir = "{{ $cfg.workingDir | default "/home/agent" }}"
-    {{- if $cfg.env }}
-    env = { {{ $first := true }}{{ range $k, $v := $cfg.env }}{{ if not $first }}, {{ end }}{{ $k }} = "{{ $v }}"{{ $first = false }}{{ end }} }
+    {{- $stringEnv := dict }}
+    {{- range $k, $v := $cfg.env }}
+    {{- if kindIs "slice" $v }}
+    {{- fail (printf "env.%s is a list — env values must be strings or maps (valueFrom)" $k) }}
+    {{- else if not (kindIs "map" $v) }}
+    {{- $_ := set $stringEnv $k $v }}
+    {{- end }}
+    {{- end }}
+    {{- if $stringEnv }}
+    env = { {{ $first := true }}{{ range $k, $v := $stringEnv }}{{ if not $first }}, {{ end }}{{ $k }} = {{ $v | toJson }}{{ $first = false }}{{ end }} }
     {{- end }}
 
     [pool]

@@ -21,14 +21,27 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/config: {{ $cfg | toJson | sha256sum }}
+        {{- include "openab.agentPodAnnotations" $d | nindent 8 }}
       labels:
-        {{- include "openab.selectorLabels" $d | nindent 8 }}
+        {{- include "openab.agentPodLabels" $d | nindent 8 }}
     spec:
+      {{- $imagePullSecrets := include "openab.agentImagePullSecrets" $d | trim }}
+      {{- if $imagePullSecrets }}
+      imagePullSecrets:
+        {{- $imagePullSecrets | nindent 8 }}
+      {{- end }}
+      {{- $serviceAccountName := include "openab.agentServiceAccountName" $d | trim }}
+      {{- if $serviceAccountName }}
+      serviceAccountName: {{ $serviceAccountName }}
+      {{- end }}
       {{- with $.Values.podSecurityContext }}
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with $cfg.initContainers }}
+      initContainers:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       containers:
         - name: openab
           image: {{ include "openab.agentImage" $d | quote }}
@@ -38,7 +51,7 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
           env:
-            {{- if and (ne (toString ($cfg.discord).enabled) "false") ($cfg.discord).botToken }}
+            {{- if and (ne (include "openab.discordEnabled" $cfg) "false") ($cfg.discord).botToken }}
             - name: DISCORD_BOT_TOKEN
               valueFrom:
                 secretKeyRef:
@@ -69,8 +82,15 @@ spec:
             - name: HOME
               value: {{ $cfg.workingDir | default "/home/agent" }}
             {{- range $k, $v := $cfg.env }}
+            {{- if kindIs "slice" $v }}
+            {{- fail (printf "env.%s is a list — env values must be strings or maps (valueFrom)" $k) }}
+            {{- end }}
             - name: {{ $k }}
+              {{- if kindIs "map" $v }}
+              {{- toYaml $v | nindent 14 }}
+              {{- else }}
               value: {{ $v | quote }}
+              {{- end }}
             {{- end }}
           {{- with $cfg.envFrom }}
           envFrom:
@@ -80,6 +100,22 @@ spec:
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          {{- with $cfg.livenessProbe }}
+          livenessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with $cfg.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with $cfg.startupProbe }}
+          startupProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with $cfg.lifecycle }}
+          lifecycle:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           volumeMounts:
             - name: config
               mountPath: /etc/openab
@@ -99,6 +135,12 @@ spec:
               mountPath: {{ $cfg.workingDir | default "/home/agent" }}/GEMINI.md
               subPath: AGENTS.md
             {{- end }}
+            {{- with $cfg.extraVolumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+        {{- with $cfg.extraContainers }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
       {{- with $cfg.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -120,5 +162,8 @@ spec:
           persistentVolumeClaim:
             claimName: {{ include "openab.agentFullname" $d }}
         {{- end }}
+        {{- with $cfg.extraVolumes }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
 {{- end }}
 {{- end }}
@@ -0,0 +1,29 @@
+{{- range $name, $cfg := .Values.agents }}
+{{- if ne (include "openab.agentEnabled" $cfg) "false" }}
+{{- if ($cfg.podDisruptionBudget).enabled }}
+{{- $d := dict "ctx" $ "agent" $name "cfg" $cfg }}
+{{- $pdb := $cfg.podDisruptionBudget }}
+{{- if and (hasKey $pdb "minAvailable") (hasKey $pdb "maxUnavailable") (ne $pdb.minAvailable nil) (ne $pdb.maxUnavailable nil) }}
+{{- fail (printf "agents.%s.podDisruptionBudget: cannot set both minAvailable and maxUnavailable" $name) }}
+{{- end }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "openab.agentFullname" $d }}
+  labels:
+    {{- include "openab.labels" $d | nindent 4 }}
+spec:
+  {{- if ne ($pdb.minAvailable | toString) "<nil>" }}
+  minAvailable: {{ $pdb.minAvailable }}
+  {{- else if ne ($pdb.maxUnavailable | toString) "<nil>" }}
+  maxUnavailable: {{ $pdb.maxUnavailable }}
+  {{- else }}
+  {{- fail (printf "agents.%s.podDisruptionBudget: must set either minAvailable or maxUnavailable" $name) }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "openab.selectorLabels" $d | nindent 6 }}
+{{- end }}
+{{- end }}
+{{- end }}
@@ -0,0 +1,20 @@
+{{- range $name, $cfg := .Values.agents }}
+{{- if ne (include "openab.agentEnabled" $cfg) "false" }}
+{{- if ($cfg.rbac).create }}
+{{- $d := dict "ctx" $ "agent" $name "cfg" $cfg }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "openab.agentFullname" $d }}
+  labels:
+    {{- include "openab.labels" $d | nindent 4 }}
+{{- with $cfg.rbac.rules }}
+rules:
+  {{- toYaml . | nindent 2 }}
+{{- else }}
+rules: []
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
@@ -0,0 +1,22 @@
+{{- range $name, $cfg := .Values.agents }}
+{{- if ne (include "openab.agentEnabled" $cfg) "false" }}
+{{- if ($cfg.rbac).create }}
+{{- $d := dict "ctx" $ "agent" $name "cfg" $cfg }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "openab.agentFullname" $d }}
+  labels:
+    {{- include "openab.labels" $d | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "openab.agentFullname" $d }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "openab.agentServiceAccountName" $d }}
+    namespace: {{ $.Release.Namespace }}
+{{- end }}
+{{- end }}
+{{- end }}
@@ -1,6 +1,6 @@
 {{- range $name, $cfg := .Values.agents }}
 {{- if ne (include "openab.agentEnabled" $cfg) "false" }}
-{{- $hasDiscord := and (ne (toString ($cfg.discord).enabled) "false") ($cfg.discord).botToken }}
+{{- $hasDiscord := and (ne (include "openab.discordEnabled" $cfg) "false") ($cfg.discord).botToken }}
 {{- $hasSlack := and ($cfg.slack).enabled (or ($cfg.slack).botToken ($cfg.slack).appToken) }}
 {{- $hasStt := and ($cfg.stt).enabled ($cfg.stt).apiKey }}
 {{- if or $hasDiscord $hasSlack $hasStt }}

@@ -0,0 +1,23 @@
+{{- range $name, $cfg := .Values.agents }}
+{{- if ne (include "openab.agentEnabled" $cfg) "false" }}
+{{- if ($cfg.serviceAccount).create }}
+{{- $d := dict "ctx" $ "agent" $name "cfg" $cfg }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "openab.agentServiceAccountName" $d }}
+  labels:
+    {{- include "openab.labels" $d | nindent 4 }}
+  {{- with $cfg.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- if hasKey $cfg.serviceAccount "automountServiceAccountToken" }}
+automountServiceAccountToken: {{ $cfg.serviceAccount.automountServiceAccountToken }}
+{{- else }}
+automountServiceAccountToken: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}