OPS-2703: Leverage upstream chart for persistency #50
enys commented Apr 8, 2026
- Start using memgraph official chart
- values
Currently blocked by memgraph/helm-charts#226
Application memgraph-pr-50 is now running new version of deployments manifests.
Pull request overview
This PR converts the local Memgraph Helm chart into an umbrella chart that delegates the core workloads to the official upstream memgraph and memgraph-lab sub-charts, while keeping local templates for ingress/network-policy glue.
Changes:
- Switched `charts/memgraph` to an umbrella chart with upstream `memgraph` + `memgraph-lab` dependencies and updated values accordingly.
- Removed in-repo templates for StatefulSet/Service/ServiceAccount/HPA/tests/exporter in favor of upstream chart resources.
- Updated umbrella templates (IngressRoute, NetworkPolicies, NOTES, helpers) and adjusted Tilt config for a preprod context.
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| charts/memgraph/values.yaml | Restructured values to pass through to upstream sub-charts and added umbrella-only settings. |
| charts/memgraph/templates/tests/test-connection.yaml | Removed Helm test pod template. |
| charts/memgraph/templates/statefulset.yaml | Removed local StatefulSet template (now provided by upstream sub-chart). |
| charts/memgraph/templates/serviceaccount.yaml | Removed local ServiceAccount template (now provided by upstream sub-chart). |
| charts/memgraph/templates/service.yaml | Removed local Service template (now provided by upstream sub-chart). |
| charts/memgraph/templates/namespace-netpol.yaml | Reworked NetworkPolicies to target DB/Lab/exporter resources in the new umbrella setup. |
| charts/memgraph/templates/mg-exporter.yaml | Removed local exporter resources (now expected from upstream configuration). |
| charts/memgraph/templates/init-file-configmap.yaml | Moved init-file configmap to umbrella-level values. |
| charts/memgraph/templates/ingressroute.yaml | Updated IngressRoute to target Memgraph Lab service. |
| charts/memgraph/templates/hpa.yaml | Removed HPA template. |
| charts/memgraph/templates/_helpers.tpl | Updated helpers to support DB/Lab service naming and selectors under umbrella chart. |
| charts/memgraph/templates/NOTES.txt | Updated post-install notes for umbrella chart endpoints and access instructions. |
| charts/memgraph/Chart.yaml | Updated chart metadata/version and added upstream dependencies. |
| Tiltfile | Adjusted Tilt context gating and Helm release naming for preprod. |
| .version | Bumped chart version. |
| .bumpversion.cfg | Updated bumpversion current_version. |
Comments suppressed due to low confidence (1)
Tiltfile:14
- Tilt is now gated on a `k8s-preprod` context, but it still hard-fails unless the namespace ends with `dev`. This combination will likely prevent Tilt from running in the intended preprod namespaces; align the namespace guard (or the context guard) with the environments you actually want Tilt to support.

```python
if ctx.endswith('k8s-preprod'):
    allow_k8s_contexts(ctx)
if not k8s_namespace().endswith("dev"):
    fail("You are not targeting a dev namespace")
```
| - from: | ||
| - podSelector: | ||
| matchLabels: | ||
| {{- include "memgraphExporter.selectorLabels" . | nindent 12 }} | ||
| app: mg-exporter | ||
| {{- $promNs := (index .Values "memgraph" "prometheus" "namespace") }} | ||
| {{- if and $promNs (ne ($promNs | toString) (.Release.Namespace | toString)) }} | ||
| - namespaceSelector: | ||
| matchLabels: | ||
| kubernetes.io/metadata.name: {{ $promNs }} | ||
| {{- end }} |
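Review bot: The chained lookup `index .Values "memgraph" "prometheus" "namespace"` on the `$promNs` line aborts template rendering when the `memgraph.prometheus` map is absent from the values, because `index` cannot step into a nil intermediate value. Guard the intermediate map, for example `(.Values.memgraph.prometheus | default dict).namespace`, or document that `memgraph.prometheus` must always be defined in values.yaml.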
In the DB NetworkPolicy, the `from` peers for the Prometheus exporter are split into separate list items (`podSelector` and `namespaceSelector`). In NetworkPolicy semantics these peers are OR'ed, so when `prometheus.namespace` is set this will allow all pods from that namespace, not just the exporter pods. Combine `namespaceSelector` and `podSelector` in the same peer entry to restrict access to only the exporter pods in that namespace.
| - to: | ||
| - podSelector: | ||
| matchLabels: | ||
| {{- include "memgraph.selectorLabels" . | nindent 12 }} | ||
| {{- if ne (.Values.prometheus.namespace | default .Release.Namespace) .Release.Namespace }} | ||
| {{- include "memgraph.dbSelectorLabels" . | nindent 12 }} | ||
| {{- $promNs := (index .Values "memgraph" "prometheus" "namespace") }} | ||
| {{- if and $promNs (ne ($promNs | toString) (.Release.Namespace | toString)) }} | ||
| - namespaceSelector: | ||
| matchLabels: | ||
| name: {{ .Release.Namespace }} | ||
| kubernetes.io/metadata.name: {{ .Release.Namespace }} | ||
| {{- end }} |
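Review bot: The `namespaceSelector` in this hunk matches on `kubernetes.io/metadata.name`, a label the API server only sets automatically on namespaces from Kubernetes 1.21 onward; on an older cluster the peer selects nothing and the exporter's egress to Memgraph is silently dropped. State the minimum supported cluster version for the chart, for example through `kubeVersion` in Chart.yaml, or note the label requirement next to the `prometheus.namespace` value.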
In the exporter egress NetworkPolicy, `to` peers are also split into separate list items (`podSelector` and `namespaceSelector`). If the exporter runs in a different namespace than Memgraph, this ends up allowing egress to any pod in the Memgraph namespace on the monitoring port. Combine `namespaceSelector` + `podSelector` in a single `to` peer so egress is limited to the Memgraph pods only.
@copilot apply changes based on this feedback
Fixed in d900039. Both the DB NetworkPolicy `from` peers and the exporter egress `to` peers now combine `podSelector` and `namespaceSelector` in a single list entry (AND semantics) when the exporter runs in a different namespace, preventing over-broad access.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…er entries Agent-Logs-Url: https://github.com/Linkurious/docker-memgraph/sessions/d5dc5b78-68cd-4423-a226-3b14669023fd Co-authored-by: enys <36994826+enys@users.noreply.github.com>
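The OR/AND peer semantics discussed in the review comments above, modelled as an added example (not code from this pull request). The `memgraph` and `monitoring` namespace names, the `grafana` pod, and the simplification that a namespace carries only its `kubernetes.io/metadata.name` label are assumptions made for illustration.

```python
# Added example: models how Kubernetes evaluates NetworkPolicy peers.
# Namespace names and pod labels below are constructed for illustration.

def labels_match(selector, labels):
    """matchLabels semantics: every key/value in the selector must be present."""
    return all(labels.get(k) == v
               for k, v in selector.get("matchLabels", {}).items())

def peer_allows(peer, policy_ns, pod):
    """Selectors inside ONE peer entry are ANDed."""
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is None:
        # A podSelector on its own only selects pods in the policy's namespace.
        ns_ok = pod["namespace"] == policy_ns
    else:
        # Simplification: a namespace's only label is its automatic name label.
        ns_ok = labels_match(
            ns_sel, {"kubernetes.io/metadata.name": pod["namespace"]})
    pod_ok = pod_sel is None or labels_match(pod_sel, pod["labels"])
    return ns_ok and pod_ok

def rule_allows(peers, policy_ns, pod):
    """Separate entries in a from/to list are ORed."""
    return any(peer_allows(p, policy_ns, pod) for p in peers)

POLICY_NS = "memgraph"  # constructed: namespace the policy lives in
EXPORTER = {"matchLabels": {"app": "mg-exporter"}}
PROM_NS = {"matchLabels": {"kubernetes.io/metadata.name": "monitoring"}}

# Two list items (the reviewed form) versus one combined item (the fixed form).
split_peers = [{"podSelector": EXPORTER}, {"namespaceSelector": PROM_NS}]
combined_peers = [{"podSelector": EXPORTER, "namespaceSelector": PROM_NS}]

exporter_pod = {"namespace": "monitoring", "labels": {"app": "mg-exporter"}}
other_pod = {"namespace": "monitoring", "labels": {"app": "grafana"}}

def audit(peers):
    """Return which of the two sample pods the rule admits."""
    return {
        "exporter": rule_allows(peers, POLICY_NS, exporter_pod),
        "other": rule_allows(peers, POLICY_NS, other_pod),
    }

if __name__ == "__main__":
    print("split:   ", audit(split_peers))
    print("combined:", audit(combined_peers))
```

With the split form the unrelated pod in the monitoring namespace is admitted alongside the exporter; with the combined form only the exporter is.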
Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.
Warning: Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
The only thing remaining to do is to add the container init for the dataset.