
helm_gen.py

Generates a production-grade Helm chart with security contexts, resource limits, liveness/readiness probes, KEDA scale-to-zero, ESO secrets, and Prometheus alerting built in from day one.

What it does

Copies templates/helm/chart/ to <service>/helm/, substitutes the {{SERVICE_NAME}}, {{PORT}} and {{APP_VERSION}} placeholders, then injects cloud-appropriate ServiceAccount annotations. Substitution happens before Helm ever sees the files: a placeholder left unreplaced would reach Helm's Go-template parser as an undefined function and fail lint, which is the intended failure mode rather than a silently broken chart.

After generation it runs helm lint --strict and, if the helm-unittest plugin is installed, helm unittest.

CLI Usage
```bash
python3 tools/helm_gen.py \
  --service payment-api \
  --cloud aws \
  --port 8000
```
Generated Chart Contents
| Resource | What it provides |
|---|---|
| Deployment | Rolling update strategy, pod anti-affinity, resource limits |
| Service | ClusterIP (default) or LoadBalancer via values.yaml |
| Ingress | nginx / ALB annotations, TLS via cert-manager |
| HPA | CPU + memory autoscaler, configurable min/max replicas |
| KEDA HTTPScaledObject | Scale-to-zero (opt-in: keda.enabled: true) |
| ExternalSecret | ESO manifest pulling from the cloud secrets manager; no secret material lives in the chart |
| ServiceMonitor | Prometheus scrape config for the /metrics endpoint |
| PrometheusRule | 4 alert rules: error rate, latency p99, restart rate, CPU |
| Grafana Dashboard ConfigMap | Pre-built dashboard JSON, picked up by the Grafana dashboard sidecar |
| PodDisruptionBudget | minAvailable: 1 for prod workloads (run at least 2 replicas, otherwise node drains block) |
Security Defaults (values.yaml)
| Setting | Default |
|---|---|
| runAsNonRoot | true |
| readOnlyRootFilesystem | true |
| capabilities.drop | [ALL] |
| allowPrivilegeEscalation | false |

These are pod-template defaults, so a values override can weaken them. readOnlyRootFilesystem: true also means anything the service writes at runtime (/tmp, caches, PID files) must be backed by an emptyDir or other volume mount, or the container will fail at first write.
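A check a practitioner would run in CI against the rendered chart (`helm template`) to confirm these defaults survived any values overrides. This is an added example, not part of helm_gen.py: it takes the Deployment as a parsed dict (PyYAML or yq output, omitted here so the block runs on the standard library alone), and both sample manifests are constructed for illustration.

```python
"""Added CI policy check, not helm_gen.py's own code: confirm a rendered
Deployment carries the chart's security defaults.  Input is the manifest
as a dict, e.g. `helm template ... | yq` parsed with PyYAML (left out so
this runs with the standard library only)."""
import copy

# Container-only fields (they do not exist at pod level in the API).
REQUIRED_CONTAINER_FIELDS = {
    "readOnlyRootFilesystem": True,
    "allowPrivilegeEscalation": False,
}


def _container_findings(c: dict, pod_ctx: dict) -> list:
    name = c.get("name", "<unnamed>")
    ctx = c.get("securityContext") or {}
    out = []
    # runAsNonRoot may be inherited from the pod securityContext;
    # a container-level value overrides it.
    run_as_non_root = ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot"))
    if run_as_non_root is not True:
        out.append(f"{name}: runAsNonRoot is {run_as_non_root!r}, want True")
    for key, want in REQUIRED_CONTAINER_FIELDS.items():
        got = ctx.get(key)
        if got is not want:
            out.append(f"{name}: {key} is {got!r}, want {want!r}")
    dropped = (ctx.get("capabilities") or {}).get("drop") or []
    if "ALL" not in dropped:
        out.append(f"{name}: capabilities.drop must include ALL, got {dropped}")
    if ctx.get("privileged") is True:
        out.append(f"{name}: privileged containers are not allowed")
    return out


def check_deployment(manifest: dict) -> list:
    """Return a list of findings; an empty list means the defaults are intact."""
    pod = manifest["spec"]["template"]["spec"]
    pod_ctx = pod.get("securityContext") or {}
    findings = []
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        findings.extend(_container_findings(c, pod_ctx))
    # A hostPath volume sidesteps readOnlyRootFilesystem and is a classic
    # node-escape path, so flag it regardless of the container settings.
    for v in pod.get("volumes", []):
        if "hostPath" in v:
            findings.append(f"volume {v['name']!r}: hostPath volumes are not allowed")
    return findings


# Constructed sample: what a compliant rendered Deployment looks like.  Note the
# emptyDir for /tmp, which is what makes readOnlyRootFilesystem workable.
COMPLIANT_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "payment-api"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "payment-api",
            "image": "payment-api:1.2.3",
            "securityContext": {
                "readOnlyRootFilesystem": True,
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    }}},
}

# Constructed sample of a values override that weakened the chart.
NONCOMPLIANT_DEPLOYMENT = copy.deepcopy(COMPLIANT_DEPLOYMENT)
_pod = NONCOMPLIANT_DEPLOYMENT["spec"]["template"]["spec"]
del _pod["securityContext"]["runAsNonRoot"]
_pod["containers"][0]["securityContext"]["capabilities"] = {"drop": ["NET_RAW"]}
_pod["volumes"].append({"name": "host-logs", "hostPath": {"path": "/var/log"}})

if __name__ == "__main__":
    for label, manifest in (("compliant", COMPLIANT_DEPLOYMENT),
                            ("noncompliant", NONCOMPLIANT_DEPLOYMENT)):
        findings = check_deployment(manifest)
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Wire it in after `helm template` in the pipeline so that a values override that drops `capabilities.drop: [ALL]` or re-enables root fails the build instead of reaching the cluster.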
KEDA Scale-to-Zero Integration

Set keda.enabled: true in values.yaml to activate the HTTPScaledObject for the car-painter scale-to-zero pattern. KEDA creates and manages its own HPA for the scaled Deployment, so the chart's HPA must not target the same Deployment at the same time; two autoscalers on one workload fight over the replica count.

```yaml
# values.yaml
keda:
  enabled: true
  minReplicaCount: 0
  maxReplicaCount: 10
  scaledownPeriod: 300          # 5 min idle -> scale to zero
  targetPendingRequests: 100
```
ServiceAccount Annotations

For AWS, the ServiceAccount is annotated with eks.amazonaws.com/role-arn (IRSA). For Azure the annotation is azure.workload.identity/client-id, and the pod template additionally needs the azure.workload.identity/use: "true" label for the token to be projected; for GCP it is iam.gke.io/gcp-service-account. In every case the pod obtains short-lived tokens from the cluster's workload-identity integration, so no static cloud credentials are ever written into the chart.
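The substitution step from "What it does" and the annotation injection described above, as an added Python illustration that is not helm_gen.py's own code. The annotation keys and the Azure pod label are the real ones read by IRSA, Azure Workload Identity and GKE Workload Identity; the function names, the sample identities, the static-credential marker list and the template text are assumptions made for the example.

```python
"""Added illustration of the generation steps the page describes; not the
tool's own implementation.  Function names, sample identities and the
credential marker list are assumptions."""
import re
import subprocess

# Placeholders the chart templates use (from the page).  They look like Helm
# directives, so one left unreplaced would hit Go's template parser as an
# undefined function and fail `helm lint --strict`; catch it earlier here.
PLACEHOLDER = re.compile(r"\{\{(SERVICE_NAME|PORT|APP_VERSION)\}\}")
UNREPLACED = re.compile(r"\{\{[A-Z_]+\}\}")   # real Helm directives have spaces/dots

# Annotation key each cloud's workload-identity controller reads from the
# ServiceAccount; the value is the identity the pod will assume.
SA_ANNOTATION_KEY = {
    "aws":   "eks.amazonaws.com/role-arn",          # IRSA: IAM role ARN
    "azure": "azure.workload.identity/client-id",   # managed identity client ID
    "gcp":   "iam.gke.io/gcp-service-account",      # GSA e-mail address
}
# Azure Workload Identity only projects a token when the pod carries this label.
POD_LABELS = {"azure": {"azure.workload.identity/use": "true"}}

# Assumed markers; any of these in values.yaml means a static secret leaked in.
STATIC_CREDENTIAL_MARKERS = (
    "aws_access_key_id", "aws_secret_access_key",
    "azure_client_secret", "private_key_id",       # last one: GCP SA JSON key
)


def substitute(template: str, service: str, port: int, version: str) -> str:
    """Replace the three chart placeholders; refuse to emit any left over."""
    values = {"SERVICE_NAME": service, "PORT": str(port), "APP_VERSION": version}
    rendered = PLACEHOLDER.sub(lambda m: values[m.group(1)], template)
    leftover = UNREPLACED.findall(rendered)
    if leftover:
        raise ValueError(f"unreplaced placeholders: {leftover}")
    return rendered


def service_account_annotations(cloud: str, identity: str) -> dict:
    if cloud not in SA_ANNOTATION_KEY:
        raise ValueError(f"unsupported cloud {cloud!r}; expected one of {sorted(SA_ANNOTATION_KEY)}")
    return {SA_ANNOTATION_KEY[cloud]: identity}


def pod_labels(cloud: str) -> dict:
    return dict(POD_LABELS.get(cloud, {}))


def contains_static_credentials(text: str) -> bool:
    lowered = text.lower()
    return any(marker in lowered for marker in STATIC_CREDENTIAL_MARKERS)


def lint(chart_dir: str) -> None:
    """The post-generation checks the page lists; needs helm on PATH."""
    subprocess.run(["helm", "lint", "--strict", chart_dir], check=True)
    plugins = subprocess.run(["helm", "plugin", "list"],
                             capture_output=True, text=True).stdout
    if "unittest" in plugins:   # plugin is optional; skip rather than fail
        subprocess.run(["helm", "unittest", chart_dir], check=True)


if __name__ == "__main__":
    # Constructed template fragment standing in for templates/helm/chart/.
    tmpl = "name: {{SERVICE_NAME}}\nport: {{PORT}}\nimage: app:{{APP_VERSION}}\n"
    print(substitute(tmpl, "payment-api", 8000, "1.2.3"))
    print(service_account_annotations("aws", "arn:aws:iam::123456789012:role/payment-api"))
    print(pod_labels("azure"))
```

The static-credential check is deliberately a coarse substring scan over the rendered values.yaml: its purpose is to fail the generation run loudly if someone adds a key-based cloud credential to the templates, not to be a general secret scanner.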
