feat(helm)!: Replace hostPath-based aws_config_directory with chart-managed Secret (resolves #2162).#2164

Open
junhaoliao wants to merge 3 commits into y-scope:main from junhaoliao:aws-hostpath

Conversation

junhaoliao (Member) commented Apr 1, 2026

Description

The Helm chart's aws_config_directory volume uses hostPath, which mounts a directory from the Kubernetes node's filesystem. This doesn't work on managed Kubernetes clusters (e.g., EKS) where hostPath is either unavailable or restricted by PodSecurityStandards.

This PR replaces the hostPath-based aws_config_directory value with a new aws_config object.
Users provide their AWS config file contents via Helm's --set-file flag, and the chart creates a Kubernetes Secret from those contents. The Secret is then mounted as a volume in all pods that need AWS config access (compression-scheduler, compression-worker, query-worker, garbage-collector, webui).

Usage:

helm install <release> <chart> \
  --set-file clpConfig.aws_config.credentials=$HOME/.aws/credentials \
  --set-file clpConfig.aws_config.config=$HOME/.aws/config

Changes:

  • values.yaml: Replaced aws_config_directory: null with aws_config: null and documented
    --set-file usage.
  • templates/aws-config-secret.yaml (new): Creates a Secret from aws_config.credentials and
    aws_config.config file contents.
  • templates/_helpers.tpl: clp.awsConfigVolume now emits a secret volume instead of hostPath; clp.awsConfigVolumeMount hardcodes /opt/clp/.aws as the mount path.
  • templates/configmap.yaml: Condition and rendered path updated to use aws_config.
  • 5 deployment templates: Condition updated from aws_config_directory to aws_config.
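The following audit script is an added example and is not part of the CLP chart or of this PR. It encodes the properties the description above claims for the rendered chart: no Deployment carries a hostPath volume, every container that mounts /opt/clp/.aws sources it from the chart-managed Secret, and that Secret actually contains a `credentials` or `config` key. It takes the manifests that `helm template` emits, already parsed into Python dicts; the sample manifests below are constructed by hand (the Secret name `test-clp-aws-config` and the mount path are taken from the PR, the file contents are placeholders).

```python
"""Audit rendered Helm manifests for the aws-config wiring described in this PR.

Added example, not project code. Works on parsed manifests (dicts) so it runs
offline; in practice feed it `yaml.safe_load_all(helm_template_output)`.
"""

AWS_MOUNT_PATH = "/opt/clp/.aws"           # must match CONTAINER_AWS_CONFIG_DIRECTORY
AWS_SECRET_KEYS = ("credentials", "config")


def _pod_spec(deployment):
    return deployment.get("spec", {}).get("template", {}).get("spec", {})


def _secret_keys(secret):
    # `helm template` renders stringData; `kubectl get secret` shows base64 data.
    keys = {}
    keys.update(secret.get("stringData") or {})
    keys.update(secret.get("data") or {})
    return {k: v for k, v in keys.items() if v}   # drop empty values


def audit_manifests(docs, secret_name):
    """Return a list of findings; an empty list means the render is clean."""
    findings = []
    secrets = {d["metadata"]["name"]: d for d in docs if d.get("kind") == "Secret"}
    mounts_aws = False

    for dep in (d for d in docs if d.get("kind") == "Deployment"):
        name = dep["metadata"]["name"]
        spec = _pod_spec(dep)
        volumes = {v["name"]: v for v in spec.get("volumes", [])}

        # Any hostPath volume is what managed clusters / PodSecurityStandards reject.
        for vol_name, vol in volumes.items():
            if "hostPath" in vol:
                findings.append(f"{name}: volume '{vol_name}' uses hostPath")

        for container in spec.get("containers", []):
            for mount in container.get("volumeMounts", []):
                if mount.get("mountPath") != AWS_MOUNT_PATH:
                    continue
                mounts_aws = True
                vol = volumes.get(mount["name"], {})
                if vol.get("secret", {}).get("secretName") != secret_name:
                    findings.append(
                        f"{name}: {AWS_MOUNT_PATH} is not backed by Secret '{secret_name}'")

    if mounts_aws:
        secret = secrets.get(secret_name)
        if secret is None:
            findings.append(f"Secret '{secret_name}' is mounted but was not rendered")
        elif not any(k in _secret_keys(secret) for k in AWS_SECRET_KEYS):
            findings.append(f"Secret '{secret_name}' has neither 'credentials' nor 'config'")
    return findings


# --- constructed sample manifests (shape of `helm template` output) ---------------
def _deployment(name, volume_source):
    return {"kind": "Deployment", "metadata": {"name": name},
            "spec": {"template": {"spec": {
                "containers": [{"name": name, "volumeMounts": [
                    {"name": "aws-config", "mountPath": AWS_MOUNT_PATH}]}],
                "volumes": [dict(volume_source, name="aws-config")]}}}}


def _secret(name, string_data):
    return {"kind": "Secret", "metadata": {"name": name}, "stringData": string_data}


SECRET_NAME = "test-clp-aws-config"
# After this PR: Secret plus Deployments mounting it (placeholder file contents).
RENDERED_AFTER = [
    _secret(SECRET_NAME, {"credentials": "[default]\naws_access_key_id = PLACEHOLDER\n",
                          "config": "[default]\nregion = us-east-1\n"}),
    _deployment("test-clp-compression-worker", {"secret": {"secretName": SECRET_NAME}}),
    _deployment("test-clp-webui", {"secret": {"secretName": SECRET_NAME}}),
]
# Before this PR: the node directory mounted via hostPath, no Secret at all.
RENDERED_BEFORE = [
    _deployment("test-clp-compression-worker", {"hostPath": {"path": "/home/user/.aws"}}),
]
# aws_config set but neither file supplied: an empty Secret gets mounted.
RENDERED_EMPTY = [
    _secret(SECRET_NAME, {}),
    _deployment("test-clp-webui", {"secret": {"secretName": SECRET_NAME}}),
]

if __name__ == "__main__":
    for label, docs in (("after", RENDERED_AFTER), ("before", RENDERED_BEFORE),
                        ("empty", RENDERED_EMPTY)):
        print(label, audit_manifests(docs, SECRET_NAME) or "clean")
```

The "before" sample produces three findings (the hostPath volume, the mount not backed by the Secret, and the missing Secret), and the "empty" sample reproduces the case where `aws_config` is set without either file: the render looks correct until the Secret's contents are inspected, which is why the audit checks keys rather than only the Secret's existence.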

Checklist

  • The PR satisfies the contribution guidelines.
  • This is a breaking change and that has been indicated in the PR title, OR this isn't a
    breaking change.
  • Necessary docs have been updated, OR no docs need to be updated.

Validation performed

helm template renders no AWS resources when aws_config is null (default)

Task: Verify that when aws_config is not set (default null), no AWS-related resources are
rendered.

Command:

helm template test tools/deployment/package-helm/ 2>&1 | grep -c "aws"

Output:

0

No AWS resources are emitted when aws_config is disabled — all deployments omit the volume and volumeMount, and no Secret is created.

helm template renders Secret and mounts correctly with aws_config

Task: Verify that setting aws_config via --set-file creates a Secret and mounts it in all 5 deployments.

Command:

helm template test tools/deployment/package-helm/ \
  --set-file clpConfig.aws_config.credentials=$HOME/.aws/credentials \
  --set-file clpConfig.aws_config.config=$HOME/.aws/config \
  2>&1 | grep -c "secretName: test-clp-aws-config"

Output:

5

All 5 deployments (compression-scheduler, compression-worker, query-worker, garbage-collector,
webui) reference the chart-managed Secret as a volume source.

Command (verify configmap sets aws_config_directory):

helm template test tools/deployment/package-helm/ \
  --set-file clpConfig.aws_config.credentials=$HOME/.aws/credentials \
  --set-file clpConfig.aws_config.config=$HOME/.aws/config \
  2>&1 | grep -A1 "aws_config_directory"

Output:

    aws_config_directory: "/opt/clp/.aws"

The configmap correctly hardcodes the aws_config_directory path when aws_config is provided.

Single-node cluster: S3 compress, search, and stream extraction

Task: Deploy with set-up-test.sh, upgrade with S3 + aws_config, and verify compress, search, and stream extraction all work.

Command:

cd tools/deployment/package-helm && bash set-up-test.sh

Output:

All jobs completed and services are ready.

Command (upgrade with S3 + aws_config):

helm upgrade test ../../tools/deployment/package-helm/ \
  -f test-s3-values.yaml \
  --set-file clpConfig.aws_config.credentials=$HOME/.aws/credentials \
  --set-file clpConfig.aws_config.config=$HOME/.aws/config

Output:

Release "test" has been upgraded. Happy Helming!
STATUS: deployed
REVISION: 2

Command (verify Secret exists and contains expected keys):

kubectl get secret test-clp-aws-config -o jsonpath='{.data}' | python3 -c "import sys,json; print(list(json.load(sys.stdin).keys()))"

Output:

['config', 'credentials']

Command (submit S3 compression job):

curl -sv -X POST http://localhost:30302/s3_scanner -H "Content-Type: application/json" \
  -d '{"bucket_name": "<BUCKET_NAME>", "key_prefix": "<KEY_PREFIX>",
       "region": "<REGION>", "timestamp_key": "timestamp",
       "buffer_config": {"flush_threshold_bytes": 1, "timeout_sec": 10}}'

Output:

{"id":1}

Command (check compression worker logs):

kubectl logs -l app.kubernetes.io/component=compression-worker --tail=5

Output:

[job_id=1 task_id=1] COMPRESSION STARTED.
Uploading archive 69daee8f-9d42-40b8-ac63-efbd842f2e80 to S3...
Finished uploading archive 69daee8f-9d42-40b8-ac63-efbd842f2e80 to S3.
[job_id=1 task_id=1] COMPRESSION COMPLETED.

Explanation: The compression worker successfully read the AWS credentials from the Secret-mounted volume at /opt/clp/.aws, connected to S3, and uploaded the archive.

Command (search via Playwright):

Search for postgres in the WebUI.

Result: Success - search job 3 found 10 results in 0.301 seconds (13.4 kB/s)

Command (stream extraction via Playwright):

Click "Original file" link on a search result.

Result: New tab opens showing the decompressed stream file contents from S3 — confirms the
webui correctly reads AWS config from the Secret-mounted volume.

Multi-node shared cluster: S3 compress and search

Task: Deploy with set-up-multi-shared-test.sh, upgrade with S3 + aws_config, and verify
compress and search work across worker nodes.

Command:

cd tools/deployment/package-helm && bash set-up-multi-shared-test.sh

Output:

All jobs completed and services are ready.

Command (upgrade + compress + search):

helm upgrade test ../../tools/deployment/package-helm/ \
  -f test-s3-values.yaml \
  --set-file clpConfig.aws_config.credentials=$HOME/.aws/credentials \
  --set-file clpConfig.aws_config.config=$HOME/.aws/config \
  --set "distributedDeployment=true" \
  --set "compressionWorker.replicas=2" \
  --set "queryWorker.replicas=2" \
  --set "reducer.replicas=2"

Output:

Release "test" has been upgraded. Happy Helming!
STATUS: deployed
REVISION: 2

Result: S3 compression completed successfully. Search found 10 results in 0.352 seconds.

Multi-node dedicated cluster: S3 compress, search, and stream extraction

Task: Deploy with set-up-multi-dedicated-test.sh, upgrade with S3 + aws_config (including nodeSelector), and verify compress, search, and stream extraction work on dedicated worker nodes.

Command:

cd tools/deployment/package-helm && bash set-up-multi-dedicated-test.sh

Output:

All jobs completed and services are ready.

Command (upgrade with nodeSelector):

helm upgrade test ../../tools/deployment/package-helm/ \
  -f test-s3-values.yaml \
  --set-file clpConfig.aws_config.credentials=$HOME/.aws/credentials \
  --set-file clpConfig.aws_config.config=$HOME/.aws/config \
  --set "distributedDeployment=true" \
  --set "compressionWorker.replicas=2" \
  --set "compressionWorker.scheduling.nodeSelector.yscope\.io/nodeType=compression" \
  --set "queryWorker.replicas=2" \
  --set "queryWorker.scheduling.nodeSelector.yscope\.io/nodeType=query" \
  --set "reducer.replicas=2" \
  --set "reducer.scheduling.nodeSelector.yscope\.io/nodeType=query"

Output:

Release "test" has been upgraded. Happy Helming!
STATUS: deployed
REVISION: 2

Result: S3 compression completed successfully. Search found 10 results in 0.317 seconds. Stream extraction via "Original file" link opened a new tab showing the decompressed file contents from S3.

Summary by CodeRabbit

  • Chores
    • Bumped Helm chart to 0.3.0-dev.1 and app version to 0.11.1-dev.
    • AWS configuration is now supplied via chart values (inline content) instead of pointing to host directories and is generated as a chart-managed Secret mounted into pods.
    • Enabling of AWS config mounts is controlled by a new aws_config setting.

@junhaoliao junhaoliao requested a review from a team as a code owner April 1, 2026 22:46
coderabbitai bot commented Apr 1, 2026

Walkthrough

Chart version bumped; AWS config moved from a hostPath directory value to a chart-managed Secret. Templates, helpers, values and deployments were updated to use .Values.clpConfig.aws_config, render an aws-config Secret, and mount it at /opt/clp/.aws when enabled.

Changes

  • Chart Versioning (tools/deployment/package-helm/Chart.yaml): Bumped chart version to 0.3.0-dev.1 and appVersion to 0.11.1-dev.
  • Template Helpers & Secret (tools/deployment/package-helm/templates/_helpers.tpl, tools/deployment/package-helm/templates/aws-config-secret.yaml): clp.awsConfigVolumeMount now uses fixed mountPath: "/opt/clp/.aws"; clp.awsConfigVolume changed from a hostPath to a secret referencing {{ include "clp.fullname" . }}-aws-config. Added conditional aws-config Secret template sourcing .Values.clpConfig.aws_config.
  • Deployment Conditionals (tools/deployment/package-helm/templates/compression-scheduler-deployment.yaml, .../compression-worker-deployment.yaml, .../garbage-collector-deployment.yaml, .../query-worker-deployment.yaml, .../webui-deployment.yaml): All deployment templates now gate inclusion of the AWS config volumeMount and volume on .Values.clpConfig.aws_config (replacing checks for .Values.clpConfig.aws_config_directory).
  • ConfigMap & Values (tools/deployment/package-helm/templates/configmap.yaml, tools/deployment/package-helm/values.yaml): clp-config now hard-codes aws_config_directory: "/opt/clp/.aws" when enabled; values.yaml replaces aws_config_directory with a new aws_config key intended to supply secret contents (e.g., via --set-file).

Sequence diagram (mermaid):

sequenceDiagram
participant Helm as Helm chart renderer
participant K8sAPI as Kubernetes API
participant Pod as Pod / Container
Helm->>Helm: Read .Values.clpConfig.aws_config
alt aws_config set
Helm->>K8sAPI: Render & apply Secret (clp-fullname-aws-config)
Helm->>K8sAPI: Render Deployments mounting Secret at /opt/clp/.aws
K8sAPI->>Pod: Mount Secret into Pod filesystem at /opt/clp/.aws
Pod->>Pod: Application reads AWS config from /opt/clp/.aws
else aws_config not set
Helm->>K8sAPI: Do not render Secret or mounts
end


coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tools/deployment/package-helm/values.yaml`:
- Around line 259-265: Add a new Helm Secret template named
aws-config-secret.yaml that mirrors the pattern used by database-secret.yaml,
queue-secret.yaml, and redis-secret.yaml: read clpConfig.aws_config.credentials
and clpConfig.aws_config.config values and create a Secret (named using the
release name, e.g., {{ include "clp.fullname" . }}-aws-config) with keys for
credentials and config so the clp.awsConfigVolume helper can mount them into
pods; ensure the template is conditional on .Values.clpConfig.aws_config not
being null and uses proper tpl/quote handling for multi-line file content.

📥 Commits

Reviewing files that changed from the base of the PR and between 22c1275 and de74347.

📒 Files selected for processing (9)
  • tools/deployment/package-helm/Chart.yaml
  • tools/deployment/package-helm/templates/_helpers.tpl
  • tools/deployment/package-helm/templates/compression-scheduler-deployment.yaml
  • tools/deployment/package-helm/templates/compression-worker-deployment.yaml
  • tools/deployment/package-helm/templates/configmap.yaml
  • tools/deployment/package-helm/templates/garbage-collector-deployment.yaml
  • tools/deployment/package-helm/templates/query-worker-deployment.yaml
  • tools/deployment/package-helm/templates/webui-deployment.yaml
  • tools/deployment/package-helm/values.yaml

@junhaoliao junhaoliao requested a review from hoophalab April 1, 2026 22:53
coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tools/deployment/package-helm/templates/aws-config-secret.yaml`:
- Around line 8-14: When .Values.clpConfig.aws_config is present but neither
.Values.clpConfig.aws_config.credentials nor .Values.clpConfig.aws_config.config
is provided, the two with-blocks in the stringData section (credentials and
config) are skipped producing an empty stringData; add a Helm validation check
that detects this case and fails early with a clear message (e.g., using an if
that tests .Values.clpConfig.aws_config and the absence of both
.Values.clpConfig.aws_config.credentials and
.Values.clpConfig.aws_config.config, then call fail with a descriptive message)
so templates/aws-config-secret.yaml does not render an empty secret.

📥 Commits

Reviewing files that changed from the base of the PR and between de74347 and 48424d4.

📒 Files selected for processing (1)
  • tools/deployment/package-helm/templates/aws-config-secret.yaml

hoophalab left a comment

Overall good. Some comments.

{{- define "clp.awsConfigVolumeMount" -}}
name: "aws-config"
mountPath: {{ .Values.clpConfig.aws_config_directory | quote }}
mountPath: "/opt/clp/.aws"
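Review bot: the literal `mountPath: "/opt/clp/.aws"` replaces a value that was read from `.Values.clpConfig.aws_config_directory`, so nothing in the helper now records where the path comes from or what else has to agree with it (the configmap template renders the same literal for `aws_config_directory`). Add a comment above the `mountPath:` line naming the constant this must stay in sync with, or define the path once as a named template and include it from both the helper and the configmap so the two cannot drift apart.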

Can we comment that this variable needs to be in sync with CONTAINER_AWS_CONFIG_DIRECTORY in clp_py_utils/clp_config.py?

{{- if .Values.clpConfig.aws_config_directory }}
aws_config_directory: {{ .Values.clpConfig.aws_config_directory | quote }}
{{- if .Values.clpConfig.aws_config }}
aws_config_directory: "/opt/clp/.aws"
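Review bot: `{{- if .Values.clpConfig.aws_config }}` is a plain truthiness test, so an `aws_config` map that sets neither `credentials` nor `config` still renders `aws_config_directory: "/opt/clp/.aws"` while the Secret rendered for the same values would carry no data. Guard this with an explicit test of the two keys (or a `fail` with a clear message when both are absent) so the configmap and the Secret template cannot disagree about whether AWS config is present.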

Since the package doesn't actually handle the volume mount in Helm, this variable could be set to any string, null, or even omitted entirely, right?

hoophalab commented

Shall we update https://docs.yscope.com/clp/main/user-docs/guides-using-object-storage/aws-s3/clp-config.html#profile as well?
