feat(aisix-cloud): add AISIX private-deployment control-plane chart

[jarvis9443]

Part of api7/AISIX-Cloud#789 (AISIX CP private/offline deployment).

Publishes the AISIX control plane (cp-api, dp-manager, dashboard) as a public Helm chart so users can install it from https://charts.api7.ai:

helm repo add api7 https://charts.api7.ai
helm install my-aisix api7/aisix-cloud --namespace aisix --create-namespace

Details

• Ported from api7/AISIX-Cloud helm/aisix-cloud (that internal copy stays the source of truth — it's what the dev ArgoCD app + ci-helm deploy). Uses the aisix-cp-* image names.
• For public use the image tags now default to the chart appVersion (and the DP image to ghcr.io/api7/aisix:<appVersion>), so a versioned install pulls matching release images instead of :dev.
• Independently versioned (like ingress-controller / developer-portal-fe): chart 0.1.0, appVersion 0.1.0.
• Added to ct lint + helm-docs (README generated). Not added to ct install — there's no published release image at the appVersion yet, and real install coverage already runs in the AISIX-Cloud ci-helm pipeline (builds images from source + installs into kind).

Merge ordering

This chart references aisix-cp-*:0.1.0 / aisix:0.1.0 images, which don't exist until the first v0.1.0 release of the data-plane + control-plane repos. Merge this after that release so the published chart resolves to real images. (CI here only lints/renders, so it's green regardless.)

Summary by CodeRabbit

• New Features

  • Added the AISIX Cloud Helm chart to deploy the control plane API, dashboard UI, and data-plane manager.
  • Supports PostgreSQL using either built-in provisioning or an external database/secret, with configurable services, security contexts, and resource/scheduling options.

• Documentation

  • Added chart README and deployment NOTES with access guidance and exposure instructions.

• Chores

  • Updated CI linting to include the ingress-controller chart.
  • Expanded the chart/version matrix and improved chart packaging to exclude Git metadata.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2c9d0ad1-a433-4190-9728-71bb505b0207

📥 Commits

Reviewing files that changed from the base of the PR and between ae5f0b5 and 9186a63.

📒 Files selected for processing (2)

• charts/aisix-cloud/templates/NOTES.txt
• charts/aisix-cloud/templates/_helpers.tpl

✅ Files skipped from review due to trivial changes (1)

• charts/aisix-cloud/templates/NOTES.txt

🚧 Files skipped from review as they are similar to previous changes (1)

• charts/aisix-cloud/templates/_helpers.tpl

---

📝 Walkthrough

Walkthrough

Adds a complete new aisix-cloud Helm chart with chart metadata, a 186-line values schema, shared template helpers, Kubernetes Deployments and Services for three components (api, dpm, ui), credential Secrets with helm-time validation, a conditional ServiceAccount, and user-facing docs. CI lint and AGENTS.md are updated to register the new chart.

Changes

aisix-cloud Helm Chart

Layer / File(s)	Summary
Chart metadata, values schema, and CI registration charts/aisix-cloud/Chart.yaml, charts/aisix-cloud/.helmignore, charts/aisix-cloud/values.yaml, AGENTS.md, .github/workflows/ci.yaml	Defines chart identity with a conditional Bitnami PostgreSQL dependency, the full values schema for all components (global, api, dpm, ui, serviceAccount, secrets, postgresql, externalDatabase), and registers the chart in AGENTS.md and the CI lint target list.
Helm template helpers charts/aisix-cloud/templates/_helpers.tpl	Adds all shared helpers: naming/label generation, PostgreSQL connection parameter resolution switching between builtin and external modes, databaseURL construction with runtime $(PGPASSWORD) substitution, secret name resolution, serviceAccountName branching, imagePullSecrets, and the pgWaitInitContainer init-container template using pg_isready.
Credential secrets and ServiceAccount charts/aisix-cloud/templates/secret.yaml, charts/aisix-cloud/templates/external-db-secret.yaml, charts/aisix-cloud/templates/serviceaccount.yaml	Renders a master-key/better-auth-secret Secret with helm-time validation rejecting empty or CHANGE_ME placeholders, optional PostgreSQL credential validation for builtin mode, a conditional external DB password Secret, and a conditional ServiceAccount with automountServiceAccountToken: false.
API (cp-api) Deployment and Service charts/aisix-cloud/templates/api-deployment.yaml, charts/aisix-cloud/templates/api-service.yaml	Deployment with pgWaitInitContainer, env vars for DB URL, master-key, dashboard URL, DPMGR URL, OAuth toggle, and DP image; HTTP /healthz probes on port 8080; Service exposing that port.
DPM Deployment and Service charts/aisix-cloud/templates/dpm-deployment.yaml, charts/aisix-cloud/templates/dpm-service.yaml	Deployment exposing TLS port 7944 with pgWaitInitContainer, PG password and master-key from Secrets, TCP liveness/readiness probes; Service with optional nodePort field when type is NodePort.
UI Deployment and Service charts/aisix-cloud/templates/ui-deployment.yaml, charts/aisix-cloud/templates/ui-service.yaml	Deployment exposing HTTP port 3000 with secret-backed PGPASSWORD/BETTER_AUTH_SECRET, database URL, and locale env vars, plus HTTP probes on /; Service parameterized from ui.service.*.
Chart README and NOTES.txt charts/aisix-cloud/README.md, charts/aisix-cloud/templates/NOTES.txt	README provides a full values reference table; NOTES.txt gives post-install access instructions with a conditional branch between NodePort and ClusterIP data-plane exposure guidance.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

🚥 Pre-merge checks | ✅ 5 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
E2e Test Quality Review	❓ Inconclusive	The custom check expects E2E tests and application code quality review, but this PR is purely a Helm chart infrastructure publication with no test code. The check criteria are inapplicable to this...	This PR adds Helm chart templates for AISIX control plane, not application code. The custom check appears designed for application/code PRs with test suites. For Helm charts, relevant checks are: syntax validation (ct lint ✓), schema val...

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding a new Helm chart for the AISIX Cloud control plane to the repository, which is the primary focus of this pull request.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Security Check	✅ Passed	The Helm chart implements proper secret handling with base64 encoding, environment variable-based password injection, and render-time validation rejecting placeholder values. No hardcoded credentia...

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/add-aisix-cloud-chart

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@charts/aisix-cloud/templates/_helpers.tpl`:
- Around line 131-143: The aisix-cloud.pgSecretName template definition does not
check for postgresql.auth.existingSecret when postgresql.builtin is true,
causing the template to always return a generated secret name and ignore any
existing secret the user has configured. In the builtin branch (the first if
block starting with postgresql.builtin), add a condition to check if
postgresql.auth.existingSecret is set and return that value before falling back
to checking postgresql.fullnameOverride or the default generated PostgreSQL
secret name.

In `@charts/aisix-cloud/templates/NOTES.txt`:
- Line 33: The NOTES.txt file contains a hardcoded reference to
ghcr.io/api7/aisix:dev which uses the mutable dev tag instead of a versioned
release tag. Replace the :dev tag suffix with a Helm template variable that
references the actual chart version or app version (typically using {{
.Chart.AppVersion }} or {{ .Chart.Version }}) to ensure users are directed to
stable, versioned images that align with the chart's versioned-install contract.

In `@charts/aisix-cloud/templates/ui-deployment.yaml`:
- Line 4: The metadata.name field in the ui-deployment.yaml file contains an
unquoted Helm template expression that can cause YAML parsing failures when
tooling reads the template before Helm rendering. Wrap the entire value of the
name field (which contains the include "aisix-cloud.fullname" helper and the
"-ui" suffix) in double quotes to properly escape the template expression and
prevent YAML parser breakage.

In `@charts/aisix-cloud/templates/ui-service.yaml`:
- Line 4: The metadata.name field in the ui-service.yaml template contains an
unquoted templated value that poses a YAML parsing risk. Wrap the templated
value `{{ include "aisix-cloud.fullname" . }}-ui` in quotes (either single or
double) to ensure proper YAML parsing and compatibility with static analysis
tools. This change should be applied to the name field in the metadata section
to match the same quoting pattern that should be used for templated values.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 67e91771-78d6-435a-8c86-c8a240ea1852

📥 Commits

Reviewing files that changed from the base of the PR and between f82a6e7 and ae5f0b5.

⛔ Files ignored due to path filters (1)

• charts/aisix-cloud/Chart.lock is excluded by !**/*.lock

📒 Files selected for processing (18)

• .github/workflows/ci.yaml
• AGENTS.md
• charts/aisix-cloud/.helmignore
• charts/aisix-cloud/Chart.yaml
• charts/aisix-cloud/README.md
• charts/aisix-cloud/charts/postgresql-12.12.10.tgz
• charts/aisix-cloud/templates/NOTES.txt
• charts/aisix-cloud/templates/_helpers.tpl
• charts/aisix-cloud/templates/api-deployment.yaml
• charts/aisix-cloud/templates/api-service.yaml
• charts/aisix-cloud/templates/dpm-deployment.yaml
• charts/aisix-cloud/templates/dpm-service.yaml
• charts/aisix-cloud/templates/external-db-secret.yaml
• charts/aisix-cloud/templates/secret.yaml
• charts/aisix-cloud/templates/serviceaccount.yaml
• charts/aisix-cloud/templates/ui-deployment.yaml
• charts/aisix-cloud/templates/ui-service.yaml
• charts/aisix-cloud/values.yaml