feat: Allow helm chart to separate Kubewatch and Robusta Runner

[hfoxy]

Summary

Allow the Helm chart installation to be separated, providing support for a source and destination cluster. Not all features are supported in this way, for example some graphs and logs are not included in alerts.

Testing

We have been running this version of the Helm chart for a few weeks now without issue other than the above mentioned.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[coderabbitai]

Walkthrough

This pull request adds conditional rendering to Helm chart templates using enabled flags for the kubewatch forwarder and runner services. The service account resources now require both the enabled and createServiceAccount flags to be true, while deployment manifests and configuration resources are gated solely by their respective enabled flags. New configuration values introduce kubewatch.enabled, runner.enabled, and kubewatch.overrideUrl to the values file.

Changes

Cohort / File(s)	Summary
Service Account Templates helm/robusta/templates/forwarder-service-account.yaml, helm/robusta/templates/runner-service-account.yaml	Added .Values.*.enabled checks alongside existing createServiceAccount conditions to gate ClusterRole rendering; fixed trailing newlines.
Deployment Templates helm/robusta/templates/forwarder.yaml, helm/robusta/templates/runner.yaml	Wrapped deployment and related manifests with .Values.*.enabled conditionals to prevent resource creation when services are disabled.
Configuration Files helm/robusta/templates/kubewatch-configmap.yaml, helm/robusta/templates/playbooks-config.yaml, helm/robusta/values.yaml	Conditioned configmap and playbooks-config secret rendering on enabled flags; added kubewatch.enabled, kubewatch.overrideUrl, and runner.enabled to values with configurable endpoint URL fallback.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• ROB-2586 allow disable svc account #1959: Both PRs modify the same service-account templates to gate RBAC rendering—that PR introduces the initial createServiceAccount guard, while this PR extends it to additionally require .Values.*.enabled checks.

Suggested reviewers

• arikalon1

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'feat: Allow helm chart to separate Kubewatch and Robusta Runner' directly describes the main change: adding support for separating Kubewatch and Runner components via Helm configuration options.
Description check	✅ Passed	The description explains the purpose (multi-cluster support with separate source/destination clusters), acknowledges testing, and notes feature limitations, all relevant to the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 7/8 reviews remaining, refill in 7 minutes and 30 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

helm/robusta/templates/forwarder-service-account.yaml (1)

1-1: ⚡ Quick win

Guard against missing forwarder ServiceAccount when creation is disabled.

Line 1 can suppress SA creation while helm/robusta/templates/forwarder.yaml Line 32 still defaults to {{ include "robusta.fullname" . }}-forwarder-service-account. With kubewatch.enabled=true, kubewatch.createServiceAccount=false, and empty kubewatch.customServiceAccount, the Deployment references a non-existent SA.

Proposed guard

+{{- if and .Values.kubewatch.enabled (not .Values.kubewatch.createServiceAccount) (empty .Values.kubewatch.customServiceAccount) }}
+{{- fail "kubewatch.customServiceAccount must be set when kubewatch.createServiceAccount=false" }}
+{{- end }}
 {{- if and .Values.kubewatch.enabled .Values.kubewatch.createServiceAccount }}
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@helm/robusta/templates/forwarder-service-account.yaml` at line 1, The
Deployment may reference a non-existent ServiceAccount because
forwarder-service-account.yaml only creates the SA when
.Values.kubewatch.createServiceAccount is true while forwarder.yaml
unconditionally sets serviceAccountName to {{ include "robusta.fullname" .
}}-forwarder-service-account; update forwarder.yaml’s serviceAccountName logic
to guard: set serviceAccountName to .Values.kubewatch.customServiceAccount if
provided, otherwise only set the generated "{{ include "robusta.fullname" .
}}-forwarder-service-account" when .Values.kubewatch.createServiceAccount is
true (or omit the field entirely when neither is true), using the same keys
(.Values.kubewatch.enabled, .Values.kubewatch.createServiceAccount,
.Values.kubewatch.customServiceAccount) to locate and fix the issue.

helm/robusta/templates/runner-service-account.yaml (1)

1-1: ⚡ Quick win

Add a fail-fast guard for service-account configuration mismatch.

Line 1 can skip SA creation while helm/robusta/templates/runner.yaml Line 35 still defaults the Deployment to {{ include "robusta.fullname" . }}-runner-service-account. If runner.enabled=true, runner.createServiceAccount=false, and runner.customServiceAccount is empty, the rendered Deployment points to a missing SA.

Proposed guard

+{{- if and .Values.runner.enabled (not .Values.runner.createServiceAccount) (empty .Values.runner.customServiceAccount) }}
+{{- fail "runner.customServiceAccount must be set when runner.createServiceAccount=false" }}
+{{- end }}
 {{- if and .Values.runner.enabled .Values.runner.createServiceAccount }}
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@helm/robusta/templates/runner-service-account.yaml` at line 1, Add a
fail-fast guard that errors during chart rendering when runner.enabled is true,
runner.createServiceAccount is false, and runner.customServiceAccount is empty
so the Deployment in templates/runner.yaml won't reference a missing SA;
implement this by adding a conditional check using .Values.runner.enabled,
.Values.runner.createServiceAccount and .Values.runner.customServiceAccount
(e.g. in templates/runner-service-account.yaml or at the top of
templates/runner.yaml) and call Helm's fail with a clear message when the
condition is met.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@helm/robusta/templates/kubewatch-configmap.yaml`:
- Line 11: The current default in kubewatch-configmap.yaml unconditionally falls
back to "http://{{ include "robusta.fullname" . }}-runner:80/api/handle", which
silently routes to a non-existent service when .Values.runner.enabled is false;
change the url logic to fail-fast or require an explicit override: update the
url template (the line using include "robusta.fullname" and
.Values.kubewatch.overrideUrl) to check .Values.runner.enabled and either (a)
use the runner URL only when .Values.runner.enabled is true, or (b) call
required("kubewatch.overrideUrl must be set when runner.enabled=false",
.Values.kubewatch.overrideUrl) when runner.enabled is false so Helm template
rendering fails unless an explicit override is provided; reference the include
"robusta.fullname", .Values.kubewatch.overrideUrl and .Values.runner.enabled
symbols when making the change.

---

Nitpick comments:
In `@helm/robusta/templates/forwarder-service-account.yaml`:
- Line 1: The Deployment may reference a non-existent ServiceAccount because
forwarder-service-account.yaml only creates the SA when
.Values.kubewatch.createServiceAccount is true while forwarder.yaml
unconditionally sets serviceAccountName to {{ include "robusta.fullname" .
}}-forwarder-service-account; update forwarder.yaml’s serviceAccountName logic
to guard: set serviceAccountName to .Values.kubewatch.customServiceAccount if
provided, otherwise only set the generated "{{ include "robusta.fullname" .
}}-forwarder-service-account" when .Values.kubewatch.createServiceAccount is
true (or omit the field entirely when neither is true), using the same keys
(.Values.kubewatch.enabled, .Values.kubewatch.createServiceAccount,
.Values.kubewatch.customServiceAccount) to locate and fix the issue.

In `@helm/robusta/templates/runner-service-account.yaml`:
- Line 1: Add a fail-fast guard that errors during chart rendering when
runner.enabled is true, runner.createServiceAccount is false, and
runner.customServiceAccount is empty so the Deployment in templates/runner.yaml
won't reference a missing SA; implement this by adding a conditional check using
.Values.runner.enabled, .Values.runner.createServiceAccount and
.Values.runner.customServiceAccount (e.g. in
templates/runner-service-account.yaml or at the top of templates/runner.yaml)
and call Helm's fail with a clear message when the condition is met.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 245fa5bc-3828-4599-be34-66d6ed549617

📥 Commits

Reviewing files that changed from the base of the PR and between b147fb8 and dc8f041.

📒 Files selected for processing (7)

• helm/robusta/templates/forwarder-service-account.yaml
• helm/robusta/templates/forwarder.yaml
• helm/robusta/templates/kubewatch-configmap.yaml
• helm/robusta/templates/playbooks-config.yaml
• helm/robusta/templates/runner-service-account.yaml
• helm/robusta/templates/runner.yaml
• helm/robusta/values.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Prevent silent misrouting when runner is disabled.

Line 11 falls back to http://<release>-runner:80/api/handle even when runner.enabled=false (see helm/robusta/templates/runner.yaml Line 1). In multi-cluster mode this can silently route to a non-existent local service unless kubewatch.overrideUrl is set.

Proposed fail-fast validation

 {{- if .Values.kubewatch.enabled }}
+{{- if and (not .Values.runner.enabled) (empty .Values.kubewatch.overrideUrl) }}
+{{- fail "kubewatch.overrideUrl must be set when runner.enabled=false" }}
+{{- end }}
 apiVersion: v1
 kind: ConfigMap
 metadata:

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@helm/robusta/templates/kubewatch-configmap.yaml` at line 11, The current
default in kubewatch-configmap.yaml unconditionally falls back to "http://{{
include "robusta.fullname" . }}-runner:80/api/handle", which silently routes to
a non-existent service when .Values.runner.enabled is false; change the url
logic to fail-fast or require an explicit override: update the url template (the
line using include "robusta.fullname" and .Values.kubewatch.overrideUrl) to
check .Values.runner.enabled and either (a) use the runner URL only when
.Values.runner.enabled is true, or (b) call required("kubewatch.overrideUrl must
be set when runner.enabled=false", .Values.kubewatch.overrideUrl) when
runner.enabled is false so Helm template rendering fails unless an explicit
override is provided; reference the include "robusta.fullname",
.Values.kubewatch.overrideUrl and .Values.runner.enabled symbols when making the
change.