bluewave-labs · KarolayneAmabile · May 12, 2026
@@ -1,6 +1,16 @@
 apiVersion: v2
 name: checkmate-chart
-description: A Helm chart for Checkmate App
+description: Helm chart for Checkmate — open-source uptime and infrastructure monitoring
 type: application
-version: 0.1.0
+version: 0.2.0
 appVersion: "2.3"
+keywords:
+  - monitoring
+  - uptime
+  - infrastructure
+  - observability
+  - checkmate
+home: https://github.com/bluewave-labs/Checkmate
+maintainers:
+  - name: Bluewave Labs
+    url: https://github.com/bluewave-labs
@@ -21,24 +21,22 @@ cd checkmate/charts/helm/checkmate
 Edit `values.yaml` to update:
 - `client.ingress.host` and `server.ingress.host` with your domain names
 - `server.protocol` (usually http or https)
-- **If upgrading**: Migrate persistence settings from flat structure to nested:
-  - Old: `persistence.mongodbSize` → New: `persistence.mongo.size`
-  - Old: `persistence.redisSize` → New: `persistence.redis.size`
-  - Add: `persistence.mongo.storageClass` and `persistence.redis.storageClass` (leave empty for default)
-- Secrets under the `secrets` section (`JWT_SECRET`, email credentials, API keys, etc.) — replace all change_me values
+- Secrets under the `secrets` section (`JWT_SECRET`, email credentials, API keys, etc.) — replace all `change_me` values
 - **For TLS/HTTPS**: Configure ingress TLS settings (see section below)
+- **For external databases**: Set `mongodb.enabled: false` and provide `secrets.DB_CONNECTION_STRING`, or set `redis.enabled: true` to use the bundled Redis
+- **To use a pre-existing Kubernetes Secret**: Set `secrets.existingSecret: "your-secret-name"` instead of inline values
 
 ### 3. Deploy the Helm chart
 ```bash
-helm install checkmate ./charts/helm/checkmate
+helm install checkmate ./charts/helm/checkmate --namespace checkmate --create-namespace
 ```
-This will deploy the client, server, MongoDB, and Redis components.
+This will deploy the client, server, and MongoDB. Redis is disabled by default — set `redis.enabled: true` in `values.yaml` to include it.
 
 ### 4. Verify the deployment
 Check pods and services:
 ```bash
-kubectl get pods
-kubectl get svc
+kubectl get pods -n checkmate
+kubectl get svc -n checkmate
 ```
 
 Once all pods are `Running` and `Ready`, you can access Checkmate via the configured ingress hosts.
@@ -72,7 +70,7 @@ server:
   protocol: https
   ingress:
     enabled: true
-    host: checkmate.example.com
+    host: api.checkmate.example.com
     className: nginx
     annotations:
       cert-manager.io/cluster-issuer: "letsencrypt-prod"
@@ -103,14 +101,27 @@ After deployment, cert-manager will automatically create the TLS secrets. You ca
 
 ```bash
 # Check certificates
-kubectl get certificates
+kubectl get certificates -n checkmate
 
 # Check certificate details
-kubectl describe certificate checkmate-client-tls
-kubectl describe certificate checkmate-server-tls
+kubectl describe certificate checkmate-client-tls -n checkmate
+kubectl describe certificate checkmate-server-tls -n checkmate
 
 # Verify the secrets were created
-kubectl get secrets | grep checkmate-tls
+kubectl get secrets -n checkmate | grep tls
 ```
 
 The ingress will automatically use these secrets to enable HTTPS access to your Checkmate instance.
+
+## Upgrading from v0.1.x
+
+Persistence keys moved to component-scoped locations. The old keys are still accepted for backward compatibility, but new installations should use the new paths:
+
+| Old (v0.1.x)                    | New (v0.2.0+)                      |
+|---------------------------------|------------------------------------|
+| `persistence.mongo.size`        | `mongodb.persistence.size`         |
+| `persistence.redis.size`        | `redis.persistence.size`           |
+| `persistence.mongo.storageClass`| `mongodb.persistence.storageClass` |
+| `persistence.redis.storageClass`| `redis.persistence.storageClass`   |
+
+Redis is now disabled by default. If you were using the bundled Redis, add `redis.enabled: true` to your values.
@@ -0,0 +1,68 @@
+Thank you for installing {{ .Chart.Name }} v{{ .Chart.AppVersion }}!
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+ACCESSING CHECKMATE
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+{{- if .Values.client.ingress.enabled }}
+
+  Frontend  ➜  {{ .Values.client.protocol }}://{{ .Values.client.ingress.host }}
+{{- else if .Values.client.httproute.enabled }}
+  {{- if .Values.client.httproute.hostnames }}
+
+  Frontend  ➜  {{ .Values.client.protocol }}://{{ first .Values.client.httproute.hostnames }}
+  {{- else }}
+
+  Frontend  ➜  (HTTPRoute — check your Gateway for the external address)
+  {{- end }}
+{{- end }}
+{{- if .Values.server.ingress.enabled }}
+  API       ➜  {{ .Values.server.protocol }}://{{ .Values.server.ingress.host }}/api/v1
+  Docs      ➜  {{ .Values.server.protocol }}://{{ .Values.server.ingress.host }}/api-docs
+{{- else if .Values.server.httproute.enabled }}
+  {{- if .Values.server.httproute.hostnames }}
+  API       ➜  {{ .Values.server.protocol }}://{{ first .Values.server.httproute.hostnames }}/api/v1
+  Docs      ➜  {{ .Values.server.protocol }}://{{ first .Values.server.httproute.hostnames }}/api-docs
+  {{- else }}
+  API       ➜  (HTTPRoute — check your Gateway for the external address)
+  {{- end }}
+{{- end }}
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+VERIFY PODS
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+  kubectl get pods -n {{ include "checkmate.namespace" . }} \
+    -l app.kubernetes.io/instance={{ .Release.Name }}
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+DATABASES
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+{{- if .Values.mongodb.enabled }}
+
+  MongoDB  ✔ in-cluster StatefulSet
+             ({{ include "checkmate.fullname" . }}-mongodb.{{ include "checkmate.namespace" . }}.svc)
+{{- else }}
+
+  MongoDB  ✔ external — ensure secrets.DB_CONNECTION_STRING is correct
+{{- end }}
+{{- if .Values.redis.enabled }}
+
+  Redis    ✔ in-cluster StatefulSet
+             ({{ include "checkmate.fullname" . }}-redis.{{ include "checkmate.namespace" . }}.svc)
+{{- else }}
+
+  Redis    — disabled
+             Set redis.enabled=true to deploy Redis,
+             or add REDIS_HOST/REDIS_PORT to secrets for an external instance.
+{{- end }}
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+SECRETS MODE
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+{{- if .Values.secrets.existingSecret }}
+
+  Using existing Secret: {{ .Values.secrets.existingSecret }}
+{{- else }}
+
+  Using chart-managed Secret: {{ include "checkmate.fullname" . }}-secrets
+{{- end }}
@@ -0,0 +1,205 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "checkmate.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully-qualified app name, truncated at 63 chars.
+If the release name already contains the chart name, the chart name is omitted.
+*/}}
+{{- define "checkmate.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Chart name + version as a label value.
+*/}}
+{{- define "checkmate.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Namespace — honours namespaceOverride when set.
+*/}}
+{{- define "checkmate.namespace" -}}
+{{- default .Release.Namespace .Values.namespaceOverride }}
+{{- end }}
+
+{{/*
+Common labels applied to every resource (includes chart version — do not use in selectors).
+*/}}
+{{- define "checkmate.labels" -}}
+helm.sh/chart: {{ include "checkmate.chart" . }}
+{{ include "checkmate.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- with .Values.global.labels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels — immutable after first deploy, must NOT include chart version.
+*/}}
+{{- define "checkmate.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "checkmate.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Component-specific selector labels (used in Deployment.spec.selector and Service.spec.selector).
+Usage: {{ include "checkmate.componentSelectorLabels" (dict "root" . "component" "client") }}
+*/}}
+{{- define "checkmate.componentSelectorLabels" -}}
+{{ include "checkmate.selectorLabels" .root }}
+app.kubernetes.io/component: {{ .component }}
+{{- end }}
+
+{{/*
+Full label set for a specific component (common labels + component selector).
+Usage: {{ include "checkmate.componentLabels" (dict "root" . "component" "client") }}
+*/}}
+{{- define "checkmate.componentLabels" -}}
+{{ include "checkmate.labels" .root }}
+app.kubernetes.io/component: {{ .component }}
+{{- end }}
+
+{{/*
+Name of the Secret resource holding server environment variables.
+Returns the existingSecret name when provided, otherwise the chart-generated name.
+*/}}
+{{- define "checkmate.secretName" -}}
+{{- if .Values.secrets.existingSecret }}
+{{- .Values.secrets.existingSecret }}
+{{- else }}
+{{- printf "%s-secrets" (include "checkmate.fullname" .) }}
+{{- end }}
+{{- end }}
+
+{{/*
+Derive the MongoDB connection string.
+Priority: explicit secrets.DB_CONNECTION_STRING > auto-generated (when mongodb.enabled) > fail.
+*/}}
+{{- define "checkmate.mongodbConnectionString" -}}
+{{- if .Values.secrets.DB_CONNECTION_STRING }}
+{{- .Values.secrets.DB_CONNECTION_STRING }}
+{{- else if .Values.mongodb.enabled }}
+{{- printf "mongodb://%s-mongodb.%s.svc:%d/uptime_db"
+    (include "checkmate.fullname" .)
+    (include "checkmate.namespace" .)
+    (int .Values.mongodb.port) }}
+{{- else }}
+{{- fail "secrets.DB_CONNECTION_STRING must be set when mongodb.enabled is false (external MongoDB)" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Derive CLIENT_HOST (base URL of the frontend, used by the server for CORS).
+Priority: explicit secrets.CLIENT_HOST > Ingress host > first HTTPRoute hostname > fail.
+"change_me" is treated as unset so the auto-derivation still applies.
+*/}}
+{{- define "checkmate.clientHost" -}}
+{{- if and .Values.secrets.CLIENT_HOST (ne .Values.secrets.CLIENT_HOST "change_me") (ne .Values.secrets.CLIENT_HOST "") }}
+{{- .Values.secrets.CLIENT_HOST }}
+{{- else if .Values.client.ingress.enabled }}
+{{- printf "%s://%s" .Values.client.protocol .Values.client.ingress.host }}
+{{- else if and .Values.client.httproute.enabled .Values.client.httproute.hostnames }}
+{{- printf "%s://%s" .Values.client.protocol (first .Values.client.httproute.hostnames) }}
+{{- else }}
+{{- fail "secrets.CLIENT_HOST must be set when it cannot be auto-derived from client.ingress.host or client.httproute.hostnames" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Derive the server API base URL injected into the client container at runtime.
+Priority:
+  1. server.apiBaseURL explicit override (useful for local/port-forward access)
+  2. server Ingress host
+  3. first server HTTPRoute hostname
+  4. empty string — set server.apiBaseURL when no routing is configured
+*/}}
+{{- define "checkmate.serverAPIBaseURL" -}}
+{{- if and .Values.server.apiBaseURL (ne .Values.server.apiBaseURL "") }}
+{{- .Values.server.apiBaseURL }}
+{{- else if .Values.server.ingress.enabled }}
+{{- printf "%s://%s/api/v1" .Values.server.protocol .Values.server.ingress.host }}
+{{- else if and .Values.server.httproute.enabled .Values.server.httproute.hostnames }}
+{{- printf "%s://%s/api/v1" .Values.server.protocol (first .Values.server.httproute.hostnames) }}
+{{- else }}
+{{- "" }}
+{{- end }}
+{{- end }}
+
+{{/*
+TLS Secret name for the client Ingress.
+Defaults to "<release>-client-tls" when tls.secretName is not specified.
+*/}}
+{{- define "checkmate.clientIngressTLSSecretName" -}}
+{{- default (printf "%s-client-tls" .Release.Name) .Values.client.ingress.tls.secretName }}
+{{- end }}
+
+{{/*
+TLS Secret name for the server Ingress.
+Defaults to "<release>-server-tls" when tls.secretName is not specified.
+*/}}
+{{- define "checkmate.serverIngressTLSSecretName" -}}
+{{- default (printf "%s-server-tls" .Release.Name) .Values.server.ingress.tls.secretName }}
+{{- end }}
+
+{{/*
+MongoDB PVC size — new mongodb.persistence.size location wins; legacy persistence.mongo.size
+overrides it when non-empty (backward compatibility with chart v0.1.x).
+*/}}
+{{- define "checkmate.mongodbPVCSize" -}}
+{{- if .Values.persistence.mongo.size }}
+{{- .Values.persistence.mongo.size }}
+{{- else }}
+{{- .Values.mongodb.persistence.size }}
+{{- end }}
+{{- end }}
+
+{{/*
+MongoDB PVC storageClass — legacy persistence.mongo.storageClass overrides when non-empty.
+*/}}
+{{- define "checkmate.mongodbStorageClass" -}}
+{{- if .Values.persistence.mongo.storageClass }}
+{{- .Values.persistence.mongo.storageClass }}
+{{- else }}
+{{- .Values.mongodb.persistence.storageClass }}
+{{- end }}
+{{- end }}
+
+{{/*
+Redis PVC size — legacy persistence.redis.size overrides when non-empty.
+*/}}
+{{- define "checkmate.redisPVCSize" -}}
+{{- if .Values.persistence.redis.size }}
+{{- .Values.persistence.redis.size }}
+{{- else }}
+{{- .Values.redis.persistence.size }}
+{{- end }}
+{{- end }}
+
+{{/*
+Redis PVC storageClass — legacy persistence.redis.storageClass overrides when non-empty.
+*/}}
+{{- define "checkmate.redisStorageClass" -}}
+{{- if .Values.persistence.redis.storageClass }}
+{{- .Values.persistence.redis.storageClass }}
+{{- else }}
+{{- .Values.redis.persistence.storageClass }}
+{{- end }}
+{{- end }}