chore: add default resources, auth/encryption config, and improve docs #88

Merged
brendan-kellam merged 3 commits into main from chore/chart-defaults-and-docs
Apr 8, 2026

brendan-kellam commented Apr 8, 2026

Summary

  • Add default resource requests/limits for all components (Sourcebot: 2 CPU/4Gi, PostgreSQL: 2 CPU/4Gi, Redis: 1 CPU/1.5Gi)
  • Add sourcebot.authSecret and sourcebot.encryptionKey fields to values.yaml, supporting both direct values and existing secret references
  • Fix PostgreSQL secretKeys defaults to match Bitnami-generated key names, fixing helm upgrade failures
  • Fix Redis subchart key from master to primary to match Bitnami Valkey chart (resources were not being applied)
  • Move sourcebot config to standalone config.json with --set-json for schema validation and syntax highlighting
  • Rewrite README with installation steps, persistence docs, sizing guidance, and examples
  • Add CONTRIBUTING.md with local development workflow and minikube setup

Test plan

  • Deploy minimal installation example to a fresh cluster
  • Verify resource requests/limits are applied to all pods (kubectl describe pod)
  • Verify authSecret and encryptionKey are injected as env vars
  • Test helm upgrade succeeds without secretKeys errors
  • Validate chart with helm lint and helm template

Fixes #36

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Configurable resource requests and limits for all application components (app, database, and cache).
    • New authentication secret and encryption key configuration options supporting direct values or secret references.
  • Bug Fixes

    • Corrected database credential key naming to resolve Helm upgrade failures.
    • Fixed resource configuration mapping for database and cache services.
  • Documentation

    • Added CHANGELOG documenting project changes and versioning.
    • Added contribution guidelines for local development setup.
    • Expanded installation and configuration documentation with improved examples.

- Add default resource requests/limits for Sourcebot (2 CPU/4Gi),
  PostgreSQL (2 CPU/4Gi), and Redis (1 CPU/1.5Gi)
- Add sourcebot.authSecret and sourcebot.encryptionKey fields to
  values.yaml so users can configure secrets directly or via
  existing secret references
- Fix PostgreSQL secretKeys defaults to match Bitnami-generated
  key names (password/postgres-password), fixing upgrade failures
- Fix Redis subchart key from master to primary to match Bitnami
  Valkey chart
- Move sourcebot config to standalone config.json with --set-json
- Update values schema with explicit resources properties
- Rewrite README with installation steps, persistence section,
  sizing guidance, and examples
- Add CONTRIBUTING.md with local dev workflow

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

coderabbitai bot commented Apr 8, 2026

Walkthrough

Adds project docs (CHANGELOG, CONTRIBUTING), moves Sourcebot runtime config to a separate JSON file, introduces authSecret and encryptionKey values with secret-or-value support, adds explicit CPU/memory requests/limits for Sourcebot/Postgres/Redis, and updates examples to use config.json and consolidated secrets.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Project docs: CHANGELOG.md, CONTRIBUTING.md | Add changelog (Keep a Changelog + SemVer) and a CONTRIBUTING guide with local Helm development, dependency build, deployment, validation, and doc generation steps. |
| Repository README: README.md | Rewrite install/config guidance to a two-file workflow (config.json + values.yaml), update Helm commands to use --set-json for sourcebot.config, expand env/secret configuration docs, and reorganize persistence and sizing sections with per-component defaults and examples. |
| Chart docs & schema: charts/sourcebot/README.md, charts/sourcebot/values.schema.json | Document and schema-add sourcebot.authSecret and sourcebot.encryptionKey; change default Postgres secret key names (postgresql-password → postgres-password/password); add request/limit fields for sourcebot, postgresql.primary, and redis.primary. |
| Chart values: charts/sourcebot/values.yaml | Introduce sourcebot.authSecret and sourcebot.encryptionKey (support value or existingSecret/existingSecretKey), replace sourcebot.resources with explicit requests/limits, add postgresql.primary.resources and redis.primary.resources, update Postgres secret key defaults. |
| Chart template: charts/sourcebot/templates/deployment.yaml | Conditionally inject AUTH_SECRET and SOURCEBOT_ENCRYPTION_KEY env vars when sourcebot.authSecret or sourcebot.encryptionKey (value or existingSecret) are set, using sourcebot.getValueOrSecret. |
| Examples: examples/minimal-installation/*, examples/minimal-installation/config.json | Add config.json with connection example; update example secrets to use authSecret/encryptionKey keys in sourcebot-secrets; update example values.yaml and README to reference config.json and to use existingSecret/existingSecretKey for secrets. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately summarizes the main changes: adding default resources, auth/encryption configuration, and documentation improvements. It directly reflects the primary objectives. |
| Linked Issues check | ✅ Passed | The PR successfully addresses issue #36 by moving Sourcebot configuration from embedded YAML to a standalone config.json file and updating all examples and documentation accordingly. |
| Out of Scope Changes check | ✅ Passed | All changes align with the PR objectives: resource defaults, auth/encryption config fields, PostgreSQL/Redis key fixes, documentation rewrites, and JSON configuration migration as per issue #36. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

github-actions bot commented Apr 8, 2026

Helm Unit Test Results

11 tests  ±0   11 ✅ ±0   0s ⏱️ ±0s
 1 suites ±0    0 💤 ±0 
 1 files   ±0    0 ❌ ±0 

Results for commit 0ad6f53. ± Comparison against base commit 9c1ebf1.

♻️ This comment has been updated with latest results.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 6

🧹 Nitpick comments (2)
examples/minimal-installation/secrets.yaml (1)

9-10: Good move to placeholders for app secrets; consider extending this to DB/Redis too.

For consistency and safer copy/paste defaults, replace literal password values in the same secret with placeholders and generation instructions as well.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@examples/minimal-installation/secrets.yaml` around lines 9 - 10, The file
currently uses explicit placeholders for authSecret and encryptionKey; do the
same for any database/redis password entries by replacing literal "password"
values with descriptive placeholders (e.g., dbPassword / redisPassword) and add
generation instructions (for example `openssl rand -base64 ...`) next to them so
they match authSecret and encryptionKey style; update the secret names/keys
where the plain "password" appears and ensure the comment shows how to generate
a secure value.

README.md (1)

95-128: Clarify that these resource values are already the defaults.

The text states "By default, the chart will run with the minimum resources" and implies users should adjust for production, but the values shown (2 CPU/4Gi for Sourcebot and PostgreSQL, 1 CPU/1.5Gi for Redis) are already the defaults in values.yaml. Consider rewording to clarify these are the current defaults or provide different recommendations for scaling up/down.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@README.md` around lines 95 - 128, The README wording is ambiguous about
whether the shown resource blocks are defaults; update the Sizing paragraph to
state that the shown values under sourcebot.resources,
postgresql.primary.resources, and redis.primary.resources are the current
defaults in values.yaml and then add a short recommendation sentence on when to
increase them for production (e.g., high traffic or large datasets). Modify the
text to explicitly say "These values are the defaults in values.yaml" and keep
the example YAML as-is.

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@charts/sourcebot/values.schema.json`:
- Around line 66-71: The authSecret and encryptionKey schemas are currently
unconstrained objects, allowing missing or invalid keys (like existingSecretKey)
to pass validation and break secret injection logic; update both authSecret and
encryptionKey to explicit object schemas that require a string existingSecretKey
(and optionally allow an enum of permitted keys or an optional
secretName/namespace strings if used by deployment logic), e.g., replace
"type":"object" with an object schema that includes "type":"object",
"required":["existingSecretKey"], and
"properties":{"existingSecretKey":{"type":"string"},
"secretName":{"type":"string"}, "secretNamespace":{"type":"string"}} so the
chart validator ensures the keys the deployment template expects are present and
correctly typed.

In `@charts/sourcebot/values.yaml`:
- Around line 41-57: The values.yaml defines authSecret and encryptionKey but
the deployment templates don’t validate them; update the Helm templates that set
env vars (the same places where postgresql.auth.password and redis.auth.password
use the required() function) to call required() for authSecret.value /
authSecret.existingSecret and encryptionKey.value / encryptionKey.existingSecret
so install fails if neither a value nor an existingSecret is provided; ensure
the error messages reference AUTH_SECRET and SOURCEBOT_ENCRYPTION_KEY (the
existingSecretKey names) so the required() calls make clear which secret is
missing.

In `@README.md`:
- Around line 137-150: The README's example uses a jsonc fence with a leading
comment line ("// config.json") which makes the snippet invalid JSON for tools
like --set-json; update the fenced block to use ```json (not ```jsonc) and
remove the comment line so the object starts with {, preserving the existing
keys like "$schema" and "connections" in the snippet; ensure the snippet
beginning contains only valid JSON (no // comment) so it can be consumed by JSON
parsers/tools.
- Line 307: The heading "### Configuring a ingress" has a grammatical error;
update the text to "### Configuring an ingress" by editing the README heading
string so it uses "an" instead of "a" (locate the heading titled "Configuring a
ingress" and correct the article).
- Line 18: Update the README line that reads "See the [minimal installation
example](./examples/minimal-installation/) for a example deployment." to fix the
grammar by replacing "a example" with "an example" so it reads "See the [minimal
installation example](./examples/minimal-installation/) for an example
deployment."
- Around line 22-35: The README's config.json example is written as a jsonc
block (with comments) which will break standard JSON parsers and Helm's
--set-json; replace the jsonc example with a plain JSON code block (change the
fence language from jsonc to json) and remove any comments so the snippet is
valid JSON, and add a one-line note near the "Create a config.json" step stating
that the file must be valid JSON (no comments) before running --set-json or Helm
commands; reference the example snippet shown under the "Create a config.json"
section and the fenced code block language to locate where to change.

ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between 9c1ebf1 and eceb197.

📒 Files selected for processing (11)
  • CHANGELOG.md
  • CONTRIBUTING.md
  • README.md
  • charts/sourcebot/README.md
  • charts/sourcebot/templates/deployment.yaml
  • charts/sourcebot/values.schema.json
  • charts/sourcebot/values.yaml
  • examples/minimal-installation/README.md
  • examples/minimal-installation/config.json
  • examples/minimal-installation/secrets.yaml
  • examples/minimal-installation/values.yaml
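
One way to run the value-or-secret check raised in the review before `helm install`, as an added Python example (not code from this PR or the chart). The `value` / `existingSecret` / `existingSecretKey` fields and the `AUTH_SECRET` / `SOURCEBOT_ENCRYPTION_KEY` names come from the discussion above; the resolution rules, function names and the constructed sample are assumptions.

```python
# Field and env var names come from the PR text; the resolution rules are an
# assumption for illustration, not the chart's sourcebot.getValueOrSecret helper.
ENV_FOR_FIELD = {"authSecret": "AUTH_SECRET", "encryptionKey": "SOURCEBOT_ENCRYPTION_KEY"}

# Constructed sample: one secret reference, one field left empty.
SAMPLE_VALUES = {
    "sourcebot": {
        "authSecret": {"existingSecret": "sourcebot-secrets",
                       "existingSecretKey": "authSecret"},
        "encryptionKey": {},
    }
}


def resolve_secret_field(field, spec):
    """Return (env_entry_or_None, findings) for one sourcebot.<field> block."""
    if not isinstance(spec, dict):
        return None, [f"{field}: must be an object"]
    keys = ("value", "existingSecret", "existingSecretKey")
    bad = [k for k in keys if k in spec and not isinstance(spec[k], str)]
    if bad:
        return None, [f"{field}.{k}: must be a string" for k in bad]
    value, secret, secret_key = (spec.get(k, "") for k in keys)
    env_name = ENV_FOR_FIELD[field]
    if value and secret:
        return None, [f"{field}: set value or existingSecret, not both"]
    if secret and not secret_key:
        return None, [f"{field}: existingSecret set without existingSecretKey"]
    if secret:
        ref = {"secretKeyRef": {"name": secret, "key": secret_key}}
        return {"name": env_name, "valueFrom": ref}, []
    if value:
        # An inline value sits in plain text in the values file: flag, don't block.
        return ({"name": env_name, "value": value},
                [f"{field}: inline value used; prefer existingSecret"])
    return None, [f"{field}: {env_name} has no value and no existingSecret"]


def check_values(values):
    """Check both fields of a parsed values dict; return (env, findings)."""
    sourcebot = values.get("sourcebot") or {}
    env, findings = [], []
    for field in ENV_FOR_FIELD:
        entry, notes = resolve_secret_field(field, sourcebot.get(field, {}))
        if entry:
            env.append(entry)
        findings.extend(notes)
    return env, findings
```

An empty findings list means both env vars resolve to a secret reference; any entry naming a missing or incomplete field is a reason to stop before deploying.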

brendan-kellam merged commit 6e710de into main Apr 8, 2026
6 checks passed
brendan-kellam deleted the chore/chart-defaults-and-docs branch April 8, 2026 23:56

Development

Successfully merging this pull request may close these issues.

Change usage examples to use JSON config instead of YAML
