HYPERFLEET-1121 - feat: add safe-to-evict annotation to maestro agent/db/mqtt pods #50

Merged
openshift-merge-bot[bot] merged 1 commit into openshift-hyperfleet:main from kuudori:HYPERFLEET-1121
Jun 16, 2026

@kuudori kuudori commented Jun 11, 2026

Contributor

Summary

Verification

Tested locally on kind cluster with upstream PR branch — all three deployments render the annotation:

maestro-agent: {"cluster-autoscaler.kubernetes.io/safe-to-evict":"false"}
maestro-db: {"cluster-autoscaler.kubernetes.io/safe-to-evict":"false"}
maestro-mqtt: {"cluster-autoscaler.kubernetes.io/safe-to-evict":"false"}

Test plan

openshift-ci Bot commented Jun 11, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

coderabbitai Bot commented Jun 11, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 143f281d-8073-4e90-80c8-1f3ed5674f2f

📥 Commits

Reviewing files that changed from the base of the PR and between b155e8c and f476b6b.

📒 Files selected for processing (2)
  • helm/maestro/Chart.yaml
  • helm/maestro/values.yaml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)
✅ Files skipped from review due to trivial changes (1)
  • helm/maestro/Chart.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • helm/maestro/values.yaml

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Bumped Helm chart version to 0.1.1, aligning umbrella chart and subcharts.
    • Added pod eviction protection for PostgreSQL, message broker, and agent components to enhance cluster stability.

Walkthrough

The umbrella Helm chart helm/maestro/Chart.yaml is bumped from 0.1.0 to 0.1.1, with both maestro-server and maestro-agent subchart dependency versions updated to match. In helm/maestro/values.yaml, podAnnotations with cluster-autoscaler.kubernetes.io/safe-to-evict: "false" are added to the postgresql, mosquitto, and agent component configurations.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately reflects the main change: adding safe-to-evict annotations to maestro agent, database, and MQTT pods, with version bump to support the feature. |
| Description check | ✅ Passed | The description is directly related to the changeset, explaining the annotation addition, version bumps, and providing verification steps and test plan. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Sec-02: Secrets In Log Output | ✅ Passed | PR modifies only YAML Helm configuration files with no log statements containing secrets, tokens, passwords, or credentials. |
| No Hardcoded Secrets | ✅ Passed | No hardcoded secrets detected. The placeholder 'maestro-password' is a development/demo example value with explicit documentation, not a real credential or secrets introduction in this PR. |
| No Weak Cryptography | ✅ Passed | Helm chart YAML configuration changes contain no cryptographic primitives, custom crypto implementations, or weak cipher usage. No MD5, DES, RC4, SHA1, or non-constant-time comparisons detected. |
| No Injection Vectors | ✅ Passed | No injection vectors detected. Changes are hardcoded Helm YAML values for Kubernetes annotations (cluster-autoscaler.kubernetes.io/safe-to-evict: "false"); no dynamic queries, command execution, te... |
| No Privileged Containers | ✅ Passed | No privileged container declarations found. Changes add safe-to-evict pod annotations and update Helm chart/dependency versions only. |
| No Pii Or Sensitive Data In Logs | ✅ Passed | PR contains only Helm YAML configuration changes (Chart.yaml, values.yaml). No logging statements (fmt.Print*, slog, logr, zap, log) present; therefore no PII/sensitive data exposed via logs. |

@kuudori kuudori marked this pull request as ready for review June 16, 2026 17:37
@openshift-ci openshift-ci Bot requested review from ciaranRoche and ldornele June 16, 2026 17:37

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@helm/maestro/Chart.yaml`:
- Around line 10-15: The Chart.yaml file uses `ref=main` for both the
maestro-server and maestro-agent chart repository references, which are mutable
branch references creating supply chain risk. Replace `ref=main` with the
immutable commit SHA or tag that corresponds to chart version 0.1.1 for both the
maestro-server repository (currently at line 11) and the maestro-agent
repository (currently at line 15). Additionally, create or update a Chart.lock
file to record the resolved immutable digests and dependencies, ensuring
reproducible and deterministic Helm chart deployments.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 87a86a77-b079-4c76-9508-3ec31180fc57

📥 Commits

Reviewing files that changed from the base of the PR and between 9034fc3 and b155e8c.

📒 Files selected for processing (2)
  • helm/maestro/Chart.yaml
  • helm/maestro/values.yaml

Comment thread helm/maestro/Chart.yaml
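
The pinning check this review asks for, as an added example that is not part of the PR or the project's code: a stdlib-only Python scan of a Chart.yaml for dependency `repository:` URLs whose `ref=` value is not a full commit SHA. The sample chart and its URLs are constructed placeholders, and the check is stricter than the review's "SHA or tag" because a git tag can be moved after publication.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample, not the project's real Chart.yaml; URLs are placeholders.
SAMPLE_CHART = """\
apiVersion: v2
name: maestro
version: 0.1.1
dependencies:
  - name: maestro-server
    version: 0.1.1
    repository: git+https://example.invalid/org/maestro@charts/maestro-server?ref=main
  - name: maestro-agent
    version: 0.1.1
    repository: "git+https://example.invalid/org/maestro@charts/maestro-agent?ref=0123456789abcdef0123456789abcdef01234567"
  - name: other
    version: 1.0.0
    repository: https://example.invalid/charts
"""

FULL_SHA = re.compile(r"[0-9a-f]{40}")  # only a full commit SHA counts as pinned
REPO_LINE = re.compile(r"^\s*(?:-\s*)?repository:\s*(.+?)\s*$")


def mutable_refs(chart_text):
    """Return (line_no, ref) for each repository URL whose ref= is not a full SHA."""
    findings = []
    for line_no, line in enumerate(chart_text.splitlines(), 1):
        match = REPO_LINE.match(line)
        if not match:
            continue
        url = match.group(1).strip("'\"")
        refs = parse_qs(urlsplit(url).query).get("ref")
        if refs is None:
            continue  # no ref= parameter, so nothing to pin on this line
        if not FULL_SHA.fullmatch(refs[0]):
            findings.append((line_no, refs[0]))  # branch or tag name
    return findings


if __name__ == "__main__":
    for line_no, ref in mutable_refs(SAMPLE_CHART):
        print(f"Chart.yaml:{line_no}: ref={ref} is not a full commit SHA")
```

Run as a CI step, a non-empty result can fail the build before `helm dependency update` resolves a moving branch.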
@rafabene

Contributor

/lgtm

openshift-ci Bot commented Jun 16, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rafabene

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot Bot merged commit a96f995 into openshift-hyperfleet:main Jun 16, 2026
4 checks passed