chore(helm): move REST charts from rest-api/helm to helm/rest (#1755)

.github/workflows/ci.yaml

@@ -60,6 +60,7 @@ jobs:
               - '**'
               - '!rest-api/**'
               - '!.github/workflows/rest-*.yml'
+              - '!helm/rest/**'
 
       - name: Decide whether Core CI should run
         id: gate

.github/workflows/rest-ci.yml

@@ -38,6 +38,7 @@ jobs:
             rest_api:
               - 'rest-api/**'
               - '.github/workflows/rest-*.yml'
+              - 'helm/rest/**'
 
       - name: Decide whether REST CI should run
         id: gate

.github/workflows/rest-helm-workflows.yml

@@ -26,9 +26,9 @@ jobs:
     strategy:
       matrix:
         include:
-          - chart: rest-api/helm/charts/nico-rest
+          - chart: helm/rest/nico-rest
             valueOverrides: '["nico-rest-api.config.keycloak.enabled=true","nico-rest-api.config.keycloak.baseURL=http://keycloak:8082","nico-rest-api.config.keycloak.realm=test","nico-rest-api.config.keycloak.clientID=test"]'
-          - chart: rest-api/helm/charts/nico-rest-site-agent
+          - chart: helm/rest/nico-rest-site-agent
             valueOverrides: '[]'
     steps:
       - name: Checkout code
@@ -51,8 +51,8 @@ jobs:
     strategy:
       matrix:
         chart:
-          - rest-api/helm/charts/nico-rest
-          - rest-api/helm/charts/nico-rest-site-agent
+          - helm/rest/nico-rest
+          - helm/rest/nico-rest-site-agent
     steps:
       - name: Checkout code
         uses: actions/checkout@v4

book/src/configuration/configurability.md

@@ -732,7 +732,7 @@ Temporal is deployed by `setup.sh` Phase 7f using the upstream Temporal
 helm chart with mTLS enabled. The mTLS issuer (`nico-rest-ca-issuer`) is
 installed in Phase 7b. Operators usually don't touch Temporal config
 directly; see the temporal subchart values in
-[`infra-controller-rest/helm/charts/temporal/values.yaml`](https://github.com/NVIDIA/ncx-infra-controller-rest)
+`rest-api/temporal-helm/temporal/values-kind.yaml`
 if you need to tune retention or task queue counts.
 
 ### Keycloak (dev IdP)
@@ -814,7 +814,7 @@ also re-applies operator-chart defaults that may not match your
 production tuning.
 
 For the REST stack the equivalent is `helm upgrade nico-rest …` against
-`infra-controller-rest/helm/charts/nico-rest`.
+`helm/rest/nico-rest`.
 
 See [`helm/README.md` → Upgrading](../../../helm/README.md#upgrading) for
 the diff-then-apply pattern.

docs/getting-started/installation-options/reference-install.md

@@ -256,7 +256,7 @@ kubectl exec -n temporal deploy/temporal-admintools -- \
 _ncx_docker_cfg="$(printf '{"auths":{"nvcr.io":{"username":"$oauthtoken","password":"%s"}}}' \
     "${REGISTRY_PULL_SECRET}" | base64 | tr -d '\n')"
 
-helm upgrade --install nico-rest "${NCX_REPO}/helm/charts/nico-rest" \
+helm upgrade --install nico-rest "${NCX_REPO}/../helm/rest/nico-rest" \
     --namespace nico-rest \
     -f values/ncx-rest.yaml \
     --set global.image.repository="${NCX_IMAGE_REGISTRY}" \
@@ -271,7 +271,7 @@ The deployment order is critical — do not skip steps.
 
 ```bash
 NCX_SITE_UUID="${NCX_SITE_UUID:-a1b2c3d4-e5f6-4000-8000-000000000001}"
-NCX_SITE_AGENT_CHART="${NCX_REPO}/helm/charts/nico-rest-site-agent"
+NCX_SITE_AGENT_CHART="${NCX_REPO}/../helm/rest/nico-rest-site-agent"
 
 # Step 1 - pre-apply the gRPC client cert so it exists before the pod starts
 helm template nico-rest-site-agent "${NCX_SITE_AGENT_CHART}" \

docs/getting-started/quick-start.md

@@ -335,7 +335,7 @@ vault                      (hashicorp/vault 0.25.0, 3-node HA Raft, TLS)
 external-secrets           (external-secrets/external-secrets 0.14.3)
 nico-prereqs            (this Helm chart - nico-system namespace)
 NCX Core                   (../helm - ncx-core.yaml values)
-NCX REST                   (ncx-infra-controller-rest/helm/charts/nico-rest)
+NCX REST                   (../helm/rest/nico-rest)
   ├── nico-rest-ca-issuer ClusterIssuer (cert-manager.io)
   ├── postgres StatefulSet  (temporal + keycloak + NCX databases)
   ├── keycloak              (dev OIDC IdP, nico-dev realm)

helm-prereqs/README.md

@@ -212,7 +212,7 @@ NICo Core      (../helm - nico-core.yaml values)
   ├── nico-pxe              (Deployment - HTTP PXE boot)
   ├── nico-ssh-console-rs   (Deployment - SSH console proxy)
   └── unbound               (Deployment - .forge zone DNS, opt-in)
-NICo REST      (infra-controller-rest/helm/charts/nico-rest)
+NICo REST      (../helm/rest/nico-rest)
   ├── nico-rest-ca-issuer ClusterIssuer (cert-manager.io)
   ├── postgres StatefulSet  (temporal + keycloak + NICo databases)
   ├── keycloak              (dev OIDC IdP, nico-dev realm)

helm-prereqs/preflight.sh

@@ -31,7 +31,7 @@
 #   6. MetalLB BGPPeer nodes    — hostnames in config exist in the cluster
 #   7. Per-node checks          — kernel params (sysctl) and DNS on every node
 #   8. Registry connectivity    — registry host is reachable over HTTPS
-#   9. NICo REST repo            — found locally or offer to clone from GitHub
+#   9. NICo REST source/charts   — in-tree rest-api/ and helm/rest/ are present
 #
 # Configurable:
 #   PREFLIGHT_CHECK_IMAGE — image used for per-node pod checks (default: busybox:1.36)
@@ -674,24 +674,32 @@ if [[ -n "${NICO_IMAGE_REGISTRY:-}" ]] && command -v curl &>/dev/null; then
 fi
 
 # ---------------------------------------------------------------------------
-# 9. NICo REST source tree (in-tree at ../rest-api)
+# 9. NICo REST source tree and Helm charts (in-tree)
 #
 # The REST stack lives in this repo under rest-api/. No separate clone is
 # supported any more; the legacy NICO_REST_REPO / NICO_REPO env vars and the
 # sibling-directory fallbacks were removed once rest-api/ became part of
-# core. If rest-api/ is missing the checkout is broken — error out so the
-# user fixes it rather than installing a half-stack.
+# core. The REST Helm charts live under helm/rest/. If either path is missing,
+# the checkout is broken — error out so the user fixes it rather than
+# installing a half-stack.
 # ---------------------------------------------------------------------------
 NICO_REST_DIR=""
+NICO_REST_HELM_DIR=""
 _NICO_REST_ENABLED=true
 [[ "${SKIP_REST:-false}" == "true" ]] && _NICO_REST_ENABLED=false
 
 if ${_NICO_REST_ENABLED}; then
     _NICO_REST_CANDIDATE="${SCRIPT_DIR}/../rest-api"
-    if [[ -d "${_NICO_REST_CANDIDATE}/helm/charts/nico-rest" ]]; then
+    _NICO_REST_HELM_CANDIDATE="${SCRIPT_DIR}/../helm/rest"
+    if [[ -d "${_NICO_REST_CANDIDATE}" ]]; then
         NICO_REST_DIR="$(cd "${_NICO_REST_CANDIDATE}" && pwd)"
     else
-        ERRORS+=("rest-api/ not found at ${_NICO_REST_CANDIDATE} (or missing helm/charts/nico-rest under it) — check out the full core repo, or pass --skip-rest if you only need the infra prereqs.")
+        ERRORS+=("rest-api/ not found at ${_NICO_REST_CANDIDATE} — check out the full core repo, or pass --skip-rest if you only need the infra prereqs.")
+    fi
+    if [[ -d "${_NICO_REST_HELM_CANDIDATE}/nico-rest" && -d "${_NICO_REST_HELM_CANDIDATE}/nico-rest-site-agent" ]]; then
+        NICO_REST_HELM_DIR="$(cd "${_NICO_REST_HELM_CANDIDATE}" && pwd)"
+    else
+        ERRORS+=("REST Helm charts not found under ${_NICO_REST_HELM_CANDIDATE} — expected nico-rest and nico-rest-site-agent charts.")
     fi
 fi
 
@@ -702,7 +710,7 @@ _print_separator() { echo "-----------------------------------------------------
 
 if [[ ${#ERRORS[@]} -eq 0 && ${#WARNINGS[@]} -eq 0 ]]; then
     if ${_NICO_REST_ENABLED}; then
-        echo "Pre-flight OK  (NICo REST source: ${NICO_REST_DIR})"
+        echo "Pre-flight OK  (NICo REST source: ${NICO_REST_DIR}, charts: ${NICO_REST_HELM_DIR})"
     else
         echo "Pre-flight OK  (NICo REST skipped)"
     fi

helm-prereqs/setup.sh

@@ -115,7 +115,8 @@ done
 
 # ---------------------------------------------------------------------------
 # Pre-flight checks — env vars, tools, config files. Resolves NICO_REST_DIR
-# (in-tree rest-api/). Exits 1 if user declines to continue.
+# (in-tree rest-api/) and NICO_REST_HELM_DIR (in-tree helm/rest/). Exits 1 if
+# user declines to continue.
 # ---------------------------------------------------------------------------
 export AUTO_YES SKIP_CORE SKIP_REST SKIP_FLOW
 # shellcheck source=preflight.sh
@@ -534,15 +535,21 @@ if "${SKIP_REST}"; then
     exit 0
 fi
 
-# --- 7a. NICo REST source tree (in-tree at ../rest-api) --------------------------
-# preflight.sh resolves and validates rest-api/ in this repo into NICO_REST_DIR.
+# --- 7a. NICo REST source tree and Helm charts (in-tree) -------------------------
+# preflight.sh resolves and validates rest-api/ into NICO_REST_DIR and
+# helm/rest/ into NICO_REST_HELM_DIR.
 # If it didn't, preflight already errored out — guard the consumer side too in
 # case someone sources setup.sh without going through preflight.
 if [[ -z "${NICO_REST_DIR:-}" ]]; then
-    echo "ERROR: NICO_REST_DIR is unset — preflight didn't resolve rest-api/. Make sure your checkout contains rest-api/helm/charts/nico-rest."
+    echo "ERROR: NICO_REST_DIR is unset — preflight didn't resolve rest-api/. Make sure your checkout contains rest-api/."
+    exit 1
+fi
+if [[ -z "${NICO_REST_HELM_DIR:-}" ]]; then
+    echo "ERROR: NICO_REST_HELM_DIR is unset — preflight didn't resolve helm/rest/. Make sure your checkout contains helm/rest/nico-rest and helm/rest/nico-rest-site-agent."
     exit 1
 fi
 echo "NICo REST source: ${NICO_REST_DIR}"
+echo "NICo REST charts: ${NICO_REST_HELM_DIR}"
 
 # Create NICo REST namespace
 kubectl create namespace nico-rest 2>/dev/null || true
@@ -633,7 +640,7 @@ echo "Temporal namespaces ready"
 
 _SETUP_PHASE="[7g/7] NICo REST helm chart"
 # --- 7g. NICo REST helm chart -------------------------------------------------
-NICO_HELM_CHART="${NICO_REST_DIR}/helm/charts/nico-rest"
+NICO_HELM_CHART="${NICO_REST_HELM_DIR}/nico-rest"
 NICO_REST_CMD=(
     helm upgrade --install nico-rest "${NICO_HELM_CHART}"
     --namespace nico-rest
@@ -701,7 +708,7 @@ fi
 #
 # The site-agent binary also needs DB credentials for its local elektratest DB.
 # All of this is wired via --set flags so nico-rest.yaml stays registry-agnostic.
-NICO_SITE_AGENT_CHART="${NICO_REST_DIR}/helm/charts/nico-rest-site-agent"
+NICO_SITE_AGENT_CHART="${NICO_REST_HELM_DIR}/nico-rest-site-agent"
 
 # Stable placeholder UUID for this site (must be a valid UUID).
 NICO_SITE_UUID="${NICO_SITE_UUID:-a1b2c3d4-e5f6-4000-8000-000000000001}"

helm/.helmignore

@@ -4,3 +4,6 @@
 .helmignore
 *.md
 examples/
+# Standalone REST charts live under helm/rest/ but are published separately
+# (see rest-helm-workflows.yml), not bundled into the nico umbrella chart.
+rest/

rest-api/helm/README.md → helm/rest/README.md

@@ -6,8 +6,8 @@ Helm charts for deploying the NICo REST API platform services.
 
 | Chart | Path | Description |
 |-------|------|-------------|
-| `nico-rest` | `charts/nico-rest/` | Umbrella chart (api + workflow + site-manager + db) |
-| `nico-rest-site-agent` | `charts/nico-rest-site-agent/` | Site agent (deployed independently per-site) |
+| `nico-rest` | `nico-rest/` | Umbrella chart (api + workflow + site-manager + db) |
+| `nico-rest-site-agent` | `nico-rest-site-agent/` | Site agent (deployed independently per-site) |
 
 ### Umbrella Sub-Charts
 
@@ -41,7 +41,7 @@ The API requires exactly **one** authentication method. Keycloak and JWT issuers
 ### Option A: JWT Issuers (any OpenID Connect provider)
 
 ```bash
-helm upgrade --install nico-rest charts/nico-rest/ \
+helm upgrade --install nico-rest nico-rest/ \
   --namespace $NS --create-namespace \
   --set global.image.repository=$REPO \
   --set global.image.tag=$TAG \
@@ -60,12 +60,12 @@ nico-rest-api:
         issuer: "my-idp.example.com"
 ```
 
-See [auth documentation](../auth/README.md) for full issuer configuration options.
+See [auth documentation](../../rest-api/auth/README.md) for full issuer configuration options.
 
 ### Option B: Keycloak
 
 ```bash
-helm upgrade --install nico-rest charts/nico-rest/ \
+helm upgrade --install nico-rest nico-rest/ \
   --namespace $NS --create-namespace \
   --set global.image.repository=$REPO \
   --set global.image.tag=$TAG \
@@ -102,7 +102,7 @@ REPO=nvcr.io/0837451325059433/carbide-dev
 TAG=latest
 NS=nico-rest
 
-helm upgrade --install nico-rest charts/nico-rest/ \
+helm upgrade --install nico-rest nico-rest/ \
   --namespace $NS --create-namespace \
   --set global.image.repository=$REPO \
   --set global.image.tag=$TAG \
@@ -115,13 +115,13 @@ Site agent requires a registered site (UUID + OTP). The chart must be installed
 
 ```bash
 # 1. Install chart
-helm upgrade --install nico-rest-site-agent charts/nico-rest-site-agent/ \
+helm upgrade --install nico-rest-site-agent nico-rest-site-agent/ \
   --namespace $NS \
   --set global.image.repository=$REPO \
   --set global.image.tag=$TAG || true
 
 # 2. Bootstrap site registration (creates site via API, patches ConfigMap/Secret)
-./scripts/setup-local.sh site-agent
+../../rest-api/scripts/setup-local.sh site-agent
 
 # 3. Site agent will stabilize after bootstrap
 kubectl -n $NS rollout status statefulset/nico-rest-site-agent --timeout=120s

rest-api/helm/charts/nico-rest/templates/NOTES.txt → helm/rest/nico-rest/templates/NOTES.txt

@@ -37,4 +37,4 @@ Prerequisites (must exist before install):
 
 Site Agent:
   Site agent is deployed as a separate chart (nico-rest-site-agent).
-  See helm/charts/nico-rest-site-agent/ for details.
+  See helm/rest/nico-rest-site-agent/ for details.

rest-api/Makefile

@@ -22,8 +22,8 @@ POSTGRES_DB := nicotest
 POSTGRES_IMAGE := postgres:14.4-alpine
 
 # Helm chart configuration (for kind-reset-helm / helm-* targets)
-UMBRELLA_CHART := helm/charts/nico-rest
-SITE_AGENT_CHART := helm/charts/nico-rest-site-agent
+UMBRELLA_CHART := ../helm/rest/nico-rest
+SITE_AGENT_CHART := ../helm/rest/nico-rest-site-agent
 
 HELM_SET := --set global.image.repository=$(IMAGE_REGISTRY) \
 	--set global.image.tag=$(IMAGE_TAG) \