tracebloc · saadqbal · Mar 5, 2026 · Mar 5, 2026 · Mar 5, 2026 · Mar 5, 2026
diff --git a/client/Chart.yaml b/client/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: client
 description: A unified Helm chart for tracebloc on AKS, EKS, bare-metal, and OpenShift
 type: application
-version: 1.0.1
-appVersion: "1.0.1"
+version: 1.0.2
+appVersion: "1.0.2"
 keywords:
   - tracebloc
   - kubernetes

diff --git a/client/templates/NOTES.txt b/client/templates/NOTES.txt
@@ -18,7 +18,7 @@
   {{ "\033[1;34m" }}Storage:{{ "\033[0m" }}          {{ "\033[0;33m" }}hostPath (bare-metal){{ "\033[0m" }}
   {{ "\033[1;34m" }}Host dirs:{{ "\033[0m" }}        {{ "\033[0;33m" }}/tracebloc/data, /tracebloc/logs, /tracebloc/mysql (on the node){{ "\033[0m" }}
 {{- else }}
-  {{ "\033[1;34m" }}Storage:{{ "\033[0m" }}          {{ "\033[0;33m" }}dynamic PVC ({{ .Values.storageClass.name }}){{ "\033[0m" }}
+  {{ "\033[1;34m" }}Storage:{{ "\033[0m" }}          {{ "\033[0;33m" }}dynamic PVC ({{ include "tracebloc.storageClassName" . }}){{ "\033[0m" }}
 {{- end }}
 {{- if .Values.openshift.scc.enabled }}
   {{ "\033[1;34m" }}OpenShift SCC:{{ "\033[0m" }}    {{ "\033[0;33m" }}tracebloc-resource-monitor-{{ .Release.Name }}{{ "\033[0m" }}

diff --git a/client/templates/_helpers.tpl b/client/templates/_helpers.tpl
@@ -69,6 +69,26 @@ mysql-pvc
 {{ .Release.Name }}-regcred
 {{- end }}
 
+{{/*
+  StorageClass name: when storageClass.create is true, use a release-unique name
+  so each release gets its own StorageClass (avoids Helm ownership conflicts).
+  When create is false, use the user-provided storageClass.name for an existing class.
+*/}}
+{{- define "tracebloc.storageClassName" -}}
+{{- if .Values.storageClass.create -}}
+{{ .Release.Name }}-storage-class
+{{- else -}}
+{{ .Values.storageClass.name }}
+{{- end -}}
+{{- end -}}
+
+{{/* Whether to create registry secret and add imagePullSecrets. Only when dockerRegistry is present and create is true; omit dockerRegistry or set create: false for public images. */}}
+{{- define "tracebloc.useImagePullSecrets" -}}
+{{- if and .Values.dockerRegistry (default false .Values.dockerRegistry.create) -}}
+true
+{{- end -}}
+{{- end }}
+
 {{/*
 Image reference — defaults to docker.io when no registry is provided.
 Tag defaults to "prod" when CLIENT_ENV is omitted or empty.

diff --git a/client/templates/docker-registry-secret.yaml b/client/templates/docker-registry-secret.yaml
@@ -1,3 +1,4 @@
+{{- if include "tracebloc.useImagePullSecrets" . }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -8,3 +9,4 @@ metadata:
 type: kubernetes.io/dockerconfigjson
 data:
   .dockerconfigjson: {{ template "imagePullSecret" . }}
+{{- end }}
diff --git a/client/templates/jobs-manager-deployment.yaml b/client/templates/jobs-manager-deployment.yaml
@@ -133,8 +133,10 @@ spec:
           value: {{ $value | quote }}
         {{- end }}
         {{- end }}
+      {{- if include "tracebloc.useImagePullSecrets" . }}
       imagePullSecrets:
       - name: {{ include "tracebloc.registrySecretName" . }}
+      {{- end }}
       volumes:
         - name: shared-volume
           persistentVolumeClaim:

diff --git a/client/templates/logs-pvc.yaml b/client/templates/logs-pvc.yaml
@@ -8,7 +8,7 @@ metadata:
   labels:
     {{- include "tracebloc.labels" . | nindent 4 }}
 spec:
-  storageClassName: {{ .Values.storageClass.name }}
+  storageClassName: {{ include "tracebloc.storageClassName" . }}
   capacity:
     storage: {{ $storage }}
   accessModes:
@@ -31,7 +31,7 @@ metadata:
   labels:
     {{- include "tracebloc.labels" . | nindent 4 }}
 spec:
-  storageClassName: {{ .Values.storageClass.name }}
+  storageClassName: {{ include "tracebloc.storageClassName" . }}
   accessModes:
     - {{ .Values.pvcAccessMode | default "ReadWriteMany" }}
   resources:

diff --git a/client/templates/mysql-deployment.yaml b/client/templates/mysql-deployment.yaml
@@ -75,8 +75,10 @@ spec:
           mountPath: /etc/mysql/conf.d/
         - name: mysql-logs
           mountPath: /var/log/mysql/
+      {{- if include "tracebloc.useImagePullSecrets" . }}
       imagePullSecrets:
       - name: {{ include "tracebloc.registrySecretName" . }}
+      {{- end }}
       volumes:
       - name: mysql-persistent-storage
         persistentVolumeClaim:

diff --git a/client/templates/mysql-storage-pvc.yaml b/client/templates/mysql-storage-pvc.yaml
@@ -8,7 +8,7 @@ metadata:
   labels:
     {{- include "tracebloc.labels" . | nindent 4 }}
 spec:
-  storageClassName: {{ .Values.storageClass.name }}
+  storageClassName: {{ include "tracebloc.storageClassName" . }}
   capacity:
     storage: {{ $storage }}
   accessModes:
@@ -31,7 +31,7 @@ metadata:
   labels:
     {{- include "tracebloc.labels" . | nindent 4 }}
 spec:
-  storageClassName: {{ .Values.storageClass.name }}
+  storageClassName: {{ include "tracebloc.storageClassName" . }}
   accessModes:
     - {{ .Values.pvcAccessMode | default "ReadWriteMany" }}
   resources:

diff --git a/client/templates/resource-monitor-daemonset.yaml b/client/templates/resource-monitor-daemonset.yaml
@@ -76,8 +76,10 @@ spec:
               cpu: 200m
               memory: 256Mi
       terminationGracePeriodSeconds: 15
+      {{- if include "tracebloc.useImagePullSecrets" . }}
       imagePullSecrets:
       - name: {{ include "tracebloc.registrySecretName" . }}
+      {{- end }}
       volumes:
         - name: host-proc
           hostPath:

diff --git a/client/templates/shared-images-pvc.yaml b/client/templates/shared-images-pvc.yaml
@@ -8,7 +8,7 @@ metadata:
   labels:
     {{- include "tracebloc.labels" . | nindent 4 }}
 spec:
-  storageClassName: {{ .Values.storageClass.name }}
+  storageClassName: {{ include "tracebloc.storageClassName" . }}
   capacity:
     storage: {{ $storage }}
   accessModes:
@@ -31,7 +31,7 @@ metadata:
   labels:
     {{- include "tracebloc.labels" . | nindent 4 }}
 spec:
-  storageClassName: {{ .Values.storageClass.name }}
+  storageClassName: {{ include "tracebloc.storageClassName" . }}
   accessModes:
     - {{ .Values.pvcAccessMode | default "ReadWriteMany" }}
   resources:

diff --git a/client/templates/storage-class.yaml b/client/templates/storage-class.yaml
@@ -2,7 +2,7 @@
 apiVersion: storage.k8s.io/v1
 kind: StorageClass
 metadata:
-  name: {{ .Values.storageClass.name }}
+  name: {{ include "tracebloc.storageClassName" . }}
   labels:
     {{- include "tracebloc.labels" . | nindent 4 }}
 provisioner: {{ required "storageClass.provisioner is required when storageClass.create is true" .Values.storageClass.provisioner }}

diff --git a/client/tests/secrets_test.yaml b/client/tests/secrets_test.yaml
@@ -25,10 +25,11 @@ tests:
           path: metadata.labels["app.kubernetes.io/managed-by"]
           pattern: Helm
 
-  - it: should create docker registry secret
+  - it: should create docker registry secret when create is true
     template: templates/docker-registry-secret.yaml
     set:
       dockerRegistry:
+        create: true
         server: https://index.docker.io/v1/
         username: testuser
         password: testpass
@@ -44,3 +45,24 @@ tests:
           value: kubernetes.io/dockerconfigjson
       - isNotEmpty:
           path: data[".dockerconfigjson"]
+
+  - it: should not create docker registry secret when create is omitted (default false)
+    template: templates/docker-registry-secret.yaml
+    set:
+      dockerRegistry:
+        server: https://index.docker.io/v1/
+        username: testuser
+        password: testpass
+        email: test@test.com
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should not create docker registry secret when dockerRegistry is omitted (public images)
+    template: templates/docker-registry-secret.yaml
+    values:
+      - values-public-images.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+
diff --git a/client/tests/values-public-images.yaml b/client/tests/values-public-images.yaml
@@ -0,0 +1,3 @@
+# Use this values file to test public images (no registry secret).
+# When dockerRegistry is null, no registry secret is created and no imagePullSecrets are added.
+dockerRegistry: null
diff --git a/client/values.schema.json b/client/values.schema.json
@@ -2,7 +2,7 @@
   "$schema": "https://json-schema.org/draft-07/schema#",
   "title": "Tracebloc Helm Chart Values",
   "type": "object",
-  "required": ["clientId", "clientPassword", "dockerRegistry"],
+  "required": ["clientId", "clientPassword"],
   "properties": {
     "env": {
       "type": "object",
@@ -156,9 +156,14 @@
       "description": "Client authentication password"
     },
     "dockerRegistry": {
-      "type": "object",
-      "required": ["server", "username", "password", "email"],
+      "type": ["object", "null"],
+      "description": "Optional. Omit entirely or set null for public images (no secret or imagePullSecrets). Only create when set and create is true.",
       "properties": {
+        "create": {
+          "type": "boolean",
+          "default": false,
+          "description": "When true, create registry secret and add imagePullSecrets to workloads. Omit dockerRegistry or set false for public images."
+        },
         "server": {
           "type": "string",
           "format": "uri"
@@ -172,7 +177,20 @@
         "email": {
           "type": "string"
         }
-      }
+      },
+      "allOf": [
+        {
+          "if": {
+            "properties": {
+              "create": { "const": true }
+            },
+            "required": ["create"]
+          },
+          "then": {
+            "required": ["server", "username", "password", "email"]
+          }
+        }
+      ]
     }
   }
 }
diff --git a/client/values.yaml b/client/values.yaml
@@ -25,10 +25,12 @@ env: {
   # RUNTIME_CLASS_NAME: ""
 }
 # -- StorageClass configuration
-# Set create: false to use an existing storage class
+# When create: true, the StorageClass name is release-unique (e.g. "<release-name>-storage-class")
+# so each release gets its own class and Helm ownership conflicts are avoided.
+# Set create: false to use an existing storage class; then name must match that class.
 storageClass:
   create: true
-  name: client-storage-class
+  name: client-storage-class  # only used when create: false
   provisioner: ""
   allowVolumeExpansion: true
   # Optional fields — omitted from rendered YAML when empty
@@ -71,10 +73,12 @@ openshift:
 clientId: "<CLIENT_ID>"
 clientPassword: "<CLIENT_PASSWORD>"
 
-# -- Docker registry credentials
-# Secret name is auto-generated as {{ .Release.Name }}-regcred
-dockerRegistry:
-  server: https://index.docker.io/v1/
-  username: "<DOCKER_USERNAME>"
-  password: "<DOCKER_REGISTRY_TOKEN>"
-  email: "<DOCKER_EMAIL>"
+# -- Docker registry credentials (optional; only used when dockerRegistry is set and create is true)
+# Omit dockerRegistry entirely, or set create: false, for public images (no imagePullSecrets).
+# When create is true, secret name is {{ .Release.Name }}-regcred.
+# dockerRegistry:
+#   create: true
+#   server: https://index.docker.io/v1/
+#   username: "<DOCKER_USERNAME>"
+#   password: "<DOCKER_REGISTRY_TOKEN>"
+#   email: "<DOCKER_EMAIL>"