Add subagent related files

[bigfluffycookie]

Part of OPS-3823

[linear]

OPS-3823 Add EKS support

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The Role and RoleBinding for subagents are always created, even when subagents are disabled (OPS_SUBAGENTS_ENABLED: "false"). Other optional features in this chart (e.g., externalSecrets, serviceMonitor, limitRange, networkPolicy) are wrapped in a conditional guard like {{- if .Values.<feature>.enabled }}. These templates should be similarly guarded — for example, wrap the entire file content with {{- if eq (index .Values.openopsEnv "OPS_SUBAGENTS_ENABLED") "true" }} ... {{- end }}, or better yet, add an enabled field to the subagents section in values.yaml and use it here. Without this, every installation gets RBAC resources for a feature they may not use.

[Copilot]

OPS_SUBAGENT_K8S_NAMESPACE is hardcoded to {{ .Release.Namespace }}, but the RBAC resources (Role/RoleBinding) in role-app-subagents.yaml and rolebinding-app-subagents.yaml use {{ .Values.subagents.namespace | default .Release.Namespace }}. If a user sets subagents.namespace to a different namespace, the app will still try to create pods in .Release.Namespace (per this env var), but the RBAC permissions will be granted in the custom namespace — a mismatch that will cause permission errors. This should use the same logic, e.g., '{{ .Values.subagents.namespace | default .Release.Namespace }}' to stay consistent with the RBAC templates.

Suggested change

	OPS_SUBAGENT_K8S_NAMESPACE: "{{ .Release.Namespace }}"
	OPS_SUBAGENT_K8S_NAMESPACE: '{{ .Values.subagents.namespace | default .Release.Namespace }}'

[Copilot]

Two issues with this default image reference:

1. Private ECR registry: The image URL 535002847982.dkr.ecr.us-east-2.amazonaws.com is a private AWS ECR registry. Other images in this chart use the configurable image.repository (defaulting to public.ecr.aws/openops) or component-level repository overrides. External users won't be able to pull this image without ECR credentials. Consider following the chart's image repository convention or using the public registry as default.

2. Mutable :main tag: All other component images in this chart use pinned, immutable version tags (e.g., "0.2.17", "0.14.6", "18.1", or global.version). The chart's schema describes its purpose as ensuring "deterministic upgrades." Using :main means the image can change between deployments without any chart version change, leading to non-reproducible behavior. Consider pinning to a specific version tag.

Suggested change

	OPS_SUBAGENT_RUNNER_IMAGE: "535002847982.dkr.ecr.us-east-2.amazonaws.com/openops/subagent-runner:main"
	OPS_SUBAGENT_RUNNER_IMAGE: "public.ecr.aws/openops/subagent-runner:0.0.1-dev"

[Copilot]

Same as the Role template: this RoleBinding is always created regardless of whether subagents are enabled. It should be wrapped in a conditional guard (e.g., {{- if eq (index .Values.openopsEnv "OPS_SUBAGENTS_ENABLED") "true" }}) consistent with how other optional features in this chart gate their resources.

[Copilot]

There are now two separate configuration points for the subagent namespace: subagents.namespace (used by RBAC templates) and OPS_SUBAGENT_K8S_NAMESPACE (used as an env var by the application). Having two independent settings for the same concept is error-prone — users could set one and forget the other, leading to mismatched RBAC permissions and application behavior. Consider deriving OPS_SUBAGENT_K8S_NAMESPACE from subagents.namespace (e.g., '{{ .Values.subagents.namespace | default .Release.Namespace }}') to have a single source of truth.

Suggested change

	# Namespace where subagent pods run (defaults to same namespace as app)
	namespace: ""
	# Namespace where subagent pods run (defaults to the Helm release namespace)
	namespace: "{{ .Release.Namespace }}"