docs: PLTF-388 add Helm-based installer instructions for OpenHands Enterprise#628
Open
aivong-openhands wants to merge 31 commits into
Open
Conversation
|
Preview deployment for your docs. Learn more about Mintlify Previews.
💡 Tip: Enable Workflows to automatically generate PRs for you. |
…undle notes - Note that the no-channel install URL targets the Stable channel; non-Stable licenses must include the channel slug (else 'Channel not found for license') - Add a bring-your-own-certificate values variant alongside the cert-manager one - Document installing the preflight/support-bundle CLIs - Note support-bundle upload prints no link; find the bundle in the portal - Add optional STORAGE_CLASS to the runtime-api values example - Add a troubleshooting row for bundles missing instance metadata
…bleshooting - Drop the claim that self-signed certs break login/agent comms (chart support for self-signed is being explored separately) - Remove the publicly-trusted absolute from the BYO-cert note - Drop the Pending/no-default-storage-class row (a default storage class is already a stated prerequisite)
The prior example used tls.enabled: true + an ACME email, but the chart has no tls.email key and tls.enabled: true only references a pre-existing secret — it does not invoke cert-manager. Switch the minimal example to the validated bring-your-own-certificate config (tls.enabled: false, tls: false on the keycloak/runtime-api ingresses, cert terminated at the ingress controller) and leave a slot noting a cert-manager variant will be documented separately.
Co-authored-by: openhands <openhands@all-hands.dev>
Co-authored-by: openhands <openhands@all-hands.dev>
…-helm-based-installer
aivong-openhands
marked this pull request as ready for review
July 16, 2026 16:58
Add postgresql.auth.database, databaseMigrations.createDatabases (app + runtime-api), and litellm-helm.enabled — without these the bundled-DB path hangs at wait-for-db and no LiteLLM deploys. Correct the 'no configuration needed' prose.
keycloak.enabled defaults false in the chart; the example configured only the Keycloak ingress, so no Keycloak was deployed and login dead-ended with a 404 on auth.app.<domain>. Verified on a fresh KinD install: without this flag no keycloak pod renders; with it the auth endpoints come up and the GitHub login redirect returns 303.
The runtime-api chart defaults STORAGE_CLASS to standard-rwo, which only exists on GKE. On any other cluster sandbox PVCs stay Pending on the nonexistent class and every sandbox times out at startup. Verified live: with the default, PVCs never bind; setting the cluster's storage class makes sandboxes start. Replace the optional (and incorrect) comment with an explicit setting.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
Adds a new page
enterprise/k8s-install/installation.mdx("Install with Helm") for the OHE Helm Install path with Replicated, wired into the K8s Install nav and linked from the overview page: registry login with license credentials, the secrets the chart expects (GitHub App via the existing creation script;allhandsrealm/client naming), a minimal usable values file (ingress + keycloak ingress, runtime endpoints withRUNTIME_BASE_URL/RUNTIME_DISABLE_SSL, embedded PostgreSQL/Redis/MinIO), install, preflight, and support-bundle generation + upload. Prerequisites such as DNS hostnames and certificates. A Next Steps section establishes the pattern that features and sizing arehelm upgradeoverrides documented on their own pages; thehelm upgradeexamples inanalytics.mdxandplugin-marketplace.mdxnow use the Replicated registry chart URL so upgrades reference the same source as the install.Validation
openhands 0.24.0via the documented install URL): licensed registry pull, GitHub App login through keycloak, sandbox start, and a working agent conversation. Preflight passed from the in-cluster Secret; an earlier run (chart 0.23.1) uploaded a support bundle confirmed present in the Vendor Portal.helm template.This PR was drafted by an AI agent on behalf of the user.