Skip to content

docs: PLTF-388 add Helm-based installer instructions for OpenHands Enterprise#628

Open
aivong-openhands wants to merge 31 commits into
mainfrom
aivong/pltf-388-update-docsopenhandsdev-with-helm-based-installer
Open

docs: PLTF-388 add Helm-based installer instructions for OpenHands Enterprise#628
aivong-openhands wants to merge 31 commits into
mainfrom
aivong/pltf-388-update-docsopenhandsdev-with-helm-based-installer

Conversation

@aivong-openhands

@aivong-openhands aivong-openhands commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Why

Adds a new page enterprise/k8s-install/installation.mdx ("Install with Helm") for the OHE Helm Install path with Replicated, wired into the K8s Install nav and linked from the overview page: registry login with license credentials, the secrets the chart expects (GitHub App via the existing creation script; allhands realm/client naming), a minimal usable values file (ingress + keycloak ingress, runtime endpoints with RUNTIME_BASE_URL/RUNTIME_DISABLE_SSL, embedded PostgreSQL/Redis/MinIO), install, preflight, and support-bundle generation + upload. Prerequisites such as DNS hostnames and certificates. A Next Steps section establishes the pattern that features and sizing are helm upgrade overrides documented on their own pages; the helm upgrade examples in analytics.mdx and plugin-marketplace.mdx now use the Replicated registry chart URL so upgrades reference the same source as the install.

Validation

  • Validated live end-to-end on a KinD cluster with real DNS and Let's Encrypt certificates, following the page's steps and minimal values example verbatim against the Stable channel (chart openhands 0.24.0 via the documented install URL): licensed registry pull, GitHub App login through keycloak, sandbox start, and a working agent conversation. Preflight passed from the in-cluster Secret; an earlier run (chart 0.23.1) uploaded a support bundle confirmed present in the Vendor Portal.
  • The starter values render cleanly against the chart with helm template.

This PR was drafted by an AI agent on behalf of the user.

@mintlify

mintlify Bot commented Jul 15, 2026

Copy link
Copy Markdown

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
all-hands-ai 🟢 Ready View Preview Jul 15, 2026, 3:19 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

…undle notes

- Note that the no-channel install URL targets the Stable channel; non-Stable
  licenses must include the channel slug (else 'Channel not found for license')
- Add a bring-your-own-certificate values variant alongside the cert-manager one
- Document installing the preflight/support-bundle CLIs
- Note support-bundle upload prints no link; find the bundle in the portal
- Add optional STORAGE_CLASS to the runtime-api values example
- Add a troubleshooting row for bundles missing instance metadata
…bleshooting

- Drop the claim that self-signed certs break login/agent comms (chart support
  for self-signed is being explored separately)
- Remove the publicly-trusted absolute from the BYO-cert note
- Drop the Pending/no-default-storage-class row (a default storage class is
  already a stated prerequisite)
The prior example used tls.enabled: true + an ACME email, but the chart has no
tls.email key and tls.enabled: true only references a pre-existing secret — it
does not invoke cert-manager. Switch the minimal example to the validated
bring-your-own-certificate config (tls.enabled: false, tls: false on the
keycloak/runtime-api ingresses, cert terminated at the ingress controller) and
leave a slot noting a cert-manager variant will be documented separately.
aivong-openhands and others added 2 commits July 16, 2026 11:55
Co-authored-by: openhands <openhands@all-hands.dev>
Co-authored-by: openhands <openhands@all-hands.dev>
Add postgresql.auth.database, databaseMigrations.createDatabases (app + runtime-api),
and litellm-helm.enabled — without these the bundled-DB path hangs at wait-for-db
and no LiteLLM deploys. Correct the 'no configuration needed' prose.
keycloak.enabled defaults false in the chart; the example configured only the
Keycloak ingress, so no Keycloak was deployed and login dead-ended with a 404
on auth.app.<domain>. Verified on a fresh KinD install: without this flag no
keycloak pod renders; with it the auth endpoints come up and the GitHub login
redirect returns 303.
The runtime-api chart defaults STORAGE_CLASS to standard-rwo, which only
exists on GKE. On any other cluster sandbox PVCs stay Pending on the
nonexistent class and every sandbox times out at startup. Verified live:
with the default, PVCs never bind; setting the cluster's storage class
makes sandboxes start. Replace the optional (and incorrect) comment with
an explicit setting.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant