|
| 1 | +--- |
| 2 | +name: sim-helm |
| 3 | +description: Install, upgrade, and operate the Sim Helm chart on Kubernetes. Covers install path selection (inline / existingSecret / External Secrets Operator), required secret generation, the values.yaml mental model (env vs envDefaults vs Secret), and common failure triage. Invoke when a user asks about deploying Sim to a cluster, authoring a Sim values.yaml, debugging a Sim pod that won't start, upgrading a Sim release, or wiring Sim into a secret manager. |
| 4 | +license: Apache-2.0 |
| 5 | +--- |
| 6 | + |
| 7 | +# Sim Helm Chart — Operations Skill |
| 8 | + |
| 9 | +This skill helps an agent deploy and operate the **Sim** Helm chart at `helm/sim/` in the [simstudioai/sim](https://github.com/simstudioai/sim) repository. Use it when the user is installing, upgrading, troubleshooting, or authoring values for the Sim chart. |
| 10 | + |
| 11 | +The skill is **diagnostic-first**: capture context, classify the situation, load only the references that apply, then act. Do not dump the README at the user. Do not invent values that are not in their current state. |
| 12 | + |
| 13 | +--- |
| 14 | + |
| 15 | +## Workflow — follow in order |
| 16 | + |
| 17 | +### 1. Capture context |
| 18 | + |
| 19 | +Before recommending anything, ask (or infer from the conversation) all of these. **Never skip this step.** A wrong assumption here corrupts every downstream step. |
| 20 | + |
| 21 | +| Question | Why it matters | |
| 22 | +|---|---| |
| 23 | +| Cluster: EKS / GKE / AKS / OpenShift / kind / other? | Storage class, ingress class, identity provider differ | |
| 24 | +| Secret strategy: inline `--set`, pre-existing K8s Secret, or External Secrets Operator (ESO)? | The chart has three distinct code paths | |
| 25 | +| Postgres: chart-bundled, or external (RDS / Cloud SQL / Azure DB)? | Different value blocks (`postgresql.*` vs `externalDatabase.*`) | |
| 26 | +| Public-facing? Ingress class? TLS? | `ingress.enabled`, `ingress.className`, cert-manager wiring | |
| 27 | +| HA? (target replicas) | Drives `autoscaling.enabled`, `app.replicaCount`, PDB activation | |
| 28 | +| Existing values.yaml the user is editing? | Always read it before proposing a diff — never write blind | |
| 29 | + |
| 30 | +If the user has a `values.yaml`, read it. If they don't, ask before writing one. |
| 31 | + |
| 32 | +### 2. Diagnose |
| 33 | + |
| 34 | +Map the user's request to one of these categories and load the matching reference(s): |
| 35 | + |
| 36 | +| Situation | Reference | |
| 37 | +|---|---| |
| 38 | +| User wants to install for the first time | `references/install-paths.md` then `references/secrets.md` | |
| 39 | +| User needs to generate the required secrets | `references/secrets.md` | |
| 40 | +| User asks "what does this value do" / wants to author values.yaml | `references/values-model.md` | |
| 41 | +| Pod won't start, error message, `CrashLoopBackOff`, image pull error, ingress not routing | `references/troubleshooting.md` | |
| 42 | +| User asks about ESO / Vault / AWS Secrets Manager / Azure Key Vault / GCP Secret Manager | `references/install-paths.md` (ESO section) | |
| 43 | +| User asks "is X production-ready" / autoscaling / network policy / security context | Read the README's "Production checklist" section directly — no separate reference | |
| 44 | + |
| 45 | +Load **only** what the situation requires. Loading every reference burns tokens and produces vague answers. |
| 46 | + |
| 47 | +### 3. Propose |
| 48 | + |
| 49 | +When proposing values changes: |
| 50 | + |
| 51 | +- Show the **minimal diff** against the user's current values.yaml. Don't rewrite the file. |
| 52 | +- Name the **risk** (e.g., "this puts the secret in `helm get values` output — fine for dev, not for prod"). |
| 53 | +- Name the **rollback** (e.g., "if this breaks, `helm rollback sim 1` reverts"). |
| 54 | +- Cite the canonical source (`helm/sim/values.yaml` line numbers, README section, or this skill's reference file). |
| 55 | + |
| 56 | +### 4. Validate before applying |
| 57 | + |
| 58 | +Always run these before telling the user to `helm install` / `helm upgrade`: |
| 59 | + |
| 60 | +```bash |
| 61 | +# Schema + value validation |
| 62 | +helm lint helm/sim --values <user-values>.yaml |
| 63 | + |
| 64 | +# Render full manifest set to catch template errors |
| 65 | +helm template sim helm/sim --values <user-values>.yaml > /tmp/render.yaml |
| 66 | + |
| 67 | +# For upgrades, render against the live release first |
| 68 | +helm upgrade --dry-run sim helm/sim --values <user-values>.yaml |
| 69 | +``` |
| 70 | + |
| 71 | +If lint or template fails, fix the values — do not work around chart validation. The chart's `fail` statements exist to catch misconfigurations that would otherwise surface as `CrashLoopBackOff` at runtime. |
| 72 | + |
| 73 | +### 5. Deliver |
| 74 | + |
| 75 | +Every recommendation should include: |
| 76 | + |
| 77 | +- The exact command(s) to run |
| 78 | +- A one-line summary of what will change |
| 79 | +- The success signal (e.g., "`kubectl rollout status deploy/sim-app` returns Ready") |
| 80 | +- The rollback command if something breaks |
| 81 | + |
| 82 | +--- |
| 83 | + |
| 84 | +## Quick reference — the three secret modes |
| 85 | + |
| 86 | +| Mode | When | Code path | |
| 87 | +|---|---|---| |
| 88 | +| **Inline (`--set`)** | Dev / kind / dry-run only. Values leak into `helm get values`. | `app.env.<KEY>: "..."` | |
| 89 | +| **Pre-existing Secret** | GitOps with Sealed Secrets / SOPS, or hand-managed Secrets. Chart references a Secret you create. | `app.secrets.existingSecret.enabled: true` + `.name` | |
| 90 | +| **External Secrets Operator (recommended for prod)** | Vault, AWS SM, Azure KV, GCP SM. Chart renders an `ExternalSecret` that ESO syncs. | `externalSecrets.enabled: true` + `secretStoreRef` + `remoteRefs.app.<KEY>` | |
| 91 | + |
| 92 | +These modes are **mutually exclusive** for the app Secret. ESO takes precedence over inline. `existingSecret` takes precedence over inline. The chart **fails template rendering** when ESO is enabled and a required key (`BETTER_AUTH_SECRET`, `ENCRYPTION_KEY`, `INTERNAL_API_SECRET`, plus `CRON_SECRET` when cronjobs are enabled) is neither in `app.env` nor mapped in `remoteRefs.app` — see `references/install-paths.md`. |
| 93 | + |
| 94 | +--- |
| 95 | + |
| 96 | +## Quick reference — the four required secrets |
| 97 | + |
| 98 | +| Key | Generate with | Notes | |
| 99 | +|---|---|---| |
| 100 | +| `BETTER_AUTH_SECRET` | `openssl rand -hex 32` | Session signing | |
| 101 | +| `ENCRYPTION_KEY` | `openssl rand -hex 32` | App-level encryption | |
| 102 | +| `INTERNAL_API_SECRET` | `openssl rand -hex 32` | Service-to-service auth (app ↔ realtime) | |
| 103 | +| `CRON_SECRET` | `openssl rand -hex 32` | Required iff `cronjobs.enabled=true` (default true) | |
| 104 | + |
| 105 | +Optional but commonly needed: |
| 106 | + |
| 107 | +| Key | Generate with | Notes | |
| 108 | +|---|---|---| |
| 109 | +| `API_ENCRYPTION_KEY` | `openssl rand -hex 32` | Must be **exactly 64 hex chars**. Required to encrypt user API keys at rest. | |
| 110 | +| `postgresql.auth.password` | `openssl rand -base64 24 \| tr -d '/+='` | Only if using chart-bundled Postgres. Must match `^[a-zA-Z0-9._-]+$` for DATABASE_URL compatibility. | |
| 111 | + |
| 112 | +See `references/secrets.md` for storage patterns and rotation guidance. |
| 113 | + |
| 114 | +--- |
| 115 | + |
| 116 | +## Rules of engagement |
| 117 | + |
| 118 | +These are non-negotiable. Violating any of these has burned users in the past. |
| 119 | + |
| 120 | +1. **Never recommend `--set` for production secrets.** They land in `helm get values` and Helm release history. Direct users to `existingSecret` or ESO. |
| 121 | +2. **Never set `image.tag: latest`.** The chart defaults to `Chart.AppVersion` for a reason — reproducible rollouts. If the user pinned `latest`, push back. |
| 122 | +3. **Never edit chart templates to work around a `fail` statement.** The validation exists because a misconfiguration would otherwise surface as a runtime CrashLoopBackOff with cryptic env errors. |
| 123 | +4. **Never drop `automountServiceAccountToken: false`** unless the workload genuinely needs in-cluster API access (Sim's app/realtime/postgres pods do not). |
| 124 | +5. **Never `kubectl delete sts` without `--cascade=orphan`** on a live Postgres. It deletes the pods and PVCs. |
| 125 | +6. **Never tell a user "the chart works on your cluster" without `helm lint` + `helm template` against their values.** Static reading is not validation. |
| 126 | +7. **Always confirm before `helm uninstall` in a shared namespace.** PVCs survive but other namespace resources may not. |
| 127 | + |
| 128 | +--- |
| 129 | + |
| 130 | +## When the user is stuck and you can't diagnose |
| 131 | + |
| 132 | +Get logs from every component in parallel. This single block answers ~80% of "it's broken" questions: |
| 133 | + |
| 134 | +```bash |
| 135 | +kubectl --namespace <ns> get pods,events --sort-by='.lastTimestamp' |
| 136 | +kubectl --namespace <ns> logs deploy/sim-app --tail=200 |
| 137 | +kubectl --namespace <ns> logs deploy/sim-realtime --tail=200 |
| 138 | +kubectl --namespace <ns> logs sts/sim-postgresql --tail=200 |
| 139 | +kubectl --namespace <ns> logs job/sim-migrations --tail=200 2>/dev/null |
| 140 | +kubectl --namespace <ns> describe pod -l app.kubernetes.io/name=sim |
| 141 | +``` |
| 142 | + |
| 143 | +Then map the symptom to `references/troubleshooting.md`. |
| 144 | + |
| 145 | +--- |
| 146 | + |
| 147 | +## What this skill does **not** cover |
| 148 | + |
| 149 | +- Sim application configuration beyond env vars (provider keys, knowledge base setup, etc.) — that's the Sim app docs at https://docs.sim.ai |
| 150 | +- Kubernetes cluster setup (creating an EKS cluster, installing ingress-nginx, etc.) — that's cloud-provider docs |
| 151 | +- Authoring new chart templates — that's `helm/sim/templates/_helpers.tpl` and the chart's own contributor docs |
| 152 | +- Running Sim outside Kubernetes (Docker Compose, bare-metal) — see the root `README.md` |
| 153 | + |
| 154 | +If the user's question falls outside this scope, say so and point them at the right doc. |
0 commit comments