From drunk-app
Use when working with the drunk-app Helm chart — configuring values.yaml, understanding parameters, generating deployment configs, or validating settings. Activate with /drunk-app or when the user mentions drunk-app, drunk-charts, or asks for help writing a values.yaml for this chart.
npx claudepluginhub baoduy/drunk.charts --plugin drunk-appThis skill uses the workspace's default tool permissions.
You are an expert in the **drunk-app** Helm chart from [drunk.charts](https://github.com/baoduy/drunk.charts). Help developers configure, generate, and validate `values.yaml` files.
Provides UI/UX resources: 50+ styles, color palettes, font pairings, guidelines, charts for web/mobile across React, Next.js, Vue, Svelte, Tailwind, React Native, Flutter. Aids planning, building, reviewing interfaces.
Fetches up-to-date documentation from Context7 for libraries and frameworks like React, Next.js, Prisma. Use for setup questions, API references, and code examples.
Explores codebases via GitNexus: discover repos, query execution flows, trace processes, inspect symbol callers/callees, and review architecture.
Share bugs, ideas, or general feedback.
You are an expert in the drunk-app Helm chart from drunk.charts. Help developers configure, generate, and validate values.yaml files.
drunk-app is an application Helm chart (v1.3.x) that wraps the drunk-lib library chart. Install it:
plugin marketplace add baoduy/drunk.charts
helm repo add drunk-charts https://baoduy.github.io/drunk.charts/drunk-app
helm repo update
helm install my-app drunk-charts/drunk-app -f my-values.yaml
Supported resources: Deployment, StatefulSet, CronJob, Job, ConfigMap, Secret, SecretProviderClass, TLS Secrets, Ingress, HTTPRoute, Gateway, HPA, NetworkPolicy, ServiceAccount, PVC, emptyDir.
When the developer asks "how does X work?" or "what does Y do?", explain from the schema below with a YAML snippet.
When the developer says "give me a values.yaml for [use case]", produce a complete, correct values.yaml. Always include:
global.image and global.tagdeployment, statefulset, or jobs/cronJobs)tmp emptyDir volume (required because readOnlyRootFilesystem: true by default)Use the Generation Templates section below as your starting points.
When the developer pastes a values.yaml, run every item in the Validation Checklist and report all issues with specific fix instructions.
nameOverride: string # optional — overrides chart name in resource labels
# DO NOT use fullnameOverride
imageCredentials:
name: string # required — pull secret resource name
registry: string # required — registry URL
username: string # required
password: string # required
# Wire to pods: set global.imagePullSecret to the same value as imageCredentials.name
global:
image: string # REQUIRED — no default
tag: string # default: "latest"
imagePullPolicy: string # default: "IfNotPresent" | "Always" | "Never"
storageClassName: string # default storage class for PVCs
imagePullSecret: string # pull secret name (must exist in namespace)
initContainer: # runs before main container
image: string
command: string[]
env:
KEY: "value" # plain env vars injected directly as pod env (NOT via ConfigMap)
configMap:
KEY: "value" # creates a new ConfigMap
configFrom:
- "existing-configmap-name" # injects all keys from an existing ConfigMap
secrets:
KEY: "value" # inline Secret (base64-encoded at rest)
secretFrom:
- "existing-secret-name" # injects all keys from an existing Secret
secretProvider:
enabled: bool # default: false
name: string # optional override — default: <app>-spc
provider:
name: string # REQUIRED when enabled: "azure" | "aws" | "gcp"
tenantId: string # Azure only
vaultName: string # REQUIRED when enabled
userAssignedIdentityID: string # Azure only
usePodIdentity: bool # default: false (Azure legacy)
useWorkloadIdentity: bool # default: false (recommended)
objects:
- objectName: string # REQUIRED — secret name in vault
objectType: string # REQUIRED — "secret" | "cert" | "key"
objectFormat: string # optional — "pem" | "pfx"
objectEncoding: string # optional — "base64" | "utf-8"
# Mode 1: Inline base64
tlsSecrets:
<name>:
enabled: bool
crt: string # base64 certificate (required with key)
key: string # base64 private key (required with crt)
ca: string # optional base64 CA
# Mode 2: File-based (files read at helm template/install time)
tlsSecrets:
<name>:
enabled: bool
crtFile: string # path to .crt file
keyFile: string # path to .key file
caFile: string # optional path to CA file
# Mode 3: CA-only — DISABLED by default (not valid for kubernetes.io/tls)
tlsSecrets:
<name>:
enabled: false # must stay false unless crt+key are also provided
ca: string
deployment:
enabled: bool # default: true — set false for cron-only apps
replicaCount: int # default: 1
ports:
http: int # default: 8080
tcp: int # optional
liveness: string # HTTP path e.g. "/healthz"
readiness: string # HTTP path e.g. "/healthz/ready"
command: string[] # override entrypoint
args: string[]
podAnnotations: {}
strategy:
type: string # "RollingUpdate" (default) | "Recreate"
maxSurge: string # default: "1" — ignored when type=Recreate
maxUnavailable: string # default: "1" — ignored when type=Recreate
statefulset:
enabled: bool # default: false
replicaCount: int # default: 1
ports:
http: int
tcp: int
liveness: string
readiness: string
command: string[]
args: string[]
podAnnotations: {}
# Do NOT enable both deployment and statefulset simultaneously
cronJobs:
- name: string # REQUIRED, unique within chart
schedule: string # REQUIRED, cron format e.g. "0 2 * * *"
command: string[]
args: string[]
restartPolicy: string # "OnFailure" (default) | "Never" | "Always"
jobs:
- name: string # REQUIRED, unique within chart
command: string[]
args: string[]
restartPolicy: string # "OnFailure" (default) | "Never"
volumes:
<name>: # PVC volume
size: string # REQUIRED e.g. "2Gi"
accessMode: string # REQUIRED: "ReadWriteOnce" | "ReadWriteMany" | "ReadOnlyMany"
mountPath: string # REQUIRED
storageClassName: string # optional, falls back to global.storageClassName
subPath: string # optional
readOnly: bool # default: false
<name>: # emptyDir volume
mountPath: string # REQUIRED
emptyDir: true # REQUIRED: must be true
readOnly: bool # default: false
serviceAccount:
enabled: bool # default: false
annotations: {} # e.g. IRSA, Workload Identity
podSecurityContext:
fsGroup: int # default: 10000
runAsUser: int # default: 10000
runAsGroup: int # default: 10000
securityContext:
capabilities:
drop: ["ALL"] # default
readOnlyRootFilesystem: bool # default: true
allowPrivilegeEscalation: bool # default: false
runAsNonRoot: bool # default: true
service:
type: string # default: "ClusterIP" | "NodePort" | "LoadBalancer"
httpRoute:
enabled: bool
parentRefs:
- name: string # REQUIRED — Gateway name
namespace: string # REQUIRED — Gateway namespace
sectionName: string # optional — listener name
tlsValidation:
caCertificateRefs:
- group: string
kind: string
name: string
hostnames:
- string
gateway:
enabled: bool
gatewayClassName: string # REQUIRED when enabled
annotations: {} # optional Gateway annotations
listeners:
- name: string # REQUIRED — listener name e.g. "https"
protocol: string # REQUIRED — "HTTP" | "HTTPS" | "TCP" | "TLS"
port: int # REQUIRED — listener port e.g. 443
hostname: string # optional — hostname filter
tls: {} # optional — TLS config for HTTPS/TLS listeners
ingress:
enabled: bool # default: false
className: string # e.g. "nginx"
hosts:
- host: string # REQUIRED
port: int # REQUIRED
tls: string # TLS secret name
resources:
limits:
cpu: string # default: "100m"
memory: string # default: "128Mi"
requests:
cpu: string # default: "100m"
memory: string # default: "128Mi"
autoscaling:
enabled: bool # default: false
minReplicas: int # default: 1
maxReplicas: int # default: 100
targetCPUUtilizationPercentage: int # optional
targetMemoryUtilizationPercentage: int # optional
nodeSelector: {}
tolerations: []
affinity: {}
networkPolicies:
- name: string # REQUIRED
enabled: bool # default: true
policyTypes: string[] # REQUIRED: ["Ingress"] | ["Egress"] | ["Ingress","Egress"]
podSelector: {} # optional, defaults to app labels
ingress: []
egress: []
labels: {}
nameSuffix: string
networkPolicy:
policyTypes: string[]
podSelector: {}
ingress: []
egress: []
Fill in <placeholders> with real values.
nameOverride: "<app-name>"
global:
image: "<registry/image>"
tag: "<tag>"
deployment:
ports:
http: 8080
liveness: "/healthz"
volumes:
tmp:
mountPath: "/tmp"
emptyDir: true
ingress:
enabled: true
className: nginx
hosts:
- host: "<hostname>"
port: 8080
resources:
limits:
cpu: "500m"
memory: "512Mi"
requests:
cpu: "100m"
memory: "128Mi"
nameOverride: "<app-name>"
global:
image: "<registry/image>"
tag: "<tag>"
imagePullSecret: "<pull-secret-name>"
imageCredentials:
name: "<pull-secret-name>"
registry: "<registry-url>"
username: "<username>"
password: "<password>"
secrets:
DATABASE_URL: "<connection-string>"
API_KEY: "<key>"
deployment:
ports:
http: 8080
liveness: "/health"
readiness: "/ready"
strategy:
type: "RollingUpdate"
maxSurge: "1"
maxUnavailable: "0"
autoscaling:
enabled: true
minReplicas: 2
maxReplicas: 10
targetMemoryUtilizationPercentage: 80
volumes:
tmp:
mountPath: "/tmp"
emptyDir: true
resources:
limits:
cpu: "500m"
memory: "512Mi"
requests:
cpu: "100m"
memory: "128Mi"
nameOverride: "<app-name>"
global:
image: "<registry/image>"
tag: "<tag>"
deployment:
enabled: false
cronJobs:
- name: "<job-name>"
schedule: "0 2 * * *"
command: ["<entrypoint>"]
restartPolicy: OnFailure
volumes:
tmp:
mountPath: "/tmp"
emptyDir: true
nameOverride: "<app-name>"
global:
image: "<registry/image>"
tag: "<tag>"
deployment:
enabled: false
statefulset:
enabled: true
replicaCount: 1
ports:
tcp: <port>
volumes:
data:
size: "10Gi"
accessMode: "ReadWriteOnce"
mountPath: "/data"
tmp:
mountPath: "/tmp"
emptyDir: true
secretProvider:
enabled: true
provider:
name: azure
tenantId: "<tenant-id>"
vaultName: "<vault-name>"
useWorkloadIdentity: true
objects:
- objectName: <secret-name>
objectType: secret
serviceAccount:
enabled: true
annotations:
azure.workload.identity/client-id: "<client-id>"
When reviewing a user's values.yaml, check ALL items and report every failure:
global.image is set — no default. If missing, the chart will fail to render. Flag immediately.
At least one workload — at least one of: deployment.enabled: true (or omitted, since default is true), statefulset.enabled: true, non-empty cronJobs[], non-empty jobs[].
Port matches app — deployment.ports.http (or statefulset.ports.http) should match the port the container actually listens on.
secretProvider completeness — if secretProvider.enabled: true, then secretProvider.provider.name AND secretProvider.provider.vaultName must be set.
tlsSecrets completeness — if tlsSecrets.<name>.enabled: true, must have either (crt + key) or (crtFile + keyFile). A CA-only entry (ca: without crt+key) is invalid for kubernetes.io/tls.
HPA + replica alignment — if autoscaling.enabled: true, set deployment.replicaCount equal to autoscaling.minReplicas. If replicaCount > minReplicas, the HPA will scale down immediately on startup. If replicaCount < minReplicas, the HPA will scale up immediately.
Egress + DNS — if networkPolicies has any Egress policy, there must be a DNS rule (UDP port 53 to kube-system). Without it, DNS resolution breaks and the pod cannot reach anything by hostname.
PVC fields complete — if a volume entry has emptyDir absent or false, then size and accessMode are required.
readOnlyRootFilesystem + tmp — default securityContext.readOnlyRootFilesystem: true means the container cannot write to /. A tmp emptyDir volume is required for any app that writes temp files (most do).
imagePullSecret wired — if imageCredentials is defined, global.imagePullSecret must match imageCredentials.name. If they don't match, the pod will fail to pull the image.
volumes is a map, not an array. Keys are volume names. Common mistake: writing - name: tmp (array syntax). Correct: tmp: (map key).
Do not enable deployment and statefulset together. Use one or the other. StatefulSets are for workloads needing stable network identity or ordered pod startup.
tlsSecrets CA-only mode. Setting enabled: true with only ca: will fail — Kubernetes requires both tls.crt and tls.key. Keep enabled: false for CA-only entries.
secretProvider.provider.name is the cloud type, not the resource name. Values: azure, aws, gcp. The resource name override is secretProvider.name.
configMap vs configFrom. configMap creates a new ConfigMap owned by this chart. configFrom references an existing external ConfigMap by name.
deployment.strategy with Recreate. Fields maxSurge and maxUnavailable are silently ignored when type: Recreate.
nameOverride only. Never set fullnameOverride — use nameOverride instead. The chart comment explicitly warns against this.
Egress network policies always need a DNS exception. Port 53 UDP to kube-system is not automatic. Forget it and all hostname resolution silently fails.