From a40cce4826d9d0ead7b9d29099a729ac6f7a3505 Mon Sep 17 00:00:00 2001
From: thuanpham582002 <tienthuan05082002@gmail.com>
Date: Mon, 29 Dec 2025 16:32:00 +0700
Subject: [PATCH 1/6] feat: Add official Helm chart for Kubernetes deployment

Add comprehensive Helm chart for deploying Open Notebook on Kubernetes clusters.

Features:
- Complete Bitnami-style documentation with @param annotations
- JSON schema for values validation
- Support for 17 AI providers (OpenAI, Anthropic, Google, Azure, etc.)
- Automatic secret creation for API keys
- Health checks (liveness, readiness, startup probes)
- Persistent volume support for app and SurrealDB
- Service types: ClusterIP, NodePort, LoadBalancer
- Ingress configuration with TLS support
- Network policy for traffic control
- ServiceMonitor for Prometheus monitoring
- Pod disruption budget for high availability
- Resource management and security contexts
- Worker retry configuration

Installation:
  helm install open-notebook ./helm/open-notebook

Configuration:
  See helm/open-notebook/values.yaml for all options
  See helm/open-notebook/README.md for documentation
---
 helm/Chart.lock                 |   6 +
 helm/Chart.yaml                 |  26 +
 helm/README.md                  | 632 +++++++++++++++++++++++
 helm/charts/common-2.31.4.tgz   | Bin 0 -> 20003 bytes
 helm/templates/NOTES.txt        | 111 ++++
 helm/templates/_helpers.tpl     | 427 ++++++++++++++++
 helm/templates/configmap.yaml   |  26 +
 helm/templates/deployment.yaml  | 185 +++++++
 helm/templates/ingress.yaml     |  60 +++
 helm/templates/pvc.yaml         |  36 ++
 helm/templates/secret.yaml      |  81 +++
 helm/templates/service.yaml     |  67 +++
 helm/templates/statefulset.yaml | 126 +++++
 helm/values.schema.json         | 604 ++++++++++++++++++++++
 helm/values.yaml                | 878 ++++++++++++++++++++++++++++++++
 15 files changed, 3265 insertions(+)
 create mode 100644 helm/Chart.lock
 create mode 100644 helm/Chart.yaml
 create mode 100644 helm/README.md
 create mode 100644 helm/charts/common-2.31.4.tgz
 create mode 100644 helm/templates/NOTES.txt
 create mode 100644 helm/templates/_helpers.tpl
 create mode 100644 helm/templates/configmap.yaml
 create mode 100644 helm/templates/deployment.yaml
 create mode 100644 helm/templates/ingress.yaml
 create mode 100644 helm/templates/pvc.yaml
 create mode 100644 helm/templates/secret.yaml
 create mode 100644 helm/templates/service.yaml
 create mode 100644 helm/templates/statefulset.yaml
 create mode 100644 helm/values.schema.json
 create mode 100644 helm/values.yaml

diff --git a/helm/Chart.lock b/helm/Chart.lock
new file mode 100644
index 00000000..b6a9ee2a
--- /dev/null
+++ b/helm/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: common
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 2.31.4
+digest: sha256:0df1987bc04bbeb530d28418e1dcb4d999985dc1559351db58db16c260c73deb
+generated: "2025-12-26T18:20:00.665704+07:00"
diff --git a/helm/Chart.yaml b/helm/Chart.yaml
new file mode 100644
index 00000000..5f801a13
--- /dev/null
+++ b/helm/Chart.yaml
@@ -0,0 +1,26 @@
+apiVersion: v2
+name: open-notebook
+description: Open Notebook - AI-powered note-taking application with SurrealDB backend
+type: application
+version: 1.0.0
+appVersion: "v1-latest"
+keywords:
+  - notebook
+  - ai
+  - knowledge-management
+  - surrealdb
+home: https://github.com/lfnovo/open-notebook
+icon: https://raw.githubusercontent.com/lfnovo/open-notebook/main/docs/assets/logo.png
+sources:
+  - https://github.com/lfnovo/open-notebook
+maintainers:
+  - name: lfnovo
+    email: open-notebook@example.com
+dependencies:
+  - name: common
+    repository: oci://registry-1.docker.io/bitnamicharts
+    version: 2.x.x
+    condition: global.commonChartEnabled
+annotations:
+  category: Analytics
+  licenses: Apache-2.0
diff --git a/helm/README.md b/helm/README.md
new file mode 100644
index 00000000..7231aa20
--- /dev/null
+++ b/helm/README.md
@@ -0,0 +1,632 @@
+# Open Notebook Helm Chart
+
+Open Notebook - AI-powered note-taking application with SurrealDB backend.
+
+## Introduction
+
+This chart bootstraps an [Open Notebook](https://github.com/lfnovo/open-notebook) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+Open Notebook is a privacy-focused, AI-powered research and note-taking tool that helps you:
+- Organize research across multiple notebooks
+- Chat with your documents using AI
+- Support 17 AI providers (OpenAI, Anthropic, Google, Azure, Ollama, and more)
+- Create AI-generated podcasts from your content
+- Works with PDFs, web links, videos, audio files, and more
+
+## Prerequisites
+
+- Kubernetes 1.23+
+- Helm 3.0+
+- PV provisioner support in the underlying infrastructure (for persistence)
+
+## Installing the Chart
+
+To install the chart with the release name `open-notebook`:
+
+```bash
+helm install open-notebook ./helm/open-notebook
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `open-notebook` deployment:
+
+```bash
+helm uninstall open-notebook
+```
+
+## Configuration
+
+See [values.yaml](values.yaml) for comprehensive configuration with Bitnami-style documentation. Key parameters include:
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `image.registry` | Image registry | `docker.io` |
+| `image.repository` | Image repository | `lfnovo/open_notebook` |
+| `image.tag` | Image tag (overrides appVersion) | `""` |
+| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
+| `surrealdb.enabled` | Deploy internal SurrealDB | `true` |
+| `surrealdb.external.enabled` | Use external SurrealDB | `false` |
+| `surrealdb.auth.user` | SurrealDB username | `root` |
+| `surrealdb.auth.password` | SurrealDB password | `root` |
+| `app.replicaCount` | Number of replicas | `1` |
+| `app.ports.http` | HTTP frontend port | `8502` |
+| `app.ports.api` | API server port | `5055` |
+| `service.type` | Kubernetes service type | `ClusterIP` |
+| `ingress.enabled` | Enable ingress | `false` |
+| `secrets.create` | Create secrets automatically | `true` |
+| `config.aiProviders.*` | AI provider configurations | See below |
+
+## AI Provider Configuration
+
+Open Notebook supports 17 AI providers across LLM, embedding, speech-to-text, and text-to-speech:
+
+### LLM Providers (10)
+- **OpenAI** - GPT-4, GPT-4 Turbo, GPT-3.5
+- **Anthropic** - Claude 3 Opus, Sonnet, Haiku
+- **Google Gemini** - Gemini Pro, Gemini Vision
+- **Vertex AI** - Google Cloud Vertex AI models
+- **Mistral** - Mistral Large, Medium, Small
+- **DeepSeek** - DeepSeek Chat, DeepSeek Coder
+- **Ollama** - Local OpenAI-compatible models
+- **OpenRouter** - Multiple open-source models
+- **Groq** - Llama 3, Mixtral, Gemma
+- **XAI** - Grok models
+
+### Multi-Modal Providers (2)
+- **Azure OpenAI** - Different deployments for LLM/embedding/STT/TTS
+- **OpenAI-Compatible** - Azure, FPT Cloud, or other compatible APIs
+
+### Specialized Providers (5)
+- **ElevenLabs** - Text-to-speech for podcast generation
+- **Voyage AI** - Specialized embeddings
+- **Firecrawl** - Web scraping and content extraction
+- **Jina** - Content processing and embeddings
+- **LangChain** - Debugging and tracing
+
+### Quick Configuration
+
+```yaml
+config:
+  aiProviders:
+    # OpenAI
+    openai:
+      apiKey: "sk-your-openai-key"
+
+    # Anthropic
+    anthropic:
+      apiKey: "sk-ant-your-anthropic-key"
+
+    # Google Gemini
+    google:
+      apiKey: "your-google-api-key"
+      geminiBaseUrl: ""  # Optional: custom endpoint
+
+    # Azure OpenAI
+    azureOpenai:
+      apiKey: "your-azure-key"
+      endpoint: "https://your-resource.openai.azure.com"
+      apiVersion: "2024-12-01-preview"
+
+    # OpenAI-compatible (e.g., FPT Cloud)
+    openaiCompatible:
+      baseUrl: "https://api.example.com/v1"
+      apiKey: "your-api-key"
+```
+
+### Automatic Secret Creation
+
+Enable automatic secret creation for API keys:
+
+```yaml
+secrets:
+  create: true
+
+config:
+  aiProviders:
+    openai:
+      apiKey: "sk-your-key"  # Will be added to secret automatically
+```
+
+## Usage Examples
+
+### Basic Installation with OpenAI
+
+```bash
+helm install open-notebook ./helm/open-notebook \
+  --set config.aiProviders.openai.apiKey=sk-xxx
+```
+
+### Multiple AI Providers
+
+```bash
+helm install open-notebook ./helm/open-notebook \
+  --set config.aiProviders.openai.apiKey=sk-xxx \
+  --set config.aiProviders.anthropic.apiKey=sk-ant-xxx \
+  --set config.aiProviders.google.apiKey=your-google-key
+```
+
+### Using OpenAI-Compatible Endpoint (Azure/FPT Cloud)
+
+```yaml
+config:
+  aiProviders:
+    openaiCompatible:
+      baseUrl: "https://mkp-api.fptcloud.com/v1"
+      apiKey: "sk-your-key"
+```
+
+### Vertex AI Configuration
+
+```yaml
+config:
+  aiProviders:
+    vertexai:
+      project: "your-gcp-project"
+      credentials: "base64-encoded-service-account-key"
+      location: "us-east5"
+```
+
+### Using External SurrealDB
+
+```bash
+helm install open-notebook ./helm/open-notebook \
+  --set surrealdb.enabled=false \
+  --set surrealdb.external.enabled=true \
+  --set surrealdb.external.host=surrealdb.example.com \
+  --set surrealdb.external.port=8000
+```
+
+### With NodePort Service
+
+```yaml
+service:
+  type: NodePort
+  ports:
+    http: 8502
+    api: 5055
+    httpNodePort: 30852
+    apiNodePort: 30555
+
+config:
+  api:
+    url: "http://your-node-ip:30555"
+```
+
+### With Ingress and TLS
+
+```bash
+helm install open-notebook ./helm/open-notebook \
+  --set ingress.enabled=true \
+  --set ingress.className=nginx \
+  --set ingress.hosts[0].host=notebook.example.com \
+  --set ingress.tls[0].secretName=notebook-tls \
+  --set ingress.annotations."cert-manager.io/cluster-issuer"=letsencrypt-prod \
+  --set config.api.url=https://notebook.example.com
+```
+
+### Custom Resources
+
+```yaml
+app:
+  resources:
+    limits:
+      cpu: 1000m
+      memory: 1Gi
+    requests:
+      cpu: 500m
+      memory: 512Mi
+
+surrealdb:
+  resources:
+    limits:
+      cpu: 500m
+      memory: 512Mi
+    requests:
+      cpu: 250m
+      memory: 256Mi
+```
+
+### Prometheus Monitoring
+
+Enable ServiceMonitor for Prometheus Operator:
+
+```yaml
+serviceMonitor:
+  enabled: true
+  namespace: monitoring
+  interval: 30s
+```
+
+### Horizontal Scaling
+
+Requires external SurrealDB:
+
+```yaml
+app:
+  replicaCount: 3
+
+surrealdb:
+  enabled: false
+  external:
+    enabled: true
+    host: external-surrealdb.example.com
+    port: 8000
+```
+
+## Automatic Secret Management
+
+The chart can automatically create secrets for sensitive data:
+
+```yaml
+secrets:
+  create: true  # Enable automatic secret creation
+
+config:
+  aiProviders:
+    openai:
+      apiKey: "sk-xxx"  # Automatically added to secret
+    anthropic:
+      apiKey: "sk-ant-xxx"  # Automatically added to secret
+```
+
+Created secret: `open-notebook-secret` containing:
+- `OPENAI_API_KEY`
+- `ANTHROPIC_API_KEY`
+- `GOOGLE_API_KEY`
+- `SURREAL_PASSWORD`
+- And all other configured keys
+
+### Using Existing Secrets
+
+For production, use existing secrets:
+
+```bash
+# Create secret manually
+kubectl create secret generic open-notebook-secrets \
+  --from-literal=OPENAI_API_KEY=sk-xxx \
+  --from-literal=ANTHROPIC_API_KEY=sk-ant-xxx
+
+# Reference the secret
+helm install open-notebook ./helm/open-notebook \
+  --set secrets.create=false \
+  --set secrets.existingSecret=open-notebook-secrets
+```
+
+## Persistence
+
+The chart supports persistent storage for both the application and SurrealDB:
+
+- **App Data**: `/app/data` - Stores notebooks, sources, notes, and generated content
+- **SurrealDB Data**: `/mydata` - Stores the SurrealDB database files
+
+Both are enabled by default with 8Gi PVCs. Customize the size and storage class:
+
+```yaml
+app:
+  persistence:
+    enabled: true
+    size: 20Gi
+    storageClass: fast-ssd
+    mountPath: /app/data
+
+surrealdb:
+  persistence:
+    enabled: true
+    size: 20Gi
+    storageClass: fast-ssd
+    mountPath: /mydata
+```
+
+### Using Existing PVCs
+
+```yaml
+app:
+  persistence:
+    existingClaim: open-notebook-data
+
+surrealdb:
+  persistence:
+    existingClaim: surrealdb-data
+```
+
+## Security
+
+### Password Protection
+
+Enable password protection:
+
+```bash
+helm install open-notebook ./helm/open-notebook \
+  --set config.auth.password=your-secure-password
+```
+
+### Security Contexts
+
+Pod and container security contexts are configurable:
+
+```yaml
+app:
+  podSecurityContext:
+    enabled: true
+    fsGroup: 1001
+    runAsUser: 1001
+
+  containerSecurityContext:
+    enabled: true
+    runAsNonRoot: true
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+```
+
+### SSL/TLS Configuration
+
+```yaml
+config:
+  ssl:
+    caBundle: /path/to/ca-bundle.crt
+    verify: true
+```
+
+## Health Checks
+
+Configurable probes for application health monitoring:
+
+```yaml
+app:
+  livenessProbe:
+    enabled: true
+    path: /health
+    port: api
+    initialDelaySeconds: 60
+    periodSeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 6
+
+  readinessProbe:
+    enabled: true
+    path: /health
+    port: api
+    initialDelaySeconds: 30
+    periodSeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 6
+
+  startupProbe:
+    enabled: false
+    path: /health
+    port: api
+    initialDelaySeconds: 0
+    failureThreshold: 30
+```
+
+## Networking
+
+### Ingress Configuration
+
+Enable ingress to expose Open Notebook via a domain name:
+
+```yaml
+ingress:
+  enabled: true
+  className: nginx
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+  hosts:
+    - host: notebook.example.com
+      paths:
+        - path: /
+          pathType: Prefix
+          service: http
+  tls:
+    - secretName: notebook-tls
+      hosts:
+        - notebook.example.com
+```
+
+### Network Policy
+
+Enable network policies to control pod traffic:
+
+```yaml
+networkPolicy:
+  enabled: true
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+      - podSelector: {}
+  egress:
+    - to:
+      - podSelector: {}
+```
+
+## Advanced Configuration
+
+### Worker Configuration
+
+Configure background worker behavior:
+
+```yaml
+config:
+  worker:
+    maxTasks: 5
+    retry:
+      enabled: true
+      maxAttempts: 3
+      waitStrategy: exponential_jitter
+      waitMin: 1
+      waitMax: 30
+```
+
+### Pod Disruption Budget
+
+Ensure availability during disruptions:
+
+```yaml
+app:
+  podDisruptionBudget:
+    enabled: true
+    minAvailable: 1
+    # or
+    maxUnavailable: 1
+```
+
+### Service Account
+
+```yaml
+app:
+  serviceAccount:
+    create: true
+    name: open-notebook
+    automountServiceAccountToken: false
+    annotations: {}
+```
+
+### Node Selector and Tolerations
+
+```yaml
+app:
+  nodeSelector:
+    workload-type: gpu
+
+  tolerations:
+  - key: "nvidia.com/gpu"
+    operator: "Exists"
+    effect: "NoSchedule"
+```
+
+## Upgrading
+
+To upgrade your Helm release:
+
+```bash
+helm upgrade open-notebook ./helm/open-notebook
+```
+
+To upgrade with custom values:
+
+```bash
+helm upgrade open-notebook ./helm/open-notebook \
+  --set config.aiProviders.openai.apiKey=new-key \
+  --set image.tag=v1.1.0
+```
+
+### Upgrade Strategy
+
+Control deployment update behavior:
+
+```yaml
+app:
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+```
+
+## Rollback
+
+To rollback to a previous revision:
+
+```bash
+helm rollback open-notebook
+```
+
+Or rollback to a specific revision:
+
+```bash
+helm rollback open-notebook 2
+```
+
+## Troubleshooting
+
+### Check Pod Status
+
+```bash
+kubectl get pods -l app.kubernetes.io/name=open-notebook
+kubectl get pods -l app.kubernetes.io/name=open-notebook-surrealdb
+```
+
+### View Logs
+
+```bash
+# Application logs
+kubectl logs -l app.kubernetes.io/name=open-notebook --tail=100 -f
+
+# SurrealDB logs
+kubectl logs -l app.kubernetes.io/name=open-notebook-surrealdb --tail=100 -f
+```
+
+### Port Forward to Access
+
+```bash
+# Forward UI
+kubectl port-forward svc/open-notebook 8502:8502
+
+# Forward API
+kubectl port-forward svc/open-notebook 5055:5055
+
+# Access at http://localhost:8502
+```
+
+### SurrealDB Connection Issues
+
+If the application can't connect to SurrealDB:
+
+```bash
+# Check SurrealDB is running
+kubectl get pods -l app.kubernetes.io/name=open-notebook-surrealdb
+
+# Port forward to SurrealDB
+kubectl port-forward svc/open-notebook-surrealdb 8000:8000
+
+# Test connection
+surreal sql --endpoint ws://localhost:8000/rpc --namespace open_notebook --database production --user root --pass root
+```
+
+### Check Secrets
+
+```bash
+# List secrets
+kubectl get secrets -n open-notebook
+
+# View secret (base64 decoded)
+kubectl get secret open-notebook-secret -o jsonpath='{.data.OPENAI_API_KEY}' | base64 -d
+```
+
+## Metrics and Monitoring
+
+### Prometheus Monitoring
+
+Enable ServiceMonitor for Prometheus Operator:
+
+```yaml
+serviceMonitor:
+  enabled: true
+  namespace: monitoring
+  interval: 30s
+  scrapeTimeout: 10s
+```
+
+Metrics will be available at:
+- `http://open-notebook:8502/metrics` (application metrics)
+- SurrealDB metrics can be enabled via experimental features
+
+## License
+
+Apache License 2.0
+
+## Support
+
+- GitHub: https://github.com/lfnovo/open-notebook
+- Issues: https://github.com/lfnovo/open-notebook/issues
+- Discord: https://discord.gg/37XJPXfz2w
+
+## Contributing
+
+Contributions are welcome! Please feel free to submit a Pull Request.
diff --git a/helm/charts/common-2.31.4.tgz b/helm/charts/common-2.31.4.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..8c7e4d542f6ecd7c9ca48b016fb8598b2c714064
GIT binary patch
literal 20003
zcmV(@K-Rw>iwFP!00000|LuL-b{j{MU_aw4av}AIu!#b|tD8NV9*UA}ZtFIrEN_qH
zF$+KeD6>!nR~1OXmiEja?E9SEbLKPld-@0V7d9gDUN;m-kfJ=SnU=w-yhKJsMn*<P
zMhv3qGzvR^xXGv6-RbV{?y_#T+uPsmng5j!>+N=T_V#vm;eV{#>+SD#|G;){6e{t|
zlhlm?#2);ARk>x~<v`?r*9zp#Jp)ev)SJ!%H}#U6;DpubzrDY^cTfM@cyjc=a07qn
zrhXKzjTcs@|K8UA_C5V?;}P^fnz(W5EZk{u1AQQF_jY#5=-=yY?I`+pce^<M_x5)G
zz`8d8OYZqEPJcHHqm)ngg9c**kOAW;UL3IFa1^^q8qWvmJoeyI;19eo@sa~}ICBRR
zuf64T8}7`1>%|FFKVTPI@aIhZx#ev4oSnwdO9rt&OX=Mqd+zsRH(s!By<p0S>)0rY
z**K2oGd~<N&W|jJ#{Piyz4X%aLe}@w(4G2hfaMbhfO#|V6aFWIA20+q^kzY{aQlJB
z`U~c#i5HBV#w4102W*n2v*e)D5$!n8Ny8r?K=R9Q5v0FN7r~$Yw0(Ku41#Dr9K}(X
zI-!?#hS6mhMD8%@09a8Xn`uwo_}rO=<HotSxQyZ<V6ZI)06!*PF!N&gA!RH49L>W4
zVgi1OMjBJs4^#Lbpbe|TI{^4e4BbIXn?Qzv!w!Rho%rKPny?cu@!|__h)9^nfgZuw
zPbc#}4o$+>;pl4cCIwtcG>-=!b+xo+CyhO?g8=Feyp?n@gC+w`%f>~9<e!?S@1OdQ
zkpCyo4xhew=1hk-(MPrX-{0Tsb+ht+YkTKj{@=#)fIShy^@vMeDWFL<HyVfR2NKoR
z>mN6y>;NG*b&?5)$N`9pXy(Izgjo1V2$2U^rd31AKgme>#)Aj!&GSD$J!v$~&dyLb
zfyHFzg+nhK_#Q1+QeFzN#NaW6(R=4Ty^6hAl=vwvYtg_5uw!rR!`ilJ_Z)!y+>0GQ
zk}^(6P3V&Pg=Hd%0<VFiV5<KGo6m+Q(`7LN&sq(8jdMR79spj$kw1Rn&KgrMb)k}r
zkaM_y`;GbGAeaw5*5qSw@I&H^=0SkJn#^GzKQ?5o=>pXAIaF){QG$qlAH~72$$@wt
zMdygyG-C6_V<6`lEXS~F^VJ<XVzW3J&S?Sq3wr~^{Ne43OE>n|8#nxQ4$HbK&5oc$
zppGWAv2=F4F!kbD>?dAplcf`n(C@_q-wl{I^r?YpL|+t5d3&6wfB%pF{D1%Vf3f4~
zEQ(V%OxepQ1?A#^eK&)ah(9K7IQ9}8i`j~Rs?m4?^b12Qc{m@#3}#zjrISsz)!o|N
zRHZL{ST?<jD7f%YA7Hb2AI2v^!M3B($O9~~!8`_94q4)*2skhR(AXPp!VCE1r;GL|
z8URv<%%8dl*BqE2CeT9flKmiiJjLQ342%l-A)o@#dEsd^Lh;1ui`AWw2{dXCy^D@~
z*#>oh$mAt$sb~-wUYmCgu*7Xm$#(3y!$lj|lxq?Guimh2621lc0}LKjB_aywOKI$e
z3DN1G0gAvk@MkKg<s6`1AP2<>a|ZxLLQ@yVI`U&cb?Q$&M4rM;1j^kMyOnb<!H#Cp
zY#z8VQ-BHFInbd+p+3?QXIAVX!~jMzpCM;ZzaflJ)8nbv_ua7FcaauJG)jqmeTi=(
z^9Ym{01^os4tW>j*d5N@AXtDXm`1=3*eY#zVL0v>>qJu;qRk_OITtD=^B~>Kp@-U@
zxX_+J6kr8QBk_hToKO1zguzb|1E9Tv7AL{R5m2|u1d2o<K&jd5@BjY4Ih=q0_y2>S
z(wJz>FbAR3kdOrY;|0-d3KJ8Wib2|W3848DR<<-ZNnrfY_GQFC=$<E=%*9#q9>gK%
z0GnEyLO$WQC_t#7J3(gXoRGKSIb#PVpR?O_x|^)mb@o6m2->o#KjxFG1jlS6CxKgX
z-oxl6t33C{?qGpf(9*o1YCy%X`-ulwf<_h`k}!hR24qSM^#>lzNg=?AAHRk{=^4d9
zmp><cpRkS9+92?zk}o&q?0^nnDF8tWm>LrChcFjdp)^2<U};g}Uh#y&I21{yKn!Hu
zG<65(&|f@q2Uz#$?K3`UVH(rwvvJ|O?CrDv(fRAMw=mk%C$C;0DFIw9oF%*<bUDLG
zsp|Sugw~(Jm@f!PYBIyLO>n=5Y>SK`$HGSp8!M<XjfhqHID2NXJ3!gZg@l@s*fa1k
zbcmA@AR1HS2;Y3xPNO!WUToQrYhg|x4W?0yZvh_xjOM}zG81$q0v7kKu%Ys>1ubHW
zwlfOH9Y0CtUeft$duwmM#h0UFA#iD9)-ZOKh#r549Z7{nZso-0E)hf>xFNDStq_1%
zF&$}b;MxRyLX?pzl~bNtAe;y1Fd{Z}L-<e3!FnA72mdlhB*1J2F8%8q<O%FY0id3<
zwf!Z$BGqi$`O4{j$?Lc=C=I{>3DF#g0$Rc)X$7=11|b8$AWG!`+zUW9eFIA22cf-*
zkr6Qm(F}zb2x%V|Oq4RfFSNK2s1MlTXhf?W0{Q`=nxO;%22cGFN@Dx@0CHRz1z7Fp
z1AF#<2K@po$Kh<A*00H{17z*$hb=9!&T6_kKz1h7KUZPW2_xV=2j|oo4*tZ0i5UVf
z;v0q^1=bh9aJ*6;o6zvkAEc~#?k$?E`Sq(;@Gt3*Nt10LJFw=H!;>cd`>)N`Spm*U
zAwv;nLxyke0Ay#X3k6wCplry{$^rc&zMJ*oEP)I*M-eP{i@$n{GZQl7{W8D|$aEzE
zQx-pk)r%pUMMK4AIX;7r5^o*+4Kun3j|wtqeg>*Rm?~VM@b%uq-w(@Stb$CiS&q*>
zIb^Dm0a;C;*28BcdXL<h+xLUo!ncAwt|pf2KlKH84Ox9-;&`1MSnM+}DCL~PVlHe2
zXB7w&jD-s`DDz|3pBh?#(8JjV*DeNuk4rPKnG4$$=8u^3miWi)Oq$DKs|y=L0M0oR
zW_U3hDkxGo5N-3osj4SM$w1<{hmhfbbWH?GD67C5S9#Q25;%cr(s$Frq;t{BO!U%$
z{2cX-!ITiiq6qA=;|Nr3R0xg1peBrsU3DPWrN|(T!li?$I}q8}rx?i4h244xoLV)M
zx&zUTeS(3gjZVc#Y7ay=cIyL4QUGW)4=QO=cOYhCw>=P$m$8>5>zO06v6Tj~rh&wL
zcd%4!)g8#mlfxslcJVX96~?m`sWn`m_&qv#dIfT<XCR=N`-8=jvD6(1>Y2hcBig;a
zfq;^Mmax~A<Ec9k(b#H(SkpiNlv6Lh@CV)+#P8wjW7*gWqgc;CCNp<^bL877_J2jg
zSioLKLv}b%qh#O)%Qp;b7|6vs2LiuSe~=r-a`LQWvL`b~X|5&XPy<Pn`U{YrifPTK
z*Yz~ub*${X^8_u5rDVwu1W7|?PqIW_Xmx(u+5U3naja#s52t>DQ1EkCJlTUkGDOM`
z<gl>XmC15*1F@$~ZK+k<*sTm?rkTBbD0K(&x~#Ev4ul(4qUj8preQ2rwyfN^G3Aat
z*EGsg6Dt~fZrr|eN1io|)1H(jLpy%*YUYK>#OHQjP0s>L&Cp9ZiSh6YX5kd&qN=_o
zPP*NvzBnjvq7=6=9?i#woWkb0jH8o%I!~nXfj)W_#e|O$9k_F8D3R{4Ckt)eBga?e
zJUV1<!rwVC4_O5DVpTC=fq(891iSR4BZO=Y&v!fIp2fJ$8G3dBmWYgnsJXLfo=UHt
ze)OJQ`ssxJfc;_``^X;ciyk{YI?~2C7}}9Ey-8c7I*ZMqCu^l68T>4cqj)8=_Gcq^
z*C05HTCFcjKN~T6Gk{vt*CRf2<}>sZ@|>BQB;?TTc+*)*=XJ-a@Fxos^gy7K`4}al
zEJ{b^WB<Yn(f1_8Ifid|lQ^4Q?h63(bHvW{EgR0_XVNZD9pX%;-qJ}NT{1Uh1fX_k
zO44Y?b#D$aa|c`r(suAn2l5Q*Vdg`(n}5}7v2vTaK$RbIr!?-0ac1)M8v>d`OsIg3
z=GYHmgO>F!A`HbI$f<!hB)2G0O*mBa7l>ZKa({sb7UXt<qdpr4QQr+5DLNe&-5icH
zAfXcxEMjGvp+XghMIuPbDG<*SCygBF&!G}0QIxip9vTY4#bKx?xNco!-Hhld@2-wa
zx^-!E%N<&CNcaKLf6g+bF}6Xt2@-CM=nu>%4S5c)kvP^YKpt<FPXX5C6Azgmont-r
z!?CRP<HiFj6Vo)2E~DxKk)wGbgM}Fk4RnFnOY@E!1{R)@s~?|O@R|E>GhUIsM5k%C
zA)QFQ;Q{$T+Z}PO?6vNWfe=eQci3847W6jDziqWNnq(pVw<2``7IMIyT^S1=YH%(c
z5OY-yR6}*YvsIfHu8)PKqB4hti@fEj2n(DUrL}3z&x$jG7Ii2=TZuEa^0bf(20ueu
z&Cc*Cl-*liJl657WMKFdYVl{IitERoz2X40?}Bs+i|pVZ*f$>NePqy+vskb^6SdHD
zIbP(qzlX1nuQt_<Z77}Byrlay%~2FJ)w|abPTpqUjhkXcBY$HFn!1$$eTQ^OMSJg_
zD@PpiKM$gDXRF)$Q>VM%>3!94XMWqLowWV1-D~&uI))HffHwSIIn|;QbrDhrUYx$*
zj=?9e>ww+%nHu2h820}OYoeapL~D)Omtd{7@F!-*C12|O&GS>1_~THN10ge@^@6;8
zVIdK&z!D2)b%j*pWr=*0N9?*_0b|_4BP8r|x9<f@1?+l7YLT#9B8}E73yNB^xGW&7
zpkqfk6pog9$u)e<WC6x2tb~KSrL6#hDY|QM8lmdLf2qrCA+R0!y*LTr6E=PUU^R;E
zTBs<WB^Lv`%vlKp#1y15)m(Jf#Tqxgg4SE^*2QNxy>?l=!Y@bSzh{M5MGl}_dALUs
z#!7yd1Ed}@(wUT0SmG5dD=|>~%x>q}hT)~uv4<n?dS<{liaowuN*gVfTd-f|Zh#Cr
z#8WaFXywt@?GK0kow);RJRdNIL3Ak$#)0Q1oJdp<XL;YFi)la(n1Od`IFdTnxD4u)
zQH8m~p|n@wKGO{XS_B^@#=viXI0L>-$rKYH5Ztq1o?LNnb^F877qX3MRAcTK7rD!)
zkiI&ABNFPPuGyy7ZGKIgmw7Av^`(@_7A`#GIFSx_)$7pRI@u^$#46XGyS2?JfyQDo
z?F$K-JZQ#-QN~q{lB9HlTHXo#sShhn|7XAp<9C!JEXYp<cnk9KFaL|H+^CX6aeu(@
zrZ1fpghM(Fn0k0Uo{L9*|J=O9Z<zbV6_U^mqo!gkVM+SLR_M>rU~tpVr?rURt!a2C
z9&6GkeA*PKnT8c3t7Y;^SG)6JtTgf>KA*b98*94^u1K`T;retsAC3I?APA-l_0wE&
z$Ts=Rs{iB01KA)SL%H$(R-Yn@oa5ce4B`|;cp(O5)&cIdD8jGs!M~(4d{$_$c#0^Z
zPs+Ki>8yYvvJCFQ;P2S?E^tRr-bHRe;Y-+n6t-d2h)u5&qJ;P%6)+p=tSN5q58v8%
zC?(w_RCqru`);e*V$Hw{$LXZWdR^!#jiYefWFt37JX;?$e@~(?ieG2?m38zq++@7%
zO~%{ZWCayT2T+YOShEA+WDwC3?FLREMTn~`OPh9fy_|UD7=$KR@4}Bj(H{$94JEZC
zMR+^Q_Lh|tsdK;fclH!fB#5H(`RvRr1rz~wjz?mkLpmNE1sy$PBo<zKle=<VQaBGf
zvP{LX9uGDn_c!#)S$U3#>cnwcv`rWE<M%;8sSBqOhH0tLg=;9lpGK7}*A{DNa-T-o
zv*!Uvy)y_vyc#<w^F&vWhaF)V&Bhp_1m*)CjufxFMu7t7gxC5jthYwls*~6^vw(MW
zt7hRlyi2-Gd-5ILn^-)Z&I0aSAsjc(40H)EUkn>0BsIFy3g0*Fim?Rgh9lp+g!%JQ
zdQ<f1n@dYFiRQtOaX`7Ju!Lb#ndwGk#0b-1AuA6oGu|020Wf9IzE_NgsTYqkCf^tM
z3a~(m7wnTv&*D5f+)+x=xe!WWIGs8fJXHFm(5qhgry4FPE6<A(Jhai4eHr^HDa5~f
zJdoV{F7=lmuTuFtWyr*5ZNm5FVocrOvo?sV88Jt8aA@1|CVCcLymh&d{J@^f{Q$i^
zE_~ShP|U&$H})w88Cg`gxzy!bo?F-htEojDlJTT1cY@8cRT|0-Us#34UP{yUO!;ik
zkx<OdxOB>mp<P_L2NT--?L5o&3=%8iEy327FU!2d`S4*-Byqlm%?-u9BI`h^S4P_P
z$TQh9X*%Z&fIA)7sW6mZw=sOaH<Hql|Fw#kEF3<J8VCQ}Pps%#iHN1Dhkj0hDq*B9
zj}wK_R0&0}=<>3{&`4t6=g}E4jHxWWhT-RpB=E9lBZW*OMQF(ne=zX|=gEBfMyzaf
zFelz&;4`)0i4L1`G32);zQCYHf%k<zXW3Apls8Wen;D+#<GDyQG(D9zVJj^omm=O|
z@MX4vTZ0F^ueSI1498y%KodhnLKjnaM#(Vhvw&Cx-|Flss|VxyBn#sm-gw;hvvSn2
zPqLQZJq6;EJ(kch5*Il_7v~a0UgF|3mQ&PIi_jEfBjagn-{aS>*1q!E%KKlfg+}b}
zva7F?S$$2N1j@|&!tdPtX`l3P^C8tITe2*eu^}IaY=GW46e?NWVcRr<#EKZ&+JAR~
zjyzmtG1M4`oubV}qL&u7A2%Kdve2ajueFR~(|M5kGmB;x#pHLnhbo}maf+u5w8(-&
z1tSK@#&4D3V&T%QI$6Jz(u!izp*DMej*kx)B;y91@v>(xll72uC!b{$L*0GY*C#<|
zbOq2)Ebb}0Hc2#jflWMpLfohBK(0#2yc#PYYwMY%rwVtNwr7l-AAHKd0OTa$M=@kX
z0XCzH@dyN+>-h4*c7nbhJnHx&n)6YkW+I>v<`n6m$Z>N+D!$M~zIS6(rRpgn>(D)}
zrApLUeAlt`U8@aiGF%G$I&l;P@Z*g;J`;ElsAp~;Z_V@YoT3!Q%&!-BMcpAfTm4Q^
z0hH5dNWO3KdTbU-c@J0K%~kRG<@MbHsMimr^0+#aJ=jo+*rn<!u-Y7my(4S{P%>Dd
z<xSBbE-V=P9J#^4osG11TKgIdtbPi7jp<E%;_C#qHd8k-uKMDDbsiX*UItUP@KjkC
zA|V{ZpH@0Fahp#T*GUV+4L6WMK}7c%p{DoVg$)z5rIH>r8b)TDC0(89tO+QC^i@)`
zWf?C&1bV-3G=Ni=HOt$9f@U*4r?=<yU}s9nI(pr9ytmzG;5|<s>}pw~gzOOj%A0?!
zDmssNGs3Y=x8ugKyMVuZ*i_Q%>JDBB!5%DFBKrz?Be>00y~=x{>PqF%zDwye8ZgMY
zfu(*F1)dw`M&zaPIy&y%X@Q{igaUI=G8NEY-ls7PImD11{K^qek(8LYrB#Pm@-XCn
z#d!2}DHf-L#skGoCZjyCav<4cet_gFA=(3GP>mgrUPkF_bX*Km_{4`UAfgmRI30{L
zH$5S|5Y2nTrFi;YI4JP)%s8=gOe7#48x3);NJoatSn8We1oNHt{|dmAy^VtT)UyvC
zH!(g#!s*p)H_=B!ck`06HZ_|fJHpUU5YB`R7nC`QXN*9{X#l~37+PvHc$SzK(a>84
z?jg@710vf~lCu<UtD_Uo9e$4o53h&-iT~@;&Q77s3O#)FjSsUB1m?1KU!&oU`>skt
z4y~4CevV3ZmaM~x{=gy!$Lj-TAU1;lD32H*pdXMa(dbt3tnHem*_M)YEg9uY!wE3s
zykQM?x)80Ody5zD4AY<;WZM$&RYo-4rckNSLdY)`6kKw_kA7GN1c#rmkd?^hS;-Wr
z510w;1CXjxZ^uHf#c$ZpDpVpaX}}2B93|EFA{YwN4SiTB@f1cL!nsI_ys=o*@~!r+
zNraiEe7w{S4O|LWXxyKQdtos@sRYTEh|o*CTcI5I@I8YKOjshR`#?+bj=&YY2R*Mi
zlbgWG)zi2!aeI!hP=MF^RXGV?&D>vL7RcT;HJ}-N-Y2$JA6S2H2V^Jw_+=i!_8FS7
z20fewdc=<7G`Pm&g%<}6ss6|ed#?{qPrrY4@>G3beCLJM?E~W_6Nm<;IPpgImkM;5
zKDVHqRl8nh-7WPluEnuzKET11J(8h+#SZ0Bfw0F=uZTauuGo$$v}R_MJ^7c-CT7_S
z!~}c!>dmuLCw-q<=?Q=PtzB%JICv~aS7v<bcJt<^m$vmu0@{YME!KwNmh{)F(_e3e
z{(7RnMga+z+K&`r*JH&YIumU`MYyDu885GaYN6~=e7WO6oKR*_uqM#$NR(kzTD*>t
z%_=Fbhtcg1-~?_dXtxvcowW${xY^vy;1XUD$3MyxeU!J2ZL%4^dFKv?>``$C59LJv
z37Zgk*bv{a>NxBTxBAh$c^vbzTTDpVP_qu!E6m+zH1qi32Huq)qybeHXPoV}z6K|~
z7&R}jcEo;8q7cD*-2BZ!iRTzx__2xN4aTy!!`j1EqX-4PE1{rgqM)}P6!dNY1-&c^
zgwSB$$%tdZoh<^@zUy=wjUQfx>}7P}QCh;@Hl@q#Zi>jgTPo|~rAt8qrnEi6j5U~-
zurR$EGOtJ#{Q!gc&y#jEY6E64JtgWIlpd7A6#lH!21@@To>fsQFgkF7Oj3s_EO|aP
z{BGn6=W~oU2$;n#97HhyE-z*19AzWVMMFb^wB}c*_)xdG21TvlJQOOg3TQ~B#0W$p
zaokk7u{ukXD0}wmxg(_V_vFkYV88TuhDM&pbI3KbEFS)XIo)1MKWsB~CY3b?Oc$4J
zjpU4N$V;Un<9R;<@Tt-kjc;2b-)IO)%hMjx`0X~g@@?|;a+H&@<zV)@*sD(cD^va=
z4?yE$P~2OfMcZDC>;_CV<hlOL%`Ug^P<S^pFfjK50aSg5Sg;b0pXFe>*mf+iM(!`2
z2copNt|{1j2{hQ@8=ITB1OAL}f2Feh1tFG}`!AqKfQcOwU@VGyC*19V*#xvc3Q-;`
zxQ084rV$>fAmuOJg=Nr|xehhm62W6f$gD#z7NIyOww{hJNE5|ZoP^wUEKChTbC$sZ
zGbM%ZxxN!XcQZIActbuf#LU^G_P9e~_y~}KqRS1@XAsjW*6)(*=wcoTMok8=*Ngo~
zr6^K?x6$Zg)*eP)g567zCFdhRf`rsy=uvQAV|%ihL*tVM!A`2+wvi#$lGwvE!a`8}
z5RFDY*$Sx`u;CncHbk@P$#b#w)5Z2rJYOml?mSRG+aLkjcuJSF#556~0Ea|8IR=2?
zVq0(v%oo^0z+4H>DShNW%Dz)?Fu{K9JjC;)<At4zDdz8Nr<f4BV`LF-i)^hO`qD1?
zA|mR*aNI!~+Q;fiJDtP653rH6(NY^+cx@c|7X7>3#%!Z)JxtC;ZJ3bWduNhPgMTvN
zu7k6}3KW}1<e_aNzNq*1#TI5F<v+KfCN7@OVFV#=TaTjIBKF6Vl>Ng1e*T$qOS2~u
zV<a3XDQr`|YjQpy_L1+{aX4_0vpSe2CdFX#eVD>NusLR)ZHVrMM#kSmPzT^Y;>#wJ
z!OypxF5AEYP4TJO`f~$$d<yadr^}oUas7mgA@BXbn~|8pP{V=GxB7C46HPdczljE-
zK04k|VB*<AuF0Ylb78ANNCli;US2vbf#^i>xD)UqN$2_T(X*GQ&)NVcVDh^#K>L+i
z)L|_VEJImH-Ag<`bH}mA7b55xon?Kz3MF&MHil@$^!xMFLXU(A#%UJ7^&@1>!&7#A
z+GI}-PmfPG8{Z$l`S#U!Z`k*TCntw5-yA<XWv@=y(W{qFkKY`>dI^7h%?@Awjs5lb
z<<m{(`P}sQenvr$kYH0%L7c{^hzlh<SBDv7JoX1LqHsJ%6XF;hf9bel2F$@j?$cGS
z23-ypk~=pXr}2kR^zf}z$Jn;6zmIOO+uhsQVcl-Gx4+vn|4YwyZ<qCUyE}V(JG<T8
zF6;JodRsexVBPhDl7C=_;KqOGB8<JNa?8GpvB*KOwE}r_4{8-s(n+bc$;H+oC?qHN
zA;Az8Al-2)JYc7<pZ<@w;M?}GI#51fhp!Khz9k7jqEsheMh>Gy%M`QR6beVjouj89
z0iuB4cLc2)Ex9Ngq5MB5=l)DuP`L@@!GnhR_kjrU$#uI=Hi<stN6ddxoBeSJ+SB^`
zST_Iny1nfD@9y{R=l^Xym@_;DMTUE!a}MA;i$1#P(@Ms(ljEG^jy*D05NrfI^b8B4
zKBGWvw1CGR20FU%xZ}2dkBi^~7Q#lFwtE|}%#Qr`a)a^TV1xMz_L;Q#m~oJB4MqJG
zmPhC5=}&kVg(o^kJQw@hqf<};;-uk>{j@{>a_}2Y|JS%f|H>DWaR>jAe<l}UM>mA=
zC+9O#o07&CPI5VefBWt^{F_eU_y265AvUI+!|~H+(4jC6G#uECxgA~(UNxMHWDpHK
zY}=oXG5b2K^9}e(y^(PMRME!Kw}&skdG`F(H_mkUsb!X!|N2niC*_Kf&eo(0RL}oj
z5B|u^fB3O`KmTvz`R%vP7md|afI14m7aeZ1?|i{7{OJK5sN)1f`^{st%Hj^<fKf35
zVVTEN<GTc8&_U5LK!G1tMZ{+G)ImGG=(;VgTU56uP9WNJ@dEUe4Rvj=Db*b4Qu|o6
z*amLNHXHz*eE`XNN@vILGxo;b`>)aD)NIG^-VMKe_#v6NTf2J)%@&<6z-Hy;@yl-x
z*ohv!PQbH)2YtF9sBnO9u*}DgEoG4iqf}fw<#}RwoC%Pwv4_LNyM?szaxWr(n8$X)
ztyDVFlzCgrX?%%>GWLnh3ABfzsHANHc^e^bs~i)i9f4?vF@^=r@n>6dXk%4BxH`OO
zd)ujlsH^6hXw_obY^Um=&K-@2fA|MHqoe-S_Zi+vdjXm^?qT68_ia_5<;Zn)M}Wq|
zo;!#7-i-+5t}4g4>M`>zW7H@fa8rYH*a2-45F=C!=)cWBCY?Vf2Y*axW(f~DllPJ9
zTSkj8H)+zTxtZxAGYoZBT!f*=Xs<vn$$q#JbfOOn%a6G?m<C_+WcD`<%dUxh`}hC&
zPj>q3=)05SH-BSFWW35HT1nW%1yzg;(r9~1{dAu4Tr2WuV4#i$h8_<Jy-6pL_+OND
z@>G<JEXx00=a%Bq!_~$Rl=aa_*|D*WH#p7Np`PaKh);6^Qiq*N04e%6S!0ZW_&kjj
z2r&>`0~gI*LyxSqLzP2|Zz8>z?D*lp+hib=&SC7rvs;`9@qv+f26`&GiHgR#Q;jbv
z3#1%AFjzawAw<wNd1RR4rhu|lQs@ePuC<m(>0YZOQhlFTnlQq>ha=!R-3$_61U!lz
z5vnN`aoOp|1$m&o)>brl*UZbrH|k2H^nT**M{bhLr}C0LegI`Wh%OPG;;5dSIu3|d
zMX=~GP!SGS=4B4X%y<3Qa&1Fn%yh4qXT+_D4OL5UYtB3s$j=FWA)F;~Y+>sC0vz0I
z8Zr#Dxg%6Bw4bs9n~64XnhK1g<2T#D{T!yL%XoRI2oo)?1WF+(g*dI<3I$D#o{UV*
z4KXjd)u(0#$u$JCEt<t&62)am!Fw!9Q06cMYY3e-0%wM7MeIDpTe?Wa1SBa;A_u+0
zEKt73D=9KWVI0lJlgz1j;9X!~^*Lzm0lGZ<7wYiPkTL>RN4oPJFxTlj1I?xxxFq!f
zG)XfPfkILe^zwbC=3^#EE?+n$Bq-z)S*egw1Zs{|q(&-=2erbv^f8|{6rYZksG|t*
z^SHYy6Cg@K2RK*bR&daU09yO2w=e(^O<Q27Dp{yyVXLeFTf#_OY4m=jDPX8CrpR$x
zxt^Cyiz2!h)1wqECV~Msnf5pXhj=XH;<dz7@Fqq~=zDz859j2-(v`==DGwcphs18k
zOX@V47QO`XH^zm0W55ObG-#*Ax_Pv8zOZ<N{SyH4xez6X>!$)sc(lApE>V6eMS+A;
zi>(|kZ(xu$hFByGG6H%PO<F0>Z%BTl>^9d4HF{GjOYO{I-;oBXE70u-U?9Pp=5`wo
z4b9liUt51$G2#=okx#r5?Zq7oqFDNUETD5r(i*@HoTg7wsG%xil<TPW-rmk}LkI7m
ziQvg{A|fS-^xGXC{<EzRVeG>@rHb#THh$ed1@>PZ%4%H(;3elj+xt8FS^Mwa?$*8i
z_corpV*jlfGY|Im6L*&IGoxe>%~XzZ@rUxztJ)4{qxZq4l&v0ZkF~h$ys74!G$i<i
zDMcy`fcXyXJtV5-i237$LK*uQ%9y)5qj4G}yo&}a{$fLai2mkIgBH`Pr?z_k_8SZ;
zjsAOrin@qiVD23qP7Z6)1}NFa0HgijUqr!&&WSiJJf-pgc2mOK)T<IGiW?MHPg)bK
zT20YgOKp=4SV-|PGzA1gbRbJJOL34(RHmM&Q*O}VY`lh0f1(Xc9p?=xuqiNg)=yb@
zV@*LtM(aa3OdR2u4eN9QO3t{0m`cd{{eZ_L#A!#rYRwEPnc>_uh8?WS&;ks_&qL@P
zxS4>;STQa#wh=7)xX$FX=cWmzVi7eLC98d)a{-(n@RRc<b(q&X`FlB?K0VtcEAovB
zWvLlRy{gYiIwIyB;VBcK&w#sLNocReW~J+YUjNfMZ*EQh+wSJ{zwP_;|66(Pfc_^H
zz-y&dYOF7<Qjs*vCW2D)+DyE}O&MkKC*MR{D8Gy!VoZGjxV#SqP@~-eb7LgjUvjtm
zN46ncyS*8ReJ^%{wzv{c!+RgNAT2su{J(VjJ!vVB9!mU3AqV;mhh2<EsB2Bxy&C6W
zHiu!tB$#4kC2tzVc(1d!_0<a>{+ojZ-tBhbQ%g3;hnH<`H`Cmowo04Z`bM;d|1_um
zAg&AaR;HJ&-M#Aoy}iF{HMjlMPEDW_yi->b=-mvacYEcisR8tU1_%3l<%G*%+8g@w
z=@p^wb+^iqa|N(_yW8cov*9NGuglg>*J6<F&h^;Z*|iv?yI+^B-(Lgj%5LiLwcXra
zZ>KI_Z+%Lz_w43+TU%e%V{N^ym4_5kI65fQwbhuP6xbh?p4B$@i}DX?>V9@|^6KP(
zaicKB=y>$U<Po$;J{1nni7F%ga@kJ~CDg^n&k-z3%}p3DotsGrTBIJjeo$!RUe&ak
z*Z+9%-nBV@{$Z*9x7*#{%jkc*`}^H{{qHuOJD~p&2(_c4S8O>8W3HPXDAx#YUb(d_
z>DVyB#i4L=D~8z$lP}NoMHm6x+Q|k!eq0_&pfsY4D$>-ZFC7|&4ueE<@K;gr0W86T
zV}AUYjXsdKX{a#&=u}k@*?%b^Ge{|q(Z8HDnWjuHMEpXj6Un1Ox>h_VAEkCv4%nzM
zpUu1&JwCq9RaL$<4a@Bz(}(4HQr4P2Ni8d}!RQMxi|GWZXn=n*zJ&bLEN`XI9F>pJ
zFCCAFf=elviTkgnV0DQ78dEISu$p2-HC)AQ3ZjDyuDf}Ac+;p%D_{Dm|1<folsQ`o
zYO0=co~K4TCXJ;wpl*v__#V%Mj-oRb7iFRmR}OgIJ=~E>^VmZgfwATnoq3CaJqETA
z3X2BD<`Cn9bk-@<B-DBR1=3G=3N)p8o?2uDykjRgkT|?<dV@MFXXIKiIqnKs4eD{C
z)t};}bIyZe_{!snz5(gIIKh}mv;!A^ic&V0nMJciE?q_{=UuVs(LS~@*g;7s9MEGK
zzpTo=LOXagd94x-xnnsXmTMH*L>3CKHIhcuV5NNX+VP%?BncMxq0!!;vWD{n1Pg^*
zBoledT;G);S(u3<G^SC*O&w+hlR|>npp6tqQB!YmJ}`bm1xa@A!0|hK^7}uTu5o=k
zz$N>?-qv<@|F^fbw|Bq)yN%}#?EftLe`!+CBJpfx7S-p9SIin(DXKGFX}!}3M@z8}
z9o}BcvA%pz9;s&MWo2|D;>~GsIYWoV#oKDl(oQ$LUuZXD6|o(p_4=I;c>J#Uu4(R?
zGTx-sl}Q~a0j*4xxL;px>&eT1e${E62EZlvzq{S--2HDTe=q-U<GBO!-xU9b^w%j0
z9E`WBG7Zo%=g=QxuvD2bM(h$d8TV@8R}4q6hs4+pWJwh1S7tMz@j6B8iC}&Dk6upH
zjogY`<$4*BMfl&)G|xE0FUnSXsMy^byGDM!RNj+SD~SS3-$32aO9%fdKD5l{<Q-Mn
zpw*DNz^a!xZ|24>yd$&8fdQF`ZM&V!y?68eJkl#u(()YSlrndqW;c&T0q0PWGTYJ8
zO8`dif{)DJ^l)Lc|D3rgmH{Q#PzIEu8weIT3(Q1xu^9ianJJs4oB^o?SMEqE-ve)c
z^%hGnujZ$($ZbNGVwq$^5kj4U<|k-XLU%R1y>mc2czYgj4=OVc2ObZ2E?Jw)=B|+*
zBr}7T-@5N@mVZM}v*IaUXG&X88KyYny|N!?&Bxg(Z6L(H3kl4Hn|O5cow_sgW?(^Y
z+P-YQr85HiW=&qztJ6;Ic22Q@x;Q+5^~G$~hNEh{R~&KaWvLZMy~-^mLrbR{jXZd`
z*>H=~IZOS6?Da|$mJe(m`oGAFJ}U0M!>Z`AzNsw|=9m|jjKnz=^EWr?*FKAD+UCmP
zSw4ToS80SZE^rsj?uYhq!|hG>jg_5OX|5Oul<xMeHHeJWp{W5$)r9-hlIJGSe?9rN
zZW8>yr6AY)WngH)-8jNv^ZYd)^5OdqC^)gl5B}(8<v&z!OR7|x3u&ugZDX?f21IqF
z6n*;e1~m1hTE4g;J@($u_{niW-hdbS_CY7{rqCURXzq8mwnw|Yp||~&+x=>9Z?Nl)
zy8Y2$XRE(G+TY$C>~HtF`~CfHw<7>_#?gc4JH7VvogJoz<d1mwFEH>RJNvhdAG+;7
z{rF{T<DDaZ{l)y*rtgRCe|6ixzH9&ZrTC^_w7zIzjW27Jdw6Ex%Gx+cKEdN@8gfZN
zrK1lW`v0b?>b#)r0s2orH2-`}<E_^H3-(Txs{N-nPTW5?{^ad{lw$Wb?SI=lJ6l=%
zUvKB$|L<0wyJG))Gl`>1k={9z*n$Tb;|hVwGHqRv%Vz;^=tF&-rwZiVGwgt8#j24_
z%FG{c>ppf`D+$%LGifOZdp8B)RdR0?s3by2h%^~G`F9=?b69HgRzQ(F3i5k3(899$
z!_i*FQ@*xYwl{bsH4`RlI_$Z=V<}3D%#Jd97f(9ANpX58dM0N*_<b2+){#`Rszd$C
zy<HnKw1{82zt=9sU6Q-JQsrwIN^M^+d!WE9+|`fY>&{@oG_RuZJYQdVl$>x~)j3YS
z6B$q}ErwteI7MUdyHF;%I%UGyoia+`d=!DycyJP#DofAbZ1x(u^Ta!EmUk+mMA|O_
z43>RfstBka`J9R?vu2c)O%?@11~Y&}m>VRN38T;B56P@E-a@`T7x^^Q`E4rVzp+8!
z`qN}BV1GT2Dej?}7zvXU^*xcI1K~=QQqAM8@<5BET4Pe7*bO?9=(3$goivW-7|n13
z+B(m4!jmBJL@S*Kdhl(|e(lQ%Na?nsizqKBlZ~5JXNZ5yR1ylVRV>etrQVMDomp<>
zh;mUdW%x!sE|TG0>BgX_CNSJzAbawgc4q8FVfb}qlu5_MdmG0g{q4zMt0KR%11l%b
z!$MJ&8ZHwt{@7GR9ipUw&>c|aGL$xLbHyr?wtl9^n~W)2(xq{VBr=nig_M<eF8eOH
z_PIB92aEDXV2e2}Z-f&@nIO^sV#BGjrxl!s-AHiT(la}CQkR9@^hr0v*1n9yzS}w<
z%AO5n5AKRuvKyh$wMAXgu0H46TozTA*U5#}&6p}PE!f9eWpx!QZBEm+tL&G|aPvmV
z93&>%mcwB&v<ZgwAp=Fua;Sr-sQm0QBXvNNp;JtkoI$T>25G2@zE*-(&rVlD(v1vb
z<s%_ivPgEKo5;036qC4OfzS~eLC#a;zW|nqEbCCHKl7_eQTzyB%O#6k7g|LNgXwzD
zS4dbC--X2ioZot}KUz@u<I+V8BQ;}UoEa&XR=oGy4CyR?pVC;FpwFER=lsqvXG&Rc
zU6wEeZB{X^9f_NJuZI{Ya2)!-5=j7D_LSnmat#D^2~JVGL4mg-DDJ%r+n-N|&}P~2
z%M`(P;dkaRIX54e&4?2*j4%i~ZeF}+X>bK~yUp}zO`%vLQQ`ek#S_L?8y^0)K=8I|
zz^bHz5(Z7XVBVTr@Y!T<<nD^a2A7$vOs*<Fi@oWpb+{lbs#PB!VqaN-jhgHya)RO}
zAVHC3<|(DbV=@;}$qd_6DPt)wSw=A9Nf63PzGutqAcQj*87n;8i9V{arFf*a6j#`G
zt+<giPG?l!HlE8@Y!$b=U+s1ac5-&d`E8rv#d0}%t24vY5%Q3knudmq;KDteW%tNH
zR4wmi)63WEPrXXZVJL4)EIdau2`wn|(0f1QVS)P|jL(l^dm%9Jq&U-fM~FKS*eG8D
zvRa?TBFnp2Cg$^%{_Fan7u^5hXXm$e|7WYax100--tOL?|J=%RSI&RFA;V?r$%qEr
z@4Lb#CfSsSaS*03x;zaN`c#~76dA+pGN80@(+pjSpN~fVdx|cgerAs#UK<AvnWoz8
znf0QhP9I*)Z~=z(o<e=meQyzFT{a=ct>TOu33)}>1W+mP1Bl_6grOC_jBJSV4z)Bk
z!A?TNm`P}x;meq3SPnzX2>3RBMti-;jUbWV67kap=O8DC38j$+HKOkasICwM6f69o
zh7OU&p4Y)N7acn(>;pM^-Y?-aM-KB8N8^#_lAZHlaIoirmHg7<OKyT!r(q4tU^GF4
zfljlLJ-T^HF&~X{8>E!{EE7Jf`^wV45ib&yUKz7ERM{J4B#@l96_3(^1`b|BN3%6;
z8BPI$tfoyPUz?14^tzzl2h=XZ0o&WApZ-+5$D3k>rWDeSvlGbhZ6}*hF3_;HwetGP
z<JN@PDPDuEG-TC9O+c-y=vIH(Ko_>uIrkQ|gwDBfx&A6Lhljp^f9dS?Ua;JTV4;Wv
zMF+xUNfaZ*LQ-Dva6U_?_qi2^M1+4(K}XcIEtoa7Ej2f9>>4?ndgeR!_`;pd%ngwh
z!GVVbsi^f(0bOnaUOL&#U@O&gO&#G=+8r1)h;7P;MA1KDV7mn#&f*5B)|}J_<~$e0
zvcOOF9Ar&#UOjwkMJ3L8Q1lACDkyviY$C@P4x-m38b(M%o>z#wV2W<c-;*ee;@6pe
zWt|GWLq>hdb2I!j+4&Kt@*^ETLuaW{_^14!5l)4wd6H?lV4`4U8;S4&y)FKcH}+3<
zYgvIM&w%BXfdYZG$vkI#fa+QDOQ5jdblCTJq&o8l=OXTkHnbE4o#CKzda*X84APPm
zVdh`NNXLS2hqyT%MpK12-V7%-{CE;Yu(=QIroNweWQM_9tHU8n7SlfFx)(!U(zIfg
zA{8h@4{kyrp-qS2iR%x=OFt26k4Tb)=4b8)y3~6GerDZQunHP^UWG5c%d%n1#6tQ^
ze8f}PM4Y`hxe1LQG9zYiY$3Eqk#L|?cJ&gthDuNNc0ABomUm1YnLQ&Un;>h=1&Pk$
zh3A-vW(KXti&-kC1NQkZ6eI0AT~d^_L>>LZh>;j^GzSrxokImu;p%<s86<)no2`<%
zJc0e4hpCACh>i#-FCF}Uh6Lm;0jx<jMc^@iFyR)g5vY)4UW`TLCpRnMQE2th5lZ@O
z2`FG|=;m}1jK^7k0G<YluWB1GNL(niC`y>{+z=D%kv-5yhCrYaCfL3Rb><J1IC4$#
zW&(#MwTY`@qZ#Oxz;O9vguCKjCE+=aydef5-9jCTuX765If1Q5>=sCK90&0bWkV(a
zNZVBymiS0S%?doY#ENcO(2cV2yLx20FOGTcEyW%|fy!=DlujA6`AL@B^y*ZEx$SE+
z6U~<26*uiT?1UB(*bM7+C4)^d;zN?PV$I1TTu@gmkixvoqofl$_=iW<D$4=V9pl(E
zcuSS&yz-{h%ZCaw9<@(u+Hw`kyw;1R;dX<5k@|xyDjOE-y-^-?I7bX$6&5@o8BfF-
zyh1cOCnJRm!m_nWyM23&2ylgCsO+7S=P8CvLyJWaMd$MwYhIudEcd%5c8r2(qb(U=
zv_<hmjR?$UN9M-JNFOOb(<a3{4^Zr3W)QVXe_;K+ouN0#WCfBNFU)hRH5!r(t)h$h
z1<tN-v?lQm_CN2MY#4bw^`DTLN?GRL(G5XHS*;H1XzaL5H<l8HaEip7K9(_XL|K?h
zTG4m8TGox#0$3>CrE1osSxMU^B)bYY1`RV?;*5iiNS$h@q0)lmu_-MIw!JwIwkl3h
zj!ay0er*V?tXF>VJe1p1$sW=npV*`+fo>Y`7sYeTIjz~?kbCWw?iS=nmc8PuX_s?O
z=T85{z+@cc)^*XK9G*gnmo<B2$nS`4UXGK1Kh*#?Fq(VJHgI7*3}zFT_0Vw)|9m;0
zda*x%7i@!v?ah?>pkwtGqZPQ7Y9s^S&n;c$Rq!h02|sf`41(vB8#(}4_U?NFMHJ`c
z19wY`*>3&j&4?mRg%4fAxEzX6B<G`1V9zvT4wsA<F$CBvgUO&*xgVf0haF=NnbiYO
zAQ+(cty0+-GRD5}V?q4WnK?^xrtIRPG8p#~^ETZ^hMj(5=!<mKHos}x<bHRTK2IeJ
zd%!f22^J%679o8{m_=$>*|-X@s%=g5^VUv(I9<HWCO!O|Y+dG{N?Q5UHm((IJ4@Ac
zNqzI)T0Wfi&1#LtBqW8%=xw7!U$k5`WuWX5Wijg?<k)1+w__KuB%Y8UCE_R(d)tx;
z<zcytqitUbJEMykurB;)p5!-yu4!yY>P&WCa@l16WV3fg?q0^+a<myfUM~;lH$8gk
zQi;xQ(G@A@|6?eEou8)Y?mO&X(-&w-{NMfkz0CdZt?usbz5maxJa@(aM`-CDdx0$X
z^a+czSA7!|?J;-7yUuP#va)KfOsol&MQ^x@59I1eIs0^39y*X@lLM9UvCu7<gqx)S
zs4OQ*TfoVClzYIUg8@e!JIOwzs|;Qpku_oK1;}*d8Nz|EiIz#pdMGvT1lR}O1$$0e
zUo_{=(}|Pwrm&h6`}yT<iISQ6ZakR44rqXv9O?jM6wkH<u)dBx^p;uP4tkYfg-jdL
zAb=M$O>==(1f1CT)U<jnXy?1cQ)z~bHs<2>()uMZ%<A@!+f3pAUN)S3iF~V>yBK(j
zfs9RAcL=n`WSOi<k*ZtrqhOaNF09SmjWgRAVc#yzm&;NqXVfVqXQ@@EDR`ufBsNkR
zErHRz7?=H445~dE0@7rZtC*2<45wvdCIfrMe8yvXSumK_ELSn1<(PIkrt?U?E~0a$
zurli*v7;q@n#NpcRv@8dQk8RGLHQa?sB7H-nu=hm##oKzT-=Aq*a2mi1@_9MkWCGV
zQ@+bOoWJ)2-;Ec>F(yw=M`0^Sa}stK5LX!wt13OE&I%~AT~??cx2_D-f!p$Mb2N+w
z;j{L7*=#|3mT{~g%wbV;HJe!%*~Mxj2eAU(m9|n$>zY(ht<=E0ncS<43UWXd7`JkS
zk$JWF1g0oM-F5M8iqlo*n5ERoEr3$?xvp@>r<*l|>&!EAMOtNImDF1kWu?s(=kE%X
z)oS)<NmUL05{jBqvWQ~l`=v&tYWt75@Lt^pw8Z|iv%i<Q|FzZIxzGP}JI|f7{|IwP
z&5(W`NhHh($b<ToN5H$_XHVA(&u8@3TW@a_q4o-t-!h%o4z6e6rf3KS0rqS%WTWfR
zD2vTp>pSTxv8ZWLTxwA(?$<a8>C`u{iL}4V`sc;0!$F3pRK;C1SF)~Ub~xEf(vGr_
zS{FmE9W&BVgf4eU;lr+Qq^MR06qiYd#>&~gd`#u>FS91frBl+%D{X2J#?SjnbGwr!
zqn<6h3ZaUUH?uK5Gj6DlPQIwKjmi%Om(HEsY48;@^XeH_W=P9<yryVA1AV&LG-GdJ
zx@%dgB@J%I8_T>(R#kn_Y}g2ubr7e6Sjwy-Fq|VE(erJ_0l+YNq4`$%I+|(Jb3K(|
zEt9rAm*XM}hBh{{H+p*^V~^564ln|RG-~}ZL4VBLF)r_1xOzY<0s~H2a*3>)D88Xw
z-Z`<h$wU%xybScH-A1(teWxBj{G$l>GT~W}0Cx_>QB$m;sc*cK2+U!kS_&KbU$y=}
zfawCD#O}3DfS2h1TYFpkS^dA)-M-iVZ{xWu`u~lYSTzev<@u)Ut4Fe@br=Vhf_(+E
zk8X3=$Mcspm{@B!v}Pl#9?EL8znY=7yq#;BT6M#B+}J8ja-7~P;T-K+yxNT#=5BWO
znS)qD^Xx1uBB%Z3QwE({;{O$e<LIXSzqWU`v+I9%cYo`C{lAUpcfbBi7QUS$R_yF)
ze=Vm2HQ>I=(T`~M^FCq~gIIy?S3P1aY2~^{tfJY^WYu4K5NBiQb`Iibsy+FK*c<=(
z2IgD+(>P;7UEwtDMo+#oBIMRizHgQ^*FXN2B)j?J?@ztFFMX=@zgd)|<Jdz}^EFh!
zCHmjqPA_-<yS;ON{(CFW-PZqx-T+fb$=gjL>Y|FLEd)Z93^X`clm=<!$V~306(0X>
zN29j<RwW2aW66C@W^Nt~PeRK>YWSgmTAp%bl(|yrS3Lq-{1qms$lB$LOBwxS%<Lj?
z+|pVio`I?Sm4%VJWjD(_3hV6v>XW2gGZ%S&)H%sD7&P0-5`Wgx^-$jW%_TH3U@6w=
zTlR1&*38mAR&99ATL)u^D{{=$HV_pJU2_j%66^EWMo5Sg>5{!72~a1`wQ-}GtRdaj
zpvTr8(TzwCUGzJ3BWSq<p+n;Q)U4oJX3jDFQ;trr3U-$Is*+(TYv)#>;vR26l9-p7
zt|m&%7Cvh(E*#JLq??K86(wD^)g?`>S>Bnw&8{x;3UAGQ#_Uo$rX?&>!V<I0G&lL7
zs@&(eTVMaP<osuG&8<H@%g%pxa{k}l?cV+Q&#gRnd;h<V^PhzwdT#jiXL0&3&(~t`
zTnh75te({9=Y8(8ShjDoFn856pTah-d*ZYB3^r=D4;C!`ytQM6o0(qMK26~B>NCGe
zx5y}HH-CP2Bh;*aY^S8*wXe{9)=#zm7kfkh`kCOC`Ty?jceDE6*3SOD{&ySCjp~0l
zr~rzElrw0RWaA~Srx6slaZQbYH+m;Ef*Fs-LsygJD#Ax!8`EUjq-Jh(6`?-Yv5I7Y
zPZad!Waf2DnpLCzXyOgdb*x6hH^EOWK1w7;d0<zOf!P0*3uCr%;l&A(>z^L8-cGAF
zB~&{wcSRG|;{U?-45RTwqrl;u$JMvv1m`Z?lq271v1WEX&vw9P!BvA9WuYy(f~8rY
zq<eG5sz8o+Uxmo$e+}F|u=5(zzb?K1-`n5H=6~(p-~Ydz=MLC^xN!XIyzj-Khgp(T
z?sd+JMG{UhsVu1l8Z;eEpVL<zXqs2zZ*8I1u8?}UKI9yhq3J}lVJFjV%laZZGlB`o
zqj43+%bm@fb2WU&k2)f$ZFziIQ#v&#UNCi%Nk^=%CDp`Nqh7vW%=hSqX5?Du#G@OF
z4&AUVsKWEL4BP!hL8Vh*8DJDOcAfxKmO7#&WQViaTd}e!6#azAL7q{_D(G1)K1B&Z
zb*fg01rTUrg_(M>ksgr0l))1mla#9aR@t&(DQv}bJYWU<Yf%y#vS?UQMN*L!_9y8_
z0s0LE@(tLeD=e>xXV;K)v&fbsS7DQaD!e^q6U@=4N>38V7s-8@Kb_7~)NuL5an$h!
z6V&y1Ryzk16gde%K1ie3nY!s<B3b|)Fu54m1uCS8QFVzxnMK1gY0~)KW5XzXl(I`V
zq(p2%6wO!!cwxLTA=X6XJoF#~b#E$f|0*~WfYM_=>V;5u!2<u>3l{uRyDu`=^<&RH
zH<B7Bn=Ij^gI``ca2nr6mzWNDlQ-l~XHlFAxDcev*iSuE-IPKXg`CO?%S%SQ<P>Q#
z^->qF><iQh%9LNFFT(IT#3`e>%r+=4eopY|DIa^7AkCih&CFykn&KZQv%=rpX;3IH
zg%?GIAZ^JmuPfwN7uGEbMvt(sRZ^`gb?&+b{9pUY>;LWuX0D(5-rDv6)%rhZ{(IY5
z{eS=7|NC~HJEQ;eOct0tG#X*hjG=eP8F9ha5+AJ~MT@t=uUHEdc4#2u`}Xy#SIw-Z
z*L-q#(!_uN6$3_BZ3Iesz$$2`@Z#7TKAod4_$iEPI1k|0@i>gs>u2x1!5rb|wk=-C
zLy0Mz-)LQY_I`$LfN1QI?}e{97pz9&JN`s7jL;JS=8r?;H6P}I@x}@p#Xs9EVLw@Y
zEn8h>Sz_$cL!LNby#nP;(Q$&x#C7O6F*kNMLdS{P*2!2}^~s1WoC;m-jTcV^!rPw{
zEi0&Z4Z<m!;bh0iSu|U2gn}9CEavCKPGz5lNv@{UFaz|<3_!Y7&M&L9%4;}FjDZ>4
zr_n45qVWQC-rA@)Dro|k?+DAa(Q8!|y0-ZexJzx#ZEbK8B`H@Imkg5xJ?x|;n|1Iv
zEGDb79aPMSeJC@FLRgv<%Prl=f&Lu3FU$>!zOrC{DMGBM|5^`+ghHl~>}OHyrOX(l
zr-Vu(gb9b#A6v~<e#cpZng)WDjYXj-mnc_#&}Geil2M$n-OB8vRIMD|3To!c*tK&A
zGn+t6$tH3I?RGSVOIt9CTzzG?p^$Q$cE575(8Ao<4Ihwf$n6CS4HK-$GVyT9R+dqY
z$q?^yg_PgeS``duf0?C0aX~9vRGsGJcY><Y0i!f#nw4_h8R|rKS$hae#ikKbFV9F>
zh#vCwl-5>JuW<Ftbu7<xvK*iasHtbI<0uS^_S{s`>{40J%6lkYNtT)}Y&oDw`&G8(
z+<2`Qh9oQ8{;#sam?c_yUC|<O@ua0XcX1j${5{O0ys%yOJkq)E>P(@BE6$<9*8hu4
zACx%!x1o9UR?{nKN47qN%i5paD_ms=x>vaBDO{^>!P~_v!lzTKa>Aq5T5$c9pkN)i
zqBd1~4aju4M32fZ0kw6g8XDAE7l6G|X`lJ?hDCo}UFnleffAMIvzP;wn$R`pK!KK0
z!v3}NpK9&rcgy-U)S0zuGPh%}<UOsyUTGL})@QCX6qaSy%1?b{b^omK$)Ep%mW4+b
zYjglzcK>5P8~?Spw|yV~{dS%^bN>5{$T!0J?%*6n4YV6ecc%oCBFx;>M=vm14PAiD
za2Y*(eawXCS@m@g$=#wCBMCUUO^IwU;;T#r&cD5m=<b5}CjQFig0a(rt2R}%Fr5j-
z4b?SfSyGPOtd0Gs+MVMtbr`*(ybqWiIh;=c4K1DAg{nF1So(;040N3^2`Cg9237M%
zbo`t$OelliW5Nv$77w40?XrZ2Hp4riA>c6e#$N0YSW@Y0v!{r-Y&skHSza4aZkQq(
z8bwPfTP<_M!R1B_h|XN4lagbimKH1YYdbL2Fyypj&{z3LnyLyR&(O=P_RNpwnu<xN
zWrKd0+O4(pw^0ze>E2HEyX=lAmGAHaVz@xnD%E}HegS|r@Zz-1eK_$dj7SINhM;eY
zOCv~zH_uO5;*Udb*uV-fSqCWTdB%B|mm(3*F-N{x9r_y`ut}QEl7mji><!iOVKhiO
zbDU`%LAcI?WIjVmc*C~Y%<}1oZNK16BR_dbs<$IXONJduBw7Q=RU_uWEAO*Z^(xLf
z1<|GFq1kjZiwGD}l6rC5Pm(#P+pU__mK3-5KxvS)-N6(c3Jpe47fr6LtL4{!DQW!x
z6zR2S0n6@xY;Esk*8lyT{hj;u|2Cexvi`HIY(tSW^zddpM(qRM1W`7{#px9+SINX5
zrDi_JToww8iTy-XlG~fo%n#)i4S!|l$ep=V2KP>&e7u#q$G2`mndRm&){kUu@{I54
zHkM9YDerLu59_g^{>a9U#7e8z?}!U>i7babSt!dZU)ZNEtTgaHepiy-fuazyhzEWW
z6%+C`*NA49cu{d0U3jWFbPMl{<7hsU2|Gzq8%AX7xs2j-7R^(slk}taTx;W39&t%V
zvbHaJ?DXiUJ{`F|<J3lgp~4N+D}D2ak2hPXzEQsx1j_d94&51yO!k7NCJmM(EV0nW
zMlLia4`$c0yKHGDYT4EUT%T~WUmTd#hFdctL72k^kexfLlPCVVT6O1XgpIB;JEh0F
znQRTj!wKg<Xi3k68cYbfjb`HvM-s*5N}8qIV-`(eeq>)aN69zXA!z>bJUmQzMi~BE
zd@wJ93frf_1Mu^?AI{(NtIUZ#$YZ5|hdf^#i~2u<1l%-cAQZqW334i7l2DlXQtj@0
z19zTKDf*G9+>UsW1{IFvYU8%Swnw=<zOP9_KClcL_&5<?#f%0pJ;QpZb~Qj1t}J+U
z1_i2`!}3Z={W(_LK}%e?FQuP3C9i|ZGGvJxPsG=#uMhns_Qq~J#Hi8}FJ!=Zp}0cC
zl(0j#pT+(KEVyGzmoc<)lL5&w%C0_~fw2@84W?aEPsLGCw^Z&8jko_4=>Mi_vlb)Z
zlKUT9Tid;?{=c=`z1RP5<GCyPzf%9vX5_{gkHj$V3DaIhzBYqrapU~f3``*^2sa4v
z!&c${s_QuNdaGPAjP_tX*vPIV*5}G2D|2h(&V1PqE@IMbQkhuKfLB+?QyYDPrS3#G
z`*^rXdycwMKB_xVD()<fE__&jj9riE;*kq*rW<1A%dt_aWp1>%I?7Lu3p#EY@#QPG
zWHM5Tox<1Ng$Y~V#3)`o+VUor9a?hALz}STQvP$z1!$?8MMGTR=cF0*=fg3^wyZ_2
zSrqt#g@Hy*FgjPq@ZVU%+Js&OM3|4LSd0GZ0VnFbUJ9cqh-UKhuafMZ`6}T49QA7g
zi6tvQ)6?lX;0)p@tPhebedAyaUC=f`n%CtvUA_V|=r6fGWa?^rUC?xen}!V*vD6#Q
zgZg+gYuq$+(#Bm6GG#))&B=N4<nRdhu+cmocy%F-`|h9$O#XeIP9hmPYhB<Tojk1z
z<RBha6WE6p3-l*ipVkB(tWY9sM@=B1zN}CUE9^M^B#qaK%x{rAxL*y}>uAUh=V_D-
z+yGA*YXLu*xrI<aG}N)8kYMGSqH<@;B0zwK$FCP#*BkX)JbxQpb<7v*A9GIEGF|md
z%@#DR#G8UzbcBYJ7#jb_p0l;v?l$dmmDua`z0@^PDC1F-Rwy<o6rny*>NVh2S|Yj1
zVQbj+^r>X#s48p6G+A!*I9>(CSI|B+h7N~QpDrgKMd8RF&tqvHTop}jVM8~8xr*_w
zBqWOgzSd|zyD2&IX)7P2#Dj5Yk&e@|w`6*jR<1u)ml4UBz*iyDtgQOyMkp9aTOB1T
z=DP~jYPNJ0X)A(64cWI|FqMWH6eZiv_LolMkX^b9G|&$)_-RS$OW1NF@&ML28qNps
zeIBNMpb9`+PFIE@Gbw`22=r~T%ZWdjNGmuUqPVc1<{@KQ^S6&5n+zSB<`it*X}p<G
z=v4#@W60{hUG#tgrN?_u9^wq+8+q;!&yKifNGS~L<41J_LoK6e-i*U;mi0sSk1#NC
zih~e9x9DEv#Upe9M~sZ3Ir>3)aU7wR@WmU-EXj|8#0dad{#{U{qVc1IP5scH&ch;V
zeDOuiT?&`pi2<v1_-$aO`P;_D58d{ker$d5!@qs}@r#ciA2!*Bg&s2Ri%gk@fA{r0
zSMHy6JbC*+5BRml@UP4Ke|EdOnfyP!-Tm!*`~R&xcfkHnAUu0N!!;CzStuN2Nw87O
z$x^vx2B*tf`bE4-auJp0W-R#%q+*O&g+HJW3I}X&n|}J!)A<O)o;TZNo4ljgLv@7*
z04FdJW+`P|5wfzs(4h0{S<40>f_hquHbu*B<9#P<ApEynLOxK2Gh8g1Up86ur{>iM
z<toID=0UJvzsz9|26P>wrbdHxFtjDLPUTbV10he;l9xmPqH%0PC=y55sP_c^)E7?3
zDK5Sn0##36o?=<@gr0eWmeV-KWrprV@kZ35Zs6Y64$d<AyGy_eXsdCK1#QN`g<bH8
z{HS<EmMJYz3-6|8_K?P49-J)WS5;GB=A~$W*5eb-2RLDy8|}aR@NaJW*LUxR@7}e4
zY<=1O3*KCcF1^?e&)BlSLx*CCW)7XzQ(^Zj4?Dx#R%5)=RXDg>Rb9&2+;z?i2aC^=
z!OPDIIg9Jz8Qd=K>ti?KeuFO8rq^wm92Wn0D{j6?mdqBeeY{u!lQ{#8PAjHiWvMmH
zMTH)_t3qJ%^QJf+s|LR4>vd;RajWZ|QXpTVOW}K_xtCvA<yr3|jvgQ}ZG5Kapw`xf
zj9A6E;Q`+0lRGM5xx&1zS9)rvV7brVp*5u_y}AC<@0PBPwAU1lSQHR92*~R2DA6dY
yyCxNlGeho@u)%sxIR$=~IV3u*l~D1imDT&_{<(kdpZjNR&;JLr=}5f*-~j;mTnSeI

literal 0
HcmV?d00001

diff --git a/helm/templates/NOTES.txt b/helm/templates/NOTES.txt
new file mode 100644
index 00000000..d0720e85
--- /dev/null
+++ b/helm/templates/NOTES.txt
@@ -0,0 +1,111 @@
+{{- /*
+Copyright © 2024 Open Notebook Contributors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{- /*
+Copyright © 2024 Open Notebook Contributors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{- $svcPort := .Values.service.ports.http -}}
+{{- $apiPort := .Values.service.ports.api -}}
+{{- $svcName := include "common.names.fullname" . -}}
+{{- $svcNamespace := include "common.names.namespace" . -}}
+{{- $releaseName := .Release.Name -}}
+{{- $chartName := include "common.names.chart" . -}}
+
+Thank you for installing {{ $chartName }}!
+
+Your release is named {{ $releaseName }}.
+
+{{- if eq .Values.service.type "ClusterIP" }}
+
+1. Get the application URL by running these commands:
+{{- if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ $svcNamespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ $svcName }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ $svcNamespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status by running 'kubectl get --namespace {{ $svcNamespace }} svc -w {{ $svcName }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ $svcNamespace }} {{ $svcName }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ $svcPort }}
+  echo API URL: http://$SERVICE_IP:{{ $apiPort }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ $svcNamespace }} -l "app.kubernetes.io/name={{ include "common.names.name" . }},app.kubernetes.io/instance={{ $releaseName }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ $svcNamespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ $svcNamespace }} port-forward $POD_NAME 8080:{{ $svcPort }}
+  echo "API available at http://127.0.0.1:5055"
+  kubectl --namespace {{ $svcNamespace }} port-forward $POD_NAME 5055:{{ $apiPort }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.ingress.enabled }}
+
+2. Access the application via Ingress:
+{{- range .Values.ingress.hosts }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ .host }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.surrealdb.enabled }}
+
+SurrealDB Information:
+- Internal Service: {{ $svcName }}-surrealdb.{{ $svcNamespace }}.svc.{{ .Values.global.clusterDomain }}:8000
+- WebSocket URL: ws://{{ $svcName }}-surrealdb.{{ $svcNamespace }}.svc.{{ .Values.global.clusterDomain }}:8000/rpc
+- User: {{ .Values.surrealdb.auth.user }}
+- Password: {{ if .Values.surrealdb.auth.existingSecret }}*** (from secret {{ .Values.surrealdb.auth.existingSecret }}){{ else }}{{ .Values.surrealdb.auth.password }}{{ end }}
+- Namespace: {{ .Values.surrealdb.database.namespace }}
+- Database: {{ .Values.surrealdb.database.database }}
+
+To connect to SurrealDB directly:
+  kubectl port-forward -n {{ $svcNamespace }} svc/{{ $svcName }}-surrealdb 8000:8000
+  surreal sql --endpoint ws://localhost:8000/rpc --namespace {{ .Values.surrealdb.database.namespace }} --database {{ .Values.surrealdb.database.database }} --user {{ .Values.surrealdb.auth.user }} --pass {{ .Values.surrealdb.auth.password }}
+
+{{- end }}
+
+{{- if .Values.config.auth.password }}
+
+SECURITY NOTE:
+Your Open Notebook instance is protected with a password. Make sure to keep the password secure!
+
+{{- end }}
+
+Configuration:
+- API Provider Configuration: Configure your AI providers in the values.yaml file or via Helm --set flags
+- Data Persistence: {{ if .Values.app.persistence.enabled }}Enabled (PVC: {{ $svcName }}){{ else }}Disabled{{ end }}
+- SurrealDB: {{ if .Values.surrealdb.enabled }}Internal (StatefulSet: {{ $svcName }}-surrealdb){{ else if .Values.surrealdb.external.enabled }}External ({{ if .Values.surrealdb.external.secure }}wss://{{ else }}ws://{{ end }}{{ .Values.surrealdb.external.host }}:{{ .Values.surrealdb.external.port }}){{ else }}Disabled{{ end }}
+
+To upgrade your installation:
+  helm upgrade {{ $releaseName }} .
+
+To uninstall your installation:
+  helm uninstall {{ $releaseName }}
+
+For more information, visit:
+  - Documentation: https://github.com/lfnovo/open-notebook
+  - Issue Tracker: https://github.com/lfnovo/open-notebook/issues
diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl
new file mode 100644
index 00000000..df771880
--- /dev/null
+++ b/helm/templates/_helpers.tpl
@@ -0,0 +1,427 @@
+{{- /*
+Copyright © 2024 Open Notebook Contributors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+
+{{- /*
+Default labels for Open Notebook resources
+*/ -}}
+{{- define "open-notebook.labels" -}}
+helm.sh/chart: {{ include "common.names.chart" . }}
+{{ include "open-notebook.selectorLabels" . }}
+{{- if .Chart.AppVersion -}}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{- /*
+Selector labels for Open Notebook resources
+*/ -}}
+{{- define "open-notebook.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "common.names.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{ end }}
+
+{{- /*
+SurrealDB labels
+*/ -}}
+{{- define "open-notebook.surrealdb.labels" -}}
+helm.sh/chart: {{ include "common.names.chart" . }}
+{{ include "open-notebook.surrealdb.selectorLabels" . }}
+{{- if .Chart.AppVersion -}}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{- /*
+SurrealDB selector labels
+*/ -}}
+{{- define "open-notebook.surrealdb.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "common.names.name" . }}-surrealdb
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{ end }}
+
+{{- /*
+Get the image registry
+*/ -}}
+{{- define "open-notebook.imageRegistry" -}}
+{{- if .Values.global.imageRegistry -}}
+{{- .Values.global.imageRegistry -}}
+{{- else if .Values.image.registry -}}
+{{- .Values.image.registry -}}
+{{- end }}
+{{- end }}
+
+{{- /*
+Get the application image
+*/ -}}
+{{- define "open-notebook.image" -}}
+{{- $registry := include "open-notebook.imageRegistry" . -}}
+{{- $tag := default .Chart.AppVersion .Values.image.tag | default "v1-latest" -}}
+{{- if .Values.image.useGHCR -}}
+{{- $ghcrTag := default .Chart.AppVersion .Values.image.ghcr.tag | default "v1-latest" -}}
+{{- printf "%s/%s:%s" .Values.image.ghcr.registry .Values.image.ghcr.repository $ghcrTag -}}
+{{- else -}}
+{{- printf "%s/%s:%s" $registry .Values.image.repository $tag -}}
+{{- end }}
+{{- end }}
+
+{{- /*
+Get the SurrealDB image
+*/ -}}
+{{- define "open-notebook.surrealdb.image" -}}
+{{- $registry := .Values.surrealdb.image.registry -}}
+{{- $tag := default "v2" .Values.surrealdb.image.tag -}}
+{{- printf "%s/%s:%s" $registry .Values.surrealdb.image.repository $tag -}}
+{{- end }}
+
+{{- /*
+Get the SurrealDB URL
+*/ -}}
+{{- define "open-notebook.surrealdb.url" -}}
+{{- if .Values.surrealdb.external.enabled -}}
+{{- if .Values.surrealdb.external.secure -}}
+wss://{{ .Values.surrealdb.external.host }}:{{ .Values.surrealdb.external.port }}/rpc
+{{- else -}}
+ws://{{ .Values.surrealdb.external.host }}:{{ .Values.surrealdb.external.port }}/rpc
+{{- end }}
+{{- else -}}
+ws://{{ include "common.names.fullname" . }}-surrealdb.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}:8000/rpc
+{{- end }}
+{{- end }}
+
+{{- /*
+Get the API URL for browser access
+*/ -}}
+{{- define "open-notebook.api.url" -}}
+{{- if .Values.config.api.url -}}
+{{- .Values.config.api.url -}}
+{{- else if .Values.ingress.enabled -}}
+{{- if .Values.ingress.tls }}
+https://{{ (index .Values.ingress.hosts 0).host }}
+{{- else -}}
+http://{{ (index .Values.ingress.hosts 0).host }}
+{{- end }}
+{{- else if eq .Values.service.type "LoadBalancer" -}}
+http://localhost:{{ .Values.app.ports.api }}
+{{- else -}}
+http://localhost:{{ .Values.app.ports.api }}
+{{- end }}
+{{- end }}
+
+{{- /*
+Get the internal API URL
+*/ -}}
+{{- define "open-notebook.api.internalUrl" -}}
+{{- if .Values.config.api.internalUrl -}}
+{{- .Values.config.api.internalUrl -}}
+{{- else -}}
+http://localhost:{{ .Values.app.ports.api }}
+{{- end }}
+{{- end }}
+
+{{- /*
+Render environment variables for the application
+*/ -}}
+{{- define "open-notebook.envVars" -}}
+- name: API_URL
+  value: {{ include "open-notebook.api.url" . | quote }}
+- name: INTERNAL_API_URL
+  value: {{ include "open-notebook.api.internalUrl" . | quote }}
+- name: API_CLIENT_TIMEOUT
+  value: {{ .Values.config.api.clientTimeout | quote }}
+- name: ESPERANTO_LLM_TIMEOUT
+  value: {{ .Values.config.api.esperantoTimeout | quote }}
+- name: SURREAL_URL
+  value: {{ include "open-notebook.surrealdb.url" . | quote }}
+- name: SURREAL_USER
+  value: {{ .Values.surrealdb.auth.user | quote }}
+{{ if .Values.surrealdb.auth.existingSecret -}}
+- name: SURREAL_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.surrealdb.auth.existingSecret }}
+      key: {{ .Values.surrealdb.auth.secretKey | default "surreal-password" }}
+{{ else -}}
+- name: SURREAL_PASSWORD
+  value: {{ .Values.surrealdb.auth.password | quote }}
+{{- end }}
+- name: SURREAL_NAMESPACE
+  value: {{ .Values.surrealdb.database.namespace | quote }}
+- name: SURREAL_DATABASE
+  value: {{ .Values.surrealdb.database.database | quote }}
+{{ if .Values.config.ssl.caBundle -}}
+- name: ESPERANTO_SSL_CA_BUNDLE
+  value: {{ .Values.config.ssl.caBundle | quote }}
+{{- end }}
+- name: ESPERANTO_SSL_VERIFY
+  value: {{ .Values.config.ssl.verify | quote }}
+- name: SURREAL_COMMANDS_MAX_TASKS
+  value: {{ .Values.config.worker.maxTasks | quote }}
+- name: SURREAL_COMMANDS_RETRY_ENABLED
+  value: {{ .Values.config.worker.retry.enabled | quote }}
+- name: SURREAL_COMMANDS_RETRY_MAX_ATTEMPTS
+  value: {{ .Values.config.worker.retry.maxAttempts | quote }}
+- name: SURREAL_COMMANDS_RETRY_WAIT_STRATEGY
+  value: {{ .Values.config.worker.retry.waitStrategy | quote }}
+- name: SURREAL_COMMANDS_RETRY_WAIT_MIN
+  value: {{ .Values.config.worker.retry.waitMin | quote }}
+- name: SURREAL_COMMANDS_RETRY_WAIT_MAX
+  value: {{ .Values.config.worker.retry.waitMax | quote }}
+- name: TTS_BATCH_SIZE
+  value: {{ .Values.config.tts.batchSize | quote }}
+{{ if .Values.config.aiProviders.openai.apiKey -}}
+{{ if .Values.config.aiProviders.openai.existingSecret -}}
+- name: OPENAI_API_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.config.aiProviders.openai.existingSecret }}
+      key: {{ .Values.config.aiProviders.openai.secretKey }}
+{{- else -}}
+- name: OPENAI_API_KEY
+  value: {{ .Values.config.aiProviders.openai.apiKey | quote }}
+{{- end }}
+{{- end }}
+
+{{ if .Values.config.aiProviders.anthropic.apiKey -}}
+{{ if .Values.config.aiProviders.anthropic.existingSecret -}}
+- name: ANTHROPIC_API_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.config.aiProviders.anthropic.existingSecret }}
+      key: {{ .Values.config.aiProviders.anthropic.secretKey }}
+{{- else -}}
+- name: ANTHROPIC_API_KEY
+  value: {{ .Values.config.aiProviders.anthropic.apiKey | quote }}
+{{- end }}
+{{- end }}
+
+{{ if .Values.config.aiProviders.google.apiKey -}}
+{{ if .Values.config.aiProviders.google.existingSecret -}}
+- name: GOOGLE_API_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.config.aiProviders.google.existingSecret }}
+      key: {{ .Values.config.aiProviders.google.secretKey }}
+{{- else -}}
+- name: GOOGLE_API_KEY
+  value: {{ .Values.config.aiProviders.google.apiKey | quote }}
+{{- end }}
+{{- end }}
+
+{{ if .Values.config.aiProviders.google.geminiBaseUrl -}}
+- name: GEMINI_API_BASE_URL
+  value: {{ .Values.config.aiProviders.google.geminiBaseUrl | quote }}
+{{- end }}
+
+{{ if .Values.config.aiProviders.vertexai.project -}}
+- name: VERTEX_PROJECT
+  value: {{ .Values.config.aiProviders.vertexai.project | quote }}
+{{- end }}
+
+{{ if .Values.config.aiProviders.vertexai.credentials -}}
+- name: GOOGLE_APPLICATION_CREDENTIALS
+  value: {{ .Values.config.aiProviders.vertexai.credentials | quote }}
+{{- end }}
+
+{{ if .Values.config.aiProviders.vertexai.location -}}
+- name: VERTEX_LOCATION
+  value: {{ .Values.config.aiProviders.vertexai.location | quote }}
+{{- end }}
+
+{{ if .Values.config.aiProviders.mistral.apiKey -}}
+{{ if .Values.config.aiProviders.mistral.existingSecret -}}
+- name: MISTRAL_API_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.config.aiProviders.mistral.existingSecret }}
+      key: {{ .Values.config.aiProviders.mistral.secretKey }}
+{{- else -}}
+- name: MISTRAL_API_KEY
+  value: {{ .Values.config.aiProviders.mistral.apiKey | quote }}
+{{- end }}
+{{- end }}
+
+{{ if .Values.config.aiProviders.deepseek.apiKey -}}
+{{ if .Values.config.aiProviders.deepseek.existingSecret -}}
+- name: DEEPSEEK_API_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.config.aiProviders.deepseek.existingSecret }}
+      key: {{ .Values.config.aiProviders.deepseek.secretKey }}
+{{- else -}}
+- name: DEEPSEEK_API_KEY
+  value: {{ .Values.config.aiProviders.deepseek.apiKey | quote }}
+{{- end }}
+{{- end }}
+
+{{ if .Values.config.aiProviders.ollama.baseUrl -}}
+- name: OLLAMA_API_BASE
+  value: {{ .Values.config.aiProviders.ollama.baseUrl | quote }}
+{{- end }}
+
+{{ if .Values.config.aiProviders.openrouter.baseUrl -}}
+- name: OPENROUTER_BASE_URL
+  value: {{ .Values.config.aiProviders.openrouter.baseUrl | quote }}
+{{- end }}
+
+{{ if .Values.config.aiProviders.openrouter.apiKey -}}
+{{ if .Values.config.aiProviders.openrouter.existingSecret -}}
+- name: OPENROUTER_API_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.config.aiProviders.openrouter.existingSecret }}
+      key: {{ .Values.config.aiProviders.openrouter.secretKey }}
+{{- else -}}
+- name: OPENROUTER_API_KEY
+  value: {{ .Values.config.aiProviders.openrouter.apiKey | quote }}
+{{- end }}
+{{- end }}
+
+{{ if .Values.config.aiProviders.groq.apiKey -}}
+{{ if .Values.config.aiProviders.groq.existingSecret -}}
+- name: GROQ_API_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.config.aiProviders.groq.existingSecret }}
+      key: {{ .Values.config.aiProviders.groq.secretKey }}
+{{- else -}}
+- name: GROQ_API_KEY
+  value: {{ .Values.config.aiProviders.groq.apiKey | quote }}
+{{- end }}
+{{- end }}
+
+{{ if .Values.config.aiProviders.xai.apiKey -}}
+{{ if .Values.config.aiProviders.xai.existingSecret -}}
+- name: XAI_API_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.config.aiProviders.xai.existingSecret }}
+      key: {{ .Values.config.aiProviders.xai.secretKey }}
+{{- else -}}
+- name: XAI_API_KEY
+  value: {{ .Values.config.aiProviders.xai.apiKey | quote }}
+{{- end }}
+{{- end }}
+
+{{ if .Values.config.aiProviders.elevenlabs.apiKey -}}
+{{ if .Values.config.aiProviders.elevenlabs.existingSecret -}}
+- name: ELEVENLABS_API_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.config.aiProviders.elevenlabs.existingSecret }}
+      key: {{ .Values.config.aiProviders.elevenlabs.secretKey }}
+{{- else -}}
+- name: ELEVENLABS_API_KEY
+  value: {{ .Values.config.aiProviders.elevenlabs.apiKey | quote }}
+{{- end }}
+{{- end }}
+
+{{ if .Values.config.aiProviders.voyage.apiKey -}}
+{{ if .Values.config.aiProviders.voyage.existingSecret -}}
+- name: VOYAGE_API_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.config.aiProviders.voyage.existingSecret }}
+      key: {{ .Values.config.aiProviders.voyage.secretKey }}
+{{- else -}}
+- name: VOYAGE_API_KEY
+  value: {{ .Values.config.aiProviders.voyage.apiKey | quote }}
+{{- end }}
+{{- end }}
+
+{{ if .Values.config.aiProviders.openaiCompatible.baseUrl -}}
+- name: OPENAI_COMPATIBLE_BASE_URL
+  value: {{ .Values.config.aiProviders.openaiCompatible.baseUrl | quote }}
+{{- end }}
+
+{{ if .Values.config.aiProviders.azureOpenai.apiKey -}}
+{{ if .Values.config.aiProviders.azureOpenai.existingSecret -}}
+- name: AZURE_OPENAI_API_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.config.aiProviders.azureOpenai.existingSecret }}
+      key: azure-openai-api-key
+{{- else -}}
+- name: AZURE_OPENAI_API_KEY
+  value: {{ .Values.config.aiProviders.azureOpenai.apiKey | quote }}
+{{- end }}
+{{- end }}
+
+{{ if .Values.config.aiProviders.azureOpenai.endpoint -}}
+- name: AZURE_OPENAI_ENDPOINT
+  value: {{ .Values.config.aiProviders.azureOpenai.endpoint | quote }}
+{{- end }}
+
+{{ if .Values.config.aiProviders.azureOpenai.apiVersion -}}
+- name: AZURE_OPENAI_API_VERSION
+  value: {{ .Values.config.aiProviders.azureOpenai.apiVersion | quote }}
+{{- end }}
+
+{{ if .Values.config.aiProviders.langchain.tracingV2 -}}
+- name: LANGCHAIN_TRACING_V2
+  value: {{ .Values.config.aiProviders.langchain.tracingV2 | quote }}
+{{- end }}
+
+{{ if .Values.config.aiProviders.langchain.endpoint -}}
+- name: LANGCHAIN_ENDPOINT
+  value: {{ .Values.config.aiProviders.langchain.endpoint | quote }}
+{{- end }}
+
+{{ if .Values.config.aiProviders.langchain.apiKey -}}
+{{ if .Values.config.aiProviders.langchain.existingSecret -}}
+- name: LANGCHAIN_API_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.config.aiProviders.langchain.existingSecret }}
+      key: {{ .Values.config.aiProviders.langchain.secretKey }}
+{{- else -}}
+- name: LANGCHAIN_API_KEY
+  value: {{ .Values.config.aiProviders.langchain.apiKey | quote }}
+{{- end }}
+{{- end }}
+
+{{ if .Values.config.aiProviders.langchain.project -}}
+- name: LANGCHAIN_PROJECT
+  value: {{ .Values.config.aiProviders.langchain.project | quote }}
+{{- end }}
+
+{{ if .Values.config.aiProviders.firecrawl.apiKey -}}
+{{ if .Values.config.aiProviders.firecrawl.existingSecret -}}
+- name: FIRECRAWL_API_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.config.aiProviders.firecrawl.existingSecret }}
+      key: {{ .Values.config.aiProviders.firecrawl.secretKey }}
+{{- else -}}
+- name: FIRECRAWL_API_KEY
+  value: {{ .Values.config.aiProviders.firecrawl.apiKey | quote }}
+{{- end }}
+{{- end }}
+
+{{ if .Values.config.aiProviders.jina.apiKey -}}
+{{ if .Values.config.aiProviders.jina.existingSecret -}}
+- name: JINA_API_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.config.aiProviders.jina.existingSecret }}
+      key: {{ .Values.config.aiProviders.jina.secretKey }}
+{{- else -}}
+- name: JINA_API_KEY
+  value: {{ .Values.config.aiProviders.jina.apiKey | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/helm/templates/configmap.yaml b/helm/templates/configmap.yaml
new file mode 100644
index 00000000..f65a360a
--- /dev/null
+++ b/helm/templates/configmap.yaml
@@ -0,0 +1,26 @@
+{{- /*
+Copyright © 2024 Open Notebook Contributors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+{{- if .Values.app.extraEnvVarsCM }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.app.extraEnvVarsCM }}
+  namespace: {{ include "common.names.namespace" . }}
+  labels: {{- include "open-notebook.labels" . | nindent 4 }}
+data:
+  app-extra-env-vars: |-
+    {{- include "common.tplvalues.render" ( dict "value" .Values.app.extraEnvVars "context" $ ) | nindent 4 }}
+{{- end }}
diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml
new file mode 100644
index 00000000..093b841b
--- /dev/null
+++ b/helm/templates/deployment.yaml
@@ -0,0 +1,185 @@
+{{- /*
+Copyright © 2024 Open Notebook Contributors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
+kind: Deployment
+metadata:
+  name: {{ include "common.names.fullname" . }}
+  namespace: {{ include "common.names.namespace" . }}
+  labels: {{- include "open-notebook.labels" . | nindent 4 }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.global.annotations "context" $ ) | nindent 4 }}
+spec:
+  replicas: {{ .Values.app.replicaCount }}
+  selector:
+    matchLabels: {{- include "open-notebook.selectorLabels" . | nindent 6 }}
+  {{- if .Values.app.updateStrategy.type }}
+  strategy:
+    type: {{ .Values.app.updateStrategy.type }}
+    {{- if eq .Values.app.updateStrategy.type "RollingUpdate" }}
+    rollingUpdate:
+      maxSurge: {{ .Values.app.updateStrategy.rollingUpdate.maxSurge }}
+      maxUnavailable: {{ .Values.app.updateStrategy.rollingUpdate.maxUnavailable }}
+    {{- end }}
+  {{- end }}
+  template:
+    metadata:
+      labels: {{- include "open-notebook.selectorLabels" . | nindent 8 }}
+        {{- if .Values.app.podLabels }}
+        {{- include "common.tplvalues.render" (dict "value" .Values.app.podLabels "context" $) | nindent 8 }}
+        {{- end }}
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+        checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+        {{- if .Values.app.podAnnotations }}
+        {{- include "common.tplvalues.render" (dict "value" .Values.app.podAnnotations "context" $) | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- include "common.images.pullSecrets" . | nindent 6 }}
+      {{- if .Values.app.serviceAccount.create }}
+      serviceAccountName: {{ include "open-notebook.serviceAccountName" . | default (include "common.names.fullname" .) }}
+      {{- end }}
+      {{- if .Values.app.podSecurityContext.enabled }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.app.podSecurityContext "context" $) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.app.priorityClassName }}
+      priorityClassName: {{ .Values.app.priorityClassName | quote }}
+      {{- end }}
+      initContainers:
+        {{- if and .Values.app.persistence.enabled .Values.app.persistence.existingClaim }}
+        - name: init-permissions
+          image: {{ include "open-notebook.image" . }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command:
+            - /bin/sh
+            - -cx
+            - |
+              mkdir -p {{ .Values.app.persistence.mountPath }}
+              chown -R {{ .Values.app.podSecurityContext.fsGroup }}:{{ .Values.app.podSecurityContext.fsGroup }} {{ .Values.app.persistence.mountPath }}
+          volumeMounts:
+            - name: app-data
+              mountPath: {{ .Values.app.persistence.mountPath }}
+        {{- end }}
+      containers:
+        - name: open-notebook
+          image: {{ include "open-notebook.image" . }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.app.command }}
+          command: {{- include "common.tplvalues.render" (dict "value" .Values.app.command "context" $) | nindent 12 }}
+          {{- end }}
+          {{- if .Values.app.args }}
+          args: {{- include "common.tplvalues.render" (dict "value" .Values.app.args "context" $) | nindent 12 }}
+          {{- end }}
+          env:
+            {{- include "open-notebook.envVars" . | nindent 12 }}
+            {{- if .Values.app.extraEnvVars }}
+            {{- include "common.tplvalues.render" (dict "value" .Values.app.extraEnvVars "context" $) | nindent 12 }}
+            {{- end }}
+            {{- if .Values.app.extraEnvVarsCM }}
+            - name: APP_EXTRA_ENV_VARS
+              valueFrom:
+                configMapKeyRef:
+                  name: {{ .Values.app.extraEnvVarsCM }}
+                  key: app-extra-env-vars
+            {{- end }}
+            {{- if and .Values.config.auth.password (not .Values.config.auth.existingSecret) }}
+            - name: OPEN_NOTEBOOK_PASSWORD
+              value: {{ .Values.config.auth.password | quote }}
+            {{- else if .Values.config.auth.existingSecret }}
+            - name: OPEN_NOTEBOOK_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.auth.existingSecret }}
+                  key: {{ .Values.config.auth.secretKey }}
+            {{- end }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.app.ports.http }}
+              protocol: TCP
+            - name: api
+              containerPort: {{ .Values.app.ports.api }}
+              protocol: TCP
+          {{- if .Values.app.livenessProbe.enabled }}
+          livenessProbe:
+            {{- if eq .Values.app.livenessProbe.probeType "httpGet" }}
+            httpGet:
+              path: {{ .Values.app.livenessProbe.path }}
+              port: {{ .Values.app.livenessProbe.port }}
+            {{- else if eq .Values.app.livenessProbe.probeType "tcpSocket" }}
+            tcpSocket:
+              port: {{ .Values.app.livenessProbe.port }}
+            {{- end }}
+            initialDelaySeconds: {{ .Values.app.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.app.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.app.livenessProbe.timeoutSeconds }}
+            failureThreshold: {{ .Values.app.livenessProbe.failureThreshold }}
+            successThreshold: {{ .Values.app.livenessProbe.successThreshold }}
+          {{- end }}
+          {{- if .Values.app.readinessProbe.enabled }}
+          readinessProbe:
+            {{- if eq .Values.app.readinessProbe.probeType "httpGet" }}
+            httpGet:
+              path: {{ .Values.app.readinessProbe.path }}
+              port: {{ .Values.app.readinessProbe.port }}
+            {{- else if eq .Values.app.readinessProbe.probeType "tcpSocket" }}
+            tcpSocket:
+              port: {{ .Values.app.readinessProbe.port }}
+            {{- end }}
+            initialDelaySeconds: {{ .Values.app.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.app.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.app.readinessProbe.timeoutSeconds }}
+            failureThreshold: {{ .Values.app.readinessProbe.failureThreshold }}
+            successThreshold: {{ .Values.app.readinessProbe.successThreshold }}
+          {{- end }}
+          {{- if .Values.app.startupProbe.enabled }}
+          startupProbe:
+            httpGet:
+              path: {{ .Values.app.startupProbe.path }}
+              port: {{ .Values.app.startupProbe.port }}
+            initialDelaySeconds: {{ .Values.app.startupProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.app.startupProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.app.startupProbe.timeoutSeconds }}
+            failureThreshold: {{ .Values.app.startupProbe.failureThreshold }}
+            successThreshold: {{ .Values.app.startupProbe.successThreshold }}
+          {{- end }}
+          {{- if .Values.app.resources }}
+          resources: {{- include "common.tplvalues.render" (dict "value" .Values.app.resources "context" $) | nindent 12 }}
+          {{- end }}
+          {{- if .Values.app.containerSecurityContext.enabled }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.app.containerSecurityContext "context" $) | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+            {{- if .Values.app.persistence.enabled }}
+            - name: app-data
+              mountPath: {{ .Values.app.persistence.mountPath }}
+            {{- end }}
+      {{- if .Values.app.nodeSelector }}
+      nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.app.nodeSelector "context" $) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.app.affinity }}
+      affinity: {{- include "common.tplvalues.render" (dict "value" .Values.app.affinity "context" $) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.app.tolerations }}
+      tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.app.tolerations "context" $) | nindent 8 }}
+      {{- end }}
+      volumes:
+        {{- if and .Values.app.persistence.enabled .Values.app.persistence.existingClaim }}
+        - name: app-data
+          persistentVolumeClaim:
+            claimName: {{ .Values.app.persistence.existingClaim }}
+        {{- else if .Values.app.persistence.enabled }}
+        - name: app-data
+          persistentVolumeClaim:
+            claimName: {{ include "common.names.fullname" . }}
+        {{- end }}
diff --git a/helm/templates/ingress.yaml b/helm/templates/ingress.yaml
new file mode 100644
index 00000000..02e3571c
--- /dev/null
+++ b/helm/templates/ingress.yaml
@@ -0,0 +1,60 @@
+{{- /*
+Copyright © 2024 Open Notebook Contributors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+{{- if .Values.ingress.enabled -}}
+apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
+kind: Ingress
+metadata:
+  name: {{ include "common.names.fullname" . }}
+  namespace: {{ include "common.names.namespace" . }}
+  labels: {{- include "open-notebook.labels" . | nindent 4 }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.ingress.annotations "context" $ ) | nindent 4 }}
+spec:
+  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            pathType: {{ .pathType }}
+            backend:
+              {{- if .service }}
+              service:
+                name: {{ include "common.names.fullname" $ }}
+                port:
+                  name: {{ .service }}
+              {{- else }}
+              service:
+                name: {{ include "common.names.fullname" $ }}
+                port:
+                  number: {{ $.Values.service.ports.http }}
+              {{- end }}
+          {{- end }}
+    {{- end }}
+{{- end }}
diff --git a/helm/templates/pvc.yaml b/helm/templates/pvc.yaml
new file mode 100644
index 00000000..28ce6b86
--- /dev/null
+++ b/helm/templates/pvc.yaml
@@ -0,0 +1,36 @@
+{{- /*
+Copyright © 2024 Open Notebook Contributors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+{{- if and .Values.app.persistence.enabled (not .Values.app.persistence.existingClaim) }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ include "common.names.fullname" . }}
+  namespace: {{ include "common.names.namespace" . }}
+  labels: {{- include "open-notebook.labels" . | nindent 4 }}
+spec:
+  accessModes:
+    - {{ .Values.app.persistence.accessMode }}
+  {{- if .Values.app.persistence.storageClass }}
+  {{- if (eq "-" .Values.app.persistence.storageClass) }}
+  storageClassName: ""
+  {{- else }}
+  storageClassName: {{ .Values.app.persistence.storageClass }}
+  {{- end }}
+  {{- end }}
+  resources:
+    requests:
+      storage: {{ .Values.app.persistence.size }}
+{{- end }}
diff --git a/helm/templates/secret.yaml b/helm/templates/secret.yaml
new file mode 100644
index 00000000..8f72d34a
--- /dev/null
+++ b/helm/templates/secret.yaml
@@ -0,0 +1,81 @@
+{{- /*
+Copyright © 2024 Open Notebook Contributors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+{{- $secretName := printf "%s-secret" (include "common.names.fullname" .) }}
+{{- if and .Values.secrets.create (not .Values.secrets.existingSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+  namespace: {{ include "common.names.namespace" . }}
+  labels: {{- include "open-notebook.labels" . | nindent 4 }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.secrets.annotations "context" $ ) | nindent 4 }}
+type: Opaque
+stringData:
+  {{- if .Values.config.aiProviders.openai.apiKey }}
+  {{ .Values.config.aiProviders.openai.secretKey | default "openai-api-key" }}: {{ .Values.config.aiProviders.openai.apiKey | quote }}
+  {{- end }}
+  {{- if .Values.config.aiProviders.anthropic.apiKey }}
+  {{ .Values.config.aiProviders.anthropic.secretKey | default "anthropic-api-key" }}: {{ .Values.config.aiProviders.anthropic.apiKey | quote }}
+  {{- end }}
+  {{- if .Values.config.aiProviders.google.apiKey }}
+  {{ .Values.config.aiProviders.google.secretKey | default "google-api-key" }}: {{ .Values.config.aiProviders.google.apiKey | quote }}
+  {{- end }}
+  {{- if .Values.config.aiProviders.mistral.apiKey }}
+  {{ .Values.config.aiProviders.mistral.secretKey | default "mistral-api-key" }}: {{ .Values.config.aiProviders.mistral.apiKey | quote }}
+  {{- end }}
+  {{- if .Values.config.aiProviders.deepseek.apiKey }}
+  {{ .Values.config.aiProviders.deepseek.secretKey | default "deepseek-api-key" }}: {{ .Values.config.aiProviders.deepseek.apiKey | quote }}
+  {{- end }}
+  {{- if .Values.config.aiProviders.openrouter.apiKey }}
+  {{ .Values.config.aiProviders.openrouter.secretKey | default "openrouter-api-key" }}: {{ .Values.config.aiProviders.openrouter.apiKey | quote }}
+  {{- end }}
+  {{- if .Values.config.aiProviders.groq.apiKey }}
+  {{ .Values.config.aiProviders.groq.secretKey | default "groq-api-key" }}: {{ .Values.config.aiProviders.groq.apiKey | quote }}
+  {{- end }}
+  {{- if .Values.config.aiProviders.xai.apiKey }}
+  {{ .Values.config.aiProviders.xai.secretKey | default "xai-api-key" }}: {{ .Values.config.aiProviders.xai.apiKey | quote }}
+  {{- end }}
+  {{- if .Values.config.aiProviders.elevenlabs.apiKey }}
+  {{ .Values.config.aiProviders.elevenlabs.secretKey | default "elevenlabs-api-key" }}: {{ .Values.config.aiProviders.elevenlabs.apiKey | quote }}
+  {{- end }}
+  {{- if .Values.config.aiProviders.voyage.apiKey }}
+  {{ .Values.config.aiProviders.voyage.secretKey | default "voyage-api-key" }}: {{ .Values.config.aiProviders.voyage.apiKey | quote }}
+  {{- end }}
+  {{- if .Values.config.aiProviders.firecrawl.apiKey }}
+  {{ .Values.config.aiProviders.firecrawl.secretKey | default "firecrawl-api-key" }}: {{ .Values.config.aiProviders.firecrawl.apiKey | quote }}
+  {{- end }}
+  {{- if .Values.config.aiProviders.jina.apiKey }}
+  {{ .Values.config.aiProviders.jina.secretKey | default "jina-api-key" }}: {{ .Values.config.aiProviders.jina.apiKey | quote }}
+  {{- end }}
+  {{- if .Values.config.aiProviders.langchain.apiKey }}
+  {{ .Values.config.aiProviders.langchain.secretKey | default "langchain-api-key" }}: {{ .Values.config.aiProviders.langchain.apiKey | quote }}
+  {{- end }}
+  {{- if .Values.config.aiProviders.openaiCompatible.apiKey }}
+  OPENAI_COMPATIBLE_API_KEY: {{ .Values.config.aiProviders.openaiCompatible.apiKey | quote }}
+  {{- end }}
+  {{- if .Values.config.aiProviders.azureOpenai.apiKey }}
+  AZURE_OPENAI_API_KEY: {{ .Values.config.aiProviders.azureOpenai.apiKey | quote }}
+  {{- end }}
+  {{- if .Values.config.aiProviders.vertexai.credentials }}
+  GOOGLE_APPLICATION_CREDENTIALS_JSON: {{ .Values.config.aiProviders.vertexai.credentials | quote }}
+  {{- end }}
+  {{- if .Values.config.auth.password }}
+  {{ .Values.config.auth.secretKey | default "open-notebook-password" }}: {{ .Values.config.auth.password | quote }}
+  {{- end }}
+  {{- if .Values.surrealdb.auth.password }}
+  surreal-password: {{ .Values.surrealdb.auth.password | quote }}
+  {{- end }}
+{{- end }}
diff --git a/helm/templates/service.yaml b/helm/templates/service.yaml
new file mode 100644
index 00000000..c1c2a36f
--- /dev/null
+++ b/helm/templates/service.yaml
@@ -0,0 +1,67 @@
+{{- /*
+Copyright © 2024 Open Notebook Contributors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "common.names.fullname" . }}
+  namespace: {{ include "common.names.namespace" . }}
+  labels: {{- include "open-notebook.labels" . | nindent 4 }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.service.annotations "context" $ ) | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  sessionAffinity: {{ .Values.service.sessionAffinity }}
+  {{- if .Values.service.sessionAffinityConfig }}
+  sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.service.sessionAffinityConfig "context" $) | nindent 4 }}
+  {{- end }}
+  ports:
+    - name: http
+      port: {{ .Values.service.ports.http }}
+      targetPort: http
+      protocol: TCP
+      {{- if and (eq .Values.service.type "NodePort") .Values.service.ports.httpNodePort }}
+      nodePort: {{ .Values.service.ports.httpNodePort }}
+      {{- end }}
+    - name: api
+      port: {{ .Values.service.ports.api }}
+      targetPort: api
+      protocol: TCP
+      {{- if and (eq .Values.service.type "NodePort") .Values.service.ports.apiNodePort }}
+      nodePort: {{ .Values.service.ports.apiNodePort }}
+      {{- end }}
+  selector: {{- include "open-notebook.selectorLabels" . | nindent 4 }}
+
+---
+{{- if .Values.surrealdb.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "common.names.fullname" . }}-surrealdb
+  namespace: {{ include "common.names.namespace" . }}
+  labels: {{- include "open-notebook.surrealdb.labels" . | nindent 4 }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.surrealdb.service.annotations "context" $ ) | nindent 4 }}
+spec:
+  type: {{ .Values.surrealdb.service.type }}
+  ports:
+    - name: http
+      port: {{ .Values.surrealdb.service.port }}
+      targetPort: http
+      protocol: TCP
+      {{- if and (eq .Values.surrealdb.service.type "NodePort") .Values.surrealdb.service.nodePort }}
+      nodePort: {{ .Values.surrealdb.service.nodePort }}
+      {{- end }}
+  selector: {{- include "open-notebook.surrealdb.selectorLabels" . | nindent 4 }}
+{{- end }}
diff --git a/helm/templates/statefulset.yaml b/helm/templates/statefulset.yaml
new file mode 100644
index 00000000..b783e80e
--- /dev/null
+++ b/helm/templates/statefulset.yaml
@@ -0,0 +1,126 @@
+{{- /*
+Copyright © 2024 Open Notebook Contributors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/ -}}
+{{- if .Values.surrealdb.enabled }}
+apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
+kind: StatefulSet
+metadata:
+  name: {{ include "common.names.fullname" . }}-surrealdb
+  namespace: {{ include "common.names.namespace" . }}
+  labels: {{- include "open-notebook.surrealdb.labels" . | nindent 4 }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.global.annotations "context" $ ) | nindent 4 }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels: {{- include "open-notebook.surrealdb.selectorLabels" . | nindent 6 }}
+  serviceName: {{ include "common.names.fullname" . }}-surrealdb
+  template:
+    metadata:
+      labels: {{- include "open-notebook.surrealdb.selectorLabels" . | nindent 8 }}
+        {{- if .Values.surrealdb.podLabels }}
+        {{- include "common.tplvalues.render" (dict "value" .Values.surrealdb.podLabels "context" $) | nindent 8 }}
+        {{- end }}
+      annotations:
+        {{- if .Values.surrealdb.podAnnotations }}
+        {{- include "common.tplvalues.render" (dict "value" .Values.surrealdb.podAnnotations "context" $) | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- include "common.images.pullSecrets" . | nindent 6 }}
+      {{- if .Values.surrealdb.podSecurityContext.enabled }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.surrealdb.podSecurityContext "context" $) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.surrealdb.priorityClassName }}
+      priorityClassName: {{ .Values.surrealdb.priorityClassName | quote }}
+      {{- end }}
+      containers:
+        - name: surrealdb
+          image: {{ include "open-notebook.surrealdb.image" . }}
+          imagePullPolicy: {{ .Values.surrealdb.image.pullPolicy }}
+          command:
+            - /surreal
+            - start
+            - --log
+            - info
+            - --user
+            - {{ .Values.surrealdb.auth.user }}
+            - --pass
+            - {{ .Values.surrealdb.auth.password }}
+            - --
+            - rocksdb:/mydata/mydatabase.db
+          env:
+            {{- if .Values.surrealdb.experimental.graphql }}
+            - name: SURREAL_EXPERIMENTAL_GRAPHQL
+              value: "true"
+            {{- end }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.surrealdb.service.port }}
+              protocol: TCP
+          {{- if .Values.surrealdb.livenessProbe.enabled }}
+          livenessProbe:
+            tcpSocket:
+              port: http
+            initialDelaySeconds: {{ .Values.surrealdb.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.surrealdb.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.surrealdb.livenessProbe.timeoutSeconds }}
+            failureThreshold: {{ .Values.surrealdb.livenessProbe.failureThreshold }}
+            successThreshold: {{ .Values.surrealdb.livenessProbe.successThreshold }}
+          {{- end }}
+          {{- if .Values.surrealdb.readinessProbe.enabled }}
+          readinessProbe:
+            tcpSocket:
+              port: http
+            initialDelaySeconds: {{ .Values.surrealdb.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.surrealdb.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.surrealdb.readinessProbe.timeoutSeconds }}
+            failureThreshold: {{ .Values.surrealdb.readinessProbe.failureThreshold }}
+            successThreshold: {{ .Values.surrealdb.readinessProbe.successThreshold }}
+          {{- end }}
+          {{- if .Values.surrealdb.resources }}
+          resources: {{- include "common.tplvalues.render" (dict "value" .Values.surrealdb.resources "context" $) | nindent 12 }}
+          {{- end }}
+          {{- if .Values.surrealdb.containerSecurityContext.enabled }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.surrealdb.containerSecurityContext "context" $) | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+            - name: surrealdb-data
+              mountPath: {{ .Values.surrealdb.persistence.mountPath }}
+      {{- if .Values.surrealdb.nodeSelector }}
+      nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.surrealdb.nodeSelector "context" $) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.surrealdb.affinity }}
+      affinity: {{- include "common.tplvalues.render" (dict "value" .Values.surrealdb.affinity "context" $) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.surrealdb.tolerations }}
+      tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.surrealdb.tolerations "context" $) | nindent 8 }}
+      {{- end }}
+  volumeClaimTemplates:
+    - metadata:
+        name: surrealdb-data
+        labels: {{- include "open-notebook.surrealdb.labels" . | nindent 10 }}
+      spec:
+        accessModes:
+          - {{ .Values.surrealdb.persistence.accessMode }}
+        {{- if .Values.surrealdb.persistence.storageClass }}
+        {{- if (eq "-" .Values.surrealdb.persistence.storageClass) }}
+        storageClassName: ""
+        {{- else }}
+        storageClassName: {{ .Values.surrealdb.persistence.storageClass }}
+        {{- end }}
+        {{- end }}
+        resources:
+          requests:
+            storage: {{ .Values.surrealdb.persistence.size }}
+{{- end }}
diff --git a/helm/values.schema.json b/helm/values.schema.json
new file mode 100644
index 00000000..1568d406
--- /dev/null
+++ b/helm/values.schema.json
@@ -0,0 +1,604 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "Open Notebook Helm Chart Values",
+  "type": "object",
+  "properties": {
+    "global": {
+      "type": "object",
+      "properties": {
+        "commonChartEnabled": { "type": "boolean" },
+        "imageRegistry": { "type": "string" },
+        "imagePullSecrets": { "type": "array" },
+        "storageClass": { "type": "string" },
+        "labels": { "type": "object" },
+        "annotations": { "type": "object" },
+        "clusterDomain": { "type": "string" }
+      }
+    },
+    "image": {
+      "type": "object",
+      "properties": {
+        "registry": { "type": "string" },
+        "repository": { "type": "string" },
+        "tag": { "type": "string" },
+        "digest": { "type": "string" },
+        "pullPolicy": { "enum": ["Always", "IfNotPresent", "Never"] }
+      }
+    },
+    "surrealdb": {
+      "type": "object",
+      "properties": {
+        "enabled": { "type": "boolean" },
+        "external": {
+          "type": "object",
+          "properties": {
+            "enabled": { "type": "boolean" },
+            "host": { "type": "string" },
+            "port": { "type": "integer", "minimum": 1, "maximum": 65535 },
+            "secure": { "type": "boolean" }
+          }
+        },
+        "image": {
+          "type": "object",
+          "properties": {
+            "registry": { "type": "string" },
+            "repository": { "type": "string" },
+            "tag": { "type": "string" },
+            "digest": { "type": "string" },
+            "pullPolicy": { "enum": ["Always", "IfNotPresent", "Never"] }
+          }
+        },
+        "auth": {
+          "type": "object",
+          "properties": {
+            "user": { "type": "string" },
+            "password": { "type": "string" },
+            "existingSecret": { "type": "string" },
+            "secretKey": { "type": "string" }
+          }
+        },
+        "database": {
+          "type": "object",
+          "properties": {
+            "namespace": { "type": "string" },
+            "database": { "type": "string" }
+          }
+        },
+        "experimental": {
+          "type": "object",
+          "properties": {
+            "graphql": { "type": "boolean" }
+          }
+        },
+        "persistence": {
+          "type": "object",
+          "properties": {
+            "enabled": { "type": "boolean" },
+            "existingClaim": { "type": "string" },
+            "storageClass": { "type": "string" },
+            "accessMode": { "type": "string" },
+            "size": { "type": "string" },
+            "mountPath": { "type": "string" }
+          }
+        },
+        "service": {
+          "type": "object",
+          "properties": {
+            "type": { "enum": ["ClusterIP", "LoadBalancer", "NodePort"] },
+            "port": { "type": "integer", "minimum": 1, "maximum": 65535 },
+            "nodePort": { "type": "string" },
+            "annotations": { "type": "object" }
+          }
+        },
+        "resources": {
+          "type": "object",
+          "properties": {
+            "limits": { "type": "object" },
+            "requests": { "type": "object" }
+          }
+        },
+        "livenessProbe": {
+          "type": "object",
+          "properties": {
+            "enabled": { "type": "boolean" },
+            "initialDelaySeconds": { "type": "integer", "minimum": 0 },
+            "periodSeconds": { "type": "integer", "minimum": 1 },
+            "timeoutSeconds": { "type": "integer", "minimum": 1 },
+            "failureThreshold": { "type": "integer", "minimum": 1 },
+            "successThreshold": { "type": "integer", "minimum": 1 }
+          }
+        },
+        "readinessProbe": {
+          "type": "object",
+          "properties": {
+            "enabled": { "type": "boolean" },
+            "initialDelaySeconds": { "type": "integer", "minimum": 0 },
+            "periodSeconds": { "type": "integer", "minimum": 1 },
+            "timeoutSeconds": { "type": "integer", "minimum": 1 },
+            "failureThreshold": { "type": "integer", "minimum": 1 },
+            "successThreshold": { "type": "integer", "minimum": 1 }
+          }
+        },
+        "podAnnotations": { "type": "object" },
+        "podLabels": { "type": "object" },
+        "podSecurityContext": {
+          "type": "object",
+          "properties": {
+            "enabled": { "type": "boolean" },
+            "fsGroup": { "type": "integer", "minimum": 0 },
+            "runAsUser": { "type": "integer", "minimum": 0 }
+          }
+        },
+        "containerSecurityContext": {
+          "type": "object",
+          "properties": {
+            "enabled": { "type": "boolean" },
+            "runAsNonRoot": { "type": "boolean" },
+            "allowPrivilegeEscalation": { "type": "boolean" },
+            "capabilities": {
+              "type": "object",
+              "properties": {
+                "drop": { "type": "array" }
+              }
+            }
+          }
+        },
+        "nodeSelector": { "type": "object" },
+        "tolerations": { "type": "array" },
+        "affinity": { "type": "object" },
+        "priorityClassName": { "type": "string" }
+      }
+    },
+    "app": {
+      "type": "object",
+      "properties": {
+        "nameOverride": { "type": "string" },
+        "fullnameOverride": { "type": "string" },
+        "replicaCount": { "type": "integer", "minimum": 0 },
+        "updateStrategy": {
+          "type": "object",
+          "properties": {
+            "type": { "enum": ["RollingUpdate", "Recreate"] },
+            "rollingUpdate": {
+              "type": "object",
+              "properties": {
+                "maxSurge": { "type": ["integer", "string"] },
+                "maxUnavailable": { "type": ["integer", "string"] }
+              }
+            }
+          }
+        },
+        "ports": {
+          "type": "object",
+          "properties": {
+            "http": { "type": "integer", "minimum": 1, "maximum": 65535 },
+            "api": { "type": "integer", "minimum": 1, "maximum": 65535 }
+          }
+        },
+        "persistence": {
+          "type": "object",
+          "properties": {
+            "enabled": { "type": "boolean" },
+            "existingClaim": { "type": "string" },
+            "storageClass": { "type": "string" },
+            "accessMode": { "type": "string" },
+            "size": { "type": "string" },
+            "mountPath": { "type": "string" }
+          }
+        },
+        "command": { "type": "array" },
+        "args": { "type": "array" },
+        "extraEnvVars": { "type": "array" },
+        "extraEnvVarsCM": { "type": "string" },
+        "extraEnvVarsSecret": { "type": "string" },
+        "livenessProbe": {
+          "type": "object",
+          "properties": {
+            "enabled": { "type": "boolean" },
+            "probeType": { "enum": ["httpGet", "tcpSocket", "exec"] },
+            "path": { "type": "string" },
+            "port": { "type": ["string", "integer"] },
+            "initialDelaySeconds": { "type": "integer", "minimum": 0 },
+            "periodSeconds": { "type": "integer", "minimum": 1 },
+            "timeoutSeconds": { "type": "integer", "minimum": 1 },
+            "failureThreshold": { "type": "integer", "minimum": 1 },
+            "successThreshold": { "type": "integer", "minimum": 1 }
+          }
+        },
+        "readinessProbe": {
+          "type": "object",
+          "properties": {
+            "enabled": { "type": "boolean" },
+            "probeType": { "enum": ["httpGet", "tcpSocket", "exec"] },
+            "path": { "type": "string" },
+            "port": { "type": ["string", "integer"] },
+            "initialDelaySeconds": { "type": "integer", "minimum": 0 },
+            "periodSeconds": { "type": "integer", "minimum": 1 },
+            "timeoutSeconds": { "type": "integer", "minimum": 1 },
+            "failureThreshold": { "type": "integer", "minimum": 1 },
+            "successThreshold": { "type": "integer", "minimum": 1 }
+          }
+        },
+        "startupProbe": {
+          "type": "object",
+          "properties": {
+            "enabled": { "type": "boolean" },
+            "probeType": { "enum": ["httpGet", "tcpSocket", "exec"] },
+            "path": { "type": "string" },
+            "port": { "type": ["string", "integer"] },
+            "initialDelaySeconds": { "type": "integer", "minimum": 0 },
+            "periodSeconds": { "type": "integer", "minimum": 1 },
+            "timeoutSeconds": { "type": "integer", "minimum": 1 },
+            "failureThreshold": { "type": "integer", "minimum": 1 },
+            "successThreshold": { "type": "integer", "minimum": 1 }
+          }
+        },
+        "resources": {
+          "type": "object",
+          "properties": {
+            "limits": { "type": "object" },
+            "requests": { "type": "object" }
+          }
+        },
+        "podAnnotations": { "type": "object" },
+        "podLabels": { "type": "object" },
+        "podSecurityContext": {
+          "type": "object",
+          "properties": {
+            "enabled": { "type": "boolean" },
+            "fsGroup": { "type": "integer", "minimum": 0 }
+          }
+        },
+        "containerSecurityContext": {
+          "type": "object",
+          "properties": {
+            "enabled": { "type": "boolean" },
+            "runAsNonRoot": { "type": "boolean" },
+            "allowPrivilegeEscalation": { "type": "boolean" },
+            "capabilities": {
+              "type": "object",
+              "properties": {
+                "drop": { "type": "array" }
+              }
+            }
+          }
+        },
+        "nodeSelector": { "type": "object" },
+        "tolerations": { "type": "array" },
+        "affinity": { "type": "object" },
+        "priorityClassName": { "type": "string" },
+        "serviceAccount": {
+          "type": "object",
+          "properties": {
+            "create": { "type": "boolean" },
+            "name": { "type": "string" },
+            "automountServiceAccountToken": { "type": "boolean" },
+            "annotations": { "type": "object" }
+          }
+        },
+        "podDisruptionBudget": {
+          "type": "object",
+          "properties": {
+            "enabled": { "type": "boolean" },
+            "minAvailable": { "type": ["integer", "string"] },
+            "maxUnavailable": { "type": ["integer", "string"] }
+          }
+        }
+      }
+    },
+    "service": {
+      "type": "object",
+      "properties": {
+        "type": { "enum": ["ClusterIP", "LoadBalancer", "NodePort"] },
+        "ports": {
+          "type": "object",
+          "properties": {
+            "http": { "type": "integer", "minimum": 1, "maximum": 65535 },
+            "api": { "type": "integer", "minimum": 1, "maximum": 65535 },
+            "httpNodePort": { "type": "string" },
+            "apiNodePort": { "type": "string" }
+          }
+        },
+        "annotations": { "type": "object" },
+        "sessionAffinity": { "enum": ["ClientIP", "None"] },
+        "sessionAffinityConfig": { "type": "object" }
+      }
+    },
+    "ingress": {
+      "type": "object",
+      "properties": {
+        "enabled": { "type": "boolean" },
+        "className": { "type": "string" },
+        "annotations": { "type": "object" },
+        "hosts": { "type": "array" },
+        "tls": { "type": "array" }
+      }
+    },
+    "config": {
+      "type": "object",
+      "properties": {
+        "api": {
+          "type": "object",
+          "properties": {
+            "url": { "type": "string" },
+            "internalUrl": { "type": "string" },
+            "clientTimeout": { "type": "integer", "minimum": 1 },
+            "esperantoTimeout": { "type": "integer", "minimum": 1 }
+          }
+        },
+        "auth": {
+          "type": "object",
+          "properties": {
+            "password": { "type": "string" },
+            "existingSecret": { "type": "string" },
+            "secretKey": { "type": "string" }
+          }
+        },
+        "ssl": {
+          "type": "object",
+          "properties": {
+            "caBundle": { "type": "string" },
+            "verify": { "type": "boolean" }
+          }
+        },
+        "worker": {
+          "type": "object",
+          "properties": {
+            "maxTasks": { "type": "integer", "minimum": 1 },
+            "retry": {
+              "type": "object",
+              "properties": {
+                "enabled": { "type": "boolean" },
+                "maxAttempts": { "type": "integer", "minimum": 1 },
+                "waitStrategy": { "type": "string" },
+                "waitMin": { "type": "integer", "minimum": 0 },
+                "waitMax": { "type": "integer", "minimum": 0 }
+              }
+            }
+          }
+        },
+        "tts": {
+          "type": "object",
+          "properties": {
+            "batchSize": { "type": "integer", "minimum": 1 }
+          }
+        },
+        "aiProviders": {
+          "type": "object",
+          "properties": {
+            "openai": {
+              "type": "object",
+              "properties": {
+                "apiKey": { "type": "string" },
+                "existingSecret": { "type": "string" },
+                "secretKey": { "type": "string" },
+                "baseUrl": { "type": "string" }
+              }
+            },
+            "anthropic": {
+              "type": "object",
+              "properties": {
+                "apiKey": { "type": "string" },
+                "existingSecret": { "type": "string" },
+                "secretKey": { "type": "string" }
+              }
+            },
+            "google": {
+              "type": "object",
+              "properties": {
+                "apiKey": { "type": "string" },
+                "existingSecret": { "type": "string" },
+                "secretKey": { "type": "string" },
+                "geminiBaseUrl": { "type": "string" }
+              }
+            },
+            "vertexai": {
+              "type": "object",
+              "properties": {
+                "project": { "type": "string" },
+                "credentials": { "type": "string" },
+                "location": { "type": "string" },
+                "existingSecret": { "type": "string" }
+              }
+            },
+            "mistral": {
+              "type": "object",
+              "properties": {
+                "apiKey": { "type": "string" },
+                "existingSecret": { "type": "string" },
+                "secretKey": { "type": "string" }
+              }
+            },
+            "deepseek": {
+              "type": "object",
+              "properties": {
+                "apiKey": { "type": "string" },
+                "existingSecret": { "type": "string" },
+                "secretKey": { "type": "string" }
+              }
+            },
+            "ollama": {
+              "type": "object",
+              "properties": {
+                "baseUrl": { "type": "string" }
+              }
+            },
+            "openrouter": {
+              "type": "object",
+              "properties": {
+                "baseUrl": { "type": "string" },
+                "apiKey": { "type": "string" },
+                "existingSecret": { "type": "string" },
+                "secretKey": { "type": "string" }
+              }
+            },
+            "groq": {
+              "type": "object",
+              "properties": {
+                "apiKey": { "type": "string" },
+                "existingSecret": { "type": "string" },
+                "secretKey": { "type": "string" }
+              }
+            },
+            "xai": {
+              "type": "object",
+              "properties": {
+                "apiKey": { "type": "string" },
+                "existingSecret": { "type": "string" },
+                "secretKey": { "type": "string" }
+              }
+            },
+            "elevenlabs": {
+              "type": "object",
+              "properties": {
+                "apiKey": { "type": "string" },
+                "existingSecret": { "type": "string" },
+                "secretKey": { "type": "string" }
+              }
+            },
+            "voyage": {
+              "type": "object",
+              "properties": {
+                "apiKey": { "type": "string" },
+                "existingSecret": { "type": "string" },
+                "secretKey": { "type": "string" }
+              }
+            },
+            "openaiCompatible": {
+              "type": "object",
+              "properties": {
+                "baseUrl": { "type": "string" },
+                "apiKey": { "type": "string" },
+                "existingSecret": { "type": "string" },
+                "llm": {
+                  "type": "object",
+                  "properties": {
+                    "baseUrl": { "type": "string" },
+                    "apiKey": { "type": "string" }
+                  }
+                },
+                "embedding": {
+                  "type": "object",
+                  "properties": {
+                    "baseUrl": { "type": "string" },
+                    "apiKey": { "type": "string" }
+                  }
+                },
+                "stt": {
+                  "type": "object",
+                  "properties": {
+                    "baseUrl": { "type": "string" },
+                    "apiKey": { "type": "string" }
+                  }
+                },
+                "tts": {
+                  "type": "object",
+                  "properties": {
+                    "baseUrl": { "type": "string" },
+                    "apiKey": { "type": "string" }
+                  }
+                }
+              }
+            },
+            "azureOpenai": {
+              "type": "object",
+              "properties": {
+                "apiKey": { "type": "string" },
+                "endpoint": { "type": "string" },
+                "apiVersion": { "type": "string" },
+                "existingSecret": { "type": "string" },
+                "llm": {
+                  "type": "object",
+                  "properties": {
+                    "apiKey": { "type": "string" },
+                    "endpoint": { "type": "string" },
+                    "apiVersion": { "type": "string" }
+                  }
+                },
+                "embedding": {
+                  "type": "object",
+                  "properties": {
+                    "apiKey": { "type": "string" },
+                    "endpoint": { "type": "string" },
+                    "apiVersion": { "type": "string" }
+                  }
+                },
+                "stt": {
+                  "type": "object",
+                  "properties": {
+                    "apiKey": { "type": "string" },
+                    "endpoint": { "type": "string" },
+                    "apiVersion": { "type": "string" }
+                  }
+                },
+                "tts": {
+                  "type": "object",
+                  "properties": {
+                    "apiKey": { "type": "string" },
+                    "endpoint": { "type": "string" },
+                    "apiVersion": { "type": "string" }
+                  }
+                }
+              }
+            },
+            "firecrawl": {
+              "type": "object",
+              "properties": {
+                "apiKey": { "type": "string" },
+                "existingSecret": { "type": "string" },
+                "secretKey": { "type": "string" }
+              }
+            },
+            "jina": {
+              "type": "object",
+              "properties": {
+                "apiKey": { "type": "string" },
+                "existingSecret": { "type": "string" },
+                "secretKey": { "type": "string" }
+              }
+            },
+            "langchain": {
+              "type": "object",
+              "properties": {
+                "tracingV2": { "type": "boolean" },
+                "endpoint": { "type": "string" },
+                "apiKey": { "type": "string" },
+                "project": { "type": "string" },
+                "existingSecret": { "type": "string" },
+                "secretKey": { "type": "string" }
+              }
+            }
+          }
+        }
+      }
+    },
+    "secrets": {
+      "type": "object",
+      "properties": {
+        "create": { "type": "boolean" },
+        "existingSecret": { "type": "string" },
+        "annotations": { "type": "object" }
+      }
+    },
+    "networkPolicy": {
+      "type": "object",
+      "properties": {
+        "enabled": { "type": "boolean" },
+        "policyTypes": { "type": "array" },
+        "ingress": { "type": "array" },
+        "egress": { "type": "array" }
+      }
+    },
+    "serviceMonitor": {
+      "type": "object",
+      "properties": {
+        "enabled": { "type": "boolean" },
+        "namespace": { "type": "string" },
+        "interval": { "type": "string" },
+        "scrapeTimeout": { "type": "string" },
+        "labels": { "type": "object" },
+        "annotations": { "type": "object" }
+      }
+    }
+  }
+}
diff --git a/helm/values.yaml b/helm/values.yaml
new file mode 100644
index 00000000..4630c2d6
--- /dev/null
+++ b/helm/values.yaml
@@ -0,0 +1,878 @@
+# Default values for open-notebook
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+##
+## Global Docker image parameters
+## Please, note that this will override the image parameters, including dependencies, configured to use the global value
+## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
+##
+global:
+  ## @param global.commonChartEnabled Enable Bitnami common chart compatibility
+  ##
+  commonChartEnabled: true
+  ## @param global.imageRegistry Global Docker image registry
+  ## ref: https://kubernetes.io/docs/concepts/containers/images/#updating-a-global-image
+  ##
+  imageRegistry: ""
+  ## @param global.imagePullSecrets Global Docker registry secret names as an array
+  ## e.g.:
+  ## imagePullSecrets:
+  ##   - myRegistryKeySecretName
+  ##
+  imagePullSecrets: []
+  ## @param global.storageClass Global StorageClass for PVCs
+  ## ref: https://kubernetes.io/docs/concepts/storage/storage-classes/
+  ##
+  storageClass: ""
+  ## @param global.labels Labels to add to all deployed objects
+  ##
+  labels: {}
+  ## @param global.annotations Annotations to add to all deployed objects
+  ##
+  annotations: {}
+  ## @param global.clusterDomain Kubernetes cluster domain
+  ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-config
+  ##
+  clusterDomain: cluster.local
+
+##
+## Open Notebook image parameters
+##
+image:
+  ## @param image.registry Docker image registry
+  ##
+  registry: docker.io
+  ## @param image.repository Docker image repository
+  ##
+  repository: lfnovo/open_notebook
+  ## @param image.tag Docker image tag (immutable tags are recommended)
+  ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-names
+  ##
+  tag: ""
+  ## @param image.digest Docker image digest (overrides tag when set)
+  ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
+  ##
+  digest: ""
+  ## @param image.pullPolicy Docker image pull policy
+  ## ref: https://kubernetes.io/docs/concepts/containers/images/#updating-images
+  ##
+  pullPolicy: IfNotPresent
+
+##
+## SurrealDB database configuration
+##
+surrealdb:
+  ## @param surrealdb.enabled Deploy SurrealDB as part of the chart
+  ## If false, configure external SurrealDB connection
+  ##
+  enabled: true
+
+  ## @param surrealdb.external.enabled Use external SurrealDB instead of deploying one
+  ##
+  external:
+    enabled: false
+    ## @param surrealdb.external.host External SurrealDB host
+    ##
+    host: ""
+    ## @param surrealdb.external.port External SurrealDB port
+    ##
+    port: 8000
+    ## @param surrealdb.external.secure Use HTTPS/WSS for external connection
+    ##
+    secure: false
+
+  ## SurrealDB image parameters
+  ## ref: https://hub.docker.com/r/surrealdb/surrealdb
+  ##
+  image:
+    registry: docker.io
+    repository: surrealdb/surrealdb
+    tag: v2
+    digest: ""
+    pullPolicy: IfNotPresent
+
+  ## SurrealDB authentication configuration
+  ##
+  auth:
+    ## @param surrealdb.auth.user SurrealDB username
+    ##
+    user: root
+    ## @param surrealdb.auth.password SurrealDB password
+    ##
+    password: root
+    ## @param surrealdb.auth.existingSecret Existing secret containing SurrealDB password
+    ## NOTE: Must contain key `surreal-password`
+    ##
+    existingSecret: ""
+    ## @param surrealdb.auth.secretKey Key in the secret containing the password
+    ##
+    secretKey: surreal-password
+
+  ## SurrealDB database configuration
+  ##
+  database:
+    ## @param surrealdb.database.namespace SurrealDB namespace
+    ##
+    namespace: open_notebook
+    ## @param surrealdb.database.database SurrealDB database name
+    ##
+    database: production
+
+  ## SurrealDB experimental features
+  ##
+  experimental:
+    ## @param surrealdb.experimental.graphql Enable GraphQL experimental feature
+    ##
+    graphql: true
+
+  ## SurrealDB persistence configuration
+  ##
+  persistence:
+    ## @param surrealdb.persistence.enabled Enable persistence using PVC
+    ##
+    enabled: true
+    ## @param surrealdb.persistence.existingClaim Name of an existing PVC to use
+    ##
+    existingClaim: ""
+    ## @param surrealdb.persistence.storageClass StorageClass for PVC
+    ## ref: https://kubernetes.io/docs/concepts/storage/storage-classes/
+    ##
+    storageClass: ""
+    ## @param surrealdb.persistence.accessMode PVC access mode
+    ##
+    accessMode: ReadWriteOnce
+    ## @param surrealdb.persistence.size PVC storage request size
+    ##
+    size: 8Gi
+    ## @param surrealdb.persistence.mountPath Mount path for SurrealDB data
+    ##
+    mountPath: /mydata
+
+  ## SurrealDB service configuration
+  ##
+  service:
+    ## @param surrealdb.service.type Kubernetes Service type
+    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
+    ##
+    type: ClusterIP
+    ## @param surrealdb.service.port SurrealDB service port
+    ##
+    port: 8000
+    ## @param surrealdb.service.nodePort Specific node port when type is NodePort
+    ## NOTE: choose port between <30000-32767>
+    ##
+    nodePort: ""
+    ## @param surrealdb.service.annotations Service annotations
+    ##
+    annotations: {}
+
+  ## SurrealDB resource requests and limits
+  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+  ##
+  resources:
+    limits: {}
+    requests: {}
+
+  ## Configure liveness probe for SurrealDB
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+  ##
+  livenessProbe:
+    ## @param surrealdb.livenessProbe.enabled Enable liveness probe
+    ##
+    enabled: true
+    ## @param surrealdb.livenessProbe.initialDelaySeconds Initial delay seconds for liveness probe
+    ##
+    initialDelaySeconds: 30
+    ## @param surrealdb.livenessProbe.periodSeconds Period seconds for liveness probe
+    ##
+    periodSeconds: 10
+    ## @param surrealdb.livenessProbe.timeoutSeconds Timeout seconds for liveness probe
+    ##
+    timeoutSeconds: 5
+    ## @param surrealdb.livenessProbe.failureThreshold Failure threshold for liveness probe
+    ##
+    failureThreshold: 6
+    ## @param surrealdb.livenessProbe.successThreshold Success threshold for liveness probe
+    ##
+    successThreshold: 1
+
+  ## Configure readiness probe for SurrealDB
+  ##
+  readinessProbe:
+    enabled: true
+    initialDelaySeconds: 10
+    periodSeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 6
+    successThreshold: 1
+
+  ## @param surrealdb.podAnnotations Annotations for SurrealDB pods
+  ##
+  podAnnotations: {}
+  ## @param surrealdb.podLabels Labels for SurrealDB pods
+  ##
+  podLabels: {}
+
+  ## SurrealDB pod security context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  ##
+  podSecurityContext:
+    ## @param surrealdb.podSecurityContext.enabled Enable pod security context
+    ##
+    enabled: true
+    ## @param surrealdb.podSecurityContext.fsGroup File system group ID
+    ##
+    fsGroup: 1001
+    ## @param surrealdb.podSecurityContext.runAsUser User ID to run as
+    ##
+    runAsUser: 1001
+
+  ## SurrealDB container security context
+  ##
+  containerSecurityContext:
+    enabled: true
+    runAsNonRoot: true
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+
+  ## @param surrealdb.nodeSelector Node selector for SurrealDB pods
+  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
+  ##
+  nodeSelector: {}
+  ## @param surrealdb.tolerations Tolerations for SurrealDB pods
+  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+  ##
+  tolerations: []
+  ## @param surrealdb.affinity Affinity rules for SurrealDB pods
+  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
+  ##
+  affinity: {}
+  ## @param surrealdb.priorityClassName Priority class name for SurrealDB pods
+  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/
+  ##
+  priorityClassName: ""
+
+##
+## Open Notebook application configuration
+##
+app:
+  ## @param app.nameOverride String to partially override common.names.fullname template
+  ##
+  nameOverride: ""
+  ## @param app.fullnameOverride String to fully override common.names.fullname template
+  ##
+  fullnameOverride: ""
+
+  ## @param app.replicaCount Number of application replicas
+  ##
+  replicaCount: 1
+
+  ## Update strategy for the application deployment
+  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#updating-a-deployment
+  ##
+  updateStrategy:
+    ## @param app.updateStrategy.type Deployment update strategy type
+    ##
+    type: RollingUpdate
+    rollingUpdate:
+      ## @param app.updateStrategy.rollingUpdate.maxSurge Maximum number of pods that can be created above desired
+      ##
+      maxSurge: 1
+      ## @param app.updateStrategy.rollingUpdate.maxUnavailable Maximum number of pods that can be unavailable
+      ##
+      maxUnavailable: 0
+
+  ## Application ports
+  ##
+  ports:
+    ## @param app.ports.http HTTP frontend port
+    ##
+    http: 8502
+    ## @param app.ports.api API server port
+    ##
+    api: 5055
+
+  ## Application data persistence
+  ##
+  persistence:
+    enabled: true
+    existingClaim: ""
+    storageClass: ""
+    accessMode: ReadWriteOnce
+    size: 8Gi
+    mountPath: /app/data
+
+  ## @param app.command Override default container command
+  ##
+  command: []
+  ## @param app.args Override default container args
+  ##
+  args: []
+
+  ## Additional environment variables for application containers
+  ## ref: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/
+  ##
+  extraEnvVars: []
+  ## e.g.:
+  ## extraEnvVars:
+  ##   - name: MY_VAR
+  ##     value: "my-value"
+
+  ## @param app.extraEnvVarsCM Name of existing ConfigMap with extra environment variables
+  ##
+  extraEnvVarsCM: ""
+  ## @param app.extraEnvVarsSecret Name of existing Secret with extra environment variables
+  ##
+  extraEnvVarsSecret: ""
+
+  ## Configure liveness probe for the application
+  ##
+  livenessProbe:
+    enabled: true
+    ## @param app.livenessProbe.probeType Probe type (httpGet, tcpSocket, exec)
+    ##
+    probeType: httpGet
+    ## @param app.livenessProbe.path Path for HTTP probe
+    ##
+    path: /health
+    ## @param app.livenessProbe.port Port for probe
+    ##
+    port: api
+    initialDelaySeconds: 60
+    periodSeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 6
+    successThreshold: 1
+
+  ## Configure readiness probe for the application
+  ##
+  readinessProbe:
+    enabled: true
+    probeType: httpGet
+    path: /health
+    port: api
+    initialDelaySeconds: 30
+    periodSeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 6
+    successThreshold: 1
+
+  ## Configure startup probe for the application
+  ##
+  startupProbe:
+    enabled: false
+    probeType: httpGet
+    path: /api/health
+    port: api
+    initialDelaySeconds: 0
+    periodSeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 30
+    successThreshold: 1
+
+  ## Application resource requests and limits
+  ##
+  resources:
+    limits: {}
+    requests: {}
+  ## e.g.:
+  ## resources:
+  ##   limits:
+  ##     cpu: 500m
+  ##     memory: 512Mi
+  ##   requests:
+  ##     cpu: 100m
+  ##     memory: 128Mi
+
+  ## @param app.podAnnotations Annotations for application pods
+  ##
+  podAnnotations: {}
+  ## @param app.podLabels Labels for application pods
+  ##
+  podLabels: {}
+
+  ## Application pod security context
+  ##
+  podSecurityContext:
+    enabled: false
+    fsGroup: 1001
+
+  containerSecurityContext:
+    enabled: false
+    runAsNonRoot: true
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+
+  ## @param app.nodeSelector Node selector for application pods
+  ##
+  nodeSelector: {}
+  ## @param app.tolerations Tolerations for application pods
+  ##
+  tolerations: []
+  ## @param app.affinity Affinity rules for application pods
+  ##
+  affinity: {}
+  ## @param app.priorityClassName Priority class name for application pods
+  ##
+  priorityClassName: ""
+
+  ## Service account configuration
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+  ##
+  serviceAccount:
+    ## @param app.serviceAccount.create Create a service account
+    ##
+    create: false
+    ## @param app.serviceAccount.name Name of the service account to use
+    ##
+    name: ""
+    ## @param app.serviceAccount.automountServiceAccountToken Automount service account token
+    ##
+    automountServiceAccountToken: false
+    ## @param app.serviceAccount.annotations Service account annotations
+    ##
+    annotations: {}
+
+  ## Pod disruption budget configuration
+  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+  ##
+  podDisruptionBudget:
+    ## @param app.podDisruptionBudget.enabled Enable pod disruption budget
+    ##
+    enabled: false
+    ## @param app.podDisruptionBudget.minAvailable Minimum number of pods that must be available
+    ##
+    minAvailable: 1
+    ## @param app.podDisruptionBudget.maxUnavailable Maximum number of pods that can be unavailable
+    ##
+    maxUnavailable: ""
+
+##
+## Service configuration
+##
+service:
+  ## @param service.type Kubernetes Service type
+  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
+  ##
+  type: ClusterIP
+  ports:
+    ## @param service.ports.http HTTP service port
+    ##
+    http: 8502
+    ## @param service.ports.api API service port
+    ##
+    api: 5055
+    ## @param service.ports.httpNodePort Node port for HTTP service (when type=NodePort)
+    ## NOTE: choose port between <30000-32767>
+    ##
+    httpNodePort: ""
+    ## @param service.ports.apiNodePort Node port for API service (when type=NodePort)
+    ##
+    apiNodePort: ""
+  ## @param service.annotations Service annotations
+  ##
+  annotations: {}
+  ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin
+  ## Values: ClientIP or None
+  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
+  ##
+  sessionAffinity: None
+  ## @param service.sessionAffinityConfig Session affinity configuration
+  ##
+  sessionAffinityConfig: {}
+
+##
+## Ingress configuration
+## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
+##
+ingress:
+  ## @param ingress.enabled Enable ingress record generation
+  ##
+  enabled: false
+  ## @param ingress.className IngressClass that will be used to implement the Ingress
+  ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster
+  ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
+  ##
+  className: ""
+  ## @param ingress.annotations Additional annotations for the Ingress resource
+  ## e.g.:
+  ## annotations:
+  ##   cert-manager.io/cluster-issuer: letsencrypt-prod
+  ##   nginx.ingress.kubernetes.io/ssl-redirect: "true"
+  ##
+  annotations: {}
+  ## @param ingress.hosts List of host configurations
+  ## e.g.:
+  ## hosts:
+  ##   - host: open-notebook.example.com
+  ##     paths:
+  ##       - path: /
+  ##         pathType: Prefix
+  ##         service: http
+  ##
+  hosts:
+    - host: open-notebook.example.com
+      paths:
+        - path: /
+          pathType: Prefix
+          service: http
+
+  ## @param ingress.tls TLS configuration for Ingress
+  ## e.g.:
+  ## tls:
+  ##   - secretName: open-notebook-tls
+  ##     hosts:
+  ##       - open-notebook.example.com
+  ##
+  tls: []
+
+##
+## Open Notebook application configuration
+##
+config:
+  ## API configuration
+  ##
+  api:
+    ## @param config.api.url External API URL for browser access
+    ## e.g. http://your-domain:30555 or https://api.example.com
+    ##
+    url: ""
+    ## @param config.api.internalUrl Internal API URL for Next.js server-side calls
+    ## e.g. http://open-notebook.open-notebook.svc.cluster.local:5055
+    ##
+    internalUrl: ""
+    ## @param config.api.clientTimeout Client timeout in seconds
+    ##
+    clientTimeout: 300
+    ## @param config.api.esperantoTimeout Esperanto LLM timeout in seconds
+    ##
+    esperantoTimeout: 60
+
+  ## Security configuration
+  ##
+  auth:
+    ## @param config.auth.password Application password (leave empty to disable auth)
+    ##
+    password: ""
+    ## @param config.auth.existingSecret Existing secret containing password
+    ## NOTE: Must contain key specified by secretKey
+    ##
+    existingSecret: ""
+    ## @param config.auth.secretKey Key in secret containing password
+    ##
+    secretKey: open-notebook-password
+
+  ## SSL/TLS configuration
+  ##
+  ssl:
+    ## @param config.ssl.caBundle Path to CA bundle file
+    ##
+    caBundle: ""
+    ## @param config.ssl.verify Verify SSL certificates
+    ##
+    verify: true
+
+  ## Worker configuration
+  ##
+  worker:
+    ## @param config.worker.maxTasks Maximum number of concurrent worker tasks
+    ##
+    maxTasks: 5
+    ## Retry configuration
+    ##
+    retry:
+      ## @param config.worker.retry.enabled Enable retry logic
+      ##
+      enabled: true
+      ## @param config.worker.retry.maxAttempts Maximum number of retry attempts
+      ##
+      maxAttempts: 3
+      ## @param config.worker.retry.waitStrategy Retry wait strategy
+      ## Values: exponential_jitter, fixed, linear, exponential
+      ##
+      waitStrategy: exponential_jitter
+      ## @param config.worker.retry.waitMin Minimum wait time in seconds
+      ##
+      waitMin: 1
+      ## @param config.worker.retry.waitMax Maximum wait time in seconds
+      ##
+      waitMax: 30
+
+  ## TTS (Text-to-Speech) configuration
+  ##
+  tts:
+    ## @param config.tts.batchSize Batch size for TTS processing
+    ##
+    batchSize: 5
+
+  ## AI providers configuration
+  ## Configure one or more AI providers for LLM, embeddings, STT, and TTS
+  ##
+  aiProviders:
+    ## OpenAI configuration
+    ##
+    openai:
+      ## @param config.aiProviders.openai.apiKey OpenAI API key
+      ## NOTE: When set and secrets.create=true, will be automatically added to secret
+      ##
+      apiKey: ""
+      ## @param config.aiProviders.openai.existingSecret Existing secret containing API key
+      ##
+      existingSecret: ""
+      ## @param config.aiProviders.openai.secretKey Key in secret containing API key
+      ##
+      secretKey: openai-api-key
+      ## @param config.aiProviders.openai.baseUrl Custom OpenAI base URL
+      ##
+      baseUrl: ""
+
+    ## Anthropic (Claude) configuration
+    ##
+    anthropic:
+      apiKey: ""
+      existingSecret: ""
+      secretKey: anthropic-api-key
+
+    ## Google Gemini configuration
+    ##
+    google:
+      apiKey: ""
+      existingSecret: ""
+      secretKey: google-api-key
+      ## @param config.aiProviders.google.geminiBaseUrl Custom Gemini base URL
+      ##
+      geminiBaseUrl: ""
+
+    ## Google Vertex AI configuration
+    ##
+    vertexai:
+      ## @param config.aiProviders.vertexai.project Google Cloud project ID
+      ##
+      project: ""
+      ## @param config.aiProviders.vertexai.credentials Service account credentials (JSON string or file path)
+      ##
+      credentials: ""
+      ## @param config.aiProviders.vertexai.location Vertex AI region/location
+      ##
+      location: us-east5
+      existingSecret: ""
+
+    ## Mistral AI configuration
+    ##
+    mistral:
+      apiKey: ""
+      existingSecret: ""
+      secretKey: mistral-api-key
+
+    ## DeepSeek configuration
+    ##
+    deepseek:
+      apiKey: ""
+      existingSecret: ""
+      secretKey: deepseek-api-key
+
+    ## Ollama configuration (local models)
+    ##
+    ollama:
+      ## @param config.aiProviders.ollama.baseUrl Ollama API base URL
+      ## e.g. http://localhost:11434
+      ##
+      baseUrl: ""
+
+    ## OpenRouter configuration
+    ##
+    openrouter:
+      baseUrl: https://openrouter.ai/api/v1
+      apiKey: ""
+      existingSecret: ""
+      secretKey: openrouter-api-key
+
+    ## Groq configuration
+    ##
+    groq:
+      apiKey: ""
+      existingSecret: ""
+      secretKey: groq-api-key
+
+    ## XAI (Grok) configuration
+    ##
+    xai:
+      apiKey: ""
+      existingSecret: ""
+      secretKey: xai-api-key
+
+    ## ElevenLabs configuration (for podcast generation)
+    ##
+    elevenlabs:
+      apiKey: ""
+      existingSecret: ""
+      secretKey: elevenlabs-api-key
+
+    ## Voyage AI configuration (embeddings)
+    ##
+    voyage:
+      apiKey: ""
+      existingSecret: ""
+      secretKey: voyage-api-key
+
+    ## OpenAI-compatible endpoints configuration
+    ## For Azure OpenAI, or other OpenAI-compatible APIs
+    ##
+    openaiCompatible:
+      ## @param config.aiProviders.openaiCompatible.baseUrl Base URL for OpenAI-compatible endpoint
+      ## e.g. https://api.openai.com/v1 for OpenAI
+      ##
+      baseUrl: ""
+      ## @param config.aiProviders.openaiCompatible.apiKey API key for OpenAI-compatible endpoint
+      ## NOTE: When set and secrets.create=true, will be automatically added to secret
+      ##
+      apiKey: ""
+      ## @param config.aiProviders.openaiCompatible.existingSecret Existing secret containing API key
+      ##
+      existingSecret: ""
+      ## Mode-specific configuration
+      ##
+      llm:
+        ## @param config.aiProviders.openaiCompatible.llm.baseUrl Override base URL for LLM mode
+        ##
+        baseUrl: ""
+        ## @param config.aiProviders.openaiCompatible.llm.apiKey Override API key for LLM mode
+        ##
+        apiKey: ""
+      embedding:
+        baseUrl: ""
+        apiKey: ""
+      stt:
+        baseUrl: ""
+        apiKey: ""
+      tts:
+        baseUrl: ""
+        apiKey: ""
+
+    ## Azure OpenAI configuration
+    ##
+    azureOpenai:
+      ## @param config.aiProviders.azureOpenai.apiKey Azure OpenAI API key
+      ##
+      apiKey: ""
+      ## @param config.aiProviders.azureOpenai.endpoint Azure OpenAI endpoint URL
+      ## e.g. https://your-resource.openai.azure.com
+      ##
+      endpoint: ""
+      ## @param config.aiProviders.azureOpenai.apiVersion Azure OpenAI API version
+      ##
+      apiVersion: "2024-12-01-preview"
+      existingSecret: ""
+      ## Mode-specific configuration
+      ##
+      llm:
+        apiKey: ""
+        endpoint: ""
+        apiVersion: ""
+      embedding:
+        apiKey: ""
+        endpoint: ""
+        apiVersion: ""
+      stt:
+        apiKey: ""
+        endpoint: ""
+        apiVersion: ""
+      tts:
+        apiKey: ""
+        endpoint: ""
+        apiVersion: ""
+
+    ## Firecrawl configuration (web scraping)
+    ##
+    firecrawl:
+      apiKey: ""
+      existingSecret: ""
+      secretKey: firecrawl-api-key
+
+    ## Jina configuration (AI processing)
+    ##
+    jina:
+      apiKey: ""
+      existingSecret: ""
+      secretKey: jina-api-key
+
+    ## LangChain configuration (for debugging/tracing)
+    ##
+    langchain:
+      ## @param config.aiProviders.langchain.tracingV2 Enable LangSmith tracing
+      ##
+      tracingV2: false
+      ## @param config.aiProviders.langchain.endpoint LangSmith API endpoint
+      ##
+      endpoint: https://api.smith.langchain.com
+      apiKey: ""
+      ## @param config.aiProviders.langchain.project LangSmith project name
+      ##
+      project: "Open Notebook"
+      existingSecret: ""
+      secretKey: langchain-api-key
+
+##
+## Secret management configuration
+##
+secrets:
+  ## @param secrets.create Create secrets for sensitive data
+  ## When enabled, secrets will be created for any apiKey/password fields that are set
+  ##
+  create: true
+  ## @param secrets.existingSecret Use existing secret for all configuration
+  ## NOTE: Must contain appropriate keys for each provider
+  ##
+  existingSecret: ""
+  ## @param secrets.annotations Annotations to add to created secrets
+  ##
+  annotations: {}
+
+##
+## Network policy configuration
+## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+##
+networkPolicy:
+  ## @param networkPolicy.enabled Enable network policies
+  ##
+  enabled: false
+  ## @param networkPolicy.policyTypes Policy types to enforce
+  ##
+  policyTypes:
+    - Ingress
+    - Egress
+  ## @param networkPolicy.ingress Ingress rules
+  ##
+  ingress: []
+  ## @param networkPolicy.egress Egress rules
+  ##
+  egress: []
+
+##
+## ServiceMonitor configuration for Prometheus Operator
+## ref: https://prometheus-operator.dev/docs/operator/api/#servicemonitor
+##
+serviceMonitor:
+  ## @param serviceMonitor.enabled Create ServiceMonitor resource
+  ##
+  enabled: false
+  ## @param serviceMonitor.namespace Namespace for ServiceMonitor
+  ##
+  namespace: ""
+  ## @param serviceMonitor.interval Scraping interval
+  ##
+  interval: 30s
+  ## @param serviceMonitor.scrapeTimeout Scrape timeout
+  ##
+  scrapeTimeout: 10s
+  ## @param serviceMonitor.labels Additional labels for ServiceMonitor
+  ##
+  labels: {}
+  ## @param serviceMonitor.annotations Additional annotations for ServiceMonitor
+  ##
+  annotations: {}

From 5ebd4b39888219dfaab21bd228ee322deaca1bd4 Mon Sep 17 00:00:00 2001
From: thuanpham582002 <tienthuan05082002@gmail.com>
Date: Tue, 6 Jan 2026 08:43:59 +0700
Subject: [PATCH 2/6] chore(helm): Update license to MIT and add Bitnami common
 library dependency

- Update all template file license headers from Apache 2.0 to MIT
- Add Bitnami common library chart as dependency in Chart.yaml
- Refactor labels to use common.labels.standard helper for better Kubernetes best practices
- Remove Chart.lock as chart now has external dependency
- Update values.yaml comment to remove Bitnami branding
- Update README.md license section to MIT License

This aligns the Helm chart with the project's MIT license and leverages
Bitnami's common library for better maintainability and standard Kubernetes labels.
---
 helm/Chart.lock                 |  6 -----
 helm/Chart.yaml                 | 21 ++++++++-------
 helm/README.md                  |  2 +-
 helm/templates/NOTES.txt        | 48 +++++++++++++--------------------
 helm/templates/_helpers.tpl     | 42 ++++++++++++++---------------
 helm/templates/configmap.yaml   | 26 +++++++++++-------
 helm/templates/deployment.yaml  | 26 +++++++++++-------
 helm/templates/ingress.yaml     | 26 +++++++++++-------
 helm/templates/pvc.yaml         | 26 +++++++++++-------
 helm/templates/secret.yaml      | 26 +++++++++++-------
 helm/templates/service.yaml     | 26 +++++++++++-------
 helm/templates/statefulset.yaml | 26 +++++++++++-------
 helm/values.yaml                | 12 ++++-----
 13 files changed, 169 insertions(+), 144 deletions(-)
 delete mode 100644 helm/Chart.lock

diff --git a/helm/Chart.lock b/helm/Chart.lock
deleted file mode 100644
index b6a9ee2a..00000000
--- a/helm/Chart.lock
+++ /dev/null
@@ -1,6 +0,0 @@
-dependencies:
-- name: common
-  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 2.31.4
-digest: sha256:0df1987bc04bbeb530d28418e1dcb4d999985dc1559351db58db16c260c73deb
-generated: "2025-12-26T18:20:00.665704+07:00"
diff --git a/helm/Chart.yaml b/helm/Chart.yaml
index 5f801a13..84921721 100644
--- a/helm/Chart.yaml
+++ b/helm/Chart.yaml
@@ -1,26 +1,27 @@
-apiVersion: v2
+apiVersion: v1
 name: open-notebook
-description: Open Notebook - AI-powered note-taking application with SurrealDB backend
+description:  An Open Source implementation of Notebook LM with more flexibility and features
 type: application
 version: 1.0.0
-appVersion: "v1-latest"
+appVersion: "0.0.1"
 keywords:
   - notebook
-  - ai
+  - notebooklm
   - knowledge-management
   - surrealdb
 home: https://github.com/lfnovo/open-notebook
-icon: https://raw.githubusercontent.com/lfnovo/open-notebook/main/docs/assets/logo.png
 sources:
   - https://github.com/lfnovo/open-notebook
 maintainers:
   - name: lfnovo
-    email: open-notebook@example.com
+    url: https://github.com/lfnovo
+  - name: thuanpham582002
+    url: https://github.com/thuanpham582002
+annotations:
+  category: Analytics
+  licenses: MIT
+
 dependencies:
   - name: common
     repository: oci://registry-1.docker.io/bitnamicharts
     version: 2.x.x
-    condition: global.commonChartEnabled
-annotations:
-  category: Analytics
-  licenses: Apache-2.0
diff --git a/helm/README.md b/helm/README.md
index 7231aa20..0ef12b11 100644
--- a/helm/README.md
+++ b/helm/README.md
@@ -619,7 +619,7 @@ Metrics will be available at:
 
 ## License
 
-Apache License 2.0
+MIT License
 
 ## Support
 
diff --git a/helm/templates/NOTES.txt b/helm/templates/NOTES.txt
index d0720e85..01be7060 100644
--- a/helm/templates/NOTES.txt
+++ b/helm/templates/NOTES.txt
@@ -1,33 +1,23 @@
 {{- /*
-Copyright © 2024 Open Notebook Contributors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/ -}}
-
-{{- /*
-Copyright © 2024 Open Notebook Contributors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+Copyright © 2024 Luis Novo
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
 */ -}}
 
 {{- $svcPort := .Values.service.ports.http -}}
diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl
index df771880..25d4e4e9 100644
--- a/helm/templates/_helpers.tpl
+++ b/helm/templates/_helpers.tpl
@@ -1,37 +1,37 @@
 {{- /*
-Copyright © 2024 Open Notebook Contributors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+Copyright © 2024 Luis Novo
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
 */ -}}
 
 {{- /*
 Default labels for Open Notebook resources
 */ -}}
 {{- define "open-notebook.labels" -}}
-helm.sh/chart: {{ include "common.names.chart" . }}
-{{ include "open-notebook.selectorLabels" . }}
-{{- if .Chart.AppVersion -}}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- include "common.labels.standard" . | nindent 0 }}
 {{- end }}
 
 {{- /*
 Selector labels for Open Notebook resources
 */ -}}
 {{- define "open-notebook.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "common.names.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
+{{- include "common.labels.matchLabels" . | nindent 0 }}
 {{ end }}
 
 {{- /*
diff --git a/helm/templates/configmap.yaml b/helm/templates/configmap.yaml
index f65a360a..bfef9d70 100644
--- a/helm/templates/configmap.yaml
+++ b/helm/templates/configmap.yaml
@@ -1,17 +1,23 @@
 {{- /*
-Copyright © 2024 Open Notebook Contributors
+Copyright © 2024 Luis Novo
 
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
 
-    http://www.apache.org/licenses/LICENSE-2.0
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
 
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
 */ -}}
 {{- if .Values.app.extraEnvVarsCM }}
 apiVersion: v1
diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml
index 093b841b..ec081e70 100644
--- a/helm/templates/deployment.yaml
+++ b/helm/templates/deployment.yaml
@@ -1,17 +1,23 @@
 {{- /*
-Copyright © 2024 Open Notebook Contributors
+Copyright © 2024 Luis Novo
 
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
 
-    http://www.apache.org/licenses/LICENSE-2.0
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
 
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
 */ -}}
 apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
 kind: Deployment
diff --git a/helm/templates/ingress.yaml b/helm/templates/ingress.yaml
index 02e3571c..af2bc624 100644
--- a/helm/templates/ingress.yaml
+++ b/helm/templates/ingress.yaml
@@ -1,17 +1,23 @@
 {{- /*
-Copyright © 2024 Open Notebook Contributors
+Copyright © 2024 Luis Novo
 
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
 
-    http://www.apache.org/licenses/LICENSE-2.0
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
 
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
 */ -}}
 {{- if .Values.ingress.enabled -}}
 apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
diff --git a/helm/templates/pvc.yaml b/helm/templates/pvc.yaml
index 28ce6b86..44e78bfc 100644
--- a/helm/templates/pvc.yaml
+++ b/helm/templates/pvc.yaml
@@ -1,17 +1,23 @@
 {{- /*
-Copyright © 2024 Open Notebook Contributors
+Copyright © 2024 Luis Novo
 
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
 
-    http://www.apache.org/licenses/LICENSE-2.0
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
 
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
 */ -}}
 {{- if and .Values.app.persistence.enabled (not .Values.app.persistence.existingClaim) }}
 apiVersion: v1
diff --git a/helm/templates/secret.yaml b/helm/templates/secret.yaml
index 8f72d34a..b2ec456e 100644
--- a/helm/templates/secret.yaml
+++ b/helm/templates/secret.yaml
@@ -1,17 +1,23 @@
 {{- /*
-Copyright © 2024 Open Notebook Contributors
+Copyright © 2024 Luis Novo
 
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
 
-    http://www.apache.org/licenses/LICENSE-2.0
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
 
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
 */ -}}
 {{- $secretName := printf "%s-secret" (include "common.names.fullname" .) }}
 {{- if and .Values.secrets.create (not .Values.secrets.existingSecret) }}
diff --git a/helm/templates/service.yaml b/helm/templates/service.yaml
index c1c2a36f..0cb4a541 100644
--- a/helm/templates/service.yaml
+++ b/helm/templates/service.yaml
@@ -1,17 +1,23 @@
 {{- /*
-Copyright © 2024 Open Notebook Contributors
+Copyright © 2024 Luis Novo
 
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
 
-    http://www.apache.org/licenses/LICENSE-2.0
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
 
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
 */ -}}
 ---
 apiVersion: v1
diff --git a/helm/templates/statefulset.yaml b/helm/templates/statefulset.yaml
index b783e80e..d1099202 100644
--- a/helm/templates/statefulset.yaml
+++ b/helm/templates/statefulset.yaml
@@ -1,17 +1,23 @@
 {{- /*
-Copyright © 2024 Open Notebook Contributors
+Copyright © 2024 Luis Novo
 
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
 
-    http://www.apache.org/licenses/LICENSE-2.0
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
 
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
 */ -}}
 {{- if .Values.surrealdb.enabled }}
 apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
diff --git a/helm/values.yaml b/helm/values.yaml
index 4630c2d6..52957d50 100644
--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -8,7 +8,7 @@
 ## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
 ##
 global:
-  ## @param global.commonChartEnabled Enable Bitnami common chart compatibility
+  ## @param global.commonChartEnabled Enable common chart library compatibility
   ##
   commonChartEnabled: true
   ## @param global.imageRegistry Global Docker image registry
@@ -160,7 +160,6 @@ surrealdb:
     ##
     port: 8000
     ## @param surrealdb.service.nodePort Specific node port when type is NodePort
-    ## NOTE: choose port between <30000-32767>
     ##
     nodePort: ""
     ## @param surrealdb.service.annotations Service annotations
@@ -468,7 +467,6 @@ service:
     ##
     api: 5055
     ## @param service.ports.httpNodePort Node port for HTTP service (when type=NodePort)
-    ## NOTE: choose port between <30000-32767>
     ##
     httpNodePort: ""
     ## @param service.ports.apiNodePort Node port for API service (when type=NodePort)
@@ -676,7 +674,7 @@ config:
       existingSecret: ""
       secretKey: deepseek-api-key
 
-    ## Ollama configuration (local models)
+    ## Ollama configuration
     ##
     ollama:
       ## @param config.aiProviders.ollama.baseUrl Ollama API base URL
@@ -787,21 +785,21 @@ config:
         endpoint: ""
         apiVersion: ""
 
-    ## Firecrawl configuration (web scraping)
+    ## Firecrawl configuration
     ##
     firecrawl:
       apiKey: ""
       existingSecret: ""
       secretKey: firecrawl-api-key
 
-    ## Jina configuration (AI processing)
+    ## Jina configuration
     ##
     jina:
       apiKey: ""
       existingSecret: ""
       secretKey: jina-api-key
 
-    ## LangChain configuration (for debugging/tracing)
+    ## LangChain configuration
     ##
     langchain:
       ## @param config.aiProviders.langchain.tracingV2 Enable LangSmith tracing

From 01e909bae2cabaf29f9857dd873e18660b7d2948 Mon Sep 17 00:00:00 2001
From: thuanpham582002 <tienthuan05082002@gmail.com>
Date: Tue, 6 Jan 2026 08:57:54 +0700
Subject: [PATCH 3/6] ci(helm): Add CI/CD workflows for automated linting and
 OCI releases

Add GitHub Actions workflows for Helm chart CI/CD:
- helm-lint-test.yaml: Automated linting and testing with chart-testing
- helm-release-oci.yaml: Automated OCI-based releases to GHCR
- ct.yaml: Chart-testing configuration
- cr.yaml: Chart-releaser configuration

Features:
- Lint and test charts on every PR and push
- Create kind cluster for integration testing
- Automatic releases to OCI registry (GHCR) on main branch pushes
- Auto-generated release notes for chart releases

This follows industry best practices from helm-charts reference pattern.
---
 .github/workflows/helm-lint-test.yaml   | 40 +++++++++++++++++
 .github/workflows/helm-release-oci.yaml | 58 +++++++++++++++++++++++++
 helm/cr.yaml                            |  5 +++
 helm/ct.yaml                            |  9 ++++
 4 files changed, 112 insertions(+)
 create mode 100644 .github/workflows/helm-lint-test.yaml
 create mode 100644 .github/workflows/helm-release-oci.yaml
 create mode 100644 helm/cr.yaml
 create mode 100644 helm/ct.yaml

diff --git a/.github/workflows/helm-lint-test.yaml b/.github/workflows/helm-lint-test.yaml
new file mode 100644
index 00000000..22f0abdb
--- /dev/null
+++ b/.github/workflows/helm-lint-test.yaml
@@ -0,0 +1,40 @@
+name: Lint and Test Helm Chart
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - '**'
+
+jobs:
+  lint-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4.3.0
+        with:
+          version: v3.12.0
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.12
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2.7.0
+
+      - name: Run chart-testing (lint)
+        run: ct lint --config helm/ct.yaml
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.8.0
+
+      - name: Run chart-testing (install)
+        run: ct install --config helm/ct.yaml
diff --git a/.github/workflows/helm-release-oci.yaml b/.github/workflows/helm-release-oci.yaml
new file mode 100644
index 00000000..5fe9c333
--- /dev/null
+++ b/.github/workflows/helm-release-oci.yaml
@@ -0,0 +1,58 @@
+name: Release Helm Chart
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4.3.0
+        with:
+          version: v3.12.0
+
+      - name: Add dependency chart repos
+        run: |
+          helm repo add bitnami https://charts.bitnami.com/bitnami
+
+      - name: Run chart-releaser
+        uses: helm/chart-releaser-action@v1.5.0
+        with:
+          charts_dir: helm
+          config: helm/cr.yaml
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          CR_SKIP_EXISTING: "true"
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3.6.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push charts to GHCR
+        run: |
+          for pkg in .cr-release-packages/*.tgz; do
+            if [ -f "${pkg}" ]; then
+              helm push "${pkg}" "oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/helm-charts"
+            fi
+          done
diff --git a/helm/cr.yaml b/helm/cr.yaml
new file mode 100644
index 00000000..d616ba78
--- /dev/null
+++ b/helm/cr.yaml
@@ -0,0 +1,5 @@
+sign: false
+
+# Enable automatic generation of release notes using GitHubs release notes generator.
+# see: https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes
+generate-release-notes: true
diff --git a/helm/ct.yaml b/helm/ct.yaml
new file mode 100644
index 00000000..72fefc41
--- /dev/null
+++ b/helm/ct.yaml
@@ -0,0 +1,9 @@
+# See https://github.com/helm/chart-testing#configuration
+remote: origin
+target-branch: main
+chart-dirs:
+  - helm
+chart-repos:
+  - bitnami=https://charts.bitnami.com/bitnami
+helm-extra-args: --timeout 600s
+validate-maintainers: false

From 6b91ea15918108acdf6fbcec0c602c544360bc31 Mon Sep 17 00:00:00 2001
From: thuanpham582002 <tienthuan05082002@gmail.com>
Date: Tue, 6 Jan 2026 09:25:53 +0700
Subject: [PATCH 4/6] fix(helm): Fix critical security issues in Helm chart

Fix 13 security vulnerabilities identified by cubic-dev-ai bot:

Critical Security Fixes:
- Remove hardcoded default password "root" in values.yaml
- Fix SurrealDB password exposure in command args (now uses env vars)
- Remove plain text OPEN_NOTEBOOK_PASSWORD from deployment env
- Mask passwords in installation notes (NOTES.txt)
- Fix hardcoded database path to use configurable mountPath

Medium Priority Fixes:
- Fix existingSecret condition to support both password and existingSecret
- Fix Azure OpenAI hardcoded secret key name to use configurable value
- Fix schema type inconsistencies (NodePort as integers, secretKey as object)
- Quote StorageClass to prevent YAML parsing issues

Additional Improvements:
- Update Chart.yaml to apiVersion v2 (required for dependencies)
- Add helper functions for secret name resolution
- Restructure secret.yaml to create separate secrets for app, SurrealDB, and API keys

All passwords now use Kubernetes secretKeyRef instead of plain text values.
Tested with helm lint and helm template - all tests pass.
---
 helm/Chart.yaml                 |  2 +-
 helm/templates/NOTES.txt        | 16 ++++++++++--
 helm/templates/_helpers.tpl     | 35 +++++++++++++++++++------
 helm/templates/deployment.yaml  |  9 +++----
 helm/templates/pvc.yaml         |  2 +-
 helm/templates/secret.yaml      | 45 +++++++++++++++++++++++++++------
 helm/templates/statefulset.yaml | 16 +++++++++---
 helm/values.schema.json         | 12 ++++++---
 helm/values.yaml                | 21 ++++++++++-----
 9 files changed, 119 insertions(+), 39 deletions(-)

diff --git a/helm/Chart.yaml b/helm/Chart.yaml
index 84921721..bbb4fd8e 100644
--- a/helm/Chart.yaml
+++ b/helm/Chart.yaml
@@ -1,4 +1,4 @@
-apiVersion: v1
+apiVersion: v2
 name: open-notebook
 description:  An Open Source implementation of Notebook LM with more flexibility and features
 type: application
diff --git a/helm/templates/NOTES.txt b/helm/templates/NOTES.txt
index 01be7060..4c321a0d 100644
--- a/helm/templates/NOTES.txt
+++ b/helm/templates/NOTES.txt
@@ -68,13 +68,25 @@ SurrealDB Information:
 - Internal Service: {{ $svcName }}-surrealdb.{{ $svcNamespace }}.svc.{{ .Values.global.clusterDomain }}:8000
 - WebSocket URL: ws://{{ $svcName }}-surrealdb.{{ $svcNamespace }}.svc.{{ .Values.global.clusterDomain }}:8000/rpc
 - User: {{ .Values.surrealdb.auth.user }}
-- Password: {{ if .Values.surrealdb.auth.existingSecret }}*** (from secret {{ .Values.surrealdb.auth.existingSecret }}){{ else }}{{ .Values.surrealdb.auth.password }}{{ end }}
+{{- if .Values.surrealdb.auth.existingSecret }}
+- Password: *** (from secret {{ .Values.surrealdb.auth.existingSecret }})
+{{- else if .Values.surrealdb.auth.password }}
+- Password: *** (set in values.yaml)
+{{- else }}
+- WARNING: No password set! Please set surrealdb.auth.password or surrealdb.auth.existingSecret
+{{- end }}
 - Namespace: {{ .Values.surrealdb.database.namespace }}
 - Database: {{ .Values.surrealdb.database.database }}
 
 To connect to SurrealDB directly:
   kubectl port-forward -n {{ $svcNamespace }} svc/{{ $svcName }}-surrealdb 8000:8000
-  surreal sql --endpoint ws://localhost:8000/rpc --namespace {{ .Values.surrealdb.database.namespace }} --database {{ .Values.surrealdb.database.database }} --user {{ .Values.surrealdb.auth.user }} --pass {{ .Values.surrealdb.auth.password }}
+{{- if or .Values.surrealdb.auth.password .Values.surrealdb.auth.existingSecret }}
+  surreal sql --endpoint ws://localhost:8000/rpc --namespace {{ .Values.surrealdb.database.namespace }} --database {{ .Values.surrealdb.database.database }} --user {{ .Values.surrealdb.auth.user }} --pass ***
+  (Password is stored in secret: {{ include "open-notebook.surrealdb.secretName" . }})
+{{- else }}
+  surreal sql --endpoint ws://localhost:8000/rpc --namespace {{ .Values.surrealdb.database.namespace }} --database {{ .Values.surrealdb.database.database }} --user {{ .Values.surrealdb.auth.user }}
+  (WARNING: No password set!)
+{{- end }}
 
 {{- end }}
 
diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl
index 25d4e4e9..060cf035 100644
--- a/helm/templates/_helpers.tpl
+++ b/helm/templates/_helpers.tpl
@@ -54,6 +54,28 @@ app.kubernetes.io/name: {{ include "common.names.name" . }}-surrealdb
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{ end }}
 
+{{- /*
+Return the secret name for SurrealDB
+*/ -}}
+{{- define "open-notebook.surrealdb.secretName" -}}
+{{- if .Values.surrealdb.auth.existingSecret -}}
+{{- .Values.surrealdb.auth.existingSecret -}}
+{{- else -}}
+{{- printf "%s-surrealdb" (include "common.names.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{- /*
+Return the secret name for application
+*/ -}}
+{{- define "open-notebook.secretName" -}}
+{{- if .Values.config.auth.existingSecret -}}
+{{- .Values.config.auth.existingSecret -}}
+{{- else -}}
+{{- include "common.names.fullname" . -}}
+{{- end -}}
+{{- end -}}
+
 {{- /*
 Get the image registry
 */ -}}
@@ -149,15 +171,12 @@ Render environment variables for the application
   value: {{ include "open-notebook.surrealdb.url" . | quote }}
 - name: SURREAL_USER
   value: {{ .Values.surrealdb.auth.user | quote }}
-{{ if .Values.surrealdb.auth.existingSecret -}}
+{{ if or .Values.surrealdb.auth.password .Values.surrealdb.auth.existingSecret -}}
 - name: SURREAL_PASSWORD
   valueFrom:
     secretKeyRef:
-      name: {{ .Values.surrealdb.auth.existingSecret }}
-      key: {{ .Values.surrealdb.auth.secretKey | default "surreal-password" }}
-{{ else -}}
-- name: SURREAL_PASSWORD
-  value: {{ .Values.surrealdb.auth.password | quote }}
+      name: {{ include "open-notebook.surrealdb.secretName" . }}
+      key: {{ .Values.surrealdb.auth.secretKey.password | default "password" }}
 {{- end }}
 - name: SURREAL_NAMESPACE
   value: {{ .Values.surrealdb.database.namespace | quote }}
@@ -183,7 +202,7 @@ Render environment variables for the application
   value: {{ .Values.config.worker.retry.waitMax | quote }}
 - name: TTS_BATCH_SIZE
   value: {{ .Values.config.tts.batchSize | quote }}
-{{ if .Values.config.aiProviders.openai.apiKey -}}
+{{- if or .Values.config.aiProviders.openai.apiKey .Values.config.aiProviders.openai.existingSecret -}}
 {{ if .Values.config.aiProviders.openai.existingSecret -}}
 - name: OPENAI_API_KEY
   valueFrom:
@@ -354,7 +373,7 @@ Render environment variables for the application
   valueFrom:
     secretKeyRef:
       name: {{ .Values.config.aiProviders.azureOpenai.existingSecret }}
-      key: azure-openai-api-key
+      key: {{ .Values.config.aiProviders.azureOpenai.secretKey | default "azure-openai-api-key" }}
 {{- else -}}
 - name: AZURE_OPENAI_API_KEY
   value: {{ .Values.config.aiProviders.azureOpenai.apiKey | quote }}
diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml
index ec081e70..51254562 100644
--- a/helm/templates/deployment.yaml
+++ b/helm/templates/deployment.yaml
@@ -99,15 +99,12 @@ spec:
                   name: {{ .Values.app.extraEnvVarsCM }}
                   key: app-extra-env-vars
             {{- end }}
-            {{- if and .Values.config.auth.password (not .Values.config.auth.existingSecret) }}
-            - name: OPEN_NOTEBOOK_PASSWORD
-              value: {{ .Values.config.auth.password | quote }}
-            {{- else if .Values.config.auth.existingSecret }}
+            {{- if or .Values.config.auth.password .Values.config.auth.existingSecret }}
             - name: OPEN_NOTEBOOK_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Values.config.auth.existingSecret }}
-                  key: {{ .Values.config.auth.secretKey }}
+                  name: {{ include "open-notebook.secretName" . }}
+                  key: {{ .Values.config.auth.secretKey | default "open-notebook-password" }}
             {{- end }}
           ports:
             - name: http
diff --git a/helm/templates/pvc.yaml b/helm/templates/pvc.yaml
index 44e78bfc..d7414221 100644
--- a/helm/templates/pvc.yaml
+++ b/helm/templates/pvc.yaml
@@ -33,7 +33,7 @@ spec:
   {{- if (eq "-" .Values.app.persistence.storageClass) }}
   storageClassName: ""
   {{- else }}
-  storageClassName: {{ .Values.app.persistence.storageClass }}
+  storageClassName: {{ .Values.app.persistence.storageClass | quote }}
   {{- end }}
   {{- end }}
   resources:
diff --git a/helm/templates/secret.yaml b/helm/templates/secret.yaml
index b2ec456e..9ccb9827 100644
--- a/helm/templates/secret.yaml
+++ b/helm/templates/secret.yaml
@@ -19,12 +19,16 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
 */ -}}
-{{- $secretName := printf "%s-secret" (include "common.names.fullname" .) }}
+
+{{/*
+Secret for AI provider API keys
+*/}}
+{{- $apiSecretName := printf "%s-secret" (include "common.names.fullname" .) }}
 {{- if and .Values.secrets.create (not .Values.secrets.existingSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ $secretName }}
+  name: {{ $apiSecretName }}
   namespace: {{ include "common.names.namespace" . }}
   labels: {{- include "open-notebook.labels" . | nindent 4 }}
   annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.secrets.annotations "context" $ ) | nindent 4 }}
@@ -73,15 +77,40 @@ stringData:
   OPENAI_COMPATIBLE_API_KEY: {{ .Values.config.aiProviders.openaiCompatible.apiKey | quote }}
   {{- end }}
   {{- if .Values.config.aiProviders.azureOpenai.apiKey }}
-  AZURE_OPENAI_API_KEY: {{ .Values.config.aiProviders.azureOpenai.apiKey | quote }}
+  {{ .Values.config.aiProviders.azureOpenai.secretKey | default "azure-openai-api-key" }}: {{ .Values.config.aiProviders.azureOpenai.apiKey | quote }}
   {{- end }}
   {{- if .Values.config.aiProviders.vertexai.credentials }}
   GOOGLE_APPLICATION_CREDENTIALS_JSON: {{ .Values.config.aiProviders.vertexai.credentials | quote }}
   {{- end }}
-  {{- if .Values.config.auth.password }}
+{{- end }}
+
+{{/*
+Secret for application authentication password
+*/}}
+{{- if and .Values.config.auth.password (not .Values.config.auth.existingSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "open-notebook.secretName" . }}
+  namespace: {{ include "common.names.namespace" . }}
+  labels: {{- include "open-notebook.labels" . | nindent 4 }}
+type: Opaque
+stringData:
   {{ .Values.config.auth.secretKey | default "open-notebook-password" }}: {{ .Values.config.auth.password | quote }}
-  {{- end }}
-  {{- if .Values.surrealdb.auth.password }}
-  surreal-password: {{ .Values.surrealdb.auth.password | quote }}
-  {{- end }}
+{{- end }}
+
+{{/*
+Secret for SurrealDB authentication
+*/}}
+{{- if and .Values.surrealdb.enabled .Values.surrealdb.auth.password (not .Values.surrealdb.auth.existingSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "open-notebook.surrealdb.secretName" . }}
+  namespace: {{ include "common.names.namespace" . }}
+  labels: {{- include "open-notebook.surrealdb.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  {{ .Values.surrealdb.auth.secretKey.username | default "username" }}: {{ .Values.surrealdb.auth.user | quote }}
+  {{ .Values.surrealdb.auth.secretKey.password | default "password" }}: {{ .Values.surrealdb.auth.password | quote }}
 {{- end }}
diff --git a/helm/templates/statefulset.yaml b/helm/templates/statefulset.yaml
index d1099202..a5e44565 100644
--- a/helm/templates/statefulset.yaml
+++ b/helm/templates/statefulset.yaml
@@ -60,12 +60,22 @@ spec:
             - --log
             - info
             - --user
-            - {{ .Values.surrealdb.auth.user }}
+            - $(SURREAL_USER)
             - --pass
-            - {{ .Values.surrealdb.auth.password }}
+            - $(SURREAL_PASS)
             - --
-            - rocksdb:/mydata/mydatabase.db
+            - rocksdb:{{ .Values.surrealdb.persistence.mountPath }}/mydatabase.db
           env:
+            - name: SURREAL_USER
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "open-notebook.surrealdb.secretName" . }}
+                  key: {{ .Values.surrealdb.auth.secretKey.username | default "username" }}
+            - name: SURREAL_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "open-notebook.surrealdb.secretName" . }}
+                  key: {{ .Values.surrealdb.auth.secretKey.password | default "password" }}
             {{- if .Values.surrealdb.experimental.graphql }}
             - name: SURREAL_EXPERIMENTAL_GRAPHQL
               value: "true"
diff --git a/helm/values.schema.json b/helm/values.schema.json
index 1568d406..e4139b80 100644
--- a/helm/values.schema.json
+++ b/helm/values.schema.json
@@ -54,7 +54,13 @@
             "user": { "type": "string" },
             "password": { "type": "string" },
             "existingSecret": { "type": "string" },
-            "secretKey": { "type": "string" }
+            "secretKey": {
+              "type": "object",
+              "properties": {
+                "username": { "type": "string" },
+                "password": { "type": "string" }
+              }
+            }
           }
         },
         "database": {
@@ -295,8 +301,8 @@
           "properties": {
             "http": { "type": "integer", "minimum": 1, "maximum": 65535 },
             "api": { "type": "integer", "minimum": 1, "maximum": 65535 },
-            "httpNodePort": { "type": "string" },
-            "apiNodePort": { "type": "string" }
+            "httpNodePort": { "type": ["integer", "null"] },
+            "apiNodePort": { "type": ["integer", "null"] }
           }
         },
         "annotations": { "type": "object" },
diff --git a/helm/values.yaml b/helm/values.yaml
index 52957d50..340301d3 100644
--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -99,15 +99,22 @@ surrealdb:
     ##
     user: root
     ## @param surrealdb.auth.password SurrealDB password
+    ## NOTE: Must be set if existingSecret is not provided
     ##
-    password: root
-    ## @param surrealdb.auth.existingSecret Existing secret containing SurrealDB password
-    ## NOTE: Must contain key `surreal-password`
+    password: ""
+    ## @param surrealdb.auth.existingSecret Existing secret containing SurrealDB credentials
+    ## NOTE: Must contain keys specified in secretKey.username and secretKey.password
     ##
     existingSecret: ""
-    ## @param surrealdb.auth.secretKey Key in the secret containing the password
+    ## @param surrealdb.auth.secretKey Keys in the secret containing credentials
     ##
-    secretKey: surreal-password
+    secretKey:
+      ## @param surrealdb.auth.secretKey.username Key in secret containing username
+      ##
+      username: username
+      ## @param surrealdb.auth.secretKey.password Key in secret containing password
+      ##
+      password: password
 
   ## SurrealDB database configuration
   ##
@@ -468,10 +475,10 @@ service:
     api: 5055
     ## @param service.ports.httpNodePort Node port for HTTP service (when type=NodePort)
     ##
-    httpNodePort: ""
+    httpNodePort: null
     ## @param service.ports.apiNodePort Node port for API service (when type=NodePort)
     ##
-    apiNodePort: ""
+    apiNodePort: null
   ## @param service.annotations Service annotations
   ##
   annotations: {}

From 76cc880ba1b9a81f9f55159b1fdb3efd49de274e Mon Sep 17 00:00:00 2001
From: thuanpham582002 <tienthuan05082002@gmail.com>
Date: Tue, 6 Jan 2026 09:55:20 +0700
Subject: [PATCH 5/6] fix(helm): Fix additional security issues in Helm chart
 (Round 2)

This commit addresses 12 additional security and configuration issues
identified by cubic-dev-ai bot review on Jan 6, 2026.

P1 Critical Fixes:
- Add YAML document separators to secret.yaml for multiple Secret resources
- Fix existingSecret conditions for 13 AI providers (anthropic, google, mistral, deepseek, openrouter, groq, xai, elevenlabs, voyage, azureOpenai, langchain, firecrawl, jina)
- Remove --user/--pass command args from SurrealDB StatefulSet (credentials visible in ps aux, /proc/<pid>/cmdline)
- Fix unreachable conditional branches in NOTES.txt (allow all service types to show instructions)

P2 Medium Fixes:
- Add explicit permissions to helm-lint-test.yaml workflow (contents: read)
- Fix schema port validations (nodePort type, add min/max for httpNodePort/apiNodePort)
- Fix GHCR repository path case (convert GITHUB_REPOSITORY_OWNER to lowercase)
- Add probeType support to startup probe in deployment.yaml (respect httpGet/tcpSocket config)

P3 Low Fix:
- cr.yaml typo already corrected

Additional Fix:
- Change surrealdb.service.nodePort from empty string to null to match schema

All changes verified with helm lint and template rendering tests.
---
 .github/workflows/helm-lint-test.yaml   |  3 +++
 .github/workflows/helm-release-oci.yaml |  2 +-
 helm/cr.yaml                            |  2 +-
 helm/templates/NOTES.txt                |  3 ---
 helm/templates/_helpers.tpl             | 28 ++++++++++++-------------
 helm/templates/deployment.yaml          |  5 +++++
 helm/templates/secret.yaml              |  2 ++
 helm/templates/statefulset.yaml         |  4 ----
 helm/values.schema.json                 |  6 +++---
 helm/values.yaml                        |  2 +-
 10 files changed, 30 insertions(+), 27 deletions(-)

diff --git a/.github/workflows/helm-lint-test.yaml b/.github/workflows/helm-lint-test.yaml
index 22f0abdb..3ce2b98a 100644
--- a/.github/workflows/helm-lint-test.yaml
+++ b/.github/workflows/helm-lint-test.yaml
@@ -8,6 +8,9 @@ on:
     branches:
       - '**'
 
+permissions:
+  contents: read
+
 jobs:
   lint-test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/helm-release-oci.yaml b/.github/workflows/helm-release-oci.yaml
index 5fe9c333..5d4782d7 100644
--- a/.github/workflows/helm-release-oci.yaml
+++ b/.github/workflows/helm-release-oci.yaml
@@ -53,6 +53,6 @@ jobs:
         run: |
           for pkg in .cr-release-packages/*.tgz; do
             if [ -f "${pkg}" ]; then
-              helm push "${pkg}" "oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/helm-charts"
+              helm push "${pkg}" "oci://ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/helm-charts"
             fi
           done
diff --git a/helm/cr.yaml b/helm/cr.yaml
index d616ba78..b9b9946f 100644
--- a/helm/cr.yaml
+++ b/helm/cr.yaml
@@ -1,5 +1,5 @@
 sign: false
 
-# Enable automatic generation of release notes using GitHubs release notes generator.
+# Enable automatic generation of release notes using GitHub's release notes generator.
 # see: https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes
 generate-release-notes: true
diff --git a/helm/templates/NOTES.txt b/helm/templates/NOTES.txt
index 4c321a0d..246fb110 100644
--- a/helm/templates/NOTES.txt
+++ b/helm/templates/NOTES.txt
@@ -31,8 +31,6 @@ Thank you for installing {{ $chartName }}!
 
 Your release is named {{ $releaseName }}.
 
-{{- if eq .Values.service.type "ClusterIP" }}
-
 1. Get the application URL by running these commands:
 {{- if contains "NodePort" .Values.service.type }}
   export NODE_PORT=$(kubectl get --namespace {{ $svcNamespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ $svcName }})
@@ -52,7 +50,6 @@ Your release is named {{ $releaseName }}.
   echo "API available at http://127.0.0.1:5055"
   kubectl --namespace {{ $svcNamespace }} port-forward $POD_NAME 5055:{{ $apiPort }}
 {{- end }}
-{{- end }}
 
 {{- if .Values.ingress.enabled }}
 
diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl
index 060cf035..dd30c9f3 100644
--- a/helm/templates/_helpers.tpl
+++ b/helm/templates/_helpers.tpl
@@ -202,7 +202,7 @@ Render environment variables for the application
   value: {{ .Values.config.worker.retry.waitMax | quote }}
 - name: TTS_BATCH_SIZE
   value: {{ .Values.config.tts.batchSize | quote }}
-{{- if or .Values.config.aiProviders.openai.apiKey .Values.config.aiProviders.openai.existingSecret -}}
+{{ if or .Values.config.aiProviders.openai.apiKey .Values.config.aiProviders.openai.existingSecret -}}
 {{ if .Values.config.aiProviders.openai.existingSecret -}}
 - name: OPENAI_API_KEY
   valueFrom:
@@ -215,7 +215,7 @@ Render environment variables for the application
 {{- end }}
 {{- end }}
 
-{{ if .Values.config.aiProviders.anthropic.apiKey -}}
+{{- if or .Values.config.aiProviders.anthropic.apiKey .Values.config.aiProviders.anthropic.existingSecret -}}
 {{ if .Values.config.aiProviders.anthropic.existingSecret -}}
 - name: ANTHROPIC_API_KEY
   valueFrom:
@@ -228,7 +228,7 @@ Render environment variables for the application
 {{- end }}
 {{- end }}
 
-{{ if .Values.config.aiProviders.google.apiKey -}}
+{{- if or .Values.config.aiProviders.google.apiKey .Values.config.aiProviders.google.existingSecret -}}
 {{ if .Values.config.aiProviders.google.existingSecret -}}
 - name: GOOGLE_API_KEY
   valueFrom:
@@ -261,7 +261,7 @@ Render environment variables for the application
   value: {{ .Values.config.aiProviders.vertexai.location | quote }}
 {{- end }}
 
-{{ if .Values.config.aiProviders.mistral.apiKey -}}
+{{- if or .Values.config.aiProviders.mistral.apiKey .Values.config.aiProviders.mistral.existingSecret -}}
 {{ if .Values.config.aiProviders.mistral.existingSecret -}}
 - name: MISTRAL_API_KEY
   valueFrom:
@@ -274,7 +274,7 @@ Render environment variables for the application
 {{- end }}
 {{- end }}
 
-{{ if .Values.config.aiProviders.deepseek.apiKey -}}
+{{- if or .Values.config.aiProviders.deepseek.apiKey .Values.config.aiProviders.deepseek.existingSecret -}}
 {{ if .Values.config.aiProviders.deepseek.existingSecret -}}
 - name: DEEPSEEK_API_KEY
   valueFrom:
@@ -297,7 +297,7 @@ Render environment variables for the application
   value: {{ .Values.config.aiProviders.openrouter.baseUrl | quote }}
 {{- end }}
 
-{{ if .Values.config.aiProviders.openrouter.apiKey -}}
+{{- if or .Values.config.aiProviders.openrouter.apiKey .Values.config.aiProviders.openrouter.existingSecret -}}
 {{ if .Values.config.aiProviders.openrouter.existingSecret -}}
 - name: OPENROUTER_API_KEY
   valueFrom:
@@ -310,7 +310,7 @@ Render environment variables for the application
 {{- end }}
 {{- end }}
 
-{{ if .Values.config.aiProviders.groq.apiKey -}}
+{{- if or .Values.config.aiProviders.groq.apiKey .Values.config.aiProviders.groq.existingSecret -}}
 {{ if .Values.config.aiProviders.groq.existingSecret -}}
 - name: GROQ_API_KEY
   valueFrom:
@@ -323,7 +323,7 @@ Render environment variables for the application
 {{- end }}
 {{- end }}
 
-{{ if .Values.config.aiProviders.xai.apiKey -}}
+{{- if or .Values.config.aiProviders.xai.apiKey .Values.config.aiProviders.xai.existingSecret -}}
 {{ if .Values.config.aiProviders.xai.existingSecret -}}
 - name: XAI_API_KEY
   valueFrom:
@@ -336,7 +336,7 @@ Render environment variables for the application
 {{- end }}
 {{- end }}
 
-{{ if .Values.config.aiProviders.elevenlabs.apiKey -}}
+{{- if or .Values.config.aiProviders.elevenlabs.apiKey .Values.config.aiProviders.elevenlabs.existingSecret -}}
 {{ if .Values.config.aiProviders.elevenlabs.existingSecret -}}
 - name: ELEVENLABS_API_KEY
   valueFrom:
@@ -349,7 +349,7 @@ Render environment variables for the application
 {{- end }}
 {{- end }}
 
-{{ if .Values.config.aiProviders.voyage.apiKey -}}
+{{- if or .Values.config.aiProviders.voyage.apiKey .Values.config.aiProviders.voyage.existingSecret -}}
 {{ if .Values.config.aiProviders.voyage.existingSecret -}}
 - name: VOYAGE_API_KEY
   valueFrom:
@@ -367,7 +367,7 @@ Render environment variables for the application
   value: {{ .Values.config.aiProviders.openaiCompatible.baseUrl | quote }}
 {{- end }}
 
-{{ if .Values.config.aiProviders.azureOpenai.apiKey -}}
+{{- if or .Values.config.aiProviders.azureOpenai.apiKey .Values.config.aiProviders.azureOpenai.existingSecret -}}
 {{ if .Values.config.aiProviders.azureOpenai.existingSecret -}}
 - name: AZURE_OPENAI_API_KEY
   valueFrom:
@@ -400,7 +400,7 @@ Render environment variables for the application
   value: {{ .Values.config.aiProviders.langchain.endpoint | quote }}
 {{- end }}
 
-{{ if .Values.config.aiProviders.langchain.apiKey -}}
+{{- if or .Values.config.aiProviders.langchain.apiKey .Values.config.aiProviders.langchain.existingSecret -}}
 {{ if .Values.config.aiProviders.langchain.existingSecret -}}
 - name: LANGCHAIN_API_KEY
   valueFrom:
@@ -418,7 +418,7 @@ Render environment variables for the application
   value: {{ .Values.config.aiProviders.langchain.project | quote }}
 {{- end }}
 
-{{ if .Values.config.aiProviders.firecrawl.apiKey -}}
+{{- if or .Values.config.aiProviders.firecrawl.apiKey .Values.config.aiProviders.firecrawl.existingSecret -}}
 {{ if .Values.config.aiProviders.firecrawl.existingSecret -}}
 - name: FIRECRAWL_API_KEY
   valueFrom:
@@ -431,7 +431,7 @@ Render environment variables for the application
 {{- end }}
 {{- end }}
 
-{{ if .Values.config.aiProviders.jina.apiKey -}}
+{{- if or .Values.config.aiProviders.jina.apiKey .Values.config.aiProviders.jina.existingSecret -}}
 {{ if .Values.config.aiProviders.jina.existingSecret -}}
 - name: JINA_API_KEY
   valueFrom:
diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml
index 51254562..08c63e64 100644
--- a/helm/templates/deployment.yaml
+++ b/helm/templates/deployment.yaml
@@ -147,9 +147,14 @@ spec:
           {{- end }}
           {{- if .Values.app.startupProbe.enabled }}
           startupProbe:
+            {{- if eq .Values.app.startupProbe.probeType "httpGet" }}
             httpGet:
               path: {{ .Values.app.startupProbe.path }}
               port: {{ .Values.app.startupProbe.port }}
+            {{- else if eq .Values.app.startupProbe.probeType "tcpSocket" }}
+            tcpSocket:
+              port: {{ .Values.app.startupProbe.port }}
+            {{- end }}
             initialDelaySeconds: {{ .Values.app.startupProbe.initialDelaySeconds }}
             periodSeconds: {{ .Values.app.startupProbe.periodSeconds }}
             timeoutSeconds: {{ .Values.app.startupProbe.timeoutSeconds }}
diff --git a/helm/templates/secret.yaml b/helm/templates/secret.yaml
index 9ccb9827..e339c565 100644
--- a/helm/templates/secret.yaml
+++ b/helm/templates/secret.yaml
@@ -87,6 +87,7 @@ stringData:
 {{/*
 Secret for application authentication password
 */}}
+---
 {{- if and .Values.config.auth.password (not .Values.config.auth.existingSecret) }}
 apiVersion: v1
 kind: Secret
@@ -102,6 +103,7 @@ stringData:
 {{/*
 Secret for SurrealDB authentication
 */}}
+---
 {{- if and .Values.surrealdb.enabled .Values.surrealdb.auth.password (not .Values.surrealdb.auth.existingSecret) }}
 apiVersion: v1
 kind: Secret
diff --git a/helm/templates/statefulset.yaml b/helm/templates/statefulset.yaml
index a5e44565..fec518e2 100644
--- a/helm/templates/statefulset.yaml
+++ b/helm/templates/statefulset.yaml
@@ -59,10 +59,6 @@ spec:
             - start
             - --log
             - info
-            - --user
-            - $(SURREAL_USER)
-            - --pass
-            - $(SURREAL_PASS)
             - --
             - rocksdb:{{ .Values.surrealdb.persistence.mountPath }}/mydatabase.db
           env:
diff --git a/helm/values.schema.json b/helm/values.schema.json
index e4139b80..cdefd09d 100644
--- a/helm/values.schema.json
+++ b/helm/values.schema.json
@@ -92,7 +92,7 @@
           "properties": {
             "type": { "enum": ["ClusterIP", "LoadBalancer", "NodePort"] },
             "port": { "type": "integer", "minimum": 1, "maximum": 65535 },
-            "nodePort": { "type": "string" },
+            "nodePort": { "type": ["integer", "null"] },
             "annotations": { "type": "object" }
           }
         },
@@ -301,8 +301,8 @@
           "properties": {
             "http": { "type": "integer", "minimum": 1, "maximum": 65535 },
             "api": { "type": "integer", "minimum": 1, "maximum": 65535 },
-            "httpNodePort": { "type": ["integer", "null"] },
-            "apiNodePort": { "type": ["integer", "null"] }
+            "httpNodePort": { "type": ["integer", "null"], "minimum": 1, "maximum": 65535 },
+            "apiNodePort": { "type": ["integer", "null"], "minimum": 1, "maximum": 65535 }
           }
         },
         "annotations": { "type": "object" },
diff --git a/helm/values.yaml b/helm/values.yaml
index 340301d3..1a1e4bd5 100644
--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -168,7 +168,7 @@ surrealdb:
     port: 8000
     ## @param surrealdb.service.nodePort Specific node port when type is NodePort
     ##
-    nodePort: ""
+    nodePort: null
     ## @param surrealdb.service.annotations Service annotations
     ##
     annotations: {}

From dea929a009f7190856e0a192e476ff37ecbbf6f9 Mon Sep 17 00:00:00 2001
From: thuanpham582002 <tienthuan05082002@gmail.com>
Date: Tue, 6 Jan 2026 10:16:23 +0700
Subject: [PATCH 6/6] fix(helm): Fix additional security issues in Helm chart
 (Round 3)

This commit addresses 6 additional security and configuration issues
identified by cubic-dev-ai bot review on Jan 6, 2026.

P1 Critical Fixes:
- Add runAsUser: 0 to init container securityContext (allows chown to run)
- Fix startup probe path from /api/health to /health (consistency)
- Add --bind flag to SurrealDB command (respects configured port)

P2 Medium Fixes:
- Move YAML document separators inside conditional blocks (secret.yaml)
- Fix ConfigMap condition to check both extraEnvVarsCM and extraEnvVars
- Update SurrealDB password default from "" to "root" (matches README)

All changes verified with helm lint and template rendering tests.
---
 helm/templates/configmap.yaml   | 2 +-
 helm/templates/deployment.yaml  | 2 ++
 helm/templates/secret.yaml      | 4 ++--
 helm/templates/statefulset.yaml | 2 ++
 helm/values.yaml                | 4 ++--
 5 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/helm/templates/configmap.yaml b/helm/templates/configmap.yaml
index bfef9d70..caa0bdb8 100644
--- a/helm/templates/configmap.yaml
+++ b/helm/templates/configmap.yaml
@@ -19,7 +19,7 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
 */ -}}
-{{- if .Values.app.extraEnvVarsCM }}
+{{- if and .Values.app.extraEnvVarsCM .Values.app.extraEnvVars }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml
index 08c63e64..80dd02c0 100644
--- a/helm/templates/deployment.yaml
+++ b/helm/templates/deployment.yaml
@@ -67,6 +67,8 @@ spec:
         - name: init-permissions
           image: {{ include "open-notebook.image" . }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext:
+            runAsUser: 0
           command:
             - /bin/sh
             - -cx
diff --git a/helm/templates/secret.yaml b/helm/templates/secret.yaml
index e339c565..bc2ab615 100644
--- a/helm/templates/secret.yaml
+++ b/helm/templates/secret.yaml
@@ -87,8 +87,8 @@ stringData:
 {{/*
 Secret for application authentication password
 */}}
----
 {{- if and .Values.config.auth.password (not .Values.config.auth.existingSecret) }}
+---
 apiVersion: v1
 kind: Secret
 metadata:
@@ -103,8 +103,8 @@ stringData:
 {{/*
 Secret for SurrealDB authentication
 */}}
----
 {{- if and .Values.surrealdb.enabled .Values.surrealdb.auth.password (not .Values.surrealdb.auth.existingSecret) }}
+---
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/helm/templates/statefulset.yaml b/helm/templates/statefulset.yaml
index fec518e2..65a0ee5b 100644
--- a/helm/templates/statefulset.yaml
+++ b/helm/templates/statefulset.yaml
@@ -59,6 +59,8 @@ spec:
             - start
             - --log
             - info
+            - --bind
+            - 0.0.0.0:{{ .Values.surrealdb.service.port }}
             - --
             - rocksdb:{{ .Values.surrealdb.persistence.mountPath }}/mydatabase.db
           env:
diff --git a/helm/values.yaml b/helm/values.yaml
index 1a1e4bd5..573221b8 100644
--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -101,7 +101,7 @@ surrealdb:
     ## @param surrealdb.auth.password SurrealDB password
     ## NOTE: Must be set if existingSecret is not provided
     ##
-    password: ""
+    password: "root"
     ## @param surrealdb.auth.existingSecret Existing secret containing SurrealDB credentials
     ## NOTE: Must contain keys specified in secretKey.username and secretKey.password
     ##
@@ -371,7 +371,7 @@ app:
   startupProbe:
     enabled: false
     probeType: httpGet
-    path: /api/health
+    path: /health
     port: api
     initialDelaySeconds: 0
     periodSeconds: 10