feat: Ability to disable App pod

Tiltfile

@@ -86,8 +86,11 @@ for app in ['app', 'console', 'executor', 'parquet', 'weave', 'weave-trace']:
     postfix = current_values.get(app, {}).get('deploymentPostfix', "")
     if postfix != "":
         app_names[app] += '-' + postfix
-k8s_resource(app_names['app'], objects=['wandb-app:ServiceAccount:' + current_namespace])
-k8s_resource(app_names['console'])
+
+if current_values.get('app', {}).get('install', False):
+    k8s_resource(app_names['app'], objects=['wandb-app:ServiceAccount:' + current_namespace])
+if current_values.get('console', {}).get('install', False):
+    k8s_resource(app_names['console'])
 k8s_resource("wandb-nginx", port_forwards=settings["forwardedPorts"]["nginx"], objects=['wandb-console:ServiceAccount:' + current_namespace])
 if current_values.get('anaconda2', {}).get('install', False):
     k8s_resource('wandb-anaconda2', objects=['wandb-anaconda2:ServiceAccount:' + current_namespace])

charts/operator-wandb/Chart.lock

@@ -86,11 +86,14 @@ dependencies:
 - name: wandb-base
   repository: file://../wandb-base
   version: 0.11.6
+- name: wandb-base
+  repository: file://../wandb-base
+  version: 0.11.6
 - name: reloader
   repository: https://stakater.github.io/stakater-charts
   version: 1.3.0
 - name: clickhouse
   repository: file://charts/clickhouse
   version: 9.1.1
-digest: sha256:29ab2278caa8a43a445f702ce7f807c684896bf8f67b31f4e25281f588b9840e
-generated: "2025-12-19T05:05:35.702691+09:00"
+digest: sha256:b5c4d3f08b2fb2f0b60e787b81ee8a7ac9ed5df8b862c9b7f32577c77c99cd41
+generated: "2026-01-28T16:26:07.548808-06:00"

charts/operator-wandb/Chart.yaml

@@ -133,6 +133,11 @@ dependencies:
     condition: anaconda2.install
     repository: file://../wandb-base
     version: "0.11.6"
+  - name: wandb-base
+    alias: internalSignerPreHook
+    condition: internalSignerPreHook.install
+    repository: file://../wandb-base
+    version: "0.11.6"
   - name: wandb-base
     alias: metric-observer
     condition: metric-observer.install

charts/operator-wandb/templates/_volumes.tpl

@@ -56,3 +56,16 @@
 {{- end }}
 {{- end }}
 {{- end }}
+
+
+{{- define "wandb.internalSignerVolumeMounts" -}}
+- name: wandb-internal-signer-root
+  mountPath: /vol/env
+{{- end -}}
+
+{{- define "wandb.internalSignerVolumes" -}}
+- name: wandb-internal-signer-root
+  secret:
+    secretName: "{{ .Release.Name }}-internal-signer"
+    optional: true
+{{- end -}}

charts/operator-wandb/templates/api.yaml

@@ -36,4 +36,8 @@ data:
   {{- if index .Values.global "weave-trace" "enabled" }}
   GORILLA_INTERNAL_JWT_SUBJECTS_TO_ISSUERS: {{ tpl (include "wandb.internalJWTMap" .) . }}
   {{- end }}
+  {{- if not .Values.app.install }}
+  INTERNAL_SIGNER_KEY_PATH: '{{ .Values.global.signerKeyPath }}'
+  {{- end }}
   GORILLA_TASK_QUEUE_WORKER_ENABLED: "false"
+  GORILLA_LOCAL_SERVICE_BYPASS: '{{ .Values.global.localService.bypass }}'

charts/operator-wandb/templates/frontend.yaml

@@ -5,10 +5,18 @@ metadata:
   labels:
     {{- include "wandb.commonLabels" . | nindent 4 }}
 data:
+  {{- if not .Values.app.install }}
+  FRONTEND_APP_BACKEND: "{{ .Release.Name }}-api:8081"
+  FRONTEND_AUTH_BACKEND: "{{ .Release.Name }}-api:8081"
+
+  # this doesn't actually work, but the FE pod currently requires this host to be valid
+  FRONTEND_LOCAL_BACKEND: "{{ .Release.Name }}-api:8083"
+  {{- else }}
   FRONTEND_APP_BACKEND: "{{ .Release.Name }}-app:8080"
   FRONTEND_AUTH_BACKEND: "{{ .Release.Name }}-app:8080"
-  FRONTEND_WEAVE_BACKEND: "{{ .Release.Name }}-weave:9994"
   FRONTEND_LOCAL_BACKEND: "{{ .Release.Name }}-app:8083"
+  {{- end }}
+  FRONTEND_WEAVE_BACKEND: "{{ .Release.Name }}-weave:9994"
   REACT_APP_GIT_TAG: "HEAD"
   REACT_APP_HOST: "{{ .Values.global.host }}"
   REACT_APP_ENVIRONMENT_NAME: "local"

charts/operator-wandb/templates/glue.yaml

@@ -54,3 +54,5 @@ data:
 
   # Clear task dedupe key configuration
   GORILLA_GLUE_CLEAR_TASK_DEDUPE_KEY_ENABLED: "false"
+
+  GORILLA_GLUE_LOCAL_SERVICE_BYPASS: "{{ .Values.global.localService.bypass }}"

charts/operator-wandb/templates/internal-signer-job.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-internal-signer-configmap
+  labels:
+    {{- include "wandb.labels" . | nindent 4 }}
+data:
+  INTERNAL_SIGNER_K8S_SECRET_NAME: "{{ .Release.Name }}-internal-signer"
+  INTERNAL_SIGNER_K8S_NAMESPACE: "{{ .Release.Namespace }}"

charts/operator-wandb/templates/local.yaml

@@ -14,3 +14,6 @@ data:
   OIDC_AUTH_METHOD: {{ .Values.global.auth.oidc.authMethod }}
   OIDC_ISSUER: {{ .Values.global.auth.oidc.issuer }}
   {{- end }}
+
+  INTERNAL_SIGNER_K8S_SECRET_NAME: "{{ .Release.Name }}-internal-signer"
+  INTERNAL_SIGNER_K8S_NAMESPACE: "{{ .Release.Namespace }}"

charts/operator-wandb/templates/nginx.yaml

@@ -21,9 +21,15 @@ data:
         listen 8080;
         proxy_set_header Host $host:8080;
         client_max_body_size 0;
+      {{- if .Values.frontend.install }}
+        location / {
+          proxy_pass http://{{ .Release.Name }}-frontend:8080;
+        }
+      {{- else }}
         location / {
           proxy_pass http://{{ .Release.Name }}-app:8080;
         }
+      {{- end }}
         location /console {
           proxy_pass http://{{ .Release.Name }}-console:8082;
         }

charts/operator-wandb/values.yaml

@@ -26,6 +26,7 @@ global:
     # Example:
     # imagePullSecrets: &imagePullSecrets
     #   - my-registry-secret
+  signerKeyPath: "/vol/env"
 
   cloudProvider: ""
 
@@ -305,6 +306,11 @@ global:
   weave-trace:
     enabled: false
 
+  # As part of the migration away from using local, the `bypass` setting will
+  # control whether the gorilla services will use the app service (and, thus, local)
+  localService:
+    bypass: false
+
   api:
     enabled: false
     rateLimits:
@@ -474,6 +480,7 @@ api:
         failureThreshold: 5
       volumeMountsTpls:
         - '{{ include "wandb.caCertsVolumeMounts" . }}'
+        - '{{ include "wandb.internalSignerVolumeMounts" . }}'
   image:
     repository: wandb/megabinary
     tag: latest
@@ -488,6 +495,7 @@ api:
         verbs: ["get"]
   volumesTpls:
     - '{{ include "wandb.caCertsVolumes" . }}'
+    - '{{ include "wandb.internalSignerVolumes" . }}'
   size: ""
   sizing:
     small:
@@ -1657,6 +1665,7 @@ glue:
     - '{{ include "wandb.license" . }}'
   initContainers:
     init-db:
+
       image:
         repository: wandb/local
         tag: latest
@@ -1697,6 +1706,7 @@ glue:
         failureThreshold: 3
       volumeMountsTpls:
         - '{{ include "wandb.caCertsVolumeMounts" . }}'
+        - '{{ include "wandb.internalSignerVolumeMounts" . }}'
   image:
     repository: wandb/megabinary
     tag: latest
@@ -1713,6 +1723,7 @@ glue:
     type: Recreate
   volumesTpls:
     - '{{ include "wandb.caCertsVolumes" . }}'
+    - '{{ include "wandb.internalSignerVolumes" . }}'
   size: ""
   sizing:
     small:
@@ -1756,6 +1767,32 @@ glue:
           cpu: "3"
           memory: 6Gi
 
+internalSignerPreHook:
+  install: true
+  kind: Job
+  podDisruptionBudget:
+    enabled: false
+  jobs:
+    internal-signer-pre-hook:
+      containers:
+        internal-signer-pre-hook:
+          envFrom:
+            "{{ .Release.Name }}-internal-signer-configmap": "configMapRef"
+          args:
+            - 'secret-generation-job'
+  image:
+    repository: wandb/megabinary
+    tag: latest
+  helmHook:
+    enabled: true
+    hook: "pre-upgrade"
+  role:
+    create: true
+    rules:
+      - apiGroups: [""]
+        resources: ["secrets"]
+        verbs: ["get", "patch", "create", "update"]
+
 metric-observer:
   install: false
   image: