uc-cdis · EliseCastle23 · Feb 3, 2026 · Feb 5, 2026 · Feb 5, 2026 · Feb 5, 2026
diff --git a/helm/arborist/Chart.yaml b/helm/arborist/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.31
+version: 0.1.32
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
@@ -25,9 +25,5 @@ appVersion: "master"
 
 dependencies:
   - name: common
-    version: 0.1.31
+    version: 0.1.34
     repository: file://../common
-  - name: postgresql
-    version: 11.9.13
-    repository: "https://charts.bitnami.com/bitnami"
-    condition: postgres.separate
diff --git a/helm/arborist/README.md b/helm/arborist/README.md
@@ -1,91 +1,66 @@
 # arborist
 
-![Version: 0.1.31](https://img.shields.io/badge/Version-0.1.31-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
+![Version: 0.1.32](https://img.shields.io/badge/Version-0.1.32-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
 
 A Helm chart for gen3 arborist
 
 ## Requirements
 
 | Repository | Name | Version |
 |------------|------|---------|
-| file://../common | common | 0.1.31 |
-| https://charts.bitnami.com/bitnami | postgresql | 11.9.13 |
+| file://../common | common | 0.1.34 |
 
 ## Values
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | map | `{}` | Affinity rules to apply to the pod |
+| args[0] | string | `"-c"` |  |
+| args[1] | string | `"set -e\n# set env vars\nexport PGSSLMODE=\"disable\"\n\n# bring the database schema up to the latest version\n/go/src/github.com/uc-cdis/arborist/migrations/latest\n\n# run arborist\n/go/src/github.com/uc-cdis/arborist/bin/arborist\n"` |  |
 | autoscaling | object | `{}` |  |
+| command[0] | string | `"sh"` |  |
 | commonLabels | map | `nil` | Will completely override the commonLabels defined in the common chart's _label_setup.tpl |
 | criticalService | string | `"true"` | Valid options are "true" or "false". If invalid option is set- the value will default to "false". |
 | cronjob | bool | `{"enabled":true}` | Whether the arborist rm exipred access cronjob is enabled. |
-| env | list | `[{"name":"JWKS_ENDPOINT","value":"http://fence-service/.well-known/jwks"}]` | Environment variables to pass to the container |
+| cronjobs[0].affinityOverride | object | `{}` |  |
+| cronjobs[0].args[0] | string | `"-c"` |  |
+| cronjobs[0].args[1] | string | `"# run job to remove expired access from the database\n/go/src/github.com/uc-cdis/arborist/jobs/delete_expired_access\n"` |  |
+| cronjobs[0].automountServiceAccountToken | bool | `false` |  |
+| cronjobs[0].command[0] | string | `"sh"` |  |
+| cronjobs[0].dbSecretName | string | `"arborist-dbcreds"` |  |
+| cronjobs[0].dnsConfig.options[0].name | string | `"use-vc"` |  |
+| cronjobs[0].dnsConfig.options[1].name | string | `"single-request-reopen"` |  |
+| cronjobs[0].envFromApp | bool | `true` |  |
+| cronjobs[0].name | string | `"arborist-rm-expired-access"` |  |
+| cronjobs[0].schedule | string | `"*/5 * * * *"` |  |
+| dbService | bool | `true` |  |
+| env | list | `[{"name":"JWKS_ENDPOINT","value":"http://fence-service/.well-known/jwks"},{"name":"PGSSLMODE","value":"disable"}]` | Environment variables to pass to the container |
 | env[0] | string | `{"name":"JWKS_ENDPOINT","value":"http://fence-service/.well-known/jwks"}` | The URL of the JSON Web Key Set (JWKS) endpoint for authentication |
 | externalSecrets | map | `{"dbcreds":null,"pushSecret":false}` | External Secrets settings. |
 | externalSecrets.dbcreds | string | `nil` | Will override the name of the aws secrets manager secret. Default is "Values.global.environment-.Chart.Name-creds" |
 | externalSecrets.pushSecret | bool | `false` | Whether to create the database and Secrets Manager secrets via PushSecret. |
+| extraLabels | map | `{"authprovider":"yes","dbarborist":"yes","public":"yes"}` | Will completely override the extraLabels defined in the common chart's _label_setup.tpl |
 | fullnameOverride | string | `""` | Override the full name of the deployment. |
-| global.autoscaling.averageCPUValue | string | `"500m"` |  |
-| global.autoscaling.averageMemoryValue | string | `"500Mi"` |  |
-| global.autoscaling.enabled | bool | `false` |  |
-| global.autoscaling.maxReplicas | int | `10` |  |
-| global.autoscaling.minReplicas | int | `1` |  |
-| global.aws | map | `{"awsAccessKeyId":null,"awsSecretAccessKey":null,"enabled":false,"externalSecrets":{"enabled":false,"externalSecretAwsCreds":null}}` | AWS configuration |
-| global.aws.awsAccessKeyId | string | `nil` | Credentials for AWS stuff. |
-| global.aws.awsSecretAccessKey | string | `nil` | Credentials for AWS stuff. |
-| global.aws.enabled | bool | `false` | Set to true if deploying to AWS. Controls ingress annotations. |
-| global.aws.externalSecrets.enabled | bool | `false` | Whether to use External Secrets for aws config. |
-| global.aws.externalSecrets.externalSecretAwsCreds | String | `nil` | Name of Secrets Manager secret. |
-| global.dev | bool | `true` | Whether the deployment is for development purposes. |
-| global.dictionaryUrl | string | `"https://s3.amazonaws.com/dictionary-artifacts/datadictionary/develop/schema.json"` | URL of the data dictionary. |
-| global.dispatcherJobNum | int | `"10"` | Number of dispatcher jobs. |
-| global.environment | string | `"default"` | Environment name. This should be the same as vpcname if you're doing an AWS deployment. Currently this is being used to share ALB's if you have multiple namespaces. Might be used other places too. |
-| global.externalSecrets | map | `{"deploy":false,"separateSecretStore":false}` | External Secrets settings. |
-| global.externalSecrets.deploy | bool | `false` | Will use ExternalSecret resources to pull secrets from Secrets Manager instead of creating them locally. Be cautious as this will override any arborist secrets you have deployed. |
-| global.externalSecrets.separateSecretStore | string | `false` | Will deploy a separate External Secret Store for this service. |
-| global.hostname | string | `"localhost"` | Hostname for the deployment. |
-| global.kubeBucket | string | `"kube-gen3"` | S3 bucket name for Kubernetes manifest files. |
-| global.logsBucket | string | `"logs-gen3"` | S3 bucket name for log files. |
-| global.minAvailable | int | `1` | The minimum amount of pods that are available at all times if the PDB is deployed. |
-| global.netPolicy | map | `{"enabled":false}` | Controls network policy settings |
-| global.pdb | bool | `false` | If the service will be deployed with a Pod Disruption Budget. Note- you need to have more than 2 replicas for the pdb to be deployed. |
-| global.portalApp | string | `"gitops"` | Portal application name. |
-| global.postgres.dbCreate | bool | `true` | Whether the database should be created. |
-| global.postgres.externalSecret | string | `""` | Name of external secret. Disabled if empty |
-| global.postgres.master | map | `{"host":null,"password":null,"port":"5432","username":"postgres"}` | Master credentials to postgres. This is going to be the default postgres server being used for each service, unless each service specifies their own postgres |
-| global.postgres.master.host | string | `nil` | hostname of postgres server |
-| global.postgres.master.password | string | `nil` | password for superuser in postgres. This is used to create or restore databases |
-| global.postgres.master.port | string | `"5432"` | Port for Postgres. |
-| global.postgres.master.username | string | `"postgres"` | username of superuser in postgres. This is used to create or restore databases |
-| global.publicDataSets | bool | `true` | Whether public datasets are enabled. |
-| global.revproxyArn | string | `"arn:aws:acm:us-east-1:123456:certificate"` | ARN of the reverse proxy certificate. |
-| global.tierAccessLevel | string | `"libre"` | Access level for tiers. acceptable values for `tier_access_level` are: `libre`, `regular` and `private`. If omitted, by default common will be treated as `private` |
-| global.topologySpread | map | `{"enabled":false,"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone"}` | Karpenter topology spread configuration. |
-| global.topologySpread.enabled | bool | `false` | Whether to enable topology spread constraints for all subcharts that support it. |
-| global.topologySpread.maxSkew | int | `1` | The maxSkew to use for topology spread constraints. Defaults to 1. |
-| global.topologySpread.topologyKey | string | `"topology.kubernetes.io/zone"` | The topology key to use for spreading. Defaults to "topology.kubernetes.io/zone". |
 | image | map | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cdis/arborist","tag":""}` | Docker image information. |
 | image.pullPolicy | string | `"IfNotPresent"` | Docker pull policy. |
 | image.repository | string | `"quay.io/cdis/arborist"` | Docker repository. |
 | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
 | imagePullSecrets | list | `[]` | Docker image pull secrets. |
+| livenessProbe.path | string | `"/health"` |  |
 | metricsEnabled | bool | `nil` | Whether Metrics are enabled. |
 | nameOverride | string | `""` | Override the name of the chart. |
 | nodeSelector | map | `{}` | Node selector to apply to the pod |
 | partOf | string | `"Authentication"` | Label to help organize pods and their use. Any value is valid, but use "_" or "-" to divide words. |
 | podAnnotations | map | `{}` | Annotations to add to the pod |
 | podSecurityContext | map | `nil` | Security context to apply to the pod |
-| postgres | map | `{"database":null,"dbCreate":null,"host":null,"password":null,"port":"5432","separate":false,"username":null}` | Postgres database configuration. If db does not exist in postgres cluster and dbCreate is set ot true then these databases will be created for you |
+| postgres | map | `{"database":null,"dbCreate":null,"host":null,"password":null,"port":"5432","username":null}` | Postgres database configuration. If db does not exist in postgres cluster and dbCreate is set ot true then these databases will be created for you |
 | postgres.database | string | `nil` | Database name for postgres. This is a service override, defaults to <serviceName>-<releaseName> |
 | postgres.dbCreate | bool | `nil` | Whether the database should be created. Default to global.postgres.dbCreate |
 | postgres.host | string | `nil` | Hostname for postgres server. This is a service override, defaults to global.postgres.host |
 | postgres.password | string | `nil` | Password for Postgres. Will be autogenerated if left empty. |
 | postgres.port | string | `"5432"` | Port for Postgres. |
-| postgres.separate | string | `false` | Will create a Database for the individual service to help with developing it. |
 | postgres.username | string | `nil` | Username for postgres. This is a service override, defaults to <serviceName>-<releaseName> |
-| postgresql | map | `{"primary":{"persistence":{"enabled":false}}}` | Postgresql subchart settings if deployed separately option is set to "true". Disable persistence by default so we can spin up and down ephemeral environments |
-| postgresql.primary.persistence.enabled | bool | `false` | Option to persist the dbs data. |
+| readinessProbe.path | string | `"/health"` |  |
 | release | string | `"production"` | Valid options are "production" or "dev". If invalid option is set- the value will default to "dev". |
 | replicaCount | int | `1` | Number of replicas for the deployment. |
 | resources | map | `{"limits":{"memory":"512Mi"},"requests":{"memory":"12Mi"}}` | Resource requests and limits for the containers in the pod |

diff --git a/helm/arborist/templates/_helpers.tpl b/helm/arborist/templates/_helpers.tpl
diff --git a/helm/arborist/templates/arborist-expired-access-cronjob.yaml b/helm/arborist/templates/arborist-expired-access-cronjob.yaml
@@ -1,92 +1,3 @@
 {{- if .Values.cronjob.enabled }}
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: arborist-rm-expired-access
-spec:
-  schedule: "*/5 * * * *"
-  successfulJobsHistoryLimit: 2
-  failedJobsHistoryLimit: 2
-  concurrencyPolicy: Forbid
-  jobTemplate:
-    spec:
-      template:
-        metadata:
-          labels:
-            app: gen3job
-        spec:
-          affinity:
-            nodeAffinity:
-              preferredDuringSchedulingIgnoredDuringExecution:
-              - weight: 100
-                preference:
-                  matchExpressions:
-                  - key: karpenter.sh/capacity-type
-                    operator: In
-                    values:
-                    - on-demand
-              - weight: 99
-                preference:
-                  matchExpressions:
-                  - key: eks.amazonaws.com/capacityType
-                    operator: In
-                    values:
-                    - ONDEMAND
-          automountServiceAccountToken: false
-          containers:
-          - name: arborist
-            image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-            imagePullPolicy: Always
-            env:
-            {{- toYaml .Values.env | nindent 12 }}
-            - name: PGPASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: arborist-dbcreds
-                  key: password
-                  optional: false
-            - name: PGUSER
-              valueFrom:
-                secretKeyRef:
-                  name: arborist-dbcreds
-                  key: username
-                  optional: false
-            - name: PGDATABASE
-              valueFrom:
-                secretKeyRef:
-                  name: arborist-dbcreds
-                  key: database
-                  optional: false
-            - name: PGHOST
-              valueFrom:
-                secretKeyRef:
-                  name: arborist-dbcreds
-                  key: host
-                  optional: false
-            - name: PGPORT
-              valueFrom:
-                secretKeyRef:
-                  name: arborist-dbcreds
-                  key: port
-                  optional: false
-            - name: PGSSLMODE
-              value: disable
-            - name: DBREADY
-              valueFrom:
-                secretKeyRef:
-                  name: arborist-dbcreds
-                  key: dbcreated
-                  optional: false
-            command: ["sh"]
-            args:
-            - "-c"
-            - |
-                # run job to remove expired access from the database
-                /go/src/github.com/uc-cdis/arborist/jobs/delete_expired_access
-          restartPolicy: Never
-          dnsConfig:
-            options:
-            - name: use-vc
-            - name: single-request-reopen
-          dnsPolicy: ClusterFirst
+{{ include "common.cronjob" . }}
 {{- end }}