calypr · matthewpeterkort · Mar 4, 2026 · Mar 11, 2026 · Mar 31, 2026 · Mar 31, 2026
diff --git a/helm/common/templates/_db_setup_job.tpl b/helm/common/templates/_db_setup_job.tpl
@@ -135,32 +135,39 @@ spec:
             echo "SERVICE_PGDB=$SERVICE_PGDB"
             echo "SERVICE_PGUSER=$SERVICE_PGUSER"
 
-            until pg_isready -h $PGHOST -p $PGPORT -U $SERVICE_PGUSER -d template1
+            until pg_isready -h $PGHOST -p $PGPORT -U $PGUSER -d template1
             do
               >&2 echo "Postgres is unavailable - sleeping"
               sleep 5
             done
             >&2 echo "Postgres is up - executing command"
 
+            printf '%s\n' \
+              "SELECT format('CREATE ROLE %I LOGIN PASSWORD %L', :'service_user', :'service_pass')" \
+              "WHERE NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = :'service_user')\\gexec" \
+              "ALTER ROLE :\"service_user\" WITH LOGIN PASSWORD :'service_pass';" \
+              "SELECT format('CREATE DATABASE %I OWNER %I', :'service_db', :'service_user')" \
+              "WHERE NOT EXISTS (SELECT 1 FROM pg_database WHERE datname = :'service_db')\\gexec" \
+              "GRANT ALL ON DATABASE :\"service_db\" TO :\"service_user\" WITH GRANT OPTION;" \
+              | psql -h "$PGHOST" -p "$PGPORT" -U "$PGUSER" -d postgres \
+              -v service_user="$SERVICE_PGUSER" \
+              -v service_db="$SERVICE_PGDB" \
+              -v service_pass="$SERVICE_PGPASS" \
+              -f -
 
-            if psql -lqt | cut -d \| -f 1 | grep -qw $SERVICE_PGDB; then
-              gen3_log_info "Database exists"
-              PGPASSWORD=$SERVICE_PGPASS psql -d $SERVICE_PGDB -h $PGHOST -p $PGPORT -U $SERVICE_PGUSER -c "\conninfo"
+            printf '%s\n' \
+              "CREATE EXTENSION IF NOT EXISTS ltree;" \
+              "ALTER ROLE :\"service_user\" WITH LOGIN;" \
+              "GRANT ALL ON SCHEMA public TO :\"service_user\";" \
+              "ALTER SCHEMA public OWNER TO :\"service_user\";" \
+              | psql -h "$PGHOST" -p "$PGPORT" -U "$PGUSER" -d "$SERVICE_PGDB" \
+              -v service_user="$SERVICE_PGUSER" \
+              -f -
 
-              # Update secret to signal that db is ready, and services can start
-              kubectl patch secret/{{ .Chart.Name }}-dbcreds -p '{"data":{"dbcreated":"dHJ1ZQo="}}'
-            else
-              echo "database does not exist"
-              psql -tc "SELECT 1 FROM pg_database WHERE datname = '$SERVICE_PGDB'" | grep -q 1 || psql -c "CREATE DATABASE \"$SERVICE_PGDB\";"
-              gen3_log_info psql -tc "SELECT 1 FROM pg_user WHERE usename = '$SERVICE_PGUSER'" | grep -q 1 || psql -c "CREATE USER \"$SERVICE_PGUSER\" WITH PASSWORD '$SERVICE_PGPASS';"
-              psql -tc "SELECT 1 FROM pg_user WHERE usename = '$SERVICE_PGUSER'" | grep -q 1 || psql -c "CREATE USER \"$SERVICE_PGUSER\" WITH PASSWORD '$SERVICE_PGPASS';"
-              psql -c "GRANT ALL ON DATABASE \"$SERVICE_PGDB\" TO \"$SERVICE_PGUSER\" WITH GRANT OPTION;"
-              psql -d $SERVICE_PGDB -c "CREATE EXTENSION ltree; ALTER ROLE \"$SERVICE_PGUSER\" WITH LOGIN"
-              PGPASSWORD=$SERVICE_PGPASS psql -d $SERVICE_PGDB -h $PGHOST -p $PGPORT -U $SERVICE_PGUSER -c "\conninfo"
+            PGPASSWORD=$SERVICE_PGPASS psql -d "$SERVICE_PGDB" -h "$PGHOST" -p "$PGPORT" -U "$SERVICE_PGUSER" -c "\conninfo"
 
-              # Update secret to signal that db has been created, and services can start
-              kubectl patch secret/{{ .Chart.Name }}-dbcreds -p '{"data":{"dbcreated":"dHJ1ZQo="}}'
-            fi
+            # Update secret to signal that db has been created, and services can start
+            kubectl patch secret/{{ .Chart.Name }}-dbcreds -p '{"data":{"dbcreated":"dHJ1ZQo="}}'
 {{- end}}
 {{- end }}
 

diff --git a/helm/fence/templates/presigned-url-fence.yaml b/helm/fence/templates/presigned-url-fence.yaml
diff --git a/helm/fence/templates/service.yaml b/helm/fence/templates/service.yaml
@@ -13,18 +13,3 @@ spec:
       name: http
   selector:
     {{- include "fence.selectorLabels" . | nindent 4 }}
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: presigned-url-fence-service
-spec:
-  type: {{ .Values.service.type }}
-  ports:
-    - port: {{ .Values.service.port }}
-      targetPort: http
-      protocol: TCP
-      name: http
-  selector:
-    app: presigned-url-fence
-
diff --git a/helm/gecko/files/init-data/nav.json b/helm/gecko/files/init-data/nav.json
@@ -52,6 +52,13 @@
         "href": "/Apps",
         "perms": null
       },
+      {
+        "title": "Upload",
+        "description": "Upload local files into authorized storage.",
+        "icon": "/icons/apps/Upload.svg",
+        "href": "/upload",
+        "perms": ""
+      },
       {
         "title": "Directory Structure",
         "description": "Search for files via a tree based interactive search",
@@ -74,9 +81,9 @@
         "perms": null
       },
       {
-        "title": "GraphQL Query",
+        "title": "Query Editor",
         "description": "Query graph databases via a web interface",
-        "icon": "/icons/query.svg",
+        "icon": "/icons/Search.svg",
         "href": "/Query",
         "perms": null
       }

diff --git a/helm/gecko/templates/deployment.yaml b/helm/gecko/templates/deployment.yaml
@@ -74,16 +74,18 @@ spec:
                   key: serviceName
             - name: GRIP_PORT
               value: "8202"
+            {{- if .Values.qdrant.enabled }}
             - name: QDRANT_HOST
               value: {{ printf "%s-qdrant" .Release.Name | quote }}
             - name: QDRANT_PORT
-              value: "6334"
+              value: {{ .Values.qdrant.port | quote }}
             - name: QDRANT_API_KEY
               valueFrom:
                 secretKeyRef:
-                  name: {{  "qdrant-api-key-secret" }}
-                  key: {{  "api-key" }}
+                  name: {{ .Values.qdrant.apiKeySecretName | quote }}
+                  key: {{ .Values.qdrant.apiKeySecretKey | quote }}
                   optional: false
+            {{- end }}
             - name: PGPASSWORD
               valueFrom:
                 secretKeyRef:
@@ -138,4 +140,4 @@ spec:
       {{- with .Values.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
-      {{- end }}
+      {{- end }}
diff --git a/helm/gecko/templates/qdrant-pv.yaml b/helm/gecko/templates/qdrant-pv.yaml
@@ -1,3 +1,4 @@
+{{- if and .Values.qdrant.enabled .Values.qdrant.persistence.enabled }}
 apiVersion: v1
 kind: PersistentVolume
 metadata:
@@ -9,10 +10,11 @@ metadata:
     meta.helm.sh/release-namespace: "default"
 spec:
   capacity:
-    storage: 26Gi
+    storage: {{ .Values.qdrant.persistence.size | quote }}
   accessModes:
     - ReadWriteOnce
-  storageClassName: "qdrant-manual-storage"
+  storageClassName: {{ .Values.qdrant.persistence.storageClass | quote }}
   persistentVolumeReclaimPolicy: Retain
   hostPath:
-    path: "/mnt/data/qdrant-local"
+    path: {{ .Values.qdrant.persistence.hostPath | quote }}
+{{- end }}
diff --git a/helm/gecko/values.yaml b/helm/gecko/values.yaml
@@ -102,6 +102,25 @@ postgresql:
       # -- (bool) Option to persist the dbs data.
       enabled: false
 
+qdrant:
+  # -- (bool) Whether Gecko should connect to Qdrant.
+  enabled: false
+  # -- (string) Kubernetes Secret containing the Qdrant API key.
+  apiKeySecretName: qdrant-api-key-secret
+  # -- (string) Key in the Qdrant API key Secret.
+  apiKeySecretKey: api-key
+  # -- (string) Qdrant gRPC port.
+  port: "6334"
+  persistence:
+    # -- (bool) Whether to create the local Qdrant PersistentVolume.
+    enabled: false
+    # -- (string) StorageClass used by the local Qdrant PersistentVolume.
+    storageClass: qdrant-manual-storage
+    # -- (string) Local path used by the local Qdrant PersistentVolume.
+    hostPath: /mnt/data/qdrant-local
+    # -- (string) Size of the local Qdrant PersistentVolume.
+    size: 26Gi
+
 
 # -- (int) Number of replicas for the deployment.
 replicaCount: 1

diff --git a/helm/gen3/Chart.yaml b/helm/gen3/Chart.yaml
@@ -114,6 +114,11 @@ dependencies:
 - name: qdrant
   version: 1.15.4
   repository: "https://qdrant.github.io/qdrant-helm"
+  condition: qdrant.enabled
+- name: syfon
+  version: 0.1.0
+  repository: "file://../syfon"
+  condition: syfon.enabled
 
 # A chart can be either an 'application' or a 'library' chart.
 #

diff --git a/helm/gen3/values.yaml b/helm/gen3/values.yaml
@@ -284,6 +284,15 @@ wts:
   # -- (bool) Whether to deploy the wts subchart.
   enabled: true
 
+syfon:
+  # -- (bool) Whether to deploy the syfon subchart.
+  enabled: false
+
+gecko:
+  qdrant:
+    # -- (bool) Whether Gecko should connect to Qdrant.
+    enabled: false
+
 # Disable persistence by default so we can spin up and down ephemeral environments
 postgresql:
   primary:
@@ -299,7 +308,7 @@ qdrant:
         secretKeyRef:
           name: qdrant-api-key-secret  # Name of the Kubernetes Secret from Step 1
           key: api-key
-  enabled: true
+  enabled: false
   replicaCount: 1
   resources:
     limits:

diff --git a/helm/revproxy/gen3.nginx.conf/fence-service-ga4gh.conf b/helm/revproxy/gen3.nginx.conf/fence-service-ga4gh.conf