From d7cf53ff0613c3e7c7d38d4ad23c467a75c74be8 Mon Sep 17 00:00:00 2001
From: BigFluffyCookie <leyla@openops.com>
Date: Thu, 5 Mar 2026 13:55:42 +0100
Subject: [PATCH 1/9] Add subagent related files

---
 chart/templates/role-app-subagents.yaml       | 21 ++++++++++++++++++
 .../templates/rolebinding-app-subagents.yaml  | 22 +++++++++++++++++++
 chart/values.yaml                             | 16 ++++++++++++++
 3 files changed, 59 insertions(+)
 create mode 100644 chart/templates/role-app-subagents.yaml
 create mode 100644 chart/templates/rolebinding-app-subagents.yaml

diff --git a/chart/templates/role-app-subagents.yaml b/chart/templates/role-app-subagents.yaml
new file mode 100644
index 0000000..4833543
--- /dev/null
+++ b/chart/templates/role-app-subagents.yaml
@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "openops.fullname" . }}-subagent-manager
+  namespace: {{ .Values.subagents.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "openops.componentLabels" (dict "root" . "component" "app") | nindent 4 }}
+    {{- with .Values.global.commonLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.global.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["create", "get", "list", "delete"]
+- apiGroups: [""]
+  resources: ["pods/log"]
+  verbs: ["get"]
diff --git a/chart/templates/rolebinding-app-subagents.yaml b/chart/templates/rolebinding-app-subagents.yaml
new file mode 100644
index 0000000..1281b1b
--- /dev/null
+++ b/chart/templates/rolebinding-app-subagents.yaml
@@ -0,0 +1,22 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "openops.fullname" . }}-subagent-manager
+  namespace: {{ .Values.subagents.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "openops.componentLabels" (dict "root" . "component" "app") | nindent 4 }}
+    {{- with .Values.global.commonLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.global.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "openops.fullname" . }}-subagent-manager
+subjects:
+- kind: ServiceAccount
+  name: {{ include "openops.serviceAccountName" (dict "root" . "component" "app") }}
+  namespace: {{ .Release.Namespace }}
diff --git a/chart/values.yaml b/chart/values.yaml
index dd58200..f369d75 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -151,6 +151,17 @@ openopsEnv:
   OPS_SLACK_APP_SIGNING_SECRET: ""
   OPS_SLACK_ENABLE_INTERACTIONS: "true"
 
+  # Subagent configuration
+  OPS_SUBAGENTS_ENABLED: "false"
+  OPS_SUBAGENT_EXECUTOR_TYPE: "k8s"
+  OPS_SUBAGENT_K8S_NAMESPACE: "{{ .Release.Namespace }}"
+  OPS_SUBAGENT_RUNNER_IMAGE: "{{ .Values.image.repository }}/openops-subagent-runner:{{ .Values.global.version }}"
+  OPS_SUBAGENT_S3_BUCKET: "subagent-runner"
+  OPS_SUBAGENT_S3_REGION: "eu-central-1"
+  OPS_SUBAGENT_S3_ENDPOINT: "https://s3.eu-central-1.amazonaws.com"
+  OPS_SUBAGENT_S3_ACCESS_KEY: ""  # Set per environment
+  OPS_SUBAGENT_S3_SECRET_KEY: ""  # Set per environment
+
 secretEnv:
   create: true
   existingSecret: ""
@@ -620,3 +631,8 @@ externalSecrets:
     create: false
     name: external-secrets-sa
     annotations: {}
+
+# Subagent configuration
+subagents:
+  # Namespace where subagent pods run (defaults to same namespace as app)
+  namespace: ""

From 722d9225bd4fe8660d50b72653b117d1416e7f6c Mon Sep 17 00:00:00 2001
From: BigFluffyCookie <leyla@openops.com>
Date: Thu, 5 Mar 2026 14:08:34 +0100
Subject: [PATCH 2/9] fix

---
 chart/values.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/chart/values.yaml b/chart/values.yaml
index f369d75..fd88806 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -159,8 +159,8 @@ openopsEnv:
   OPS_SUBAGENT_S3_BUCKET: "subagent-runner"
   OPS_SUBAGENT_S3_REGION: "eu-central-1"
   OPS_SUBAGENT_S3_ENDPOINT: "https://s3.eu-central-1.amazonaws.com"
-  OPS_SUBAGENT_S3_ACCESS_KEY: ""  # Set per environment
-  OPS_SUBAGENT_S3_SECRET_KEY: ""  # Set per environment
+  OPS_SUBAGENT_S3_ACCESS_KEY: "secret"
+  OPS_SUBAGENT_S3_SECRET_KEY: "secret"
 
 secretEnv:
   create: true

From 5b5f44a3643ee4321c23d1259bc97d08c228e104 Mon Sep 17 00:00:00 2001
From: BigFluffyCookie <leyla@openops.com>
Date: Thu, 5 Mar 2026 14:29:57 +0100
Subject: [PATCH 3/9] fix

---
 chart/values.yaml | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/chart/values.yaml b/chart/values.yaml
index fd88806..ebee398 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -155,12 +155,11 @@ openopsEnv:
   OPS_SUBAGENTS_ENABLED: "false"
   OPS_SUBAGENT_EXECUTOR_TYPE: "k8s"
   OPS_SUBAGENT_K8S_NAMESPACE: "{{ .Release.Namespace }}"
-  OPS_SUBAGENT_RUNNER_IMAGE: "{{ .Values.image.repository }}/openops-subagent-runner:{{ .Values.global.version }}"
-  OPS_SUBAGENT_S3_BUCKET: "subagent-runner"
-  OPS_SUBAGENT_S3_REGION: "eu-central-1"
-  OPS_SUBAGENT_S3_ENDPOINT: "https://s3.eu-central-1.amazonaws.com"
-  OPS_SUBAGENT_S3_ACCESS_KEY: "secret"
-  OPS_SUBAGENT_S3_SECRET_KEY: "secret"
+  OPS_SUBAGENT_S3_BUCKET: ""
+  OPS_SUBAGENT_S3_REGION: ""
+  OPS_SUBAGENT_S3_ENDPOINT: ""
+  OPS_SUBAGENT_S3_ACCESS_KEY: ""  
+  OPS_SUBAGENT_S3_SECRET_KEY: ""
 
 secretEnv:
   create: true

From 22f719ca8ad460b68fef6765172f580f5983d509 Mon Sep 17 00:00:00 2001
From: BigFluffyCookie <leyla@openops.com>
Date: Thu, 5 Mar 2026 14:41:07 +0100
Subject: [PATCH 4/9] clean

---
 chart/values.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/chart/values.yaml b/chart/values.yaml
index ebee398..ff5d26d 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -160,6 +160,7 @@ openopsEnv:
   OPS_SUBAGENT_S3_ENDPOINT: ""
   OPS_SUBAGENT_S3_ACCESS_KEY: ""  
   OPS_SUBAGENT_S3_SECRET_KEY: ""
+  OPS_SUBAGENT_RUNNER_IMAGE: "535002847982.dkr.ecr.us-east-2.amazonaws.com/openops/subagent-runner:main"
 
 secretEnv:
   create: true

From 8e876a4094c3bb4a9ef35754a0e8874d0f508476 Mon Sep 17 00:00:00 2001
From: Maor Rozenfeld <49363375+maor-rozenfeld@users.noreply.github.com>
Date: Fri, 6 Mar 2026 22:41:40 +0100
Subject: [PATCH 5/9] Move S3 creds to the secrets

---
 chart/values.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/chart/values.yaml b/chart/values.yaml
index c2daf61..7a98586 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -150,8 +150,6 @@ openopsEnv:
   OPS_SUBAGENT_S3_BUCKET: ""
   OPS_SUBAGENT_S3_REGION: ""
   OPS_SUBAGENT_S3_ENDPOINT: ""
-  OPS_SUBAGENT_S3_ACCESS_KEY: ""
-  OPS_SUBAGENT_S3_SECRET_KEY: ""
   OPS_SUBAGENT_RUNNER_IMAGE: "535002847982.dkr.ecr.us-east-2.amazonaws.com/openops/subagent-runner:main"
 
 # Secret environment variables
@@ -170,6 +168,8 @@ openopsEnvSecrets:
   OPS_LANGFUSE_PUBLIC_KEY: ""
   OPS_LANGFUSE_SECRET_KEY: ""
   OPS_SSO_FRONTEGG_PUBLIC_KEY: ""
+  OPS_SUBAGENT_S3_ACCESS_KEY: ""
+  OPS_SUBAGENT_S3_SECRET_KEY: ""
 
 secretEnv:
   create: true

From 36e1c7a37372f753603cf085fbf33f4a735eed70 Mon Sep 17 00:00:00 2001
From: BigFluffyCookie <leyla@openops.com>
Date: Thu, 12 Mar 2026 14:00:10 +0100
Subject: [PATCH 6/9] fix permission

---
 chart/templates/role-app-subagents.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/chart/templates/role-app-subagents.yaml b/chart/templates/role-app-subagents.yaml
index 4833543..da90328 100644
--- a/chart/templates/role-app-subagents.yaml
+++ b/chart/templates/role-app-subagents.yaml
@@ -13,9 +13,12 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 rules:
+- apiGroups: ["batch"]
+  resources: ["jobs"]
+  verbs: ["create", "get", "list", "delete"]
 - apiGroups: [""]
   resources: ["pods"]
-  verbs: ["create", "get", "list", "delete"]
+  verbs: ["get", "list"]
 - apiGroups: [""]
   resources: ["pods/log"]
   verbs: ["get"]

From dc125d66dc6b766a82aad969ac2e0d2a2ba8ebf3 Mon Sep 17 00:00:00 2001
From: BigFluffyCookie <leyla@openops.com>
Date: Fri, 13 Mar 2026 16:22:31 +0100
Subject: [PATCH 7/9] suggestions

---
 chart/templates/role-app-subagents.yaml        | 2 ++
 chart/templates/rolebinding-app-subagents.yaml | 2 ++
 chart/values.yaml                              | 4 ++--
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/chart/templates/role-app-subagents.yaml b/chart/templates/role-app-subagents.yaml
index da90328..f04ba8b 100644
--- a/chart/templates/role-app-subagents.yaml
+++ b/chart/templates/role-app-subagents.yaml
@@ -1,3 +1,4 @@
+{{- if eq (index .Values.openopsEnv "OPS_SUBAGENTS_ENABLED") "true" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -22,3 +23,4 @@ rules:
 - apiGroups: [""]
   resources: ["pods/log"]
   verbs: ["get"]
+{{- end }}
diff --git a/chart/templates/rolebinding-app-subagents.yaml b/chart/templates/rolebinding-app-subagents.yaml
index 1281b1b..fbb9425 100644
--- a/chart/templates/rolebinding-app-subagents.yaml
+++ b/chart/templates/rolebinding-app-subagents.yaml
@@ -1,3 +1,4 @@
+{{- if eq (index .Values.openopsEnv "OPS_SUBAGENTS_ENABLED") "true" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -20,3 +21,4 @@ subjects:
 - kind: ServiceAccount
   name: {{ include "openops.serviceAccountName" (dict "root" . "component" "app") }}
   namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
index 7a98586..0d7d7bb 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -146,11 +146,11 @@ openopsEnv:
   # Subagent configuration
   OPS_SUBAGENTS_ENABLED: "false"
   OPS_SUBAGENT_EXECUTOR_TYPE: "k8s"
-  OPS_SUBAGENT_K8S_NAMESPACE: "{{ .Release.Namespace }}"
+  OPS_SUBAGENT_K8S_NAMESPACE: '{{ .Values.subagents.namespace | default .Release.Namespace }}'
   OPS_SUBAGENT_S3_BUCKET: ""
   OPS_SUBAGENT_S3_REGION: ""
   OPS_SUBAGENT_S3_ENDPOINT: ""
-  OPS_SUBAGENT_RUNNER_IMAGE: "535002847982.dkr.ecr.us-east-2.amazonaws.com/openops/subagent-runner:main"
+  OPS_SUBAGENT_RUNNER_IMAGE: "535002847982.dkr.ecr.us-east-2.amazonaws.com/openops/subagent-runner:0fdbc6b1"
 
 # Secret environment variables
 # Any var in this section is treated as a secret (stored in K8s Secret, referenced via secretKeyRef).

From 57a9a251a09ed85c2955c8f59b4f7e2b1b44f0bd Mon Sep 17 00:00:00 2001
From: BigFluffyCookie <leyla@openops.com>
Date: Fri, 13 Mar 2026 16:31:57 +0100
Subject: [PATCH 8/9] more suggestions

---
 chart/templates/role-app-subagents.yaml        | 3 ++-
 chart/templates/rolebinding-app-subagents.yaml | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/chart/templates/role-app-subagents.yaml b/chart/templates/role-app-subagents.yaml
index f04ba8b..afec15e 100644
--- a/chart/templates/role-app-subagents.yaml
+++ b/chart/templates/role-app-subagents.yaml
@@ -1,4 +1,5 @@
-{{- if eq (index .Values.openopsEnv "OPS_SUBAGENTS_ENABLED") "true" }}
+{{- $openopsEnv := .Values.openopsEnv | default dict }}
+{{- if and (eq (toString (get $openopsEnv "OPS_SUBAGENTS_ENABLED")) "true") (eq (default "k8s" (get $openopsEnv "OPS_SUBAGENT_EXECUTOR_TYPE")) "k8s") }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
diff --git a/chart/templates/rolebinding-app-subagents.yaml b/chart/templates/rolebinding-app-subagents.yaml
index fbb9425..fa8559e 100644
--- a/chart/templates/rolebinding-app-subagents.yaml
+++ b/chart/templates/rolebinding-app-subagents.yaml
@@ -1,4 +1,5 @@
-{{- if eq (index .Values.openopsEnv "OPS_SUBAGENTS_ENABLED") "true" }}
+{{- $openopsEnv := .Values.openopsEnv | default dict }}
+{{- if and (eq (toString (get $openopsEnv "OPS_SUBAGENTS_ENABLED")) "true") (eq (default "k8s" (get $openopsEnv "OPS_SUBAGENT_EXECUTOR_TYPE")) "k8s") }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:

From f552c02d6eeaaf07ca27577ac8a430e8cdb417cb Mon Sep 17 00:00:00 2001
From: BigFluffyCookie <leyla@openops.com>
Date: Fri, 13 Mar 2026 16:51:35 +0100
Subject: [PATCH 9/9] rm

---
 chart/values.yaml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/chart/values.yaml b/chart/values.yaml
index 0d7d7bb..3c6fa95 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -168,8 +168,6 @@ openopsEnvSecrets:
   OPS_LANGFUSE_PUBLIC_KEY: ""
   OPS_LANGFUSE_SECRET_KEY: ""
   OPS_SSO_FRONTEGG_PUBLIC_KEY: ""
-  OPS_SUBAGENT_S3_ACCESS_KEY: ""
-  OPS_SUBAGENT_S3_SECRET_KEY: ""
 
 secretEnv:
   create: true