feat: initial helm charts

fixes: #3063

.gitignore

@@ -45,3 +45,4 @@ junit*.xml
 .ftl.lock
 docker-build/
 **/.ftl
+charts/charts/

Dockerfile.controller

@@ -27,7 +27,7 @@ COPY . /src/
 RUN just errtrace
 # Reset timestamps so that the build state is reset
 RUN git ls-files -z | xargs -0 touch -r go.mod
-RUN just build ftl-controller
+RUN just build ftl-controller ftl-initdb
 
 # Finally create the runtime image.
 FROM scratch

Dockerfile.initdb

@@ -0,0 +1,50 @@
+FROM ubuntu:24.04 AS builder
+RUN apt-get update
+RUN apt-get install -y curl git zip
+
+# Copy Hermit bin stubs and install all packages. This is done
+# separately so that Docker will cache the tools correctly.
+COPY ./bin /src/bin
+ENV PATH="/src/bin:$PATH"
+WORKDIR /src
+
+# Seed some of the most common tools - this will be cached
+RUN go version
+RUN node --version
+
+# Download Go dependencies separately so Docker will cache them
+COPY go.mod go.sum ./
+RUN go mod download -x
+
+# Download PNPM dependencies separately so Docker will cache them
+COPY frontend/console/package.json ./frontend/console/
+COPY frontend/vscode/package.json ./frontend/vscode/
+COPY pnpm-workspace.yaml pnpm-lock.yaml ./
+RUN pnpm install --frozen-lockfile
+
+# Build
+COPY . /src/
+RUN just errtrace
+# Reset timestamps so that the build state is reset
+RUN git ls-files -z | xargs -0 touch -r go.mod
+RUN just build ftl-controller
+
+# Finally create the runtime image.
+FROM scratch
+
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+
+WORKDIR /service/
+
+COPY --from=builder /src/build/release/ftl-controller .
+COPY --from=builder /src/build/release/ftl-initdb . #TODO: Remove this line, we need a different migration image, this will get us moving for now though
+
+EXPOSE 8891
+EXPOSE 8892
+
+ENV FTL_CONTROLLER_BIND="http://0.0.0.0:8892"
+ENV FTL_CONTROLLER_ADVERTISE="http://127.0.0.1:8892"
+ENV FTL_CONTROLLER_CONSOLE_URL="*"
+ENV FTL_CONTROLLER_DSN="postgres://host.docker.internal/ftl?sslmode=disable&user=postgres&password=secret"
+
+CMD ["/service/ftl-controller"]

Justfile

@@ -39,11 +39,7 @@ dev *args:
   watchexec -r {{WATCHEXEC_ARGS}} -- "just build-sqlc && ftl dev --plain {{args}}"
 
 # Build everything
-build-all: build-protos-unconditionally build-backend build-backend-tests build-frontend build-generate build-sqlc build-zips lsp-generate build-java generate-kube-migrations
-
-# Update the kube config map with the latest schema migrations
-generate-kube-migrations:
-    just k8s update-schema
+build-all: build-protos-unconditionally build-backend build-backend-tests build-frontend build-generate build-sqlc build-zips lsp-generate build-java
 
 # Run "go generate" on all packages
 build-generate:
@@ -264,3 +260,6 @@ build-docker name:
     -t ftl0/ftl-{{name}}:"${GITHUB_SHA:-$(git rev-parse HEAD)}" \
     -t ftl0/ftl-{{name}}:latest \
     -f Dockerfile.{{name}} .
+
+chart *args:
+    @cd charts && just {{args}}

charts/Chart.lock

@@ -0,0 +1,9 @@
+dependencies:
+- name: postgresql
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 15.5.29
+- name: harbor
+  repository: https://helm.goharbor.io
+  version: 1.15.1
+digest: sha256:54ee3d28306509e5360950f19a6ff0add5552f2a90adef6c50dcecf77d7fd119
+generated: "2024-10-10T14:53:25.059332+11:00"

charts/Chart.yaml

@@ -0,0 +1,17 @@
+apiVersion: v2
+name: ftl
+description: |
+  A Helm chart for Kubernetes that deploys FTL
+home: https://github.com/TBD54566975/ftl
+version: 0.0.1
+appVersion: v0.354.1
+
+dependencies:
+- name: postgresql
+  version: 15.5.29
+  repository: oci://registry-1.docker.io/bitnamicharts
+  condition: postgresql.enabled
+- name: harbor
+  version: v1.15.1
+  repository: https://helm.goharbor.io
+  condition: harbor.enabled

charts/Justfile

@@ -0,0 +1,5 @@
+_help:
+  @just -l
+
+dep-update:
+    helm dep update .

charts/templates/_helpers.tpl

@@ -0,0 +1,44 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "ftl.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "ftl.labels" -}}
+helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+app.kubernetes.io/name: {{ include "ftl.fullname" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Values.customLabels -}}
+{{ toYaml .Values.customLabels }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "ftl-controller.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "ftl.fullname" . }}
+app.kubernetes.io/component: controller
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+{{- define "ftl-runner.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "ftl.fullname" . }}
+app.kubernetes.io/component: runner
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}

charts/templates/controller-role.yaml

@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "ftl.fullname" . }}-controller
+  namespace: {{ .Release.Namespace }}
+  {{- if .Values.controller.controllersRoleArn }}
+  annotations:
+    eks.amazonaws.com/role-arn: {{ .Values.controller.controllersRoleArn }}
+  {{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "ftl.fullname" . }}-controller
+  labels:
+    {{- include "ftl.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [ "apps" ]
+    resources: [ "deployments" ]
+    verbs: [ "get", "list", "watch", "delete", "create", "update", "patch" ]
+  - apiGroups: [ "" ]
+    resources: [ "services" , "serviceaccounts"]
+    verbs: [ "get", "list", "watch", "delete", "create", "update", "patch" ]
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "" ]
+    resources: [ "configmaps" ]
+    resourceNames:
+      - ftl-controller-deployment-config
+    verbs: [ "get"]
+  - apiGroups: [ "security.istio.io" ]
+    resources: [ "authorizationpolicies" ]
+    verbs: [ "get", "list", "watch", "delete", "create", "update", "patch" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "ftl.fullname" . }}-controller
+  labels:
+    {{- include "ftl.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "ftl.fullname" . }}-controller
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "ftl.fullname" . }}-controller

charts/templates/controller-services.yaml

@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    {{- include "ftl.labels" . | nindent 4 }}
+  name: {{ include "ftl.fullname" . }}-controller
+  {{- if .Values.controller.service.annotations }}
+  annotations:
+    {{- toYaml .Values.controller.service.annotations | nindent 4 }}
+  {{- end }}
+spec:
+  ports:
+    {{- range .Values.controller.service.ports }}
+    - name: {{ .name }}
+      port: {{ .port }}
+      protocol: {{ .protocol | default "TCP" }}
+      {{- if .appProtocol }}
+      appProtocol: {{ .appProtocol }}
+      {{- end }}
+      targetPort: {{ .targetPort }}
+    {{- end }}
+  selector:
+    {{- include "ftl-controller.selectorLabels" . | nindent 4 }}
+  type: {{ .Values.controller.service.type | default "ClusterIP" }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    {{- include "ftl.labels" . | nindent 4 }}
+  name: {{ include "ftl.fullname" . }}-controller-ingress
+  {{- if .Values.controller.ingressService.annotations }}
+  annotations:
+    {{- toYaml .Values.controller.ingressService.annotations | nindent 4 }}
+  {{- end }}
+spec:
+  ports:
+    {{- range .Values.controller.ingressService.ports }}
+    - name: {{ .name }}
+      port: {{ .port }}
+      protocol: {{ .protocol | default "TCP" }}
+      targetPort: {{ .targetPort }}
+    {{- end }}
+  selector:
+    {{- include "ftl-controller.selectorLabels" . | nindent 4 }}
+  type: {{ .Values.controller.ingressService.type | default "ClusterIP" }}

charts/templates/controller.yaml

@@ -0,0 +1,85 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "ftl.fullname" . }}-controller
+  labels:
+    {{- include "ftl.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.controller.replicas }}
+  revisionHistoryLimit: {{ .Values.controller.revisionHistoryLimit }}
+  selector:
+    matchLabels:
+      {{- include "ftl-controller.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "ftl-controller.selectorLabels" . | nindent 8 }}
+      {{- if .Values.controller.podAnnotations }}
+      annotations:
+        {{- toYaml .Values.controller.podAnnotations | nindent 8 }}
+      {{- end }}
+    spec:
+      serviceAccountName: {{ include "ftl.fullname" . }}-controller
+      containers:
+        - name: app
+          image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }}"
+          {{- if .Values.controller.envFrom }}
+          envFrom:
+            {{- if .Values.controller.envFrom }}
+            {{- toYaml .Values.controller.envFrom | nindent 12 }}
+            {{- end }}
+          {{- else if or .Values.secrets.logEncryptionKey .Values.secrets.asyncEncryptionKey }}
+          envFrom:
+            - secretRef:
+                name: {{ include "ftl.fullname" . }}-secrets
+          {{- end }}
+          env:
+            {{- if .Values.controller.env }}
+            {{- toYaml .Values.controller.env | nindent 12 }}
+            {{- end }}
+            {{- if not .Values.postgresql.enabled }}
+            - name: FTL_CONTROLLER_DSN
+              value: "{{ .Values.controller.dbConnectionString }}"
+            {{- else }}
+            - name: FTL_CONTROLLER_DSN
+              value: "postgres://{{ .Release.Name }}-postgresql:5432/{{ .Values.postgresql.global.postgresql.auth.database }}?sslmode=disable&user={{ .Values.postgresql.global.postgresql.auth.username }}&password={{ .Values.postgresql.global.postgresql.auth.password }}"
+            {{- end }}
+            {{- if .Values.controller.kmsUri }}
+            - name: FTL_KMS_URI
+              value: "{{ .Values.controller.kmsUri }}"
+            {{- end }}
+          ports:
+            {{- range .Values.controller.ports }}
+            - name: {{ .name }}
+              containerPort: {{ .containerPort }}
+              protocol: {{ .protocol | default "TCP" }}
+            {{- end }}
+          readinessProbe:
+            {{- if .Values.controller.readinessProbe }}
+            {{- toYaml .Values.controller.readinessProbe | nindent 12 }}
+            {{- else }}
+            httpGet:
+              path: /healthz
+              port: 8892
+            initialDelaySeconds: 1
+            periodSeconds: 2
+            timeoutSeconds: 2
+            successThreshold: 1
+            failureThreshold: 15
+            {{- end }}
+      {{- if .Values.controller.nodeSelector }}
+      nodeSelector:
+        {{- toYaml .Values.controller.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if .Values.controller.affinity }}
+      affinity:
+        {{- toYaml .Values.controller.affinity | nindent 8 }}
+      {{- end }}
+      {{- if .Values.controller.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml .Values.controller.topologySpreadConstraints | nindent 8 }}
+      {{- end }}
+      {{- if .Values.controller.tolerations }}
+      tolerations:
+        {{- toYaml .Values.controller.tolerations | nindent 8 }}
+      {{- end }}