k8s: adding a helm chart

Author: grampelberg

.envrc.example

@@ -1,4 +1,6 @@
 #!/bin/bash
 
+export LOCAL_REGISTRY="kuberift:5432"
+
 export GHCR_USER="me"
 export GHCR_TOKEN="token"

.github/workflows/build.yml

@@ -1,23 +1,13 @@
 name: build
 
 on:
-  pull_request:
-    branches:
-      - main
-
   workflow_call:
 
 env:
   CARGO_TERM_COLOR: always
   RUST_BACKTRACE: 1
   CARGO_INCREMENTAL: 0
   RUSTFLAGS: -D warnings
-  IMAGE: ghcr.io/grampelberg/kuberift
-
-concurrency:
-  group: |-
-    build-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
 
 jobs:
   binary:
@@ -67,26 +57,30 @@ jobs:
           path: kuberift*
           retention-days: 1
 
-  docker:
-    runs-on: ${{ matrix.runner }}
-
+  # The state of include/exclude in matrices is tough because we want to add the
+  # runner to the matrix based on arch. Calling a sub-workflow allows for
+  # code-reuse without having to deal with that added complexity.
+  docker-linux-amd64:
+    uses: ./.github/workflows/docker.yml
     permissions:
       packages: write
+    with:
+      os: linux
+      arch: amd64
+      runner: ubuntu-latest
+
+  docker-linux-arm64:
+    if: ${{ github.event_name != 'pull_request' }}
+    uses: ./.github/workflows/docker.yml
+    permissions:
+      packages: write
+    with:
+      os: linux
+      arch: arm64
+      runner: buildjet-4vcpu-ubuntu-2204-arm
 
-    strategy:
-      matrix:
-        os: [linux]
-        arch:
-          - amd64
-          # The emulated arm64 builds are painfully slow (90m last time). Skip them until we have dedicated linux-arm64 hardware.
-          - arm64
-
-        include:
-          - arch: amd64
-            runner: ubuntu-latest
-
-          - arch: arm64
-            runner: buildjet-4vcpu-ubuntu-2204-arm
+  helm:
+    runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@v4
@@ -95,56 +89,21 @@ jobs:
 
       - uses: taiki-e/install-action@v2
         with:
-          tool: just,git-cliff
-      - name: set version
-        run: just set-version
-
-      - name: meta
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: |
-            ${{ env.IMAGE }}
-          tags: |
-            type=ref,event=tag
-            type=raw,value=unstable,enable={{is_default_branch}}
-            type=sha
-
-      - name: buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: login
-        uses: docker/login-action@v3
+          tool: git-cliff
+      - uses: jdx/mise-action@v2
         with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          experimental: true
+          mise_toml: |
+            [tools]
+            helm = "latest"
+            just = "latest"
 
-      - name: Build and push
-        id: build
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          platforms: ${{ matrix.os }}/${{ matrix.arch }}
-          cache-from: type=registry,ref=${{ env.IMAGE }}-cache
-          cache-to: type=registry,ref=${{ env.IMAGE }}-cache,mode=max
-          file: docker/kuberift.dockerfile
-          labels: ${{ steps.meta.outputs.labels }}
-          annotations: ${{ steps.meta.outputs.annotations }}
-          push: ${{ github.event_name != 'pull_request' }}
-          outputs: |-
-            type=image,name=${{ env.IMAGE }},push-by-digest=true,name-canonical=true
-
-      - name: create digest
+      - name: helm
         run: |
-          mkdir -p /tmp/digests
-          digest="${{ steps.build.outputs.digest }}"
-          touch "/tmp/digests/${digest#sha256:}"
+          just set-version helm-build
 
-      - name: upload digest
-        uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v4
         with:
-          name: digests-${{ matrix.os }}-${{ matrix.arch }}
-          path: /tmp/digests/*
-          if-no-files-found: error
+          name: helm
+          path: /tmp/chart/*
           retention-days: 1

.github/workflows/check.yml

@@ -1,9 +1,6 @@
 name: check
 
 on:
-  pull_request:
-    branches: ['main']
-
   workflow_call:
 
 env:
@@ -12,11 +9,6 @@ env:
   CARGO_INCREMENTAL: 0
   RUSTFLAGS: -D warnings
 
-concurrency:
-  group: |-
-    check-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
 jobs:
   lint:
     runs-on: ubuntu-latest

.github/workflows/docker.yml

@@ -0,0 +1,96 @@
+name: docker
+
+on:
+  workflow_call:
+    inputs:
+      os:
+        required: true
+        description: 'Operating system to build for'
+        default: 'linux'
+        type: string
+      arch:
+        required: true
+        description: 'Architecture to build for'
+        default: 'amd64'
+        type: string
+      runner:
+        required: true
+        description: 'Runner to use'
+        default: 'ubuntu-latest'
+        type: string
+
+env:
+  CARGO_TERM_COLOR: always
+  RUST_BACKTRACE: 1
+  CARGO_INCREMENTAL: 0
+  RUSTFLAGS: -D warnings
+  IMAGE: ghcr.io/grampelberg/kuberift
+  CACHE: ghcr.io/grampelberg/cache/kuberift
+
+jobs:
+  build:
+    runs-on: ${{ inputs.runner }}
+
+    permissions:
+      packages: write
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: tags
+        run: git fetch --prune --unshallow --tags
+
+      - uses: taiki-e/install-action@v2
+        with:
+          tool: just,git-cliff
+      - name: set version
+        run: just set-version
+
+      - name: meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.IMAGE }}
+          tags: |
+            type=ref,event=tag
+            type=raw,value=unstable,enable={{is_default_branch}}
+            type=sha
+
+      - name: buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: login
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        id: build
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: ${{ inputs.os }}/${{ inputs.arch }}
+          cache-from: type=registry,ref=${{ env.CACHE }}
+          cache-to: type=registry,ref=${{ env.CACHE }},mode=max
+          file: docker/kuberift.dockerfile
+          labels: ${{ steps.meta.outputs.labels }}
+          annotations: ${{ steps.meta.outputs.annotations }}
+          push: ${{ github.event_name != 'pull_request' }}
+          outputs: |-
+            type=image,name=${{ env.IMAGE }},push-by-digest=true,name-canonical=true
+
+      - name: create digest
+        run: |
+          mkdir -p /tmp/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "/tmp/digests/${digest#sha256:}"
+
+      - name: upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-${{ inputs.os }}-${{ inputs.arch }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1

.github/workflows/pr.yml

@@ -0,0 +1,21 @@
+name: pr
+
+on:
+  pull_request:
+    branches:
+      - main
+
+concurrency:
+  group: |-
+    build-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  check:
+    uses: ./.github/workflows/check.yml
+
+  build:
+    permissions:
+      packages: write
+
+    uses: ./.github/workflows/build.yml

.github/workflows/release.yml

@@ -28,8 +28,6 @@ jobs:
   merge:
     runs-on: ubuntu-latest
 
-    if: ${{ github.event_name != 'pull_request' }}
-
     permissions:
       packages: write
 
@@ -93,6 +91,35 @@ jobs:
         run: |
           docker buildx imagetools inspect ${{ env.IMAGE }}:${{ steps.meta.outputs.version }}
 
+  helm:
+    runs-on: ubuntu-latest
+    needs:
+      - build
+
+    permissions:
+      packages: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: jdx/mise-action@v2
+        with:
+          experimental: true
+          mise_toml: |
+            [tools]
+            helm = "latest"
+            just = "latest"
+
+      - uses: actions/download-artifact@v4
+        with:
+          path: /tmp/chart
+          name: helm
+
+      - name: upload
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: just helm-upload
+
   release:
     runs-on: ubuntu-latest
     needs:
@@ -112,6 +139,11 @@ jobs:
           pattern: kuberift-*
           merge-multiple: true
 
+      - uses: actions/download-artifact@v4
+        with:
+          path: /tmp/chart
+          name: helm
+
       - uses: taiki-e/install-action@v2
         with:
           tool: git-cliff
@@ -137,3 +169,4 @@ jobs:
           tag_name: unstable
           files: |-
             /tmp/binaries/*
+            /tmp/chart/*

.mise.toml

@@ -1,7 +1,8 @@
 [tools]
-"cargo:cargo-audit" = "latest"
+"cargo:cargo-audit" = "0.20.0"
 "cargo:cargo-binstall" = "1.7.4"
 "cargo:cargo-outdated" = "0.15.0"
 "npm:prettier" = "3.3.2"
 "npm:prettier-plugin-toml" = "2.0.1"
 just = "1.34.0"
+helm = "3.15.4"

DEVELOPMENT.md

@@ -0,0 +1,35 @@
+# Development
+
+## CI
+
+On PR, CI produces a darwin-arm64 binary and helm chart. Click on any step from
+the PR and then `Summary` on the left sidebar to see the uploaded artifacts.
+Docker images are not currently build/uploaded on PR runs.
+
+## Environment
+
+Copy `.envrc.example` to `.envrc`. The `GHCR_TOKEN` is a [personal access
+token][pat] with permissions to `write:packages`. This is only required if you
+want to upload directly to github.
+
+[pat]:
+  https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens
+
+## Cluster
+
+We recommend using [k3d][k3d] to run a local cluster. To setup:
+
+```bash
+k3d cluster create kuberift --registry-create kuberift:5432
+```
+
+Next, you'll want to add the registry to your `/etc/hosts`:
+
+```bash
+echo "127.0.0.1 kuberift" | sudo tee -a /etc/hosts
+```
+
+When you run `just dev-push`, an image at `kuberift:5432/kuberift:latest` will
+be available to run inside the cluster.
+
+[k3d]: https://k3d.io/v5.6.3/#releases