add web and app service

Author: jsbroks

charts/ctrlplane/Chart.lock

@@ -20,5 +20,11 @@ dependencies:
 - name: workspace-engine
   repository: file://charts/workspace-engine
   version: 0.1.0
-digest: sha256:0e91f273ef3731567ede504f5dee53983823962a69f54d2e13047e221253f98b
-generated: "2025-10-20T11:22:56.849671-07:00"
+- name: api
+  repository: file://charts/api
+  version: 1.0.0
+- name: web
+  repository: file://charts/web
+  version: 1.0.0
+digest: sha256:756516a6f12884144d13d94d9316e767188d95aedb9009634e80f16e46b1bbd7
+generated: "2025-10-26T13:32:54.817996-04:00"

charts/ctrlplane/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: ctrlplane
 description: Ctrlplane Helm chart for Kubernetes
 type: application
-version: 0.5.1
+version: 0.6.0
 appVersion: "1.16.0"
 
 maintainers:
@@ -39,3 +39,11 @@ dependencies:
     condition: workspace-engine.install
     version: "*.*.*"
     repository: "file://charts/workspace-engine"
+  - name: api
+    condition: api.install
+    version: "*.*.*"
+    repository: "file://charts/api"
+  - name: web
+    condition: web.install
+    version: "*.*.*"
+    repository: "file://charts/web"

charts/ctrlplane/charts/api/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/ctrlplane/charts/api/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: api
+description: A Helm chart for Kubernetes
+type: application
+version: 1.0.0
+appVersion: "1.0.0"

charts/ctrlplane/charts/api/README.md

@@ -0,0 +1 @@
+# webservice

charts/ctrlplane/charts/api/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "api.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "api.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "api.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "api.labels" -}}
+helm.sh/chart: {{ include "api.chart" . }}
+{{ include "api.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "api.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "api.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "api.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "api.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

charts/ctrlplane/charts/api/templates/deployment.yaml

@@ -0,0 +1,146 @@
+{{- $imageCfg := dict "global" $.Values.global.image "local" $.Values.image -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "api.fullname" . }}
+  labels:
+    {{- include "api.labels" . | nindent 4 }}
+    {{- if .Values.deployment.labels -}}
+    {{-   toYaml .Values.deployment.labels | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- if .Values.deployment.annotations -}}
+    {{-   toYaml .Values.deployment.annotations | nindent 4 }}
+    {{- end }}
+spec:
+  replicas: {{ .Values.replica }}
+  selector:
+    matchLabels:
+      {{- include "api.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "api.labels" . | nindent 8 }}
+      annotations:
+        {{- if .Values.pod.annotations -}}
+        {{-   toYaml .Values.pod.annotations | nindent 8 }}
+        {{- end }}
+    spec:
+      serviceAccountName: {{ include "api.serviceAccountName" . }}
+      {{- if .tolerations }}
+      tolerations:
+        {{- toYaml .tolerations | nindent 8 }}
+      {{- end }}
+      {{- include "ctrlplane.nodeSelector" . | nindent 6 }}
+      {{- include "ctrlplane.priorityClassName" . | nindent 6 }}
+      {{- include "ctrlplane.podSecurityContext" .Values.pod.securityContext | nindent 6 }}
+      containers:
+        - name: api
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          ports:
+            - name: api
+              containerPort: 8081
+              protocol: TCP
+          env:
+            - name: BASE_URL
+              value: {{ .Values.global.fqdn }}
+            - name: AUTH_URL
+              value: {{ .Values.global.fqdn }}
+
+            - name: VARIABLES_AES_256_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-encryption-key
+                  key: AES_256_KEY
+
+            {{- if ne .Values.global.authProviders.google.clientId "" }}
+            - name: AUTH_GOOGLE_CLIENT_ID
+              value: {{ .Values.global.authProviders.google.clientId }}
+            - name: AUTH_GOOGLE_CLIENT_SECRET
+              value: {{ .Values.global.authProviders.google.clientSecret }}
+            {{- end }}
+
+            {{- if ne .Values.global.authProviders.oidc.clientId "" }}
+            - name: AUTH_OIDC_ISSUER
+              value: {{ .Values.global.authProviders.oidc.issuer }}
+            - name: AUTH_OIDC_CLIENT_ID
+              value: {{ .Values.global.authProviders.oidc.clientId }}
+            - name: AUTH_OIDC_CLIENT_SECRET
+              value: {{ .Values.global.authProviders.oidc.clientSecret }}
+            {{- end }}
+
+            {{- if eq .Values.global.authProviders.credentials.enabled "true" }}
+            - name: AUTH_CREDENTIALS_ENABLED
+              value: "true"
+            {{- else if eq .Values.global.authProviders.credentials.enabled "false" }}
+            - name: AUTH_CREDENTIALS_ENABLED
+              value: "false"
+            {{- else }}
+            - name: AUTH_CREDENTIALS_ENABLED
+              value: "auto"
+            {{- end }}
+
+            - name: KAFKA_BROKERS
+              value: {{ .Values.global.kafkaBrokers | quote }}
+
+            - name: POSTGRES_URL
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-connections
+                  key: POSTGRES_URL
+
+            - name: AUTH_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "api.fullname" . }}
+                  key: AUTH_SECRET
+            - name: GITHUB_URL
+              value: {{ include "ctrlplane.githubUrl" . }}
+            {{- with (include "ctrlplane.githubBot" . | fromYaml) }}
+            - name: GITHUB_BOT_NAME
+              value: {{ .name | quote }}
+            - name: GITHUB_BOT_APP_ID
+              value: {{ .appId | quote }}
+            - name: GITHUB_BOT_CLIENT_ID
+              value: {{ .clientId | quote }}
+            - name: GITHUB_BOT_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .secretRef }}
+                  key: GITHUB_BOT_CLIENT_SECRET
+                  optional: true
+            - name: GITHUB_BOT_PRIVATE_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .secretRef }}
+                  key: GITHUB_BOT_PRIVATE_KEY
+                  optional: true
+            - name: GITHUB_WEBHOOK_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .secretRef }}
+                  key: GITHUB_WEBHOOK_SECRET
+                  optional: true
+            # - name: OTEL_EXPORTER_OTLP_ENDPOINT
+              # value: http://{{ $.Release.Name }}-otel:4318
+            {{- end }}
+            {{- with (include "ctrlplane.azureApp" . | fromYaml) }}
+            - name: AZURE_APP_CLIENT_ID
+              value: {{ .clientId | quote }}
+            {{- end }}
+            {{- include "ctrlplane.extraEnv" . | nindent 12 }}
+            {{- include "ctrlplane.extraEnvFrom" (dict "root" $ "local" .) | nindent 12 }}
+          livenessProbe:
+            httpGet:
+              path: /api/healthz
+              port: api
+          readinessProbe:
+            httpGet:
+              path: /api/healthz
+              port: api
+          startupProbe:
+            httpGet:
+              path: /api/healthz
+              port: api
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}

charts/ctrlplane/charts/api/templates/hpa.yaml

@@ -0,0 +1,28 @@
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "api.fullname" . }}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    {{- include "api.labels" . | nindent 4 }}
+    {{- if .Values.hpa.labels -}}
+    {{-   toYaml .Values.hpa.labels | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- if .Values.hpa.annotations -}}
+    {{-   toYaml .Values.hpa.annotations | nindent 4 }}
+    {{- end }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "api.fullname" . }}
+  minReplicas: {{ .Values.hpa.minReplicas }}
+  maxReplicas: {{ .Values.hpa.maxReplicas }}
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: 70

charts/ctrlplane/charts/api/templates/secrets.yaml

@@ -0,0 +1,14 @@
+{{- $secretName := (include "api.fullname" .)  }}
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+  labels:
+    {{- include "api.labels" . | nindent 4 }}
+data:
+{{- if $secret }}
+  AUTH_SECRET: {{ $secret.data.AUTH_SECRET }}
+{{- else }}
+  AUTH_SECRET: {{ randAlphaNum 64 | b64enc }}
+{{- end }}

charts/ctrlplane/charts/api/templates/service.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "api.fullname" . }}
+  labels:
+    {{- include "api.labels" . | nindent 4 }}
+    {{- if .Values.service.labels -}}
+    {{-   toYaml .Values.service.labels | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- if .Values.service.annotations -}}
+    {{-   toYaml .Values.service.annotations | nindent 4 }}
+    {{- end }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: 8081
+      protocol: TCP
+      name: http-api
+  selector:
+    {{- include "api.labels" . | nindent 4 }}