feat: Helm chart for Kubernetes deployment #44
Open
eric-becker wants to merge 2 commits into
added 2 commits
May 2, 2026 22:52
Adds charts/floodgate/ — Deployment, Service, ConfigMap,
ServiceAccount, optional PodDisruptionBudget, NOTES.txt — with
values.yaml that mirrors config.yaml so every floodgate config option
is overridable via --set or a values file. The Deployment carries a
checksum/config annotation so ConfigMap changes drive a rolling
restart automatically.
Container ports, Service port, and probe ports all derive from
.Values.config.{grpc_port,health_port} so there is one source of
truth — no risk of the chart and the rendered config disagreeing.
Security context (nonroot, read-only fs, drop ALL caps, runAsUser
65534) matches the upstream Dockerfile defaults.
CI: extends the existing manifests job with helm lint and two
helm template | kubeconform passes (defaults plus a non-trivial
override set covering PDB, drop_enabled, json logs).
Closes #20.
Adds k8s/README.md flagging the static manifests as deprecated and pointing readers at charts/floodgate/. Updates the root README and CLAUDE.md file table to match. The static manifests are intentionally left in place for one release to give kubectl-only deployers a deprecation window; they will be removed in a follow-up.
Summary
Adds charts/floodgate/ — a Helm chart that replaces the static manifests in k8s/ as the supported install path. Also flags the static manifests as deprecated (kept in place for one release for kubectl apply -f users).

Closes #20.

What's in the chart
- Chart.yaml, .helmignore, values.yaml, _helpers.tpl
- Deployment, Service (ClusterIP, gRPC only), ConfigMap, ServiceAccount, optional PodDisruptionBudget, NOTES.txt
- README.md with install / upgrade / uninstall and a values highlights table

values.yaml shape
values.config mirrors config.yaml 1:1 — every floodgate config key is a Helm value, overridable via --set or a values file. The chart renders that block verbatim into the ConfigMap, so the chart and the running floodgate can never disagree on which keys exist.

Container ports, Service port, and probe ports all derive from .Values.config.{grpc_port,health_port} — single source of truth.

Hardening
containerSecurityContext defaults match the upstream Dockerfile: runAsNonRoot, runAsUser: 65534, readOnlyRootFilesystem, allowPrivilegeEscalation: false, capabilities.drop: [ALL].

Rolling restarts on config change
The Deployment carries a checksum/config annotation computed via sha256sum of the rendered ConfigMap. ConfigMap edits → checksum changes → rolling restart. No manual kubectl rollout restart needed.

CI
Extends the existing manifests job:
- helm lint charts/floodgate
- helm template floodgate charts/floodgate | kubeconform -strict -summary (default values)
- podDisruptionBudget.enabled=true,config.drop_enabled=true,config.drop_portnums={RANGE_TEST_APP},config.log_format=json

The static k8s/*.yaml validation step is unchanged.

Stale-spec note
Issue #20 mentions channel_blacklist / channel_whitelist — those keys were removed in #29. The chart instead exposes zerohop_channels / drop_channels, matching the current schema.

Out of scope (per issue)

Test plan
- helm lint charts/floodgate — clean
- helm template ... | kubeconform -strict (defaults) — 4 resources valid
- helm template ... | kubeconform -strict (PDB + drop + json overrides) — 5 resources valid
- k8s/*.yaml — still 3 resources valid

🤖 Generated with Claude Code
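The hardening defaults named in the description above can be enforced on rendered output rather than trusted from values.yaml. The following is an added example, not code from this PR or the floodgate project: the function name `audit_deployment` is hypothetical, and both Deployment fragments are constructed samples in JSON form, not the chart's real output.

```python
import json

# Constructed samples of a rendered Deployment, reduced to the fields checked.
# HARDENED mirrors the defaults listed in the PR description; WEAK does not.
HARDENED = json.loads("""
{"spec": {"template": {"spec": {
  "containers": [{"name": "floodgate", "securityContext": {
    "runAsNonRoot": true, "runAsUser": 65534,
    "readOnlyRootFilesystem": true,
    "allowPrivilegeEscalation": false,
    "capabilities": {"drop": ["ALL"]}}}]}}}}
""")
WEAK = json.loads("""
{"spec": {"template": {"spec": {
  "containers": [{"name": "floodgate", "securityContext": {
    "runAsUser": 0,
    "capabilities": {"drop": ["NET_RAW"], "add": ["NET_ADMIN"]}}}]}}}}
""")

def audit_deployment(deploy):
    """Return sorted 'container: finding' strings; an empty list means compliant."""
    pod = deploy["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext") or {}
    findings = []
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        sc = c.get("securityContext") or {}
        # runAsNonRoot / runAsUser may be inherited from the pod; container value wins.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        caps = sc.get("capabilities") or {}
        checks = {
            "runAsNonRoot is not true": non_root is not True,
            "runAsUser is 0 (root)": uid == 0,
            "readOnlyRootFilesystem is not true":
                sc.get("readOnlyRootFilesystem") is not True,
            # Unset means escalation is allowed, so require an explicit false.
            "allowPrivilegeEscalation is not false":
                sc.get("allowPrivilegeEscalation") is not False,
            "capabilities.drop lacks ALL": "ALL" not in (caps.get("drop") or []),
            "capabilities.add is non-empty": bool(caps.get("add")),
        }
        findings += [f"{c['name']}: {msg}" for msg, bad in checks.items() if bad]
    return sorted(findings)

if __name__ == "__main__":
    for label, doc in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_deployment(doc) or "OK")
```

Run against every Deployment produced by `helm template` with the override sets used in CI, this catches a values override that silently loosens the container security context.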