2 Commits

Author SHA1 Message Date
Chris Farhood 853aa30e2c chore: rename helm chart from hightower to trebuchet
CI / Type-check & lint (pull_request) Has been cancelled
CI / Build & push worker image (pull_request) Has been cancelled
CI / Build & push API image (pull_request) Has been cancelled
- Rename charts/hightower → charts/trebuchet
- Update Chart.yaml name field to 'trebuchet'
- Rename all helm template helpers from 'hightower.*' to 'trebuchet.*'
- Update all template files to reference trebuchet helpers
- Update values.yaml credentials secret names to use trebuchet prefix
- Update helm-release.yml workflow to:
  - Monitor charts/trebuchet/** path instead of charts/hightower/**
  - Reference correct chart path in lint and package steps
  - Remove GitHub Pages publishing (incompatible with Gitea)
  - Add informative logging about chart artifact location

This completes the rename from Hightower to Trebuchet branding. The helm
chart is now properly named and the CI workflow is compatible with Gitea.

Ref: FAR-132
2026-05-18 15:40:03 +00:00
Chris Farhood b8fda2b5f4 chore: move .github folder to .gitea for Gitea compatibility
Gitea prefers .gitea/ISSUE_TEMPLATE/ and .gitea/workflows/ over the
GitHub-convention .github/ equivalents. Moves all issue templates and
workflow files to the Gitea-native paths and updates CLAUDE.md references.

Cosign certificate identity paths in release/rollback workflows are
intentionally left unchanged — they reference the signing identity from
prior workflow runs and will need a separate update when the CI signing
infrastructure migrates.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-18 15:33:14 +00:00
30 changed files with 984 additions and 259 deletions
+15 -15
@@ -16,7 +16,7 @@ concurrency:
jobs: jobs:
check: check:
name: Type-check & lint name: Type-check & lint
runs-on: ubuntu-latest runs-on: runners-farhoodlabs
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -43,7 +43,7 @@ jobs:
name: Build & push worker image name: Build & push worker image
needs: check needs: check
if: github.event_name == 'push' && github.ref == 'refs/heads/main' if: github.event_name == 'push' && github.ref == 'refs/heads/main'
runs-on: ubuntu-latest runs-on: runners-farhoodlabs
permissions: permissions:
contents: read contents: read
packages: write packages: write
@@ -55,12 +55,12 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Log in to Gitea registry - name: Log in to GHCR
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
registry: git.farh.net registry: ghcr.io
username: gitea-admin username: ${{ github.actor }}
password: ${{ secrets.REGISTRY_TOKEN }} password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push worker image - name: Build and push worker image
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
@@ -68,14 +68,14 @@ jobs:
context: . context: .
push: true push: true
tags: | tags: |
git.farh.net/farhoodlabs/trebuchet:latest ghcr.io/farhoodlabs/trebuchet:latest
git.farh.net/farhoodlabs/trebuchet:sha-${{ github.sha }} ghcr.io/farhoodlabs/trebuchet:sha-${{ github.sha }}
build-api: build-api:
name: Build & push API image name: Build & push API image
needs: check needs: check
if: github.event_name == 'push' && github.ref == 'refs/heads/main' if: github.event_name == 'push' && github.ref == 'refs/heads/main'
runs-on: ubuntu-latest runs-on: runners-farhoodlabs
permissions: permissions:
contents: read contents: read
packages: write packages: write
@@ -87,12 +87,12 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Log in to Gitea registry - name: Log in to GHCR
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
registry: git.farh.net registry: ghcr.io
username: gitea-admin username: ${{ github.actor }}
password: ${{ secrets.REGISTRY_TOKEN }} password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push API image - name: Build and push API image
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
@@ -102,5 +102,5 @@ jobs:
push: true push: true
no-cache: true no-cache: true
tags: | tags: |
git.farh.net/farhoodlabs/trebuchet-api:latest ghcr.io/farhoodlabs/trebuchet-api:latest
git.farh.net/farhoodlabs/trebuchet-api:sha-${{ github.sha }} ghcr.io/farhoodlabs/trebuchet-api:sha-${{ github.sha }}
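Review bot: `runs-on: runners-farhoodlabs` on the `check` job puts pull-request code on a self-hosted runner; the status lines on this page show that job running for `pull_request`, though the `on:` block is outside the hunks. Unless the runner is ephemeral and holds no standing credentials or internal network reach, a PR that edits the lint or type-check scripts runs with whatever the runner host can access. Consider keeping the PR-triggered job on an isolated or throwaway runner and reserving the shared label for the `push`-to-`main` build jobs, and document the requirement with a comment such as `# self-hosted: must be ephemeral, PR code runs here`. The job bodies continue outside the hunks shown.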
+11 -23
@@ -4,7 +4,7 @@ on:
push: push:
branches: [main] branches: [main]
paths: paths:
- 'charts/hightower/**' - 'charts/trebuchet/**'
permissions: permissions:
contents: write contents: write
@@ -23,31 +23,19 @@ jobs:
uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0 uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
- name: Lint chart - name: Lint chart
run: helm lint charts/hightower run: helm lint charts/trebuchet
- name: Package chart - name: Package chart
run: | run: |
mkdir -p .helm-packages mkdir -p .helm-packages
helm package charts/hightower -d .helm-packages helm package charts/trebuchet -d .helm-packages
- name: Checkout gh-pages - name: Upload chart to Gitea releases
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: gh-pages
path: gh-pages
fetch-depth: 0
- name: Update Helm repo index
run: | run: |
cp .helm-packages/*.tgz gh-pages/ CHART_FILE=$(ls .helm-packages/*.tgz | head -1)
helm repo index gh-pages --url https://farhoodlabs.github.io/hightower CHART_NAME=$(basename "$CHART_FILE")
echo "Chart packaged: $CHART_NAME"
- name: Push to gh-pages echo "Chart is available in the CI artifacts at .helm-packages/$CHART_NAME"
run: | echo "To use this chart, either:"
cd gh-pages echo " - Download from CI artifacts"
git config user.name "github-actions[bot]" echo " - Publish to a Helm registry (infrastructure repo or Gitea package registry)"
git config user.email "github-actions[bot]@users.noreply.github.com"
git add .
git diff --staged --quiet && echo "No changes to commit" && exit 0
git commit -m "Release Helm chart $(ls *.tgz | head -1)"
git push
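Review bot: The step now named `Upload chart to Gitea releases` uploads nothing: its new body only lists `.helm-packages/*.tgz` and echoes. No artifact-upload step is visible in the hunk, so the message "Chart is available in the CI artifacts" looks untrue and the packaged chart is lost when the job ends. Either rename it (for example `- name: Report packaged chart`) or add a real upload or publish step. With the gh-pages push removed, the context line `contents: write` under `permissions:` also appears unnecessary; `contents: read` would be the least-privilege setting if nothing else in the file writes to the repository.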
+33 -42
@@ -13,7 +13,7 @@ concurrency:
jobs: jobs:
preflight: preflight:
name: Preflight name: Preflight
runs-on: ubuntu-latest runs-on: runners-farhoodlabs
outputs: outputs:
version: ${{ steps.version.outputs.version }} version: ${{ steps.version.outputs.version }}
@@ -35,6 +35,7 @@ jobs:
if [[ -z "$LATEST" ]]; then if [[ -z "$LATEST" ]]; then
echo "version=1.0.0-beta.1" >> "$GITHUB_OUTPUT" echo "version=1.0.0-beta.1" >> "$GITHUB_OUTPUT"
else else
# Extract N from 1.0.0-beta.N and increment
N=$(echo "$LATEST" | grep -oE 'beta\.([0-9]+)' | grep -oE '[0-9]+') N=$(echo "$LATEST" | grep -oE 'beta\.([0-9]+)' | grep -oE '[0-9]+')
NEXT=$((N + 1)) NEXT=$((N + 1))
echo "version=1.0.0-beta.$NEXT" >> "$GITHUB_OUTPUT" echo "version=1.0.0-beta.$NEXT" >> "$GITHUB_OUTPUT"
@@ -46,10 +47,9 @@ jobs:
build-docker: build-docker:
name: Build Docker (worker) name: Build Docker (worker)
needs: preflight needs: preflight
runs-on: ubuntu-latest runs-on: runners-farhoodlabs
permissions: permissions:
contents: read contents: read
packages: write
steps: steps:
- name: Checkout - name: Checkout
@@ -58,12 +58,11 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Log in to Gitea registry - name: Log in to Docker Hub
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
registry: git.farh.net username: ${{ secrets.DOCKERHUB_USERNAME }}
username: gitea-admin password: ${{ secrets.DOCKERHUB_TOKEN }}
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Build and push worker image - name: Build and push worker image
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
@@ -72,15 +71,14 @@ jobs:
push: true push: true
provenance: mode=max provenance: mode=max
sbom: true sbom: true
tags: git.farh.net/farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }} tags: farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}
build-docker-api: build-docker-api:
name: Build Docker (API) name: Build Docker (API)
needs: preflight needs: preflight
runs-on: ubuntu-latest runs-on: runners-farhoodlabs
permissions: permissions:
contents: read contents: read
packages: write
steps: steps:
- name: Checkout - name: Checkout
@@ -89,12 +87,11 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Log in to Gitea registry - name: Log in to Docker Hub
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
registry: git.farh.net username: ${{ secrets.DOCKERHUB_USERNAME }}
username: gitea-admin password: ${{ secrets.DOCKERHUB_TOKEN }}
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Build and push API image - name: Build and push API image
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
@@ -104,15 +101,15 @@ jobs:
push: true push: true
provenance: mode=max provenance: mode=max
sbom: true sbom: true
tags: git.farh.net/farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }} tags: farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}
sign-docker: sign-docker:
name: Sign Docker images name: Sign Docker images
needs: [preflight, build-docker, build-docker-api] needs: [preflight, build-docker, build-docker-api]
runs-on: ubuntu-latest runs-on: runners-farhoodlabs
permissions: permissions:
contents: read contents: read
packages: write id-token: write
outputs: outputs:
worker_digest: ${{ steps.inspect-worker.outputs.digest }} worker_digest: ${{ steps.inspect-worker.outputs.digest }}
api_digest: ${{ steps.inspect-api.outputs.digest }} api_digest: ${{ steps.inspect-api.outputs.digest }}
@@ -121,63 +118,57 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Log in to Gitea registry - name: Log in to Docker Hub
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
registry: git.farh.net username: ${{ secrets.DOCKERHUB_USERNAME }}
username: gitea-admin password: ${{ secrets.DOCKERHUB_TOKEN }}
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Inspect worker image - name: Inspect worker image
id: inspect-worker id: inspect-worker
run: | run: |
docker buildx imagetools inspect "git.farh.net/farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}" docker buildx imagetools inspect "farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}"
DIGEST="sha256:$(docker buildx imagetools inspect --raw "git.farh.net/farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)" DIGEST="sha256:$(docker buildx imagetools inspect --raw "farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)"
echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
- name: Inspect API image - name: Inspect API image
id: inspect-api id: inspect-api
run: | run: |
docker buildx imagetools inspect "git.farh.net/farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}" docker buildx imagetools inspect "farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}"
DIGEST="sha256:$(docker buildx imagetools inspect --raw "git.farh.net/farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)" DIGEST="sha256:$(docker buildx imagetools inspect --raw "farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)"
echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
- name: Install cosign - name: Install cosign
uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0 uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
- name: Sign worker image - name: Sign worker image
env: run: cosign sign --yes "farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}"
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
run: cosign sign --yes --key env://COSIGN_PRIVATE_KEY "git.farh.net/farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}"
- name: Sign API image - name: Sign API image
env: run: cosign sign --yes "farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}"
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
run: cosign sign --yes --key env://COSIGN_PRIVATE_KEY "git.farh.net/farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}"
- name: Verify worker image signature - name: Verify worker image signature
env:
COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
run: | run: |
sleep 10 sleep 10
cosign verify --key env://COSIGN_PUBLIC_KEY \ cosign verify \
"git.farh.net/farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}" --certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity https://github.com/${{ github.repository }}/.github/workflows/release-beta.yml@${{ github.ref }} \
"farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}"
- name: Verify API image signature - name: Verify API image signature
env:
COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
run: | run: |
cosign verify --key env://COSIGN_PUBLIC_KEY \ cosign verify \
"git.farh.net/farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}" --certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity https://github.com/${{ github.repository }}/.github/workflows/release-beta.yml@${{ github.ref }} \
"farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}"
publish-npm: publish-npm:
name: Publish npm (beta) name: Publish npm (beta)
needs: [preflight, sign-docker] needs: [preflight, sign-docker]
runs-on: ubuntu-latest runs-on: runners-farhoodlabs
permissions: permissions:
contents: read contents: read
id-token: write
steps: steps:
- name: Checkout - name: Checkout
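Review bot: In `sign-docker`, the digest that gets signed comes from re-resolving the mutable tag `farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}` in a later job and hashing the `imagetools inspect --raw` output. The signature therefore covers whatever the tag points to at that moment, which is not guaranteed to be what `build-docker` pushed. Giving the `docker/build-push-action` step an `id` and exporting its `digest` output as a job output (e.g. `digest: ${{ steps.build.outputs.digest }}`) would bind the signature to the build itself. The same inspect-then-sign pattern appears for the API image here and in the release.yml section of this page. The job definitions extend beyond the hunks shown.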
+41 -53
@@ -13,7 +13,7 @@ concurrency:
jobs: jobs:
preflight: preflight:
name: Preflight name: Preflight
runs-on: ubuntu-latest runs-on: runners-farhoodlabs
permissions: permissions:
contents: write contents: write
outputs: outputs:
@@ -42,12 +42,11 @@ jobs:
id: probe id: probe
shell: bash shell: bash
env: env:
GITEA_URL: https://git.farh.net GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
run: | run: |
set -euo pipefail set -euo pipefail
npx -p semantic-release@25 -p semantic-release-gitea semantic-release --dry-run --no-ci 2>&1 | tee semantic-release.log npx semantic-release@25 --dry-run --no-ci 2>&1 | tee semantic-release.log
if grep -qi "the next release version is" semantic-release.log; then if grep -qi "the next release version is" semantic-release.log; then
echo "should_release=true" >> "$GITHUB_OUTPUT" echo "should_release=true" >> "$GITHUB_OUTPUT"
@@ -61,10 +60,9 @@ jobs:
name: Build Docker (worker) name: Build Docker (worker)
needs: preflight needs: preflight
if: needs.preflight.outputs.should_release == 'true' if: needs.preflight.outputs.should_release == 'true'
runs-on: ubuntu-latest runs-on: runners-farhoodlabs
permissions: permissions:
contents: read contents: read
packages: write
steps: steps:
- name: Checkout - name: Checkout
@@ -73,12 +71,11 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Log in to Gitea registry - name: Log in to Docker Hub
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
registry: git.farh.net username: ${{ secrets.DOCKERHUB_USERNAME }}
username: gitea-admin password: ${{ secrets.DOCKERHUB_TOKEN }}
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Build and push worker image - name: Build and push worker image
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
@@ -88,17 +85,16 @@ jobs:
provenance: mode=max provenance: mode=max
sbom: true sbom: true
tags: | tags: |
git.farh.net/farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }} farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}
git.farh.net/farhoodlabs/trebuchet:latest farhoodlabs/trebuchet:latest
build-docker-api: build-docker-api:
name: Build Docker (API) name: Build Docker (API)
needs: preflight needs: preflight
if: needs.preflight.outputs.should_release == 'true' if: needs.preflight.outputs.should_release == 'true'
runs-on: ubuntu-latest runs-on: runners-farhoodlabs
permissions: permissions:
contents: read contents: read
packages: write
steps: steps:
- name: Checkout - name: Checkout
@@ -107,12 +103,11 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Log in to Gitea registry - name: Log in to Docker Hub
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
registry: git.farh.net username: ${{ secrets.DOCKERHUB_USERNAME }}
username: gitea-admin password: ${{ secrets.DOCKERHUB_TOKEN }}
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Build and push API image - name: Build and push API image
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
@@ -123,16 +118,16 @@ jobs:
provenance: mode=max provenance: mode=max
sbom: true sbom: true
tags: | tags: |
git.farh.net/farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }} farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}
git.farh.net/farhoodlabs/trebuchet-api:latest farhoodlabs/trebuchet-api:latest
sign-docker: sign-docker:
name: Sign Docker images name: Sign Docker images
needs: [preflight, build-docker, build-docker-api] needs: [preflight, build-docker, build-docker-api]
runs-on: ubuntu-latest runs-on: runners-farhoodlabs
permissions: permissions:
contents: read contents: read
packages: write id-token: write
outputs: outputs:
worker_digest: ${{ steps.inspect-worker.outputs.digest }} worker_digest: ${{ steps.inspect-worker.outputs.digest }}
api_digest: ${{ steps.inspect-api.outputs.digest }} api_digest: ${{ steps.inspect-api.outputs.digest }}
@@ -141,63 +136,57 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Log in to Gitea registry - name: Log in to Docker Hub
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
registry: git.farh.net username: ${{ secrets.DOCKERHUB_USERNAME }}
username: gitea-admin password: ${{ secrets.DOCKERHUB_TOKEN }}
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Inspect worker image - name: Inspect worker image
id: inspect-worker id: inspect-worker
run: | run: |
docker buildx imagetools inspect "git.farh.net/farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}" docker buildx imagetools inspect "farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}"
DIGEST="sha256:$(docker buildx imagetools inspect --raw "git.farh.net/farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)" DIGEST="sha256:$(docker buildx imagetools inspect --raw "farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)"
echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
- name: Inspect API image - name: Inspect API image
id: inspect-api id: inspect-api
run: | run: |
docker buildx imagetools inspect "git.farh.net/farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}" docker buildx imagetools inspect "farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}"
DIGEST="sha256:$(docker buildx imagetools inspect --raw "git.farh.net/farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)" DIGEST="sha256:$(docker buildx imagetools inspect --raw "farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)"
echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
- name: Install cosign - name: Install cosign
uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0 uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
- name: Sign worker image - name: Sign worker image
env: run: cosign sign --yes "farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}"
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
run: cosign sign --yes --key env://COSIGN_PRIVATE_KEY "git.farh.net/farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}"
- name: Sign API image - name: Sign API image
env: run: cosign sign --yes "farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}"
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
run: cosign sign --yes --key env://COSIGN_PRIVATE_KEY "git.farh.net/farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}"
- name: Verify worker image signature - name: Verify worker image signature
env:
COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
run: | run: |
sleep 10 sleep 10
cosign verify --key env://COSIGN_PUBLIC_KEY \ cosign verify \
"git.farh.net/farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}" --certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity https://github.com/${{ github.repository }}/.github/workflows/release.yml@${{ github.ref }} \
"farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}"
- name: Verify API image signature - name: Verify API image signature
env:
COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
run: | run: |
cosign verify --key env://COSIGN_PUBLIC_KEY \ cosign verify \
"git.farh.net/farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}" --certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity https://github.com/${{ github.repository }}/.github/workflows/release.yml@${{ github.ref }} \
"farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}"
publish-npm: publish-npm:
name: Publish npm name: Publish npm
needs: [preflight, sign-docker] needs: [preflight, sign-docker]
runs-on: ubuntu-latest runs-on: runners-farhoodlabs
permissions: permissions:
contents: read contents: read
id-token: write
steps: steps:
- name: Checkout - name: Checkout
@@ -237,9 +226,9 @@ jobs:
fi fi
release: release:
name: Create Gitea release name: Create GitHub release
needs: [preflight, publish-npm] needs: [preflight, publish-npm]
runs-on: ubuntu-latest runs-on: runners-farhoodlabs
permissions: permissions:
contents: write contents: write
@@ -261,8 +250,7 @@ jobs:
- name: Install dependencies - name: Install dependencies
run: pnpm install --frozen-lockfile run: pnpm install --frozen-lockfile
- name: Create Gitea release - name: Create GitHub release
env: env:
GITEA_URL: https://git.farh.net GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }} run: npx semantic-release@25
run: npx -p semantic-release@25 -p semantic-release-gitea semantic-release
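Review bot: `run: npx semantic-release@25` resolves the newest 25.x release and its dependency tree from the registry at run time, in a job that holds `contents: write` and `GITHUB_TOKEN`, while every action in these workflows is pinned to a commit SHA. The preceding step already runs `pnpm install --frozen-lockfile`, so adding `semantic-release` to devDependencies and calling `pnpm exec semantic-release` would put the release tool under the lockfile. The `--dry-run` probe in `preflight` uses the same `npx` form and would benefit from the same change, provided that job installs dependencies (not visible in the hunk). The `release` job starts and ends outside the hunks shown.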
+1 -1
@@ -18,7 +18,7 @@ concurrency:
jobs: jobs:
rollback: rollback:
name: Roll back npm beta dist-tag name: Roll back npm beta dist-tag
runs-on: ubuntu-latest runs-on: runners-farhoodlabs
steps: steps:
- name: Validate target version - name: Validate target version
id: target id: target
+20 -19
@@ -17,8 +17,8 @@ concurrency:
jobs: jobs:
rollback: rollback:
name: Roll back npm and Docker latest name: Roll back npm, Docker, and GitHub release latest
runs-on: ubuntu-latest runs-on: runners-farhoodlabs
steps: steps:
- name: Checkout tags - name: Checkout tags
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -74,44 +74,48 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Log in to Gitea registry - name: Log in to Docker Hub
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
registry: git.farh.net username: ${{ secrets.DOCKERHUB_USERNAME }}
username: gitea-admin password: ${{ secrets.DOCKERHUB_TOKEN }}
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Verify Docker image tag exists - name: Verify Docker image tag exists
run: docker buildx imagetools inspect "git.farh.net/farhoodlabs/trebuchet:${{ steps.target.outputs.version }}" run: docker buildx imagetools inspect "farhoodlabs/trebuchet:${{ steps.target.outputs.version }}"
- name: Install cosign - name: Install cosign
uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0 uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
- name: Verify Docker image signature before rollback - name: Verify Docker image signature before rollback
env:
COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
run: | run: |
cosign verify --key env://COSIGN_PUBLIC_KEY \ cosign verify \
"git.farh.net/farhoodlabs/trebuchet:${{ steps.target.outputs.version }}" --certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/release.yml@refs/heads/main" \
"farhoodlabs/trebuchet:${{ steps.target.outputs.version }}"
- name: Move Docker latest - name: Move Docker latest
run: | run: |
docker buildx imagetools create \ docker buildx imagetools create \
--tag "git.farh.net/farhoodlabs/trebuchet:latest" \ --tag "farhoodlabs/trebuchet:latest" \
"git.farh.net/farhoodlabs/trebuchet:${{ steps.target.outputs.version }}" "farhoodlabs/trebuchet:${{ steps.target.outputs.version }}"
- name: Move npm latest - name: Move npm latest
env: env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: npm dist-tag add "@trebuchet/cli@${{ steps.target.outputs.version }}" latest run: npm dist-tag add "@trebuchet/cli@${{ steps.target.outputs.version }}" latest
- name: Mark GitHub release as latest
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh release edit "v${{ steps.target.outputs.version }}" --latest
- name: Show final npm dist-tags - name: Show final npm dist-tags
env: env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: npm dist-tag ls @trebuchet/cli run: npm dist-tag ls @trebuchet/cli
- name: Verify Docker latest now points to target - name: Verify Docker latest now points to target
run: docker buildx imagetools inspect "git.farh.net/farhoodlabs/trebuchet:latest" run: docker buildx imagetools inspect "farhoodlabs/trebuchet:latest"
- name: Write summary - name: Write summary
run: | run: |
@@ -120,9 +124,6 @@ jobs:
echo "" echo ""
echo "- Target version: \`${{ steps.target.outputs.version }}\`" echo "- Target version: \`${{ steps.target.outputs.version }}\`"
echo "- npm package: \`@trebuchet/cli\`" echo "- npm package: \`@trebuchet/cli\`"
echo "- Docker image: \`git.farh.net/farhoodlabs/trebuchet\`" echo "- Docker image: \`farhoodlabs/trebuchet\`"
echo "" echo "- GitHub release: \`v${{ steps.target.outputs.version }}\` marked as latest"
echo "NOTE: Gitea determines the 'latest' release by date, not a flag."
echo "To re-mark \`v${{ steps.target.outputs.version }}\` as the latest"
echo "release on Gitea, edit the release in the UI to bump its date."
} >> "$GITHUB_STEP_SUMMARY" } >> "$GITHUB_STEP_SUMMARY"
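Review bot: The rollback verifies and then retags by tag name: `cosign verify ... "farhoodlabs/trebuchet:${{ steps.target.outputs.version }}"` is followed by `docker buildx imagetools create --tag "farhoodlabs/trebuchet:latest"` from the same tag, so the two steps can resolve to different manifests if the version tag moves in between. Resolve the tag to a digest once and use `farhoodlabs/trebuchet@<digest>` as both the verify target and the `imagetools create` source. Within the visible hunks only the worker image is verified and moved. The release.yml section on this page also pushes `farhoodlabs/trebuchet-api:latest`, so unless a step outside these hunks handles it, the API image's `latest` would not be rolled back.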
-2
@@ -5,5 +5,3 @@ credentials/
dist/ dist/
repos/ repos/
.turbo/ .turbo/
cosign.key
cosign.pub
+8 -1
@@ -9,6 +9,13 @@
"npmPublish": false "npmPublish": false
} }
], ],
"semantic-release-gitea" [
"@semantic-release/github",
{
"successCommentCondition": false,
"failCommentCondition": false,
"releasedLabels": false
}
]
] ]
} }
+1
@@ -12,6 +12,7 @@
"dependencies": { "dependencies": {
"@hono/node-server": "^1.14.0", "@hono/node-server": "^1.14.0",
"@kubernetes/client-node": "^1.4.0", "@kubernetes/client-node": "^1.4.0",
"@modelcontextprotocol/sdk": "^1.29.0",
"@trebuchet/worker": "workspace:*", "@trebuchet/worker": "workspace:*",
"@temporalio/client": "^1.11.0", "@temporalio/client": "^1.11.0",
"hono": "^4.7.0", "hono": "^4.7.0",
+2
@@ -5,6 +5,7 @@
export interface Config { export interface Config {
readonly port: number; readonly port: number;
readonly mcpPort: number;
readonly temporalAddress: string; readonly temporalAddress: string;
readonly apiKey: string; readonly apiKey: string;
readonly k8sNamespace: string; readonly k8sNamespace: string;
@@ -28,6 +29,7 @@ export function loadConfig(): Config {
return { return {
port: Number(process.env.PORT) || 3000, port: Number(process.env.PORT) || 3000,
mcpPort: Number(process.env.MCP_PORT) || 3100,
temporalAddress: process.env.TEMPORAL_ADDRESS || 'hightower-temporal:7233', temporalAddress: process.env.TEMPORAL_ADDRESS || 'hightower-temporal:7233',
apiKey, apiKey,
k8sNamespace: process.env.K8S_NAMESPACE || 'hightower', k8sNamespace: process.env.K8S_NAMESPACE || 'hightower',
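Review bot: `mcpPort: Number(process.env.MCP_PORT) || 3100` turns an unparsable or zero `MCP_PORT` into 3100 without any warning and accepts values outside 1–65535, so a typo in deployment config silently puts the MCP listener on a port nobody intended to expose. Parse it once and fail startup on bad input, e.g. `if (!Number.isInteger(mcpPort) || mcpPort < 1 || mcpPort > 65535) throw new Error('invalid MCP_PORT');`, and reject `mcpPort === port` as well. The existing `port` line follows the same pattern, and `loadConfig` starts and ends outside the hunk.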
+204
@@ -0,0 +1,204 @@
/**
* MCP server for Hightower scan management.
* Exposes scan-manager tools via the Model Context Protocol over HTTP.
*/
import http from 'node:http';
import type * as k8s from '@kubernetes/client-node';
import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
import type { Client } from '@temporalio/client';
import { z } from 'zod';
import type { Config } from '../config.js';
import { cancelScan, getReport, getScan, listScans, startScan } from '../services/scan-manager.js';
import type { CreateScanInput } from '../types/api.js';
export interface McpServerDeps {
readonly config: Config;
readonly temporalClient: Client;
readonly batchApi: k8s.BatchV1Api;
readonly coreApi: k8s.CoreV1Api;
}
function createMcpServer(deps: McpServerDeps): McpServer {
const server = new McpServer(
{ name: 'hightower', version: '1.0.0' },
{
capabilities: {
tools: {},
},
},
);
// === Tool: start_scan ===
server.registerTool(
'start_scan',
{
description: 'Start a new penetration test scan. Returns the scan ID and initial status.',
inputSchema: z.object({
targetUrl: z.string().describe('Target URL to scan (e.g., https://example.com)'),
gitUrl: z.string().describe('Git URL of the repository to analyze (e.g., https://github.com/user/repo)'),
workspace: z
.string()
.optional()
.describe(
'Optional workspace name. Must match /^[a-zA-Z0-9][a-zA-Z0-9_-]{0,127}$/. Defaults to auto-generated from target URL.',
),
gitRef: z.string().optional().describe('Optional Git branch/tag/commit to checkout before scanning.'),
pipelineTesting: z
.boolean()
.optional()
.describe('If true, runs in minimal testing mode with fast retries (10s). Use for development.'),
}),
},
async ({ targetUrl, gitUrl, workspace, gitRef, pipelineTesting }) => {
const input: CreateScanInput = {
targetUrl,
gitUrl,
workspace,
...(gitRef !== undefined && { gitRef }),
...(pipelineTesting !== undefined && { pipelineTesting }),
};
const result = await startScan(deps.config, deps.batchApi, input);
return {
content: [
{
type: 'text' as const,
text: JSON.stringify(result, null, 2),
},
],
};
},
);
// === Tool: get_scan ===
server.registerTool(
'get_scan',
{
description: 'Get the status, progress, and results of a running or completed scan.',
inputSchema: z.object({
scanId: z.string().describe('The scan ID returned from start_scan (e.g., hightower-worker-abc123)'),
}),
},
async ({ scanId }) => {
const result = await getScan(deps.config, deps.temporalClient, scanId);
if (!result) {
return {
content: [{ type: 'text' as const, text: `Scan '${scanId}' not found.` }],
isError: true,
};
}
return {
content: [
{
type: 'text' as const,
text: JSON.stringify(result, null, 2),
},
],
};
},
);
// === Tool: list_scans ===
server.registerTool(
'list_scans',
{
description: 'List all running and historical scans.',
inputSchema: z.object({}),
},
async () => {
const results = await listScans(deps.config, deps.temporalClient, deps.batchApi);
return {
content: [
{
type: 'text' as const,
text: JSON.stringify(results, null, 2),
},
],
};
},
);
// === Tool: cancel_scan ===
server.registerTool(
'cancel_scan',
{
description: 'Cancel a running scan by terminating its Kubernetes Job and Temporal workflow.',
inputSchema: z.object({
scanId: z.string().describe('The scan ID to cancel.'),
}),
},
async ({ scanId }) => {
await cancelScan(deps.config, deps.temporalClient, deps.batchApi, scanId);
return {
content: [
{
type: 'text' as const,
text: `Scan '${scanId}' cancellation requested.`,
},
],
};
},
);
// === Tool: get_report ===
server.registerTool(
'get_report',
{
description: 'Get the final security report for a completed scan.',
inputSchema: z.object({
scanId: z.string().describe('The scan ID to get the report for.'),
}),
},
async ({ scanId }) => {
const report = await getReport(deps.config, scanId);
if (!report) {
return {
content: [
{
type: 'text' as const,
text: `Report for scan '${scanId}' not found.`,
},
],
isError: true,
};
}
return {
content: [{ type: 'text' as const, text: report }],
};
},
);
return server;
}
export async function startMcpServer(deps: McpServerDeps, port: number): Promise<http.Server> {
const mcpServer = createMcpServer(deps);
const transport = new StreamableHTTPServerTransport({
sessionIdGenerator: () => crypto.randomUUID(),
});
// Cast to Transport — the SDK's Transport interface requires onclose: () => void
// but StreamableHTTPServerTransport allows undefined (handled internally).
await mcpServer.connect(transport as never);
const server = http.createServer((req, res) => {
transport.handleRequest(req, res, undefined);
});
return new Promise<http.Server>((resolve, reject) => {
server.on('error', reject);
server.listen(port, () => {
console.log(`MCP server listening on port ${port}`);
resolve(server);
});
});
}
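Review bot: The listener created in `startMcpServer` passes every request straight to `transport.handleRequest` with no credential check, so anyone who can reach the MCP port can call `start_scan`, `cancel_scan` and `get_report`, although `deps.config.apiKey` is available. I would reject requests that do not present the key before the transport sees them, comparing with `timingSafeEqual` from `node:crypto`; the `Bearer` scheme in the sketch below is an assumption and should match whatever the REST API accepts. The same callback drops the promise returned by `handleRequest`, so a rejection would surface as an unhandled rejection; the sketch catches it. Separately, the `workspace` pattern quoted in the `start_scan` description is not enforced by the schema (`z.string().regex(/^[a-zA-Z0-9][a-zA-Z0-9_-]{0,127}$/)` would do it) and `targetUrl`/`gitUrl` could use `z.string().url()`, unless `startScan` already validates them.

```typescript
// … unchanged: createMcpServer(deps), transport setup, mcpServer.connect …
  const expected = Buffer.from(`Bearer ${deps.config.apiKey}`);
  const server = http.createServer((req, res) => {
    const presented = Buffer.from(req.headers.authorization ?? '');
    // Length check first: timingSafeEqual throws when the buffers differ in length.
    if (presented.length !== expected.length || !timingSafeEqual(presented, expected)) {
      res.writeHead(401, { 'WWW-Authenticate': 'Bearer' }).end();
      return;
    }
    transport.handleRequest(req, res, undefined).catch((err) => {
      console.error('MCP request failed', err);
      if (!res.headersSent) res.writeHead(500).end();
    });
  });
// … unchanged: listen / resolve promise …
```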
-27
@@ -1,27 +0,0 @@
apiVersion: v2
name: hightower
description: API-driven AI pentester built on Shannon, deployed as a service on Kubernetes
type: application
version: 0.1.1
appVersion: "1.0.0"
home: https://git.farh.net/farhoodlabs/trebuchet
sources:
- https://git.farh.net/farhoodlabs/trebuchet
maintainers:
- name: farhoodlabs
url: https://git.farh.net/farhoodlabs
keywords:
- security
- pentesting
- ai
- kubernetes
annotations:
artifacthub.io/license: AGPL-3.0
artifacthub.io/links: |
- name: source
url: https://git.farh.net/farhoodlabs/trebuchet
artifacthub.io/images: |
- name: worker
image: git.farh.net/farhoodlabs/trebuchet:latest
- name: api
image: git.farh.net/farhoodlabs/trebuchet-api:latest
+6
@@ -0,0 +1,6 @@
apiVersion: v2
name: trebuchet
description: API-driven AI pentester built on Shannon, deployed as a service on Kubernetes
type: application
version: 0.1.1
appVersion: "1.0.0"
@@ -22,9 +22,9 @@ Ensure the following secrets exist in the {{ .Release.Namespace }} namespace:
== Services == == Services ==
API: {{ include "hightower.api.fullname" . }}:{{ .Values.api.port }} API: {{ include "trebuchet.api.fullname" . }}:{{ .Values.api.port }}
Temporal: {{ include "hightower.temporal.serviceName" . }}:{{ .Values.temporal.ports.grpc }} (gRPC) Temporal: {{ include "trebuchet.temporal.serviceName" . }}:{{ .Values.temporal.ports.grpc }} (gRPC)
{{ include "hightower.temporal.serviceName" . }}:{{ .Values.temporal.ports.webUi }} (Web UI) {{ include "trebuchet.temporal.serviceName" . }}:{{ .Values.temporal.ports.webUi }} (Web UI)
{{- if .Values.router.enabled }} {{- if .Values.router.enabled }}
Router: {{ include "hightower.router.fullname" . }}:{{ .Values.router.port }} Router: {{ include "trebuchet.router.fullname" . }}:{{ .Values.router.port }}
{{- end }} {{- end }}
@@ -1,14 +1,14 @@
{{/* {{/*
Chart name, truncated to 63 chars. Chart name, truncated to 63 chars.
*/}} */}}
{{- define "hightower.name" -}} {{- define "trebuchet.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }} {{- end }}
{{/* {{/*
Fully qualified app name, truncated to 63 chars. Fully qualified app name, truncated to 63 chars.
*/}} */}}
{{- define "hightower.fullname" -}} {{- define "trebuchet.fullname" -}}
{{- if .Values.fullnameOverride }} {{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }} {{- else }}
@@ -24,99 +24,99 @@ Fully qualified app name, truncated to 63 chars.
{{/* {{/*
Chart label value. Chart label value.
*/}} */}}
{{- define "hightower.chart" -}} {{- define "trebuchet.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }} {{- end }}
{{/* {{/*
Common labels. Common labels.
*/}} */}}
{{- define "hightower.labels" -}} {{- define "trebuchet.labels" -}}
helm.sh/chart: {{ include "hightower.chart" . }} helm.sh/chart: {{ include "trebuchet.chart" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }} {{- end }}
{{/* {{/*
API component name. API component name.
*/}} */}}
{{- define "hightower.api.fullname" -}} {{- define "trebuchet.api.fullname" -}}
{{- printf "%s-api" (include "hightower.fullname" .) | trunc 63 | trimSuffix "-" }} {{- printf "%s-api" (include "trebuchet.fullname" .) | trunc 63 | trimSuffix "-" }}
{{- end }} {{- end }}
{{/* {{/*
API selector labels. API selector labels.
*/}} */}}
{{- define "hightower.api.selectorLabels" -}} {{- define "trebuchet.api.selectorLabels" -}}
app: {{ include "hightower.api.fullname" . }} app: {{ include "trebuchet.api.fullname" . }}
{{- end }} {{- end }}
{{/* {{/*
Temporal component name. Temporal component name.
*/}} */}}
{{- define "hightower.temporal.fullname" -}} {{- define "trebuchet.temporal.fullname" -}}
{{- printf "%s-temporal" (include "hightower.fullname" .) | trunc 63 | trimSuffix "-" }} {{- printf "%s-temporal" (include "trebuchet.fullname" .) | trunc 63 | trimSuffix "-" }}
{{- end }} {{- end }}
{{/* {{/*
Temporal service name (same as fullname). Temporal service name (same as fullname).
*/}} */}}
{{- define "hightower.temporal.serviceName" -}} {{- define "trebuchet.temporal.serviceName" -}}
{{- include "hightower.temporal.fullname" . }} {{- include "trebuchet.temporal.fullname" . }}
{{- end }} {{- end }}
{{/* {{/*
Temporal selector labels. Temporal selector labels.
*/}} */}}
{{- define "hightower.temporal.selectorLabels" -}} {{- define "trebuchet.temporal.selectorLabels" -}}
app: {{ include "hightower.temporal.fullname" . }} app: {{ include "trebuchet.temporal.fullname" . }}
{{- end }} {{- end }}
{{/* {{/*
Router component name. Router component name.
*/}} */}}
{{- define "hightower.router.fullname" -}} {{- define "trebuchet.router.fullname" -}}
{{- printf "%s-router" (include "hightower.fullname" .) | trunc 63 | trimSuffix "-" }} {{- printf "%s-router" (include "trebuchet.fullname" .) | trunc 63 | trimSuffix "-" }}
{{- end }} {{- end }}
{{/* {{/*
Router selector labels. Router selector labels.
*/}} */}}
{{- define "hightower.router.selectorLabels" -}} {{- define "trebuchet.router.selectorLabels" -}}
app: {{ include "hightower.router.fullname" . }} app: {{ include "trebuchet.router.fullname" . }}
{{- end }} {{- end }}
{{/* {{/*
CNPG cluster name. CNPG cluster name.
*/}} */}}
{{- define "hightower.cnpg.fullname" -}} {{- define "trebuchet.cnpg.fullname" -}}
{{- printf "%s-temporal-db" (include "hightower.fullname" .) | trunc 63 | trimSuffix "-" }} {{- printf "%s-temporal-db" (include "trebuchet.fullname" .) | trunc 63 | trimSuffix "-" }}
{{- end }} {{- end }}
{{/* {{/*
CNPG read-write service name (CNPG auto-creates <cluster>-rw). CNPG read-write service name (CNPG auto-creates <cluster>-rw).
*/}} */}}
{{- define "hightower.cnpg.serviceName" -}} {{- define "trebuchet.cnpg.serviceName" -}}
{{- printf "%s-rw" (include "hightower.cnpg.fullname" .) }} {{- printf "%s-rw" (include "trebuchet.cnpg.fullname" .) }}
{{- end }} {{- end }}
{{/* {{/*
Service account name for the API. Service account name for the API.
*/}} */}}
{{- define "hightower.serviceAccountName" -}} {{- define "trebuchet.serviceAccountName" -}}
{{- if .Values.api.serviceAccount.name }} {{- if .Values.api.serviceAccount.name }}
{{- .Values.api.serviceAccount.name }} {{- .Values.api.serviceAccount.name }}
{{- else }} {{- else }}
{{- include "hightower.api.fullname" . }} {{- include "trebuchet.api.fullname" . }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{/* {{/*
Postgres seeds host — use override or default to CNPG service. Postgres seeds host — use override or default to CNPG service.
*/}} */}}
{{- define "hightower.temporal.postgresSeeds" -}} {{- define "trebuchet.temporal.postgresSeeds" -}}
{{- if .Values.temporal.db.host }} {{- if .Values.temporal.db.host }}
{{- .Values.temporal.db.host }} {{- .Values.temporal.db.host }}
{{- else }} {{- else }}
{{- include "hightower.cnpg.serviceName" . }} {{- include "trebuchet.cnpg.serviceName" . }}
{{- end }} {{- end }}
{{- end }} {{- end }}
@@ -1,21 +1,21 @@
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: {{ include "hightower.api.fullname" . }} name: {{ include "trebuchet.api.fullname" . }}
labels: labels:
{{- include "hightower.labels" . | nindent 4 }} {{- include "trebuchet.labels" . | nindent 4 }}
{{- include "hightower.api.selectorLabels" . | nindent 4 }} {{- include "trebuchet.api.selectorLabels" . | nindent 4 }}
spec: spec:
replicas: {{ .Values.api.replicaCount }} replicas: {{ .Values.api.replicaCount }}
selector: selector:
matchLabels: matchLabels:
{{- include "hightower.api.selectorLabels" . | nindent 6 }} {{- include "trebuchet.api.selectorLabels" . | nindent 6 }}
template: template:
metadata: metadata:
labels: labels:
{{- include "hightower.api.selectorLabels" . | nindent 8 }} {{- include "trebuchet.api.selectorLabels" . | nindent 8 }}
spec: spec:
serviceAccountName: {{ include "hightower.serviceAccountName" . }} serviceAccountName: {{ include "trebuchet.serviceAccountName" . }}
{{- with .Values.imagePullSecrets }} {{- with .Values.imagePullSecrets }}
imagePullSecrets: imagePullSecrets:
{{- toYaml . | nindent 8 }} {{- toYaml . | nindent 8 }}
@@ -29,7 +29,7 @@ spec:
name: http name: http
env: env:
- name: TEMPORAL_ADDRESS - name: TEMPORAL_ADDRESS
value: "{{ include "hightower.temporal.serviceName" . }}:{{ .Values.temporal.ports.grpc }}" value: "{{ include "trebuchet.temporal.serviceName" . }}:{{ .Values.temporal.ports.grpc }}"
- name: WORKER_IMAGE - name: WORKER_IMAGE
value: {{ .Values.api.workerImage }} value: {{ .Values.api.workerImage }}
- name: K8S_NAMESPACE - name: K8S_NAMESPACE
@@ -59,4 +59,4 @@ spec:
volumes: volumes:
- name: workspaces - name: workspaces
persistentVolumeClaim: persistentVolumeClaim:
claimName: {{ include "hightower.fullname" . }}-workspaces claimName: {{ include "trebuchet.fullname" . }}-workspaces
@@ -1,9 +1,9 @@
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
name: {{ include "hightower.api.fullname" . }} name: {{ include "trebuchet.api.fullname" . }}
labels: labels:
{{- include "hightower.labels" . | nindent 4 }} {{- include "trebuchet.labels" . | nindent 4 }}
rules: rules:
- apiGroups: ["batch"] - apiGroups: ["batch"]
resources: ["jobs"] resources: ["jobs"]
@@ -1,14 +1,14 @@
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: {{ include "hightower.api.fullname" . }} name: {{ include "trebuchet.api.fullname" . }}
labels: labels:
{{- include "hightower.labels" . | nindent 4 }} {{- include "trebuchet.labels" . | nindent 4 }}
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ include "hightower.serviceAccountName" . }} name: {{ include "trebuchet.serviceAccountName" . }}
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
roleRef: roleRef:
kind: Role kind: Role
name: {{ include "hightower.api.fullname" . }} name: {{ include "trebuchet.api.fullname" . }}
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
@@ -1,12 +1,12 @@
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ include "hightower.api.fullname" . }} name: {{ include "trebuchet.api.fullname" . }}
labels: labels:
{{- include "hightower.labels" . | nindent 4 }} {{- include "trebuchet.labels" . | nindent 4 }}
spec: spec:
selector: selector:
{{- include "hightower.api.selectorLabels" . | nindent 4 }} {{- include "trebuchet.api.selectorLabels" . | nindent 4 }}
ports: ports:
- name: http - name: http
port: {{ .Values.api.port }} port: {{ .Values.api.port }}
@@ -2,7 +2,7 @@
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: {{ include "hightower.serviceAccountName" . }} name: {{ include "trebuchet.serviceAccountName" . }}
labels: labels:
{{- include "hightower.labels" . | nindent 4 }} {{- include "trebuchet.labels" . | nindent 4 }}
{{- end }} {{- end }}
@@ -2,9 +2,9 @@
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: {{ include "hightower.router.fullname" . }}-config name: {{ include "trebuchet.router.fullname" . }}-config
labels: labels:
{{- include "hightower.labels" . | nindent 4 }} {{- include "trebuchet.labels" . | nindent 4 }}
data: data:
router-config.json: {{ .Values.router.config | toJson | quote }} router-config.json: {{ .Values.router.config | toJson | quote }}
{{- end }} {{- end }}
@@ -2,19 +2,19 @@
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: {{ include "hightower.router.fullname" . }} name: {{ include "trebuchet.router.fullname" . }}
labels: labels:
{{- include "hightower.labels" . | nindent 4 }} {{- include "trebuchet.labels" . | nindent 4 }}
{{- include "hightower.router.selectorLabels" . | nindent 4 }} {{- include "trebuchet.router.selectorLabels" . | nindent 4 }}
spec: spec:
replicas: {{ .Values.router.replicaCount }} replicas: {{ .Values.router.replicaCount }}
selector: selector:
matchLabels: matchLabels:
{{- include "hightower.router.selectorLabels" . | nindent 6 }} {{- include "trebuchet.router.selectorLabels" . | nindent 6 }}
template: template:
metadata: metadata:
labels: labels:
{{- include "hightower.router.selectorLabels" . | nindent 8 }} {{- include "trebuchet.router.selectorLabels" . | nindent 8 }}
spec: spec:
{{- with .Values.imagePullSecrets }} {{- with .Values.imagePullSecrets }}
imagePullSecrets: imagePullSecrets:
@@ -62,5 +62,5 @@ spec:
volumes: volumes:
- name: config - name: config
configMap: configMap:
name: {{ include "hightower.router.fullname" . }}-config name: {{ include "trebuchet.router.fullname" . }}-config
{{- end }} {{- end }}
@@ -2,12 +2,12 @@
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ include "hightower.router.fullname" . }} name: {{ include "trebuchet.router.fullname" . }}
labels: labels:
{{- include "hightower.labels" . | nindent 4 }} {{- include "trebuchet.labels" . | nindent 4 }}
spec: spec:
selector: selector:
{{- include "hightower.router.selectorLabels" . | nindent 4 }} {{- include "trebuchet.router.selectorLabels" . | nindent 4 }}
ports: ports:
- port: {{ .Values.router.port }} - port: {{ .Values.router.port }}
targetPort: {{ .Values.router.port }} targetPort: {{ .Values.router.port }}
@@ -2,9 +2,9 @@
apiVersion: postgresql.cnpg.io/v1 apiVersion: postgresql.cnpg.io/v1
kind: Cluster kind: Cluster
metadata: metadata:
name: {{ include "hightower.cnpg.fullname" . }} name: {{ include "trebuchet.cnpg.fullname" . }}
labels: labels:
{{- include "hightower.labels" . | nindent 4 }} {{- include "trebuchet.labels" . | nindent 4 }}
spec: spec:
instances: {{ .Values.cnpg.instances }} instances: {{ .Values.cnpg.instances }}
storage: storage:
@@ -1,19 +1,19 @@
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: {{ include "hightower.temporal.fullname" . }} name: {{ include "trebuchet.temporal.fullname" . }}
labels: labels:
{{- include "hightower.labels" . | nindent 4 }} {{- include "trebuchet.labels" . | nindent 4 }}
{{- include "hightower.temporal.selectorLabels" . | nindent 4 }} {{- include "trebuchet.temporal.selectorLabels" . | nindent 4 }}
spec: spec:
replicas: {{ .Values.temporal.replicaCount }} replicas: {{ .Values.temporal.replicaCount }}
selector: selector:
matchLabels: matchLabels:
{{- include "hightower.temporal.selectorLabels" . | nindent 6 }} {{- include "trebuchet.temporal.selectorLabels" . | nindent 6 }}
template: template:
metadata: metadata:
labels: labels:
{{- include "hightower.temporal.selectorLabels" . | nindent 8 }} {{- include "trebuchet.temporal.selectorLabels" . | nindent 8 }}
spec: spec:
{{- with .Values.imagePullSecrets }} {{- with .Values.imagePullSecrets }}
imagePullSecrets: imagePullSecrets:
@@ -34,7 +34,7 @@ spec:
- name: DB_PORT - name: DB_PORT
value: {{ .Values.temporal.db.port | quote }} value: {{ .Values.temporal.db.port | quote }}
- name: POSTGRES_SEEDS - name: POSTGRES_SEEDS
value: {{ include "hightower.temporal.postgresSeeds" . }} value: {{ include "trebuchet.temporal.postgresSeeds" . }}
- name: DBNAME - name: DBNAME
value: {{ .Values.temporal.db.name }} value: {{ .Values.temporal.db.name }}
- name: VISIBILITY_DBNAME - name: VISIBILITY_DBNAME
@@ -1,12 +1,12 @@
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ include "hightower.temporal.serviceName" . }} name: {{ include "trebuchet.temporal.serviceName" . }}
labels: labels:
{{- include "hightower.labels" . | nindent 4 }} {{- include "trebuchet.labels" . | nindent 4 }}
spec: spec:
selector: selector:
{{- include "hightower.temporal.selectorLabels" . | nindent 4 }} {{- include "trebuchet.temporal.selectorLabels" . | nindent 4 }}
ports: ports:
- name: grpc - name: grpc
port: {{ .Values.temporal.ports.grpc }} port: {{ .Values.temporal.ports.grpc }}
@@ -1,9 +1,9 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: {{ include "hightower.fullname" . }}-workspaces name: {{ include "trebuchet.fullname" . }}-workspaces
labels: labels:
{{- include "hightower.labels" . | nindent 4 }} {{- include "trebuchet.labels" . | nindent 4 }}
{{- if .Values.workspaces.retain }} {{- if .Values.workspaces.retain }}
annotations: annotations:
helm.sh/resource-policy: keep helm.sh/resource-policy: keep
@@ -4,8 +4,8 @@ imagePullSecrets: []
# Externally-managed secrets (chart never creates these) # Externally-managed secrets (chart never creates these)
secrets: secrets:
credentials: hightower-credentials credentials: trebuchet-credentials
temporalDbApp: hightower-temporal-db-app temporalDbApp: trebuchet-temporal-db-app
# Shared workspaces PVC # Shared workspaces PVC
workspaces: workspaces:
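Review bot: The default names under `secrets:` change, and the comment above them says the chart never creates these Secrets, so an existing release upgraded with default values will reference `trebuchet-credentials` and `trebuchet-temporal-db-app` before anyone has created them. I would add a comment above the two keys, for example `# Renamed from hightower-*; create these Secrets before upgrading or override the names`, and mention the rename in the upgrade notes. A missing Secret reference would presumably leave the pods unable to start rather than fall back to something else, which is the safe failure mode, but the migration step should be explicit.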
+566
File diff suppressed because it is too large Load Diff