[cross-repo from workflow#407] server + workflow: publish self-serve Helm charts for Kubernetes deployments (#60)

Author: durable-workflow-ops

.github/workflows/helm-chart-validation.yml

@@ -0,0 +1,196 @@
+name: Helm Chart Validation
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "k8s/helm/**"
+      - "scripts/helm-chart-kind-smoke.sh"
+      - ".github/workflows/helm-chart-validation.yml"
+  pull_request:
+    paths:
+      - "k8s/helm/**"
+      - "scripts/helm-chart-kind-smoke.sh"
+      - ".github/workflows/helm-chart-validation.yml"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+env:
+  CHART_PATH: k8s/helm/durable-workflow
+  HELM_VERSION: v3.16.2
+  KUBECONFORM_VERSION: v0.6.7
+  KUBE_VERSIONS: "1.27.0 1.28.0 1.29.0 1.30.0"
+  HELM_CT_CLUSTER_NAME: dw-helm-ct-${{ github.run_id }}-${{ github.run_attempt }}
+
+jobs:
+  lint-and-template:
+    name: Lint, render, and validate manifests
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout server
+        uses: actions/checkout@v6
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4.2.0
+        with:
+          version: ${{ env.HELM_VERSION }}
+
+      - name: Helm lint
+        run: |
+          helm lint "${CHART_PATH}"
+          for f in "${CHART_PATH}"/ci/*-values.yaml; do
+            echo "::group::helm lint with $(basename "$f")"
+            helm lint "${CHART_PATH}" -f "$f"
+            echo "::endgroup::"
+          done
+
+      - name: Render every CI fixture
+        run: |
+          mkdir -p rendered
+          for f in "${CHART_PATH}"/ci/*-values.yaml; do
+            name="$(basename "$f" .yaml)"
+            echo "::group::helm template ${name}"
+            helm template "rel-${name}" "${CHART_PATH}" \
+              --namespace durable-workflow \
+              -f "$f" \
+              > "rendered/${name}.yaml"
+            echo "::endgroup::"
+          done
+
+      - name: Validate rendered manifests against Kubernetes schemas
+        run: |
+          docker run --rm \
+            -v "${PWD}/rendered:/manifests:ro" \
+            ghcr.io/yannh/kubeconform:${KUBECONFORM_VERSION} \
+            -strict \
+            -summary \
+            -schema-location default \
+            -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json' \
+            -kubernetes-version 1.29.0 \
+            /manifests
+
+      - name: Validate against the supported Kubernetes version matrix
+        run: |
+          for kv in ${KUBE_VERSIONS}; do
+            echo "::group::kubeconform against ${kv}"
+            docker run --rm \
+              -v "${PWD}/rendered:/manifests:ro" \
+              ghcr.io/yannh/kubeconform:${KUBECONFORM_VERSION} \
+              -strict \
+              -summary \
+              -kubernetes-version "${kv}" \
+              /manifests
+            echo "::endgroup::"
+          done
+
+      - name: Upload rendered manifests
+        if: always()
+        continue-on-error: true
+        uses: actions/upload-artifact@v3.2.2
+        with:
+          name: helm-rendered-manifests
+          path: rendered/
+          if-no-files-found: error
+
+  ct-lint-install:
+    name: chart-testing lint + install (kind)
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: Checkout server
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4.2.0
+        with:
+          version: ${{ env.HELM_VERSION }}
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2.6.1
+
+      - name: Configure kind networking for containerized runners
+        if: env.JOB_CONTAINER_NAME != ''
+        run: |
+          workflow_network="$(docker inspect -f '{{range $k, $v := .NetworkSettings.Networks}}{{printf "%s" $k}}{{end}}' "${JOB_CONTAINER_NAME}")"
+          if [ -z "${workflow_network}" ]; then
+            echo "unable to determine workflow network for ${JOB_CONTAINER_NAME}" >&2
+            exit 1
+          fi
+          echo "KIND_EXPERIMENTAL_DOCKER_NETWORK=${workflow_network}" >> "${GITHUB_ENV}"
+
+      - name: Set up kind
+        uses: helm/kind-action@v1.10.0
+        with:
+          version: v0.23.0
+          node_image: kindest/node:v1.29.4
+          cluster_name: ${{ env.HELM_CT_CLUSTER_NAME }}
+          wait: 120s
+
+      - name: Export internal kind kubeconfig for containerized runners
+        if: env.JOB_CONTAINER_NAME != ''
+        run: kind export kubeconfig --name "${HELM_CT_CLUSTER_NAME}" --internal
+
+      - name: ct lint
+        run: |
+          ct lint \
+            --target-branch "${{ github.event.repository.default_branch }}" \
+            --chart-dirs k8s/helm \
+            --charts "${CHART_PATH}" \
+            --validate-maintainers=false
+
+      - name: Run kind smoke script
+        env:
+          K8S_HELM_SMOKE_KIND_NODE_IMAGE: kindest/node:v1.29.4
+          K8S_HELM_SMOKE_CLUSTER: ${{ env.HELM_CT_CLUSTER_NAME }}
+          K8S_HELM_SMOKE_REUSE_CLUSTER: "1"
+          K8S_HELM_SMOKE_IMAGE: durableworkflow/server:helm-smoke-${{ github.run_id }}-${{ github.run_attempt }}
+          K8S_HELM_SMOKE_ARTIFACT_DIR: ${{ runner.temp }}/helm-smoke
+        run: scripts/helm-chart-kind-smoke.sh
+
+      - name: Print smoke diagnostics
+        if: failure()
+        run: |
+          artifact_dir="${{ runner.temp }}/helm-smoke"
+          if [ ! -d "${artifact_dir}" ]; then
+            echo "no smoke artifacts collected"
+            exit 0
+          fi
+
+          for file in \
+            helm-status.txt \
+            events.txt \
+            describe.txt \
+            resources.txt \
+            migration-job.log \
+            server.log \
+            worker.log \
+            mysql.log \
+            redis.log \
+            port-forward.log; do
+            path="${artifact_dir}/${file}"
+            if [ ! -f "${path}" ]; then
+              continue
+            fi
+            echo "::group::${file}"
+            tail -n 200 "${path}" || cat "${path}" || true
+            echo "::endgroup::"
+          done
+
+      - name: Upload smoke artifacts
+        if: failure()
+        continue-on-error: true
+        uses: actions/upload-artifact@v3.2.2
+        with:
+          name: helm-chart-kind-smoke
+          path: ${{ runner.temp }}/helm-smoke
+          if-no-files-found: ignore

.github/workflows/kubernetes-validation.yml

@@ -64,7 +64,7 @@ jobs:
 
       - name: Upload Kubernetes smoke artifacts
         if: failure()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v3.2.2
         with:
           name: kubernetes-kind-smoke-artifacts
           path: ${{ runner.temp }}/k8s-kind-smoke-artifacts

.github/workflows/server-perf.yml

@@ -68,7 +68,7 @@ jobs:
 
       - name: Upload perf artifacts
         if: always()
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v3.2.2
         with:
           name: server-perf-smoke
           path: build/perf/
@@ -106,7 +106,7 @@ jobs:
 
       - name: Upload perf artifacts
         if: always()
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v3.2.2
         with:
           name: server-perf-soak
           path: build/perf/

Dockerfile

@@ -74,7 +74,16 @@ RUN chmod +x /usr/local/bin/server-bootstrap /usr/local/bin/server-ensure-sqlite
 
 # Route cache is safe at build time (no env dependency).
 # Config cache is deferred to the entrypoint so runtime env vars take effect.
-RUN php artisan route:cache
+RUN php artisan route:cache \
+    && mkdir -p \
+        storage/logs \
+        storage/framework/cache/data \
+        storage/framework/sessions \
+        storage/framework/views \
+        storage/framework/testing \
+        bootstrap/cache \
+    && chown -R 1000:1000 storage bootstrap/cache \
+    && chmod -R ug+rwX storage bootstrap/cache
 
 LABEL org.opencontainers.image.title="Durable Workflow Server" \
       org.opencontainers.image.description="Standalone Durable Workflow server" \

README.md

@@ -188,7 +188,7 @@ external MySQL or PostgreSQL plus 2 or 3 API nodes behind a stateless load
 balancer, shared Redis, and independently scaled external workers. The first
 contract requires exactly one scheduler or maintenance runner. SQLite,
 Redis-less multi-node mode, duplicate schedulers, rolling upgrades,
-active/active multi-region, Helm charts, and provider-specific failover
+active/active multi-region, Helm-based Kubernetes deployments, and provider-specific failover
 semantics are not part of that first contract.
 
 The CI harness in `docker-compose.small-cluster.yml` runs the MySQL and
@@ -1159,16 +1159,23 @@ docker run --rm --entrypoint sh ghcr.io/durable-workflow/server:0.2.0 -lc \
 
 ### Kubernetes
 
-The raw manifests intentionally stay Kubernetes-native instead of shipping a
-Helm chart. Use Kustomize overlays or direct patches for environment-specific
-names, images, registry secrets, and scaling policy; revisit Helm only when an
-operator needs chart versioning and a chart/image compatibility matrix.
+The published Helm chart in [`k8s/helm/durable-workflow/`](k8s/helm/durable-workflow/)
+is the recommended self-serve path for Kubernetes deployments. The raw
+manifests remain the inspectable low-level alternative for teams that
+intentionally do not want Helm in the rollout.
+
+Both paths share the same external-persistence, singleton-scheduler, and
+`/api/ready` readiness contracts. Use Helm values, Kustomize overlays, or
+direct patches for environment-specific names, images, registry secrets, and
+scaling policy.
 
 The public manifests default to the pinned Docker Hub image
 `durableworkflow/server:0.2`. For production, patch every workload to the exact
 Docker Hub or GHCR tag or digest you intend to run before applying it. See
-[`k8s/README.md`](k8s/README.md) for the raw-manifest support boundary and
-image-pinning contract.
+[`k8s/README.md`](k8s/README.md) for the raw-manifest support boundary,
+[`docs/helm-validation.md`](docs/helm-validation.md) for the Helm contract and
+validation harness, and [`k8s/helm/durable-workflow/docs/UPGRADING.md`](k8s/helm/durable-workflow/docs/UPGRADING.md)
+for chart upgrade steps.
 
 The supported apply order is configuration first, migration second, and
 long-running workloads last. The helper script enforces that order, deletes any

docs/ha-failover-validation.md

@@ -326,11 +326,11 @@ pass; the topology itself is part of the product risk:
 - Synchronous cross-region database replication (RPO=0).
 - Duplicate scheduler/maintenance runners as a steady-state topology.
 - Engine-enforced region-pinned task queues as a routing axis.
-- Multi-cluster Helm charts and provider-specific managed-Kubernetes
-  validation. The
-  [`k8s/`](https://github.com/durable-workflow/server/tree/main/k8s)
-  manifests stay raw and inspectable; provider-specific HA on top of
-  them remains a support-led design pass.
+- Multi-cluster Helm topologies and provider-specific managed-Kubernetes
+  validation. The single-cluster self-serve Helm contract lives in
+  [`docs/helm-validation.md`](helm-validation.md) and
+  [`k8s/helm/durable-workflow/`](../k8s/helm/durable-workflow/); provider-specific
+  or multi-cluster HA on top of it remains a support-led design pass.
 - Strong "five-nines" or "zero-downtime" SLA promises beyond the
   bounded recovery times above. The contract is *bounded recovery
   during named events*, not an uptime promise that depends on the