Adding a Helm chart for deployment to Kubernetes

helm/taskchampion-sync-server/.helmignore

@@ -0,0 +1,5 @@
+# Patterns to ignore when building the Helm chart
+.git
+.gitignore
+*.md
+examples/

helm/taskchampion-sync-server/Chart.yaml

@@ -0,0 +1,17 @@
+apiVersion: v2
+name: taskchampion-sync-server
+description: A Helm chart for deploying TaskChampion Sync Server on Kubernetes
+type: application
+version: 0.1.0
+appVersion: "0.7.0"
+keywords:
+  - taskchampion
+  - taskwarrior
+  - sync
+  - task-management
+home: https://github.com/GothenburgBitFactory/taskchampion-sync-server
+sources:
+  - https://github.com/GothenburgBitFactory/taskchampion-sync-server
+maintainers: 
+  - name: Jansen Fuller
+    email: jansendfuller@mailfence.com

helm/taskchampion-sync-server/README.md

@@ -0,0 +1,60 @@
+# TaskChampion Sync Server Helm Chart
+
+Deploy the [TaskChampion Sync Server](https://github.com/GothenburgBitFactory/taskchampion-sync-server) on Kubernetes.
+
+## Prerequisites
+
+- Kubernetes 1.23+
+- Helm 3+
+
+## Storage Backends
+
+Exactly one storage backend must be enabled. The chart will fail validation if both or neither are enabled.
+
+### SQLite
+
+```console
+helm install my-release ./helm/taskchampion-sync-server -f helm/taskchampion-sync-server/examples/sqlite-values.yaml
+```
+
+### PostgreSQL
+
+```console
+helm install my-release ./helm/taskchampion-sync-server -f helm/taskchampion-sync-server/examples/postgres-values.yaml
+```
+
+## Secrets
+
+The chart expects pre-created secrets referenced by name:
+
+### Client ID Secret
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: my-client-ids
+type: Opaque
+data:
+  client-ids: <base64-encoded comma-separated UUIDs>
+```
+
+Reference it via `clientIdSecret: "my-client-ids"`.
+
+### PostgreSQL Secret
+
+For PostgreSQL, the chart can automatically create a secret with the connection string, or use an existing secret. 
+
+**Automatic Secret Creation**:
+- When `postgres.existingSecret` is empty (default), the chart automatically creates a secret
+- Secret is named using Helm naming convention: `release-name-taskchampion-sync-server`
+- Secret contains only a `connection` key with the built connection string
+
+**Existing Secret Usage**:
+- When `postgres.existingSecret` is provided, the chart uses that secret
+- The secret **must** contain a `connection` key with the PostgreSQL connection string
+- If the secret doesn't have a `connection` key, the deployment will fail with a clear error
+
+## Configuration
+
+See [values.yaml](values.yaml) for all configurable options.

helm/taskchampion-sync-server/examples/postgres-values.yaml

@@ -0,0 +1,30 @@
+sqlite:
+  enabled: false
+
+postgres:
+  enabled: true
+  database: taskchampion
+  host: postgres-primary
+  username: taskchampion-user
+
+clientIdSecret: "taskchampion-client-ids"
+
+env:
+  RUST_LOG: debug
+  LISTEN: "0.0.0.0:8080"
+  CREATE_CLIENTS: "false"
+
+replicas:
+  enabled: true
+  count: 3
+
+image:
+  pullSecrets:
+    - my-registry-secret
+
+httpRoute:
+  enabled: true
+  gateway: "my-gateway"
+  host: "taskchampion.example.com"
+  path: "/"
+  port: 8080

helm/taskchampion-sync-server/examples/sqlite-values.yaml

@@ -0,0 +1,22 @@
+sqlite:
+  enabled: true
+  existingPV: ""
+  emptyDir:
+    sizeLimit: 1Gi
+  persistence:
+    enabled: false
+
+postgres:
+  enabled: false
+
+clientIdSecret: "taskchampion-client-ids"
+
+env:
+  RUST_LOG: info
+  LISTEN: "0.0.0.0:8080"
+  CREATE_CLIENTS: "false"
+
+ingress:
+  enabled: true
+  hosts:
+    - taskchampion.example.com

helm/taskchampion-sync-server/templates/_helpers.tpl

@@ -0,0 +1,102 @@
+{{- /*
+taskchampion-sync-server helpers
+*/ -}}
+
+{{- define "taskchampion-sync-server.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "taskchampion-sync-server.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "taskchampion-sync-server.labels" -}}
+helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+app.kubernetes.io/name: {{ include "taskchampion-sync-server.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{- define "taskchampion-sync-server.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "taskchampion-sync-server.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{- define "taskchampion-sync-server.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "taskchampion-sync-server.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{- define "taskchampion-sync-server.postgres-connection" -}}
+  {{- $host := .Values.postgres.host -}}
+  {{- $port := .Values.postgres.port | toString -}}
+  {{- $username := .Values.postgres.username -}}
+  {{- $password := .Values.postgres.password -}}
+  {{- $database := .Values.postgres.database -}}
+
+  {{- /* Override individual fields from existingSecret where present */ -}}
+  {{- if .Values.postgres.existingSecret -}}
+    {{- $secret := lookup "v1" "Secret" .Release.Namespace .Values.postgres.existingSecret -}}
+    {{- if $secret -}}
+      {{- if index $secret.data "host" -}}
+        {{- $host = index $secret.data "host" | b64dec -}}
+      {{- end -}}
+      {{- if index $secret.data "port" -}}
+        {{- $port = index $secret.data "port" | b64dec -}}
+      {{- end -}}
+      {{- if index $secret.data "username" -}}
+        {{- $username = index $secret.data "username" | b64dec -}}
+      {{- end -}}
+      {{- if index $secret.data "password" -}}
+        {{- $password = index $secret.data "password" | b64dec -}}
+      {{- end -}}
+      {{- if index $secret.data "database" -}}
+        {{- $database = index $secret.data "database" | b64dec -}}
+      {{- end -}}
+    {{- end -}}
+  {{- end -}}
+
+  {{- /* Build URI */ -}}
+  {{- $uri := "postgresql://" -}}
+  {{- if ne $username "" -}}
+    {{- $uri = printf "%s%s" $uri $username -}}
+    {{- if ne $password "" -}}
+      {{- $uri = printf "%s:%s" $uri $password -}}
+    {{- end -}}
+    {{- $uri = printf "%s@" $uri -}}
+  {{- end -}}
+  {{- $uri = printf "%s%s" $uri $host -}}
+  {{- if ne $port "5432" -}}
+    {{- $uri = printf "%s:%s" $uri $port -}}
+  {{- end -}}
+  {{- $uri = printf "%s/%s" $uri $database -}}
+  {{- if .Values.postgres.sslMode -}}
+    {{- $uri = printf "%s?sslmode=%s" $uri .Values.postgres.sslMode -}}
+  {{- end -}}
+  {{- $uri -}}
+{{- end -}}
+
+{{- define "taskchampion-sync-server.schema-url" -}}
+{{- if .Values.postgres.initContainer.schemaUrl -}}
+{{- .Values.postgres.initContainer.schemaUrl -}}
+{{- else -}}
+{{- printf "https://raw.githubusercontent.com/GothenburgBitFactory/taskchampion-sync-server/v%s/postgres/schema.sql" .Chart.AppVersion -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "taskchampion-sync-server.postgres-secret-name" -}}
+{{- printf "%s-connection" .Release.Name -}}
+{{- end -}}

helm/taskchampion-sync-server/templates/deployment.yaml

@@ -0,0 +1,145 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "taskchampion-sync-server.fullname" . }}
+  labels:
+    {{- include "taskchampion-sync-server.labels" . | nindent 4 }}
+spec:
+  {{- if and (eq .Values.postgres.enabled true) .Values.replicas.enabled }}
+  replicas: {{ .Values.replicas.count }}
+  {{- else }}
+  replicas: 1
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "taskchampion-sync-server.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "taskchampion-sync-server.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- if .Values.serviceAccount.create }}
+      serviceAccountName: {{ include "taskchampion-sync-server.fullname" . }}
+      {{- else if .Values.serviceAccount.name }}
+      serviceAccountName: {{ .Values.serviceAccount.name }}
+      {{- end }}
+      securityContext:
+        {{- toYaml .Values.securityContext | nindent 8 }}
+      {{- if and .Values.postgres.enabled .Values.postgres.initContainer.enabled }}
+      initContainers:
+        - name: postgres-init
+          image: "{{ .Values.postgres.initContainer.image }}"
+          imagePullPolicy: {{ .Values.postgres.initContainer.imagePullPolicy }}
+          env:
+            - name: PGURI
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "taskchampion-sync-server.postgres-secret-name" . }}
+                  key: connection
+            - name: SCHEMA_URL
+              value: {{ include "taskchampion-sync-server.schema-url" . | quote }}
+            {{- if .Values.clientIdSecret }}
+            - name: CLIENT_IDS
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.clientIdSecret }}
+                  key: client-ids
+            {{- end }}
+          command:
+            - sh
+            - -c
+            - |
+              set -e
+              until pg_isready -d "$PGURI"; do
+                echo 'Waiting for PostgreSQL...'
+                sleep 2
+              done
+              echo "Downloading schema from ${SCHEMA_URL}..."
+              wget -qO /tmp/schema.sql "$SCHEMA_URL" || {
+                echo 'Failed to download schema - continuing with main container'
+                exit 0
+              }
+              psql "$PGURI" -f /tmp/schema.sql || {
+                echo 'Schema execution failed (SQL error) - continuing with main container'
+                exit 0
+              }
+              echo 'Schema executed successfully'
+              if [ -n "$CLIENT_IDS" ]; then
+                echo "Inserting client IDs..."
+                IFS=','
+                for client_id in $CLIENT_IDS; do
+                  client_id=$(echo "$client_id" | tr -d ' ')
+                  [ -z "$client_id" ] && continue
+                  psql "$PGURI" -c "INSERT INTO clients (client_id) VALUES ('$client_id') ON CONFLICT (client_id) DO NOTHING;" || {
+                    echo "Failed to insert client $client_id - continuing"
+                  }
+                done
+                unset IFS
+                echo "Client ID insertion complete"
+              fi
+      {{- end }}
+      containers:
+        - name: taskchampion-sync-server
+          {{- if eq .Values.postgres.enabled true }}
+          image: "{{ .Values.image.repository }}-postgres:{{ .Values.image.tag }}"
+          {{- else }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          {{- end }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          env:
+            {{- range $name, $value := .Values.env }}
+            - name: {{ $name }}
+              value: {{ $value | quote }}
+            {{- end }}
+            {{- if .Values.clientIdSecret }}
+            - name: CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.clientIdSecret }}
+                  key: client-ids
+            {{- end }}
+            {{- if eq .Values.sqlite.enabled true }}
+            - name: DATA_DIR
+              value: {{ .Values.sqlite.dataDir }}
+            {{- end }}
+            {{- if eq .Values.postgres.enabled true }}
+            - name: CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "taskchampion-sync-server.postgres-secret-name" . }}
+                  key: connection
+            {{- end }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.targetPort }}
+              protocol: TCP
+          {{- with .Values.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- if eq .Values.sqlite.enabled true }}
+          volumeMounts:
+            - name: data
+              mountPath: {{ .Values.sqlite.dataDir }}
+          {{- end }}
+      {{- if eq .Values.sqlite.enabled true }}
+      volumes:
+        {{- if .Values.sqlite.existingPV }}
+        - name: data
+          persistentVolumeClaim:
+            claimName: {{ .Values.sqlite.existingPV }}
+        {{- else if .Values.sqlite.persistence.enabled }}
+        - name: data
+          persistentVolumeClaim:
+            claimName: {{ include "taskchampion-sync-server.fullname" . }}-pvc
+        {{- else }}
+        - name: data
+          emptyDir:
+            {{- if .Values.sqlite.emptyDir.sizeLimit }}
+            sizeLimit: {{ .Values.sqlite.emptyDir.sizeLimit }}
+            {{- end }}
+            {{- if .Values.sqlite.emptyDir.medium }}
+            medium: {{ .Values.sqlite.emptyDir.medium }}
+            {{- end }}
+        {{- end }}
+      {{- end }}