feat: allow running with vanilla k8s

.github/workflows/release.yaml

@@ -67,6 +67,9 @@ jobs:
       - name: Install ko
         uses: ko-build/setup-ko@v0.7
 
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+
       - name: Log in to GHCR
         uses: docker/login-action@v3
         with:
@@ -85,7 +88,7 @@ jobs:
         run: |
           set -o errexit -o nounset -o pipefail
 
-          for component in ateapi atelet ateom-gvisor podcertcontroller atenet; do
+          for component in ateapi atecontroller atelet ateom-gvisor podcertcontroller atenet; do
             KO_DOCKER_REPO="${IMAGE_REPOSITORY}/${component}" \
             ./hack/run-tool.sh ko build \
               --tags "${IMAGE_TAGS}" \
@@ -94,6 +97,36 @@ jobs:
               "./cmd/${component}"
           done
 
+      - name: Package and push Helm charts
+        if: inputs.create_release
+        env:
+          HELM_EXPERIMENTAL_OCI: "1"
+          CHART_REPOSITORY: oci://ghcr.io/kagent-dev/substrate/helm
+        run: |
+          set -o errexit -o nounset -o pipefail
+
+          tag="${{ steps.tag.outputs.value }}"
+          chart_version="${tag#v}"
+          package_dir="${RUNNER_TEMP}/helm-packages"
+          mkdir -p "${package_dir}"
+
+          echo "${{ secrets.GITHUB_TOKEN }}" \
+            | helm registry login ghcr.io \
+              --username "${{ github.actor }}" \
+              --password-stdin
+
+          helm package charts/substrate-crds \
+            --destination "${package_dir}" \
+            --version "${chart_version}" \
+            --app-version "${tag}"
+          helm package charts/substrate \
+            --destination "${package_dir}" \
+            --version "${chart_version}" \
+            --app-version "${tag}"
+
+          helm push "${package_dir}/substrate-crds-${chart_version}.tgz" "${CHART_REPOSITORY}"
+          helm push "${package_dir}/substrate-${chart_version}.tgz" "${CHART_REPOSITORY}"
+
       - name: Create GitHub Release
         if: inputs.create_release
         uses: softprops/action-gh-release@v2

Makefile

@@ -44,10 +44,11 @@ build: build-images build-atectl
 
 .PHONY: build-images
 build-images:
-	$(KO) build --ldflags "$(LDFLAGS)" ./cmd/ateapi
-	$(KO) build --ldflags "$(LDFLAGS)" ./cmd/atelet
-	$(KO) build --ldflags "$(LDFLAGS)" ./cmd/podcertcontroller
-	$(KO) build --ldflags "$(LDFLAGS)" ./cmd/atenet
+	$(KO) build --base-import-paths --ldflags "$(LDFLAGS)" ./cmd/ateapi
+	$(KO) build --base-import-paths --ldflags "$(LDFLAGS)" ./cmd/atecontroller
+	$(KO) build --base-import-paths --ldflags "$(LDFLAGS)" ./cmd/atelet
+	$(KO) build --base-import-paths --ldflags "$(LDFLAGS)" ./cmd/podcertcontroller
+	$(KO) build --base-import-paths --ldflags "$(LDFLAGS)" ./cmd/atenet
 
 .PHONY: build-atectl
 build-atectl:
@@ -92,3 +93,19 @@ verify: test
 .PHONY: clean
 clean:
 	rm -rf $(BINDIR)
+
+# Render the substrate Helm chart into manifests/ate-install/ (mTLS mode,
+# the historical default install). Run this whenever charts/substrate/ changes.
+.PHONY: helm-template
+helm-template:
+	@./hack/render-manifests.sh
+
+# Verify that manifests/ate-install/ matches the chart output. Used in CI.
+.PHONY: verify-helm-template
+verify-helm-template:
+	@./hack/render-manifests.sh --check
+
+# Verify that the CRD chart mirrors the generated CRDs.
+.PHONY: verify-crd-chart
+verify-crd-chart:
+	@./hack/verify/crd-chart.sh

README.md

@@ -102,7 +102,7 @@ To quickly set up the complete environment:
 
 2. Run the following steps:
 ```shell
-# create cluster and local registry
+# create cluster and local registry (enables podcert feature gates for mTLS)
 hack/create-kind-cluster.sh
 
 # install ate, valkey, rustfs
@@ -126,6 +126,25 @@ kubectl port-forward -n ate-system svc/atenet-router 8000:80
 curl -X POST -H "Host: my-counter-1.actors.resources.substrate.ate.dev" -i http://localhost:8000/
 ```
 
+#### JWT mode (no feature gates)
+
+For clusters where you can't enable the `ClusterTrustBundle` /
+`PodCertificateRequest` feature gates (most managed Kubernetes), use the
+JWT install path. Authentication is via projected ServiceAccount tokens
+verified against the cluster's OIDC issuer; server certs come from a
+self-signed pair bootstrapped by the install script.
+
+```shell
+# create cluster WITHOUT podcert feature gates
+KIND_ENABLE_PODCERT=false hack/create-kind-cluster.sh
+
+# install ate via Helm in JWT mode (auto-bootstraps Secret/ConfigMap)
+hack/install-ate-kind-jwt.sh
+
+# the demo + kubectl-ate + port-forward steps from the mTLS Quickstart
+# above work identically from here.
+```
+
 ### GKE Quickstart (Development)
 
 1. Create and configure your environment file:

manifests/ate-install/ate-system-namespace.yaml → charts/substrate-crds/Chart.yaml

@@ -12,7 +12,17 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: ate-system
+apiVersion: v2
+name: substrate-crds
+description: Agent Substrate CustomResourceDefinitions.
+type: application
+version: 0.1.0
+appVersion: "0.1.0"
+home: https://github.com/agent-substrate/substrate
+sources:
+- https://github.com/agent-substrate/substrate
+keywords:
+- agent
+- actor
+- substrate
+- crds

charts/substrate-crds/README.md

@@ -0,0 +1,13 @@
+# substrate-crds
+
+Helm chart for installing the Agent Substrate CRDs.
+
+Install this chart before installing the main `substrate` chart:
+
+```bash
+helm upgrade --install substrate-crds ./charts/substrate-crds
+helm upgrade --install substrate ./charts/substrate --namespace ate-system --create-namespace
+```
+
+The CRD YAMLs in `templates/` mirror `manifests/ate-install/generated/`.
+Run `hack/verify/crd-chart.sh` to verify they are in sync.