linode · CasLubbers · Sep 5, 2025 · Sep 5, 2025 · Sep 8, 2025 · Sep 8, 2025
@@ -1,10 +1,10 @@
 apiVersion: v2
-name: apl
+name: apl-operator
 description: A Helm chart for installing APL in Kubernetes
 home: https://techdocs.akamai.com/app-platform/docs/welcome
 type: application
 version: 0.0.0-chart-version
-appVersion: APP_VERSION_PLACEHOLDER
+appVersion: "main"
 keywords:
   - linode
   - lke

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: apl-operator
+  labels:
+    kubernetes.io/metadata.name: apl-operator
+    name: apl-operator
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: otomi
+  labels:
+    kubernetes.io/metadata.name: otomi
+    name: otomi
@@ -1,5 +1,5 @@
 The APL installer was successfully deployed on the cluster.
 
-Please inspect the output of the installer job ({{ .Release.Namespace }}/{{ include "apl.fullname" . }}) for any feedback or errors.
+Please inspect the output of the installer job ({{ .Release.Namespace }}/{{ include "apl-operator.fullname" . }}) for any feedback or errors.
 
 Also visit https://apl-docs.net for further instructions and reference documentation.
@@ -1,41 +1,35 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "apl.name" -}}
+{{- define "apl-operator.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
 {{/*
 Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
+Always returns "apl-operator" to ensure consistent naming.
 */}}
-{{- define "apl.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
+{{- define "apl-operator.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+apl-operator
+{{- end -}}
 {{- end }}
 
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "apl.chart" -}}
+{{- define "apl-operator.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
 {{/*
 Common labels
 */}}
-{{- define "apl.labels" -}}
-helm.sh/chart: {{ include "apl.chart" . }}
-{{ include "apl.selectorLabels" . }}
+{{- define "apl-operator.labels" -}}
+helm.sh/chart: {{ include "apl-operator.chart" . }}
+{{ include "apl-operator.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
@@ -45,8 +39,19 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{/*
 Selector labels
 */}}
-{{- define "apl.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "apl.name" . }}
+{{- define "apl-operator.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "apl-operator.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "apl-operator.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "apl-operator.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: git-config
+  namespace: apl-operator
+data:
+  .gitconfig: |
+    [safe]
+        directory = *
@@ -0,0 +1,128 @@
+{{- $kms := .Values.kms | default dict }}
+{{- $imageName := .Values.imageName | default "linode/apl-core" }}
+{{- $version := .Values.otomi.version | default .Chart.AppVersion }}
+{{- $useORCS := .Values.otomi.useORCS | default "true"}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "apl-operator.fullname" . }}
+  namespace: apl-operator
+  labels: {{- include "apl-operator.labels" . | nindent 4 }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels: {{- include "apl-operator.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations: {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels: {{- include "apl-operator.selectorLabels" . | nindent 8 }}
+    spec:
+      dnsConfig:
+          nameservers:
+            - 8.8.8.8
+            - 8.8.4.4
+      restartPolicy: Always
+      serviceAccountName: {{ include "apl-operator.serviceAccountName" . }}
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 999
+        runAsGroup: 999
+        fsGroup: 3000
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: apl-operator
+          {{- if $useORCS }}
+          image: "mirror.registry.linodelke.net/docker/{{ $imageName }}:{{ $version }}"
+          {{- else }}
+          image: "{{ $imageName }}:{{ $version }}"
+          {{- end }}
+          imagePullPolicy: {{ ternary "IfNotPresent" "Always" (regexMatch "^v\\d" $version) }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1001
+          resources:
+            limits:
+              cpu: '2'
+              memory: '2Gi'
+            requests:
+              cpu: '1'
+              memory: '1Gi'
+          workingDir: /home/app/stack
+          command:
+            - node
+            - dist/src/operator/main.js
+          env:
+            - name: VERBOSITY
+              value: '1'
+            - name: ENV_DIR
+              value: /home/app/stack/env
+            - name: VALUES_INPUT
+              value: /secret/values.yaml
+            # Git configuration for operator (will be set after installation)
+            - name: GIT_ORG
+              value: {{ .Values.operator.gitOrg | default "apl" | quote }}
+            - name: GIT_REPO
+              value: {{ .Values.operator.gitRepo | default "values" | quote }}
+            - name: POLL_INTERVAL_MS
+              value: {{ .Values.operator.pollIntervalMs | default "30000" | quote }}
+            - name: RECONCILE_INTERVAL_MS
+              value: {{ .Values.operator.reconcileIntervalMs | default "300000" | quote }}
+          {{- if hasKey $kms "sops" }}
+          envFrom:
+            - secretRef:
+                name: apl-sops-secrets
+            - secretRef:
+                name: gitea-credentials
+          {{- end }}
+          volumeMounts:
+            - name: otomi-values
+              mountPath: /home/app/stack/env
+            - name: values-secret
+              mountPath: /secret
+            - name: tmp
+              mountPath: /tmp
+            - name: git-config
+              mountPath: /home/app/.gitconfig
+              subPath: .gitconfig
+          livenessProbe:
+            exec:
+              command: ["/bin/sh", "-c", "pgrep -f 'apl-operator' > /dev/null"]
+            initialDelaySeconds: 60
+            periodSeconds: 30
+            timeoutSeconds: 10
+            failureThreshold: 3
+          readinessProbe:
+            exec:
+              command: ["/bin/sh", "-c", "pgrep -f 'apl-operator' > /dev/null"]
+            initialDelaySeconds: 30
+            periodSeconds: 10
+            timeoutSeconds: 5
+            failureThreshold: 3
+      volumes:
+        - name: values-secret
+          secret:
+            secretName: {{ .Release.Name }}-values
+        - name: otomi-values
+          emptyDir: {}
+        - name: tmp
+          emptyDir: {}
+        - name: git-config
+          configMap:
+            name: git-config
+            items:
+              - key: .gitconfig
+                path: .gitconfig
+      {{- if hasKey .Values "imagePullSecretNames" }}
+      imagePullSecrets:
+        {{- range .Values.imagePullSecretNames }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea-credentials
+  namespace: apl-operator
+type: Opaque
+stringData:
+{{- if .Values.gitUsername }}
+  GIT_USERNAME: {{ .Values.gitUsername | quote }}
+{{- end }}
+{{- if .Values.gitPassword }}
+  GIT_PASSWORD: {{ .Values.gitPassword | quote }}
+{{- end }}