Helm Chart Deployment

Each platform component ships its own Helm chart inside the repository authlance/deployment:

  • helm/auth — Auth Container.
  • helm/licenseoperator — License Operator.
  • helm/loop — Default Authlance Dashboard.
  • helm/loop-scaffold — Template chart you can reuse after building a custom dashboard from the scaffold.

The charts use the same values structure (image, imageCredentials, ingress, serviceAccount, and duna.*), so once you configure one of them the others feel familiar.

Shared Conventions

  1. Images and pull credentials
    Set image.repository, image.tag (or digest), and optionally image.pullPolicy. When imageCredentials.enabled is true, the chart renders a Secret named <release>-pull-secret using the provided registry, username, password, and email. To reuse an existing pull secret, set imageCredentials.pullSecret and leave enabled as false.

  2. Ingress
    Every chart exposes HTTP by default. duna.url and duna.basePath determine the host and path for the generated Ingress manifest, while ingress.tls[0].secretName supplies the TLS secret. The default annotations include external-dns.alpha.kubernetes.io/hostname and the default ingress class is nginx, but you can override both.

  3. Configuration secrets
    duna.configSecret must point to a Secret that contains the rendered configuration file:

    • Auth Container: /app/config/config.yaml.
    • License Operator: /app/config/config.yaml.
    • Dashboard: /app/app-config.json.

    Use the Compose renderer from deployment/docker-compose to create these files and keep the values consistent across environments (see Docker Compose Deployment for the extraction workflow).

Preparing Config and TLS Secrets

  1. Render the latest configs via docker compose run --rm ory-templates.
  2. Copy the files out of the volumes (e.g., docker run --rm -v duna_app_auth_config:/src alpine cat /src/config.yaml > auth-config.yaml).
  3. Create Kubernetes secrets: kubectl create secret generic auth-config --from-file=config.yaml=auth-config.yaml.
  4. Ensure the TLS certificate referenced by ingress.tls[0].secretName exists before running helm upgrade --install.

The charts only reference these secrets; Helm does not generate them automatically.
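
A pre-flight check for the secrets created in steps 3 and 4, added here as an example (it is not part of the Authlance charts or repository). It assumes kubectl is on PATH, that the Secret keys match the mounted file names (config.yaml or app-config.json), and that the TLS secret carries the standard tls.crt and tls.key keys; secret_keys, has_key and preflight are hypothetical helper names.

```shell
#!/bin/sh
# Added example: verify the secrets a release references before installing it.
# Assumption: kubectl is configured for the target cluster.

# secret_keys NAMESPACE SECRET
# Prints the data keys of a Secret, one per line; fails if it cannot be read.
secret_keys() {
    kubectl -n "$1" get secret "$2" \
        -o go-template='{{range $k, $v := .data}}{{$k}}{{"\n"}}{{end}}'
}

# has_key NAMESPACE SECRET KEY
# Succeeds only when the Secret exists in NAMESPACE and contains KEY.
has_key() {
    keys=$(secret_keys "$1" "$2") || return 1
    printf '%s\n' "$keys" | grep -Fqx -- "$3"
}

# preflight NAMESPACE CONFIG_SECRET CONFIG_KEY TLS_SECRET
# Checks the secret named in duna.configSecret and the one named in
# ingress.tls[0].secretName. Reports every problem, then returns 0 or 1.
preflight() {
    ns=$1 cfg=$2 cfg_key=$3 tls=$4 rc=0
    has_key "$ns" "$cfg" "$cfg_key" || {
        echo "missing: secret $ns/$cfg with key $cfg_key" >&2
        rc=1
    }
    for k in tls.crt tls.key; do
        has_key "$ns" "$tls" "$k" || {
            echo "missing: secret $ns/$tls with key $k" >&2
            rc=1
        }
    done
    return "$rc"
}

# Usage, gating the Auth Container install shown on this page:
#   preflight auth auth-config config.yaml auth-tls &&
#     helm upgrade --install auth helm/auth --namespace auth ...
```

Secrets are namespaced, so the target namespace and the secrets in it must exist before the first install; --create-namespace on helm upgrade --install does not cover them.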

Auth Container Chart

Path: helm/auth.

  • Deploys a single Deployment, Service, and Ingress plus an optional backup CronJob controlled by the backup.* values.
  • Mounts the secret referenced in duna.configSecret at /app/config and sets CONFIG_FILE=/app/config/config.yaml.
  • Mounts the TLS secret you reference into the pod so that nginx inside the Auth Container can terminate HTTPS if needed.
  • Defines readiness/liveness probes against ${duna.basePath}/identity/health.

Example installation (using the working tree as your Helm chart source):

helm upgrade --install auth helm/auth \
  --namespace auth --create-namespace \
  -f helm/auth/values.yaml \
  --set duna.configSecret=auth-config \
  --set 'ingress.tls[0].secretName=auth-tls'

Override image.tag, duna.url, the registry credentials, and any other environment-specific values through a separate YAML file or --set flags.

License Operator Chart

Path: helm/licenseoperator.

  • Mirrors the same structure as the Auth chart (Deployment, Service, Ingress).
  • Mounts /app/config/config.yaml from duna.configSecret.
  • Exposes readiness and liveness probes on ${duna.basePath}/healthz.

Install it into its own namespace to keep license workloads isolated:

helm upgrade --install license helm/licenseoperator \
  --namespace license --create-namespace \
  -f helm/licenseoperator/values.yaml \
  --set duna.configSecret=license-config \
  --set 'ingress.tls[0].secretName=license-tls'

Dashboard Chart

Path: helm/loop-scaffold, or your custom dashboard chart based on the scaffold.

  • Publishes both the backend path (duna.basePath) and the front-end base path (duna.frontEndBasePath) through a single ingress so redirects and static assets work no matter which entry point the browser starts with.
  • Mounts app-config.json from the secret referenced in duna.configSecret.
  • Supports shipping a favicon through favicon.enabled and favicon.filePath, which renders a ConfigMap consumed by the deployment.

For customers implementing their own dashboard, copy the scaffold, build an image, and point the release to that image/tag. The helm/loop-scaffold chart is already wired for this scenario: it shares the same values interface but adds an optional robotstxt ConfigMap so you can ship custom crawler instructions alongside the favicon.

Example install using the scaffold chart:

helm upgrade --install dashboard helm/loop-scaffold \
  --namespace dashboard --create-namespace \
  -f my-dashboard-values.yaml \
  --set image.repository=registry.digitalocean.com/example/dashboard \
  --set duna.configSecret=dashboard-config \
  --set 'ingress.tls[0].secretName=dashboard-tls'

my-dashboard-values.yaml should at least provide duna.url, duna.basePath, duna.frontEndBasePath, and the registry credentials for your custom image.

Putting It Together

  1. Render configs and create the secrets for each component.
  2. Install the Auth Container chart and confirm the /identity/health endpoint reports ready.
  3. Install the License Operator chart and verify /healthz.
  4. Install your dashboard chart (either the default loop chart or the scaffold chart once you publish a custom image).

Each release only depends on existing secrets and TLS assets, so you can manage lifecycle upgrades through GitOps tooling or helm upgrade commands. Keep the Compose templates in sync with production values to avoid drift between local development and Kubernetes.