infra/helm/platform/README.md
Platform-level Helm umbrella chart installed once per Kubernetes cluster that hosts the Tuist-managed deployment. It bundles the infrastructure that our per-app chart (infra/helm/tuist/) assumes is already running.
| Component | Purpose |
|---|---|
| cert-manager | TLS certificate issuance via Let's Encrypt + Cloudflare DNS-01 |
| ingress-nginx | Ingress controller backed by a cloud LoadBalancer |
| external-dns | Sync Ingress / Service hostnames into Cloudflare DNS |
| external-secrets | Pull secrets from external stores (1Password, SOPS, etc.) into the cluster |
| ClusterIssuer | Shared Let's Encrypt issuer wired to Cloudflare DNS-01 |
```sh
# 1. Create the target namespace.
kubectl create namespace platform

# 2. Create the Cloudflare API token Secret out-of-band. The token must have
#    Zone.DNS:Edit scope on the managed zone(s). Never commit this value.
kubectl -n platform create secret generic cloudflare-api-token \
  --from-literal=api-token="$CLOUDFLARE_API_TOKEN"

# 3. Fetch chart dependencies.
helm dependency update infra/helm/platform

# 4. Install the platform with the right provider overlay.
helm upgrade --install platform infra/helm/platform \
  -n platform \
  -f infra/helm/platform/values-hetzner.yaml
```
Other clouds can plug in by adding a `values-<provider>.yaml` overlay that sets the provider-specific LoadBalancer annotations plus any LB-specific ingress-nginx config.
```sh
helm dependency update infra/helm/platform
helm template platform infra/helm/platform | kubectl apply --dry-run=client -f -
helm lint infra/helm/platform
```
- Set `ingress-nginx.controller.service.annotations` in the provider overlay when the cluster lands on a different provider.
- external-dns is scoped with `txtOwnerId: tuist-platform` — one cluster, one TXT prefix. Run it with `policy: sync` only if you're happy with it deleting DNS records that aren't tracked by any Ingress.
- CRDs are installed by the chart itself (`installCRDs: true`). If another tool manages them, turn that off.
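The validation commands above only confirm that the chart renders; they do not check the operational invariants this README relies on (the token Secret living out-of-band, external-dns being scoped by owner id, and `policy: sync` being a deliberate choice). The script below is an added example, not part of the chart or this README, that lints a rendered manifest for exactly those points. It assumes the Secret would be named `cloudflare-api-token` (the name step 2 uses) and that external-dns receives its settings as `--txt-owner-id` and `--policy` container arguments, which is how the external-dns binary takes them. The two sample manifests are constructed inline so the script runs without helm or a cluster; in real use you would feed it the output of `helm template platform infra/helm/platform -f infra/helm/platform/values-hetzner.yaml`.

```sh
#!/bin/sh
# check_platform_manifest.sh (added example, not part of the chart): lint a
# rendered platform manifest for the invariants this README calls out.
# Exit status 0 = no findings, 1 = at least one finding (count in $FOUND).
FOUND=0

# Record a finding and keep counting.
fail() {
  echo "FAIL: $1" >&2
  FOUND=$((FOUND + 1))
}

# Rule 1: the Cloudflare token Secret is created out-of-band (step 2), so a
# rendered Secret named cloudflare-api-token carrying data/stringData means a
# token was templated into the chart. awk exits 0 only when such a Secret exists.
check_no_inline_token() {
  awk '
    /^---/ { if (is_secret && named && has_data) found = 1
             is_secret = 0; named = 0; has_data = 0; next }
    /^kind: Secret$/                 { is_secret = 1 }
    /^  name: cloudflare-api-token$/ { named = 1 }
    /^(data|stringData):/            { has_data = 1 }
    END { if (is_secret && named && has_data) found = 1; exit !found }
  ' "$1" && fail "cloudflare-api-token Secret is rendered with inline data"
}

# Rule 2: external-dns must be scoped to this cluster with --txt-owner-id, and
# --policy=sync (which may delete DNS records no Ingress tracks) is accepted
# only when the operator opts in with ALLOW_SYNC_POLICY=1.
check_external_dns_flags() {
  if ! grep -Eq -- '--txt-owner-id=' "$1"; then
    fail "external-dns has no --txt-owner-id; its records are not scoped to this cluster"
  fi
  if grep -Eq -- '--policy=sync' "$1" && [ "${ALLOW_SYNC_POLICY:-0}" != "1" ]; then
    fail "external-dns runs with --policy=sync; set ALLOW_SYNC_POLICY=1 to accept deletions"
  fi
}

# Run every rule over one rendered manifest file; returns 1 on any finding.
check_manifest() {
  FOUND=0
  check_no_inline_token "$1"
  check_external_dns_flags "$1"
  [ "$FOUND" -eq 0 ]
}

# Constructed sample manifests (not real chart output) so the checks can be
# exercised without helm or a cluster. Prints the path of the file written.
sample_manifest() {
  f="${TMPDIR:-/tmp}/platform-sample-$1.yaml"
  if [ "$1" = good ]; then
    cat > "$f" <<'EOF'
---
kind: Deployment
metadata:
  name: external-dns
spec:
  template:
    spec:
      containers:
        - args:
            - --provider=cloudflare
            - --txt-owner-id=tuist-platform
            - --policy=upsert-only
EOF
  else
    cat > "$f" <<'EOF'
---
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token
stringData:
  api-token: CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-TOKEN
---
kind: Deployment
metadata:
  name: external-dns
spec:
  template:
    spec:
      containers:
        - args:
            - --provider=cloudflare
            - --policy=sync
EOF
  fi
  echo "$f"
}

# Demo: the good sample passes, the bad one reports three findings.
check_manifest "$(sample_manifest good)" && echo "good sample: OK"
check_manifest "$(sample_manifest bad)" || echo "bad sample: $FOUND finding(s)"
```

The checks are deliberately line-oriented (awk and grep over the rendered text) rather than a YAML parser, so they run in any CI image that has a POSIX shell; the trade-off is that they only recognise the two-space `metadata:` indentation and bare `--flag=value` argument style that Helm's default rendering produces.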