Add release workflow

Signed-off-by: Dan Webb <dan.webb@damacus.io>

Author: damacus

.github/workflows/release.yml

@@ -8,6 +8,7 @@ on:
 permissions:
   contents: write
   pull-requests: write
+  packages: write
 
 jobs:
   release-please:
@@ -80,3 +81,56 @@ jobs:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           gh release upload ${{ needs.release-please.outputs.tag_name }} dist/*
+
+  docker:
+    name: Build and Push Container Images
+    needs: release-please
+    if: ${{ needs.release-please.outputs.release_created }}
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - image: ironbuckets
+            context: .
+            dockerfile: Dockerfile
+          - image: minio-community
+            context: ./docker/minio
+            dockerfile: ./docker/minio/Dockerfile
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository_owner }}/${{ matrix.image }}
+          tags: |
+            type=semver,pattern={{version}},value=${{ needs.release-please.outputs.tag_name }}
+            type=semver,pattern={{major}}.{{minor}},value=${{ needs.release-please.outputs.tag_name }}
+            type=semver,pattern={{major}},value=${{ needs.release-please.outputs.tag_name }}
+            type=raw,value=latest
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: ${{ matrix.context }}
+          file: ${{ matrix.dockerfile }}
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

kubernetes/README.md

@@ -0,0 +1,101 @@
+# IronBuckets Kubernetes Deployment
+
+This directory contains Kubernetes manifests for deploying IronBuckets using
+[Flux](https://fluxcd.io/) and the
+[bjw-s app-template](https://github.com/bjw-s/helm-charts/tree/main/charts/library/common)
+Helm chart.
+
+## Architecture
+
+The deployment runs two containers in a single pod:
+
+- **ironbuckets** - The main web UI application (port 8080)
+- **minio** - MinIO object storage server (ports 9000, 9001)
+
+## Container Images
+
+Images are published to GitHub Container Registry on each release:
+
+- `ghcr.io/damacus/ironbuckets:latest`
+- `ghcr.io/damacus/minio-community:latest`
+
+Both images support `linux/amd64` and `linux/arm64` architectures.
+
+## Prerequisites
+
+- Kubernetes cluster with Flux installed
+- [bjw-s HelmRepository](https://github.com/bjw-s/helm-charts) configured
+- External Secrets Operator (optional, for secret management)
+- Gateway API or Ingress controller
+
+## Directory Structure
+
+```text
+kubernetes/
+└── apps/
+    └── ironbuckets/
+        ├── ks.yaml                    # Flux Kustomization
+        └── app/
+            ├── HelmRelease.yaml       # App-template HelmRelease
+            ├── externalsecret.yaml    # External secret for credentials
+            └── kustomization.yaml     # Kustomize resources
+```
+
+## Configuration
+
+### Required Secrets
+
+Create a secret named `ironbuckets-secret` with:
+
+- `MINIO_ACCESS_KEY` - MinIO access key / username
+- `MINIO_SECRET_KEY` - MinIO secret key / password
+
+If using External Secrets Operator, update `externalsecret.yaml` with your
+secret store configuration.
+
+### Manual Secret Creation
+
+```bash
+kubectl create secret generic ironbuckets-secret \
+  --from-literal=MINIO_ACCESS_KEY=your-access-key \
+  --from-literal=MINIO_SECRET_KEY=your-secret-key
+```
+
+### Customization
+
+Edit `HelmRelease.yaml` to customize:
+
+- **Image tags** - Pin to specific versions instead of `latest`
+- **Resource limits** - Adjust CPU/memory based on your needs
+- **Persistence** - Configure storage class and size
+- **Routes/Ingress** - Update hostnames for your domain
+
+## Standalone Deployment
+
+If not using Flux, you can deploy with Helm directly:
+
+```bash
+helm repo add bjw-s https://bjw-s.github.io/helm-charts
+helm repo update
+
+# Extract values from HelmRelease.yaml and apply
+helm install ironbuckets bjw-s/app-template \
+  --values <your-values.yaml>
+```
+
+## Services
+
+The deployment creates three services:
+
+| Service                    | Port | Description              |
+| -------------------------- | ---- | ------------------------ |
+| ironbuckets-app            | 8080 | IronBuckets web UI       |
+| ironbuckets-minio-api      | 9000 | MinIO S3 API             |
+| ironbuckets-minio-console  | 9001 | MinIO web console        |
+
+## Health Checks
+
+Both containers have liveness and readiness probes configured:
+
+- **IronBuckets**: `GET /health` on port 8080
+- **MinIO**: `GET /minio/health/live` and `/minio/health/ready` on port 9000

kubernetes/apps/ironbuckets/app/HelmRelease.yaml

@@ -0,0 +1,201 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: ironbuckets
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: app-template
+      version: 4.4.0
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+      strategy: uninstall
+  uninstall:
+    keepHistory: false
+  values:
+    controllers:
+      ironbuckets:
+        annotations:
+          reloader.stakater.com/auto: "true"
+        containers:
+          app:
+            image:
+              repository: ghcr.io/damacus/ironbuckets
+              tag: latest # Replace with specific version
+            env:
+              MINIO_ENDPOINT: minio.${SECRET_DOMAIN}:443
+              MINIO_USE_SSL: "true"
+              # Credentials should be provided via secrets
+              MINIO_ACCESS_KEY:
+                valueFrom:
+                  secretKeyRef:
+                    name: ironbuckets-secret
+                    key: MINIO_ACCESS_KEY
+              MINIO_SECRET_KEY:
+                valueFrom:
+                  secretKeyRef:
+                    name: ironbuckets-secret
+                    key: MINIO_SECRET_KEY
+            probes:
+              liveness:
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /health
+                    port: 8080
+                  initialDelaySeconds: 5
+                  periodSeconds: 10
+              readiness:
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /health
+                    port: 8080
+                  initialDelaySeconds: 5
+                  periodSeconds: 10
+            resources:
+              requests:
+                cpu: 10m
+                memory: 64Mi
+              limits:
+                memory: 256Mi
+            securityContext:
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: true
+              capabilities: { drop: ["ALL"] }
+
+          minio:
+            image:
+              repository: ghcr.io/damacus/minio-community
+              tag: latest # Replace with specific version
+            args:
+              - server
+              - /data
+              - --console-address
+              - ":9001"
+            env:
+              MINIO_ROOT_USER:
+                valueFrom:
+                  secretKeyRef:
+                    name: ironbuckets-secret
+                    key: MINIO_ACCESS_KEY
+              MINIO_ROOT_PASSWORD:
+                valueFrom:
+                  secretKeyRef:
+                    name: ironbuckets-secret
+                    key: MINIO_SECRET_KEY
+            probes:
+              liveness:
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /minio/health/live
+                    port: 9000
+                  initialDelaySeconds: 10
+                  periodSeconds: 30
+              readiness:
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /minio/health/ready
+                    port: 9000
+                  initialDelaySeconds: 10
+                  periodSeconds: 30
+            resources:
+              requests:
+                cpu: 50m
+                memory: 256Mi
+              limits:
+                memory: 1Gi
+            securityContext:
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: false # MinIO needs to write to /data
+              capabilities: { drop: ["ALL"] }
+
+        pod:
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 1000
+            runAsGroup: 1000
+            fsGroup: 1000
+            fsGroupChangePolicy: Always
+            seccompProfile: { type: RuntimeDefault }
+
+    service:
+      app:
+        controller: ironbuckets
+        ports:
+          http:
+            port: 8080
+      minio-api:
+        controller: ironbuckets
+        ports:
+          s3:
+            port: 9000
+      minio-console:
+        controller: ironbuckets
+        ports:
+          console:
+            port: 9001
+
+    route:
+      app:
+        hostnames: ["ironbuckets.${SECRET_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: kube-system
+            sectionName: https
+      minio:
+        hostnames: ["minio.${SECRET_DOMAIN}", "s3.${SECRET_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: kube-system
+            sectionName: https
+        rules:
+          - backendRefs:
+              - identifier: minio-api
+                port: 9000
+      minio-console:
+        hostnames: ["minio-console.${SECRET_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: kube-system
+            sectionName: https
+        rules:
+          - backendRefs:
+              - identifier: minio-console
+                port: 9001
+
+    persistence:
+      data:
+        enabled: true
+        type: persistentVolumeClaim
+        accessMode: ReadWriteOnce
+        size: 10Gi
+        advancedMounts:
+          ironbuckets:
+            minio:
+              - path: /data
+      # Temp directory for ironbuckets app (read-only root filesystem)
+      tmp:
+        enabled: true
+        type: emptyDir
+        advancedMounts:
+          ironbuckets:
+            app:
+              - path: /tmp

kubernetes/apps/ironbuckets/app/externalsecret.yaml

@@ -0,0 +1,21 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: ironbuckets-secret
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect # Adjust to your secret store
+  target:
+    name: ironbuckets-secret
+    creationPolicy: Owner
+  data:
+    - secretKey: MINIO_ACCESS_KEY
+      remoteRef:
+        key: ironbuckets
+        property: MINIO_ACCESS_KEY
+    - secretKey: MINIO_SECRET_KEY
+      remoteRef:
+        key: ironbuckets
+        property: MINIO_SECRET_KEY

kubernetes/apps/ironbuckets/app/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./HelmRelease.yaml
+  - ./externalsecret.yaml