feat: add Helm chart and Dockerfile for deploying Latitude to Kubernetes

Adds a production-ready Helm chart under charts/latitude/ that deploys all
four services: web (TanStack Start SSR), api (Hono HTTP), ingest (telemetry
ingestion), and workers (Redpanda background jobs).

Includes a multi-stage Dockerfile with per-service build targets (api, web,
ingest, workers, migrations) and a health endpoint for the web app.

Key design decisions:
- All four app services deployed with health probes, optional HPA/PDB/Ingress
- Secret management supports both inline values (dev/test) and an external
  pre-existing Kubernetes Secret (production) via existingSecret
- ConfigMap and Secret cover all LAT_* env vars including Kafka/Redpanda,
  object storage (S3), Weaviate, ClickHouse migration vars, and admin DB URL
- Pre-install/pre-upgrade migration Job runs Postgres (drizzle-kit),
  ClickHouse (goose), and Weaviate migrations before app pods roll out
- Workers deployment uses extended terminationGracePeriodSeconds for
  in-flight job completion
- Pod annotations include config/secret checksums to trigger rolling
  restarts on configuration changes
- VITE_LAT_* vars documented as build-time (client bundle) with SSR
  runtime fallback

Made-with: Cursor

Author: claude

.dockerignore

@@ -1,13 +1,17 @@
-**/.git/
-**/.next/
-**/dist/
+.git/
+.github/
+.husky/
+.cursor/
+.turbo/
+.pnpm-store/
 **/node_modules/
-**/docker/
+**/dist/
+**/coverage/
+**/.turbo/
+**/.next/
+docker/
+charts/
 *.md
-.git
-.pnpm-store
-Dockerfile
-docker
-node_modules
 npm-debug.log
-out
+.env*
+!.env.example

Dockerfile

@@ -0,0 +1,125 @@
+# syntax=docker/dockerfile:1
+
+# ---------------------------------------------------------------------------
+# Base image — shared by all stages
+# ---------------------------------------------------------------------------
+FROM node:25-slim AS base
+
+RUN corepack enable && corepack prepare pnpm@10.30.3 --activate
+RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app
+
+# ---------------------------------------------------------------------------
+# Install dependencies
+# ---------------------------------------------------------------------------
+FROM base AS deps
+
+COPY pnpm-lock.yaml pnpm-workspace.yaml package.json ./
+COPY apps/api/package.json           apps/api/package.json
+COPY apps/web/package.json           apps/web/package.json
+COPY apps/ingest/package.json        apps/ingest/package.json
+COPY apps/workers/package.json       apps/workers/package.json
+COPY apps/workflows/package.json     apps/workflows/package.json
+
+# Copy all package.json files from packages/
+COPY packages/ /tmp/packages-src/
+RUN find /tmp/packages-src -name 'package.json' -not -path '*/node_modules/*' | while read src; do \
+      dest="packages/${src#/tmp/packages-src/}"; \
+      mkdir -p "$(dirname "$dest")"; \
+      cp "$src" "$dest"; \
+    done && rm -rf /tmp/packages-src
+
+RUN --mount=type=cache,id=pnpm,target=/root/.local/share/pnpm/store \
+    pnpm install --frozen-lockfile
+
+# ---------------------------------------------------------------------------
+# Source — full repo with deps installed
+# ---------------------------------------------------------------------------
+FROM base AS source
+
+COPY --from=deps /app/node_modules         ./node_modules
+COPY --from=deps /app/apps/*/node_modules   ./
+COPY --from=deps /app/packages/             ./packages/
+COPY . .
+RUN --mount=type=cache,id=pnpm,target=/root/.local/share/pnpm/store \
+    pnpm install --frozen-lockfile
+
+# ---------------------------------------------------------------------------
+# Build — compile all packages
+# ---------------------------------------------------------------------------
+FROM source AS build
+
+ARG VITE_LAT_API_URL
+ARG VITE_LAT_WEB_URL
+
+RUN pnpm build
+
+# ---------------------------------------------------------------------------
+# Target: api
+# ---------------------------------------------------------------------------
+FROM base AS api
+
+COPY --from=build /app ./
+
+ENV NODE_ENV=production
+EXPOSE 3001
+
+CMD ["node", "apps/api/dist/server.js"]
+
+# ---------------------------------------------------------------------------
+# Target: ingest
+# ---------------------------------------------------------------------------
+FROM base AS ingest
+
+COPY --from=build /app ./
+
+ENV NODE_ENV=production
+EXPOSE 3002
+
+CMD ["node", "apps/ingest/dist/server.js"]
+
+# ---------------------------------------------------------------------------
+# Target: workers
+# ---------------------------------------------------------------------------
+FROM base AS workers
+
+COPY --from=build /app ./
+
+ENV NODE_ENV=production
+EXPOSE 9090
+
+CMD ["node", "apps/workers/dist/server.js"]
+
+# ---------------------------------------------------------------------------
+# Target: web (TanStack Start / Vite SSR)
+# ---------------------------------------------------------------------------
+FROM base AS web
+
+COPY --from=build /app ./
+
+ENV NODE_ENV=production
+EXPOSE 3000
+
+CMD ["node", "apps/web/.output/server/index.mjs"]
+
+# ---------------------------------------------------------------------------
+# Target: migrations
+# Runs Postgres (drizzle-kit), ClickHouse (goose), and Weaviate migrations.
+# ---------------------------------------------------------------------------
+FROM base AS migrations
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends curl && \
+    GOOSE_VERSION=3.24.3 && \
+    ARCH=$(dpkg --print-architecture) && \
+    curl -fsSL "https://github.com/pressly/goose/releases/download/v${GOOSE_VERSION}/goose_linux_${ARCH}" \
+      -o /usr/local/bin/goose && \
+    chmod +x /usr/local/bin/goose && \
+    apt-get purge -y curl && apt-get autoremove -y && rm -rf /var/lib/apt/lists/*
+
+COPY --from=build /app ./
+
+ENV NODE_ENV=production
+
+CMD ["sh", "-c", "pnpm --filter @platform/db-postgres pg:migrate && pnpm --filter @platform/db-clickhouse ch:up && pnpm --filter @platform/db-weaviate wv:migrate"]

apps/api/src/middleware/touch-buffer.ts

@@ -26,7 +26,7 @@ interface TouchBufferConfig {
  *
  * Performance impact:
  * - Reduces writes by 90%+ (30s window / avg 100ms request = 300:1 reduction)
- * - lastUsedAt accuracy reduced to flush interval (±30 seconds by default)
+ * - lastUsedAt accuracy reduced to flush interval (+/-30 seconds by default)
  *
  * Usage:
  * ```typescript
@@ -111,11 +111,9 @@ class TouchBuffer {
         }).pipe(Effect.provide(apiKeyRepoLayer), Effect.provide(sqlClientLayer)),
       )
 
-      const duration = Date.now() - startTime
-      logger.info(`Flushed ${keyIds.length} touch updates in ${duration}ms`)
+      logger.info(`Flushed ${keyIds.length} touch updates in ${Date.now() - startTime}ms`)
     } catch (error) {
-      const errorMessage = error instanceof Error ? error.message : "Unknown error"
-      logger.error(`Failed to flush touch updates: ${errorMessage}`)
+      logger.error(`Failed to flush touch updates: ${error instanceof Error ? error.message : "Unknown error"}`)
 
       // Re-add failed keys to buffer for retry (with limit to prevent unbounded growth)
       for (const [keyId, timestamp] of batch) {

apps/web/src/routeTree.gen.ts

@@ -16,6 +16,7 @@ import { Route as AuthenticatedRouteImport } from './routes/_authenticated'
 import { Route as AuthenticatedIndexRouteImport } from './routes/_authenticated/index'
 import { Route as AuthConfirmRouteImport } from './routes/auth/confirm'
 import { Route as AuthCliRouteImport } from './routes/auth/cli'
+import { Route as ApiHealthRouteImport } from './routes/api/health'
 import { Route as AuthenticatedSettingsRouteImport } from './routes/_authenticated/settings'
 import { Route as ApiAuthSplatRouteImport } from './routes/api/auth/$'
 import { Route as AuthenticatedProjectsProjectIdRouteImport } from './routes/_authenticated/projects/$projectId'
@@ -60,6 +61,11 @@ const AuthCliRoute = AuthCliRouteImport.update({
   path: '/auth/cli',
   getParentRoute: () => rootRouteImport,
 } as any)
+const ApiHealthRoute = ApiHealthRouteImport.update({
+  id: '/api/health',
+  path: '/api/health',
+  getParentRoute: () => rootRouteImport,
+} as any)
 const AuthenticatedSettingsRoute = AuthenticatedSettingsRouteImport.update({
   id: '/settings',
   path: '/settings',
@@ -121,6 +127,7 @@ export interface FileRoutesByFullPath {
   '/login': typeof LoginRoute
   '/signup': typeof SignupRoute
   '/settings': typeof AuthenticatedSettingsRoute
+  '/api/health': typeof ApiHealthRoute
   '/auth/cli': typeof AuthCliRoute
   '/auth/confirm': typeof AuthConfirmRoute
   '/projects/$projectId': typeof AuthenticatedProjectsProjectIdRouteWithChildren
@@ -137,6 +144,7 @@ export interface FileRoutesByTo {
   '/login': typeof LoginRoute
   '/signup': typeof SignupRoute
   '/settings': typeof AuthenticatedSettingsRoute
+  '/api/health': typeof ApiHealthRoute
   '/auth/cli': typeof AuthCliRoute
   '/auth/confirm': typeof AuthConfirmRoute
   '/': typeof AuthenticatedIndexRoute
@@ -155,6 +163,7 @@ export interface FileRoutesById {
   '/login': typeof LoginRoute
   '/signup': typeof SignupRoute
   '/_authenticated/settings': typeof AuthenticatedSettingsRoute
+  '/api/health': typeof ApiHealthRoute
   '/auth/cli': typeof AuthCliRoute
   '/auth/confirm': typeof AuthConfirmRoute
   '/_authenticated/': typeof AuthenticatedIndexRoute
@@ -175,6 +184,7 @@ export interface FileRouteTypes {
     | '/login'
     | '/signup'
     | '/settings'
+    | '/api/health'
     | '/auth/cli'
     | '/auth/confirm'
     | '/projects/$projectId'
@@ -191,6 +201,7 @@ export interface FileRouteTypes {
     | '/login'
     | '/signup'
     | '/settings'
+    | '/api/health'
     | '/auth/cli'
     | '/auth/confirm'
     | '/'
@@ -208,6 +219,7 @@ export interface FileRouteTypes {
     | '/login'
     | '/signup'
     | '/_authenticated/settings'
+    | '/api/health'
     | '/auth/cli'
     | '/auth/confirm'
     | '/_authenticated/'
@@ -226,6 +238,7 @@ export interface RootRouteChildren {
   DesignSystemRoute: typeof DesignSystemRoute
   LoginRoute: typeof LoginRoute
   SignupRoute: typeof SignupRoute
+  ApiHealthRoute: typeof ApiHealthRoute
   AuthCliRoute: typeof AuthCliRoute
   AuthConfirmRoute: typeof AuthConfirmRoute
   ApiAuthSplatRoute: typeof ApiAuthSplatRoute
@@ -282,6 +295,13 @@ declare module '@tanstack/react-router' {
       preLoaderRoute: typeof AuthCliRouteImport
       parentRoute: typeof rootRouteImport
     }
+    '/api/health': {
+      id: '/api/health'
+      path: '/api/health'
+      fullPath: '/api/health'
+      preLoaderRoute: typeof ApiHealthRouteImport
+      parentRoute: typeof rootRouteImport
+    }
     '/_authenticated/settings': {
       id: '/_authenticated/settings'
       path: '/settings'
@@ -400,6 +420,7 @@ const rootRouteChildren: RootRouteChildren = {
   DesignSystemRoute: DesignSystemRoute,
   LoginRoute: LoginRoute,
   SignupRoute: SignupRoute,
+  ApiHealthRoute: ApiHealthRoute,
   AuthCliRoute: AuthCliRoute,
   AuthConfirmRoute: AuthConfirmRoute,
   ApiAuthSplatRoute: ApiAuthSplatRoute,

apps/web/src/routes/api/health.ts

@@ -0,0 +1,14 @@
+import { createFileRoute } from "@tanstack/react-router"
+
+export const Route = createFileRoute("/api/health")({
+  server: {
+    handlers: {
+      GET: async () => {
+        return new Response(JSON.stringify({ status: "ok" }), {
+          status: 200,
+          headers: { "Content-Type": "application/json" },
+        })
+      },
+    },
+  },
+})

apps/workers/src/server.ts

@@ -1,4 +1,5 @@
 import { existsSync } from "node:fs"
+import { createServer } from "node:http"
 import { fileURLToPath } from "node:url"
 import { createPollingOutboxConsumer } from "@platform/events-outbox"
 import {
@@ -22,8 +23,24 @@ if (existsSync(envFilePath)) {
 
 const pgPool = getPostgresPool(10)
 const logger = createLogger("workers")
+let ready = false
+
+const healthPort = Number(process.env.LAT_WORKERS_HEALTH_PORT) || 9090
+const healthServer = createServer((req, res) => {
+  if (req.url === "/health" && req.method === "GET") {
+    const status = ready ? 200 : 503
+    res.writeHead(status, { "Content-Type": "application/json" })
+    res.end(JSON.stringify({ status: ready ? "ok" : "starting" }))
+  } else {
+    res.writeHead(404)
+    res.end()
+  }
+})
+
+healthServer.listen(healthPort, () => {
+  logger.info(`workers health check listening on :${healthPort}/health`)
+})
 
-// Simple event handler that logs events (placeholder for actual side effect processing)
 const eventHandler = {
   handle: (event: {
     id: string
@@ -36,18 +53,14 @@ const eventHandler = {
     }),
 }
 
-// Initialize workers asynchronously
 const initializeWorkers = async () => {
-  // Load Redpanda configuration
   const kafkaConfig = Effect.runSync(loadKafkaConfig())
   const kafkaClient = createKafkaClient(kafkaConfig)
 
-  // Create Redpanda publisher (async initialization)
   const eventsPublisher = await createRedpandaEventsPublisher({
     kafka: kafkaClient,
   })
 
-  // Create outbox consumer (polls Postgres outbox and publishes to Redpanda)
   const outboxConsumer = createPollingOutboxConsumer(
     {
       pool: pgPool,
@@ -57,19 +70,18 @@ const initializeWorkers = async () => {
     eventsPublisher,
   )
 
-  // Create Redpanda event consumer (consumes from Redpanda and processes events)
   const redpandaConsumer = createRedpandaEventsConsumer({
     kafka: kafkaClient,
     groupId: kafkaConfig.groupId,
   })
 
-  // Create span ingestion worker (consumes from span-ingestion topic and writes to ClickHouse)
   const spanIngestionWorker = createSpanIngestionWorker(kafkaClient, `${kafkaConfig.groupId}-span-ingestion`)
 
-  // Start consumers
   outboxConsumer.start()
   await redpandaConsumer.start(eventHandler)
   await spanIngestionWorker.start()
+
+  ready = true
   logger.info("workers ready - outbox consumer and Redpanda consumer started")
 
   return { outboxConsumer, redpandaConsumer, spanIngestionWorker }
@@ -80,9 +92,11 @@ const workersPromise = initializeWorkers().catch((error) => {
   process.exit(1)
 })
 
-// Graceful shutdown
 process.on("SIGINT", async () => {
   logger.info("shutting down workers...")
+  ready = false
+  healthServer.close()
+
   try {
     const { outboxConsumer, redpandaConsumer, spanIngestionWorker } = await workersPromise
     await outboxConsumer.stop()
@@ -91,7 +105,7 @@ process.on("SIGINT", async () => {
   } catch (error) {
     logger.error("Error during shutdown (workers may not have started)", error)
   }
-  await pgPool.end()
 
+  await pgPool.end()
   process.exit(0)
 })