feat: polyglot deployment sources (helm, argocd, manifests/kustomize) + first-class template variables

[juicycleff]

Summary

Adds first-class support for deploying via Helm charts, ArgoCD Applications, and raw/kustomize manifests alongside the existing container-services model, plus a typed template-variable layer injected into every source. Built strictly test-first across six phases (40 commits).

• vars/ — typed variable resolver: defaults, type/enum/pattern validation, secret bindings (resolved as references, never inlined), computed expressions with topological ordering + cycle detection.
• provider + render/ — a typed DeploymentSource union (services | helm | manifests | argocd) and a render package that resolves a source against a variable scope: Go text/template for services/helm-values/argo/inline-manifests, and an in-memory kustomize build for kustomize sources. Secret-never-inlined is enforced at render via missingkey=error.
• Kubernetes engines (optional interfaces gated by new capabilities, mirroring HealthChecker):
  • Manifests — apply (create-or-update) / delete / status via the dynamic client + RESTMapper, with a per-instance ref-tracking ConfigMap for deterministic teardown.
  • Helm — install / upgrade / uninstall / status via helm.sh/helm/v3 (release owned by ctrlplane, secret driver in prod).
  • ArgoCD — create/update/delete/status of argoproj.io/v1alpha1 Applications using our own minimal typed struct marshaled to unstructured (no argo-cd module dependency, which would force k8s downgrades).
• dispatch/ — routes a rendered source to the right provider operation by type, capability-gated (ErrUnsupportedSource).
• Integration — template.Template and instance.Instance gain Variables/Source, persisted across all five store backends (postgres/sqlite JSONB, mongo bson, memory, badger) with back-compat normalization of legacy services-only rows. The instance provision path now resolves variables → renders → dispatches for every source type; teardown routes by the recorded source type.

Dependency note

helm.sh/helm/v3 v3.21.0 and sigs.k8s.io/kustomize/api v0.21.1 were verified to coexist with k8s.io/* v0.35.5 — pins held, zero replace directives added (confirmed via a throwaway build spike before any Helm engine code).

Deferred (separate follow-ups)

Dashboard/API authoring UI; secret-binding materialization into native k8s Secrets for services/manifests; OCI Helm chart loading; custom deploy strategies over non-services sources.

Test Plan

• go build ./... clean
• go vet ./... clean
• go test ./... — 27 packages pass, 0 failures
• golangci-lint run — 0 issues on all touched packages
• Every phase developed red→green→refactor; variable resolver additionally mutation-checked
• All engines unit-tested without a live cluster (fake dynamic client; Helm memory storage driver + fake kube client)
• Integration smoke test against a real cluster (Helm install / Argo apply / kustomize) — recommended before relying on the cluster-backed wiring paths, which are integration-exercised rather than unit-tested

Design + per-phase plans: _project_files/deployment-sources-and-variables-design.md and _project_files/plan-phase-*.md.

🤖 Generated with Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
ctrl	Ready	Preview, Comment	Jun 11, 2026 8:14pm