infra: deploy orcha with helm

Dockerfile

@@ -11,4 +11,4 @@ WORKDIR /app
 RUN uv sync --locked --no-cache
 
 # Run the application.
-CMD ["/app/.venv/bin/fastapi", "run", "app/main.py", "--port", "80"]
+CMD ["/app/.venv/bin/fastapi", "run", "app/main.py", "--port", "8080"]

app/cli/main.py

@@ -72,7 +72,7 @@ def workers():
     """Start the Temporal worker."""
     typer.echo("Starting Temporal worker...")
     result = subprocess.run(
-        ["uv", "run", "python", "-m", "app.workers"],
+        [sys.executable, "-m", "app.workers"],
         cwd=PROJECT_ROOT,
     )
     sys.exit(result.returncode)
@@ -91,7 +91,7 @@ def run_all(ctx: typer.Context):
             cwd=PROJECT_ROOT,
         ),
         subprocess.Popen(
-            ["uv", "run", "python", "-m", "app.workers"],
+            [sys.executable, "-m", "app.workers"],
             cwd=PROJECT_ROOT,
         ),
     ]

app/config.py

@@ -23,8 +23,13 @@ class Settings(BaseSettings):
     auth_disabled: bool = False
     tenants_config_path: str = "tenants.json"
 
-    # Security
-    allowed_origins: list[str] = ["http://localhost:3000", "http://127.0.0.1:3000"]
+    allowed_origins: list[str] = [
+        "http://localhost:3000",
+        "http://127.0.0.1:3000",
+        "https://localhost:5000",
+        "https://127.0.0.1:5000",
+        "https://orcha.app.cern.ch",
+    ]
 
     @property
     def database_url(self) -> str:

app/main.py

@@ -35,6 +35,7 @@ async def lifespan(app: FastAPI):
 
 app = FastAPI(lifespan=lifespan)
 
+
 # Apply CORS middleware using settings
 _settings = get_settings()
 if _settings.allowed_origins:
@@ -50,5 +51,11 @@ async def lifespan(app: FastAPI):
 
 @app.get("/")
 async def root(auth=Depends(get_current_user)):
-    """Health check endpoint."""
+    """Root endpoint."""
     return {"message": "This is the backend service for Orcha!"}
+
+
+@app.get("/health", include_in_schema=False)
+async def health():
+    """Health check endpoint, non-authenticated."""
+    return {"status": "ok"}

helm/Chart.lock

@@ -0,0 +1,9 @@
+dependencies:
+- name: postgresql
+  repository: https://charts.bitnami.com/bitnami
+  version: 18.5.7
+- name: temporal
+  repository: https://go.temporal.io/helm-charts
+  version: 0.73.1
+digest: sha256:e560849947eb28377fb837ff5e664918e610cb6b1c287109472e5d35019c9c5d
+generated: "2026-03-18T18:44:55.62055+01:00"

helm/Chart.yaml

@@ -0,0 +1,16 @@
+apiVersion: v2
+name: orcha
+description: Orcha AI workflow service
+type: application
+version: 0.1.0
+appVersion: "0.1.0"
+
+dependencies:
+  - name: postgresql
+    version: "18.5.7"
+    repository: https://charts.bitnami.com/bitnami
+    condition: postgresql.enabled
+  - name: temporal
+    version: "0.73.1"
+    repository: https://go.temporal.io/helm-charts
+    condition: temporal.enabled

helm/templates/Configmap.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "orcha.fullname" . }}
+  labels:
+    {{- include "orcha.labels" . | nindent 4 }}
+data:
+  AUTH_DISABLED: {{ .Values.config.authDisabled | quote }}
+  TEMPORAL_HOST: {{ tpl .Values.config.temporalHost . | quote }}
+  TEMPORAL_NAMESPACE: {{ .Values.config.temporalNamespace | quote }}
+  PGUSER: {{ .Values.postgresqlExternal.username | quote }}
+  PGHOST: {{ .Values.postgresqlExternal.hostname | quote }}
+  PGPORT: {{ .Values.postgresqlExternal.port | quote }}
+  PGDATABASE: {{ .Values.postgresqlExternal.database | quote }}
+

helm/templates/DeploymentFastapi.yaml

@@ -0,0 +1,62 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "orcha.fullname" . }}-api
+  labels:
+    {{- include "orcha.labels" . | nindent 4 }}
+    app.kubernetes.io/component: api
+spec:
+  replicas: {{ .Values.api.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "orcha.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: api
+  template:
+    metadata:
+      labels:
+        {{- include "orcha.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: api
+    spec:
+      containers:
+      - name: api
+        image: {{ include "orcha.image" . }}
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        ports:
+          - name: http
+            containerPort: 8080
+            protocol: TCP
+        envFrom:
+          - configMapRef:
+              name: {{ include "orcha.fullname" . }}
+          - secretRef:
+              name: {{ .Values.externalSecret.name }}
+        env:
+          {{- include "orcha.config.database" . | nindent 10 }}
+          - name: TENANTS_FILE_PATH
+            value: /etc/orcha/tenants.json
+        volumeMounts:
+          - name: tenants
+            mountPath: /etc/orcha
+            readOnly: true
+        livenessProbe:
+          httpGet:
+            path: /health
+            port: http
+          initialDelaySeconds: 15
+          periodSeconds: 30
+        readinessProbe:
+          httpGet:
+            path: /health
+            port: http
+          initialDelaySeconds: 10
+          periodSeconds: 10
+        resources:
+          {{- toYaml .Values.api.resources | nindent 12 }}
+      volumes:
+        - name: tenants
+          secret:
+            secretName: orcha-tenants
+            items:
+              - key: tenants.json
+                path: tenants.json

helm/templates/DeploymentWorker.yaml

@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "orcha.fullname" . }}-worker
+  labels:
+    {{- include "orcha.labels" . | nindent 4 }}
+    app.kubernetes.io/component: worker
+spec:
+  replicas: {{ .Values.worker.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "orcha.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: worker
+  template:
+    metadata:
+      labels:
+        {{- include "orcha.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: worker
+    spec:
+      containers:
+      - name: worker
+        image: {{ include "orcha.image" . }}
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        command: ["/app/.venv/bin/orcha", "run", "workers"]
+        envFrom:
+          - configMapRef:
+              name: {{ include "orcha.fullname" . }}
+          - secretRef:
+              name: {{ include "orcha.fullname" . }}
+
+        resources:
+          {{- toYaml .Values.worker.resources | nindent 12 }}

helm/templates/Route.yaml

@@ -0,0 +1,21 @@
+{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1/Route" }}
+---
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  name: {{ include "orcha.fullname" . }}
+  {{- if and .Values.route .Values.route.annotations }}
+  annotations:
+    {{- .Values.route.annotations | toYaml | nindent 4 }}
+  {{- end }}
+spec:
+  host: {{ include "orcha.hostname" $ }}
+  to:
+    kind: Service
+    name: {{ include "orcha.fullname" . }}-api
+  port:
+    targetPort: http
+  tls:
+    termination: edge
+    insecureEdgeTerminationPolicy: Redirect
+  {{- end }}

helm/templates/Service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "orcha.fullname" . }}-api
+  labels:
+    {{- include "orcha.labels" . | nindent 4 }}
+    app.kubernetes.io/component: api
+spec:
+  type: {{ .Values.api.service.type }}
+  ports:
+    - port: {{ .Values.api.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "orcha.selectorLabels" . | nindent 4 }}
+    app.kubernetes.io/component: api