feat: New helm chart that lives alongside the code

.github/workflows/internal-chart-publish.yaml

@@ -0,0 +1,79 @@
+name: Internal Chart Publish
+
+on:
+  workflow_dispatch:
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Set up Cloud SDK
+        uses: google-github-actions/setup-gcloud@v3.0.1
+
+      - id: auth
+        name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v3
+        with:
+          create_credentials_file: 'true'
+          token_format: access_token
+          project_id: wandb-production
+          workload_identity_provider: ${{ secrets.CI_WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ secrets.CI_WORKLOAD_IDENTITY_SERVICE_ACCOUNT }}
+
+      - name: Authorize Docker to use Google Container Registry
+        run: |
+          gcloud auth configure-docker us-docker.pkg.dev
+
+      - uses: actions/setup-go@v4
+        with:
+          go-version: 1.25
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v3.19.0
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2.6.1
+        with:
+          version: v3.14.0
+
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          changed=$(ct list-changed --config deploy/ct.yaml || true)
+          if [[ -n "$changed" ]]; then
+            echo "changed=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Run chart-testing  (lint)
+        run: ct lint --config deploy/ct.yaml
+
+      - name: Install Ginkgo
+        run: go install github.com/onsi/ginkgo/v2/ginkgo@latest
+
+      - name: Build and Push to GAR
+        if: steps.list-changed.outputs.changed == 'true'
+        run: |
+          VERSION=$(grep "^version:" deploy/operator/Chart.yaml | awk '{print $2}')
+          helm dependency build deploy/operator
+          helm package deploy/operator
+          helm push operator-${VERSION}.tgz oci://$REPOSITORY
+        env:
+          REPOSITORY: us-docker.pkg.dev/wandb-production/public/wandb/charts

.github/workflows/internal-image-publish.yaml

@@ -12,9 +12,12 @@ jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
+    permissions:
+      contents: 'read'
+      id-token: 'write'
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           persist-credentials: false
           fetch-depth: 0
@@ -26,15 +29,17 @@ jobs:
         uses: docker/setup-buildx-action@v2
 
       - name: Set up Cloud SDK
-        uses: google-github-actions/setup-gcloud@v3
+        uses: google-github-actions/setup-gcloud@v3.0.1
 
       - id: auth
         name: Authenticate to Google Cloud
         uses: google-github-actions/auth@v3
         with:
-          credentials_json: ${{ secrets.GCP_SA_CREDS }}
-          create_credentials_file: true
-          export_environment_variables: true
+          create_credentials_file: 'true'
+          token_format: access_token
+          project_id: wandb-production
+          workload_identity_provider: ${{ secrets.CI_WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ secrets.CI_WORKLOAD_IDENTITY_SERVICE_ACCOUNT }}
 
       - name: Authorize Docker to use Google Container Registry
         run: |

.gitignore

@@ -30,6 +30,8 @@ junit.xml
 *.swo
 *~
 
+*.tgz
+
 /charts
 /cdk8s
 /git

Makefile

@@ -121,11 +121,11 @@ run: manifests generate fmt vet ## Run a controller from your host.
 # More info: https://docs.docker.com/develop/develop-images/build_enhancements/
 .PHONY: docker-build
 docker-build: ## Build controller docker image.
-	$(CONTAINER_TOOL) build -t ${IMG} -f Dockerfile.controller .
+	$(CONTAINER_TOOL) build --platform linux/amd64 -t ${IMG} -f Dockerfile .
 
 .PHONY: docker-push
 docker-push:
-	$(CONTAINER_TOOL) push ${IMG}
+	$(CONTAINER_TOOL) push --platform linux/amd64 ${IMG}
 
 # PLATFORMS defines the target platforms for the manager image be built to provide support to multiple
 # architectures. (i.e. make docker-buildx IMG=myregistry/mypoperator:0.0.1). To use this option you need to:
@@ -259,4 +259,4 @@ $(GINKGO): $(LOCALBIN)
 	test -s $(LOCALBIN)/ginkgo || GOBIN=$(LOCALBIN) go install github.com/onsi/ginkgo/v2/ginkgo@latest
 
 
-include dep-management.mk olm.mk
+include dep-management.mk olm.mk

Tiltfile

@@ -6,7 +6,6 @@ settings = {
         "kind-kind",
         "orbstack",
     ],
-    "installMinio": False,
     "installWandb": True,
     "wandbCRD": "wandb-default-v1",
     "installTelemetry": False,
@@ -87,31 +86,12 @@ local_resource("generate", generate(), labels=["Operator-Resources"])
 
 deploy_cert_manager()
 
-if settings.get("installMinio"):
-    k8s_yaml('./hack/testing-manifests/minio/minio.yaml')
-    k8s_resource(
-        'minio',
-        'Minio',
-        objects=[
-            'minio:service',
-            'minio:namespace'
-        ]
-    )
-
 helm_repo(
     'mysql-operator-repo',
     'https://mysql.github.io/mysql-operator',
     labels=["Helm-Repos"],
 )
 
-# helm_resource(
-#     'mariadb-operator-crds',
-#     chart='mariadb-operator-repo/mariadb-operator-crds',
-#     resource_deps=['mariadb-operator-repo'],
-#     pod_readiness='ignore',
-#     labels=["Third-Party-Operators"],
-# )
-
 helm_resource(
     'mysql-operator',
     chart='mysql-operator-repo/mysql-operator',

Tiltfile.chart

@@ -0,0 +1,39 @@
+load('ext://namespace', 'namespace_create')
+load('ext://cert_manager', 'deploy_cert_manager')
+
+deploy_cert_manager()
+# default values
+settings = {
+    "allowedContexts": [
+        "docker-desktop",
+        "minikube",
+        "kind-kind",
+        "orbstack",
+    ],
+}
+
+# global settings
+settings.update(read_json(
+    "tilt-settings.json",
+    default={},
+))
+
+# Configure global watch settings with a 2-second debounce
+watch_settings(ignore=["**/.git", "**/*.out"])
+
+# Increase timeout for helm installations and apply operations
+update_settings(k8s_upsert_timeout_secs=300)
+
+currentContext = k8s_context()
+
+if currentContext in settings.get("allowedContexts"):
+    print("Context is allowed")
+else:
+    fail("Selected context is not in allow list")
+
+allow_k8s_contexts(settings.get("allowed_k8s_contexts"))
+
+current_namespace = k8s_namespace()
+namespace_create(current_namespace)
+
+k8s_yaml(helm('./deploy/operator', 'wandb-operator', namespace=current_namespace, values=['./deploy/operator/values.yaml']))

api/v2/weightsandbiases_types.go

@@ -123,7 +123,7 @@ func (w *WeightsAndBiases) GetTolerations(spec WBInfraSpec) *[]corev1.Toleration
 type WandbAppSpec struct {
 	Hostname            string              `json:"hostname"`
 	License             string              `json:"license,omitempty"`
-	ManifestRepository  string              `json:"manifest-repository,omitempty"`
+	ManifestRepository  string              `json:"manifestRepository,omitempty"`
 	Version             string              `json:"version"`
 	Features            map[string]bool     `json:"features"`
 	InternalServiceAuth InternalServiceAuth `json:"internalServiceAuth,omitempty"`

config/crd/bases/apps.wandb.com_weightsandbiases.yaml

@@ -6484,7 +6484,7 @@ spec:
                     type: object
                   license:
                     type: string
-                  manifest-repository:
+                  manifestRepository:
                     type: string
                   oidc:
                     description: WandbOIDCSpec defines the structure for OpenID Connect

deploy/.yamllint.yaml

@@ -0,0 +1,11 @@
+extends: default
+
+rules:
+  new-line-at-end-of-file: enable
+  document-end: disable
+  line-length: disable
+  trailing-spaces: enable
+  braces: disable
+  indentation: disable
+  document-start: disable
+  hyphens: disable

deploy/ct.yaml

@@ -0,0 +1,15 @@
+# See https://github.com/helm/chart-testing#configuration
+remote: origin
+target-branch: main
+chart-dirs:
+  - deploy
+chart-repos:
+  - altinity=https://helm.altinity.com
+  - grafana=https://grafana.github.io/helm-charts/
+  - minio=https://operator.min.io/
+  - mysql=https://mysql.github.io/mysql-operator
+  - redis=https://ot-container-kit.github.io/helm-charts/
+  - strimzy=https://strimzi.io/charts/
+  - victoria-metrics=https://victoriametrics.github.io/helm-charts/
+  - wandb=https://charts.wandb.ai
+yamllint-config: .yamllint.yaml

deploy/operator/Chart.lock

@@ -0,0 +1,27 @@
+dependencies:
+- name: wandb-base
+  repository: https://charts.wandb.ai/
+  version: 0.11.8
+- name: mysql-operator
+  repository: https://mysql.github.io/mysql-operator/
+  version: 2.2.7
+- name: redis-operator
+  repository: https://ot-container-kit.github.io/helm-charts
+  version: 0.22.2
+- name: strimzi-kafka-operator
+  repository: https://strimzi.io/charts
+  version: 0.50.0
+- name: operator
+  repository: https://operator.min.io
+  version: 7.1.1
+- name: altinity-clickhouse-operator
+  repository: https://helm.altinity.com
+  version: 0.25.6
+- name: victoria-metrics-operator
+  repository: https://victoriametrics.github.io/helm-charts/
+  version: 0.58.1
+- name: grafana-operator
+  repository: https://grafana.github.io/helm-charts
+  version: 5.21.4
+digest: sha256:49b17dbf78551c3e5d5357737af85eb0825e6ff26afd37a78197e47ba03afdb5
+generated: "2026-02-09T20:30:50.180745-08:00"

deploy/operator/Chart.yaml

@@ -0,0 +1,45 @@
+apiVersion: v2
+name: operator
+description: A Helm chart for Weights & Biases operator
+type: application
+version: 1.5.2
+appVersion: "2.0.0"
+maintainers:
+  - name: wandb
+    email: support@wandb.com
+    url: https://wandb.com
+
+dependencies:
+  - name: wandb-base
+    version: 0.11.8
+    alias: wandb-operator
+    repository: https://charts.wandb.ai/
+  - name: mysql-operator
+    version: 2.2.7
+    repository: https://mysql.github.io/mysql-operator/
+    condition: mysql-operator.enabled
+  - name: redis-operator
+    version: 0.22.2
+    repository: https://ot-container-kit.github.io/helm-charts
+    condition: redis-operator.enabled
+  - name: strimzi-kafka-operator
+    version: 0.50.0
+    repository: https://strimzi.io/charts
+    condition: strimzi-kafka-operator.enabled
+  - name: operator
+    alias: minio-operator
+    version: 7.1.1
+    repository: https://operator.min.io
+    condition: minio-operator.enabled
+  - name: altinity-clickhouse-operator
+    version: 0.25.6
+    repository: https://helm.altinity.com
+    condition: altinity-clickhouse-operator.enabled
+  - name: victoria-metrics-operator
+    version: 0.58.1
+    repository: https://victoriametrics.github.io/helm-charts/
+    condition: victoria-metrics-operator.enabled
+  - name: grafana-operator
+    version: 5.21.4
+    repository: https://grafana.github.io/helm-charts
+    condition: grafana-operator.enabled