release: v0.10.0 + official Helm chart

- CHANGELOG: DuckDB 1.5.2, Kubernetes Helm chart, cluster-mode mTLS,
  PGWire `postgresql` ALPN, non-AWS S3 heartbeat resilience,
  loopback TLS via SNI
- README: version placeholders bumped to 0.10.0
- charts/boilstream: vendored official Helm chart (v0.3.0,
  appVersion 0.10.0) with EKS + Hetzner example overlays
- .github/workflows/publish-chart.yaml: OCI push to
  ghcr.io/boilingdata/charts on `chart-v*` tags

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: dforsber

.github/workflows/publish-chart.yaml

@@ -0,0 +1,40 @@
+name: Publish Helm Chart
+
+on:
+  push:
+    tags:
+      - "chart-v*"
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Chart version tag (e.g. 0.3.0)"
+        required: true
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v3.15.0
+
+      - name: Lint
+        run: helm lint charts/boilstream
+
+      - name: Package
+        run: helm package charts/boilstream -d dist/
+
+      - name: Log in to GHCR
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u ${{ github.actor }} --password-stdin
+
+      - name: Push chart
+        run: |
+          CHART_TGZ=$(ls dist/boilstream-*.tgz | head -n1)
+          helm push "$CHART_TGZ" oci://ghcr.io/boilingdata/charts

CHANGELOG.md

@@ -5,6 +5,47 @@ All notable changes to BoilStream will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.10.0] - 2026-04-18
+
+### Features
+
+- **Official Kubernetes Helm Chart**: Production-ready chart for multi-pod cluster deployments
+  - StatefulSet with headless Service for stable per-pod DNS
+  - Per-pod ClusterIP Services exposing PGWire, Kafka, FlightRPC, auth, and cluster ports
+  - Envoy Gateway integration with TLS passthrough + SNI-based routing — one external LoadBalancer IP terminates all protocols across all pods
+  - cert-manager wiring: public wildcard cert (Let's Encrypt ACME, DNS-01 or HTTP-01) and a separate internal CA for pod-to-pod mTLS
+  - PodDisruptionBudget, standard `app.kubernetes.io/*` labels, configurable `affinity` / `nodeSelector` / `tolerations` / `topologySpreadConstraints`
+  - `preStop` hook + `terminationGracePeriodSeconds` for graceful connection drain during rolling updates
+  - IRSA / Pod Identity annotations for AWS; image pull secrets for private registries
+  - Superadmin password and MFA secret sourced from pre-created `Secret`s — never committed to values
+  - Example overlays: `values-eks-example.yaml` (AWS / NLB) and `values-hetzner-example.yaml` (CloudFleet / Hetzner ARM64)
+  - K8s production-readiness test suite under `tests/k8s/` (pod health, leader election, broker registry, SNI routing, failover)
+
+- **Cluster-Mode mTLS**: Pod-to-pod cluster coordination traffic can now be encrypted with mutual TLS
+  - Separate trust root from the public-facing cert — internal CA is isolated from browser trust
+  - `cluster_mode.tls.{cert_path,key_path,ca_cert_path,require_client_cert}` configuration block
+  - `require_client_cert` is now enforced at the TLS handshake (not just at the application layer)
+  - Works out of the box with the chart's cert-manager `ClusterIssuer`
+
+- **PGWire Direct-TLS ALPN**: Server now advertises the `postgresql` ALPN token during TLS negotiation, enabling `libpq >= 18` direct-TLS clients to connect without a downgrade round-trip
+
+- **DuckDB 1.5.2**: Upgraded from 1.4.4 LTS
+  - New PostgreSQL type inference for `format_type(oid, typmod)` parameter binding — now infers `[INT8, INT4]` (was `[TEXT, INT4]`). BI tools that previously relied on the old inference may need to cast explicitly
+  - Inherits all DuckDB 1.5.x improvements (planner, vector operations, extension loader)
+
+### Fixes
+
+- **Leader heartbeat on non-AWS S3**: Heartbeat now retries with a re-read confirmation and an unconditional PUT fallback when `If-Match` ETag comparisons fail. Fixes stalled leadership on S3 implementations where ETags don't round-trip identically between GET and PUT (Hetzner Object Storage, some MinIO configurations)
+- **Cluster-sync mTLS server on promotion**: The internal coordination server now starts when a worker is promoted to leader mid-life (previously only started at boot for pods that booted as leader — caused failover gaps)
+- **Auth server loopback TLS**: The auth server on `:8443` now presents a self-signed loopback certificate for `localhost` / `127.0.0.1` SNI connections and the public cert for its real hostname. Fixes in-pod TLS handshakes when the public cert doesn't cover loopback addresses (e.g. Let's Encrypt deployments)
+
+### Improvements
+
+- **WebAuthn / RP config from single source**: The Helm chart now propagates `values.domain` into both `webauthn_rp_id` and `webauthn_rp_origin`, removing one place where the external hostname could drift
+- **Helm chart de-localized**: Example charts no longer embed localhost certificates or hard-coded dev hostnames — production deploys use real FQDNs end-to-end
+- **boilstream-admin wrapper for K8s**: New `scripts/boilstream-admin-k8s.sh` reads CA, superadmin password, and MFA secret live from Kubernetes `Secret`s; computes TOTP locally and execs the admin CLI against the in-cluster deployment
+- **`testMode.disableTurnstile` chart value**: Lets CI/test clusters skip the Turnstile CAPTCHA on `/auth/email/signup` without rebuilding the image
+
 ## [0.9.0] - 2026-04-08
 
 ### Features

README.md

@@ -34,18 +34,21 @@ Download, start, and connect with any Postgres-compatible BI tool. Data streams
 
 ## Start
 
+See [GitHub releases](https://github.com/boilingdata/boilstream/releases) for the latest version.
+
 ```bash
 # Download (linux-x64, linux-aarch64, darwin-aarch64)
-curl -L -o boilstream https://www.boilstream.com/binaries/darwin-aarch64/boilstream-0.9.0
-curl -L -o boilstream-admin https://www.boilstream.com/binaries/darwin-aarch64/boilstream-admin-0.9.0
+# Replace {VERSION} with the latest release (e.g. 0.10.0)
+curl -L -o boilstream https://www.boilstream.com/binaries/darwin-aarch64/boilstream-{VERSION}
+curl -L -o boilstream-admin https://www.boilstream.com/binaries/darwin-aarch64/boilstream-admin-{VERSION}
 chmod +x boilstream boilstream-admin
 
 SERVER_IP_ADDRESS=1.2.3.4 ./boilstream
 
-# Docker: boilinginsights/boilstream:x64-linux-0.9.0 or :aarch64-linux-0.9.0
+# Docker
 docker run -v ./config.yaml:/app/config.yaml \
    -p 443:443 -p 5432:5432 -p 50051:50051 -p 50250:50250 \
-   -e SERVER_IP_ADDRESS=1.2.3.4 boilinginsights/boilstream:aarch64-linux-0.9.0
+   -e SERVER_IP_ADDRESS=1.2.3.4 boilinginsights/boilstream:aarch64-linux-{VERSION}
 ```
 
 > _Use the accompanying `docker-compose.yml` to start Grafana and MinIO_

charts/README.md

@@ -0,0 +1,42 @@
+# BoilStream Helm Charts
+
+Official Helm charts for deploying BoilStream on Kubernetes.
+
+## Charts
+
+- **[boilstream](./boilstream/)** — StatefulSet-based cluster with Envoy Gateway SNI routing, cert-manager TLS, and optional cluster-mode mTLS.
+
+## Install via OCI
+
+```bash
+helm install boilstream oci://ghcr.io/boilingdata/charts/boilstream \
+  --version 0.3.0 \
+  -n boilstream --create-namespace \
+  -f my-values.yaml
+```
+
+## Install from source
+
+```bash
+helm install boilstream ./charts/boilstream \
+  -n boilstream --create-namespace \
+  -f my-values.yaml
+```
+
+## Prerequisites
+
+- [cert-manager](https://cert-manager.io) >= 1.13
+- [Envoy Gateway](https://gateway.envoyproxy.io) >= 1.2
+
+See [docs.boilstream.com/guide/kubernetes](https://docs.boilstream.com/guide/kubernetes.html) for the full deployment guide.
+
+## Releasing
+
+Chart releases are cut via the `publish-chart.yaml` workflow on `chart-v*` tags:
+
+```bash
+git tag chart-v0.3.0
+git push --tags
+```
+
+The workflow lints, packages, and pushes the chart to `oci://ghcr.io/boilingdata/charts`.

charts/boilstream/.helmignore

@@ -0,0 +1,25 @@
+# Patterns to ignore when building packages.
+# These artifacts will not be added to the chart tarball produced by
+# `helm package`. Files matching the patterns below are excluded by default.
+.DS_Store
+.git/
+.gitignore
+.bzr/
+.hg/
+.hgignore
+.svn/
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# IDE
+.vscode/
+.idea/
+# Tooling
+.helmignore
+.tool-versions
+# Tests / chart development
+ci/
+tests/
+*.tgz

charts/boilstream/Chart.yaml

@@ -0,0 +1,32 @@
+apiVersion: v2
+name: boilstream
+description: |
+  BoilStream — high-performance streaming data ingestion (PGWire, Kafka,
+  Arrow Flight) with S3-coordinated cluster mode and DuckLake catalog
+  support. Each pod participates in S3-based leader election and serves
+  per-user catalogs; failed pods are recovered from S3 backups.
+type: application
+version: 0.3.0
+appVersion: "0.10.0"
+kubeVersion: ">=1.27.0"
+keywords:
+  - streaming
+  - pgwire
+  - kafka
+  - arrow-flight
+  - ducklake
+  - duckdb
+  - s3
+home: https://boilstream.com
+sources:
+  - https://github.com/boilingdata/boilstream
+maintainers:
+  - name: BoilStream
+    url: https://boilstream.com
+annotations:
+  # Documented prerequisites — operators must install these BEFORE the chart.
+  # Listed as annotations because Helm dependency support assumes a Chart we
+  # control; cert-manager and Envoy Gateway are independent installs.
+  boilstream.com/prereqs: |
+    cert-manager (>=1.13) — issues TLS Secrets via the configured ClusterIssuer
+    Envoy Gateway (>=1.2) — provides the GatewayClass referenced by gateway.className

charts/boilstream/README.md

@@ -0,0 +1,134 @@
+# BoilStream Helm chart
+
+Deploys a BoilStream cluster on Kubernetes — StatefulSet of N pods sharing
+state via S3 (cluster coordination + per-user catalog backups), with optional
+Envoy Gateway SNI routing and pod-to-pod mTLS.
+
+## Prerequisites
+
+The chart **does not** install these — operators must provide them:
+
+| Prereq | Why |
+|---|---|
+| **cert-manager ≥ 1.13** | Issues the public wildcard cert and (optionally) the internal cluster-mTLS cert. Skip if you supply both via `tls.existingSecret` and `clusterTls.existingSecret`. |
+| **A `ClusterIssuer`** named in `tls.issuer.name` (default `boilstream-ca-issuer`) | cert-manager needs an issuer to mint certs. Self-signed CA, Let's Encrypt + DNS-01, or ACM Private CA all work. |
+| **Envoy Gateway ≥ 1.2** with a `GatewayClass` named in `gateway.className` (default `eg`) | The chart-managed `Gateway` + `TLSRoute` resources reference this class. Skip by setting `gateway.enabled: false` (clients then must reach the Pods/headless Service directly). |
+| **An S3-compatible bucket** at `s3.endpoint` (real S3, MinIO, RustFS, R2…) | Stores leader.json, broker registry, per-user catalog backups. |
+
+Quick local install of the prereqs (tested on OrbStack k8s):
+
+```bash
+helm install eg oci://docker.io/envoyproxy/gateway-helm --version v1.2.1 \
+  -n envoy-gateway-system --create-namespace
+helm install cert-manager jetstack/cert-manager --version v1.16.2 \
+  -n cert-manager --create-namespace --set crds.enabled=true
+kubectl apply -f - <<'YAML'
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata: { name: selfsigned-root }
+spec: { selfSigned: {} }
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata: { name: boilstream-ca, namespace: cert-manager }
+spec:
+  isCA: true
+  commonName: BoilStream Local CA
+  secretName: boilstream-ca-tls
+  privateKey: { algorithm: ECDSA, size: 256 }
+  issuerRef: { name: selfsigned-root, kind: ClusterIssuer }
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata: { name: boilstream-ca-issuer }
+spec: { ca: { secretName: boilstream-ca-tls } }
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata: { name: eg }
+spec: { controllerName: gateway.envoyproxy.io/gatewayclass-controller }
+YAML
+```
+
+## Install
+
+**Local dev (OrbStack + RustFS, defaults):**
+
+```bash
+helm install boilstream ./charts/boilstream
+```
+
+**EKS (AWS S3 + ACM/Let's Encrypt + Pod Identity):**
+
+```bash
+helm install boilstream ./charts/boilstream \
+  -f ./charts/boilstream/values-eks-example.yaml \
+  --set image.repository=<account>.dkr.ecr.<region>.amazonaws.com/boilstream \
+  --set image.tag=0.10.0 \
+  --set superadmin.existingSecret=boilstream-superadmin \
+  --set serviceAccount.annotations."eks\.amazonaws\.com/role-arn"=arn:aws:iam::...
+```
+
+## Key values
+
+| Group | Key | Default | Notes |
+|---|---|---|---|
+| Replicas | `replicas` | `3` | Min 1, recommended ≥3 for quorum-style availability. |
+| Image | `image.repository`, `image.tag`, `image.pullPolicy`, `image.pullSecrets` | `boilstream:local-1.5.2`, `Never`, `[]` | Set `pullSecrets: [{name: regcred}]` for private registries. |
+| Naming | `namespace`, `namespaceCreate`, `nameOverride`, `fullnameOverride` | `boilstream`, `true` | Set `namespaceCreate: false` if using `--create-namespace` or pre-managed namespaces. |
+| Public TLS | `tls.existingSecret`, `tls.issuer.{name,kind}` | (chart-managed) | Provide `existingSecret` to use ACM-imported or pre-issued certs. |
+| Cluster mTLS | `clusterTls.enabled`, `clusterTls.issuer.*` | `false` | Pod-to-pod gRPC on `:8444`. Separate trust root from public edge. |
+| Gateway | `gateway.enabled`, `gateway.className`, `gateway.serviceAnnotations` | `true`, `eg`, `{}` | Annotations propagate to the LB Service Envoy Gateway provisions. |
+| ServiceAccount | `serviceAccount.{create,name,annotations}` | `true`, `boilstream`, `{}` | Set `eks.amazonaws.com/role-arn` for IRSA / Pod Identity. |
+| Resources | `resources.requests`, `resources.limits` | dev-sized | **Override for production** — see EKS overlay. |
+| Disruption | `podDisruptionBudget.{enabled,maxUnavailable\|minAvailable}` | `true`, `1` | Voluntary-disruption guard during drains/upgrades. |
+| Lifecycle | `terminationGracePeriodSeconds`, `preStopSleepSeconds` | `120`, `5` | Time for in-flight S3 flush + leader stepdown. |
+| S3 | `s3.{endpoint,bucket,region,prefix,forcePathStyle,accessKey,secretKey}` | RustFS dev defaults | Leave creds empty on EKS to use the IRSA role. |
+| Superadmin | `superadmin.password` *or* `superadmin.existingSecret` | dev literal | **Always override in prod** — use `existingSecret` from sealed-secrets / ESO / SSM. |
+
+See [`values.yaml`](values.yaml) for the full set with inline comments, and
+[`values-eks-example.yaml`](values-eks-example.yaml) for a production-shaped
+override.
+
+## Architecture summary
+
+- **StatefulSet** of `replicas` pods. Each pod has an emptyDir for hot-tier
+  data (`./data/duckdb/`, `./data/tantivy/`); BoilStream uploads to S3
+  continuously, so pod loss is recoverable.
+- **Headless Service** gives every pod a stable per-pod DNS name
+  `boilstream-N.boilstream-headless.<ns>.svc.cluster.local`. Used as
+  `cluster_mode.advertised_host`.
+- **Per-pod ClusterIP Services** are the backends for SNI-routed TLSRoutes.
+- **Envoy Gateway** (when enabled) exposes one TLS-passthrough listener per
+  protocol; SNI hostname `boilstream-N.<domain>` routes to the matching pod.
+- **cert-manager** issues `*.<domain>` (public) and the cluster-mTLS cert.
+- **S3** is the source of truth for cluster coordination
+  (`<prefix>cluster_state/leader.json`, `<prefix>cluster_state/brokers/*.json`)
+  and per-user catalog backups.
+
+## Verify
+
+After install:
+
+```bash
+kubectl -n <ns> rollout status statefulset/boilstream
+kubectl -n <ns> get pods,gateway,certificate,secret
+```
+
+Production-readiness suite (from `tests/k8s/`):
+
+```bash
+cd tests/k8s
+pip install -r requirements.txt
+pytest -v -k "not destructive"
+```
+
+## Upgrade
+
+```bash
+helm upgrade boilstream ./charts/boilstream -f my-values.yaml
+```
+
+The StatefulSet selector is intentionally narrow (`app: boilstream`) to keep
+upgrade-compatible across chart-version bumps. Standard `app.kubernetes.io/*`
+labels are added on top for tooling.