wire in production setup/deployments

Author: mjudeikis

v2/Makefile

@@ -16,6 +16,27 @@ build:
 konnector:
 	cd konnector && go build -o bin/konnector ./cmd/konnector
 
+# Container image. Build context is v2/ so the konnector's `replace ../sdk` resolves.
+IMAGE ?= ghcr.io/kube-bind/konnector:dev
+.PHONY: image
+image:
+	docker build -f konnector/Dockerfile -t $(IMAGE) .
+
+CHART ?= konnector/deploy/charts/konnector
+.PHONY: helm-lint
+helm-lint:
+	helm lint $(CHART)
+
+# Render the chart to stdout for review (extra flags via HELM_ARGS=...).
+.PHONY: helm-template
+helm-template:
+	helm template konnector $(CHART) -n kube-bind $(HELM_ARGS)
+
+# Refresh the chart's bundled CRDs from the generated sdk CRDs.
+.PHONY: helm-sync-crds
+helm-sync-crds: codegen
+	cp sdk/config/crd/core.kube-bind.io_*.yaml $(CHART)/files/crds/
+
 .PHONY: codegen
 codegen:
 	cd sdk && $(CONTROLLER_GEN) object paths=./apis/...

v2/README.md

@@ -84,15 +84,43 @@ v2/
 
 Known POC simplifications (tracked against the proposal): OpenAPI synthesis is
 best-effort (fidelity limits above); the `Mapper` seam exists but only `Identity`
-ships and `relatedResources` are not yet routed through it; and productionization
-(RBAC/HA/Helm) remains.
+ships and `relatedResources` are not yet routed through it.
 
 ## Build
 
 ```sh
 cd v2/konnector && go build ./...      # workspace mode (go.work)
 ```
 
+## Deploy
+
+The konnector runs in (or against) the **consumer** cluster — it is the only
+running component of the core (no backend, no provider-side controllers).
+
+```sh
+cd v2
+make image IMAGE=ghcr.io/kube-bind/konnector:dev          # build the image
+helm install konnector konnector/deploy/charts/konnector \
+  -n kube-bind --create-namespace \
+  --set image.repository=ghcr.io/kube-bind/konnector --set image.tag=dev
+```
+
+The chart ([konnector/deploy/charts/konnector](konnector/deploy/charts/konnector))
+ships the core CRDs (`installCRDs`, default on), a `ServiceAccount`, the consumer
+RBAC (`ClusterRole`/`ClusterRoleBinding` + a namespaced leader-election `Role`),
+and the `Deployment` with liveness/readiness probes. Notable values:
+
+- `replicaCount` / `leaderElect` — HA. Leader election gates all consumer-side
+  controllers, so standby replicas engage no providers until they win the lease.
+  It is forced on automatically when `replicaCount > 1`.
+- `rbac.boundResourceGroups` (default `["*"]`) — the API groups the konnector may
+  sync. The bound APIs are open-ended, so this defaults to all groups; narrow it
+  to the specific groups your providers export to shrink the blast radius.
+
+Provider credentials are governed by the kubeconfig in each `Connection`'s
+Secret, **not** the konnector's ServiceAccount — the RBAC above is consumer-side
+only.
+
 ## Codegen (after editing types)
 
 ```sh

v2/konnector/Dockerfile

@@ -0,0 +1,44 @@
+# Copyright 2026 The Kube Bind Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# v2 slim-core konnector image.
+#
+# Build context is the v2/ directory (the konnector module's `replace
+# github.com/kube-bind/kube-bind/v2/sdk => ../sdk` needs the sibling sdk module):
+#
+#   docker build -f konnector/Dockerfile -t kube-bind/konnector:dev .
+#
+# from inside v2/.
+FROM golang:1.26.2 AS builder
+WORKDIR /workspace
+
+ARG TARGETARCH
+ARG TARGETOS
+ARG LDFLAGS
+
+# Both modules are needed: konnector requires sdk via a local replace. Build
+# standalone (GOWORK=off) so the image does not depend on the go.work file.
+COPY sdk/ sdk/
+COPY konnector/ konnector/
+
+WORKDIR /workspace/konnector
+ENV GOWORK=off
+RUN go mod download
+RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
+    go build -ldflags="${LDFLAGS}" -o /bin/konnector ./cmd/konnector
+
+FROM gcr.io/distroless/static:nonroot
+COPY --from=builder /bin/konnector /bin/konnector
+USER 65532:65532
+ENTRYPOINT ["/bin/konnector"]

v2/konnector/cmd/konnector/main.go

@@ -30,6 +30,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	mcmanager "sigs.k8s.io/multicluster-runtime/pkg/manager"
@@ -49,21 +50,34 @@ func init() {
 	utilRuntimeMust(corev1alpha1.AddToScheme(scheme))
 }
 
+// options holds the konnector's runtime flags.
+type options struct {
+	metricsAddr      string
+	probeAddr        string
+	leaderElect      bool
+	leaderElectionID string
+}
+
 func main() {
-	var metricsAddr string
-	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8085", "address the metric endpoint binds to")
+	var o options
+	flag.StringVar(&o.metricsAddr, "metrics-bind-address", ":8085", "address the metric endpoint binds to")
+	flag.StringVar(&o.probeAddr, "health-probe-bind-address", ":8081", "address the health/readiness probe endpoint binds to")
+	flag.BoolVar(&o.leaderElect, "leader-elect", false,
+		"enable leader election, ensuring only one active konnector replica (required for HA / multiple replicas)")
+	flag.StringVar(&o.leaderElectionID, "leader-election-id", "konnector.kube-bind.io",
+		"name of the Lease used for leader election")
 	opts := zap.Options{Development: true}
 	opts.BindFlags(flag.CommandLine)
 	flag.Parse()
 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
 
-	if err := run(metricsAddr); err != nil {
+	if err := run(o); err != nil {
 		ctrl.Log.Error(err, "konnector exited with error")
 		os.Exit(1)
 	}
 }
 
-func run(metricsAddr string) error {
+func run(o options) error {
 	ctx := ctrl.SetupSignalHandler()
 	log := ctrl.Log.WithName("konnector")
 
@@ -73,13 +87,25 @@ func run(metricsAddr string) error {
 	}
 
 	// Local (consumer) manager: owns the core CRDs and the consumer-side caches.
+	// Leader election gates all consumer-side controllers, so standby replicas
+	// engage no provider clusters and run no syncers until they win the lease.
 	localMgr, err := ctrl.NewManager(cfg, ctrl.Options{
-		Scheme:  scheme,
-		Metrics: metricsserver.Options{BindAddress: metricsAddr},
+		Scheme:                        scheme,
+		Metrics:                       metricsserver.Options{BindAddress: o.metricsAddr},
+		HealthProbeBindAddress:        o.probeAddr,
+		LeaderElection:                o.leaderElect,
+		LeaderElectionID:              o.leaderElectionID,
+		LeaderElectionReleaseOnCancel: true,
 	})
 	if err != nil {
 		return err
 	}
+	if err := localMgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
+		return err
+	}
+	if err := localMgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
+		return err
+	}
 
 	// Connection provider: each ready Connection becomes an engaged provider cluster.
 	connProvider, err := provider.New(localMgr, provider.Options{})

v2/konnector/deploy/charts/konnector/.helmignore

@@ -0,0 +1,8 @@
+# Patterns to ignore when building Helm packages.
+.DS_Store
+.git/
+.gitignore
+*.tmpl
+*.gotmpl
+.idea/
+*.tgz

v2/konnector/deploy/charts/konnector/Chart.yaml

@@ -0,0 +1,16 @@
+apiVersion: v2
+name: konnector
+description: kube-bind v2 slim-core konnector — the consumer-side sync engine.
+type: application
+
+# version / appVersion are placeholders bumped by the release tooling.
+version: 0.0.0
+appVersion: "0.0.0"
+
+home: https://kube-bind.io
+sources:
+  - https://github.com/kube-bind/kube-bind
+keywords:
+  - kube-bind
+  - multicluster
+  - api-binding