Initial commit

.github/workflows/index.yaml

@@ -0,0 +1,62 @@
+name: Update Helm repository
+run-name: ${{ github.actor }} is updating the Helm repository
+
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+ paths:
+ - charts/**
+
+jobs:
+ package:
+ runs-on: ubuntu-latest
+
+ steps:
+
+ - name: 'Git Checkout'
+ uses: actions/checkout@v3
+
+
+ - name: 'Configure & Install Helm'
+ uses: azure/setup-helm@v3
+
+ - name: 'Package & Update Helm Repository'
+ run: |
+ helm package charts/* -d repo/
+ helm repo index repo/
+ git config --global user.name "${GITHUB_ACTOR}"
+ git config --global user.email "${GITHUB_ACTOR}@users.noreply.github.com"
+ git add repo
+ git commit -m 'Update Helm repository chart index'
+ git push
+
+ release:
+ runs-on: ubuntu-latest
+ needs: package
+
+ steps:
+
+ - name: 'Git Checkout'
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: 'Configure & Install Helm'
+ uses: azure/setup-helm@v3
+
+ - name: 'Authorize Helm with remote container registry''
+ run: |
+ echo "TODO"
+
+ - name: 'Push modified Helm packages to the container registry'
+ env:
+ HELM_EXPERIMENTAL_OCI: '1'
+ run: |
+ git pull origin main # Pull latest changes from main.
+ git diff --name-only -r HEAD^1 HEAD | grep .tgz | while read line || [[ -n $line ]];
+ do
+ echo " > Pushing chart $line"
+ helm push $line oci://nexus.global.dns:8443/charts/charts
+ done

.github/workflows/push.yaml

@@ -0,0 +1,59 @@
+name: Release Helm Chart
+
+on:
+ workflow_dispatch:
+ inputs:
+ release_all:
+ type: boolean
+ description: "Republish all charts?"
+ default: false
+ push:
+ branches:
+ - main
+ paths:
+ - repo/**
+
+jobs:
+ release:
+ runs-on:
+ group: k8s-runners
+ steps:
+ # 1. Checkout the current Git repository.
+ - name: 'Git Checkout'
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ # 2. Configure Helm
+ - name: 'Configure & Install Helm'
+ uses: azure/setup-helm@v3
+
+ # 3. Authorize Helm with Nexus
+ - name: 'Authorize Helm with Nexus'
+ run: |
+ echo ${{ secrets.NEXUS_PASSWORD}} | helm registry login -u ${{ secrets.NEXUS_USERNAME }} --password-stdin \
+ nexus.global.dns:8443/adcs/charts
+ 
+ # 4. Push changed Helm packages to Nexus.
+ - name: 'Push modified Helm packages to Nexus'
+ if: "${{ github.event.inputs.release_all == 'false' }}"
+ env:
+ HELM_EXPERIMENTAL_OCI: '1'
+ run: |
+ git diff --name-only -r HEAD^1 HEAD | grep .tgz | while read line || [[ -n $line ]];
+ do
+ echo " > Pushing chart $line"
+ helm push $line oci://nexus.global.dns:8443/adcs/charts
+ done
+ 
+ # 5. Check if all Helm charts have to be pushed to Nexus.
+ - name: 'Push all Helm charts to Nexus'
+ if: "${{ github.event.inputs.release_all != 'false' }}"
+ env:
+ HELM_EXPERIMENTAL_OCI: '1'
+ run: |
+ ls repo | grep .tgz | while read line || [[ -n $line ]];
+ do
+ echo " > Pushing chart $line"
+ helm push repo/$line oci://nexus.global.dns:8443/adcs/charts
+ done

CHANGELOG.md

@@ -0,0 +1,8 @@
+# Changelog
+
+This is the `CHANGELOG` of your Helm repository. The current
+section can be used for additional templating and docs. The comment
+listed below is used as a marker to start the Changelog generation
+using `towncrier`.
+
+<!-- towncrier release notes start -->

CODEOWNERS

@@ -0,0 +1 @@
+@peinser

README.md

@@ -1,2 +1,15 @@
-# template-helm
-A Helm registry template.
+# Helm Repository
+
+A template repository for managing Helm charts specific to a single project.
+
+--------------------------------------------------------------------------------
+
+> [!WARNING]
+> Work in progress.
+
+## Changelogs
+
+
+## Conventions
+
+- We use the Helm `.Release.Name` as an identifier for the environment. That is, your deployment's name will be `{{ .Release.Name }}-sample`.

SECURITY.md

@@ -0,0 +1,3 @@
+# Security policy
+
+Our general security policy and coordinated disclosure plan: <https://peinser.com/policy/security>

charts/sample/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/sample/Chart.yaml

@@ -0,0 +1,14 @@
+apiVersion: v2
+name: sample
+description: A sample Helm chart.
+type: application
+
+# Chart version
+version: 1.0.0
+
+# Application version
+appVersion: 1.0.0
+
+maintainers:
+- email: joeri@peinser.com
+ name: Joeri Hermans

charts/sample/templates/deployment.yaml

@@ -0,0 +1,59 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: {{ .Release.Name }}-sample
+ name: {{ .Release.Name }}-sample
+spec:
+ replicas: {{ .Values.replicas | default 1 }}
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}-sample
+ template:
+ metadata:
+ labels:
+ app: {{ .Release.Name }}-sample
+ spec:
+ automountServiceAccountToken: false
+
+ {{- with .Values.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+
+ containers:
+
+ - image: docker.io/{{ .Values.image.name | default "peinser/sample" }}:{{ .Values.image.tag | default "latest" }}
+ imagePullPolicy: Always
+ resources:
+ {{- if .Values.resources }}
+{{ toYaml .Values.resources | indent 12 }}
+ {{- else }}
+ limits: {}
+ {{- end }}
+ name: {{ .Release.Name }}-sample
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ runAsNonRoot: true
+ env:
+ - name: SOME_VARIABLE
+ value: {{ .Values.someVariable | default someValue | quote }}

charts/sample/values.yaml

@@ -0,0 +1,23 @@
+securityContext:
+ runAsUser: 1001
+ runAsGroup: 1001
+ fsGroup: 1001
+
+replicas: 1
+
+resources:
+ requests:
+ cpu: 64m
+ memory: 256Mi
+ limits:
+ memory: 1Gi
+
+image:
+ name: peinser/sample
+ tag: 1.0.0
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}

towncrier.toml

@@ -0,0 +1,40 @@
+# Changelog configuration
+#
+# For more information: https://towncrier.readthedocs.io/en/latest/configuration.html
+#
+
+[tool.towncrier]
+package = "sample" # Name of the project
+directory = ".changes" # Directory of the news fragments
+filename = "CHANGELOG.md" # File which holds the CHANGELOG or news files.
+
+
+# News types (order of appearance in CHANGELOG) ###############################x
+# Whenever a news fragement is generated, the full CHANGELOG will be generated
+# according to the ordering listed below.
+#
+
+[[tool.towncrier.type]]
+directory = "security"
+name = "Security"
+showcontent = true
+
+[[tool.towncrier.type]]
+directory = "feature"
+name = "Features"
+showcontent = true
+
+[[tool.towncrier.type]]
+directory = "fix"
+name = "Fixes"
+showcontent = true
+
+[[tool.towncrier.type]]
+directory = "bug"
+name = "Bugs"
+showcontent = true
+
+[[tool.towncrier.type]]
+directory = "chore"
+name = "Chores"
+showcontent = true