From 1483020486ddd4f1002f4410a32fafd8fdd3c037 Mon Sep 17 00:00:00 2001 From: Joonas Bergius Date: Thu, 7 Nov 2024 09:28:08 -0600 Subject: [PATCH] chore: workflow for publishing secrets-vault chart Signed-off-by: Joonas Bergius --- .github/workflows/secrets-vault-chart.yml | 116 ++++++++++++++++++ .../.helmignore | 3 + .../Chart.yaml | 2 +- .../charts/secrets-vault/ci/ct.yaml | 2 + .../charts/secrets-vault/ci/nats.yaml | 8 ++ .../templates/NOTES.txt | 0 .../templates/_helpers.tpl | 20 +-- .../templates/deployment.yaml | 10 +- .../templates/service.yaml | 6 +- .../templates/serviceaccount.yaml | 4 +- .../values.yaml | 0 11 files changed, 150 insertions(+), 21 deletions(-) create mode 100644 .github/workflows/secrets-vault-chart.yml rename secrets/secrets-vault/charts/{wasmcloud-secrets-vault => secrets-vault}/.helmignore (90%) rename secrets/secrets-vault/charts/{wasmcloud-secrets-vault => secrets-vault}/Chart.yaml (97%) create mode 100644 secrets/secrets-vault/charts/secrets-vault/ci/ct.yaml create mode 100644 secrets/secrets-vault/charts/secrets-vault/ci/nats.yaml rename secrets/secrets-vault/charts/{wasmcloud-secrets-vault => secrets-vault}/templates/NOTES.txt (100%) rename secrets/secrets-vault/charts/{wasmcloud-secrets-vault => secrets-vault}/templates/_helpers.tpl (69%) rename secrets/secrets-vault/charts/{wasmcloud-secrets-vault => secrets-vault}/templates/deployment.yaml (87%) rename secrets/secrets-vault/charts/{wasmcloud-secrets-vault => secrets-vault}/templates/service.yaml (53%) rename secrets/secrets-vault/charts/{wasmcloud-secrets-vault => secrets-vault}/templates/serviceaccount.yaml (67%) rename secrets/secrets-vault/charts/{wasmcloud-secrets-vault => secrets-vault}/values.yaml (100%) diff --git a/.github/workflows/secrets-vault-chart.yml b/.github/workflows/secrets-vault-chart.yml new file mode 100644 index 0000000..9cf5377 --- /dev/null +++ b/.github/workflows/secrets-vault-chart.yml @@ -0,0 +1,116 @@ +name: secrets-vault-chart + +env: + HELM_VERSION: v3.14.0 + CHART_DIRS: secrets/secrets-vault/charts + +on: + push: + tags: + - 'secrets-vault-chart-v[0-9].[0-9]+.[0-9]+' + pull_request: + paths: + - 'secrets/secrets-vault/charts/**' + - '.github/workflows/secrets-vault-chart.yml' + +jobs: + validate: + runs-on: ubuntu-22.04 + + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Fetch main branch for chart-testing + run: | + git fetch origin main:main + + - name: Set up Helm + uses: azure/setup-helm@v4 + with: + version: ${{ env.HELM_VERSION }} + + # Used by helm chart-testing below + - name: Set up Python + uses: actions/setup-python@v5.3.0 + with: + python-version: '3.12.7' + + - name: Set up chart-testing + uses: helm/chart-testing-action@v2.6.1 + with: + version: v3.11.0 + yamllint_version: 1.35.1 + yamale_version: 5.0.0 + + - name: Install wash + uses: taiki-e/install-action@v2 + with: + tool: wash-cli@0.36.1 + + - name: Run chart-testing (lint) + run: | + ct lint --config ${{ env.CHART_DIRS }}/secrets-vault/ct.yaml --chart-dirs ${{ env.CHART_DIRS }} + + - name: Create kind cluster + uses: helm/kind-action@v1.10.0 + with: + version: "v0.22.0" + + - name: Install nats in the test cluster + run: | + helm repo add nats https://nats-io.github.io/k8s/helm/charts/ + helm repo update + helm install nats nats/nats -f ${{ env.CHART_DIRS }}/secrets-vault/ci/nats.yaml + + - name: Generate nkey seed + run: | + export "NKEY_SEED=$(wash key gen account -o json | jq -Mr .seed | tr -d '\n')" >> ${GITHUB_ENV} + + - name: Generate xkey seed + run: | + export "XKEY_SEED=$(wash key gen curve -o json | jq -Mr .seed | tr -d '\n')" >> ${GITHUB_ENV} + + - name: Run chart-testing install / same namespace + run: | + ct install --config ${{ env.CHART_DIRS }}/secrets-vault/ci/ct.yaml --helm-extra-set-args "--set=config.nats.address=nats-headless.default:4222 --set=config.jwks_address=127.0.0.1:3000 --set=config.nkey_seed=${{ env.NKEY_SEED }} --set=config.xkey_seed=${{ env.XKEY_SEED }} --set=config.vault.address=localhost:8222 --set=config.vault.auth_method_path=jwt --set=config.vault.defaultSecretEnginePath=secret" + + publish: + if: ${{ startsWith(github.ref, 'refs/tags/secrets-vault-chart-v') }} + runs-on: ubuntu-22.04 + needs: validate + permissions: + packages: write + + steps: + - uses: actions/checkout@v4 + + - name: Set up Helm + uses: azure/setup-helm@v4 + with: + version: ${{ env.HELM_VERSION }} + + - name: Package + run: | + helm package ${{ env.CHART_DIRS }}/secrets-vault -d .helm-charts + + - name: Login to GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Lowercase the organization name for ghcr.io + run: | + echo "GHCR_REPO_NAMESPACE=${GITHUB_REPOSITORY_OWNER,,}" >>${GITHUB_ENV} + + - name: Publish + run: | + for chart in .helm-charts/*; do + if [ -z "${chart:-}" ]; then + break + fi + helm push "${chart}" "oci://ghcr.io/${{ env.GHCR_REPO_NAMESPACE }}/charts" + done \ No newline at end of file diff --git a/secrets/secrets-vault/charts/wasmcloud-secrets-vault/.helmignore b/secrets/secrets-vault/charts/secrets-vault/.helmignore similarity index 90% rename from secrets/secrets-vault/charts/wasmcloud-secrets-vault/.helmignore rename to secrets/secrets-vault/charts/secrets-vault/.helmignore index 0e8a0eb..fd5add4 100644 --- a/secrets/secrets-vault/charts/wasmcloud-secrets-vault/.helmignore +++ b/secrets/secrets-vault/charts/secrets-vault/.helmignore @@ -21,3 +21,6 @@ .idea/ *.tmproj .vscode/ +# CI artifacts +ci/ct.yaml +ci/nats.yaml \ No newline at end of file diff --git a/secrets/secrets-vault/charts/wasmcloud-secrets-vault/Chart.yaml b/secrets/secrets-vault/charts/secrets-vault/Chart.yaml similarity index 97% rename from secrets/secrets-vault/charts/wasmcloud-secrets-vault/Chart.yaml rename to secrets/secrets-vault/charts/secrets-vault/Chart.yaml index 14920e3..d8f3ee0 100644 --- a/secrets/secrets-vault/charts/wasmcloud-secrets-vault/Chart.yaml +++ b/secrets/secrets-vault/charts/secrets-vault/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -name: wasmcloud-secrets-vault +name: secrets-vault description: A Helm chart for deploying wasmCloud secrets implementation for Vault KV version 2 # A chart can be either an 'application' or a 'library' chart. diff --git a/secrets/secrets-vault/charts/secrets-vault/ci/ct.yaml b/secrets/secrets-vault/charts/secrets-vault/ci/ct.yaml new file mode 100644 index 0000000..4bd9c44 --- /dev/null +++ b/secrets/secrets-vault/charts/secrets-vault/ci/ct.yaml @@ -0,0 +1,2 @@ +validate-maintainers: false +helm-extra-args: --timeout 60s \ No newline at end of file diff --git a/secrets/secrets-vault/charts/secrets-vault/ci/nats.yaml b/secrets/secrets-vault/charts/secrets-vault/ci/nats.yaml new file mode 100644 index 0000000..d4ceb7a --- /dev/null +++ b/secrets/secrets-vault/charts/secrets-vault/ci/nats.yaml @@ -0,0 +1,8 @@ +config: + jetstream: + enabled: true + fileStore: + pvc: + enabled: false + merge: + domain: default diff --git a/secrets/secrets-vault/charts/wasmcloud-secrets-vault/templates/NOTES.txt b/secrets/secrets-vault/charts/secrets-vault/templates/NOTES.txt similarity index 100% rename from secrets/secrets-vault/charts/wasmcloud-secrets-vault/templates/NOTES.txt rename to secrets/secrets-vault/charts/secrets-vault/templates/NOTES.txt diff --git a/secrets/secrets-vault/charts/wasmcloud-secrets-vault/templates/_helpers.tpl b/secrets/secrets-vault/charts/secrets-vault/templates/_helpers.tpl similarity index 69% rename from secrets/secrets-vault/charts/wasmcloud-secrets-vault/templates/_helpers.tpl rename to secrets/secrets-vault/charts/secrets-vault/templates/_helpers.tpl index 607847e..22dd742 100644 --- a/secrets/secrets-vault/charts/wasmcloud-secrets-vault/templates/_helpers.tpl +++ b/secrets/secrets-vault/charts/secrets-vault/templates/_helpers.tpl @@ -1,7 +1,7 @@ {{/* Expand the name of the chart. */}} -{{- define "wasmcloud-secrets-vault.name" -}} +{{- define "secrets-vault.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} {{- end }} @@ -10,7 +10,7 @@ Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). If release name contains chart name it will be used as a full name. */}} -{{- define "wasmcloud-secrets-vault.fullname" -}} +{{- define "secrets-vault.fullname" -}} {{- if .Values.fullnameOverride }} {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} {{- else }} @@ -26,16 +26,16 @@ If release name contains chart name it will be used as a full name. {{/* Create chart name and version as used by the chart label. */}} -{{- define "wasmcloud-secrets-vault.chart" -}} +{{- define "secrets-vault.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} {{- end }} {{/* Common labels */}} -{{- define "wasmcloud-secrets-vault.labels" -}} -helm.sh/chart: {{ include "wasmcloud-secrets-vault.chart" . }} -{{ include "wasmcloud-secrets-vault.selectorLabels" . }} +{{- define "secrets-vault.labels" -}} +helm.sh/chart: {{ include "secrets-vault.chart" . }} +{{ include "secrets-vault.selectorLabels" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} @@ -45,17 +45,17 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} {{/* Selector labels */}} -{{- define "wasmcloud-secrets-vault.selectorLabels" -}} -app.kubernetes.io/name: {{ include "wasmcloud-secrets-vault.name" . }} +{{- define "secrets-vault.selectorLabels" -}} +app.kubernetes.io/name: {{ include "secrets-vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} {{/* Create the name of the service account to use */}} -{{- define "wasmcloud-secrets-vault.serviceAccountName" -}} +{{- define "secrets-vault.serviceAccountName" -}} {{- if .Values.serviceAccount.create }} -{{- default (include "wasmcloud-secrets-vault.fullname" .) .Values.serviceAccount.name }} +{{- default (include "secrets-vault.fullname" .) .Values.serviceAccount.name }} {{- else }} {{- default "default" .Values.serviceAccount.name }} {{- end }} diff --git a/secrets/secrets-vault/charts/wasmcloud-secrets-vault/templates/deployment.yaml b/secrets/secrets-vault/charts/secrets-vault/templates/deployment.yaml similarity index 87% rename from secrets/secrets-vault/charts/wasmcloud-secrets-vault/templates/deployment.yaml rename to secrets/secrets-vault/charts/secrets-vault/templates/deployment.yaml index 4c42780..9b97ec5 100644 --- a/secrets/secrets-vault/charts/wasmcloud-secrets-vault/templates/deployment.yaml +++ b/secrets/secrets-vault/charts/secrets-vault/templates/deployment.yaml @@ -1,14 +1,14 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ include "wasmcloud-secrets-vault.fullname" . }} + name: {{ include "secrets-vault.fullname" . }} labels: - {{- include "wasmcloud-secrets-vault.labels" . | nindent 4 }} + {{- include "secrets-vault.labels" . | nindent 4 }} spec: replicas: {{ .Values.replicas }} selector: matchLabels: - {{- include "wasmcloud-secrets-vault.selectorLabels" . | nindent 6 }} + {{- include "secrets-vault.selectorLabels" . | nindent 6 }} template: metadata: {{- with .Values.podAnnotations }} @@ -16,7 +16,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} labels: - {{- include "wasmcloud-secrets-vault.labels" . | nindent 8 }} + {{- include "secrets-vault.labels" . | nindent 8 }} {{- with .Values.podLabels }} {{- toYaml . | nindent 8 }} {{- end }} @@ -25,7 +25,7 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - serviceAccountName: {{ include "wasmcloud-secrets-vault.serviceAccountName" . }} + serviceAccountName: {{ include "secrets-vault.serviceAccountName" . }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: diff --git a/secrets/secrets-vault/charts/wasmcloud-secrets-vault/templates/service.yaml b/secrets/secrets-vault/charts/secrets-vault/templates/service.yaml similarity index 53% rename from secrets/secrets-vault/charts/wasmcloud-secrets-vault/templates/service.yaml rename to secrets/secrets-vault/charts/secrets-vault/templates/service.yaml index 0218c02..dc6616e 100644 --- a/secrets/secrets-vault/charts/wasmcloud-secrets-vault/templates/service.yaml +++ b/secrets/secrets-vault/charts/secrets-vault/templates/service.yaml @@ -1,9 +1,9 @@ apiVersion: v1 kind: Service metadata: - name: {{ include "wasmcloud-secrets-vault.fullname" . }} + name: {{ include "secrets-vault.fullname" . }} labels: - {{- include "wasmcloud-secrets-vault.labels" . | nindent 4 }} + {{- include "secrets-vault.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} ports: @@ -12,4 +12,4 @@ spec: protocol: TCP name: jwks-endpoint selector: - {{- include "wasmcloud-secrets-vault.selectorLabels" . | nindent 4 }} + {{- include "secrets-vault.selectorLabels" . | nindent 4 }} diff --git a/secrets/secrets-vault/charts/wasmcloud-secrets-vault/templates/serviceaccount.yaml b/secrets/secrets-vault/charts/secrets-vault/templates/serviceaccount.yaml similarity index 67% rename from secrets/secrets-vault/charts/wasmcloud-secrets-vault/templates/serviceaccount.yaml rename to secrets/secrets-vault/charts/secrets-vault/templates/serviceaccount.yaml index 023d242..df77d7a 100644 --- a/secrets/secrets-vault/charts/wasmcloud-secrets-vault/templates/serviceaccount.yaml +++ b/secrets/secrets-vault/charts/secrets-vault/templates/serviceaccount.yaml @@ -2,9 +2,9 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ include "wasmcloud-secrets-vault.serviceAccountName" . }} + name: {{ include "secrets-vault.serviceAccountName" . }} labels: - {{- include "wasmcloud-secrets-vault.labels" . | nindent 4 }} + {{- include "secrets-vault.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} annotations: {{- toYaml . | nindent 4 }} diff --git a/secrets/secrets-vault/charts/wasmcloud-secrets-vault/values.yaml b/secrets/secrets-vault/charts/secrets-vault/values.yaml similarity index 100% rename from secrets/secrets-vault/charts/wasmcloud-secrets-vault/values.yaml rename to secrets/secrets-vault/charts/secrets-vault/values.yaml