chore (move): charts from private to public (#26)

* feat: add extension-manager-operator and crds charts with initial templates and values
* major refactoring of all charts
---------

Signed-off-by: Angel Kafazov <akafazov@cst-bg.net>
Co-authored-by: Tobias Oetzel <tobias.oetzel@sap.com>
Co-authored-by: tobias-oetzel <tobias.oetzel@gmail.com>
Co-authored-by: Bastian Echterhölter <bastian.echterhoelter@sap.com>

.github/workflows/common.yaml

@@ -16,6 +16,7 @@ jobs:
       chartName: common
       additionalTestFilesCommand: ''
       chartRepos: 'bitnami=https://charts.bitnami.com/bitnami,openfga=https://openfga.github.io/helm-charts'
+      skipVulnerabilityScan: true
     secrets: inherit
 
   updateVersionFile:

.github/workflows/extension-manager-operator-crds.yaml

@@ -0,0 +1,28 @@
+name: Build extension-manager-operator-crds Workflow
+on:
+  push:
+    paths:
+      - 'charts/extension-manager-operator-crds/**'
+      - '.github/workflows/extension-manager-operator-crds.yaml'
+
+jobs:
+  pipeline:
+    concurrency:
+      group: extension-manager-operator-crds-${{ github.ref }}
+      cancel-in-progress: true
+    uses: openmfp/gha/.github/workflows/pipeline-chart.yml@main
+    with:
+      chartFolder: charts
+      chartName: extension-manager-operator-crds
+      additionalTestFilesCommand: ''
+      chartRepos: 'bitnami=https://charts.bitnami.com/bitnami,openfga=https://openfga.github.io/helm-charts'
+    secrets: inherit
+
+  updateVersionFile:
+    if: ${{ github.ref == 'refs/heads/main' }}
+    needs: [pipeline]
+    uses: openmfp/gha/.github/workflows/job-update-version-file.yml@main
+    secrets: inherit
+    with:
+      componentVersionKey: "extension-manager-operator-crds"
+      version: ${{ needs.pipeline.outputs.version }}

.github/workflows/extension-manager-operator.yaml

@@ -0,0 +1,28 @@
+name: Build extension-manager-operator Workflow
+on:
+  push:
+    paths:
+      - 'charts/extension-manager-operator/**'
+      - '.github/workflows/extension-manager-operator.yaml'
+
+jobs:
+  pipeline:
+    concurrency:
+      group: extension-manager-operator-${{ github.ref }}
+      cancel-in-progress: true
+    uses: openmfp/gha/.github/workflows/pipeline-chart.yml@main
+    with:
+      chartFolder: charts
+      chartName: extension-manager-operator
+      additionalTestFilesCommand: ''
+      chartRepos: 'bitnami=https://charts.bitnami.com/bitnami,openfga=https://openfga.github.io/helm-charts'
+    secrets: inherit
+
+  updateVersionFile:
+    if: ${{ github.ref == 'refs/heads/main' }}
+    needs: [pipeline]
+    uses: openmfp/gha/.github/workflows/job-update-version-file.yml@main
+    secrets: inherit
+    with:
+      componentVersionKey: "extension-manager-operator"
+      version: ${{ needs.pipeline.outputs.version }}

.gitignore

@@ -1,2 +1,3 @@
 .idea
 .vscode/settings.json
+bin/

.helmdocsignore

@@ -0,0 +1 @@
+charts/common/test-chart

README.md

@@ -0,0 +1,18 @@
+# helm-charts
+
+This repository contains public helm charts for the OpenMFP project.
+
+## Taskfile
+It uses Taskfile and task command to local dev tooling. The following tasks are available: `lint, helmtest, test, update, validate, vulnerability, helm-docs`.
+
+## Updating charts
+If a chart is changed, it could be dependency of other chart or its dependencies must be updated. To do it, run `task update`.
+
+## Helm-docs
+Using https://github.com/norwoodj/helm-docs to generate charts documentation. Documentation can be updated by running `task helm-docs` command.
+
+## Github Actions
+Each chart is automatically tested, packaged and published to github repository. Workflows are located in the [.github/workflows](.github/workflows) folder.
+
+## OWASP vulnerability scanning
+Kube-linter and kube-score can be run locally with `task vulnerability`. PR changes are also scanned on github and found vulnerability are visible under the Security project section on Github.

Taskfile.yaml

@@ -3,27 +3,56 @@ version: '3'
 vars:
   LOCAL_BIN: bin
   CHARTS:
-    sh: "ls charts/ | sed 's/^/charts\\//g' | paste -sd ',' -"
+    sh: "printf '%s,%s' $(ls -d charts/*/ | paste -sd ',' -) 'charts/common/test-chart'"
+  CHANGED_CHARTS:
+    sh: "git status --porcelain | grep '^ M charts/' | cut -d'/' -f2 | sort -u | sed 's|^|charts/|' | paste -sd ',' -"
 tasks:
+  ## Setup
+  setup:kube-lint:
+    internal: true
+    cmds:
+      - mkdir -p $(pwd)/{{.LOCAL_BIN}}
+      - test -s {{.LOCAL_BIN}}/kube-linter || GOBIN=$(pwd)/{{.LOCAL_BIN}} go install golang.stackrox.io/kube-linter/cmd/kube-linter@latest
+      - chmod +x $(pwd)/{{.LOCAL_BIN}}/kube-linter
+  setup:helm-docs:
+    internal: true
+    cmds:
+      - test -s {{.LOCAL_BIN}}/helm-docs || GOBIN=$(pwd)/{{.LOCAL_BIN}} go install github.com/norwoodj/helm-docs/cmd/helm-docs@latest
   ## Development
   lint:
     deps: []
     cmds:
       - "ct lint --target-branch main --validate-maintainers=false --charts={{.CHARTS}}"
-  package:
-    cmds:
-      - helm package ./charts/openmfp
   helmtest:
     cmds:
       - "for chart in $(echo {{.CHARTS}} | tr ',' ' '); do helm unittest $chart; done"
   test:
     deps:
+      - task: update
       - task: helmtest
+  update-changed:
+    deps:
+      - task: helm-docs
+    cmds:
+      - "for chart in $(echo {{.CHANGED_CHARTS}} | tr ',' ' '); do helm dependency update $chart; done"
   update:
+    deps:
+      - task: helm-docs
     cmds:
       - "for chart in $(echo {{.CHARTS}} | tr ',' ' '); do helm dependency update $chart; done"
   validate:
     cmds:
       - task: lint
-      - task: package
-      - task: test
+      # - task: package
+      - task: test
+      - task: vulnerability
+  vulnerability:
+    deps:
+      - task: setup:kube-lint
+    cmds:
+      - "{{.LOCAL_BIN}}/kube-linter lint \"charts/\" --format \"plain\""
+  helm-docs:
+    deps:
+      - task: setup:helm-docs
+    cmds:
+      - "{{.LOCAL_BIN}}/helm-docs --chart-search-root charts/ --template-files=README.md.gotmpl"

charts/_templates.gotmpl

@@ -0,0 +1,18 @@
+{{ template "chart.header" . }}
+{{ template "chart.description" . }}
+
+{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
+
+## Configuration
+
+The chart supports the following configuration parameters in the table below. Additionally, default configuration parameters documented in [common/README.md](../common/README.md) are not explicitely listed in the table but are also supported. 
+
+{{ template "chart.valuesHeader" . }}
+
+Default configuration parameters, which can be overriden either globally or on a chart level are documented in [common/README.md](../common/README.md).
+
+{{ template "chart.valuesTable" . }}
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "helm-docs.versionFooter" . }}

charts/account-operator-crds/Chart.yaml

@@ -4,6 +4,6 @@ description: A Helm chart for Kubernetes
 
 type: application
 
-version: 0.1.5
+version: 0.1.6
 
 appVersion: "1.16.0"

charts/account-operator-crds/README.md

@@ -0,0 +1,12 @@
+# account-operator-crds
+
+![Version: 0.1.6](https://img.shields.io/badge/Version-0.1.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square)
+
+A Helm chart for Kubernetes
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| kcp.enabled | bool | `false` | Enable KCP |
+

charts/account-operator-crds/values.yaml

@@ -1,2 +1,3 @@
 kcp:
+  # -- Enable KCP
   enabled: false

charts/account-operator/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
 - name: account-operator-crds
   repository: file://../account-operator-crds
-  version: 0.1.5
+  version: 0.1.6
 - name: common
   repository: file://../common
-  version: 0.1.4
-digest: sha256:9d2466bb6f196f2355a55ff621f6017cee086f9600280b009e55249ab6a6335f
-generated: "2024-11-21T17:36:43.666194+01:00"
+  version: 0.1.5
+digest: sha256:5dcb2935c71c2e917170ef3b54c5ea586ab30269a5ec960353bfcbb362c073e1
+generated: "2024-11-27T20:12:23.434477831+02:00"

charts/account-operator/Chart.yaml

@@ -2,13 +2,13 @@ apiVersion: v2
 name: account-operator
 description: A Helm chart for Kubernetes
 type: application
-version: 0.4.20
+version: 0.4.21
 appVersion: "0.108.0"
 dependencies:
   - name: account-operator-crds
-    version: 0.1.5
+    version: 0.1.6
     condition: crds.enabled
     repository: file://../account-operator-crds
   - name: common
-    version: 0.1.4
+    version: 0.1.5
     repository: file://../common

charts/account-operator/README.md

@@ -0,0 +1,40 @@
+# account-operator
+
+![Version: 0.4.21](https://img.shields.io/badge/Version-0.4.21-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.108.0](https://img.shields.io/badge/AppVersion-0.108.0-informational?style=flat-square)
+
+A Helm chart for Kubernetes
+
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| file://../account-operator-crds | account-operator-crds | 0.1.6 |
+| file://../common | common | 0.1.5 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| crds.enabled | bool | `true` | Enable CRDs |
+| deployment.specTemplate.annotations | object | `{}` | The annotations for the deployment |
+| deployment.specTemplate.labels | object | `{}` | The labels for the deployment |
+| image.name | string | `"ghcr.io/openmfp/account-operator"` | The image repository |
+| image.tag | string | `"latest"` | The image tag |
+| kcp | object | `{"enabled":false,"virtualWorkspaceUrl":""}` | The KCP configuration |
+| kcp.enabled | bool | `false` | Enable KCP |
+| kcp.virtualWorkspaceUrl | string | `""` | The URL for the virtual workspace |
+| kubeconfigSecret | string | `""` | The secret for kubeconfig |
+| logLevel | string | `"warn"` | The log level |
+| security.mountServiceAccountToken | bool | `false` | Mount the service account token |
+| subroutines.extension.enabled | bool | `true` | Enable extension subroutines |
+| subroutines.extensionReady.enabled | bool | `true` | Enable extension ready subroutines |
+| subroutines.fga.creatorRelation | string | `"owner"` | The creator relation for FGA |
+| subroutines.fga.enabled | bool | `true` | Enable FGA subroutines |
+| subroutines.fga.grpcAddr | string | `""` | The gRPC address for FGA |
+| subroutines.fga.objectType | string | `"account"` | The object type for FGA |
+| subroutines.fga.parentRelation | string | `"parent"` | The parent relation for FGA |
+| subroutines.fga.rootNamespace | string | `"openmfp-root"` | The root namespace for FGA |
+| subroutines.namespace.enabled | bool | `true` | Enable namespace subroutines |
+| webhooks.certDir | string | `"/certs"` | The directory for webhook certificates |
+| webhooks.enabled | bool | `false` | Enable webhooks |
+

charts/account-operator/templates/deployment.yaml

@@ -2,13 +2,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "common.entity.name" . }}
-  namespace: {{ .Release.Namespace }}
   {{- if .Values.webhooks.enabled }}
   annotations:
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "common.entity.name" . }}-serving-cert
   {{- end }}
 spec:
-  revisionHistoryLimit: {{ .Values.deployment.revisionHistoryLimit }}
+  revisionHistoryLimit: {{ include "common.getKeyValue" (dict "Values" .Values "key" "deployment.revisionHistoryLimit") }}
   selector:
     matchLabels:
       service: {{ include "common.entity.name" . }}
@@ -34,42 +33,19 @@ spec:
           - operator
           - --leader-elect
           - --log-level={{ .Values.logLevel }}
-          - "--health-probe-bind-address=:{{ .Values.health.port }}"
+          - '--health-probe-bind-address=:{{ include "common.getKeyValue" (dict "Values" .Values "key" "health.port") }}'
           image: {{ .Values.image.name }}:{{ .Chart.AppVersion }}
           name: manager
-          securityContext:
-            runAsNonRoot: true
+          {{ include "common.container.securityContext" . | nindent 10 }}
           ports:
-          - containerPort: {{ .Values.metrics.port }}
-            name: metrics
-            protocol: TCP
-          - name: health-port
-            containerPort: {{ .Values.health.port }}
-            protocol: TCP
+          {{ include "common.PortsMetricsHealth" . | nindent 10 }}
           {{- if .Values.webhooks.enabled }}
           - name: webhook-port
             containerPort: 9443
             protocol: TCP
           {{- end }}
-          livenessProbe:
-            httpGet:
-              path: /healthz
-              port: {{ .Values.health.port}}
-            initialDelaySeconds: 15
-            periodSeconds: 20
-          readinessProbe:
-            httpGet:
-              path: /readyz
-              port: {{ .Values.health.port}}
-            initialDelaySeconds: 5
-            periodSeconds: 10
-          resources:
-            limits:
-              cpu: {{ .Values.deployment.resources.limits.cpu }}
-              memory: {{ .Values.deployment.resources.limits.memory }}
-            requests:
-              cpu: {{ .Values.deployment.resources.requests.cpu }}
-              memory: {{ .Values.deployment.resources.requests.memory }}
+          {{ include "common.operatorHealthAndReadyness" . | nindent 10 }}
+          {{ include "common.resources" . | nindent 10 }}
           env:
           - name: SUBROUTINES_NAMESPACE_ENABLED
             value: "{{ .Values.subroutines.namespace.enabled }}"

charts/account-operator/templates/service-account.yaml

@@ -2,5 +2,4 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "common.entity.name" . }}
-  namespace: {{ .Release.Namespace }}
 {{- include "common.imagePullSecret" . }}

charts/account-operator/templates/webhook/pki.yaml

@@ -3,15 +3,13 @@ apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
   name: {{ include "common.entity.name" . }}-selfsigned-issuer
-  namespace: {{ .Release.namespace }}
 spec:
   selfSigned: {}
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: {{ include "common.entity.name" . }}-serving-cert
-  namespace: {{ .Release.namespace }}
 spec:
   dnsNames:
   - {{ include "common.entity.name" . }}-webhook.{{ .Release.Namespace }}.svc

charts/account-operator/templates/webhook/service.yaml

@@ -3,7 +3,6 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "common.entity.name" . }}-webhook
-  namespace: {{ .Release.Namespace }}
 spec:
   ports:
     - port: 443