Revert "Merge branch 'main' of https://github.com/openmfp/helm-charts"

.github/workflows/account-operator-crds.yaml

@@ -4,6 +4,10 @@ on:
     paths:
       - 'charts/account-operator-crds/**'
       - '.github/workflows/account-operator-crds.yaml'
+  pull_request:
+    paths:
+      - 'charts/account-operator-crds/**'
+      - '.github/workflows/account-operator-crds.yaml'
 
 jobs:
   pipeline:

.github/workflows/account-operator.yaml

@@ -4,6 +4,10 @@ on:
     paths:
       - 'charts/account-operator/**'
       - '.github/workflows/account-operator.yaml'
+  pull_request:
+    paths:
+      - 'charts/account-operator/**'
+      - '.github/workflows/account-operator.yaml'
 
 jobs:
   pipeline:

.github/workflows/common.yaml

@@ -4,6 +4,10 @@ on:
     paths:
       - 'charts/common/**'
       - '.github/workflows/common.yaml'
+  pull_request:
+    paths:
+      - 'charts/common/**'
+      - '.github/workflows/common.yaml'
 
 jobs:
   pipeline:

.github/workflows/example-content.yaml

@@ -4,6 +4,10 @@ on:
     paths:
       - 'charts/example-content/**'
       - 'example-content.yaml'
+  pull_request:
+    paths:
+      - 'charts/example-content/**'
+      - 'example-content.yaml'
 
 jobs:
   pipeline:

.github/workflows/extension-manager-operator-crds.yaml

@@ -4,6 +4,10 @@ on:
     paths:
       - 'charts/extension-manager-operator-crds/**'
       - '.github/workflows/extension-manager-operator-crds.yaml'
+  pull_request:
+    paths:
+      - 'charts/extension-manager-operator-crds/**'
+      - '.github/workflows/extension-manager-operator-crds.yaml'
 
 jobs:
   pipeline:

.github/workflows/extension-manager-operator.yaml

@@ -4,6 +4,10 @@ on:
     paths:
       - 'charts/extension-manager-operator/**'
       - '.github/workflows/extension-manager-operator.yaml'
+  pull_request:
+    paths:
+      - 'charts/extension-manager-operator/**'
+      - '.github/workflows/extension-manager-operator.yaml'
 
 jobs:
   pipeline:

.github/workflows/infra.yaml

@@ -4,6 +4,10 @@ on:
     paths:
       - 'charts/infra/**'
       - '.github/workflows/infra.yaml'
+  pull_request:
+    paths:
+      - 'charts/infra/**'
+      - '.github/workflows/infra.yaml'
 
 jobs:
   pipeline:

.github/workflows/keycloak.yaml

@@ -4,6 +4,10 @@ on:
     paths:
       - 'charts/keycloak/**'
       - '.github/workflows/keycloak.yaml'
+  pull_request:
+    paths:
+      - 'charts/keycloak/**'
+      - '.github/workflows/keycloak.yaml'
 
 jobs:
   pipeline:

.github/workflows/kind-localsetup.yaml

@@ -1,11 +1,11 @@
 name: Test local setup
 on:
   pull_request:
-    branches:
-      - '**'
+    paths:
+      - 'local-setup/**'
 
 concurrency:
-  group: localsetup-${{ github.ref }}
+  group: localsetup-${{ github.event.pull_request.number }}
   cancel-in-progress: false
 
 jobs:
@@ -56,15 +56,15 @@ jobs:
         echo "Describe all helmreleases which are not Ready yet"
         kubectl get helmreleases -A -o json | jq -r '.items[] | select(.status.conditions[]? | select(.type == "Ready" and .status != "True")) | "\(.metadata.namespace) \(.metadata.name)"' | while read namespace name; do kubectl describe helmrelease $name -n $namespace; done
         echo "Print imagePullSecret"
-        kubectl get secret ghcr-credentials -n openmfp-system -o yaml
+        kubectl get secret github -n openmfp-system -o yaml
         echo "Test docker login and pull"
         docker login ghcr.io -u ${{ github.repository_owner }} -p ${{ steps.generate-token.outputs.token }}
         docker pull ghcr.io/openmfp/portal:0.287.0
 
 
     # Step 4: Prepare the NodeJS/playwright environment
     - name: Cache node modules
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       with:
         path: ~/node_modules
         key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
@@ -73,7 +73,7 @@ jobs:
 
     # Step 5: Install NodeJS and dependencies
     - name: Node ${{ matrix.node-version }}
-      uses: actions/setup-node@v3
+      uses: actions/setup-node@v4
       with:
         node-version: ${{ matrix.node-version }}
         cache: 'npm'

.github/workflows/openmfp-crds.yaml

@@ -4,6 +4,10 @@ on:
     paths:
       - 'charts/openmfp-crds/**'
       - '.github/workflows/openmfp-crds.yaml'
+  pull_request:
+    paths:
+      - 'charts/openmfp-crds/**'
+      - '.github/workflows/openmfp-crds.yaml'
 
 jobs:
   pipeline:

.github/workflows/openmfp.yaml

@@ -4,6 +4,10 @@ on:
     paths:
       - 'charts/openmfp/**'
       - '.github/workflows/openmfp.yaml'
+  pull_request:
+    paths:
+      - 'charts/openmfp/**'
+      - '.github/workflows/openmfp.yaml'
 
 jobs:
   pipeline:

.github/workflows/portal.yaml

@@ -4,6 +4,10 @@ on:
     paths:
       - 'charts/portal/**'
       - '.github/workflows/portal.yaml'
+  pull_request:
+    paths:
+      - 'charts/portal/**'
+      - '.github/workflows/portal.yaml'
 
 jobs:
   pipeline:

.gitignore

@@ -1,6 +1,8 @@
+.DS_Store
 .idea
 .vscode/settings.json
 .secret
 bin/
 node_modules/
-oci/
+/oci/
+local-setup/e2e/test-results/.last-run.json

.kube-linter.yaml

@@ -0,0 +1,4 @@
+checks:
+  ignorePaths:
+    - charts/keycloak/charts/keycloak/**
+    - charts/openmfp/charts/**

.reuse/dep5

@@ -4,6 +4,6 @@ Upstream-Contact:
 Source: https://github.com/openmfp/helm-charts
 
 Files: *
-Copyright: 2024 SAP SE or an SAP affiliate company and openMFP contributors and helm-charts contributors.
+Copyright: 2025 SAP SE or an SAP affiliate company and openMFP contributors and helm-charts contributors.
 License: Apache-2.0
 

CODEOWNERS

@@ -3,3 +3,5 @@
 Chart.lock
 Chart.yaml
 *.tgz
+local-setup/kustomize/components/openmfp/repository.yaml
+local-setup/kustomize/components/openmfp-crds/repository.yaml

CONTRIBUTING.md

@@ -20,6 +20,32 @@ You are welcome to contribute with your pull requests. These steps explain the c
 > **NOTE:** You should always add tests if you are adding code to our repository.
 To let chart tests run locally, run `helm unittest -u <PATH TO CHART>`.
 
+To start bootstrapping using the local charts from a local oci repository, package the charts and run the string with the `oci` parameter:
+```sh
+task helmpackage
+./local-setup/scripts/start.sh oci
+```
+
+Also ensure the proper chart versions are referenced in the OCIRepository patches, before running the start script. 
+
+To reference local chart dependencies, change the Chart.yaml file to point to local chart folder like so:
+```yaml
+apiVersion: v2
+name: openmfp
+description: The OpenMFP chart for Kubernetes
+type: application
+version: 0.0.194
+appVersion: "0.0.0"
+
+dependencies:
+  - name: keycloak
+    version: 0.61.0
+    repository: file://../keycloak
+    condition: components.keycloak.enabled
+```
+
+After such change, Increment the `version` and make sure to run `helm dependency update` on to dependencies first and last on the top-level chart which links them. Update the patch versions to reflect your changes.
+
 ## Issues
 We use GitHub issues to track bugs. Please ensure your description is
 clear and includes sufficient instructions to reproduce the issue.

README.md

@@ -1,5 +1,8 @@
 # OpenMFP - helm-charts
 
+[![REUSE status](
+https://api.reuse.software/badge/github.com/openmfp/helm-charts)](https://api.reuse.software/info/github.com/openmfp/helm-charts)
+
 This repository contains public helm charts for the OpenMFP project.
 
 ## Github Actions
@@ -31,5 +34,5 @@ Please refer to the [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md) file in this reposi
 
 ## Licensing
 
-Copyright 2024 SAP SE or an SAP affiliate company and OpenMFP contributors. Please see our [LICENSE](LICENSE) for copyright and license information. Detailed information including third-party components and their licensing/copyright information is available [via the REUSE tool](https://api.reuse.software/info/github.com/openmfp/helm-charts).
+Copyright 2025 SAP SE or an SAP affiliate company and OpenMFP contributors. Please see our [LICENSE](LICENSE) for copyright and license information. Detailed information including third-party components and their licensing/copyright information is available [via the REUSE tool](https://api.reuse.software/info/github.com/openmfp/helm-charts).
 

REUSE.toml

@@ -0,0 +1,9 @@
+version = 1
+SPDX-PackageName = "helm-charts"
+SPDX-PackageDownloadLocation = "https://github.com/openmfp/helm-charts"
+
+[[annotations]]
+path = "**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2025 SAP SE or an SAP affiliate company and openMFP contributors and helm-charts contributors."
+SPDX-License-Identifier = "Apache-2.0"

Taskfile.yaml

@@ -43,10 +43,11 @@ tasks:
       - "for chart in $(echo {{.CHARTS}} | tr ',' ' '); do helm dependency update $chart; done"
   validate:
     cmds:
-      - task: lint
-      # - task: package
       - task: test
-      - task: vulnerability
+      - task: helm-docs
+      - task: update
+      - task: lint
+      - task: oci
   vulnerability:
     deps:
       - task: setup:kube-lint
@@ -65,3 +66,7 @@ tasks:
       - task: helmpackage
     cmds:
       - "for chart in $(echo {{.PACKAGED_CHARTS}} | tr ',' ' '); do helm push $chart oci://localhost:5000/openmfp; done"
+  oci:
+    cmds:
+      - "rm oci/* || true"
+      - task: helmpackage

charts/account-operator/Chart.lock

@@ -4,6 +4,6 @@ dependencies:
   version: 0.1.11
 - name: common
   repository: oci://ghcr.io/openmfp/helm-charts
-  version: 0.2.7
-digest: sha256:076f1128f18954e6b9b2e7fe39882197c683415ae2a089f0757e358e62a018b9
-generated: "2025-01-14T21:12:11.220820816Z"
+  version: 0.2.10
+digest: sha256:d51690d7efa7b0242f5822f35f89d8657ac1fafa8c888e36e07e9aa0c60b37c5
+generated: "2025-02-13T08:50:58.976440421+02:00"

charts/account-operator/Chart.yaml

@@ -2,13 +2,13 @@ apiVersion: v2
 name: account-operator
 description: A Helm chart to deploy OpenMFP Account-Operator
 type: application
-version: 0.5.65
-appVersion: "0.153.0"
+version: 0.6.9
+appVersion: "0.163.0"
 dependencies:
   - name: account-operator-crds
     version: 0.1.11
     condition: crds.enabled
     repository: oci://ghcr.io/openmfp/helm-charts
   - name: common
-    version: 0.2.7
+    version: 0.2.10
     repository: oci://ghcr.io/openmfp/helm-charts

charts/account-operator/README.md

@@ -23,19 +23,19 @@ A Helm chart to deploy OpenMFP Account-Operator
 | kcp.enabled | bool | `false` | Enable KCP |
 | kcp.virtualWorkspaceUrl | string | `""` | The URL for the virtual workspace |
 | kubeconfigSecret | string | `""` | The secret for kubeconfig |
-| logLevel | string | `"warn"` | The log level |
 | security.mountServiceAccountToken | bool | `true` | Mount the service account token |
 | subroutines.extension.enabled | bool | `true` | Enable extension subroutines |
 | subroutines.extensionReady.enabled | bool | `true` | Enable extension ready subroutines |
 | subroutines.fga.creatorRelation | string | `"owner"` | The creator relation for FGA |
 | subroutines.fga.enabled | bool | `true` | Enable FGA subroutines |
-| subroutines.fga.grpcAddr | string | `""` | The gRPC address for FGA |
+| subroutines.fga.grpcAddr | string | `"openmfp-openfga:8081"` | The gRPC address for FGA |
 | subroutines.fga.objectType | string | `"account"` | The object type for FGA |
 | subroutines.fga.parentRelation | string | `"parent"` | The parent relation for FGA |
 | subroutines.fga.rootNamespace | string | `"openmfp-root"` | The root namespace for FGA |
 | subroutines.namespace.enabled | bool | `true` | Enable namespace subroutines |
 | webhooks.certDir | string | `"/certs"` | The directory for webhook certificates |
-| webhooks.enabled | bool | `false` | Enable webhooks |
+| webhooks.enabled | bool | `true` | Enable webhooks |
+| webhooks.register | bool | `false` | Register webhooks, flag to toggle if webhooks should be registered on the runtime cluster |
 
 ## Overriding Values
 

charts/account-operator/templates/deployment.yaml

@@ -32,7 +32,6 @@ spec:
         - args:
           - operator
           - --leader-elect
-          - --log-level={{ .Values.logLevel }}
           - '--health-probe-bind-address=:{{ include "common.getKeyValue" (dict "Values" .Values "key" "health.port") }}'
           image: {{ .Values.image.name }}:{{ .Chart.AppVersion }}
           name: manager
@@ -47,6 +46,7 @@ spec:
           {{- include "common.operatorHealthAndReadyness" . | nindent 10 -}}
           {{- include "common.resources" . | nindent 10 }}
           env:
+          {{- include "common.basicEnvironment" . | nindent 10 }}
           - name: SUBROUTINES_NAMESPACE_ENABLED
             value: "{{ .Values.subroutines.namespace.enabled }}"
           - name: SUBROUTINES_FGA_ENABLED

charts/account-operator/templates/webhook/mutation-webhook.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.webhooks.enabled -}}
+{{- if and .Values.webhooks.enabled .Values.webhooks.register -}}
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
@@ -9,10 +9,7 @@ webhooks:
 - admissionReviewVersions:
   - v1
   clientConfig:
-    service:
-      name: {{ include "common.entity.name" . }}-webhook
-      namespace: {{ .Release.Namespace }}
-      path: /mutate-core-openmfp-io-v1alpha1-account
+    url: {{ include "common.entity.name" . }}-webhook.{{ .Release.Namespace }}.svc:9443/mutate-core-openmfp-io-v1alpha1-account
   failurePolicy: Fail
   name: maccount.kb.io
   rules:

charts/account-operator/templates/webhook/service.yaml

@@ -5,7 +5,7 @@ metadata:
   name: {{ include "common.entity.name" . }}-webhook
 spec:
   ports:
-    - port: 443
+    - port: 9443
       protocol: TCP
       targetPort: 9443
   selector: