infratographer · mikemrm · May 3, 2024 · May 3, 2024 · May 3, 2024 · May 3, 2024
@@ -0,0 +1,48 @@
+name: Helm lint and docs
+on:
+  push:
+  pull_request:
+jobs:
+  helm-lint:
+    name: lint
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Helm
+        uses: azure/setup-helm@v3.5
+
+      - name: Run helm lint
+        run: helm lint chart/iam-runtime-infratographer
+  helm-docs:
+    needs: helm-lint
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.head_ref }}
+          fetch-depth: 0
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Update docs
+        run: make docs
+
+      - uses: stefanzweifel/git-auto-commit-action@v5
+        with:
+          commit_message: Helm docs updated
+          commit_options: '--no-verify --signoff'
+          file_pattern: 'chart/*/*.md'
+          skip_dirty_check: true
+          skip_fetch: true
+          skip_checkout: true
@@ -36,3 +36,20 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+
+  helm:
+    runs-on: ubuntu-latest
+    needs: goreleaser
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Publish Helm charts
+        uses: stefanprodan/helm-gh-pages@master
+        with:
+          token: ${{ secrets.RELEASEBOT_PAT }}
+          charts_dir: chart
+          charts_url: "https://infratographer.github.io/charts"
+          repository: "charts"
+          app_version: ${{  github.ref_name }}
+          chart_version: ${{  github.ref_name }}
+          branch: gh-pages
@@ -1,4 +1,6 @@
 *~
 coverage.out
 iam-runtime-infratographer
+!chart/iam-runtime-infratographer/
+chart/iam-runtime-infratographer/*.tgz
 .tools/*
@@ -6,8 +6,11 @@ GOARCH ?= amd64
 GOLANGCI_LINT_REPO = github.com/golangci/golangci-lint
 GOLANGCI_LINT_VERSION = v1.56.1
 
+HELM_DOCS_REPO = github.com/norwoodj/helm-docs
+HELM_DOCS_VERSION = v1.13.1
+
 all: test build
-PHONY: test coverage lint golint clean vendor docker-up docker-down unit-test
+PHONY: test coverage lint docs
 
 test: | lint
 	@echo Running tests...
@@ -20,6 +23,9 @@ lint: $(TOOLS_DIR)/golangci-lint
 build:
 	@CGO_ENABLED=0 GOOS=$(GOOS) GOARCH=$(GOARCH) go build -mod=readonly -v
 
+docs: $(TOOLS_DIR)/helm-docs
+	$(TOOLS_DIR)/helm-docs --chart-search-root ./chart/
+
 go-dependencies:
 	@go mod download
 	@go mod tidy
@@ -30,3 +36,7 @@ $(TOOLS_DIR):
 $(TOOLS_DIR)/golangci-lint: | $(TOOLS_DIR)
 	@echo "Installing $(GOLANGCI_LINT_REPO)/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION)"
 	@GOBIN=$(ROOT_DIR)/$(TOOLS_DIR) go install $(GOLANGCI_LINT_REPO)/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION)
+
+$(TOOLS_DIR)/helm-docs: | $(TOOLS_DIR)
+	@echo "Installing $(HELM_DOCS_REPO)/cmd/helm-docs@$(HELM_DOCS_VERSION)"
+	@GOBIN=$(ROOT_DIR)/$(TOOLS_DIR) go install $(HELM_DOCS_REPO)/cmd/helm-docs@$(HELM_DOCS_VERSION)
@@ -25,6 +25,8 @@ iam-runtime-infratographer can be configured using either a config file, command
 
 Below provides an example of adding the IAM runtime as a sidecar to your app deployment.
 
+Alternatively you could use the [helm chart](./chart/iam-runtime-infratographer/).
+
 ```yaml
 ---
 apiVersion: v1

@@ -0,0 +1,6 @@
+dependencies:
+- name: common
+  repository: https://charts.bitnami.com/bitnami
+  version: 2.18.0
+digest: sha256:ec6d9b1421c76196fc93c158d3fa45f9b6fa2bffef6bdb7307b2c87cbef7619d
+generated: "2024-05-03T09:29:32.953349-05:00"
@@ -0,0 +1,11 @@
+---
+apiVersion: v2
+appVersion: v0.0.1
+description: Functions which assist in deploying iam-runtime-infratographer with your app.
+name: iam-runtime-infratographer
+version: v0.0.1
+home: http://github.com/infratographer/iam-runtime-infratographer
+dependencies:
+  - name: common
+    version: 2.18.0
+    repository: https://charts.bitnami.com/bitnami
@@ -0,0 +1,85 @@
+# iam-runtime-infratographer
+
+Functions which assist in deploying iam-runtime-infratographer with your app.
+
+![Version: v0.0.1](https://img.shields.io/badge/Version-v0.0.1-informational?style=flat-square) ![AppVersion: v0.0.1](https://img.shields.io/badge/AppVersion-v0.0.1-informational?style=flat-square)
+
+## Example deployment
+
+Helm chart repository: https://infratographer.github.io/charts
+
+```yaml
+# file: templates/deployment.yaml
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: example-app
+spec:
+  replicas: 1
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      app: example-app
+  template:
+    metadata:
+      annotations: {{- include "iam-runtime-infratographer.annotations" $ | nindent 8 }}
+      labels:
+        app: example-app
+    spec:
+      containers:
+        - name: example-app
+          image: {{ .Values.deployment.image }}
+          volumeMounts: {{- include "iam-runtime-infratographer.volumeMounts" $ | nindent 12 }}
+        - {{- include "iam-runtime-infratographer.container" $ | nindent 10 }}
+      volumes: {{- include "iam-runtime-infratographer.volumes" $ | nindent 8 }}
+# file: values.yaml
+---
+iam-runtime-infratographer:
+  config:
+    permissions:
+      host: permissions-api.internal.example.net
+    jwt:
+      jwksURI: https://iam.example.com/jwks.json
+      issuer: https://iam.example.com/
+```
+
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| https://charts.bitnami.com/bitnami | common | 2.18.0 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| config.accessToken.enabled | bool | `false` | enabled configures the access token source for GetAccessToken requests. |
+| config.accessToken.exchange.grantType | string | urn:ietf:params:oauth:grant-type:token-exchange | grantType configures the grant type |
+| config.accessToken.exchange.issuer | string | `""` | issuer specifies the URL for the issuer for the exchanged token. The Issuer must support OpenID discovery to discover the token endpoint. |
+| config.accessToken.exchange.tokenType | string | urn:ietf:params:oauth:token-type:jwt | tokenType configures the token type |
+| config.accessToken.source.clientCredentials.clientID | string | `""` | clientID is the client credentials id which is used to retrieve a token from the issuer. |
+| config.accessToken.source.clientCredentials.clientSecret | string | `""` | clientSecret is the client credentials secret which is used to retrieve a token from the issuer. |
+| config.accessToken.source.clientCredentials.issuer | string | `""` | issuer specifies the URL for the issuer for the token request. The Issuer must support OpenID discovery to discover the token endpoint. |
+| config.accessToken.source.fileToken.noReuseToken | bool | `false` | noReuseToken if enabled disables reuse of tokens while they're still valid. |
+| config.accessToken.source.fileToken.tokenPath | string | `""` | tokenPath is the path to the source jwt token. |
+| config.events.enabled | bool | `false` | enabled enables NATS event-based functions. |
+| config.events.nats.credsFile | string | `""` | credsFile path to NATS credentials file |
+| config.events.nats.publishPrefix | string | `""` | publishPrefix NATS publish prefix to use. |
+| config.events.nats.publishTopic | string | `""` | publishTopic NATS publihs topic to use. |
+| config.events.nats.token | string | `""` | token NATS user token to use. |
+| config.events.nats.url | string | `""` | url NATS server url to use. |
+| config.jwt.issuer | string | `""` | issuer Issuer to use for JWT validation. |
+| config.jwt.jwksURI | string | `""` | jwksURI JWKS URI to use for JWT validation. |
+| config.permissions.host | string | `""` | host permissions-api host to use. |
+| config.tracing.enabled | bool | `false` | enabled initializes otel tracing. |
+| config.tracing.insecure | bool | `false` | insecure if TLS should be disabled. |
+| config.tracing.url | string | `""` | url gRPC URL for OpenTelemetry collector. |
+| image.pullPolicy | string | `"IfNotPresent"` | pullPolicy is the image pull policy for the service image |
+| image.repository | string | `"ghcr.io/infratographer/iam-runtime-infratographer"` | repository is the image repository to pull the image from |
+| image.tag | string | `""` | tag is the image tag to use. Defaults to the chart's app version |
+| resources | object | `{}` | resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
+| restartPolicy | string | `""` | restartPolicy set to Always if using with initContainers on kube 1.29 and up with the SideContainer feature flag enabled. ref: https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/#sidecar-containers-and-pod-lifecycle |
+| securityContext | object | `{"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532}` | securityContext configures the container's security context. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
+| volumeMounts | object | `{}` | volumeMounts define additional volume mounts to include with the container ref: https://kubernetes.io/docs/concepts/storage/volumes/ |
+
@@ -0,0 +1,50 @@
+{{ template "chart.header" . }}
+{{ template "chart.description" . }}
+
+{{ template "chart.versionBadge" .  }}{{ template "chart.typeBadge" .  }}{{ template "chart.appVersionBadge" .  }}
+
+## Example deployment
+
+Helm chart repository: https://infratographer.github.io/charts
+
+```yaml
+# file: templates/deployment.yaml
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: example-app
+spec:
+  replicas: 1
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      app: example-app
+  template:
+    metadata:
+      annotations: {{ `{{- include "iam-runtime-infratographer.annotations" $ | nindent 8 }}` }}
+      labels:
+        app: example-app
+    spec:
+      containers:
+        - name: example-app
+          image: {{ `{{ .Values.deployment.image }}` }}
+          volumeMounts: {{ `{{- include "iam-runtime-infratographer.volumeMounts" $ | nindent 12 }}` }}
+        - {{ `{{- include "iam-runtime-infratographer.container" $ | nindent 10 }}` }}
+      volumes: {{ `{{- include "iam-runtime-infratographer.volumes" $ | nindent 8 }}` }}
+# file: values.yaml
+---
+iam-runtime-infratographer:
+  config:
+    permissions:
+      host: permissions-api.internal.example.net
+    jwt:
+      jwksURI: https://iam.example.com/jwks.json
+      issuer: https://iam.example.com/
+```
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "chart.valuesSection" . }}
+
+{{ template "helm-docs.versionFooter" . }}
@@ -0,0 +1,17 @@
+{{- define "iam-runtime-infratographer.fullname" }}
+  {{- $values := (index .Subcharts "iam-runtime-infratographer").Values -}}
+  {{- include "common.names.dependency.fullname" (dict "chartName" "iam-runtime-infratographer" "chartValues" $values "context" $) -}}
+{{- end }}
+
+{{- define "iam-runtime-infratographer.resource.fullname" }}
+  {{- $prefix := include "iam-runtime-infratographer.fullname" .context }}
+  {{- $reduce := sub (add (len $prefix) (len .suffix) 1) 63 }}
+  {{- if gt $reduce 0 }}
+    {{- $prefix = trunc (add 63 $reduce) $prefix | trimSuffix "-" }}
+  {{- end }}
+  {{- printf "%s-%s" $prefix .suffix -}}
+{{- end }}
+
+{{- define "iam-runtime-infratographer.annotations" -}}
+checksum/iam-runtime-infratographer-config: {{ toYaml (index .Subcharts "iam-runtime-infratographer").Values | sha256sum }}
+{{- end }}
@@ -0,0 +1,13 @@
+{{- define "iam-runtime-infratographer.configmap" }}
+{{- $values := (index .Subcharts "iam-runtime-infratographer").Values -}}
+{{- $defaultConfig := dict "server" (dict "socketPath" "/var/iam-runtime/runtime.sock") }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "iam-runtime-infratographer.resource.fullname" (dict "suffix" "config" "context" $) | quote }}
+  labels: {{- include "common.labels.standard" $ | nindent 4 }}
+data:
+  config.yaml: |
+    {{- tpl (merge $defaultConfig $values.config | toYaml) $ | nindent 4 }}
+{{- end }}
@@ -0,0 +1,28 @@
+{{- define "iam-runtime-infratographer.container" -}}
+{{- $values := (index .Subcharts "iam-runtime-infratographer").Values -}}
+name: {{ include "iam-runtime-infratographer.fullname" $ | quote }}
+image: {{ include "iam-runtime-infratographer.container.image" $ | quote }}
+imagePullPolicy: {{ quote $values.image.pullPolicy }}
+{{- with $values.restartPolicy }}
+restartPolicy: {{ quote . }}
+{{- end }}
+{{- with $values.securityContext }}
+securityContext: {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- with $values.resources }}
+resources: {{- toYaml . | nindent 2 }}
+{{- end }}
+volumeMounts:
+  - name: {{ include "iam-runtime-infratographer.resource.fullname" (dict "suffix" "config" "context" $) | quote }}
+    mountPath: /etc/iam-runtime-infratographer/
+  {{- include "iam-runtime-infratographer.volumeMounts" $ | nindent 2 }}
+  {{- with $values.volumeMounts }}
+    {{- toYaml . | nindent 2 }}
+  {{- end }}
+{{- end }}
+
+{{- define "iam-runtime-infratographer.container.image" }}
+  {{- $values := (index .Subcharts "iam-runtime-infratographer").Values -}}
+  {{- $tag := default (index .Subcharts "iam-runtime-infratographer" "Chart").AppVersion $values.image.tag }}
+  {{- printf "%s:%s" $values.image.repository $tag }}
+{{- end }}
@@ -0,0 +1,13 @@
+{{- define "iam-runtime-infratographer.volumes" -}}
+{{- $values := (index .Subcharts "iam-runtime-infratographer").Values -}}
+- name: {{ include "iam-runtime-infratographer.resource.fullname" (dict "suffix" "config" "context" $) | quote }}
+  configMap:
+    name: {{ include "iam-runtime-infratographer.resource.fullname" (dict "suffix" "config" "context" $) | quote }}
+- name: {{ include "iam-runtime-infratographer.resource.fullname" (dict "suffix" "socket" "context" $) | quote }}
+  emptyDir: {}
+{{- end }}
+
+{{- define "iam-runtime-infratographer.volumeMounts" -}}
+- name: {{ include "iam-runtime-infratographer.resource.fullname" (dict "suffix" "socket" "context" $) | quote }}
+  mountPath: /var/iam-runtime/
+{{- end }}