Initial commit

.github/workflows/index.yaml

@@ -0,0 +1,62 @@
+name: Update Helm repository
+run-name: ${{ github.actor }} is updating the Helm repository
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+    - main
+    paths:
+    - charts/**
+
+jobs:
+  package:
+    runs-on: ubuntu-latest
+
+    steps:
+
+    - name: 'Git Checkout'
+      uses: actions/checkout@v3
+
+
+    - name: 'Configure & Install Helm'
+      uses: azure/setup-helm@v3
+
+    - name: 'Package & Update Helm Repository'
+      run: |
+        helm package charts/* -d repo/
+        helm repo index repo/
+        git config --global user.name "${GITHUB_ACTOR}"
+        git config --global user.email "${GITHUB_ACTOR}@users.noreply.github.com"
+        git add repo
+        git commit -m 'Update Helm repository chart index'
+        git push
+
+  release:
+    runs-on: ubuntu-latest
+    needs: package
+
+    steps:
+
+    - name: 'Git Checkout'
+      uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+
+    - name: 'Configure & Install Helm'
+      uses: azure/setup-helm@v3
+
+    - name: 'Authorize Helm with remote container registry''
+      run: |
+        echo "TODO"
+
+    - name: 'Push modified Helm packages to the container registry'
+      env:
+        HELM_EXPERIMENTAL_OCI: '1'
+      run: |
+        git pull origin main  # Pull latest changes from main.
+        git diff --name-only -r HEAD^1 HEAD | grep .tgz | while read line || [[ -n $line ]];
+        do
+            echo " > Pushing chart $line"
+            helm push $line oci://nexus.global.dns:8443/charts/charts
+        done

.github/workflows/push.yaml

@@ -0,0 +1,59 @@
+name: Release Helm Chart
+
+on:
+  workflow_dispatch:
+    inputs:
+      release_all:
+        type: boolean
+        description: "Republish all charts?"
+        default: false
+  push:
+    branches:
+    - main
+    paths:
+    - repo/**
+
+jobs:
+    release:
+        runs-on:
+          group: k8s-runners
+        steps:
+        # 1. Checkout the current Git repository.
+        - name: 'Git Checkout'
+          uses: actions/checkout@v3
+          with:
+            fetch-depth: 0
+
+        # 2. Configure Helm
+        - name: 'Configure & Install Helm'
+          uses: azure/setup-helm@v3
+
+        # 3. Authorize Helm with Nexus
+        - name: 'Authorize Helm with Nexus'
+          run: |
+            echo ${{ secrets.NEXUS_PASSWORD}} | helm registry login -u ${{ secrets.NEXUS_USERNAME }} --password-stdin \
+            nexus.global.dns:8443/adcs/charts
+    
+        # 4. Push changed Helm packages to Nexus.
+        - name: 'Push modified Helm packages to Nexus'
+          if: "${{ github.event.inputs.release_all == 'false' }}"
+          env:
+            HELM_EXPERIMENTAL_OCI: '1'
+          run: |
+            git diff --name-only -r HEAD^1 HEAD | grep .tgz | while read line || [[ -n $line ]];
+            do
+                echo " > Pushing chart $line"
+                helm push $line oci://nexus.global.dns:8443/adcs/charts
+            done
+    
+        # 5. Check if all Helm charts have to be pushed to Nexus.
+        - name: 'Push all Helm charts to Nexus'
+          if: "${{ github.event.inputs.release_all != 'false' }}"
+          env:
+            HELM_EXPERIMENTAL_OCI: '1'
+          run: |
+            ls repo | grep .tgz | while read line || [[ -n $line ]];
+            do
+                echo " > Pushing chart $line"
+                helm push repo/$line oci://nexus.global.dns:8443/adcs/charts
+            done

CHANGELOG.md

@@ -0,0 +1,8 @@
+# Changelog
+
+This is the `CHANGELOG` of your Helm repository. The current
+section can be used for additional templating and docs. The comment
+listed below is used as a marker to start the Changelog generation
+using `towncrier`.
+
+<!-- towncrier release notes start -->

CODEOWNERS

@@ -0,0 +1 @@
+@peinser

README.md

@@ -1,2 +1,15 @@
-# template-helm
-A Helm registry template.
+# Helm Repository
+
+A template repository for managing Helm charts specific to a single project.
+
+--------------------------------------------------------------------------------
+
+> [!WARNING]
+> Work in progress.
+
+## Changelogs
+
+
+## Conventions
+
+- We use the Helm `.Release.Name` as an identifier for the environment. That is, your deployment's name will be `{{ .Release.Name }}-sample`.

SECURITY.md

@@ -0,0 +1,3 @@
+# Security policy
+
+Our general security policy and coordinated disclosure plan: <https://peinser.com/policy/security>

charts/sample/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/sample/Chart.yaml

@@ -0,0 +1,14 @@
+apiVersion: v2
+name: sample
+description: A sample Helm chart.
+type: application
+
+# Chart version
+version: 1.0.0
+
+# Application version
+appVersion: 1.0.0
+
+maintainers:
+- email: joeri@peinser.com
+  name: Joeri Hermans

charts/sample/templates/deployment.yaml

@@ -0,0 +1,59 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: {{ .Release.Name }}-sample
+  name: {{ .Release.Name }}-sample
+spec:
+  replicas: {{ .Values.replicas | default 1 }}
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}-sample
+  template:
+    metadata:
+      labels:
+        app: {{ .Release.Name }}-sample
+    spec:
+      automountServiceAccountToken: false
+
+      {{- with .Values.securityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+
+      containers:
+
+      - image: docker.io/{{ .Values.image.name | default "peinser/sample" }}:{{ .Values.image.tag | default "latest" }}
+        imagePullPolicy: Always
+        resources:
+          {{- if .Values.resources }}
+{{ toYaml .Values.resources | indent 12 }}
+          {{- else }}
+            limits: {}
+          {{- end }}
+        name: {{ .Release.Name }}-sample
+        securityContext:
+          allowPrivilegeEscalation: false
+          privileged: false
+          runAsNonRoot: true
+        env:
+        - name: SOME_VARIABLE
+          value: {{ .Values.someVariable | default someValue | quote }}

charts/sample/values.yaml

@@ -0,0 +1,23 @@
+securityContext:
+  runAsUser: 1001
+  runAsGroup: 1001
+  fsGroup: 1001
+
+replicas: 1
+
+resources:
+  requests:
+    cpu: 64m
+    memory: 256Mi
+  limits:
+    memory: 1Gi
+
+image:
+  name: peinser/sample
+  tag: 1.0.0
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}

towncrier.toml

@@ -0,0 +1,40 @@
+# Changelog configuration
+#
+# For more information: https://towncrier.readthedocs.io/en/latest/configuration.html
+#
+
+[tool.towncrier]
+package = "sample"  # Name of the project
+directory = ".changes"  # Directory of the news fragments
+filename = "CHANGELOG.md"  # File which holds the CHANGELOG or news files.
+
+
+# News types (order of appearance in CHANGELOG) ###############################x
+# Whenever a news fragement is generated, the full CHANGELOG will be generated
+# according to the ordering listed below.
+#
+
+[[tool.towncrier.type]]
+directory = "security"
+name = "Security"
+showcontent = true
+
+[[tool.towncrier.type]]
+directory = "feature"
+name = "Features"
+showcontent = true
+
+[[tool.towncrier.type]]
+directory = "fix"
+name = "Fixes"
+showcontent = true
+
+[[tool.towncrier.type]]
+directory = "bug"
+name = "Bugs"
+showcontent = true
+
+[[tool.towncrier.type]]
+directory = "chore"
+name = "Chores"
+showcontent = true