build: add Helm chart

.dockerignore

@@ -1,4 +1,8 @@
-.github
-README.md
-LICENSE
+.github/
+chart/
+examples
 .editorconfig
+.gitignore
+LICENSE
+README.md
+skaffold.yaml

.github/workflows/release-chart.yml

@@ -0,0 +1,29 @@
+name: Release Chart
+
+on:
+  push:
+    tags: ['*']
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Install Helm
+        uses: azure/setup-helm@v4.2.0
+      - name: Release chart
+        env:
+          TAG: "${{ github.ref_name}}"
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+          git worktree add chart/repo gh-pages
+          helm package chart --version "${{ github.ref_name}}" -d chart/repo
+          cd chart/repo
+          helm repo index . --url=https://sebastiangaiser.github.io/ca-controller-for-strimzi/
+          git add .
+          git commit -m "$TAG"
+          git push

README.md

@@ -9,5 +9,5 @@ Strimzi requires the CA key split from the rest of a Kubernetes secret of type T
 To avoid doing this manually e.g. when using [cert-manager](https://cert-manager.io/) for managing the CAs, this
 controller can be used...
 
-Please check the `example-ca.yaml` how to use the controller after deploying it and using it with cert-manager but
+Please check the `examples/example-ca.yaml` how to use the controller after deploying it and using it with cert-manager but
 it also works with normal Kubernetes secrets of type TLS.

chart/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

chart/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: ca-controller-for-strimzi
+type: application
+version: 0.0.0
+maintainers:
+  - name: sebastiangaiser

chart/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "ca-controller-for-strimzi.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "ca-controller-for-strimzi.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "ca-controller-for-strimzi.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "ca-controller-for-strimzi.labels" -}}
+helm.sh/chart: {{ include "ca-controller-for-strimzi.chart" . }}
+{{ include "ca-controller-for-strimzi.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "ca-controller-for-strimzi.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "ca-controller-for-strimzi.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "ca-controller-for-strimzi.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "ca-controller-for-strimzi.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

chart/templates/deployment.yaml

@@ -0,0 +1,72 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "ca-controller-for-strimzi.fullname" . }}
+  labels:
+    {{- include "ca-controller-for-strimzi.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicas }}
+  selector:
+    matchLabels:
+      {{- include "ca-controller-for-strimzi.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "ca-controller-for-strimzi.selectorLabels" . | nindent 8 }}
+    spec:
+    {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+      {{- toYaml . | nindent 8 }}
+    {{- end }}
+      serviceAccountName: {{ include "ca-controller-for-strimzi.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.Version }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          env:
+            {{- range $key, $spec := .Values.env }}
+            - name: {{ $key }}
+              {{- toYaml $spec | nindent 14 }}
+            {{- end }}
+          envFrom:
+            {{- toYaml .Values.envFrom | nindent 12 }}
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8081
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8081
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          volumeMounts:
+            {{- range $name, $spec := $.Values.volumes }}
+            - name: {{ $name }}
+              mountPath: {{ $spec.mountPath }}
+            {{- end -}}
+        {{- with .Values.extraContainers }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+      {{- range $name, $spec := $.Values.volumes }}
+        - name: {{ $name }}
+          {{- toYaml (omit $spec "mountPath") | nindent 10 }}
+      {{ end -}}

chart/templates/role.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.rbac.create -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "ca-controller-for-strimzi.fullname" . }}
+  labels:
+    {{- include "ca-controller-for-strimzi.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "secrets" ]
+    # "delete" not needed until the controller does cleanup, too
+    verbs: [ "get", "list", "watch", "create", "update", "patch" ]
+{{- end -}}

chart/templates/rolebinding.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.rbac.create -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "ca-controller-for-strimzi.fullname" . }}
+  labels:
+    {{- include "ca-controller-for-strimzi.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "ca-controller-for-strimzi.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "ca-controller-for-strimzi.fullname" . }}
+{{- end -}}

chart/templates/serviceaccount.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "ca-controller-for-strimzi.serviceAccountName" . }}
+  labels:
+    {{- include "ca-controller-for-strimzi.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}

chart/values.yaml

@@ -0,0 +1,41 @@
+image:
+  repository: ghcr.io/sebastiangaiser/ca-controller-for-strimzi
+  pullPolicy: IfNotPresent
+  # Overrides the image tag whose default is the chart version.
+  # tag:
+
+replicas: 1
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+rbac:
+  create: true
+
+serviceAccount:
+  create: true
+  annotations: {}
+  name: ""
+
+podAnnotations: {}
+
+podSecurityContext: {}
+# fsGroup: 2000
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+# runAsUser: 1000
+
+resources: {}
+nodeSelector: {}
+tolerations: {}
+affinity: {}
+extraContainers: []
+
+env: {}
+envFrom: []

skaffold.yaml

@@ -13,10 +13,10 @@ build:
         - linux/arm64
   local:
     useBuildkit: true
-#deploy:
-#  helm:
-#    releases:
-#      - name: ca-controller-for-strimzi
-#        chartPath: chart
-#        valuesFiles:
-#          - chart/values.yaml
+deploy:
+  helm:
+    releases:
+      - name: ca-controller-for-strimzi
+        chartPath: chart
+        valuesFiles:
+          - chart/values.yaml