add helm docs

Signed-off-by: Mike Mason <[email protected]>

.github/workflows/helm.yml

@@ -0,0 +1,47 @@
+name: Helm lint and docs
+on:
+  push:
+  pull_request:
+permissions:
+  contents: read
+  pull-requests: read
+jobs:
+  helm-lint:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Helm
+        uses: azure/[email protected]
+
+      - name: Run helm lint
+        run: helm lint chart/iam-runtime-infratographer
+  helm-docs:
+    needs: helm-lint
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Update docs
+        run: make docs
+
+      - uses: stefanzweifel/git-auto-commit-action@v5
+        with:
+          commit_message: Helm docs updated
+          commit_options: '--no-verify --signoff'
+          file_pattern: 'chart/*/*.md'
+          skip_dirty_check: true
+          skip_fetch: true
+          skip_checkout: true

Makefile

@@ -6,8 +6,11 @@ GOARCH ?= amd64
 GOLANGCI_LINT_REPO = github.com/golangci/golangci-lint
 GOLANGCI_LINT_VERSION = v1.56.1
 
+HELM_DOCS_REPO = github.com/norwoodj/helm-docs
+HELM_DOCS_VERSION = v1.13.1
+
 all: test build
-PHONY: test coverage lint golint clean vendor docker-up docker-down unit-test
+PHONY: test coverage lint docs
 
 test: | lint
 	@echo Running tests...
@@ -20,6 +23,9 @@ lint: $(TOOLS_DIR)/golangci-lint
 build:
 	@CGO_ENABLED=0 GOOS=$(GOOS) GOARCH=$(GOARCH) go build -mod=readonly -v
 
+docs: $(TOOLS_DIR)/helm-docs
+	$(TOOLS_DIR)/helm-docs --chart-search-root ./chart/
+
 go-dependencies:
 	@go mod download
 	@go mod tidy
@@ -30,3 +36,7 @@ $(TOOLS_DIR):
 $(TOOLS_DIR)/golangci-lint: | $(TOOLS_DIR)
 	@echo "Installing $(GOLANGCI_LINT_REPO)/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION)"
 	@GOBIN=$(ROOT_DIR)/$(TOOLS_DIR) go install $(GOLANGCI_LINT_REPO)/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION)
+
+$(TOOLS_DIR)/helm-docs: | $(TOOLS_DIR)
+	@echo "Installing $(HELM_DOCS_REPO)/cmd/helm-docs@$(HELM_DOCS_VERSION)"
+	@GOBIN=$(ROOT_DIR)/$(TOOLS_DIR) go install $(HELM_DOCS_REPO)/cmd/helm-docs@$(HELM_DOCS_VERSION)

README.md

@@ -25,6 +25,8 @@ iam-runtime-infratographer can be configured using either a config file, command
 
 Below provides an example of adding the IAM runtime as a sidecar to your app deployment.
 
+Alternatively you could use the [helm chart](./chart/iam-runtime-infratographer/).
+
 ```yaml
 ---
 apiVersion: v1

chart/iam-runtime-infratographer/README.md

@@ -0,0 +1,83 @@
+# iam-runtime-infratographer
+
+Functions which assist in deploying iam-runtime-infratographer with your app.
+
+![Version: v0.0.1](https://img.shields.io/badge/Version-v0.0.1-informational?style=flat-square) ![AppVersion: v0.0.1](https://img.shields.io/badge/AppVersion-v0.0.1-informational?style=flat-square)
+
+## Example deployment
+
+```yaml
+# file: templates/deployment.yaml
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: example-app
+spec:
+  replicas: 1
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      app: example-app
+  template:
+    metadata:
+      annotations: {{- include "iam-runtime-infratographer.annotations" $ | nindent 8 }}
+      labels:
+        app: example-app
+    spec:
+      containers:
+        - name: example-app
+          image: {{ .Values.deployment.image }}
+          volumeMounts: {{- include "iam-runtime-infratographer.volumeMounts" $ | nindent 12 }}
+        - {{- include "iam-runtime-infratographer.container" $ | nindent 10 }}
+      volumes: {{- include "iam-runtime-infratographer.volumes" $ | nindent 8 }}
+# file: values.yaml
+---
+iam-runtime-infratographer:
+  config:
+    permissions:
+      host: permissions-api.internal.example.net
+    jwt:
+      jwksuri: https://iam.example.com/jwks.json
+      issuer: https://iam.example.com/
+```
+
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| https://charts.bitnami.com/bitnami | common | 2.18.0 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| config.accessToken.enabled | bool | `false` | enabled configures the access token source for GetAccessToken requests. |
+| config.accessToken.exchange.grantType | string | urn:ietf:params:oauth:grant-type:token-exchange | grantType configures the grant type |
+| config.accessToken.exchange.issuer | string | `""` | issuer specifies the URL for the issuer for the exchanged token. The Issuer must support OpenID discovery to discover the token endpoint. |
+| config.accessToken.exchange.tokenType | string | urn:ietf:params:oauth:token-type:jwt | tokenType configures the token type |
+| config.accessToken.source.clientCredentials.clientID | string | `""` | clientID is the client credentials id which is used to retrieve a token from the issuer. |
+| config.accessToken.source.clientCredentials.clientSecret | string | `""` | clientSecret is the client credentials secret which is used to retrieve a token from the issuer. |
+| config.accessToken.source.clientCredentials.issuer | string | `""` | issuer specifies the URL for the issuer for the token request. The Issuer must support OpenID discovery to discover the token endpoint. |
+| config.accessToken.source.fileToken.noReuseToken | bool | `false` | noReuseToken if enabled disables reuse of tokens while they're still valid. |
+| config.accessToken.source.fileToken.tokenPath | string | `""` | tokenPath is the path to the source jwt token. |
+| config.events.enabled | bool | `false` | enabled enables NATS event-based functions. |
+| config.events.nats.credsFile | string | `""` | credsFile path to NATS credentials file |
+| config.events.nats.publishPrefix | string | `""` | publishPrefix NATS publish prefix to use. |
+| config.events.nats.publishTopic | string | `""` | publishTopic NATS publihs topic to use. |
+| config.events.nats.token | string | `""` | token NATS user token to use. |
+| config.events.nats.url | string | `""` | url NATS server url to use. |
+| config.jwt.issuer | string | `""` | issuer Issuer to use for JWT validation. |
+| config.jwt.jwksURI | string | `""` | jwksURI JWKS URI to use for JWT validation. |
+| config.permissions.host | string | `""` | host permissions-api host to use. |
+| config.tracing.enabled | bool | `false` | enabled initializes otel tracing. |
+| config.tracing.insecure | bool | `false` | insecure if TLS should be disabled. |
+| config.tracing.url | string | `""` | url gRPC URL for OpenTelemetry collector. |
+| image.pullPolicy | string | `"IfNotPresent"` | pullPolicy is the image pull policy for the service image |
+| image.repository | string | `"ghcr.io/infratographer/iam-runtime-infratographer"` | repository is the image repository to pull the image from |
+| image.tag | string | `""` | tag is the image tag to use. Defaults to the chart's app version |
+| resources | object | `{}` | resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
+| restartPolicy | string | `""` | restartPolicy set to Always if using with initContainers on kube 1.29 and up with the SideContainer feature flag enabled. ref: https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/#sidecar-containers-and-pod-lifecycle |
+| securityContext | object | `{"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532}` | securityContext configures the container's security context. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
+| volumeMounts | object | `{}` | volumeMounts define additional volume mounts to include with the container ref: https://kubernetes.io/docs/concepts/storage/volumes/ |
+

chart/iam-runtime-infratographer/README.md.gotmpl

@@ -0,0 +1,50 @@
+{{ template "chart.header" . }}
+{{ template "chart.description" . }}
+
+{{ template "chart.versionBadge" .  }}{{ template "chart.typeBadge" .  }}{{ template "chart.appVersionBadge" .  }}
+
+## Example deployment
+
+Helm chart repository: https://infratographer.github.io/charts
+
+```yaml
+# file: templates/deployment.yaml
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: example-app
+spec:
+  replicas: 1
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      app: example-app
+  template:
+    metadata:
+      annotations: {{ `{{- include "iam-runtime-infratographer.annotations" $ | nindent 8 }}` }}
+      labels:
+        app: example-app
+    spec:
+      containers:
+        - name: example-app
+          image: {{ `{{ .Values.deployment.image }}` }}
+          volumeMounts: {{ `{{- include "iam-runtime-infratographer.volumeMounts" $ | nindent 12 }}` }}
+        - {{ `{{- include "iam-runtime-infratographer.container" $ | nindent 10 }}` }}
+      volumes: {{ `{{- include "iam-runtime-infratographer.volumes" $ | nindent 8 }}` }}
+# file: values.yaml
+---
+iam-runtime-infratographer:
+  config:
+    permissions:
+      host: permissions-api.internal.example.net
+    jwt:
+      jwksuri: https://iam.example.com/jwks.json
+      issuer: https://iam.example.com/
+```
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "chart.valuesSection" . }}
+
+{{ template "helm-docs.versionFooter" . }}

chart/iam-runtime-infratographer/values.yaml

@@ -1,12 +1,85 @@
 ---
-config: {}
 image:
-  # repository is the image repository to pull the image from
+  # -- repository is the image repository to pull the image from
   repository: ghcr.io/infratographer/iam-runtime-infratographer
-  # pullPolicy is the image pull policy for the service image
+  # -- pullPolicy is the image pull policy for the service image
   pullPolicy: IfNotPresent
-  # tag is the image tag to use. Defaults to the chart's app version
+  # -- tag is the image tag to use. Defaults to the chart's app version
   tag: ""
+
+config:
+  jwt:
+    # -- issuer Issuer to use for JWT validation.
+    issuer: ""
+    # -- jwksURI JWKS URI to use for JWT validation.
+    jwksURI: ""
+  permissions:
+    # -- host permissions-api host to use.
+    host: ""
+  events:
+    # -- enabled enables NATS event-based functions.
+    enabled: false
+    nats:
+      # -- url NATS server url to use.
+      url: ""
+      # -- publishPrefix NATS publish prefix to use.
+      publishPrefix: ""
+      # -- publishTopic NATS publihs topic to use.
+      publishTopic: ""
+      # -- token NATS user token to use.
+      token: ""
+      # -- credsFile path to NATS credentials file
+      credsFile: ""
+  tracing:
+    # -- enabled initializes otel tracing.
+    enabled: false
+    # -- url gRPC URL for OpenTelemetry collector.
+    url: ""
+    # -- insecure if TLS should be disabled.
+    insecure: false
+  accessToken:
+    # -- enabled configures the access token source for GetAccessToken requests.
+    enabled: false
+    source:
+      fileToken:
+        # -- tokenPath is the path to the source jwt token.
+        tokenPath: ""
+        # -- noReuseToken if enabled disables reuse of tokens while they're still valid.
+        noReuseToken: false
+      clientCredentials:
+        # -- issuer specifies the URL for the issuer for the token request.
+        # The Issuer must support OpenID discovery to discover the token endpoint.
+        issuer: ""
+        # -- clientID is the client credentials id which is used to retrieve a token from the issuer.
+        clientID: ""
+        # -- clientSecret is the client credentials secret which is used to retrieve a token from the issuer.
+        clientSecret: ""
+    exchange:
+      # -- issuer specifies the URL for the issuer for the exchanged token.
+      # The Issuer must support OpenID discovery to discover the token endpoint.
+      issuer: ""
+      # -- grantType configures the grant type
+      # @default -- urn:ietf:params:oauth:grant-type:token-exchange
+      grantType: ""
+      # -- tokenType configures the token type
+      # @default -- urn:ietf:params:oauth:token-type:jwt
+      tokenType: ""
+
+# -- restartPolicy set to Always if using with initContainers on kube 1.29 and up
+# with the SideContainer feature flag enabled.
+# ref: https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/#sidecar-containers-and-pod-lifecycle
+restartPolicy: ""
+
+# -- volumeMounts define additional volume mounts to include with the container
+# ref: https://kubernetes.io/docs/concepts/storage/volumes/
+volumeMounts: {}
+
+# -- resource limits & requests
+# ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+resources: {}
+
+# -- securityContext configures the container's security context.
+# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 securityContext:
   capabilities:
     drop: