From 2d93ffc9aff593533523e3d69da7e79e51adb849 Mon Sep 17 00:00:00 2001 From: Mike Mason Date: Fri, 3 May 2024 15:30:04 -0500 Subject: [PATCH] add helm docs Signed-off-by: Mike Mason --- .github/workflows/helm.yml | 47 +++++++++++ .github/workflows/lint-helm.yml | 20 ----- Makefile | 12 ++- README.md | 2 + chart/iam-runtime-infratographer/README.md | 83 +++++++++++++++++++ .../README.md.gotmpl | 50 +++++++++++ chart/iam-runtime-infratographer/values.yaml | 81 +++++++++++++++++- 7 files changed, 270 insertions(+), 25 deletions(-) create mode 100644 .github/workflows/helm.yml delete mode 100644 .github/workflows/lint-helm.yml create mode 100644 chart/iam-runtime-infratographer/README.md create mode 100644 chart/iam-runtime-infratographer/README.md.gotmpl diff --git a/.github/workflows/helm.yml b/.github/workflows/helm.yml new file mode 100644 index 00000000..182324c8 --- /dev/null +++ b/.github/workflows/helm.yml @@ -0,0 +1,47 @@ +name: Helm lint and docs +on: + push: + pull_request: +permissions: + contents: read + pull-requests: read +jobs: + helm-lint: + name: lint + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Setup Helm + uses: azure/setup-helm@v3.5 + + - name: Run helm lint + run: helm lint chart/iam-runtime-infratographer + helm-docs: + needs: helm-lint + runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Setup Go + uses: actions/setup-go@v5 + with: + go-version-file: go.mod + + - name: Update docs + run: make docs + + - uses: stefanzweifel/git-auto-commit-action@v5 + with: + commit_message: Helm docs updated + commit_options: '--no-verify --signoff' + file_pattern: 'chart/*/*.md' + skip_dirty_check: true + skip_fetch: true + skip_checkout: true diff --git a/.github/workflows/lint-helm.yml b/.github/workflows/lint-helm.yml deleted file mode 100644 index 93b5d32b..00000000 --- a/.github/workflows/lint-helm.yml +++ /dev/null @@ -1,20 +0,0 @@ -name: Lint - Helm -on: - push: - pull_request: -permissions: - contents: read - pull-requests: read -jobs: - helm-lint: - name: lint - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Setup Helm - uses: azure/setup-helm@v3.5 - - - name: Run helm lint - run: helm lint chart/permissions-api diff --git a/Makefile b/Makefile index 09bf5b4b..3b031bda 100644 --- a/Makefile +++ b/Makefile @@ -6,8 +6,11 @@ GOARCH ?= amd64 GOLANGCI_LINT_REPO = github.com/golangci/golangci-lint GOLANGCI_LINT_VERSION = v1.56.1 +HELM_DOCS_REPO = github.com/norwoodj/helm-docs +HELM_DOCS_VERSION = v1.13.1 + all: test build -PHONY: test coverage lint golint clean vendor docker-up docker-down unit-test +PHONY: test coverage lint docs test: | lint @echo Running tests... @@ -20,6 +23,9 @@ lint: $(TOOLS_DIR)/golangci-lint build: @CGO_ENABLED=0 GOOS=$(GOOS) GOARCH=$(GOARCH) go build -mod=readonly -v +docs: $(TOOLS_DIR)/helm-docs + $(TOOLS_DIR)/helm-docs --chart-search-root ./chart/ + go-dependencies: @go mod download @go mod tidy @@ -30,3 +36,7 @@ $(TOOLS_DIR): $(TOOLS_DIR)/golangci-lint: | $(TOOLS_DIR) @echo "Installing $(GOLANGCI_LINT_REPO)/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION)" @GOBIN=$(ROOT_DIR)/$(TOOLS_DIR) go install $(GOLANGCI_LINT_REPO)/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION) + +$(TOOLS_DIR)/helm-docs: | $(TOOLS_DIR) + @echo "Installing $(HELM_DOCS_REPO)/cmd/helm-docs@$(HELM_DOCS_VERSION)" + @GOBIN=$(ROOT_DIR)/$(TOOLS_DIR) go install $(HELM_DOCS_REPO)/cmd/helm-docs@$(HELM_DOCS_VERSION) diff --git a/README.md b/README.md index 6d93fe73..8a60c7f3 100644 --- a/README.md +++ b/README.md @@ -25,6 +25,8 @@ iam-runtime-infratographer can be configured using either a config file, command Below provides an example of adding the IAM runtime as a sidecar to your app deployment. +Alternatively you could use the [helm chart](./chart/iam-runtime-infratographer/). + ```yaml --- apiVersion: v1 diff --git a/chart/iam-runtime-infratographer/README.md b/chart/iam-runtime-infratographer/README.md new file mode 100644 index 00000000..902954cb --- /dev/null +++ b/chart/iam-runtime-infratographer/README.md @@ -0,0 +1,83 @@ +# iam-runtime-infratographer + +Functions which assist in deploying iam-runtime-infratographer with your app. + +![Version: v0.0.1](https://img.shields.io/badge/Version-v0.0.1-informational?style=flat-square) ![AppVersion: v0.0.1](https://img.shields.io/badge/AppVersion-v0.0.1-informational?style=flat-square) + +## Example deployment + +```yaml +# file: templates/deployment.yaml +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: example-app +spec: + replicas: 1 + revisionHistoryLimit: 1 + selector: + matchLabels: + app: example-app + template: + metadata: + annotations: {{- include "iam-runtime-infratographer.annotations" $ | nindent 8 }} + labels: + app: example-app + spec: + containers: + - name: example-app + image: {{ .Values.deployment.image }} + volumeMounts: {{- include "iam-runtime-infratographer.volumeMounts" $ | nindent 12 }} + - {{- include "iam-runtime-infratographer.container" $ | nindent 10 }} + volumes: {{- include "iam-runtime-infratographer.volumes" $ | nindent 8 }} +# file: values.yaml +--- +iam-runtime-infratographer: + config: + permissions: + host: permissions-api.internal.example.net + jwt: + jwksuri: https://iam.example.com/jwks.json + issuer: https://iam.example.com/ +``` + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| https://charts.bitnami.com/bitnami | common | 2.18.0 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| config.accessToken.enabled | bool | `false` | enabled configures the access token source for GetAccessToken requests. | +| config.accessToken.exchange.grantType | string | urn:ietf:params:oauth:grant-type:token-exchange | grantType configures the grant type | +| config.accessToken.exchange.issuer | string | `""` | issuer specifies the URL for the issuer for the exchanged token. The Issuer must support OpenID discovery to discover the token endpoint. | +| config.accessToken.exchange.tokenType | string | urn:ietf:params:oauth:token-type:jwt | tokenType configures the token type | +| config.accessToken.source.clientCredentials.clientID | string | `""` | clientID is the client credentials id which is used to retrieve a token from the issuer. | +| config.accessToken.source.clientCredentials.clientSecret | string | `""` | clientSecret is the client credentials secret which is used to retrieve a token from the issuer. | +| config.accessToken.source.clientCredentials.issuer | string | `""` | issuer specifies the URL for the issuer for the token request. The Issuer must support OpenID discovery to discover the token endpoint. | +| config.accessToken.source.fileToken.noReuseToken | bool | `false` | noReuseToken if enabled disables reuse of tokens while they're still valid. | +| config.accessToken.source.fileToken.tokenPath | string | `""` | tokenPath is the path to the source jwt token. | +| config.events.enabled | bool | `false` | enabled enables NATS event-based functions. | +| config.events.nats.credsFile | string | `""` | credsFile path to NATS credentials file | +| config.events.nats.publishPrefix | string | `""` | publishPrefix NATS publish prefix to use. | +| config.events.nats.publishTopic | string | `""` | publishTopic NATS publihs topic to use. | +| config.events.nats.token | string | `""` | token NATS user token to use. | +| config.events.nats.url | string | `""` | url NATS server url to use. | +| config.jwt.issuer | string | `""` | issuer Issuer to use for JWT validation. | +| config.jwt.jwksURI | string | `""` | jwksURI JWKS URI to use for JWT validation. | +| config.permissions.host | string | `""` | host permissions-api host to use. | +| config.tracing.enabled | bool | `false` | enabled initializes otel tracing. | +| config.tracing.insecure | bool | `false` | insecure if TLS should be disabled. | +| config.tracing.url | string | `""` | url gRPC URL for OpenTelemetry collector. | +| image.pullPolicy | string | `"IfNotPresent"` | pullPolicy is the image pull policy for the service image | +| image.repository | string | `"ghcr.io/infratographer/iam-runtime-infratographer"` | repository is the image repository to pull the image from | +| image.tag | string | `""` | tag is the image tag to use. Defaults to the chart's app version | +| resources | object | `{}` | resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | +| restartPolicy | string | `""` | restartPolicy set to Always if using with initContainers on kube 1.29 and up with the SideContainer feature flag enabled. ref: https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/#sidecar-containers-and-pod-lifecycle | +| securityContext | object | `{"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532}` | securityContext configures the container's security context. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ | +| volumeMounts | object | `{}` | volumeMounts define additional volume mounts to include with the container ref: https://kubernetes.io/docs/concepts/storage/volumes/ | + diff --git a/chart/iam-runtime-infratographer/README.md.gotmpl b/chart/iam-runtime-infratographer/README.md.gotmpl new file mode 100644 index 00000000..a7009175 --- /dev/null +++ b/chart/iam-runtime-infratographer/README.md.gotmpl @@ -0,0 +1,50 @@ +{{ template "chart.header" . }} +{{ template "chart.description" . }} + +{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }} + +## Example deployment + +Helm chart repository: https://infratographer.github.io/charts + +```yaml +# file: templates/deployment.yaml +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: example-app +spec: + replicas: 1 + revisionHistoryLimit: 1 + selector: + matchLabels: + app: example-app + template: + metadata: + annotations: {{ `{{- include "iam-runtime-infratographer.annotations" $ | nindent 8 }}` }} + labels: + app: example-app + spec: + containers: + - name: example-app + image: {{ `{{ .Values.deployment.image }}` }} + volumeMounts: {{ `{{- include "iam-runtime-infratographer.volumeMounts" $ | nindent 12 }}` }} + - {{ `{{- include "iam-runtime-infratographer.container" $ | nindent 10 }}` }} + volumes: {{ `{{- include "iam-runtime-infratographer.volumes" $ | nindent 8 }}` }} +# file: values.yaml +--- +iam-runtime-infratographer: + config: + permissions: + host: permissions-api.internal.example.net + jwt: + jwksuri: https://iam.example.com/jwks.json + issuer: https://iam.example.com/ +``` + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/chart/iam-runtime-infratographer/values.yaml b/chart/iam-runtime-infratographer/values.yaml index 391b74d1..05972855 100644 --- a/chart/iam-runtime-infratographer/values.yaml +++ b/chart/iam-runtime-infratographer/values.yaml @@ -1,12 +1,85 @@ --- -config: {} image: - # repository is the image repository to pull the image from + # -- repository is the image repository to pull the image from repository: ghcr.io/infratographer/iam-runtime-infratographer - # pullPolicy is the image pull policy for the service image + # -- pullPolicy is the image pull policy for the service image pullPolicy: IfNotPresent - # tag is the image tag to use. Defaults to the chart's app version + # -- tag is the image tag to use. Defaults to the chart's app version tag: "" + +config: + jwt: + # -- issuer Issuer to use for JWT validation. + issuer: "" + # -- jwksURI JWKS URI to use for JWT validation. + jwksURI: "" + permissions: + # -- host permissions-api host to use. + host: "" + events: + # -- enabled enables NATS event-based functions. + enabled: false + nats: + # -- url NATS server url to use. + url: "" + # -- publishPrefix NATS publish prefix to use. + publishPrefix: "" + # -- publishTopic NATS publihs topic to use. + publishTopic: "" + # -- token NATS user token to use. + token: "" + # -- credsFile path to NATS credentials file + credsFile: "" + tracing: + # -- enabled initializes otel tracing. + enabled: false + # -- url gRPC URL for OpenTelemetry collector. + url: "" + # -- insecure if TLS should be disabled. + insecure: false + accessToken: + # -- enabled configures the access token source for GetAccessToken requests. + enabled: false + source: + fileToken: + # -- tokenPath is the path to the source jwt token. + tokenPath: "" + # -- noReuseToken if enabled disables reuse of tokens while they're still valid. + noReuseToken: false + clientCredentials: + # -- issuer specifies the URL for the issuer for the token request. + # The Issuer must support OpenID discovery to discover the token endpoint. + issuer: "" + # -- clientID is the client credentials id which is used to retrieve a token from the issuer. + clientID: "" + # -- clientSecret is the client credentials secret which is used to retrieve a token from the issuer. + clientSecret: "" + exchange: + # -- issuer specifies the URL for the issuer for the exchanged token. + # The Issuer must support OpenID discovery to discover the token endpoint. + issuer: "" + # -- grantType configures the grant type + # @default -- urn:ietf:params:oauth:grant-type:token-exchange + grantType: "" + # -- tokenType configures the token type + # @default -- urn:ietf:params:oauth:token-type:jwt + tokenType: "" + +# -- restartPolicy set to Always if using with initContainers on kube 1.29 and up +# with the SideContainer feature flag enabled. +# ref: https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/#sidecar-containers-and-pod-lifecycle +restartPolicy: "" + +# -- volumeMounts define additional volume mounts to include with the container +# ref: https://kubernetes.io/docs/concepts/storage/volumes/ +volumeMounts: {} + +# -- resource limits & requests +# ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +resources: {} + +# -- securityContext configures the container's security context. +# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ securityContext: capabilities: drop: