Merge pull request #49 from xentra-ai/charts

feat: add helm chart

.github/workflows/charts-lint.yaml

@@ -0,0 +1,51 @@
+name: Lint and Test Charts
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - '.github/workflows/charts-lint.yaml'
+      - 'charts/**'
+
+jobs:
+  lint-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/[email protected]
+        with:
+          version: v3.14.4
+
+      - uses: actions/setup-python@v4
+        with:
+          python-version: '3.x'
+          check-latest: true
+
+      - name: Set up chart-testing
+        uses: helm/[email protected]
+
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
+          if [[ -n "$changed" ]]; then
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Run chart-testing (lint)
+        if: steps.list-changed.outputs.changed == 'true'
+        run: ct lint --target-branch ${{ github.event.repository.default_branch }}
+
+      - name: Create kind cluster
+        if: steps.list-changed.outputs.changed == 'true'
+        uses: helm/[email protected]
+
+      - name: Run chart-testing (install)
+        if: steps.list-changed.outputs.changed == 'true'
+        run: ct install --target-branch ${{ github.event.repository.default_branch }}

.github/workflows/charts-readme-docs.yaml

@@ -0,0 +1,39 @@
+name: "Charts: Update README"
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - '.github/workflows/charts-readme-docs.yaml'
+      - 'charts/**'
+
+env:
+  HELM_DOCS_VERSION: 1.11.2
+
+jobs:
+  chart-readme:
+    name: Update README
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+
+      - name: install helm-docs
+        run: |
+          cd /tmp
+          wget https://github.com/norwoodj/helm-docs/releases/download/v${{env.HELM_DOCS_VERSION}}/helm-docs_Linux_x86_64.tar.gz
+          tar -xvf helm-docs_Linux_x86_64.tar.gz
+          sudo mv helm-docs /usr/local/sbin
+
+      - name: run helm-docs
+        run: |
+          helm-docs -t README.md.gotmpl -o README.md
+
+      - name: Commit changes
+        uses: stefanzweifel/git-auto-commit-action@v4
+        id: auto-commit
+        with:
+          branch: ${{ github.event.pull_request.head.ref }}

.github/workflows/charts-release-ghpages.yaml

@@ -0,0 +1,54 @@
+name: "Charts: Release to GHCR OCI"
+
+on:
+  workflow_dispatch: {}
+  push:
+    branches:
+      - main
+    paths:
+      - '.github/workflows/charts-release-ghpages.yaml'
+      - 'charts/**'
+
+env:
+  CHARTS_SRC_DIR: "charts"
+  TARGET_REGISTRY: ghcr.io
+
+jobs:
+  release-charts:
+    name: Release Charts
+    runs-on: ubuntu-latest
+    permissions: write-all
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "[email protected]"
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.TARGET_REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install Helm
+        uses: azure/setup-helm@v3
+
+      - name: Run chart-releaser
+        uses: helm/[email protected]
+        with:
+          charts_dir: ${{ env.CHARTS_SRC_DIR }}
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Publish Helm Chart to GHCR
+        run: |
+          helm package charts/kube-guardian
+          helm push kube-guardian-*.tgz oci://${{ env.TARGET_REGISTRY }}/${{ github.repository_owner }}/charts
+        env:
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

charts/kube-guardian/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/kube-guardian/Chart.yaml

@@ -0,0 +1,36 @@
+apiVersion: v2
+name: kube-guardian
+description: A Helm chart for Kubernetes
+home: https://xentra.ai/
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.0.8
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
+kubeVersion: ">= 1.18.0-0"
+
+keywords:
+  - BPF
+  - eBPF
+  - Kubernetes
+  - Networking
+  - Security
+  - Observability
+  - Troubleshooting
+
+sources:
+  - https://github.com/xentra-ai/charts
+
+maintainers:
+  # Mahesh Rayas
+  - name: maheshrayas
+    email: [email protected]
+  # Michael Fornaro
+  - name: xunholy
+    email: [email protected]

charts/kube-guardian/README.md

@@ -0,0 +1,175 @@
+# Xentra Helm Chart
+
+This chart bootstraps the [Xentra]() controlplane onto a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+![Version: 0.0.8](https://img.shields.io/badge/Version-0.0.8-informational?style=flat-square)
+
+## Overview
+
+This Helm chart deploys:
+
+- A Xentra control plane configured to your specifications
+- Additional features and components (optional)
+
+## Prerequisites
+
+- Kubernetes 1.19+
+- Helm 3.0+
+
+**Note:** *If you're using cilium ensure the following setting is set otherwise PodIPs are not correctly aggregated when determining traffic origin and desgination: `bpf.masquerade: false`*
+
+## Install the Chart
+
+To install the chart with the release name `my-release`:
+
+Add the chart repo
+
+```bash
+helm repo add xentra https://xentra-ai.github.io/charts
+```
+
+You can then run `helm search repo xentra` to search the charts.
+
+Install chart using Helm v3.0+
+
+```bash
+helm install kube-guardian xentra/kube-guardian --namespace kube-guardian --create-namespace
+```
+
+If you want to use the OCI variant of the helm chart, you can use the following command:
+
+```bash
+helm template kube-guardian oci://ghcr.io/xentra-ai/charts/kube-guardian --namespace kube-guardian --create-namespace
+```
+
+**Note:** *If you have the [Pod Securty Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) enabled for your cluster you will need to add the following annotation to the namespace that the chart is deployed*
+
+Example:
+
+```yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/warn: privileged
+  name: kube-guardian
+```
+
+## Directory Structure
+
+The following shows the directory structure of the Helm chart.
+
+```bash
+charts/xentra/
+├── .helmignore   # Contains patterns to ignore when packaging Helm charts.
+├── Chart.yaml    # Information about your chart
+├── values.yaml   # The default values for your templates
+├── charts/       # Charts that this chart depends on
+└── templates/    # The template files
+    └── tests/    # The test files
+```
+
+## Configuration
+
+The following table lists the configurable parameters of the Xentra chart and their default values.
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| broker.affinity | object | `{}` |  |
+| broker.autoscaling.enabled | bool | `false` |  |
+| broker.autoscaling.maxReplicas | int | `100` |  |
+| broker.autoscaling.minReplicas | int | `1` |  |
+| broker.autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
+| broker.container.port | int | `9090` |  |
+| broker.fullnameOverride | string | `""` |  |
+| broker.image.pullPolicy | string | `"Always"` |  |
+| broker.image.repository | string | `"ghcr.io/xentra-ai/images/guardian-broker"` |  |
+| broker.image.sha | string | `""` |  |
+| broker.image.tag | string | `"latest"` |  |
+| broker.imagePullSecrets | list | `[]` |  |
+| broker.nameOverride | string | `""` |  |
+| broker.nodeSelector | object | `{"kubernetes.io/arch":"amd64"}` | Node labels for the kube-guardian broker pod assignment |
+| broker.podAnnotations | object | `{}` |  |
+| broker.podSecurityContext | object | `{}` |  |
+| broker.priorityClassName | string | `""` |  |
+| broker.replicaCount | int | `1` | Number of broker replicas to deploy |
+| broker.resources | object | `{}` |  |
+| broker.securityContext | object | `{}` |  |
+| broker.service.name | string | `"broker"` |  |
+| broker.service.port | int | `9090` |  |
+| broker.service.type | string | `"ClusterIP"` |  |
+| broker.serviceAccount.annotations | object | `{}` |  |
+| broker.serviceAccount.automountServiceAccountToken | bool | `false` |  |
+| broker.serviceAccount.create | bool | `true` |  |
+| broker.serviceAccount.name | string | `""` |  |
+| broker.tolerations | list | `[]` | Tolerations for the kube-guardian broker pod assignment |
+| controller.affinity | object | `{}` |  |
+| controller.autoscaling.enabled | bool | `false` |  |
+| controller.autoscaling.maxReplicas | int | `100` |  |
+| controller.autoscaling.minReplicas | int | `1` |  |
+| controller.autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
+| controller.fullnameOverride | string | `""` |  |
+| controller.image.pullPolicy | string | `"Always"` |  |
+| controller.image.repository | string | `"ghcr.io/xentra-ai/images/guardian-controller"` |  |
+| controller.image.sha | string | `""` | Overrides the image tag. |
+| controller.image.tag | string | `"edge"` |  |
+| controller.imagePullSecrets | list | `[]` |  |
+| controller.nameOverride | string | `""` |  |
+| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for the kube-guardian controller pod assignment |
+| controller.podAnnotations | object | `{}` |  |
+| controller.podSecurityContext | object | `{}` |  |
+| controller.priorityClassName | string | `""` | Priority class to be used for the kube-guardian controller pods |
+| controller.resources | object | `{}` |  |
+| controller.securityContext | object | `{}` |  |
+| controller.service.port | int | `80` |  |
+| controller.service.type | string | `"ClusterIP"` |  |
+| controller.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
+| controller.serviceAccount.automountServiceAccountToken | bool | `false` | Automount API credentials for a service account |
+| controller.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| controller.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
+| controller.tolerations | list | `[{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane","operator":"Exists"}]` | Tolerations for the kube-guardian controller pod assignment |
+| database.affinity | object | `{}` |  |
+| database.autoscaling.enabled | bool | `false` |  |
+| database.autoscaling.maxReplicas | int | `100` |  |
+| database.autoscaling.minReplicas | int | `1` |  |
+| database.autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
+| database.container.port | int | `5432` |  |
+| database.fullnameOverride | string | `""` |  |
+| database.image.pullPolicy | string | `"Always"` |  |
+| database.image.repository | string | `"postgres"` |  |
+| database.image.sha | string | `""` |  |
+| database.image.tag | string | `"latest"` |  |
+| database.imagePullSecrets | list | `[]` |  |
+| database.name | string | `"guardian-db"` |  |
+| database.nameOverride | string | `""` |  |
+| database.nodeSelector | object | `{}` | Node labels for the kube-guardian database pod assignment |
+| database.persistence.enabled | bool | `false` |  |
+| database.persistence.existingClaim | string | `""` |  |
+| database.podAnnotations | object | `{}` |  |
+| database.podSecurityContext | object | `{}` |  |
+| database.priorityClassName | string | `""` | Priority class to be used for the kube-guardian database pods |
+| database.resources | object | `{}` |  |
+| database.securityContext | object | `{}` |  |
+| database.service.name | string | `"guardian-db"` |  |
+| database.service.port | int | `80` |  |
+| database.service.type | string | `"ClusterIP"` |  |
+| database.serviceAccount.annotations | object | `{}` |  |
+| database.serviceAccount.automountServiceAccountToken | bool | `false` |  |
+| database.serviceAccount.create | bool | `true` |  |
+| database.serviceAccount.name | string | `""` |  |
+| database.tolerations | list | `[]` | Tolerations for the kube-guardian database pod assignment |
+| global.annotations | object | `{"foo":"bar"}` | Annotations to apply to all resources |
+| global.labels | object | `{}` | Labels to apply to all resources |
+| global.priorityClassName | string | `""` | Priority class to be used for the kube-guardian pods |
+| namespace.annotations | object | `{}` | Annotations to add to the namespace |
+| namespace.labels | object | `{}` | Labels to add to the namespace |
+| namespace.name | string | `""` |  |
+
+## Uninstalling the Chart
+
+To uninstall/delete the my-release deployment:
+
+```bash
+helm uninstall my-release
+```