Merge pull request #6 from philips-labs/spire-chart

Spire chart and spire-client-example

.github/README.md.tmpl

@@ -0,0 +1,19 @@
+{{ template "chart.header" . }}
+
+<!-- This README.md is generated. -->
+
+{{ template "chart.deprecationWarning" . }}
+
+{{ template "chart.badgesSection" . }}
+
+{{ template "chart.description" . }}
+
+{{ template "chart.homepageLine" . }}
+
+{{ template "chart.maintainersSection" . }}
+
+{{ template "chart.sourcesSection" . }}
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "chart.valuesSection" . }}

.github/helm-docs.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+SCRIPTPATH=$(dirname "$0")
+HELM_DOCS_VERSION="1.5.0"
+
+function install_helm_docs {
+  case "$(uname -s)" in
+    Linux*)
+      machine=Linux
+      shasum=sha256sum
+      ;;
+    Darwin*)
+      machine=Darwin
+      shasum=shasum
+      ;;
+    esac
+
+    curl -LO https://github.com/norwoodj/helm-docs/releases/download/v"${HELM_DOCS_VERSION}"/helm-docs_"${HELM_DOCS_VERSION}"_${machine}_x86_64.tar.gz
+    curl -L --output /tmp/checksums_helm-docs.txt https://github.com/norwoodj/helm-docs/releases/download/v${HELM_DOCS_VERSION}/checksums.txt
+    cat /tmp/checksums_helm-docs.txt | grep helm-docs_${HELM_DOCS_VERSION}_${machine}_x86_64.tar.gz | $shasum -c -
+    mkdir -p $SCRIPTPATH/bin
+    tar -xf helm-docs_"${HELM_DOCS_VERSION}"_${machine}_x86_64.tar.gz helm-docs
+    mv helm-docs $SCRIPTPATH/bin/
+    rm helm-docs_"${HELM_DOCS_VERSION}"_${machine}_x86_64.tar.gz
+}
+
+if [ ! -f "$SCRIPTPATH/bin/helm-docs" ] ; then
+  install_helm_docs
+elif [[ ! "$($SCRIPTPATH/bin/helm-docs --version)" =~ .*"$HELM_DOCS_VERSION".* ]] ; then
+  install_helm_docs
+else
+  echo "Using '$($SCRIPTPATH/bin/helm-docs --version)'"
+fi
+
+# validate docs
+$SCRIPTPATH/bin/helm-docs -t $SCRIPTPATH/README.md.tmpl
+git diff --exit-code

.github/kubeval.sh

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+SCRIPTPATH=$(dirname "$0")
+KUBEVAL_VERSION="0.15.0"
+
+function install_kubeval {
+  case "$(uname -s)" in
+    Linux*)
+      machine=linux
+      shasum=sha256sum
+      ;;
+    Darwin*)
+      machine=darwin
+      shasum=shasum
+      ;;
+    esac
+
+    curl -LO https://github.com/instrumenta/kubeval/releases/download/"${KUBEVAL_VERSION}"/kubeval-${machine}-amd64.tar.gz
+    curl -L --output /tmp/checksums_kubeval.txt https://github.com/instrumenta/kubeval/releases/download/${KUBEVAL_VERSION}/checksums.txt
+    cat /tmp/checksums_kubeval.txt | grep kubeval-${machine}-amd64.tar.gz | $shasum -c -
+    mkdir -p $SCRIPTPATH/bin
+    tar -xf kubeval-${machine}-amd64.tar.gz kubeval
+    mv kubeval $SCRIPTPATH/bin/
+    rm kubeval-${machine}-amd64.tar.gz
+}
+
+if [ ! -f "$SCRIPTPATH/bin/kubeval" ] ; then
+  install_kubeval
+elif [[ ! "$($SCRIPTPATH/bin/kubeval --version)" =~ .*"$KUBEVAL_VERSION".* ]] ; then
+  install_kubeval
+else
+  echo "Using '$($SCRIPTPATH/bin/kubeval --version)'"
+fi
+
+SCHEMA_LOCATION="https://raw.githubusercontent.com/instrumenta/kubernetes-json-schema/master/"
+
+for chart in $(ls -d charts/* | grep -v dctna) ; do
+  helm dependency update $chart
+  helm template $chart | $SCRIPTPATH/bin/kubeval --strict --ignore-missing-schemas --kubernetes-version "${KUBERNETES_VERSION#v}" --schema-location "${SCHEMA_LOCATION}"
+done

.github/local-helm-repo.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+SCRIPTPATH=$(dirname "$0")
+
+function install_chartmuseum {
+  curl https://raw.githubusercontent.com/helm/chartmuseum/main/scripts/get-chartmuseum | bash
+}
+
+if [ ! -f "/usr/local/bin/chartmuseum" ] ; then
+  install_chartmuseum
+else
+  echo "Using '$(/usr/bin/chartmuseum --version)'"
+fi
+
+chartmuseum --debug --port=8879 \
+  --storage="local" \
+  --storage-local-rootdir="./chartmuseum" &
+
+sleep 1
+
+helm repo add philips-labs http://127.0.0.1:8879
+
+for chart in $(ls -d charts/* | grep -v dctna); do
+  helm package -u $chart
+  chart_package=$(ls -f | grep "${chart#*/}")
+  curl --data-binary "@$chart_package" http://localhost:8879/api/charts
+  rm -rf $chart_package
+done

.github/workflows/ci.yml

@@ -0,0 +1,95 @@
+name: Continuous Integration
+
+on:
+  push:
+    paths:
+      - 'charts/**'
+  pull_request:
+    paths:
+      - 'charts/**'
+
+jobs:
+  lint-chart:
+    runs-on: ubuntu-20.04
+    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository
+
+    steps:
+      - name: Checkout
+        uses: actions/[email protected]
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v1
+        with:
+          version: v3.5.0
+
+      - name: Set up Python
+        uses: actions/[email protected]
+        with:
+          python-version: 3.7
+
+      - name: Setup chart-testing
+        uses: helm/[email protected]
+        with:
+          version: v3.3.1
+
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          changed=$(ct list-changed --target-branch main)
+          if [[ -n "$changed" ]]; then
+            echo "::set-output name=changed::true"
+          fi
+
+      - name: Host charts localhost
+        if: ${{ steps.list-changed.outputs.changed }}
+        run: .github/local-helm-repo.sh
+
+      - name: Run chart-testing (lint)
+        run: |
+          ct lint --debug \
+            --target-branch main \
+            --chart-repos philips-labs=http://127.0.0.1:8879
+
+      - name: Shutdown chartmuseum
+        if: ${{ always() }}
+        run: |
+          killall chartmuseum
+
+      - name: Run helm-docs
+        run: .github/helm-docs.sh
+
+    outputs:
+      changed: ${{ steps.list-changed.outputs.changed }}
+
+  kubeval-chart:
+    runs-on: ubuntu-20.04
+    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository
+    needs:
+      - lint-chart
+    strategy:
+      matrix:
+        k8s:
+          - v1.15.7
+          - v1.16.4
+          - v1.17.4
+          - v1.18.1
+          - v1.19.3
+    steps:
+      - name: Checkout
+        uses: actions/[email protected]
+
+      - name: Host charts localhost
+        if: ${{ needs.lint-chart.outputs.changed }}
+        run: .github/local-helm-repo.sh
+
+      - name: Run kubeval
+        env:
+          KUBERNETES_VERSION: ${{ matrix.k8s }}
+        run: .github/kubeval.sh
+
+      - name: Shutdown chartmuseum
+        if: ${{ always() }}
+        run: |
+          killall chartmuseum

.gitignore

@@ -0,0 +1,2 @@
+.github/bin/
+chartmuseum/

.helmdocsignore

@@ -0,0 +1 @@
+charts/dctna

charts/spire-client-example/.gitignore

@@ -0,0 +1 @@
+charts/*.tgz

charts/spire-client-example/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/spire-client-example/Chart.yaml

@@ -0,0 +1,15 @@
+apiVersion: v2
+name: spire-client-example
+description: A Helm chart for deploying a spire workload as example.
+type: application
+version: 0.1.0
+appVersion: "0.12.0"
+keywords: ["spiffe", "spire", "client", "example"]
+home: https://github.com/philips-labs/helm-charts/charts/spire-client-example
+sources:
+  - https://github.com/philips-labs/helm-charts/charts/spire-client-example
+maintainers:
+  - name: marcofranssen
+    email: [email protected]
+    url: https://marcofranssen.nl
+kubeVersion: ">=1.19.0-0"

charts/spire-client-example/README.md

@@ -0,0 +1,53 @@
+# spire-client-example
+
+<!-- This README.md is generated. -->
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.12.0](https://img.shields.io/badge/AppVersion-0.12.0-informational?style=flat-square)
+
+A Helm chart for deploying a spire workload as example.
+
+**Homepage:** <https://github.com/philips-labs/helm-charts/charts/spire-client-example>
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| marcofranssen | [email protected] | https://marcofranssen.nl |
+
+## Source Code
+
+* <https://github.com/philips-labs/helm-charts/charts/spire-client-example>
+
+## Requirements
+
+Kubernetes: `>=1.19.0-0`
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` |  |
+| autoscaling.enabled | bool | `false` |  |
+| autoscaling.maxReplicas | int | `100` |  |
+| autoscaling.minReplicas | int | `1` |  |
+| autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
+| fullnameOverride | string | `""` |  |
+| image.pullPolicy | string | `"IfNotPresent"` |  |
+| image.repository | string | `"gcr.io/spiffe-io/spire-agent"` |  |
+| image.tag | string | `""` |  |
+| imagePullSecrets | list | `[]` |  |
+| nameOverride | string | `""` |  |
+| nodeSelector | object | `{}` |  |
+| podAnnotations | object | `{}` |  |
+| podSecurityContext | object | `{}` |  |
+| replicaCount | int | `1` |  |
+| resources | object | `{}` |  |
+| securityContext | object | `{}` |  |
+| serviceAccount.annotations | object | `{}` |  |
+| serviceAccount.create | bool | `true` |  |
+| serviceAccount.name | string | `""` |  |
+| spire.agentServiceAccount | string | `"spire-agent"` |  |
+| spire.clusterName | string | `"example-cluster"` |  |
+| spire.namespace | string | `"spire"` |  |
+| spire.trustDomain | string | `"example.org"` |  |
+| tolerations | list | `[]` |  |

charts/spire-client-example/templates/NOTES.txt

@@ -0,0 +1,5 @@
+1. You can verify the example client has succesfully registered via following command.
+
+  export CLIENT_EXAMPLE=$(kubectl -n {{ .Release.Namespace }} get pods -o jsonpath="{.items[0].metadata.name}" -l app.kubernetes.io/name={{ include "spire-client-example.fullname" . }})
+  kubectl -n {{ .Release.Namespace }} exec -it $CLIENT_EXAMPLE -- \
+    bin/spire-agent api fetch -socketPath /run/spire/sockets/agent.sock

charts/spire-client-example/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "spire-client-example.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "spire-client-example.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "spire-client-example.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "spire-client-example.labels" -}}
+helm.sh/chart: {{ include "spire-client-example.chart" . }}
+{{ include "spire-client-example.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "spire-client-example.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "spire-client-example.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "spire-client-example.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "spire-client-example.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}