allanger/helmzoo
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Activity

Just one binary helmule

Browse Source
This commit is contained in:
Nikolai Rodionov 2025-02-18 17:32:46 +01:00
parent 055072f491
commit 09b1dd522b
Signed by: allanger
GPG Key ID: 09F8B434D0FDD99B
53 changed files with 483 additions and 2124 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

763
Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

19
Cargo.toml
View File

@ -1,15 +1,18 @@
[workspace] [package]
resolver = "2" name = "helmule"
members = [ version = "0.1.0"
"helmule", edition = "2021"
"helmudi",
"lib",
]
[workspace.dependencies] [dependencies]
serde = { version = "1.0.193", features = ["derive"] } serde = { version = "1.0.193", features = ["derive"] }
serde_json = "1.0.110" serde_json = "1.0.110"
serde_yaml = "0.9.29" serde_yaml = "0.9.29"
clap = { version = "4.4.18", features = ["derive"] } clap = { version = "4.4.18", features = ["derive"] }
tempfile = "3.9.0" tempfile = "3.9.0"
base64 = "0.21.7" base64 = "0.21.7"
dircpy = "0.3.15"
regex = "1.10.3"
which = "7.0.2"
chrono = "0.4.39"
console = "0.15.10"
handlebars = "6.3.1"

19
example/helmule.yaml Normal file
View File

@ -0,0 +1,19 @@
repositories:
- name: grafana
helm:
url: https://grafana.github.io/helm-charts
charts:
- name: k8s-monitoring
repository: grafana
mirrors:
- custom-command
mirrors:
- name: custom-commands
custom_command:
package:
- mkdir -p /tmp/repository
- helm package -d package .
upload:
- mv ./package/{{ name }}-{{ version }}.tgz /tmp/repository
- rm -rf ./package

10
helmudi/Cargo.toml
View File

@ -1,10 +0,0 @@
[package]
name = "helmudi"
version = "0.1.0"
edition = "2021"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[dependencies]
clap = { version = "4.4.18", features = ["derive"] }
helmzoo_lib = { path = "../lib" }

46
helmudi/src/main.rs
View File

@ -1,46 +0,0 @@
use std::{error::Error, process::exit};
use helmzoo_lib::{
self,
output::{message_empty, message_error},
};
use clap::Parser;
/// Simple program to greet a person
#[derive(Parser, Debug)]
#[command(author, version, about, long_about = None)]
struct Args {
/// Name of the working dir
#[arg(short, long)]
workdir: Option<String>,
/// Path to the configuration file
#[arg(short, long)]
config: String,
/// Dry run
#[arg(short, long, default_value = "false")]
dry_run: bool,
#[arg(long, default_value = "false")]
skip_prerequisites_check: bool,
/// Init git patch. Use it if you want to create git patch for a chart
/// It's going to pull a chart and init a git repo there, so you can
/// apply changes and create a patch file
/// It's not going to try mirroring changes, but will apply extensions
/// and patches that are already defined
#[arg(long)]
init_git_patch: Option<Vec<String>>,
}
fn exec(args: Args) -> Result<(), Box<dyn Error>> {
let workdir_path = helmzoo_lib::workdir::setup_workdir(args.workdir)?;
Ok(())
}
fn main() {
match exec(Args::parse()) {
Ok(()) => message_empty("Thanks for using helmule"),
Err(err) => {
message_error(err);
exit(1)
}
}
}

17
helmule/Cargo.toml
View File

@ -1,17 +0,0 @@
[package]
name = "helmule"
version = "0.1.0"
edition = "2021"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[dependencies]
clap = { workspace = true }
dircpy = "0.3.15"
helmzoo_lib = { path = "../lib" }
regex = "1.10.3"
serde = { workspace = true }
serde_json ={ workspace = true }
serde_yaml = { workspace = true }
tempfile = { workspace = true }
base64 = { workspace = true }

28
helmule/examples/extensions/flux2/crd-configmap.yaml
View File

@ -1,28 +0,0 @@
{{/*
We have to create individual configmaps for each CRD - they exceed the total
allowed length for a configmap if they are combined.
*/}}
{{ $currentScope := . }}
{{- if .Values.crds.install }}
{{- range $path, $_ := .Files.Glob "crd-base/**" }}
{{- with $currentScope }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "crdInstall" . }}-{{ $path | base | trimSuffix ".yaml" }}
namespace: {{ .Release.Namespace | quote }}
annotations:
# create hook dependencies in the right order
"helm.sh/hook-weight": "-5"
{{- include "crdInstallAnnotations" . | nindent 4 }}
labels:
app.kubernetes.io/component: {{ include "crdInstall" . | quote }}
{{- include "labels.selector" . | nindent 4 }}
role: {{ include "crdInstallSelector" . | quote }}
data:
content: |
{{ tpl (.Files.Get $path) . | indent 4 }}
{{- end }}
{{- end }}
{{- end }}

80
helmule/examples/extensions/flux2/crd-job.yaml
View File

@ -1,80 +0,0 @@
{{- if .Values.crds.install }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "crdInstallJob" . }}
namespace: {{ .Release.Namespace | quote }}
annotations:
# create hook dependencies in the right order
"helm.sh/hook-weight": "-1"
{{- include "crdInstallAnnotations" . | nindent 4 }}
labels:
app.kubernetes.io/component: {{ include "crdInstall" . | quote }}
{{- include "labels.selector" . | nindent 4 }}
role: {{ include "crdInstallSelector" . | quote }}
spec:
ttlSecondsAfterFinished: 3600
template:
metadata:
labels:
app.kubernetes.io/component: {{ include "crdInstall" . | quote }}
{{- include "labels.selector" . | nindent 8 }}
spec:
serviceAccountName: {{ include "crdInstall" . }}
securityContext:
runAsUser: 1000
runAsGroup: 2000
{{- if ge (int .Capabilities.KubeVersion.Minor) 19 }}
{{- with .Values.crds.podSeccompProfile }}
seccompProfile:
{{- . | toYaml | nindent 10 }}
{{- end }}
{{- end }}
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
- key: node-role.kubernetes.io/control-plane
effect: NoSchedule
containers:
- name: kubectl
image: "{{ .Values.images.registry }}/giantswarm/docker-kubectl:1.23.6"
command:
- sh
- -c
- |
set -o errexit ; set -o xtrace ; set -o nounset
# piping stderr to stdout means kubectl's errors are surfaced
# in the pod's logs.
kubectl apply -f /data/ 2>&1
securityContext:
readOnlyRootFilesystem: true
{{- if ge (int .Capabilities.KubeVersion.Minor) 19 }}
{{- with .Values.crds.seccompProfile }}
seccompProfile:
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- end }}
volumeMounts:
{{- range $path, $_ := .Files.Glob "crd-base/**" }}
- name: {{ $path | base | trimSuffix ".yaml" }}
mountPath: /data/{{ $path | base }}
subPath: {{ $path | base }}
{{- end }}
resources: {{- toYaml .Values.crds.resources | nindent 10 }}
volumes:
{{ $currentScope := . }}
{{- range $path, $_ := .Files.Glob "crd-base/**" }}
{{- with $currentScope }}
- name: {{ $path | base | trimSuffix ".yaml" }}
configMap:
name: {{ include "crdInstall" . }}-{{ $path | base | trimSuffix ".yaml" }}
items:
- key: content
path: {{ $path | base }}
{{- end }}
{{- end }}
restartPolicy: Never
backoffLimit: 4
{{- end }}

59
helmule/examples/extensions/flux2/crd-np.yaml
View File

@ -1,59 +0,0 @@
{{- if .Values.crds.install }}
{{- if .Capabilities.APIVersions.Has "cilium.io/v2/CiliumNetworkPolicy" }}
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: {{ include "crdInstall" . }}
namespace: {{ .Release.Namespace | quote }}
annotations:
# create hook dependencies in the right order
"helm.sh/hook-weight": "-7"
{{- include "crdInstallAnnotations" . | nindent 4 }}
labels:
app.kubernetes.io/component: {{ include "crdInstall" . | quote }}
{{- include "labels.selector" . | nindent 4 }}
role: {{ include "crdInstallSelector" . | quote }}
spec:
egress:
- toEntities:
- kube-apiserver
endpointSelector: {}
{{- else }}
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: {{ include "crdInstall" . }}
namespace: {{ .Release.Namespace | quote }}
annotations:
# create hook dependencies in the right order
"helm.sh/hook-weight": "-7"
{{- include "crdInstallAnnotations" . | nindent 4 }}
labels:
app.kubernetes.io/component: {{ include "crdInstall" . | quote }}
{{- include "labels.selector" . | nindent 4 }}
role: {{ include "crdInstallSelector" . | quote }}
spec:
podSelector:
matchLabels:
app.kubernetes.io/component: {{ include "crdInstall" . | quote }}
{{- include "labels.selector" . | nindent 6 }}
# allow egress traffic to the Kubernetes API
egress:
- ports:
- port: 443
protocol: TCP
# legacy port kept for compatibility
- port: 6443
protocol: TCP
to:
{{- range tuple "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" "100.64.0.0/10" }}
- ipBlock:
cidr: {{ . }}
{{- end }}
# deny ingress traffic
ingress: []
policyTypes:
- Egress
- Ingress
{{- end }}
{{- end }}

62
helmule/examples/extensions/flux2/crd-rbac.yaml
View File

@ -1,62 +0,0 @@
{{- if .Values.crds.install }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "crdInstall" . }}
namespace: {{ .Release.Namespace | quote }}
annotations:
# create hook dependencies in the right order
"helm.sh/hook-weight": "-3"
{{- include "crdInstallAnnotations" . | nindent 4 }}
labels:
app.kubernetes.io/component: {{ include "crdInstall" . | quote }}
{{- include "labels.selector" . | nindent 4 }}
role: {{ include "crdInstallSelector" . | quote }}
rules:
- apiGroups:
- ""
resources:
- jobs
verbs:
- create
- delete
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- create
- delete
- get
- patch
- apiGroups:
- policy
resources:
- podsecuritypolicies
resourceNames:
- {{ include "crdInstall" . }}
verbs:
- use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "crdInstall" . }}
namespace: {{ .Release.Namespace | quote }}
annotations:
# create hook dependencies in the right order
"helm.sh/hook-weight": "-2"
{{- include "crdInstallAnnotations" . | nindent 4 }}
labels:
app.kubernetes.io/component: {{ include "crdInstall" . | quote }}
{{- include "labels.common" . | nindent 4 }}
role: {{ include "crdInstallSelector" . | quote }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "crdInstall" . }}
subjects:
- kind: ServiceAccount
name: {{ include "crdInstall" . }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}

15
helmule/examples/extensions/flux2/crd-serviceaccount.yaml
View File

@ -1,15 +0,0 @@
{{- if .Values.crds.install }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "crdInstall" . }}
namespace: {{ .Release.Namespace }}
annotations:
# create hook dependencies in the right order
"helm.sh/hook-weight": "-4"
{{- include "crdInstallAnnotations" . | nindent 4 }}
labels:
app.kubernetes.io/component: {{ include "crdInstall" . | quote }}
{{- include "labels.selector" . | nindent 4 }}
role: {{ include "crdInstallSelector" . | quote }}
{{- end }}

30
helmule/examples/extensions/vaultwarden/virtual-service.yaml
View File

@ -1,30 +0,0 @@
{{- if .Values.virtualservice.enabled -}}
{{- $fullName := include "vaultwarden.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
{{- if $.Capabilities.APIVersions.Has "networking.istio.io/v1beta1" }}
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: {{ $fullName }}
labels:
{{- include "vaultwarden.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
gateways:
- {{ .Values.virtaulservice.gatewayRef }}
hosts:
- ci.badhouseplants.ne
http:
- match:
- uri:
prefix: /
route:
- destination:
host: woodpecker-ci-server
port:
number: 80
{{- end }}
{{- end }}

7
helmule/examples/giantswarm/charts/external-secrets-operator.yaml
View File

@ -1,7 +0,0 @@
name: external-secrets
repository: external-secrets
variables:
target_repo: app-external-secrets-operator
version: 0.8.3
mirrors:
- apps-git

61
helmule/examples/giantswarm/charts/gitops-server.yaml
View File

@ -1,61 +0,0 @@
# -------------------------------------------------------------------
# -- GitOps Server Application
# -------------------------------------------------------------------
- name: weave-gitops
repository: weave
version: 4.0.15
variables:
target_repo: app-gitops-server
mirrors:
- apps-git
extensions:
- name: Add VPA
source_dir: ../extensions/vpa-gitops-server
target_dir: templates/gs-vpa
patches:
- name: Git patch
git:
path: ../patches/git/gitops-server.patch
- name: Generate values.schema
custom_command:
commands:
- helm schema-gen values.yaml > values.schema.json
- name: Git patch for values schema
git:
path: ../patches/git/gitops-server-values-schema.patch
- name: Git patch for test-job security
git:
path: ../patches/git/gitops-server-test-job.patch
# -- Update Chart.ymal
#- name: Change the chart name
# yq:
# op: Replace
# file: Chart.yaml
# key: .name
# value: gitops-server
- name: Set the home URL
yq:
op: Add
file: Chart.yaml
key: .home
value: https://github.com/giantswarm/gitops-server-app
- name: set the icon url
yq:
op: Add
file: Chart.yaml
key: .icon
value: https://s.giantswarm.io/app-icons/weaveworks/1/icon_light.svg
- name: Add keywords
yq:
op: Add
file: Chart.yaml
key: .keywords
value: '["gitops", "flux"]'
- name: team annotation
- name: gs version
yq:
op: Add
key: .annotations."config.giantswarm.io/version"
value: 1.x.x
file: Chart.yaml
- name: yamlfmt

25
helmule/examples/giantswarm/charts/zot.yaml
View File

@ -1,25 +0,0 @@
# -------------------------------------------------------------------
# -- Zot Application
# -------------------------------------------------------------------
name: zot
repository: zot-git
extensions:
- name: Add VPA
source_dir: ../extensions/vpa
target_dir: templates/gs-vpa
- name: Add values for CI
source_dir: ../extensions/ci-values
target_dir: ci
variables:
target_repo: zot-app
patches:
- name: team annotation
- name: set home
- name: set engine
- name: yamlfmt
- name: Git patch
git:
path: ../patches/git/zot.patch
mirrors:
# - apps-git
- custom-command

9
helmule/examples/giantswarm/extensions/ci-values/values-vpa.yaml
View File

@ -1,9 +0,0 @@
resources:
requests:
memory: 100Mi
cpu: 70m
limits:
memory: 700Mi
cpu: 400m
vpa:
enabled: true

27
helmule/examples/giantswarm/extensions/vpa-gitops-server/vpa.yaml
View File

@ -1,27 +0,0 @@
{{ if eq (include "resource.vpa.enabled" .) "true" }}
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
name: gitops-server
namespace: {{ .Release.Namespace }}
labels:
{{- include "chart.labels" . | nindent 4 }}
spec:
resourcePolicy:
containerPolicies:
- containerName: {{ .Chart.Name }}
controlledValues: RequestsAndLimits
minAllowed:
cpu: {{ .Values.giantswarm.resources.server.requests.cpu }}
memory: {{ .Values.giantswarm.resources.server.requests.memory }}
maxAllowed:
cpu: 1000m
memory: 1000Mi
mode: Auto
targetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "chart.fullname" . }}
updatePolicy:
updateMode: Auto
{{ end }}

51
helmule/examples/giantswarm/extensions/vpa/_helpers.tpl
View File

@ -1,51 +0,0 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "chart.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "chart.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "chart.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "chart.labels" -}}
helm.sh/chart: {{ include "chart.chart" . }}
{{ include "chart.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "chart.selectorLabels" -}}
app.kubernetes.io/name: {{ include "chart.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

29
helmule/examples/giantswarm/extensions/vpa/vpa.yaml
View File

@ -1,29 +0,0 @@
{{ if (.Values.vpa).enabled }}
{{ if .Values.resources }}
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
name: {{ include "chart.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "chart.labels" . | nindent 4 }}
spec:
resourcePolicy:
containerPolicies:
- containerName: manager
controlledValues: RequestsAndLimits
minAllowed:
cpu: {{ .Values.resources.requests.cpu }}
memory: {{ .Values.resources.requests.memory }}
maxAllowed:
cpu: {{ .Values.resources.limits.cpu }}
memory: {{ .Values.resources.limits.memory }}
mode: Auto
targetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "chart.fullname" . }}
updatePolicy:
updateMode: Auto
{{- end }}
{{- end }}

61
helmule/examples/giantswarm/helmule.yaml
View File

@ -1,61 +0,0 @@
variables:
global: example
include:
- kind: Charts
path: ./charts/zot.yaml
patches:
- name: yamlfmt
custom_command:
commands:
- "cat <<EOT >> .yamlfmt\n formatter:\n pad_line_comments: 2\nEOT"
- yamlfmt values.yaml --conf ./yamlfmt.yaml
- rm -f yamlfmt.yaml
- name: team annotation
yq:
op: Add
key: .annotations."application.giantswarm.io/team"
value: team-honeybadger
file: Chart.yaml
- name: set home
yq:
op: Add
key: .home
value: https://github.com/giantswarm/flux-app
file: Chart.yaml
- name: set engine
yq:
op: Add
key: .engine
value: gtpl
file: Chart.yaml
repositories:
# -- Because their helm repo seems not to be accessible
- name: zot-git
git:
url: https://github.com/project-zot/helm-charts.git
git_ref: zot-0.1.42
path: charts
- name: weave
helm:
url: https://helm.gitops.weave.works
- name: external-secrets
helm:
url: https://charts.external-secrets.io
mirrors:
- name: apps-git
git:
url: git@git.badhouseplants.net:allanger/{{ variables.target_repo }}.git
git_dir: app-{{ name }}-git
branch: upgrade-{{ name }}-to-{{ version }}
path: helm/{{ name }}
commit: |-
chore: mirror {{ name }}-{{ version }}
upstream_repo: {{ repo_url }}
- name: custom-commands
custom_command:
package:
- helm package -d package .
upload:
- helm push ./package/{{ name }}-{{ version }}.tgz oci://registry.badhouseplants.net
- rm -rf ./package

19
helmule/examples/giantswarm/patches/git/gitops-server-test-job.patch
View File

@ -1,19 +0,0 @@
diff --git a/templates/tests/test-connection.yaml b/templates/tests/test-connection.yaml
index 8dfed87..b4b98bc 100644
--- a/templates/tests/test-connection.yaml
+++ b/templates/tests/test-connection.yaml
@@ -9,7 +9,13 @@ metadata:
spec:
containers:
- name: wget
- image: busybox
+ image: "{{ .Values.image.registry }}/{{ .Values.giantswarm.images.test.image }}:{{ .Values.giantswarm.images.test.tag }}"
+ imagePullPolicy: {{ .Values.giantswarm.images.test.pullPolicy }}
command: ['wget']
args: ['{{ include "chart.fullname" . }}:{{ .Values.service.port }}']
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsUser: 1000
+ resources:
+ {{- toYaml .Values.giantswarm.resources.test | nindent 8 }}
restartPolicy: Never

210
helmule/examples/giantswarm/patches/git/gitops-server-values-schema.patch
View File

@ -1,210 +0,0 @@
diff --git a/values.schema.json b/values.schema.json
index f759f82..c0762fa 100644
--- a/values.schema.json
+++ b/values.schema.json
@@ -43,10 +43,51 @@
}
},
"extraVolumeMounts": {
- "type": "array"
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "mountPath": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ }
+ }
+ }
},
"extraVolumes": {
- "type": "array"
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "csi": {
+ "type": "object",
+ "properties": {
+ "driver": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "volumeAttributes": {
+ "type": "object",
+ "properties": {
+ "secretProviderClass": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ },
+ "name": {
+ "type": "string"
+ }
+ }
+ }
},
"fullnameOverride": {
"type": "string"
@@ -91,7 +132,30 @@
"type": "object",
"properties": {
"additionalRules": {
- "type": "array"
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "apiGroups": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "resources": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "verbs": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ }
},
"create": {
"type": "boolean"
@@ -106,7 +170,10 @@
"type": "boolean"
},
"resourceNames": {
- "type": "array"
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
}
}
},
@@ -117,7 +184,10 @@
"type": "boolean"
},
"resourceNames": {
- "type": "array"
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
}
}
}
@@ -134,6 +204,14 @@
"resources": {
"type": "object",
"properties": {
+ "vpa":{
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ }
+ }
+ },
"server": {
"type": "object",
"properties": {
@@ -187,14 +265,6 @@
}
}
}
- },
- "vpa": {
- "type": "object",
- "properties": {
- "enabled": {
- "type": "boolean"
- }
- }
}
}
}
@@ -209,7 +279,15 @@
}
},
"imagePullSecrets": {
- "type": "array"
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ }
+ }
},
"ingress": {
"type": "object",
@@ -224,10 +302,46 @@
"type": "boolean"
},
"hosts": {
- "type": "array"
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "host": {
+ "type": "string"
+ },
+ "paths": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "path": {
+ "type": "string"
+ },
+ "pathType": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ }
+ }
},
"tls": {
- "type": "array"
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "hosts": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "secretName": {
+ "type": "string"
+ }
+ }
+ }
}
}
},

307
helmule/examples/giantswarm/patches/git/gitops-server.patch
View File

@ -1,307 +0,0 @@
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index af32c5b..1fdf723 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -39,6 +39,7 @@ helm.sh/chart: {{ include "chart.chart" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
+application.giantswarm.io/team: {{ index .Chart.Annotations "application.giantswarm.io/team" | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
@@ -75,3 +76,16 @@ Return the target Kubernetes version
{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
{{- end -}}
{{- end -}}
+
+{{- define "resource.vpa.enabled" -}}
+{{- if and (.Capabilities.APIVersions.Has "autoscaling.k8s.io/v1") (.Values.giantswarm.resources.vpa.enabled) }}true{{ else }}false{{ end }}
+{{- end -}}
+
+{{- define "deployment.resources" -}}
+requests:
+{{ toYaml .Values.giantswarm.resources.server.requests | indent 2 -}}
+{{ if eq (include "resource.vpa.enabled" .) "false" }}
+limits:
+{{ toYaml .Values.giantswarm.resources.server.limits | indent 2 -}}
+{{- end -}}
+{{- end -}}
diff --git a/templates/admin-user-roles.yaml b/templates/admin-user-roles.yaml
index 74a1844..c0fa72c 100644
--- a/templates/admin-user-roles.yaml
+++ b/templates/admin-user-roles.yaml
@@ -30,8 +30,8 @@ rules:
resources: ["terraforms"]
verbs: [ "get", "list", "watch", "patch" ]
-{{- if gt (len $.Values.rbac.additionalRules) 0 -}}
-{{- toYaml $.Values.rbac.additionalRules | nindent 2 -}}
+{{- if gt (len $.Values.giantswarm.rbac.additionalRules) 0 -}}
+{{- toYaml $.Values.giantswarm.rbac.additionalRules | nindent 2 -}}
{{- end }}
{{- if .Values.adminUser.createClusterRole }}
---
@@ -72,8 +72,8 @@ rules:
resources: [ "providers", "alerts" ]
verbs: [ "get", "list", "watch", "patch" ]
-{{- if gt (len $.Values.rbac.additionalRules) 0 -}}
-{{- toYaml $.Values.rbac.additionalRules | nindent 2 -}}
+{{- if gt (len $.Values.giantswarm.rbac.additionalRules) 0 -}}
+{{- toYaml $.Values.giantswarm.rbac.additionalRules | nindent 2 -}}
{{- end -}}
{{- end }}
{{- end }}
diff --git a/templates/deployment.yaml b/templates/deployment.yaml
index a54c37c..a498259 100644
--- a/templates/deployment.yaml
+++ b/templates/deployment.yaml
@@ -36,8 +36,8 @@ spec:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
- imagePullPolicy: {{ .Values.image.pullPolicy }}
+ image: "{{ .Values.image.registry }}/{{ .Values.giantswarm.images.server.image }}:{{ .Values.giantswarm.images.server.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.giantswarm.images.server.pullPolicy }}
args:
- "--log-level"
- "{{ .Values.logLevel }}"
@@ -88,7 +88,7 @@ spec:
{{- end }}
{{- end }}
resources:
- {{- toYaml .Values.resources | nindent 12 }}
+ {{- include "deployment.resources" . | nindent 12 }}
{{- if or .Values.serverTLS.enable .Values.extraVolumeMounts }}
volumeMounts:
{{- end }}
diff --git a/templates/role.yaml b/templates/role.yaml
index b292176..5a55339 100644
--- a/templates/role.yaml
+++ b/templates/role.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.rbac.create -}}
+{{- if .Values.giantswarm.rbac.create -}}
{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}}
apiVersion: rbac.authorization.k8s.io/v1beta1
{{- else }}
@@ -6,32 +6,39 @@ apiVersion: rbac.authorization.k8s.io/v1
{{- end }}
kind: ClusterRole
metadata:
- name: {{ include "chart.fullname" . }}
+ name: {{ include "chart.fullname" . }}
rules:
# impersonation rules for ui calls
+ {{- if .Values.giantswarm.rbac.impersonation.users.enabled }}
- apiGroups: [""]
- resources: {{ .Values.rbac.impersonationResources | toJson }}
+ resources: ["users"]
verbs: [ "impersonate" ]
- {{- with .Values.rbac.impersonationResourceNames }}
+ {{- with .Values.giantswarm.rbac.impersonation.users.resourceNames }}
resourceNames: {{ . | toJson }}
{{- end }}
+ {{- end }}
+ {{- if .Values.giantswarm.rbac.impersonation.groups.enabled }}
+ {{- if and .Values.giantswarm.rbac.impersonation.groups.enabled (not .Values.giantswarm.rbac.impersonation.users.enabled) }}
+ {{- fail "Enabling impersonation for groups requires users impersonation permissions, see https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation" }}
+ {{- end }}
+ - apiGroups: [""]
+ resources: ["groups"]
+ verbs: [ "impersonate" ]
+ {{- with .Values.giantswarm.rbac.impersonation.groups.resourceNames }}
+ resourceNames: {{ . | toJson }}
+ {{- end }}
+ {{- end }}
# Access to enterprise entitlement
- apiGroups: [""]
resources: [ "secrets" ]
verbs: [ "get", "list" ]
- {{- if and .Values.rbac.viewSecrets .Values.rbac.viewSecretsResourceNames }}
- {{- fail "You've supplied both rbac.viewSecrets and rbac.viewSecretsResourceNames. Please only use rbac.viewSecretsResourceNames" }}
- {{- end }}
- # or should return the first non-falsy result
- {{- with (or .Values.rbac.viewSecretsResourceNames .Values.rbac.viewSecrets) }}
+ {{- with .Values.giantswarm.rbac.viewSecretsResourceNames }}
resourceNames: {{ . | toJson }}
{{- end }}
-
# The service account needs to read namespaces to know where it can query
- apiGroups: [ "" ]
resources: [ "namespaces" ]
verbs: [ "get", "list", "watch" ]
-
# The service account needs to list custom resources to query if given feature
# is available or not.
- apiGroups: [ "apiextensions.k8s.io" ]
diff --git a/templates/rolebinding.yaml b/templates/rolebinding.yaml
index b8756fe..df718ff 100644
--- a/templates/rolebinding.yaml
+++ b/templates/rolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.rbac.create -}}
+{{- if .Values.giantswarm.rbac.create -}}
{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}}
apiVersion: rbac.authorization.k8s.io/v1beta1
{{- else }}
@@ -9,7 +9,7 @@ metadata:
name: {{ include "chart.fullname" . }}
labels:
{{- include "chart.labels" . | nindent 4 }}
- {{- with .Values.rbac.annotations }}
+ {{- with .Values.giantswarm.rbac.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
diff --git a/values.yaml b/values.yaml
index 374ad32..7b3b35f 100644
--- a/values.yaml
+++ b/values.yaml
@@ -1,16 +1,57 @@
-# Default values for chart.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
+giantswarm:
+ images:
+ server:
+ image: giantswarm/weaveworks-wego-app
+ pullPolicy: IfNotPresent
+ tag: v0.18.0
+ test:
+ image: giantswarm/busybox
+ pullPolicy: IfNotPresent
+ tag: 1.36.0
+ resources:
+ vpa:
+ enabled: true
+ server:
+ limits:
+ cpu: 200m
+ memory: 256Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ test:
+ requests:
+ cpu: 10m
+ memory: 2Mi
+ limits:
+ cpu: 10m
+ memory: 4Mi
+ rbac:
+ create: true
+ impersonation:
+ users:
+ enabled: true
+ # -- If non-empty, this limits the users names that the service account
+ # can impersonate, e.g. `['user1@corporation.com', 'user2@corporation.com']`
+ resourceNames: []
+ groups:
+ enabled: true
+ # -- If non-empty, this limits the groups names that the service account
+ # can impersonate, e.g. `['admins', 'operations', 'devops']`
+ resourceNames: []
+ # -- If non-empty, this limits the secrets that can be accessed by
+ # the service account to the specified ones, e.g. `['weave-gitops-enterprise-credentials']`
+ viewSecretsResourceNames: ["cluster-user-auth", "oidc-auth"]
+ # -- If non-empty, these additional rules will be appended to the RBAC role and the cluster role.
+ # for example,
+ # additionalRules:
+ # - apiGroups: ["infra.contrib.fluxcd.io"]
+ # resources: ["terraforms"]
+ # verbs: [ "get", "list", "patch" ]
+ additionalRules: []
-# Note: paragraphs starting with `# --` will end up in our manual -
-# see https://github.com/norwoodj/helm-docs
replicaCount: 1
image:
- # FIXME check the app name
- repository: ghcr.io/weaveworks/wego-app
- pullPolicy: IfNotPresent
- # Overrides the image tag whose default is the chart appVersion.
- tag: "v0.18.0"
+ registry: gsoci.azurecr.io
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
@@ -43,28 +84,9 @@ serviceAccount:
# -- The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
-rbac:
- # -- Specifies whether the clusterRole & binding to the service account should be created
- create: true
- # -- If non-empty, this limits the resources that the service
- # account can impersonate. This applies to both users and groups, e.g.
- # `['user1@corporation.com', 'user2@corporation.com', 'operations']`
- impersonationResourceNames: []
- # -- Limit the type of principal that can be impersonated
- impersonationResources: ["users", "groups"]
- # -- If non-empty, this limits the secrets that can be accessed by
- # the service account to the specified ones, e.g. `['weave-gitops-enterprise-credentials']`
- viewSecretsResourceNames: ["cluster-user-auth", "oidc-auth"]
- # -- If non-empty, these additional rules will be appended to the RBAC role and the cluster role.
- # for example,
- # additionalRules:
- # - apiGroups: ["infra.contrib.fluxcd.io"]
- # resources: ["terraforms"]
- # verbs: [ "get", "list", "patch" ]
- additionalRules: []
adminUser:
# -- Whether the local admin user should be created.
- # If you use this make sure you add it to `rbac.impersonationResourceNames`.
+ # If you use this make sure you add it to `giantswarm.rbac.impersonation.users.resourceNames`.
create: false
# -- Specifies whether the clusterRole & binding to the admin user should be created.
# Will be created only if `adminUser.create` is enabled. Without this,
@@ -82,7 +104,7 @@ adminUser:
# -- (string) Set the password for local admin user. Requires `adminUser.create` and `adminUser.createSecret`
# This needs to have been hashed using bcrypt.
# You can do this via our CLI with `gitops get bcrypt-hash`.
- passwordHash:
+ passwordHash: ""
podAnnotations: {}
podLabels: {}
# aadpodidbinding: identity
@@ -111,7 +133,7 @@ ingress:
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
- hosts:
+ hosts: []
# - host: chart-example.local
# paths:
# - path: /
@@ -123,8 +145,8 @@ ingress:
# - chart-example.local
extraVolumes: []
extraVolumeMounts: []
-# Example using extraVolumes and extraVolumeMounts to load 'oidc-auth' secret
-# with a secrets store CSI driver. Specify the secretName 'oidc-auth' in the
+# Example using extraVolumes and extraVolumeMounts to load 'oidc-auth' secret
+# with a secrets store CSI driver. Specify the secretName 'oidc-auth' in the
# secretProviderClass so this will be created by the secrets store CSI driver.
# See https://secrets-store-csi-driver.sigs.k8s.io/topics/sync-as-kubernetes-secret.html
# extraVolumeMounts:
@@ -138,17 +160,6 @@ extraVolumeMounts: []
# readOnly: true
# volumeAttributes:
# secretProviderClass: ww-gitops-oauth-provider
-resources: {}
-# We usually recommend not to specify default resources and to leave this as a conscious
-# choice for the user. This also increases chances charts run on environments with little
-# resources, such as Minikube. If you do want to specify resources, uncomment the following
-# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-# limits:
-# cpu: 100m
-# memory: 128Mi
-# requests:
-# cpu: 100m
-# memory: 128Mi
networkPolicy:
# -- Specifies whether default network policies should be created.

121
helmule/examples/giantswarm/patches/git/zot.patch
View File

@ -1,121 +0,0 @@
diff --git a/templates/deployment.yaml b/templates/deployment.yaml
index c48dda1..b6de3af 100644
--- a/templates/deployment.yaml
+++ b/templates/deployment.yaml
@@ -24,12 +24,28 @@ spec:
{{- end }}
serviceAccountName: {{ include "zot.serviceAccountName" . }}
securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ fsGroup: 1337
+ {{- if ge (int .Capabilities.KubeVersion.Minor) 19 }}
+ {{- with .Values.podSeccompProfile }}
+ seccompProfile:
+ {{- . | toYaml | nindent 10 }}
+ {{- end }}
+ {{- end }}
containers:
- name: {{ .Chart.Name }}
securityContext:
- {{- toYaml .Values.securityContext | nindent 12 }}
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ {{- with .Values.containerSecurityContext }}
+ {{- . | toYaml | nindent 12 }}
+ {{- end }}
+ readOnlyRootFilesystem: true
+ runAsUser: 100
+ {{- if ge (int .Capabilities.KubeVersion.Minor) 19 }}
+ {{- with .Values.seccompProfile }}
+ seccompProfile:
+ {{- . | toYaml | nindent 14 }}
+ {{- end }}
+ {{- end }}
+ image: "{{ .Values.image.registry }}/{{ .Values.image.image }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
{{- toYaml .Values.env | nindent 12 }}
diff --git a/templates/tests/test-connection-fails.yaml b/templates/tests/test-connection-fails.yaml
index 0e7a059..6ec4916 100644
--- a/templates/tests/test-connection-fails.yaml
+++ b/templates/tests/test-connection-fails.yaml
@@ -8,8 +8,28 @@ metadata:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
spec:
+ securityContext:
+ fsGroup: 1337
+ {{- if ge (int .Capabilities.KubeVersion.Minor) 19 }}
+ {{- with .Values.podSeccompProfile }}
+ seccompProfile:
+ {{- . | toYaml | nindent 10 }}
+ {{- end }}
+ {{- end }}
containers:
- name: wget
+ securityContext:
+ {{- with .Values.containerSecurityContext }}
+ {{- . | toYaml | nindent 12 }}
+ {{- end }}
+ readOnlyRootFilesystem: true
+ runAsUser: 100
+ {{- if ge (int .Capabilities.KubeVersion.Minor) 19 }}
+ {{- with .Values.seccompProfile }}
+ seccompProfile:
+ {{- . | toYaml | nindent 14 }}
+ {{- end }}
+ {{- end }}
image: alpine:3.18
command:
- sh
diff --git a/templates/tests/test-connection.yaml b/templates/tests/test-connection.yaml
index 59c64b4..2ded317 100644
--- a/templates/tests/test-connection.yaml
+++ b/templates/tests/test-connection.yaml
@@ -8,8 +8,28 @@ metadata:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
spec:
+ securityContext:
+ fsGroup: 1337
+ {{- if ge (int .Capabilities.KubeVersion.Minor) 19 }}
+ {{- with .Values.podSeccompProfile }}
+ seccompProfile:
+ {{- . | toYaml | nindent 10 }}
+ {{- end }}
+ {{- end }}
containers:
- name: wget
+ securityContext:
+ {{- with .Values.containerSecurityContext }}
+ {{- . | toYaml | nindent 12 }}
+ {{- end }}
+ readOnlyRootFilesystem: true
+ runAsUser: 100
+ {{- if ge (int .Capabilities.KubeVersion.Minor) 19 }}
+ {{- with .Values.seccompProfile }}
+ seccompProfile:
+ {{- . | toYaml | nindent 14 }}
+ {{- end }}
+ {{- end }}
image: alpine:3.18
command:
- sh
diff --git a/values.yaml b/values.yaml
index ac7f0f0..9730e9c 100644
--- a/values.yaml
+++ b/values.yaml
@@ -3,10 +3,10 @@
# Declare variables to be passed into your templates.
replicaCount: 1
image:
- repository: ghcr.io/project-zot/zot-linux-amd64
- pullPolicy: IfNotPresent
- # Overrides the image tag whose default is the chart appVersion.
- tag: "v2.0.0"
+ registry: gsoci.azurecr.io
+ image: dummy/zot-linux
+ pullPolicy: Always
+ tag: ""
serviceAccount:
# Specifies whether a service account should be created
create: true

89
helmule/examples/giantswarm/patches/regexp/values-patches.yaml
View File

@ -1,89 +0,0 @@
---
name: Replace image repository in values
targets:
- values.yaml
before: |-
image:
repository: ghcr.io/project-zot/zot-linux-amd64
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: "v2.0.0"
after: |-
image:
repository: gsoci/dummy/zot-linux
pullPolicy: Always
tag: ""
---
name: Fix security policies in the deployment
targets:
- templates/deployment.yaml
before: |-
\{\{- toYaml .Values.podSecurityContext .*
after: |-
fsGroup: 1337
{{- if ge (int .Capabilities.KubeVersion.Minor) 19 }}
{{- with .Values.podSeccompProfile }}
seccompProfile:
{{- . | toYaml | nindent 10 }}
{{- end }}
{{- end }}
---
name: Fix security policies in container
targets:
- templates/deployment.yaml
before: |-
\{\{- toYaml .Values.securityContext .*
after: |-
{{- with .Values.containerSecurityContext }}
{{- . | toYaml | nindent 12 }}
{{- end }}
readOnlyRootFilesystem: true
runAsUser: 100
{{- if ge (int .Capabilities.KubeVersion.Minor) 19 }}
{{- with .Values.seccompProfile }}
seccompProfile:
{{- . | toYaml | nindent 14 }}
{{- end }}
{{- end }}
---
name: Fix security policies in test jobs
targets:
- templates/tests/test-connection-fails.yaml
- templates/tests/test-connection.yaml
before: |-
spec:
containers:
after: |-
spec:
securityContext:
fsGroup: 1337
{{- if ge (int .Capabilities.KubeVersion.Minor) 19 }}
{{- with .Values.podSeccompProfile }}
seccompProfile:
{{- . | toYaml | nindent 10 }}
{{- end }}
{{- end }}
containers:
---
name: Fix security policies in test jobs containers
targets:
- templates/tests/test-connection-fails.yaml
- templates/tests/test-connection.yaml
before: |-
containers:
- name: wget
after: |-
containers:
- name: wget
securityContext:
{{- with .Values.containerSecurityContext }}
{{- . | toYaml | nindent 12 }}
{{- end }}
readOnlyRootFilesystem: true
runAsUser: 100
{{- if ge (int .Capabilities.KubeVersion.Minor) 19 }}
{{- with .Values.seccompProfile }}
seccompProfile:
{{- . | toYaml | nindent 14 }}
{{- end }}
{{- end }}

51
helmule/examples/patches/flux-regexp/patch.yaml
View File

@ -1,51 +0,0 @@
---
name: Remove CRDs leftovers from values
targets:
- values.yaml
before: |-
installCRDs: true
crds:
# -- Add annotations to all CRD resources, e.g. "helm.sh/resource-policy": keep
annotations: \{\}
after: |-
crds:
install: true
# Add seccomp to pod security context
podSeccompProfile:
type: RuntimeDefault
# Add seccomp to container security context
seccompProfile:
type: RuntimeDefault
resources:
requests:
memory: "128Mi"
cpu: "250m"
limits:
memory: "256Mi"
cpu: "500m"
---
name: Append crd install data to helpers
targets:
- templates/_helper.tpl
after: |-
{{- define "crdInstall" -}}
{{- printf "%s-%s" ( include "name" . ) "crd-install" | replace "+" "_" | trimSuffix "-" -}}
{{- end -}}
{{- define "crdInstallJob" -}}
{{- printf "%s-%s-%s" ( include "name" . ) "crd-install" .Chart.AppVersion | replace "+" "_" | replace "." "-" | trimSuffix "-" | trunc 63 -}}
{{- end -}}
{{- define "crdInstallAnnotations" -}}
"helm.sh/hook": "pre-install,pre-upgrade"
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed"
{{- end -}}
{{/* Create a label which can be used to select any orphaned crd-install hook resources */}}
{{- define "crdInstallSelector" -}}
{{- printf "%s" "crd-install-hook" -}}
{{- end -}}

34
helmule/examples/patches/git/patch-2.diff
View File

@ -1,34 +0,0 @@
diff --git a/values.yaml b/values.yaml
index 7ed6839..2b144ad 100644
--- a/values.yaml
+++ b/values.yaml
@@ -1,6 +1,6 @@
image:
repository: registry.hub.docker.com/vaultwarden/server
- pullPolicy: IfNotPresent
+ pullPolicy: Always
# Overrides the image tag whose default is the chart appVersion.
tag: ""
imagePullSecrets: []
@@ -10,13 +10,14 @@ podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000
-securityContext: {}
-# capabilities:
-# drop:
-# - ALL
-# readOnlyRootFilesystem: true
-# runAsNonRoot: true
-# runAsUser: 1000
+securityContext:
+capabilities:
+ drop:
+ - ALL
+
+readOnlyRootFilesystem: true
+runAsNonRoot: true
+runAsUser: 1000
service:
type: ClusterIP

13
helmule/examples/patches/git/patch.diff
View File

@ -1,13 +0,0 @@
diff --git a/Chart.yaml b/Chart.yaml
index d8995d5..0e5f5a5 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -8,7 +8,7 @@ keywords:
- bitwarden
- bitwarden_rs
maintainers:
-- email: allanger@badhouseplants.net
+- email: Somebody else
name: Nikolai Rodionov
url: https://badhouseplants.net
name: vaultwarden

7
helmule/examples/patches/regexp/patch.yaml
View File

@ -1,7 +0,0 @@
---
name: Add spaces before comments
targets:
- values.yaml
before: |-
^.*[\S]+.*#
after: " #"

27
helmule/examples/use/charts/vaultwarden.yaml
View File

@ -1,27 +0,0 @@
name: vaultwarden
repository: badhouseplants
version: latest
extensions:
- name: Add virtual service to the chartc
target_dir: templates/extensions
source_dir: ../../extensions/vaultwarden
patches:
- name: Git patch 1
git:
path: ../../patches/git/patch.diff
- name: Git patch 2
git:
path: ../../patches/git/patch-2.diff
- name: yaml-fmt
custom_command:
commands:
- |-
cat <<EOT >> .yamlfmt
formatter:
pad_line_comments: 2
EOT
- yamlfmt values.yaml --conf ./yamlfmt.yaml
- rm -f yamlfmt.yaml
mirrors:
- badhouseplants-git
- custom-command

54
helmule/examples/use/charts/vaultwardens.yaml
View File

@ -1,54 +0,0 @@
- name: vaultwarden
repository: badhouseplants
version: latest
extensions:
- name: Add virtual service to the chartc
target_dir: templates/extensions
source_dir: ./examples/extensions/vaultwarden
patches:
- name: Git patch 1
git:
path: ./examples/patches/git/patch.diff
- name: Git patch 2
git:
path: ./examples/patches/git/patch-2.diff
- name: yaml-fmt
custom_command:
commands:
- |-
cat <<EOT >> .yamlfmt
formatter:
pad_line_comments: 2
EOT
- yamlfmt values.yaml --conf ./yamlfmt.yaml
- rm -f yamlfmt.yaml
mirrors:
- badhouseplants-git
- custom-command
- name: vaultwarden
repository: badhouseplants
version: latest
extensions:
- name: Add virtual service to the chartc
target_dir: templates/extensions
source_dir: ./examples/extensions/vaultwarden
patches:
- name: Git patch 1
git:
path: ./examples/patches/git/patch.diff
- name: Git patch 2
git:
path: ./examples/patches/git/patch-2.diff
- name: yaml-fmt
custom_command:
commands:
- |-
cat <<EOT >> .yamlfmt
formatter:
pad_line_comments: 2
EOT
- yamlfmt values.yaml --conf ./yamlfmt.yaml
- rm -f yamlfmt.yaml
mirrors:
- badhouseplants-git
- custom-command

1
helmule/examples/yamlfmt.yml
View File

@ -1 +0,0 @@
pad_line_comments: 2

21
lib/Cargo.toml
View File

@ -1,21 +0,0 @@
[package]
name = "helmzoo_lib"
version = "0.1.0"
edition = "2021"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[dependencies]
serde = { workspace = true }
serde_json ={ workspace = true }
serde_yaml = { workspace = true }
tempfile = { workspace = true }
base64 = { workspace = true }
console = "0.15.8"
dialoguer = "0.11.0"
env_logger = "0.10.1"
indicatif = "0.17.7"
log = "0.4.20"
which = "6.0.0"
handlebars = "5.0.0"
chrono = "0.4.31"

86
lib/src/config.rs
View File

@ -1,86 +0,0 @@
use std::{error::Error, ffi::OsStr, fs::File, path::Path};
use serde::de::DeserializeOwned;
pub trait ConfigImpl {
fn apply_includes(&mut self, config_path: String) -> Result<(), Box<dyn Error>>;
}
pub fn read_config<T: DeserializeOwned>(path: String) -> Result<T, Box<dyn Error>> {
let config_content = File::open(path.clone())?;
let config = match get_extension_from_filename(&path) {
Some(ext) => match ext {
"yaml" | "yml" => serde_yaml::from_reader(config_content)?,
_ => return Err(Box::from(format!("{} files are not supported", ext))),
},
None => return Err(Box::from("can't read file without extension")),
};
Ok(config)
}
fn get_extension_from_filename(filename: &str) -> Option<&str> {
Path::new(filename).extension().and_then(OsStr::to_str)
}
#[cfg(test)]
mod tests {
use super::{get_extension_from_filename, read_config};
use serde::{Deserialize, Serialize};
use std::{error::Error, fs::File, io::Write};
use tempfile::tempdir;
#[test]
fn test_extension_getter() {
let filepath = "/tmp/config.yaml";
let extension = get_extension_from_filename(filepath);
assert_eq!(extension, Some("yaml"));
}
#[test]
fn test_extension_getter_empty() {
let filepath = "/tmp/config";
let extension = get_extension_from_filename(filepath);
assert_eq!(extension, None);
}
#[derive(Serialize, Deserialize, PartialEq, Debug, Clone)]
struct DummyConfig {
string: String,
amounts: Vec<DummyProperty>,
}
#[derive(Serialize, Deserialize, PartialEq, Debug, Clone)]
struct DummyProperty {
amount: i32,
}
fn prepare_test_file(name: &str, data: &str) -> Result<String, Box<dyn Error>> {
let dir = tempdir()?;
let file_path = dir.into_path().join(&name);
let mut file = File::create(file_path.clone())?;
file.write_all(data.as_bytes())?;
let path = file_path.into_os_string().to_str().unwrap().to_string();
Ok(path)
}
#[test]
fn test_config_reader() -> Result<(), Box<dyn Error>> {
let content = "---
string: test
amounts:
- amount: 4
- amount: 5
";
let file_path = prepare_test_file("config.yaml", content)?;
let config_data: DummyConfig;
config_data = read_config(file_path)?;
let expected = DummyConfig {
string: "test".to_string(),
amounts: vec![DummyProperty { amount: 4 }, DummyProperty { amount: 5 }],
};
assert_eq!(expected, config_data);
Ok(())
}
}

23
lib/src/lib.rs
View File

@ -1,23 +0,0 @@
pub mod cli;
pub mod config;
pub mod git;
pub mod helm;
pub mod include;
pub mod output;
pub mod template;
pub mod workdir;
pub fn add(left: usize, right: usize) -> usize {
left + right
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn it_works() {
let result = add(2, 2);
assert_eq!(result, 4);
}
}

0
lib/src/cli.rs → src/cli.rs
View File

93
helmule/src/config.rs → src/config.rs
View File

@ -1,8 +1,8 @@
use std::{collections::HashMap, error::Error}; use std::{collections::HashMap, error::Error, ffi::OsStr, fs::File, path::Path};
use helmzoo_lib::{ use serde::de::DeserializeOwned;
use super::{
cli::is_path_relative, cli::is_path_relative,
config::ConfigImpl,
helm::{chart::Chart, repository::Repository}, helm::{chart::Chart, repository::Repository},
include::Include, include::Include,
output::message_info, output::message_info,
@ -11,6 +11,26 @@ use serde::{Deserialize, Serialize};
use crate::{extensions::Extension, mirror::Mirror, patches::Patch}; use crate::{extensions::Extension, mirror::Mirror, patches::Patch};
pub trait ConfigImpl {
fn apply_includes(&mut self, config_path: String) -> Result<(), Box<dyn Error>>;
}
pub fn read_config<T: DeserializeOwned>(path: String) -> Result<T, Box<dyn Error>> {
let config_content = File::open(path.clone())?;
let config = match get_extension_from_filename(&path) {
Some(ext) => match ext {
"yaml" | "yml" => serde_yaml::from_reader(config_content)?,
_ => return Err(Box::from(format!("{} files are not supported", ext))),
},
None => return Err(Box::from("can't read file without extension")),
};
Ok(config)
}
fn get_extension_from_filename(filename: &str) -> Option<&str> {
Path::new(filename).extension().and_then(OsStr::to_str)
}
#[derive(Serialize, Deserialize, PartialEq, Debug, Clone, PartialOrd, Ord, Eq)] #[derive(Serialize, Deserialize, PartialEq, Debug, Clone, PartialOrd, Ord, Eq)]
pub(crate) enum SupportedIncludes { pub(crate) enum SupportedIncludes {
Repositories, Repositories,
@ -58,7 +78,7 @@ pub(crate) struct Config {
pub(crate) patches: Option<Vec<Patch>>, pub(crate) patches: Option<Vec<Patch>>,
#[serde(default = "empty_vec")] #[serde(default = "empty_vec")]
pub(crate) mirrors: Vec<Mirror>, pub(crate) mirrors: Vec<Mirror>,
pub(crate) hooks: Hooks, pub(crate) hooks: Option<Hooks>,
} }
fn empty_vec<T>() -> Vec<T> { fn empty_vec<T>() -> Vec<T> {
@ -189,7 +209,7 @@ fn include_charts(path: String) -> Result<Vec<ChartExtended>, Box<dyn Error>> {
mod tests { mod tests {
use std::{error::Error, fs::File, io::Write}; use std::{error::Error, fs::File, io::Write};
use helmzoo_lib::{ use super::{
config::ConfigImpl, config::ConfigImpl,
helm::{helm_repository::HelmRepo, repository::Repository}, helm::{helm_repository::HelmRepo, repository::Repository},
include::Include, include::Include,
@ -313,3 +333,66 @@ helm:
Ok(()) Ok(())
} }
} }
#[cfg(test)]
mod tests {
use super::{get_extension_from_filename, read_config};
use serde::{Deserialize, Serialize};
use std::{error::Error, fs::File, io::Write};
use tempfile::tempdir;
#[test]
fn test_extension_getter() {
let filepath = "/tmp/config.yaml";
let extension = get_extension_from_filename(filepath);
assert_eq!(extension, Some("yaml"));
}
#[test]
fn test_extension_getter_empty() {
let filepath = "/tmp/config";
let extension = get_extension_from_filename(filepath);
assert_eq!(extension, None);
}
#[derive(Serialize, Deserialize, PartialEq, Debug, Clone)]
struct DummyConfig {
string: String,
amounts: Vec<DummyProperty>,
}
#[derive(Serialize, Deserialize, PartialEq, Debug, Clone)]
struct DummyProperty {
amount: i32,
}
fn prepare_test_file(name: &str, data: &str) -> Result<String, Box<dyn Error>> {
let dir = tempdir()?;
let file_path = dir.into_path().join(&name);
let mut file = File::create(file_path.clone())?;
file.write_all(data.as_bytes())?;
let path = file_path.into_os_string().to_str().unwrap().to_string();
Ok(path)
}
#[test]
fn test_config_reader() -> Result<(), Box<dyn Error>> {
let content = "---
string: test
amounts:
- amount: 4
- amount: 5
";
let file_path = prepare_test_file("config.yaml", content)?;
let config_data: DummyConfig;
config_data = read_config(file_path)?;
let expected = DummyConfig {
string: "test".to_string(),
amounts: vec![DummyProperty { amount: 4 }, DummyProperty { amount: 5 }],
};
assert_eq!(expected, config_data);
Ok(())
}
}

2
helmule/src/extensions.rs → src/extensions.rs
View File

@ -1,6 +1,6 @@
use std::fs::create_dir; use std::fs::create_dir;
use helmzoo_lib::{ use super::{
cli::{copy_recursively, is_path_relative}, cli::{copy_recursively, is_path_relative},
output::message_info, output::message_info,
}; };

0
lib/src/git.rs → src/git.rs
View File

0
lib/src/helm/chart.rs → src/helm/chart.rs
View File

0
lib/src/helm/git_repository.rs → src/helm/git_repository.rs
View File

0
lib/src/helm/helm_repository.rs → src/helm/helm_repository.rs
View File

0
lib/src/helm/mod.rs → src/helm/mod.rs
View File

0
lib/src/helm/repository.rs → src/helm/repository.rs
View File

0
lib/src/include.rs → src/include.rs
View File

21
helmule/src/main.rs → src/main.rs
View File

@ -1,12 +1,7 @@
use clap::Parser; use clap::Parser;
use config::Config; use cli::{check_prerequisites, get_full_path_dir};
use helmzoo_lib::{ use config::{read_config, Config, ConfigImpl};
self, use output::{message_empty, message_error};
cli::{check_prerequisites, get_full_path_dir},
config::{read_config, ConfigImpl},
helm::repository::RepositoryImpl,
output::{message_empty, message_error},
};
use std::{error::Error, process::exit}; use std::{error::Error, process::exit};
use crate::mirror::mirror_from_mirror_obj; use crate::mirror::mirror_from_mirror_obj;
@ -15,8 +10,14 @@ mod config;
mod extensions; mod extensions;
mod mirror; mod mirror;
mod patches; mod patches;
pub mod cli;
pub mod git;
pub mod helm;
pub mod include;
pub mod output;
pub mod template;
pub mod workdir;
/// Simple program to greet a person
#[derive(Parser, Debug)] #[derive(Parser, Debug)]
#[command(author, version, about, long_about = None)] #[command(author, version, about, long_about = None)]
struct Args { struct Args {
@ -49,7 +50,7 @@ struct Args {
fn exec(args: Args) -> Result<(), Box<dyn Error>> { fn exec(args: Args) -> Result<(), Box<dyn Error>> {
let prerequisites = vec![args.helm_bin, args.git_bin, args.yq_bin]; let prerequisites = vec![args.helm_bin, args.git_bin, args.yq_bin];
check_prerequisites(prerequisites)?; check_prerequisites(prerequisites)?;
let workdir_path = helmzoo_lib::workdir::setup_workdir(args.workdir)?; let workdir_path = workdir::setup_workdir(args.workdir)?;
let mut config: Config = read_config(args.config.clone())?; let mut config: Config = read_config(args.config.clone())?;
let config_full_path = get_full_path_dir(args.config.clone())?; let config_full_path = get_full_path_dir(args.config.clone())?;
config.apply_includes(config_full_path.clone())?; config.apply_includes(config_full_path.clone())?;

4
helmule/src/mirror/custom_command.rs → src/mirror/custom_command.rs
View File

@ -1,4 +1,4 @@
use helmzoo_lib::{cli::cli_exec_from_dir, template}; use crate::{cli::cli_exec_from_dir, template};
use crate::config::ChartExtended; use crate::config::ChartExtended;
@ -18,7 +18,7 @@ impl Target for CustomCommands {
dry_run: bool, dry_run: bool,
) -> Result<(), Box<dyn std::error::Error>> { ) -> Result<(), Box<dyn std::error::Error>> {
for cmd_tmpl in self.package.clone() { for cmd_tmpl in self.package.clone() {
let mut reg = helmzoo_lib::template::register_handlebars(); let mut reg = template::register_handlebars();
reg.register_template_string("cmd", cmd_tmpl)?; reg.register_template_string("cmd", cmd_tmpl)?;
let cmd = reg.render("cmd", &chart_local)?; let cmd = reg.render("cmd", &chart_local)?;
cli_exec_from_dir(cmd, chart_path.clone())?; cli_exec_from_dir(cmd, chart_path.clone())?;

4
helmule/src/mirror/git.rs → src/mirror/git.rs
View File

@ -1,7 +1,7 @@
use base64::{engine::general_purpose, Engine}; use base64::{engine::general_purpose, Engine};
use dircpy::*; use dircpy::*;
use helmzoo_lib::git::{CheckoutOptions, CommitOptions, Git, GitOptions, PushOptions}; use crate::git::{CheckoutOptions, CommitOptions, Git, GitOptions, PushOptions};
use helmzoo_lib::template; use crate::template;
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use crate::config::ChartExtended; use crate::config::ChartExtended;

0
helmule/src/mirror/mod.rs → src/mirror/mod.rs
View File

0
lib/src/output.rs → src/output.rs
View File

2
helmule/src/patches.rs → src/patches.rs
View File

@ -4,7 +4,7 @@
path::{Path, PathBuf}, path::{Path, PathBuf},
}; };
use helmzoo_lib::{ use super::{
cli::{cli_exec, cli_exec_from_dir}, cli::{cli_exec, cli_exec_from_dir},
output::message_info, output::message_info,
}; };

0
lib/src/template.rs → src/template.rs
View File

0
lib/src/workdir.rs → src/workdir.rs
View File