From 37c4554cfb9314acac447a203d0e724069b16ebe Mon Sep 17 00:00:00 2001 
From: g-bgg Date: Mon, 6 Oct 2025 14:56:49 +0200 Subject: [PATCH] build-container-helm-chart-flux-demo --- .github/workflows/build.yaml | 22 +-- .github/workflows/release.yaml | 90 +++++++++- Dockerfile | 15 ++ cmd/netassert/cli/run.go | 4 +- fluxcd-demo/README.md | 168 ++++++++++++++++++ fluxcd-demo/fluxcd-helmconfig.yaml | 33 ++++ fluxcd-demo/helm/Chart.yaml | 9 + fluxcd-demo/helm/templates/_helpers.tpl | 32 ++++ fluxcd-demo/helm/templates/deployment.yaml | 85 +++++++++ fluxcd-demo/helm/templates/pod1-pod2.yaml | 45 +++++ .../helm/templates/post-deploy-tests.yaml | 117 ++++++++++++ fluxcd-demo/helm/templates/statefulset.yaml | 29 +++ fluxcd-demo/helm/values.yaml | 1 + fluxcd-demo/kind-cluster.yaml | 8 + helm/Chart.yaml | 8 + helm/README.md | 0 helm/templates/NOTES.txt | 0 helm/templates/_helpers.tpl | 42 +++++ helm/templates/clusterrole.yaml | 24 +++ helm/templates/clusterrolebinding.yaml | 19 ++ helm/templates/configmap.yaml | 16 ++ helm/templates/job.yaml | 79 ++++++++ helm/templates/serviceaccount.yaml | 11 ++ helm/values.yaml | 29 +++ 24 files changed, 871 insertions(+), 15 deletions(-) create mode 100644 Dockerfile create mode 100644 fluxcd-demo/README.md create mode 100644 fluxcd-demo/fluxcd-helmconfig.yaml create mode 100755 fluxcd-demo/helm/Chart.yaml create mode 100644 fluxcd-demo/helm/templates/_helpers.tpl create mode 100644 fluxcd-demo/helm/templates/deployment.yaml create mode 100644 fluxcd-demo/helm/templates/pod1-pod2.yaml create mode 100644 fluxcd-demo/helm/templates/post-deploy-tests.yaml create mode 100644 fluxcd-demo/helm/templates/statefulset.yaml create mode 100644 fluxcd-demo/helm/values.yaml create mode 100644 fluxcd-demo/kind-cluster.yaml create mode 100755 helm/Chart.yaml create mode 100644 helm/README.md create mode 100644 helm/templates/NOTES.txt create mode 100644 helm/templates/_helpers.tpl create mode 100644 helm/templates/clusterrole.yaml create mode 100644 helm/templates/clusterrolebinding.yaml create mode 100644 
helm/templates/configmap.yaml create mode 100644 helm/templates/job.yaml create mode 100644 helm/templates/serviceaccount.yaml create mode 100644 helm/values.yaml diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 9dad848..bd5690a 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -11,20 +11,20 @@ on: branches: ['main', 'master'] jobs: - lint: - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@v3 + # lint: + # runs-on: ubuntu-latest + # steps: + # - name: Checkout repository + # uses: actions/checkout@v3 - - name: Run golangci-lint - uses: reviewdog/action-golangci-lint@v2 - with: - go_version: "1.24.3" - golangci_lint_flags: "--timeout=5m0s" + # - name: Run golangci-lint + # uses: reviewdog/action-golangci-lint@v2 + # with: + # go_version: "1.24.3" + # golangci_lint_flags: "--timeout=5m0s" build: runs-on: ubuntu-latest - needs: lint + #needs: lint steps: - name: Checkout source code uses: actions/checkout@v3 diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 8309162..8584e05 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -1,13 +1,19 @@ -name: goreleaser +name: release on: push: tags: - "v[0-9]+.[0-9]+.[0-9]+" + - "v[0-9]+.[0-9]+.[0-9]+-testing[0-9]+" permissions: contents: write +env: + GH_REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + RELEASE_VERSION: ${{ github.ref_name }} + jobs: goreleaser: runs-on: ubuntu-latest @@ -18,7 +24,7 @@ jobs: uses: actions/setup-go@v3 with: go-version: '1.24.3' - - uses: anchore/sbom-action/download-syft@v0.13.3 + - uses: anchore/sbom-action/download-syft@v0.20.6 - name: Run GoReleaser uses: goreleaser/goreleaser-action@v4 with: 
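Review bot: The lint job and the build job's `needs: lint` are commented out rather than removed, with nothing saying why or when they return, so build.yaml now runs without golangci-lint and the dead block will drift from the live one. Either delete the block or put `# lint disabled: <reason / tracking issue>` above it. The checkout and lint actions are also referenced by floating major tags (`@v3`, `@v2`) while the release workflow in this same commit pins several actions to commit SHAs; if the job is re-enabled, pin these the same way.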
@@ -26,3 +32,83 @@ jobs: args: release --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + packagerelease: + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + attestations: write + id-token: write + steps: + - name: Checkout repository + uses: actions/checkout@v5 + - name: Log in to the GitHub Container registry + uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1 + with: + registry: ${{ env.GH_REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 + with: + images: ${{ env.GH_REGISTRY }}/${{ env.IMAGE_NAME }} + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Build and push Docker image + id: push + uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4 + with: + context: . + platforms: linux/amd64,linux/arm64 + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + build-args: | + VERSION=${{ env.RELEASE_VERSION }} + - name: Login to Docker Hub + uses: docker/login-action@v2 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + - name: Build and push + uses: docker/build-push-action@v4 + with: + context: . 
+ platforms: linux/amd64,linux/arm64 + push: true + tags: | + controlplane/netassert:${{ github.ref_name }} + controlplane/netassert:latest + build-args: | + VERSION=${{ env.RELEASE_VERSION }} + + - name: Generate artifact attestation + uses: actions/attest-build-provenance@v3 + with: + subject-name: ${{ env.GH_REGISTRY }}/${{ env.IMAGE_NAME}} + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true + + - name: Set up Helm + uses: azure/setup-helm@v4 + - name: Setup yq + uses: mikefarah/yq@v4 + - name: Log in to GitHub Container Registry + run: | + echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u ${{ github.actor }} --password-stdin + - name: Prepare and package Helm chart + run: | + CLEAN_VERSION=$(echo "$RELEASE_VERSION" | sed 's/^v//') + echo "Using chart version and appVersion: $CLEAN_VERSION" + yq -i ".image.tag = \"${RELEASE_VERSION}\"" ./helm/values.yaml + yq -i ".version = \"${CLEAN_VERSION}\"" ./helm/Chart.yaml + yq -i ".appVersion = \"${CLEAN_VERSION}\"" ./helm/Chart.yaml + helm package ./helm -d . + - name: Push Helm chart to GHCR + run: | + CLEAN_VERSION=$(echo "$RELEASE_VERSION" | sed 's/^v//') + helm push "./netassert-${CLEAN_VERSION}.tgz" oci://ghcr.io/${{ github.repository_owner }}/charts \ No newline at end of file diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..dcb6ff7 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,15 @@ +FROM golang:1.24-alpine AS builder + +ARG VERSION + +COPY . /build +WORKDIR /build + +RUN go mod download && \ + CGO_ENABLED=0 GO111MODULE=on go build -ldflags="-X 'main.appName=NetAssert' -X 'main.version=${VERSION}'" -v -o /netassertv2 cmd/netassert/cli/*.go && \ + ls -ltr /netassertv2 + +FROM gcr.io/distroless/base:nonroot +COPY --from=builder /netassertv2 /usr/bin/netassertv2 + +ENTRYPOINT [ "/usr/bin/netassertv2" ] diff --git a/cmd/netassert/cli/run.go b/cmd/netassert/cli/run.go index 160e7e3..4f51cf8 100644 --- a/cmd/netassert/cli/run.go 
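Review bot: `controlplane/netassert:latest` in the second "Build and push" step is pushed for every matching tag, so a `v1.2.3-testing1` tag (now matched by the `-testing[0-9]+` pattern added in the first hunk) overwrites `latest` on Docker Hub with a test build. Generate the Docker Hub tags with a second `docker/metadata-action` step and enable `latest` only for non-testing tags, as sketched below. The same two Docker Hub steps use floating `docker/login-action@v2` and `docker/build-push-action@v4` while the GHCR steps are pinned to commit SHAs; pin them the same way. `echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login …` expands the secret into the shell script text; pass it through the step's `env:` and reference `"$HELM_TOKEN"` in the script instead.
```yaml
      - name: Extract metadata for Docker Hub
        id: hubmeta
        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
        with:
          images: controlplane/netassert
          tags: |
            type=raw,value=${{ github.ref_name }}
            type=raw,value=latest,enable=${{ !contains(github.ref_name, '-testing') }}
      # … unchanged: Login to Docker Hub …
      - name: Build and push
        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
        with:
          # … unchanged: context, platforms, push, build-args …
          tags: ${{ steps.hubmeta.outputs.tags }}
```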
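Review bot: The runtime stage uses `gcr.io/distroless/base:nonroot` although the binary is built with `CGO_ENABLED=0`, so the libc and related libraries in `base` are never used and only widen the image's patch surface; `FROM gcr.io/distroless/static:nonroot` is enough for a static Go binary and still carries CA certificates. Neither `golang:1.24-alpine` nor the distroless tag is pinned by digest, so a rebuild can pick up a different base; pin both with `@sha256:<digest>` (placeholder) and let a dependency bot bump them. `ls -ltr /netassertv2` in the RUN step is a debugging leftover and `GO111MODULE=on` has been the default since Go 1.16; both can go. `COPY . /build` copies the whole checkout into the builder stage; confirm a `.dockerignore` excludes `.git` and local artefacts, which this diff does not show.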
+++ b/cmd/netassert/cli/run.go @@ -35,9 +35,9 @@ type runCmdConfig struct { var runCmdCfg = runCmdConfig{ TapFile: "results.tap", // name of the default TAP file where the results will be written SuffixLength: 9, // suffix length of the random string to be appended to the container name - SnifferContainerImage: "docker.io/controlplane/netassertv2-packet-sniffer:latest", + SnifferContainerImage: "docker.io/controlplane/netassertv2-packet-sniffer:v1.1.7", SnifferContainerPrefix: "netassertv2-sniffer", - ScannerContainerImage: "docker.io/controlplane/netassertv2-l4-client:latest", + ScannerContainerImage: "docker.io/controlplane/netassertv2-l4-client:v1.0.6", ScannerContainerPrefix: "netassertv2-client", PauseInSeconds: 1, // seconds to pause before each test case PacketCaptureInterface: `eth0`, // the interface used by the sniffer image to capture traffic diff --git a/fluxcd-demo/README.md b/fluxcd-demo/README.md new file mode 100644 index 0000000..59c606f --- /dev/null +++ b/fluxcd-demo/README.md 
@@ -0,0 +1,168 @@ +# 🚀 FluxCD Demo Guide + +This guide walks you through setting up a **FluxCD** demo environment using **kind** (Kubernetes in Docker) and a **local Helm chart registry**. +You’ll see how Flux automates Helm releases and how to observe its reconciliation behavior in action while running tests with **NetAssert**. + +--- + +## 🧰 Prerequisites + +Before starting, make sure you have the following tools installed: + +- [Docker](https://docs.docker.com/get-docker/) +- [kubectl](https://kubernetes.io/docs/tasks/tools/) +- [kind](https://kind.sigs.k8s.io/) +- [Helm](https://helm.sh/docs/intro/install/) + +--- + +## 🏗️ Step 1: Set Up the Environment + +### 1.1 Start a Local Docker Registry + +FluxCD can work with OCI-based Helm registries. Start a local Docker registry to host your Helm charts: + +```bash +docker run -d -p 5000:5000 --restart=always --name registry-5000 registry:2 +``` + +This creates a local registry accessible at `localhost:5000`. + +--- + +### 1.2 Create a Kind Cluster + +Create a local Kubernetes cluster using your configuration file: + +```bash +kind create cluster --config kind-cluster.yaml +``` + +Once complete, verify the cluster is ready: + +```bash +kubectl cluster-info +kubectl get nodes +``` + +--- + +## ⚙️ Step 2: Install FluxCD + +Refer to the official documentation for detailed installation instructions: +👉 [FluxCD Installation Guide](https://fluxcd.io/flux/installation/) + +For this demo, you can use the following command: + +```bash +kubectl apply -f https://github.com/fluxcd/flux2/releases/download/v2.7.2/install.yaml +``` + +Verify that FluxCD is running: + +```bash +kubectl get pods -n flux-system +``` + +Expected output should include components like: + +``` +helm-controller +kustomize-controller +notification-controller +source-controller +``` + +All should reach the `Running` state. 
+ +--- + +## 📦 Step 3: Package and Push the Helm Chart + +### 3.1 Update Chart Versions + +Before packaging, update the NetAssert subchart to a version available in the packages section of this repo. + +--- + +### 3.2 Package the Helm Chart + +Run the following command to package your chart into a `.tgz` archive: + +```bash +helm package ./helm -d . +``` + +This produces a packaged chart file, for example: + +``` +./fluxcd-demo-0.0.1-dev.tgz +``` + +--- + +### 3.3 Push the Chart to the Local Registry + +Push the packaged Helm chart to your local OCI registry: + +```bash +helm push ./fluxcd-demo-0.0.1-dev.tgz oci://localhost:5000/fluxcd/ +``` + +--- + +### 3.4 Apply the FluxCD configs + +Apply the fluxcd-helmconfig.yaml file so FluxCD can release the charts: + +```bash +kubectl apply -f fluxcd-helmconfig.yaml +``` + +--- + +## 🔄 Step 4: Watch Flux Reconcile the Release with NetAssert Tests + +Flux continuously monitors and applies Helm releases defined in your cluster. +To observe its behavior, list Helm releases managed by Flux: + +```bash +kubectl get helmreleases +``` + +Flux will automatically pull your Helm chart from the registry and apply it. + +--- + +### 🧩 What to Observe + +- The **init container** in your k8s deployment object intentionally delay completion. +- The **Netassert** job will not be created until the deployment finishes. +- Once the deployments completes, Netassert will start running as a Job, and once finished it is going to make the release marked as successful or failed. + +--- + +## 🔁 Step 5: Demonstrate an Upgrade + +You can simulate a Helm chart upgrade to observe Flux’s automated update handling. + +1. **Update chart version** — bump your chart version. +2. **Repackage** the chart: + + ```bash + helm package ./helm -d . + ``` + +3. **Push** the new version to the registry: + + ```bash + helm push ./fluxcd-demo-0.0.2-dev.tgz oci://localhost:5000/fluxcd/ + ``` + +4. 
**Watch** Flux detect and reconcile the new version: + + ```bash + kubectl get helmreleases -w + ``` + +You’ll see Flux automatically roll out the new chart and update your resources in place, and then run the NetAssert tests. diff --git a/fluxcd-demo/fluxcd-helmconfig.yaml b/fluxcd-demo/fluxcd-helmconfig.yaml new file mode 100644 index 0000000..4a98ee0 --- /dev/null +++ b/fluxcd-demo/fluxcd-helmconfig.yaml @@ -0,0 +1,33 @@ +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: demo-repo + namespace: default +spec: + type: "oci" + insecure: true + interval: 10s + url: oci://host.docker.internal:5000/fluxcd +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: demo-release + namespace: default +spec: + interval: 10s + timeout: 5m + chart: + spec: + chart: fluxcd-demo + version: '0.0.x-dev' + sourceRef: + kind: HelmRepository + name: demo-repo + interval: 1m + releaseName: myhelmrelease + # valuesFrom: + # - kind: ConfigMap + # name: tests + # valuesKey: test-cases.yaml + # targetPath: testFile \ No newline at end of file diff --git a/fluxcd-demo/helm/Chart.yaml b/fluxcd-demo/helm/Chart.yaml new file mode 100755 index 0000000..c30c20a --- /dev/null +++ b/fluxcd-demo/helm/Chart.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +description: fluxcd-demo +name: fluxcd-demo +version: 0.0.1-dev +appVersion: 0.0.1-dev +dependencies: +- name: netassert + repository: oci://ghcr.io/controlplaneio/charts + version: diff --git a/fluxcd-demo/helm/templates/_helpers.tpl b/fluxcd-demo/helm/templates/_helpers.tpl new file mode 100644 index 0000000..23cafbf --- /dev/null +++ b/fluxcd-demo/helm/templates/_helpers.tpl 
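Review bot: `insecure: true` on the HelmRepository, together with `type: "oci"` and the `oci://host.docker.internal:5000/fluxcd` URL, disables TLS for the chart source; that is what the local registry in the README needs, but nothing in the file says so. Add `# demo only: the local registry from the README is plain HTTP; do not copy this into a real environment` above the field. The commented-out `valuesFrom` block at the end is dead configuration; remove it or state in a comment what it is kept for. The file also has no trailing newline.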
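Review bot: The netassert dependency ends in a bare `version:`, which YAML reads as null, so `helm dependency update` / `helm package` will not resolve the subchart until a value is filled in, and the README only hints at this in step 3.1. Put a comment on the line, `version: # set to a chart version published at oci://ghcr.io/controlplaneio/charts before packaging`, or ship a concrete version. `dependencies:` inside Chart.yaml is the apiVersion v2 layout; with `apiVersion: v1` Helm 3 may look for them in requirements.yaml instead, so switching to `apiVersion: v2` is the safer choice.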
@@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "fluxcd-demo.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "fluxcd-demo.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "fluxcd-demo.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/fluxcd-demo/helm/templates/deployment.yaml b/fluxcd-demo/helm/templates/deployment.yaml new file mode 100644 index 0000000..129e357 --- /dev/null +++ b/fluxcd-demo/helm/templates/deployment.yaml 
@@ -0,0 +1,85 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: echoserver +--- +apiVersion: v1 +kind: Namespace +metadata: + name: busybox +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "fluxcd-demo.fullname" . }}-echoserver + namespace: echoserver + labels: + app: echoserver-deploy +spec: + replicas: 1 + selector: + matchLabels: + app: echoserver + template: + metadata: + labels: + app: echoserver + spec: + initContainers: + - name: "sleepy" + image: busybox:1.36 + command: ["sh", "-c", "echo 'Sleeping...'; sleep 20"] + containers: + - name: echoserver + image: k8s.gcr.io/e2e-test-images/echoserver:2.5 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8080 + name: web + resources: + requests: + memory: 64Mi + cpu: 300m + limits: + memory: 64Mi + cpu: 400m + securityContext: + allowPrivilegeEscalation: false + privileged: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "fluxcd-demo.fullname" . }}-busybox + namespace: busybox + labels: + app: busybox +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: busybox + image: busybox + command: + - sleep + - "360000" + imagePullPolicy: IfNotPresent + resources: + requests: + memory: 64Mi + cpu: 300m + limits: + memory: 64Mi + cpu: 400m + securityContext: + allowPrivilegeEscalation: false + privileged: false +... diff --git a/fluxcd-demo/helm/templates/pod1-pod2.yaml b/fluxcd-demo/helm/templates/pod1-pod2.yaml new file mode 100644 index 0000000..db34c65 --- /dev/null +++ b/fluxcd-demo/helm/templates/pod1-pod2.yaml 
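Review bot: Image references in this file are inconsistently pinned: the init container uses `busybox:1.36` but the busybox Deployment uses bare `image: busybox`, which floats to `latest` and can change between demo runs; pin it to the same `busybox:1.36`. `k8s.gcr.io/e2e-test-images/echoserver:2.5` points at the legacy registry host; `registry.k8s.io/e2e-test-images/echoserver:2.5` is the current one. The same bare `busybox` and an `nginx:latest` appear in pod1-pod2.yaml, and the pod2 Pod there has no resources or securityContext unlike every other workload in the chart. The securityContexts here set `allowPrivilegeEscalation: false` but not `runAsNonRoot` or `capabilities.drop: [ALL]`; acceptable for a demo, but a comment saying so would stop the file being copied as a hardened example.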
@@ -0,0 +1,45 @@ + +--- +apiVersion: v1 +kind: Namespace +metadata: + name: pod1 +--- +apiVersion: v1 +kind: Namespace +metadata: + name: pod2 +--- +apiVersion: v1 +kind: Pod +metadata: + name: {{ template "fluxcd-demo.fullname" . }}-pod2 + namespace: pod2 +spec: + containers: + - name: webserver + image: nginx:latest + ports: + - containerPort: 80 +--- +apiVersion: v1 +kind: Pod +metadata: + name: {{ template "fluxcd-demo.fullname" . }}-pod1 + namespace: pod1 +spec: + containers: + - name: busybox + image: busybox + command: + - sleep + - "360000" + imagePullPolicy: IfNotPresent + resources: + requests: + memory: 64Mi + cpu: 300m + limits: + memory: 64Mi + cpu: 400m + diff --git a/fluxcd-demo/helm/templates/post-deploy-tests.yaml b/fluxcd-demo/helm/templates/post-deploy-tests.yaml new file mode 100644 index 0000000..9b9745f --- /dev/null +++ b/fluxcd-demo/helm/templates/post-deploy-tests.yaml 
@@ -0,0 +1,117 @@ +apiVersion: v1 +data: + test.yaml: | + --- + - name: busybox-deploy-to-echoserver-deploy + type: k8s + protocol: tcp + targetPort: 8080 + timeoutSeconds: 67 + attempts: 3 + exitCode: 0 + src: + k8sResource: + kind: deployment + name: {{ template "fluxcd-demo.fullname" . }}-busybox + namespace: busybox + dst: + k8sResource: + kind: deployment + name: {{ template "fluxcd-demo.fullname" . }}-echoserver + namespace: echoserver + ###### + ###### + - name: busybox-deploy-to-echoserver-deploy-2 + type: k8s + protocol: udp + targetPort: 53 + timeoutSeconds: 67 + attempts: 1 + exitCode: 0 + src: + k8sResource: + kind: deployment + name: {{ template "fluxcd-demo.fullname" . }}-busybox + namespace: busybox + dst: + k8sResource: + kind: deployment + name: {{ template "fluxcd-demo.fullname" . }}-echoserver + namespace: echoserver + ######## + ######### + ####### + ###### + - name: busybox-deploy-to-web-statefulset + type: k8s + protocol: tcp + targetPort: 80 + timeoutSeconds: 67 + attempts: 3 + exitCode: 0 + src: + k8sResource: # this is type endpoint + kind: deployment + name: {{ template "fluxcd-demo.fullname" . }}-busybox + namespace: busybox + dst: + k8sResource: ## this is type endpoint + kind: statefulset + name: {{ template "fluxcd-demo.fullname" . }}-web + namespace: web + ### + #### + - name: busybox-deploy-to-control-plane-dot-io + type: k8s + protocol: tcp + targetPort: 80 + timeoutSeconds: 67 + attempts: 3 + exitCode: 0 + src: + k8sResource: # type endpoint + kind: deployment + name: {{ template "fluxcd-demo.fullname" . }}-busybox + namespace: busybox + dst: + host: # type host or node or machine + name: control-plane.io + ### + ### + - name: test-from-pod1-to-pod2 + type: k8s + protocol: tcp + targetPort: 80 + timeoutSeconds: 67 + attempts: 3 + exitCode: 0 + src: + k8sResource: ## + kind: pod + name: {{ template "fluxcd-demo.fullname" . }}-pod1 + namespace: pod1 + dst: + k8sResource: + kind: pod + name: {{ template "fluxcd-demo.fullname" . 
}}-pod2 + namespace: pod2 + ### + ### + - name: busybox-deploy-to-fake-host + type: k8s + protocol: tcp + targetPort: 333 + timeoutSeconds: 67 + attempts: 3 + exitCode: 1 + src: + k8sResource: # type endpoint + kind: deployment + name: {{ template "fluxcd-demo.fullname" . }}-busybox + namespace: busybox + dst: + host: # type host or node or machine + name: 0.0.0.0 +kind: ConfigMap +metadata: + name: "{{ .Release.Name }}-netassert" diff --git a/fluxcd-demo/helm/templates/statefulset.yaml b/fluxcd-demo/helm/templates/statefulset.yaml new file mode 100644 index 0000000..464fe61 --- /dev/null +++ b/fluxcd-demo/helm/templates/statefulset.yaml @@ -0,0 +1,29 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: web +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "fluxcd-demo.fullname" . }}-web + namespace: web +spec: + serviceName: "nginx" + replicas: 2 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.28 + ports: + - containerPort: 80 + name: web +... diff --git a/fluxcd-demo/helm/values.yaml b/fluxcd-demo/helm/values.yaml new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/fluxcd-demo/helm/values.yaml @@ -0,0 +1 @@ + diff --git a/fluxcd-demo/kind-cluster.yaml b/fluxcd-demo/kind-cluster.yaml new file mode 100644 index 0000000..37550d8 --- /dev/null +++ b/fluxcd-demo/kind-cluster.yaml @@ -0,0 +1,8 @@ +kind: Cluster +apiVersion: kind.x-k8s.io/v1alpha4 +containerdConfigPatches: + - |- + [plugins."io.containerd.grpc.v1.cri".registry.mirrors."host.docker.internal:5050"] + endpoint = ["http://host.docker.internal:5050"] + [plugins."io.containerd.grpc.v1.cri".registry.configs."host.docker.internal:5050"] + insecure_skip_verify = true \ No newline at end of file diff --git a/helm/Chart.yaml b/helm/Chart.yaml new file mode 100755 index 0000000..8cca2ca --- /dev/null +++ b/helm/Chart.yaml 
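Review bot: The ConfigMap name `"{{ .Release.Name }}-netassert"` is an implicit contract with the netassert subchart, whose Job mounts a ConfigMap named by its `netassert.fullname` helper and which renders no ConfigMap of its own in `post-deploy` mode; the two names only coincide while the release name does not contain `netassert` and no `nameOverride`/`fullnameOverride` is set for the subchart. Add a comment above `metadata:`, e.g. `# name must equal the netassert subchart's fullname (<release>-netassert): in post-deploy mode the subchart mounts this ConfigMap instead of rendering its own`. The `###` separator lines and the `# this is type endpoint` / `## this is type endpoint` comments inside the embedded test.yaml carry no information; drop them or keep one descriptive comment per test case.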
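Review bot: The containerd patch registers `host.docker.internal:5050` as an insecure mirror, but the registry started in the README listens on `5000` and fluxcd-helmconfig.yaml pulls from `host.docker.internal:5000`, so unless a second registry on 5050 is intended this patch never matches anything. Align the port with the rest of the demo or say in a comment what 5050 is for. `insecure_skip_verify = true` with an `http://` endpoint disables registry TLS for the node; a comment such as `# demo only: plain-HTTP local registry` makes the scope clear. The file also has no trailing newline.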
@@ -0,0 +1,8 @@ +apiVersion: v1 +description: NetAssert +name: netassert +version: 1.0.0-dev +appVersion: 1.0.0-dev +home: https://github.com/controlplaneio/netassert +sources: +- https://github.com/controlplaneio/netassert diff --git a/helm/README.md b/helm/README.md new file mode 100644 index 0000000..e69de29 diff --git a/helm/templates/NOTES.txt b/helm/templates/NOTES.txt new file mode 100644 index 0000000..e69de29 diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl new file mode 100644 index 0000000..b3cf2c3 --- /dev/null +++ b/helm/templates/_helpers.tpl @@ -0,0 +1,42 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "netassert.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "netassert.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "netassert.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Add Helm annotations when used as a post-deployment tast. +*/}} +{{- define "netassert.hookAnnotations" -}} +{{- if eq .Values.mode "post-deploy" }} +helm.sh/hook: post-install,post-upgrade +helm.sh/hook-weight: "0" +{{- end }} +{{- end }} 
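Review bot: `netassert.hookAnnotations` turns the Job, ServiceAccount, ClusterRole and ClusterRoleBinding into Helm hooks in `post-deploy` mode, and hook resources are not part of the release's tracked manifest, so `helm uninstall` leaves the cluster-wide RBAC grant behind unless a deletion policy is set. Add `helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded` next to the hook annotation, or at least document the leftover in the comment above the define. Since the Job sets `ttlSecondsAfterFinished` to keep its logs, the `hook-succeeded` part may be better applied only in the RBAC templates. The comment above the define also reads "post-deployment tast"; make it "task".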
diff --git a/helm/templates/clusterrole.yaml b/helm/templates/clusterrole.yaml new file mode 100644 index 0000000..beca9f3 --- /dev/null +++ b/helm/templates/clusterrole.yaml @@ -0,0 +1,24 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "netassert.fullname" . }} + annotations: + {{- include "netassert.hookAnnotations" . | nindent 4 }} + labels: + app: {{ template "netassert.name" . }} + chart: {{ template "netassert.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["pods/ephemeralcontainers"] + verbs: ["patch"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list"] + - apiGroups: ["apps"] + resources: ["deployments", "statefulsets", "daemonsets"] + verbs: ["get"] \ No newline at end of file diff --git a/helm/templates/clusterrolebinding.yaml b/helm/templates/clusterrolebinding.yaml new file mode 100644 index 0000000..7e0f187 --- /dev/null +++ b/helm/templates/clusterrolebinding.yaml @@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "netassert.fullname" . }} + annotations: + {{- include "netassert.hookAnnotations" . | nindent 4 }} + labels: + app: {{ template "netassert.name" . }} + chart: {{ template "netassert.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "netassert.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "netassert.fullname" . }} + namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/helm/templates/configmap.yaml b/helm/templates/configmap.yaml new file mode 100644 index 0000000..c00d498 --- /dev/null +++ b/helm/templates/configmap.yaml 
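Review bot: The ClusterRole and the ClusterRoleBinding in clusterrolebinding.yaml are named `{{ template "netassert.fullname" . }}` with no namespace component, so two releases with the same release name in different namespaces collide on the cluster-scoped objects and the second install either fails or rebinds the first release's role to its own ServiceAccount. Name them `{{ template "netassert.fullname" . }}-{{ .Release.Namespace }}` in both files. The `patch` verb on `pods/ephemeralcontainers` across the whole cluster is effectively permission to run a container inside any pod; that is presumably what the sniffer/client injection in run.go needs, but it deserves a comment on the rule, e.g. `# patch on pods/ephemeralcontainers lets the job inject its sniffer/client containers into any pod cluster-wide; treat this ServiceAccount as highly privileged`. The file ends without a trailing newline.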
@@ -0,0 +1,16 @@ +{{- if ne .Values.mode "post-deploy" }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "netassert.fullname" . }} + annotations: + {{- include "netassert.hookAnnotations" . | nindent 4 }} + labels: + app: {{ template "netassert.name" . }} + chart: {{ template "netassert.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: + test.yaml: |- +{{ .Values.testFile | indent 4 }} +{{- end }} diff --git a/helm/templates/job.yaml b/helm/templates/job.yaml new file mode 100644 index 0000000..ff49884 --- /dev/null +++ b/helm/templates/job.yaml 
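Review bot: `{{ .Values.testFile | indent 4 }}` reads a value that values.yaml never defines, so when `mode` is anything other than `post-deploy` the chart either renders an empty `test.yaml` or fails with a type error in `indent`, depending on how Helm passes the missing value; neither tells the user what is wrong. Use `{{ required "testFile must be set when mode is not post-deploy" .Values.testFile | indent 4 }}` and add a documented `testFile:` entry to values.yaml. The `netassert.hookAnnotations` include is always empty here, because this template is skipped in exactly the mode in which the helper emits anything; it can be removed.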
@@ -0,0 +1,79 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "netassert.fullname" . }} + annotations: + {{- include "netassert.hookAnnotations" . | nindent 4 }} + labels: + app: {{ template "netassert.name" . }} + chart: {{ template "netassert.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + parallelism: {{ .Values.job.parallelism }} + completions: {{ .Values.job.completions }} + activeDeadlineSeconds: {{ .Values.job.activeDeadlineSeconds }} + backoffLimit: {{ .Values.job.backoffLimit }} + ttlSecondsAfterFinished: {{ .Values.job.ttlSecondsAfterFinished }} + template: + metadata: + labels: + app: {{ template "netassert.name" . }} + release: {{ .Release.Name }} + component: job + spec: + restartPolicy: {{ default "Never" .Values.job.restartPolicy }} + serviceAccount: {{ template "netassert.fullname" . }} + securityContext: + {{ toYaml .Values.securityContext | nindent 8 }} + {{- if .Values.priorityClassName }} + priorityClassName: "{{ .Values.priorityClassName }}" + {{- end }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + + containers: + - name: netassert + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: + {{ toYaml .Values.args | nindent 12 }} + env: + {{- range $key, $value := .Values.env }} + - name: {{ $key | upper | replace "." "_" }} + value: {{ $value | quote }} + {{- end }} + resources: + {{ toYaml .Values.resources | nindent 12 }} + volumeMounts: + - name: testfile + mountPath: /tests + {{- if .Values.volumeMounts }} + {{ toYaml .Values.volumeMounts | nindent 12 }} + {{- end }} + + {{- with .Values.nodeSelector }} + nodeSelector: + {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{ toYaml . 
| nindent 8 }} + {{- end }} + + volumes: + - name: testfile + configMap: + name: {{ template "netassert.fullname" . }} + {{- if .Values.volumes }} + {{ toYaml .Values.volumes | nindent 8 }} + {{- end }} + {{- range $key, $value := .Values.secretMounts }} + - name: {{ $key }} + secret: + secretName: {{ $value.secretName }} + defaultMode: {{ $value.defaultMode }} + {{- end }} \ No newline at end of file diff --git a/helm/templates/serviceaccount.yaml b/helm/templates/serviceaccount.yaml new file mode 100644 index 0000000..4b742f5 --- /dev/null +++ b/helm/templates/serviceaccount.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "netassert.fullname" . }} + annotations: + {{- include "netassert.hookAnnotations" . | nindent 4 }} + labels: + app: {{ template "netassert.name" . }} + chart: {{ template "netassert.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} \ No newline at end of file diff --git a/helm/values.yaml b/helm/values.yaml new file mode 100644 index 0000000..38cbc39 --- /dev/null +++ b/helm/values.yaml @@ -0,0 +1,29 @@ + + +mode: post-deploy +job: + parallelism: 1 + completions: 1 + activeDeadlineSeconds: 900 + backoffLimit: 0 + ttlSecondsAfterFinished: 3600 + restartPolicy: Never +terminationGracePeriodSeconds: 30 +serviceAccount: +image: + repository: controlplane/netassert + tag: 1.0.0-dev + pullPolicy: IfNotPresent +args: + - run + - --input-file + - /tests/test.yaml +resources: {} +priorityClassName: "" +nodeSelector: {} +tolerations: [] +affinity: {} +securityContext: {} +env: {} +volumes: +volumeMounts:
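Review bot: `serviceAccount:` under the pod spec is the deprecated alias; write `serviceAccountName: {{ template "netassert.fullname" . }}` so the intent is explicit and stricter validators do not warn. The Job mounts ConfigMap `{{ template "netassert.fullname" . }}`, which this chart only renders when `mode` is not `post-deploy`; in post-deploy mode the parent chart must supply a ConfigMap of that exact name, and nothing in job.yaml says so — add `# in post-deploy mode this ConfigMap must be supplied by the parent chart under the same name` next to the volume. The `{{ toYaml … | nindent N }}` lines are both indented and use `nindent`, so each emits a whitespace-only line before the content; open them with `{{-` as the surrounding `with` blocks do. The pod spec continues from the previous line of this hunk.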
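Review bot: `serviceAccount:`, `volumes:` and `volumeMounts:` are bare keys, which YAML reads as null; the job template guards `volumes`/`volumeMounts` with `if` so null works, but `[]` states the intent, and `serviceAccount` is referenced by no template in this commit and can be dropped. `testFile` has no entry although configmap.yaml reads it when `mode` is not `post-deploy`; add `testFile: ""  # NetAssert test cases, required unless mode is post-deploy`. `securityContext: {}` leaves the Job pod without `runAsNonRoot` or a `seccompProfile`; the Dockerfile's distroless `nonroot` image supplies the non-root user, and a comment saying so would keep that assumption visible. The file starts with two blank lines and has no trailing newline.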