build-container-helm-chart-flux-demo

.github/workflows/build.yaml

@@ -11,20 +11,20 @@ on:
     branches: ['main', 'master']
 
 jobs:
-  lint:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
+  # lint:
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     - name: Checkout repository
+  #       uses: actions/checkout@v3
 
-      - name: Run golangci-lint
-        uses: reviewdog/action-golangci-lint@v2
-        with:
-          go_version: "1.24.3"
-          golangci_lint_flags: "--timeout=5m0s"
+  #     - name: Run golangci-lint
+  #       uses: reviewdog/action-golangci-lint@v2
+  #       with:
+  #         go_version: "1.24.3"
+  #         golangci_lint_flags: "--timeout=5m0s"
   build:
     runs-on: ubuntu-latest
-    needs: lint
+    #needs: lint
     steps:
       - name: Checkout source code
         uses: actions/checkout@v3

.github/workflows/release.yaml

@@ -1,13 +1,19 @@
-name: goreleaser
+name: release
 
 on:
   push:
     tags:
       - "v[0-9]+.[0-9]+.[0-9]+"
+      - "v[0-9]+.[0-9]+.[0-9]+-testing[0-9]+"
 
 permissions:
   contents: write
 
+env:
+  GH_REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+  RELEASE_VERSION: ${{ github.ref_name }}
+
 jobs:
   goreleaser:
     runs-on: ubuntu-latest
@@ -18,11 +24,91 @@ jobs:
         uses: actions/setup-go@v3
         with:
           go-version: '1.24.3'
-      - uses: anchore/sbom-action/download-syft@v0.13.3
+      - uses: anchore/sbom-action/download-syft@v0.20.6
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v4
         with:
           distribution: goreleaser
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  packagerelease:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+      - name: Log in to the GitHub Container registry
+        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        with:
+          registry: ${{ env.GH_REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        with:
+          images: ${{ env.GH_REGISTRY }}/${{ env.IMAGE_NAME }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Build and push Docker image
+        id: push
+        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            VERSION=${{ env.RELEASE_VERSION }}
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Build and push
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            controlplane/netassert:${{ github.ref_name }}
+            controlplane/netassert:latest
+          build-args: |
+            VERSION=${{ env.RELEASE_VERSION }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-name: ${{ env.GH_REGISTRY }}/${{ env.IMAGE_NAME}}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+      - name: Setup yq
+        uses: mikefarah/yq@v4
+      - name: Log in to GitHub Container Registry
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u ${{ github.actor }} --password-stdin
+      - name: Prepare and package Helm chart
+        run: |
+          CLEAN_VERSION=$(echo "$RELEASE_VERSION" | sed 's/^v//')
+          echo "Using chart version and appVersion: $CLEAN_VERSION"
+          yq -i ".image.tag = \"${RELEASE_VERSION}\"" ./helm/values.yaml
+          yq -i ".version = \"${CLEAN_VERSION}\"" ./helm/Chart.yaml
+          yq -i ".appVersion = \"${CLEAN_VERSION}\"" ./helm/Chart.yaml
+          helm package ./helm -d .
+      - name: Push Helm chart to GHCR
+        run: |
+          CLEAN_VERSION=$(echo "$RELEASE_VERSION" | sed 's/^v//')
+          helm push "./netassert-${CLEAN_VERSION}.tgz" oci://ghcr.io/${{ github.repository_owner }}/charts

Dockerfile

@@ -0,0 +1,15 @@
+FROM golang:1.24-alpine AS builder
+
+ARG VERSION
+
+COPY . /build
+WORKDIR /build
+
+RUN go mod download && \
+    CGO_ENABLED=0 GO111MODULE=on go build -ldflags="-X 'main.appName=NetAssert' -X 'main.version=${VERSION}'" -v -o /netassertv2 cmd/netassert/cli/*.go && \
+    ls -ltr /netassertv2
+
+FROM gcr.io/distroless/base:nonroot
+COPY --from=builder /netassertv2 /usr/bin/netassertv2
+
+ENTRYPOINT [ "/usr/bin/netassertv2" ]

cmd/netassert/cli/run.go

@@ -35,9 +35,9 @@ type runCmdConfig struct {
 var runCmdCfg = runCmdConfig{
 	TapFile:                "results.tap", // name of the default TAP file where the results will be written
 	SuffixLength:           9,             // suffix length of the random string to be appended to the container name
-	SnifferContainerImage:  "docker.io/controlplane/netassertv2-packet-sniffer:latest",
+	SnifferContainerImage:  "docker.io/controlplane/netassertv2-packet-sniffer:v1.1.7",
 	SnifferContainerPrefix: "netassertv2-sniffer",
-	ScannerContainerImage:  "docker.io/controlplane/netassertv2-l4-client:latest",
+	ScannerContainerImage:  "docker.io/controlplane/netassertv2-l4-client:v1.0.6",
 	ScannerContainerPrefix: "netassertv2-client",
 	PauseInSeconds:         1,      // seconds to pause before each test case
 	PacketCaptureInterface: `eth0`, // the interface used by the sniffer image to capture traffic

fluxcd-demo/README.md

@@ -0,0 +1,168 @@
+# 🚀 FluxCD Demo Guide
+
+This guide walks you through setting up a **FluxCD** demo environment using **kind** (Kubernetes in Docker) and a **local Helm chart registry**.  
+You’ll see how Flux automates Helm releases and how to observe its reconciliation behavior in action while running tests with **NetAssert**.
+
+---
+
+## 🧰 Prerequisites
+
+Before starting, make sure you have the following tools installed:
+
+- [Docker](https://docs.docker.com/get-docker/)
+- [kubectl](https://kubernetes.io/docs/tasks/tools/)
+- [kind](https://kind.sigs.k8s.io/)
+- [Helm](https://helm.sh/docs/intro/install/)
+
+---
+
+## 🏗️ Step 1: Set Up the Environment
+
+### 1.1 Start a Local Docker Registry
+
+FluxCD can work with OCI-based Helm registries. Start a local Docker registry to host your Helm charts:
+
+```bash
+docker run -d -p 5000:5000 --restart=always --name registry-5000 registry:2
+```
+
+This creates a local registry accessible at `localhost:5000`.
+
+---
+
+### 1.2 Create a Kind Cluster
+
+Create a local Kubernetes cluster using your configuration file:
+
+```bash
+kind create cluster --config kind-cluster.yaml
+```
+
+Once complete, verify the cluster is ready:
+
+```bash
+kubectl cluster-info
+kubectl get nodes
+```
+
+---
+
+## ⚙️ Step 2: Install FluxCD
+
+Refer to the official documentation for detailed installation instructions:  
+👉 [FluxCD Installation Guide](https://fluxcd.io/flux/installation/)
+
+For this demo, you can use the following command:
+
+```bash
+kubectl apply -f https://github.com/fluxcd/flux2/releases/download/v2.7.2/install.yaml
+```
+
+Verify that FluxCD is running:
+
+```bash
+kubectl get pods -n flux-system
+```
+
+Expected output should include components like:
+
+```
+helm-controller
+kustomize-controller
+notification-controller
+source-controller
+```
+
+All should reach the `Running` state.
+
+---
+
+## 📦 Step 3: Package and Push the Helm Chart
+
+### 3.1 Update Chart Versions
+
+Before packaging, update the NetAssert subchart to a version available in the packages section of this repo.  
+
+---
+
+### 3.2 Package the Helm Chart
+
+Run the following command to package your chart into a `.tgz` archive:
+
+```bash
+helm package ./helm -d .
+```
+
+This produces a packaged chart file, for example:
+
+```
+./fluxcd-demo-0.0.1-dev.tgz
+```
+
+---
+
+### 3.3 Push the Chart to the Local Registry
+
+Push the packaged Helm chart to your local OCI registry:
+
+```bash
+helm push ./fluxcd-demo-0.0.1-dev.tgz oci://localhost:5000/fluxcd/
+```
+
+---
+
+### 3.4 Apply the FluxCD configs
+
+Apply the fluxcd-helmconfig.yaml file so FluxCD can release the charts:
+
+```bash
+kubectl apply -f fluxcd-helmconfig.yaml
+```
+
+---
+
+## 🔄 Step 4: Watch Flux Reconcile the Release with NetAssert Tests
+
+Flux continuously monitors and applies Helm releases defined in your cluster.  
+To observe its behavior, list Helm releases managed by Flux:
+
+```bash
+kubectl get helmreleases
+```
+
+Flux will automatically pull your Helm chart from the registry and apply it.
+
+---
+
+### 🧩 What to Observe
+
+- The **init container** in your k8s deployment object intentionally delay completion.  
+- The **Netassert** job will not be created until the deployment finishes.  
+- Once the deployments completes, Netassert will start running as a Job, and once finished it is going to make the release marked as successful or failed.
+
+---
+
+## 🔁 Step 5: Demonstrate an Upgrade
+
+You can simulate a Helm chart upgrade to observe Flux’s automated update handling.
+
+1. **Update chart version** — bump your chart version.  
+2. **Repackage** the chart:
+
+   ```bash
+   helm package ./helm -d .
+   ```
+
+3. **Push** the new version to the registry:
+
+   ```bash
+   helm push ./fluxcd-demo-0.0.2-dev.tgz oci://localhost:5000/fluxcd/
+   ```
+
+4. **Watch** Flux detect and reconcile the new version:
+
+   ```bash
+   kubectl get helmreleases -w
+   ```
+
+You’ll see Flux automatically roll out the new chart and update your resources in place, and then run the NetAssert tests.

fluxcd-demo/fluxcd-helmconfig.yaml

@@ -0,0 +1,33 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: demo-repo
+  namespace: default
+spec:
+  type: "oci"
+  insecure: true
+  interval: 10s
+  url: oci://host.docker.internal:5000/fluxcd
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: demo-release
+  namespace: default
+spec:
+  interval: 10s
+  timeout: 5m
+  chart:
+    spec:
+      chart: fluxcd-demo
+      version: '0.0.x-dev'
+      sourceRef:
+        kind: HelmRepository
+        name: demo-repo
+      interval: 1m
+  releaseName: myhelmrelease
+  # valuesFrom:
+  #   - kind: ConfigMap
+  #     name: tests
+  #     valuesKey: test-cases.yaml
+  #     targetPath: testFile

fluxcd-demo/helm/Chart.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+description: fluxcd-demo
+name: fluxcd-demo
+version: 0.0.1-dev
+appVersion: 0.0.1-dev
+dependencies:
+- name: netassert
+  repository: oci://ghcr.io/controlplaneio/charts
+  version: <version>