ci: add fasit feature

nais · Nov 20, 2024 · 885060f · 885060f
1 parent 0d5577d
commit 885060f
Show file tree

Hide file tree

Showing 7 changed files with 273 additions and 2 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -18,12 +18,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4
       - name: Build
         run: cargo build --verbose
       - name: Run tests
         run: cargo test --verbose --features docker
-      - uses: nais/platform-build-push-sign@main
+      - uses: nais/platform-build-push-sign@main # ratchet:exclude
         id: build_push_sign
         with:
           name: texas
@@ -33,3 +33,50 @@ jobs:
           push_ghcr: true
           multi-platform: 'true'
           workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
+      - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # ratchet:azure/setup-helm@v4
+        name: 'Setup Helm'
+        with:
+          version: '3.16.3'
+      - name: Package chart
+        id: package_chart
+        env:
+          CHART_PATH: ./charts/texas
+        run: |
+          base_version="$(yq '.version' < "${{ env.CHART_PATH }}/Chart.yaml")"
+          chart_version="${base_version}-${{ steps.build_push_sign.outputs.version }}"
+
+          yq eval \
+            '.version="'"$chart_version"'"' \
+            "${{ env.CHART_PATH }}/Chart.yaml" --inplace
+          yq eval \
+            '.image.tag="${{ steps.build_push_sign.outputs.version }}"' \
+            "${{ env.CHART_PATH }}/values.yaml" --inplace
+
+          # helm dependency update "${{ env.CHART_PATH }}"
+          helm package "${{ env.CHART_PATH }}" --destination .
+
+          name=$(yq '.name' < "${{ env.CHART_PATH }}/Chart.yaml")
+          echo "name=$name" >> $GITHUB_OUTPUT
+          echo "version=$chart_version" >> $GITHUB_OUTPUT
+          echo "archive=$name-$chart_version.tgz" >> $GITHUB_OUTPUT
+      - name: Push Chart
+        run: |-
+          chart="${{ steps.package_chart.outputs.archive }}"
+          echo "Pushing: $chart"
+          helm push "$chart" oci://${{ env.GOOGLE_REGISTRY }}/nais-io/nais/feature
+        outputs:
+          chart_name: ${{ steps.package_chart.outputs.name }}
+          chart_version: ${{ steps.package_chart.outputs.version }}
+          chart_archive: ${{ steps.package_chart.outputs.archive }}
+  rollout:
+    name: Rollout
+    if: github.actor != 'dependabot[bot]' && github.ref == 'refs/heads/master'
+    needs: build
+    runs-on: fasit-deploy
+    permissions:
+      id-token: write
+    steps:
+      - uses: nais/fasit-deploy@v2 # ratchet:exclude
+        with:
+          chart: oci://${{ env.GOOGLE_REGISTRY }}/nais-io/nais/feature/${{ needs.build.outputs.chart_name }}
+          version: ${{ needs.build.outputs.chart_version }}
diff --git a/charts/texas/.helmignore b/charts/texas/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/texas/Chart.yaml b/charts/texas/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+description: Token exchange as a sidecar / service.
+name: texas
+type: application
+version: 1.0.0
+sources:
+  - https://github.com/nais/texas/tree/master/charts/texas
diff --git a/charts/texas/Feature.yaml b/charts/texas/Feature.yaml
@@ -0,0 +1,116 @@
+dependencies:
+  - allOf:
+      - aiven-operator
+      - aivenator
+      - replicator
+environmentKinds:
+  - tenant
+  - legacy
+timeout: "1800s"
+values:
+  aiven.project:
+    description: Aiven project for Redis.
+    computed:
+      template: '"{{ .Env.aiven_project }}"'
+  aiven.redisPlan:
+    description: Aiven plan for Redis.
+    required: true
+    config:
+      type: string
+  aiven.prometheusEndpointId:
+    description: Aiven Prometheus integration endpoint ID.
+    computed:
+      template: '"{{ .Env.aiven_prometheus_endpoint_id }}"'
+  azure.enabled:
+    description: Enable Azure AD. Requires Azurerator to be enabled.
+    config:
+      type: bool
+  azure.forwardAuth.enabled:
+    description: Enables forward auth server. Requires Azurerator and loadbalancer-fa to be enabled.
+    config:
+      type: bool
+  azure.forwardAuth.groupIds:
+    description: Additional group IDs to grant access to
+    config:
+      type: string_array
+  azure.forwardAuth.sessionCookieEncryptionKey:
+    description: Cookie encryption key, 256 bits (e.g. 32 ASCII characters) encoded with standard base64.
+    config:
+      type: string
+      secret: true
+  azure.forwardAuth.ssoDomain:
+    description: Cookie domain for forward auth
+    config:
+      type: string
+  azure.forwardAuth.ssoDefaultRedirectURL:
+    description: Default redirect URL for forward auth
+    config:
+      type: string
+  idporten.enabled:
+    description: Enable ID-porten. Requires Digdirator to be enabled.
+    config:
+      type: bool
+  idporten.legacyCookie:
+    description: Set legacy session cookie for logins.
+    config:
+      type: bool
+  idporten.openidResourceIndicator:
+    description: Resource indicator for audience-restricted tokens.
+    config:
+      type: string
+  idporten.openidPostLogoutRedirectURL:
+    description: Where to redirect the user after global logout.
+    config:
+      type: string
+  idporten.replicasMax:
+    description: Maximum replicas for SSO server.
+    config:
+      type: int
+  idporten.replicasMin:
+    description: Minimum replicas for SSO server.
+    config:
+      type: int
+  idporten.sessionCookieEncryptionKey:
+    description: Cookie encryption key, 256 bits (e.g. 32 ASCII characters) encoded with standard base64.
+    config:
+      type: string
+      secret: true
+  idporten.sessionCookieName:
+    description: Cookie name for SSO sessions.
+    config:
+      type: string
+  idporten.ssoDefaultRedirectURL:
+    description: Fallback URL for invalid SSO redirects.
+    config:
+      type: string
+  idporten.ssoDomain:
+    description: Allowed domain for SSO (for cookies, CORS and redirect URL validation).
+    config:
+      type: string
+  idporten.ssoServerHost:
+    description: Host for SSO server.
+    config:
+      type: string
+  idporten.ingressClassName:
+    description: Ingress class for SSO server.
+    config:
+      type: string
+  image.tag:
+    config:
+      type: string
+  openid.enabled:
+    description: Enable OpenID config.
+    config:
+      type: bool
+    ignoreKind:
+      - legacy
+  openid.wellKnownUrl:
+    description: Well-known URL to the identity provider.
+    config:
+      type: string
+    ignoreKind:
+      - legacy
+  resourceSuffix:
+    description: Suffix for resources that may conflict in parallel environments.
+    config:
+      type: string
diff --git a/charts/texas/templates/_helpers.tpl b/charts/texas/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "texas.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "texas.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "texas.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "texas.labels" -}}
+helm.sh/chart: {{ include "texas.chart" . }}
+{{ include "texas.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "texas.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "texas.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "texas.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "texas.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/charts/texas/templates/configmap.yaml b/charts/texas/templates/configmap.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "texas.fullname" . }}
+  labels:
+    {{- include "texas.labels" . | nindent 4 }}
+  annotations:
+    reloader.stakater.com/match: "true"
+data:
+  texas_image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
diff --git a/charts/texas/values.yaml b/charts/texas/values.yaml
@@ -0,0 +1,6 @@
+nameOverride: ""
+fullnameOverride: ""
+
+image:
+  repository: europe-north1-docker.pkg.dev/nais-io/nais/images/texas
+  tag: latest