Skip to content

Commit

Permalink
Added staging helm chart (#485)
Browse files Browse the repository at this point in the history 
* added staging helm chart and added action to update them on release

* reverted main chart and updated releasing.md

* fixed revert version

* updated the staging chart version
  • Loading branch information
@abheda-crest
abheda-crest authored Feb 11, 2025
1 parent 624625e commit 4759a9a
Show file tree
Hide file tree
Showing 9 changed files with 402 additions and 0 deletions.
173 changes: 173 additions & 0 deletions .github/workflows/bump-chart-versions.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,173 @@
name: Bump Helm Charts Versions

on:
pull_request:
types:
- closed # Trigger when the PR is closed (merged or declined)
branches:
- main # When merged branch is main

jobs:
bump_charts_version:
runs-on: ubuntu-latest

permissions:
contents: write
pull-requests: write

# Skip the job if the PR source branch does not start with 'release-'
if: github.event.pull_request.merged == true && startsWith(github.event.pull_request.head.ref, 'release-')

steps:
- name: Checkout repository
uses: actions/checkout@v3

- name: Extract latest version
run: |
# Extract the version from the branch name (e.g., release-1.2.3)
VERSION=$(echo "${{ github.event.pull_request.head.ref }}" | sed -E 's/^release-([0-9]+\.[0-9]+\.[0-9]+)$/\1/')
# Check if the version matches the expected format
if [[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "The PR was merged from a release branch with version: $VERSION"
echo "VERSION=$VERSION" >> $GITHUB_ENV
else
echo "Invalid branch name format. The release branch must match 'release-X.X.X'."
exit 1
fi
- name: Validate version
run: |
if [[ -z "$VERSION" ]]; then
echo "Error: Version not found. Branch should follow 'release-<version>' pattern."
exit 1
fi
- name: Fetch tags
run: git fetch --tags

- name: Get second last release versions
id: second_last_release_version
run: |
# Extract Second last release TAG for update in Main Helm Chart
SECOND_LAST_RELEASE_TAG=$(git tag -l --sort=-creatordate | head -n 2 | tail -n 1)
SECOND_LAST_RELEASE_TAG=$(echo "$SECOND_LAST_RELEASE_TAG" | sed 's/^v//')
echo "Second last release version: $SECOND_LAST_RELEASE_TAG"
echo "SECOND_LAST_RELEASE_TAG=$SECOND_LAST_RELEASE_TAG" >> $GITHUB_ENV
- name: Install yq
run: |
# Install yq to parse YAML files
wget https://github.com/mikefarah/yq/releases/download/v4.16.1/yq_linux_amd64 -O /usr/local/bin/yq
chmod +x /usr/local/bin/yq
- name: Set up Git user identity
run: |
git config --global user.name "GitHub Actions"
git config --global user.email "github-actions[bot]@users.noreply.github.com"
- name: Update main helm chart with second last version
run: |
# Update the version in the /charts/secrets-store-csi-driver-provider-gcp/Chart.yaml file
VERSION_TO_UPDATE=$SECOND_LAST_RELEASE_TAG
if [[ -z "$SECOND_LAST_RELEASE_TAG" ]]; then
echo "No last release tag found. Skipping version update."
else
VERSION_TO_UPDATE=$SECOND_LAST_RELEASE_TAG
fi
echo "Updating /charts/secrets-store-csi-driver-provider-gcp/Chart.yaml with version $VERSION_TO_UPDATE"
yq e ".appVersion = \"$VERSION_TO_UPDATE\"" -i charts/secrets-store-csi-driver-provider-gcp/Chart.yaml
git add charts/secrets-store-csi-driver-provider-gcp/Chart.yaml
git commit -m "Update Chart.yaml with version $VERSION_TO_UPDATE"
git push
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Update staging helm chart with latest version
run: |
# Update the version in the manifest_staging/charts/secrets-store-csi-driver-provider-gcp/Chart.yaml file
LAST_VERSION_TO_UPDATE=$VERSION
if [[ -z "$VERSION" ]]; then
echo "No last release tag found. Skipping version update."
else
LAST_VERSION_TO_UPDATE=$VERSION
fi
echo "Updating manifest_staging/charts/secrets-store-csi-driver-provider-gcp/Chart.yaml with version $LAST_VERSION_TO_UPDATE"
yq e ".appVersion = \"$LAST_VERSION_TO_UPDATE\"" -i manifest_staging/charts/secrets-store-csi-driver-provider-gcp/Chart.yaml
git add manifest_staging/charts/secrets-store-csi-driver-provider-gcp/Chart.yaml
git commit -m "Update Staging Chart.yaml with version $LAST_VERSION_TO_UPDATE"
git push
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Extract latest release image digest
id: extract_latest_digest
run: |
# Extract the image digest from the `deploy/provider-gcp-plugin.yaml` file
IMAGE_PATH=$(yq e '.spec.template.spec.containers[].image' deploy/provider-gcp-plugin.yaml)
echo "Docker image with digest: $IMAGE_PATH"
# Split the IMAGE_PATH to extract the digest part
# Example image format: 'gcr.io/my-project/my-image@sha256:<digest>'
DIGEST=$(echo $IMAGE_PATH | awk -F'@' '{print $2}')
echo "Extracted digest: $DIGEST"
# Save the digest to an environment variable
echo "DIGEST=$DIGEST" >> $GITHUB_ENV
- name: Extract second last release image digest
id: extract_second_last_digest
run: |
# Extracting last release image from staging chart as it should be pointing to last/latest release
file_path="manifest_staging/charts/secrets-store-csi-driver-provider-gcp/values.yaml"
image_hash=$(yq e '.image.hash' "$file_path" | xargs)
if [[ -z "$image_hash" ]]; then
echo "Invalid/Empty digest found: $image_hash"
exit 1
fi
echo "Extracted second last release digest: $image_hash"
# Export the digest as an environment variable
echo "SECOND_LAST_RELEASE_DIGEST=$image_hash" >> $GITHUB_ENV
- name: Update Main Helm Chart with Last Image digest value
run: |
# Ensure the SECOND_LAST_RELEASE_DIGEST environment variable is set
if [ -z "$SECOND_LAST_RELEASE_DIGEST" ]; then
echo "SECOND_LAST_RELEASE_DIGEST environment variable is not set"
exit 1
fi
# Use yq to update the image.hash field in values.yaml with the DIGEST value
yq eval ".image.hash = \"$SECOND_LAST_RELEASE_DIGEST\"" -i charts/secrets-store-csi-driver-provider-gcp/values.yaml
git add charts/secrets-store-csi-driver-provider-gcp/values.yaml
git commit -m "Update Chart.yaml with DIGEST $SECOND_LAST_RELEASE_DIGEST"
git push
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Update Staging Helm Chart with New Image digest value
run: |
# Ensure the DIGEST environment variable is set
if [ -z "$DIGEST" ]; then
echo "DIGEST environment variable is not set"
exit 1
fi
# Use yq to update the image.hash field in values.yaml with the DIGEST value
yq eval ".image.hash = \"$DIGEST\"" -i manifest_staging/charts/secrets-store-csi-driver-provider-gcp/values.yaml
git add manifest_staging/charts/secrets-store-csi-driver-provider-gcp/values.yaml
git commit -m "Update manifest_staging value.yaml with DIGEST $DIGEST"
git push
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
1 change: 1 addition & 0 deletions docs/releasing.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ Notes on building a release.
5. Manually test release image
6. Tag the commit from step 4 as `vX.X.X` by creating a new release
7. Merge changes from `release-X.X` into `main`
8. After the changes are merged, ensure the latest tag is updated for the `manifest_staging` Helm chart, along with the main Helm chart being updated with the previous release tag, once the `Bump Helm Charts Versions` job is completed.

## Release template

Expand Down
6 changes: 6 additions & 0 deletions manifest_staging/charts/secrets-store-csi-driver-provider-gcp/Chart.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
apiVersion: v2
name: secrets-store-csi-driver-provider-gcp
description: A Helm chart to install Google Secret Manager Provider for Secret Store CSI Driver inside a Kubernetes cluster.
type: application
version: 0.1.0
appVersion: "1.7.0"
60 changes: 60 additions & 0 deletions manifest_staging/charts/secrets-store-csi-driver-provider-gcp/templates/_helpers.tpl
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "secrets-store-csi-driver-provider-gcp.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "secrets-store-csi-driver-provider-gcp.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
Common labels
*/}}
{{- define "secrets-store-csi-driver-provider-gcp.labels" -}}
helm.sh/chart: {{ include "secrets-store-csi-driver-provider-gcp.chart" . }}
{{ include "secrets-store-csi-driver-provider-gcp.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}

{{/*
Selector labels
*/}}
{{- define "secrets-store-csi-driver-provider-gcp.selectorLabels" -}}
app: {{ default "default" .Values.app }}
{{- end }}

{{/*
Create the name of the service account to use
*/}}
{{- define "secrets-store-csi-driver-provider-gcp.serviceAccountName" -}}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}

{{/*
Create the name of the daemon set to use
*/}}
{{- define "secrets-store-csi-driver-provider-gcp.daemonSetName" -}}
{{- default "default" .Values.app }}
{{- end }}

{{/*
Create the name of the cluster role to use
*/}}
{{- define "secrets-store-csi-driver-provider-gcp.clusterRoleName" -}}
{{- .Chart.Name }}-role
{{- end }}

{{/*
Create the name of the cluster role binding to use
*/}}
{{- define "secrets-store-csi-driver-provider-gcp.clusterRoleBindingName" -}}
{{- .Chart.Name }}-rolebinding
{{- end }}
19 changes: 19 additions & 0 deletions manifest_staging/charts/secrets-store-csi-driver-provider-gcp/templates/clusterrole.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "secrets-store-csi-driver-provider-gcp.clusterRoleName" . }}
labels:
{{- include "secrets-store-csi-driver-provider-gcp.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- serviceaccounts/token
verbs:
- create
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- get
14 changes: 14 additions & 0 deletions ...st_staging/charts/secrets-store-csi-driver-provider-gcp/templates/clusterrolebinding.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "secrets-store-csi-driver-provider-gcp.clusterRoleBindingName" . }}
labels:
{{- include "secrets-store-csi-driver-provider-gcp.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "secrets-store-csi-driver-provider-gcp.clusterRoleName" . }}
subjects:
- kind: ServiceAccount
name: {{ include "secrets-store-csi-driver-provider-gcp.serviceAccountName" . }}
namespace: kube-system
87 changes: 87 additions & 0 deletions manifest_staging/charts/secrets-store-csi-driver-provider-gcp/templates/daemonset.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,87 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ include "secrets-store-csi-driver-provider-gcp.daemonSetName" . }}
namespace: kube-system
labels:
{{- include "secrets-store-csi-driver-provider-gcp.labels" . | nindent 4 }}
spec:
updateStrategy:
type: RollingUpdate
selector:
matchLabels:
{{- include "secrets-store-csi-driver-provider-gcp.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "secrets-store-csi-driver-provider-gcp.selectorLabels" . | nindent 8 }}
spec:
serviceAccountName: {{ include "secrets-store-csi-driver-provider-gcp.serviceAccountName" . }}
initContainers:
- name: chown-provider-mount
image: busybox
command:
- chown
- "1000:1000"
- /etc/kubernetes/secrets-store-csi-providers
volumeMounts:
- mountPath: "/etc/kubernetes/secrets-store-csi-providers"
name: providervol
hostNetwork: false
hostPID: false
hostIPC: false
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
containers:
- name: provider
image: "{{ .Values.image.repository }}@{{ .Values.image.hash }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
resources:
{{- toYaml .Values.resources | nindent 12 }}
env:
- name: TARGET_DIR
value: "/etc/kubernetes/secrets-store-csi-providers"
volumeMounts:
- mountPath: "/etc/kubernetes/secrets-store-csi-providers"
name: providervol
mountPropagation: None
readOnly: false
livenessProbe:
failureThreshold: 3
httpGet:
path: /live
port: 8095
initialDelaySeconds: 5
timeoutSeconds: 10
periodSeconds: 30
volumes:
- name: providervol
hostPath:
path: /etc/kubernetes/secrets-store-csi-providers
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
11 changes: 11 additions & 0 deletions manifest_staging/charts/secrets-store-csi-driver-provider-gcp/templates/serviceaccount.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "secrets-store-csi-driver-provider-gcp.serviceAccountName" . }}
namespace: kube-system
labels:
{{- include "secrets-store-csi-driver-provider-gcp.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
Loading

0 comments on commit 4759a9a

Please sign in to comment.