From 9e4f3d92b9f9df301454eac5e1ece3d27fbdde59 Mon Sep 17 00:00:00 2001 From: Krzysztof G at nobl9 <106727629+kgreczka9@users.noreply.github.com> Date: Thu, 8 Sep 2022 09:58:02 +0200 Subject: [PATCH] SRE-862 Publish helm chart (#8) --- .github/workflows/lint.yaml | 34 -------- .github/workflows/release.yaml | 16 ++++ .github/workflows/test.yaml | 42 ++++++++++ README.md | 2 +- charts/nobl9-agent/Chart.yaml | 3 +- charts/nobl9-agent/README.md | 54 ++++++------- charts/nobl9-agent/templates/_helpers.tpl | 11 +++ charts/nobl9-agent/templates/deployment.yaml | 24 +++--- charts/nobl9-agent/templates/secret.yaml | 10 ++- charts/nobl9-agent/values.yaml | 81 +++++++++++++------- ct.yaml | 3 + 11 files changed, 175 insertions(+), 105 deletions(-) delete mode 100644 .github/workflows/lint.yaml create mode 100644 .github/workflows/release.yaml create mode 100644 .github/workflows/test.yaml create mode 100644 ct.yaml diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml deleted file mode 100644 index 4cde8fe..0000000 --- a/.github/workflows/lint.yaml +++ /dev/null @@ -1,34 +0,0 @@ -name: Lint chart - -on: push - -jobs: - lint-test: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: Set up Helm - uses: azure/setup-helm@v1 - with: - version: v3.9.0 - - # Python is required because `ct lint` runs Yamale (https://github.com/23andMe/Yamale) and - # yamllint (https://github.com/adrienverge/yamllint) which require Python - - name: Set up Python - uses: actions/setup-python@v2 - with: - python-version: 3.7 - - - name: Set up chart-testing - uses: helm/chart-testing-action@v2.1.0 - - - name: Run chart-testing (lint) - run: ct lint --all - - - name: Run kube-linter - uses: stackrox/kube-linter-action@v1.0.4 - with: - directory: charts diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml new file mode 100644 index 0000000..75214a7 --- /dev/null +++ b/.github/workflows/release.yaml 
@@ -0,0 +1,16 @@ +name: Release Charts +on: + release: + types: [published] + +jobs: + release: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v2 + - name: Publish Helm charts + uses: stefanprodan/helm-gh-pages@v1.4.1 + with: + token: ${{ secrets.CR_TOKEN }} + charts_dir: charts diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml new file mode 100644 index 0000000..61479c2 --- /dev/null +++ b/.github/workflows/test.yaml @@ -0,0 +1,42 @@ +name: Lint and Test Charts + +on: + push: + paths: + - 'charts/**' + +jobs: + lint-chart: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v1 + - name: Run chart-testing (lint) + uses: helm/chart-testing-action@main + with: + command: lint --all + config: ./ct.yaml + + install-chart: + name: install-chart + runs-on: ubuntu-latest + needs: + - lint-chart + strategy: + matrix: + k8s: + - v1.22.9 + - v1.23.6 + - v1.24.3 + steps: + - name: Checkout + uses: actions/checkout@v1 + - name: Create kind ${{ matrix.k8s }} cluster + uses: helm/kind-action@main + with: + node_image: kindest/node:${{ matrix.k8s }} + - name: Run chart-testing (install) + uses: helm/chart-testing-action@main + with: + command: install --all + config: ./ct.yaml diff --git a/README.md b/README.md index 293dbb8..94a0898 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ You can then run `helm search repo nobl9` to see the charts. More information on each chart can be found in the chart's README. ## Available Charts -- [Nobl9 Agent](https://github.com/nobl9/helm-charts/tree/main/charts/nobl9-agent). Some great description of what this is +- [Nobl9 Agent](https://github.com/nobl9/helm-charts/tree/main/charts/nobl9-agent) - Agent to retrieve SLI metrics from configured data sources and send the data back to the Nobl9 backend. ## License diff --git a/charts/nobl9-agent/Chart.yaml b/charts/nobl9-agent/Chart.yaml index c381b78..128e563 100644 --- a/charts/nobl9-agent/Chart.yaml 
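Review bot: In `.github/workflows/release.yaml`, the publish step passes `secrets.CR_TOKEN` to `stefanprodan/helm-gh-pages@v1.4.1`, a third-party action referenced by a tag its owner can move, so whatever code that tag points to at run time receives the token. Pin the action to a full commit SHA and keep the version as a trailing comment, e.g. `uses: stefanprodan/helm-gh-pages@<full-commit-sha> # v1.4.1`. The same applies with more force to `.github/workflows/test.yaml`, where `helm/chart-testing-action@main` and `helm/kind-action@main` follow a branch head and `actions/checkout@v1` is a moving major tag. The scope of `CR_TOKEN` is not visible here; if it is a personal access token, limiting it to this repository would narrow the exposure.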
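Review bot: `.github/workflows/test.yaml` declares no `permissions:` block, so both jobs run with whatever default `GITHUB_TOKEN` scope the repository or organization has configured, although linting and a kind install only need to read the checkout. A top-level `permissions:` with `contents: read` makes the workflow least-privilege regardless of that default. Separately, the deleted lint workflow ran `stackrox/kube-linter-action` against `charts`, and nothing in the new `lint-chart` job replaces it. If dropping that manifest security lint was not intended, it should be added back as a step.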
+++ b/charts/nobl9-agent/Chart.yaml @@ -8,4 +8,5 @@ sources: - https://github.com/nobl9/helm-charts/tree/main/charts/nobl9-agent maintainers: - name: nobl9 - email: sre-team@nobl9.com + email: support@nobl9.com + url: https://nobl9.com diff --git a/charts/nobl9-agent/README.md b/charts/nobl9-agent/README.md index fae3619..15aaede 100644 --- a/charts/nobl9-agent/README.md +++ b/charts/nobl9-agent/README.md @@ -10,7 +10,7 @@ Agent to retrieve SLI metrics from configured data sources and send the data bac | Name | Email | Url | | ---- | ------ | --- | -| nobl9 | | | +| nobl9 | | | ## Source Code 
@@ -20,31 +20,31 @@ Agent to retrieve SLI metrics from configured data sources and send the data bac | Key | Type | Default | Description | |-----|------|---------|-------------| -| config.authServer | string | `"auseg9kiegWKEtJZC416"` | | -| config.clientId | string | `""` | | -| config.clientSecret | string | `""` | | -| config.datasourceName | string | `""` | | -| config.intakeUrl | string | `"https://nobl9.com/api/input"` | | -| config.oktaOrgUrl | string | `"https://accounts.nobl9.com"` | | -| config.organization | string | `""` | | -| config.project | string | `"default"` | | -| dataSourceAuthMethod | string | `nil` | | -| dataSourceAuthNames | string | `nil` | | -| dataSourceAuthSecrets | string | `nil` | | -| deployment.annotations | object | `{}` | | -| deployment.image | string | `"nobl9/agent"` | | -| deployment.pullPolicy | string | `"Always"` | | -| deployment.version | string | `"0.48.0"` | | -| extraLabels | object | `{}` | | -| podLabels | object | `{}` | | -| resources.limits.cpu | string | `"1.0"` | | -| resources.limits.memory | string | `"1Gi"` | | -| resources.requests.cpu | string | `"0.1"` | | -| resources.requests.memory | string | `"350Mi"` | | -| securityContext.allowPrivilegeEscalation | bool | `false` | | -| securityContext.readOnlyRootFilesystem | bool | `true` | | -| securityContext.runAsNonRoot | bool | `true` | | -| securityContext.runAsUser | int | `2000` | | +| config.allowedUrls | string | `nil` | Populates N9_ALLOWED_URLS that limits the URLs which an Agent is able to query | +| config.authServer | string | `"auseg9kiegWKEtJZC416"` | Nobl9 Auth Server ID | +| config.clientId | string | `""` | Nobl9 Client ID, creates secret with this value, leave empty and use deployment.extraEnvs to load from existing Secret | +| config.clientSecret | string | `""` | Nobl9 Client secret, creates secret with this value, leave empty and use deployment.extraEnvs to load from existing Secret | +| config.datasourceName | string | `""` | Nobl9 Data 
Source name | +| config.intakeUrl | string | `"https://nobl9.com/api/input"` | Nobl9 API URL | +| config.oktaOrgUrl | string | `"https://accounts.nobl9.com"` | Nobl9 Okta Organization URL | +| config.organization | string | `""` | Nobl9 Organization name | +| config.project | string | `"default"` | Nobl9 Project name | +| deployment.annotations | object | `{}` | Custom annotations | +| deployment.extraEnvs | string | `nil` | Additional Envs | +| deployment.extraLabels | object | `{}` | Additional Labels | +| deployment.image | string | `"nobl9/agent"` | Image used by chart | +| deployment.pullPolicy | string | `"Always"` | Image Pull Policy | +| deployment.version | string | `"0.48.0"` | Agent version (image tag) | +| namespaceOverride | string | `nil` | Override the namespace | +| resources.limits.cpu | string | `"1.0"` | CPU limit | +| resources.limits.memory | string | `"1Gi"` | Memory limit | +| resources.requests.cpu | string | `"0.1"` | CPU request | +| resources.requests.memory | string | `"350Mi"` | Memory request | +| secret.extraData | string | `nil` | Extra stringData to be included in secret, use deployment.extraEnvs to load as deployment Envs | +| securityContext.allowPrivilegeEscalation | bool | `false` | Grants container a privileged status if set to true | +| securityContext.readOnlyRootFilesystem | bool | `true` | ReadOnly file system mode if set to true | +| securityContext.runAsNonRoot | bool | `true` | Runs the container as a root user if set to false | +| securityContext.runAsUser | int | `2000` | Runs the container with specified PID | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.10.0](https://github.com/norwoodj/helm-docs/releases/v1.10.0) +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/nobl9-agent/templates/_helpers.tpl b/charts/nobl9-agent/templates/_helpers.tpl index 2ab408b..6813e3f 100644 
--- a/charts/nobl9-agent/templates/_helpers.tpl +++ b/charts/nobl9-agent/templates/_helpers.tpl @@ -26,3 +26,14 @@ Create chart name and version as used by the chart label. {{- define "nobl9-agent.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "nobl9-agent.namespace" -}} + {{- if .Values.namespaceOverride -}} + {{- .Values.namespaceOverride -}} + {{- else -}} + {{- .Release.Namespace -}} + {{- end -}} +{{- end -}} diff --git a/charts/nobl9-agent/templates/deployment.yaml b/charts/nobl9-agent/templates/deployment.yaml index 44b233f..3e9ebf6 100644 --- a/charts/nobl9-agent/templates/deployment.yaml +++ b/charts/nobl9-agent/templates/deployment.yaml @@ -2,14 +2,14 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ template "nobl9-agent.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ template "nobl9-agent.namespace" . }} labels: helm.sh/chart: {{ template "nobl9-agent.chart" . }} app.kubernetes.io/name: {{ template "nobl9-agent.name" . }} app.kubernetes.io/managed-by: {{ .Release.Service | quote }} app.kubernetes.io/instance: {{ .Release.Name | quote }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - {{- with .Values.podLabels }} + {{- with .Values.deployment.extraLabels }} {{ toYaml . | nindent 4 }} {{- end }} spec: 
@@ -45,29 +45,22 @@ spec: imagePullPolicy: {{ .Values.deployment.pullPolicy }} {{- with .Values.resources }} resources: - {{ toYaml . | nindent 12 }} + {{- toYaml . | nindent 12 }} {{- end }} env: + {{- if .Values.config.clientId }} - name: N9_CLIENT_ID valueFrom: secretKeyRef: key: client_id name: {{ template "nobl9-agent.fullname" . }} + {{- end }} + {{- if .Values.config.clientSecret }} - name: N9_CLIENT_SECRET valueFrom: secretKeyRef: key: client_secret name: {{ template "nobl9-agent.fullname" . }} - {{- range $key, $value := .Values.dataSourceAuthMethod }} - - name: {{ $key }} - value: {{ $value }} - {{- end }} - {{- range $key, $value := .Values.dataSourceAuthName }} - - name: {{ $key }} - valueFrom: - secretKeyRef: - key: {{ $value }} - name: {{ template "nobl9-agent.fullname" $ }} {{- end }} - name: N9_INTAKE_URL value: {{ .Values.config.intakeUrl | quote }} @@ -75,7 +68,12 @@ spec: value: {{ .Values.config.authServer | quote }} - name: N9_OKTA_ORG_URL value: {{ .Values.config.oktaOrgUrl | quote }} + {{- if .Values.config.allowedUrls }} - name: N9_ALLOWED_URLS value: {{ .Values.config.allowedUrls | quote }} + {{- end }} + {{- with .Values.deployment.extraEnvs }} + {{- toYaml . | nindent 12 }} + {{- end }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} diff --git a/charts/nobl9-agent/templates/secret.yaml b/charts/nobl9-agent/templates/secret.yaml index 588a451..fc02602 100644 --- a/charts/nobl9-agent/templates/secret.yaml +++ b/charts/nobl9-agent/templates/secret.yaml @@ -1,8 +1,9 @@ +{{- if or (.Values.config.clientId) (.Values.config.clientSecret) (.Values.secret.extraData) }} apiVersion: v1 kind: Secret metadata: name: {{ template "nobl9-agent.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ template "nobl9-agent.namespace" . }} labels: helm.sh/chart: {{ template "nobl9-agent.chart" . }} app.kubernetes.io/name: {{ template "nobl9-agent.name" . }} 
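Review bot: In `templates/deployment.yaml`, `N9_CLIENT_ID` and `N9_CLIENT_SECRET` are now emitted only when `config.clientId` / `config.clientSecret` are non-empty, and nothing checks that `deployment.extraEnvs` supplies them instead. With the default values the chart therefore renders a Deployment that carries no credentials, which would presumably surface only when the agent starts. The reverse case is also unguarded: setting `config.clientId` and also listing `N9_CLIENT_ID` in `extraEnvs` produces two env entries with the same name. A template comment above the `env:` list would document the contract, e.g. `{{- /* N9_CLIENT_ID / N9_CLIENT_SECRET come either from config.* (chart-managed Secret) or from deployment.extraEnvs, never both */}}`. The container spec begins and continues outside this hunk.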
@@ -11,8 +12,13 @@ metadata: app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} type: Opaque stringData: + {{- if .Values.config.clientId }} client_id: {{ .Values.config.clientId | quote }} + {{- end }} + {{- if .Values.config.clientSecret }} client_secret: {{ .Values.config.clientSecret | quote }} - {{- range $key, $value := .Values.dataSourceAuthSecrets }} + {{- end }} + {{- range $key, $value := .Values.secret.extraData }} {{ $key }}: {{ $value | quote }} {{- end }} +{{- end }} diff --git a/charts/nobl9-agent/values.yaml b/charts/nobl9-agent/values.yaml index 0e887a8..f146108 100644 --- a/charts/nobl9-agent/values.yaml +++ b/charts/nobl9-agent/values.yaml 
@@ -1,56 +1,83 @@ +# -- Override the namespace +namespaceOverride: + deployment: + # -- Image used by chart image: "nobl9/agent" + # -- Agent version (image tag) version: "0.48.0" + # -- Image Pull Policy pullPolicy: Always + # -- Additional Envs + extraEnvs: + # - name: API_KEY + # value: my-api-key + # - name: splunk_api_token + # valueFrom: + # secretKeyRef: + # key: my-existing-secret-key + # name: my-existing-secret + # - name: N9_CLIENT_ID + # valueFrom: + # secretKeyRef: + # key: client_id + # name: my-existing-secret + # - name: N9_CLIENT_SECRET + # valueFrom: + # secretKeyRef: + # key: client_secret + # name: my-existing-secret + # -- Custom annotations annotations: {} + # -- Additional Labels + extraLabels: {} + +secret: + # -- Extra stringData to be included in secret, use deployment.extraEnvs to load as deployment Envs + extraData: + # splunk_api_token: my-api-token resources: - limits: - cpu: "1.0" - memory: "1Gi" requests: + # -- CPU request cpu: "0.1" + # -- Memory request memory: "350Mi" + limits: + # -- CPU limit + cpu: "1.0" + # -- Memory limit + memory: "1Gi" -## Security context securityContext: + # -- Grants container a privileged status if set to true allowPrivilegeEscalation: false + # -- ReadOnly file system mode if set to true readOnlyRootFilesystem: true + # -- Runs the container as a root user if set to false runAsNonRoot: true + # -- Runs the container with specified PID runAsUser: 2000 -## Authentification method environment variable required by some data sources -dataSourceAuthMethod: -# AUTH_METHOD: api_token - -## Name of the secrets environment variables for authentification required by data source as NAME: key -dataSourceAuthNames: -# API_TOKEN: instana_api_token - -## Secrets for authentification required by data source as key: value -dataSourceAuthSecrets: -# instana_api_token: abcd1234!@#$ - -## Navigate to the Integrations tab in Nobl9 UI to obtain below values config: + # -- Nobl9 Project name project: "default" + # -- Nobl9 
Organization name organization: "" + # -- Nobl9 Data Source name datasourceName: "" + # -- Nobl9 Client ID, creates secret with this value, leave empty and use deployment.extraEnvs to load from existing Secret clientId: "" + # -- Nobl9 Client secret, creates secret with this value, leave empty and use deployment.extraEnvs to load from existing Secret clientSecret: "" - ## Values below should not be changed while working Nobl9 backend + # -- Nobl9 API URL intakeUrl: "https://nobl9.com/api/input" + # -- Nobl9 Auth Server ID authServer: "auseg9kiegWKEtJZC416" + # -- Nobl9 Okta Organization URL oktaOrgUrl: "https://accounts.nobl9.com" - ## N9_ALLOWED_URLS is an optional safety parameter that limits the URLs that an Agent is able to query - ## for metrics. URLs defined in the Nobl9 app are prefix-compared against the N9_ALLOWED_URLS list of - ## comma separated URLs. - # allowedUrls: - -## Apply additional container labels -extraLabels: {} + # -- Populates N9_ALLOWED_URLS that limits the URLs which an Agent is able to query + allowedUrls: -## Pod Labels -podLabels: {} diff --git a/ct.yaml b/ct.yaml new file mode 100644 index 0000000..3a90e7a --- /dev/null +++ b/ct.yaml @@ -0,0 +1,3 @@ +chart-dirs: + - charts +helm-extra-args: --timeout 600s
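Review bot: In `charts/nobl9-agent/values.yaml`, two of the new `securityContext` comments describe the settings inaccurately, and helm-docs copies them into the README table. `allowPrivilegeEscalation` does not grant "privileged status"; it controls whether a process may gain more privileges than its parent, so `# -- Allows a process to gain more privileges than its parent if set to true` is closer. `runAsUser` sets a user ID, not a PID: `# -- UID the container process runs as`. The new `allowedUrls` comment also drops the earlier explanation that the value is a comma-separated list against which data source URLs are prefix-compared, which an operator needs to fill it in correctly.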