Initial commit

.github/linters/.checkov.yaml

@@ -0,0 +1,12 @@
+---
+compact: true
+directory:
+  - .
+skip-path:
+  - tests
+skip-check:
+  - CKV_K8S_49 # Minimize wildcard use in Roles and ClusterRoles
+  - CKV_K8S_155 # Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations
+  - CKV_K8S_156 # Minimize ClusterRoles that grant permissions to approve CertificateSigningRequests
+  - CKV_K8S_157 # Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings
+  - CKV_K8S_158 # Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles

.github/linters/.jscpd.json

@@ -0,0 +1,10 @@
+{
+    "ignore": [
+        "templates/plumbing/applications.yaml",
+        "templates/imperative/_helpers.tpl",
+        "templates/core/subscriptions.yaml",
+        "templates/core/namespaces.yaml",
+        "templates/core/nodes.yaml",
+        "templates/_helpers.tpl"
+    ]
+}

.github/linters/.textlintrc

@@ -0,0 +1,10 @@
+{
+  "rules": {
+    "terminology": {
+      // Excludes terms
+      "exclude": [
+        "URL"
+        ]
+    }
+  }
+}

.github/workflows/helm-lint.yml

@@ -0,0 +1,29 @@
+---
+name: Helm lint
+
+#
+# Documentation:
+# https://help.github.com/en/articles/workflow-syntax-for-github-actions
+#
+
+permissions: read-all
+
+on: [push, pull_request]
+
+jobs:
+  build:
+    name: Run helm lint over the chart
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Setup helm
+        uses: azure/setup-helm@v4
+        with:
+          version: 'v3.14.0'
+
+      - name: Run make helmlint
+        run: |
+          make helm-lint

.github/workflows/helm-unittest.yml

@@ -0,0 +1,25 @@
+---
+name: Helm Unit Test
+
+#
+# Documentation:
+# https://help.github.com/en/articles/workflow-syntax-for-github-actions
+#
+
+permissions: read-all
+
+on: [push, pull_request]
+
+jobs:
+  build:
+    name: Run helm lint over the chart
+    # It has to be 24.04 because -latest has a podman version that is too old
+    runs-on: ubuntu-24.04
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Run make helmlint
+        run: |
+          make helm-unittest

.github/workflows/jsonschema.yaml

@@ -0,0 +1,31 @@
+---
+name: Verify json schema
+on: [push, pull_request]
+
+permissions: read-all
+
+jobs:
+  jsonschema_tests:
+    name: Json Schema tests
+    strategy:
+      matrix:
+        python-version: [3.11.3]
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install check-jsonschema
+
+      - name: Verify ClusterGroup values.schema.json
+        run: |
+          check-jsonschema --schemafile ./values.schema.json "values.yaml"

.github/workflows/superlinter.yml

@@ -0,0 +1,36 @@
+---
+name: Super linter
+
+on: [push, pull_request]
+permissions: read-all
+
+jobs:
+  build:
+    # Name the Job
+    name: Super linter
+    # Set the agent to run on
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          # Full git history is needed to get a proper list of changed files within `super-linter`
+          fetch-depth: 0
+
+      ################################
+      # Run Linter against code base #
+      ################################
+      - name: Lint Code Base
+        uses: super-linter/super-linter/slim@v7
+        env:
+          VALIDATE_ALL_CODEBASE: true
+          DEFAULT_BRANCH: main
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # These are the validation we disable atm
+          VALIDATE_JSON_PRETTIER: false
+          VALIDATE_KUBERNETES_KUBECONFORM: false
+          VALIDATE_MARKDOWN: false
+          VALIDATE_MARKDOWN_PRETTIER: false
+          VALIDATE_YAML: false
+          VALIDATE_YAML_PRETTIER: false

.github/workflows/update-helm-repo.yml

@@ -0,0 +1,30 @@
+# This invokes the workflow named 'publish-charts' in the umbrella repo
+# It expects to have a secret called CHARTS_REPOS_TOKEN which contains
+# the GitHub token that has permissions to invoke workflows and commit code
+# inside the umbrella-repo.
+# The following fine-grained permissions were used in testing and were limited
+# to the umbrella repo only:
+# - Actions: r/w
+# - Commit statuses: r/w
+# - Contents: r/w
+# - Deployments: r/w
+# - Pages: r/w
+#
+
+name: vp-patterns/update-helm-repo
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+
+jobs:
+  helmlint:
+    uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@985ba37e0eb50b1b35ec194fc999eae2d0ae1486
+    permissions:
+      contents: read
+
+  update-helm-repo:
+    needs: [helmlint]
+    uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@985ba37e0eb50b1b35ec194fc999eae2d0ae1486
+    permissions: read-all
+    secrets: inherit

Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+description: A Helm chart to configure ansible-automation-platform
+keywords:
+- pattern
+name: ansible-automation-platform
+version: 0.1.0
+dependencies: