Skyscanner · maruina · May 31, 2022 · May 30, 2022 · May 30, 2022 · May 30, 2022
@@ -10,6 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     env:
       IMG: skyscanner/kms-issuer:dev
+      CERT_MANAGER_VERSION: v1.8.0
     steps:
       - uses: actions/[email protected]
 
@@ -36,7 +37,7 @@ jobs:
         run: kubectl wait --for=condition=Ready -l app=local-kms -n local-kms pod
 
       - name: Install cert-manager
-        run: kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.0/cert-manager.yaml
+        run: kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/${CERT_MANAGER_VERSION}/cert-manager.yaml
 
       - name: Install kms-issuer CRDs
         run: make install

@@ -0,0 +1,82 @@
+name: Helm Chart Tests
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  test-build:
+    name: test-helm-chart
+    runs-on: ubuntu-latest
+    env:
+      IMG: skyscanner/kms-issuer:dev
+      CERT_MANAGER_VERSION: v1.8.0
+
+    steps:
+      - name: Checkout
+        uses: actions/[email protected]
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-go@v3
+        with:
+          go-version: 1.17
+
+      - name: Set up Helm
+        uses: azure/[email protected]
+        with:
+          version: v3.5.2
+
+      # Python is required because `ct lint` runs Yamale (https://github.com/23andMe/Yamale) and
+      # yamllint (https://github.com/adrienverge/yamllint) which require Python
+      - uses: actions/[email protected]
+        with:
+          python-version: '3.x'
+
+      - name: Set up chart-testing
+        uses: helm/[email protected]
+        with:
+          version: v3.6.0
+
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          changed=$(ct list-changed --config ct.yaml)
+          if [[ -n "$changed" ]]; then
+            echo "::set-output name=changed::true"
+          fi
+
+      - name: Run chart-testing (lint)
+        run: ct lint --config ct.yaml
+        if: steps.list-changed.outputs.changed == 'true'
+
+      - name: Create k8s Kind Cluster
+        uses: helm/[email protected]
+        with:
+          cluster_name: kind
+        if: steps.list-changed.outputs.changed == 'true'
+
+      - name: Install cert-manager
+        run: kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/${CERT_MANAGER_VERSION}/cert-manager.yaml
+        if: steps.list-changed.outputs.changed == 'true'
+
+      - name: Build the testing kms-issuer docker image
+        run: docker build -t ${IMG} .
+        if: steps.list-changed.outputs.changed == 'true'
+
+      - name: Load test docker image into the kind cluster
+        run: kind load docker-image ${IMG}
+        if: steps.list-changed.outputs.changed == 'true'
+
+      - name: Run chart-testing (install)
+        run: ct install --config ct.yaml --helm-extra-set-args "--set=img.repository=${REPOSITORY},--set=img.tag=${TAG}"
+        if: steps.list-changed.outputs.changed == 'true'
+
+  helm-docs:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/[email protected]
+
+      - name: Run helm-docs
+        uses: docker://jnorwood/helm-docs:v1.10.0
@@ -0,0 +1,17 @@
+name: Release artifacts
+
+on:
+  push:
+    tags:
+      - "*"
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/[email protected]
+
+      - name: Publish Helm charts
+        uses: stefanprodan/helm-gh-pages@master
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
@@ -24,3 +24,4 @@ testbin/*
 *.swo
 *~
 .vscode
+ct_previous*
@@ -42,6 +42,7 @@ help: ## Display this help.
 .PHONY: manifests
 manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
 	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=charts/kms-issuer/crds
 
 .PHONY: generate
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.

@@ -11,6 +11,28 @@ In this guide, we assume that you have a [Kubernetes](https://kubernetes.io/) en
 
 For any details on Cert-Manager, check the [official documentation](https://cert-manager.io/docs/usage/).
 
+## Install
+
+You can install the controller using the official helm chart:
+
+```console
+helm repo add kms-issuer 'https://skyscanner.github.io/kms-issuer'
+helm repo update
+```
+
+To install the chart with the release name `kmsrelease`:
+
+```console
+    # Create the infrabin namespace:
+
+    kubectl create namespace kms-issuer-system
+
+    Run helm install:
+
+    helm upgrade --install kmsrelease kms-issuer/kms-issuer \
+    --namespace kms-issuer-system
+```console
+
 ### Usage
 
 1. Install [cert-manager](https://cert-manager.io/docs/installation/). The operator has been tested with version v0.15.1

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
@@ -0,0 +1,31 @@
+apiVersion: v2
+name: kms-issuer
+description: A Helm chart to install kms-issuer
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 1.0.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "v2.0.0"
+
+keywords:
+  - cert-manager
+  - kubernetes
+  - kms
+maintainers:
+  - name: maruina
@@ -0,0 +1,41 @@
+# kms-issuer
+
+![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.0.0](https://img.shields.io/badge/AppVersion-v2.0.0-informational?style=flat-square)
+
+A Helm chart to install kms-issuer
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` |  |
+| args.enableApprovedCheck | bool | `true` | Enable waiting for CertificateRequests to have an approved condition before signing |
+| args.healthProbeBindAddress | string | `":8081"` | The address the probe endpoint binds to |
+| args.leaderElect | bool | `true` | Enable leader election for controller manager. |
+| args.localAwsEndpoint | string | `""` | The address of a local-kms endpoint for testing |
+| args.metricsBindAddress | string | `":8080"` | The address the metric endpoint binds to. |
+| certManagerApprovalRBAC.enable | bool | `true` | Enable a ClusterRoleBinding for cert-manager to approve CSR |
+| certManagerApprovalRBAC.namespace | string | `"cert-manager"` | The namespace where cert-manager service account is deployed |
+| certManagerApprovalRBAC.serviceAccountName | string | `"cert-manager"` | The service account name that cert-manager is using |
+| enableMetricsRbacProxy | bool | `false` | Enable an RBAC proxy to protect the metrics endpoint |
+| env[0] | object | `{"name":"AWS_REGION","value":""}` | The AWS region the controller is deployed to |
+| fullnameOverride | string | `""` |  |
+| image.pullPolicy | string | `"IfNotPresent"` |  |
+| image.repository | string | `"ghcr.io/skyscanner/kms-issuer"` |  |
+| image.tag | string | `""` |  |
+| imagePullSecrets | list | `[]` |  |
+| nameOverride | string | `""` |  |
+| nodeSelector | object | `{}` |  |
+| podAnnotations | object | `{}` |  |
+| podDisruptionBudget.enable | bool | `false` |  |
+| podDisruptionBudget.maxUnavailable | string | `""` |  |
+| podDisruptionBudget.minAvailable | int | `1` |  |
+| replicaCount | int | `1` |  |
+| resources | object | `{}` |  |
+| serviceAccount.annotations | object | `{}` |  |
+| serviceAccount.create | bool | `true` |  |
+| serviceAccount.name | string | `""` |  |
+| tolerations | list | `[]` |  |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.10.0](https://github.com/norwoodj/helm-docs/releases/v1.10.0)
@@ -0,0 +1,9 @@
+# {{ template "chart.name" . }}
+
+{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
+
+{{ template "chart.description" . }}
+
+{{ template "chart.valuesSection" . }}
+
+{{ template "helm-docs.versionFooter" . }}
@@ -0,0 +1,11 @@
+# Keep in sync with the IMG variable in .github/workflows/helm.yml
+image:
+  repository: skyscanner/kms-issuer
+  tag: dev
+
+env:
+  - name: AWS_REGION
+    value: test-region
+
+podDisruptionBudget:
+  enable: true
@@ -0,0 +1,6 @@
+# Keep in sync with the IMG variable in .github/workflows/helm.yml
+image:
+  repository: skyscanner/kms-issuer
+  tag: dev
+
+replicaCount: 2
@@ -0,0 +1,6 @@
+# Keep in sync with the IMG variable in .github/workflows/helm.yml
+image:
+  repository: skyscanner/kms-issuer
+  tag: dev
+
+enableMetricsRbacProxy: true
-Original file line number
+Diff line change
@@ Expand Up / @@ -24,3 +24,4 @@ testbin/* @@
     *.swo
     *~
     .vscode
+    ct_previous*