From 964231c369723742e3a4b381e9d1a6b9aae670c7 Mon Sep 17 00:00:00 2001 From: Fyodor Doletov Date: Tue, 11 Nov 2025 03:50:36 +0300 Subject: [PATCH] init --- .gitea/workflows/build.yaml | 16 ++++++ Chart.yaml | 5 ++ templates/_helpers.tpl | 26 +++++++++ templates/cm-env.yaml | 12 +++++ templates/deployment.yaml | 85 +++++++++++++++++++++++++++++ templates/dockerconfig.yaml | 18 +++++++ templates/pvc.yaml | 14 +++++ templates/secret-env.yaml | 19 +++++++ templates/service.yaml | 18 +++++++ templates/vault-auth.yaml | 16 ++++++ values.yaml | 104 ++++++++++++++++++++++++++++++++++++ 11 files changed, 333 insertions(+) create mode 100644 .gitea/workflows/build.yaml create mode 100644 Chart.yaml create mode 100644 templates/_helpers.tpl create mode 100644 templates/cm-env.yaml create mode 100644 templates/deployment.yaml create mode 100644 templates/dockerconfig.yaml create mode 100644 templates/pvc.yaml create mode 100644 templates/secret-env.yaml create mode 100644 templates/service.yaml create mode 100644 templates/vault-auth.yaml create mode 100644 values.yaml
diff --git a/.gitea/workflows/build.yaml b/.gitea/workflows/build.yaml
new file mode 100644
index 0000000..7f2bc98
--- /dev/null
+++ b/.gitea/workflows/build.yaml
@@ -0,0 +1,16 @@
+name: Publish Helm Chart
+on:
+ push:
+ tags:
+ - '*'
+ workflow_dispatch: { }
+
+jobs:
+ publish:
+ name: Build and publish Helm chart
+ uses: public/ci-templates/.gitea/workflows/helm_chart_publish.yaml@v1
+ with:
+ registry_user: ${{ vars.REGISTRY_USER }}
+ secrets:
+ registry_access_token: ${{ secrets.REGISTRY_ACCESS_TOKEN }}
+
diff --git a/Chart.yaml b/Chart.yaml
new file mode 100644
index 0000000..9479e84
--- /dev/null
+++ b/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v2
+name: generic
+description: generic Helm chart
+type: application
+version: 1.0.0
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
new file mode 100644
index 0000000..299089d
--- /dev/null
+++ b/templates/_helpers.tpl
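Review bot: The reusable workflow at `uses: public/ci-templates/.gitea/workflows/helm_chart_publish.yaml@v1` is referenced by a mutable tag, and it receives `secrets.REGISTRY_ACCESS_TOKEN`, so anyone who can move `v1` in `public/ci-templates` can read the registry token or publish a tampered chart under this repo's name. Pin the reference to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: public/ci-templates/.gitea/workflows/helm_chart_publish.yaml@<full-commit-sha> # v1`, and bump it deliberately. The `tags: ['*']` trigger publishes on any tag push; that is acceptable only if tag creation is restricted to maintainers, so state that assumption in a comment above `on:`.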
@@ -0,0 +1,26 @@
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "template.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "template.labels" -}}
+helm.sh/chart: {{ include "template.chart" . }}
+{{ include "template.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "template.selectorLabels" -}}
+app.kubernetes.io/name: {{ .Values.name }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
diff --git a/templates/cm-env.yaml b/templates/cm-env.yaml
new file mode 100644
index 0000000..b37bb16
--- /dev/null
+++ b/templates/cm-env.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.env }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Values.name }}-env
+ annotations:
+ reloader.stakater.com/match: "true"
+data:
+{{- range $k, $v := .Values.env }}
+ {{- $k | nindent 2 }}: {{ $v | quote }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/templates/deployment.yaml b/templates/deployment.yaml
new file mode 100644
index 0000000..8aaa792
--- /dev/null
+++ b/templates/deployment.yaml
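Review bot: `app.kubernetes.io/name: {{ .Values.name }}` in `template.selectorLabels` renders the value unquoted, so a name that YAML types as a number or boolean (`123`, `on`) becomes a non-string label value and the Deployment is rejected by the apiserver; the sibling `app.kubernetes.io/version` line in `template.labels` already pipes through `quote`. Change the two selector lines to `app.kubernetes.io/name: {{ .Values.name | quote }}` and `app.kubernetes.io/instance: {{ .Release.Name | quote }}`. The selector is keyed on `.Values.name` rather than the chart name, which looks intentional for a "generic" chart but is worth a sentence in the `Selector labels` comment, since changing `name` on upgrade changes the immutable `matchLabels`.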
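Review bot: The ConfigMap carries no labels, whereas the Deployment and Service in this commit attach `template.labels`, so it cannot be selected or audited alongside the rest of the release's objects. Add `labels: {{ include "template.labels" . | nindent 4 }}` under `metadata:`. Keys from `.Values.env` are rendered raw into `data:`, so an invalid key only fails at apply time; a comment `# keys must be valid ConfigMap data keys ([-._a-zA-Z0-9]+); values are non-secret and visible to anyone who can read ConfigMaps` above the `range` would make the contract explicit.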
@@ -0,0 +1,85 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Values.name }}
+ labels: {{ include "template.labels" . | nindent 4 }}
+ annotations:
+ {{- if .Values.env }}
+ reloader.stakater.com/search: "true"
+ {{- end }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ revisionHistoryLimit: {{ .Values.revisionHistoryLimit | default 0 }}
+ selector:
+ matchLabels: {{ include "template.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels: {{ include "template.labels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets: {{ toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.nodeSelector }}
+ nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
+ {{- end }}
+ {{- with .Values.volumes }}
+ volumes: {{ toYaml . | nindent 8 }}
+ {{- end }}
+ automountServiceAccountToken: {{ .Values.automountServiceAccountToken | default false }}
+ securityContext:
+ {{- if .Values.podSecurityContext }}
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- else }}
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ {{- end }}
+ containers:
+ - name: {{ .Values.name }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ {{- with .Values.customCommand }}
+ {{- with .command }}
+ command: {{ toYaml . | nindent 12}}
+ {{- end}}
+ {{- with .args }}
+ args: {{ toYaml . | nindent 12 }}
+ {{- end }}
+ {{- end }}
+ securityContext:
+ {{- if .Values.securityContext }}
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ {{- else }}
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ {{- end }}
+ envFrom:
+ {{- if .Values.env }}
+ - configMapRef:
+ name: {{ .Values.name }}-env
+ {{- end }}
+ {{- if .Values.vault }}
+ {{- if .Values.vault.path }}
+ - secretRef:
+ name: {{ .Values.name }}-env
+ {{- end }}
+ {{- end }}
+ {{- if .Values.services }}
+ ports:
+ {{- range $name, $s := .Values.services }}
+ - name: {{ $name }}
+ containerPort: {{ $s.port }}
+ protocol: {{ $s.protocol }}
+ {{- end }}
+ {{- end }}
+ {{- with .Values.livenessProbe }}
+ livenessProbe: {{ toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.volumeMounts }}
+ volumeMounts: {{ toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.resources }}
+ resources: {{ toYaml . | nindent 12 }}
+ {{- end }}
diff --git a/templates/dockerconfig.yaml b/templates/dockerconfig.yaml
new file mode 100644
index 0000000..fffabcf
--- /dev/null
+++ b/templates/dockerconfig.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.vault }}
+{{- if .Values.vault.imagePullSecret }}
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: imagepull
+spec:
+ type: kv-v2
+ mount: {{ .Values.vault.mount }}
+ path: {{ .Values.vault.imagePullSecret.path }}
+ destination:
+ name: {{ .Values.vault.imagePullSecret.name }}
+ create: true
+ type: kubernetes.io/dockerconfigjson
+ refreshAfter: 30s
+ vaultAuthRef: vault-auth
+{{- end }}
+{{- end }}
diff --git a/templates/pvc.yaml b/templates/pvc.yaml
new file mode 100644
index 0000000..b1fe32b
--- /dev/null
+++ b/templates/pvc.yaml
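Review bot: Both `securityContext` blocks use the hardened defaults only when the override is empty, so a user who sets `podSecurityContext: {fsGroup: 1000}` to write to a PVC silently loses `runAsNonRoot` and the `RuntimeDefault` seccomp profile, and any non-empty `securityContext` drops `allowPrivilegeEscalation: false` and the `ALL` capability drop. Merge the override over the defaults instead of replacing them: at pod level `securityContext:` followed by `{{- toYaml (mergeOverwrite (dict "runAsNonRoot" true "seccompProfile" (dict "type" "RuntimeDefault")) (.Values.podSecurityContext | default dict)) | nindent 8 }}`, and the same `mergeOverwrite` pattern at container level with `allowPrivilegeEscalation`/`capabilities` as the base dict. Consider also `readOnlyRootFilesystem: true` in the container base, since writable paths are already expected to arrive via `volumeMounts`. Separately, `image:` renders as `":"` when `image.repository` and `image.tag` are unset (values.yaml ships both commented out); wrap them in `required "image.repository is required"` / `required "image.tag is required"` so the failure is at template time rather than an ImagePullBackOff.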
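Review bot: `metadata.name: imagepull` is a fixed name while every other object in this chart is keyed on `.Values.name`, so a second release in the same namespace fails with Helm's "owned by another release" error on this VaultStaticSecret; use `name: {{ .Values.name }}-imagepull`. Nothing wires `vault.imagePullSecret.name` into the Deployment's `imagePullSecrets`, so the operator must repeat the same name in two places with no check that they agree; either default `imagePullSecrets` to that name in the Deployment or add a comment here saying the name must also be listed under `imagePullSecrets`. `mount:` and `path:` are rendered unquoted; pipe both through `quote` so a numeric-looking mount name does not change type.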
@@ -0,0 +1,14 @@
+{{- range $pvc := .Values.pvc }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ $pvc.name }}
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: {{ $pvc.capacity }}
+ volumeName: {{ $pvc.volume }}
+ storageClassName: {{ $pvc.storageClass }}
+{{- end }}
diff --git a/templates/secret-env.yaml b/templates/secret-env.yaml
new file mode 100644
index 0000000..b41064e
--- /dev/null
+++ b/templates/secret-env.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.vault }}
+{{- if .Values.vault.path }}
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: {{ .Values.name }}-env
+spec:
+ type: kv-v2
+ mount: {{ .Values.vault.mount }}
+ path: {{ .Values.vault.path }}
+ destination:
+ name: {{ .Values.name }}-env
+ create: true
+ annotations:
+ reloader.stakater.com/match: "true"
+ refreshAfter: 30s
+ vaultAuthRef: vault-auth
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/templates/service.yaml b/templates/service.yaml
new file mode 100644
index 0000000..42bfd00
--- /dev/null
+++ b/templates/service.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.services }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Values.name }}
+ labels:
+ {{- include "template.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ ports:
+ {{- range $name, $s := .Values.services }}
+ - name: {{ $name }}
+ port: {{ $s.port }}
+ protocol: {{ $s.protocol }}
+ {{- end}}
+ selector:
+ {{- include "template.selectorLabels" . | nindent 4 }}
+{{- end }}
diff --git a/templates/vault-auth.yaml b/templates/vault-auth.yaml
new file mode 100644
index 0000000..472e307
--- /dev/null
+++ b/templates/vault-auth.yaml
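Review bot: The `range` emits one `apiVersion: v1 … storageClassName:` mapping per entry with no `---` between iterations, so with two or more PVCs the rendered output is a single YAML document with duplicate top-level keys and `helm install` fails with a duplicate-key error (a lenient parser would silently keep only the last claim). Put a document separator at the top of the loop body: `{{- range $pvc := .Values.pvc }}` followed by a line containing only `---`. `volumeName:` and `storageClassName:` are also emitted unconditionally, so an entry without `volume` renders `volumeName: null`; guarding each with `{{- with $pvc.volume }}` … `{{- end }}` keeps the claim dynamically provisionable and the manifest honest.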
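Review bot: `vaultAuthRef: vault-auth` is hard-coded, but the VaultAuth object in this commit is only rendered when `vault.auth` is set, so a values file with `vault.path` and no `vault.auth` produces a VaultStaticSecret pointing at a missing VaultAuth; the Secret is never created and the Deployment's `secretRef` stays unresolved with no template-time error. Fail early with `{{ $_ := required "vault.auth is required when vault.path is set" .Values.vault.auth }}` inside the `vault.path` guard (the dockerconfig template has the same dependency). `mount:` and `path:` should also be piped through `quote`, matching the `"true"` annotation value below them.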
@@ -0,0 +1,16 @@
+{{- if .Values.vault }}
+{{- if .Values.vault.auth }}
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ name: vault-auth
+spec:
+ method: kubernetes
+ mount: {{ .Values.vault.auth.mount }}
+ kubernetes:
+ role: {{ .Values.vault.auth.role }}
+ serviceAccount: default
+ audiences:
+ - vault
+{{- end }}
+{{- end }}
diff --git a/values.yaml b/values.yaml
new file mode 100644
index 0000000..ee25160
--- /dev/null
+++ b/values.yaml
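Review bot: `serviceAccount: default` binds the Vault Kubernetes-auth role to the namespace's `default` ServiceAccount, so any pod in the namespace that runs as `default` with a mounted token (this chart disables automount, but other workloads in the namespace may not) can log in to Vault as `.Values.vault.auth.role` and read every KV path that role allows. Create a dedicated ServiceAccount for the operator's login and reference it here, e.g. `serviceAccount: {{ .Values.vault.auth.serviceAccount | default "default" }}` plus a matching ServiceAccount template, and bind the Vault role to that account only. `metadata.name: vault-auth` is also a fixed name, so a second release in the namespace collides on this object; `{{ .Values.name }}-vault-auth`, with the two `vaultAuthRef`s updated to match, avoids that.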
@@ -0,0 +1,104 @@
+replicaCount: 1
+revisionHistoryLimit: 0
+name: appname # name of the app
+
+image:
+ pullPolicy: Always
+# repository: git.romalex.cc/user/app
+# tag: "76d27c"
+
+#imagePullSecrets:
+# - name: image-pull
+
+# override entrypoint
+customCommand:
+# command: ["run-something"]
+# args: ["--db=1234"]
+
+# map of insecure environment variables
+env:
+# DB: xxxx
+# DBUSER: yyyyy
+
+# Set to true if you need to mount K8S JWT token into pod (/var/run/secrets/kubernetes.io/)
+automountServiceAccountToken: false
+
+vault:
+# auth:
+# role: user-ro # role to auth
+# mount: romalex-k8s # name of kubernetes auth mount
+# mount: user # name of kv engine
+# path: "user/odoo" # path inside the engine. omit if you don't need to import env from vault
+# imagePullSecret: # omit if you don't need to import dockerconfigjson from vault
+# name: "image-pull" # name of the dockerconfigjson secret to generate
+# path: "romalex/imagePull" # path to secret with dockerconfigjson in the vault.mount engine
+
+services:
+# http:
+# port: 8080 # port and targetPort have the same value
+# protocol: TCP
+
+livenessProbe:
+# httpGet:
+# path: /health
+# port: http
+# initialDelaySeconds: 40
+# periodSeconds: 90
+# timeoutSeconds: 10
+
+# nodeSelector -- Configure
+# [nodeSelector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector).
+nodeSelector:
+# storage: nfs
+# contabo: pn
+
+# Configures the Pod Security Context
+# https://kubernetes.io/docs/tasks/configure-pod-container/security-context
+podSecurityContext:
+
+# Configures the Container Security Context
+# https://kubernetes.io/docs/tasks/configure-pod-container/security-context
+securityContext:
+
+# volume claims
+pvc:
+# - name: mypvc # pvc name
+# volume: myvol # pv name
+# capacity: # capacity request
+# storageClass: local-storage
+
+# Additional volumes on the output Deployment definition.
+volumes:
+# - name: mypvc
+# persistentVolumeClaim:
+# claimName: mypvc
+# - name: foo
+# secret:
+# secretName: mysecret
+# optional: false
+# - name: odoo-conf
+# configMap:
+# name: odoo-conf
+
+# Additional volumeMounts on the output Deployment definition.
+volumeMounts:
+# - name: grafana-varlib
+# mountPath: /var/lib/grafana
+# - name: foo
+# mountPath: "/etc/foo"
+# readOnly: true
+# - name: odoo-conf
+# mountPath: /etc/odoo/odoo.conf
+# subPath: odoo.conf
+# readOnly: true
+
+resources:
+# requests:
+# memory: 3Gi
+# cpu: 100m
+# ephemeral-storage: 200Mi
+# limits:
+# memory: 6Gi
+# cpu: 100m
+# ephemeral-storage: 200Mi
+
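Review bot: The comment `# map of insecure environment variables` above `env:` does not say what "insecure" means for the reader choosing where to put a value; replace it with `# non-secret environment variables: rendered into a ConfigMap and readable by anyone with get on ConfigMaps in the namespace. Credentials go under vault.path, which lands in a Secret.` The `image` stanza ships `pullPolicy: Always` with `tag` commented out, so a deployment that uses a mutable tag re-pulls whatever that tag currently points at on every pod restart; add a comment under `image:` stating that `tag` should be an immutable build tag (the Deployment template in this commit does not support `@sha256` digests, which would be the stronger pin). The `podSecurityContext:` / `securityContext:` comments should also warn that a non-empty override replaces, rather than extends, the chart's default hardening, since that is how the Deployment template currently behaves.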