Create official helm chart (#7)

lint, package, test and publish helm chart to helm.estafette.io

.estafette.yaml

@@ -2,18 +2,18 @@ builder:
   track: dev
 
 labels:
-  app-group: estafette-various
+  app-group: estafette-controllers
   team: estafette-team
   language: golang
 
 version:
   semver:
     major: 1
-    minor: 0
+    minor: 2
 
 stages:
   build:
-    image: golang:1.13.0-alpine3.10
+    image: golang:1.13.4-alpine3.10
     env:
       CGO_ENABLED: 0
       GOOS: linux
@@ -49,15 +49,70 @@ stages:
     action: push
     repositories:
     - estafette
-    when:
-      status == 'succeeded' &&
-      branch == 'master' &&
-      server == 'gocd'
+
+  lint-helm-chart:
+    image: extensions/helm:dev
+    action: lint
+    prerelease: true
+
+  package-helm-chart:
+    image: extensions/helm:dev
+    action: package
+    prerelease: true
+
+  test-helm-chart:
+    services:
+    - name: kubernetes
+      image: bsycorp/kind:latest-1.12
+      ports:
+      - port: 8443
+      - port: 10080
+        readiness:
+          path: /kubernetes-ready
+          timeoutSeconds: 180
+    image: extensions/helm:dev
+    action: test
+    prerelease: true
+    values:
+    - serviceAccountProjectID=my-project-id
+
+  clone-charts-repo:
+    image: extensions/git-clone:dev
+    repo: helm-charts
+    branch: master
+
+  publish-helm-chart:
+    image: extensions/helm:dev
+    action: publish
+    prerelease: true
 
   slack-notify:
     image: extensions/slack-build-status:dev
     workspace: estafette
     channels:
     - '#build-status'
     when:
-      status == 'failed'
+      status == 'failed'
+
+releases:
+  release:
+    clone: true
+    stages:
+      package-helm-chart:
+        image: extensions/helm:dev
+        action: package
+
+      clone-charts-repo:
+        image: extensions/git-clone:dev
+        repo: helm-charts
+        branch: master
+
+      publish-helm-chart:
+        image: extensions/helm:dev
+        action: publish
+        purgePrerelease: true
+
+      create-github-release:
+        image: extensions/github-release:dev
+        version: ${ESTAFETTE_BUILD_VERSION_MAJOR}.${ESTAFETTE_BUILD_VERSION_MINOR}.0
+        closeMilestone: true

README.md

@@ -8,39 +8,27 @@ This small Kubernetes application creates and renews Let's Encrypt SSL certifica
 
 In order to create GCP service accounts and store their keyfiles in Kubernetes secrets. This improves developer self-service.
 
-## Usage
+## Installation
 
-As a Kubernetes administrator, you first need to deploy the rbac.yaml file which set role and permissions.
-Then deploy the application to Kubernetes cluster using the manifest below.
-
-```
-cat rbac.yaml | kubectl apply -f -
-```
-
-Create a google service account with keyfile and the following roles for bootstrapping only:
+Create a google service account with keyfile and the following roles:
 
 ```
 Service Account Admin
 Service Account Key Admin
 ```
 
-Create a secret with the bootstrap key only once:
+Prepare using Helm:
 
 ```
-cat bootstrap-secret.yaml | TEAM_NAME=tooling GOOGLE_SERVICE_ACCOUNT=<base64 encoded bootstrap service account keyfile> envsubst | kubectl apply -f -
+brew install kubernetes-helm
+kubectl -n kube-system create serviceaccount tiller
+kubectl create clusterrolebinding tiller --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
+helm init --service-account tiller --wait
 ```
 
-Then create the deployment and other resources with
+Then install or upgrade with Helm:
 
 ```
-cat kubernetes.yaml | TEAM_NAME=tooling SERVICE_ACCOUNT_PREFIX=dev SERVICE_ACCOUNT_PROJECT_ID=my-gcp-sa-container-project-id KEY_ROTATION_AFTER_HOURS=360 envsubst | kubectl apply -f -
+helm repo add estafette https://helm.estafette.io
+helm upgrade --install estafette-gcp-service-account --namespace estafette estafette/estafette-gcp-service-account
 ```
-
-The bootstrap service account will be replaced with a dedicated service account, which now needs the same roles as well:
-
-```
-Service Account Admin
-Service Account Key Admin
-```
-
-From now on the keys in the secrets will be rotated every KEY_ROTATION_AFTER_HOURS hours.

estafette-gcp-service-account/.helmignore

@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

estafette-gcp-service-account/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: Kubernetes controller to fetch GCP service account keyfiles for annotated secrets
+name: estafette-gcp-service-account
+version: 0.1.0

estafette-gcp-service-account/templates/NOTES.txt

@@ -0,0 +1,2 @@
+1. Get the application logs by running this command:
+kubectl logs -f -l app.kubernetes.io/name={{ include "estafette-gcp-service-account.name" . }},app.kubernetes.io/instance={{ .Release.Name }} -n {{ .Release.Namespace }}

estafette-gcp-service-account/templates/_helpers.tpl

@@ -0,0 +1,66 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "estafette-gcp-service-account.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "estafette-gcp-service-account.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "estafette-gcp-service-account.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "estafette-gcp-service-account.labels" -}}
+app.kubernetes.io/name: {{ include "estafette-gcp-service-account.name" . }}
+helm.sh/chart: {{ include "estafette-gcp-service-account.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- range $key, $value := .Values.extraLabels }}
+{{ $key }}: {{ $value }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "estafette-gcp-service-account.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "estafette-gcp-service-account.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the tag of the image to use
+*/}}
+{{- define "estafette-gcp-service-account.imageTag" -}}
+{{ default .Chart.AppVersion .Values.image.tag }}
+{{- end -}}

estafette-gcp-service-account/templates/clusterrole.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.rbac.enable -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "estafette-gcp-service-account.fullname" . }}
+  labels:
+{{ include "estafette-gcp-service-account.labels" . | indent 4 }}
+rules:
+- apiGroups: [""] # "" indicates the core API group
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - update
+  - watch
+{{- end -}}

estafette-gcp-service-account/templates/clusterrolebinding.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.rbac.enable -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "estafette-gcp-service-account.fullname" . }}
+  labels:
+{{ include "estafette-gcp-service-account.labels" . | indent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "estafette-gcp-service-account.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "estafette-gcp-service-account.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end -}}