undust helm chart (#17)

.goreleaser.yml

@@ -1,5 +1,6 @@
 before:
   hooks:
+    - go mod download
     - go vet ./...
     - go test -v ./...
 builds:
@@ -26,8 +27,9 @@ dockers:
     image_templates:
     - quay.io/mittwald/kubernetes-secret-generator:latest
     - quay.io/mittwald/kubernetes-secret-generator:stable
+    - quay.io/mittwald/kubernetes-replicator:v{{ .Major }}
+    - quay.io/mittwald/kubernetes-replicator:v{{ .Major }}.{{ .Minor }}
     - quay.io/mittwald/kubernetes-secret-generator:{{ .Tag }}
-    - quay.io/mittwald/kubernetes-secret-generator:{{ .Tag }}-go{{ .Env.GO_VERSION }}
     binaries:
       - kubernetes-secret-generator
     goos: linux

.travis.yml

@@ -1,37 +1,40 @@
 language: go
 
+os: linux
+
+dist: bionic
+
 go:
   - '1.12'
 
-before_script:
-  - sudo sysctl -w net.ipv4.ip_forward=1
-
 services:
   - docker
 
 env:
   global:
     - GO111MODULE=on
     - CGO_ENABLED=0
-    - GO_VERSION=1.12
-    - secure: a6FJSuOoyjy4SZMvBLobprLMtKReOAX8c528jCe/HapvWkd0b8muSNDqiDNuf9S4dxkBd7Vq93LblPCs8mCVnMDx3Isx/Z1n6SeNefXmWMDaRUR72G0Dlb6gUfDEwqej9dMOAoFHFqtzGHB6TexTBjyM3y5GGo0T5Kt1AcslMt/bWcAu460+meuPRoFKd5pLjz/kCx7a2FGm63Jt0Zi8uN8vqAkJb15kcZWBNHyJJL0YXFIeBNJsfrAeBeRX20bpRWKuGJDAZiKlnUVQolHaUxrg8ZvHBGbCKEJQqRe+ZpMNo9Im7Xm00pHCPcgcGLDg5+8xtjQPmanhpY9Aun5PAD9oPXNlQ7wEKkC7SiXOyfm5PaT71yaZfi+7Qe4HwbwoZMXDF+XvgFjGoLT5hVawKW32/bs6SfuLWcl2nKRtIDjHm2K8P6uzO7YUUEidF2CsjS9Rf7fHuoAHLov82xdO+iUTEmZ3mySdrY3WO3niPcuBMg0C4E4aYRbDpP/LMNl75odwA1i/FZwFsTTp9yho9A0nn/djNq3INUumac/D8N0lPbvRyy5Xh69MVXb9YovbV4iHi8D8OZLOBoe98DOKy/zpNy0hzesJWR3ytWOBuVhseu1CiHoVOrJsyaGE9hOZz3k9g/NYHOtw3UJ01Kuhm7rJCyWclaxqmRZkHOOjQq8=
+
 script:
-  - bash <(wget -qO- https://git.io/goreleaser) --snapshot --skip-publish --rm-dist
+  - curl -sL https://git.io/goreleaser | bash -s -- --snapshot --skip-publish --rm-dist
 
 before_deploy:
-  - if [[ -n "${DOCKER_LOGIN_USERNAME}" ]] && [[ -n "${DOCKER_LOGIN_PASSWORD}" ]] && [[ -n "${DOCKER_LOGIN_URL}" ]]; then docker login -u "${DOCKER_LOGIN_USERNAME}" -p "${DOCKER_LOGIN_PASSWORD}" "${DOCKER_LOGIN_URL}"; fi
-  - export FULL_IMAGE="${DOCKER_LOGIN_URL}/mittwald/kubernetes-secret-generator"
+  - docker login -u "${DOCKER_LOGIN_USERNAME}" -p "${DOCKER_LOGIN_PASSWORD}" quay.io
 deploy:
   - provider: script
-    skip_cleanup: true
-    script: curl -sL https://git.io/goreleaser | bash -s -- --snapshot --skip-publish --rm-dist && docker push "${FULL_IMAGE}:latest"
+    cleanup: false
+    script: >-
+      curl -sL https://git.io/goreleaser | bash -s -- --snapshot --skip-publish --rm-dist &&
+      docker push "quay.io/mittwald/kubernetes-secret-generator:latest"
     on:
       tags: false
       branch: master
       condition: $TRAVIS_OS_NAME = linux
   - provider: script
-    skip_cleanup: true
-    script: curl -sL https://git.io/goreleaser | bash -s -- --rm-dist
+    cleanup: false
+    script: >-
+      curl -sL https://git.io/goreleaser | bash -s -- --rm-dist &&
+      bash ./scripts/bump-app-version.sh publish
     on:
       tags: true
       condition: $TRAVIS_OS_NAME = linux

deploy/helm-chart/kubernetes-secret-generator/Chart.yaml

@@ -0,0 +1,13 @@
+# apiVersion will be set to v2 as soon as Github Workflows supports Helmv2 Charts
+# https://github.com/mittwald/helm-charts/blob/master/README.md#limitations
+apiVersion: v1
+name: kubernetes-secret-generator
+description: Controller for replicating secrets+configmaps across namespaces
+
+# type will be set to soon as Github Workflows supports Helmv2 Charts
+# https://github.com/mittwald/helm-charts/blob/master/README.md#limitations
+#type: application
+
+version: 2.1.1
+
+appVersion: v2.1.1

deploy/helm-chart/kubernetes-secret-generator/templates/_helpers.tpl

@@ -0,0 +1,63 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "kubernetes-secret-generator.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "kubernetes-secret-generator.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "kubernetes-secret-generator.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "kubernetes-secret-generator.labels" -}}
+helm.sh/chart: {{ include "kubernetes-secret-generator.chart" . }}
+{{ include "kubernetes-secret-generator.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "kubernetes-secret-generator.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "kubernetes-secret-generator.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "kubernetes-secret-generator.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "kubernetes-secret-generator.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}

deploy/helm-chart/kubernetes-secret-generator/templates/deployment.yaml

@@ -0,0 +1,44 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "kubernetes-secret-generator.fullname" . }}
+  labels:
+    {{- include "kubernetes-secret-generator.labels" . | nindent 4 }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      {{- include "kubernetes-secret-generator.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "kubernetes-secret-generator.selectorLabels" . | nindent 8 }}
+    spec:
+    {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+      serviceAccountName: {{ include "kubernetes-secret-generator.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          args: {{ toYaml .Values.args | nindent 12 }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}

deploy/helm-chart/kubernetes-secret-generator/templates/rbac.yaml

@@ -0,0 +1,34 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "kubernetes-secret-generator.serviceAccountName" . }}
+  labels:
+{{ include "kubernetes-secret-generator.labels" . | nindent 4 }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: "mittwald:{{ include "kubernetes-secret-generator.serviceAccountName" . }}"
+  labels:
+{{ include "kubernetes-secret-generator.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""] # "" indicates the core API group
+  resources: ["secrets"]
+  verbs: ["get", "watch", "list", "update"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: "mittwald:{{ include "kubernetes-secret-generator.serviceAccountName" . }}"
+  labels:
+{{ include "kubernetes-secret-generator.labels" . | nindent 4 }}
+roleRef:
+  kind: ClusterRole
+  name: "mittwald:{{ include "kubernetes-secret-generator.serviceAccountName" . }}"
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    namespace: {{ .Release.Namespace | quote }}
+    name: {{ include "kubernetes-secret-generator.serviceAccountName" . }}
+{{- end -}}

deploy/helm-chart/kubernetes-secret-generator/values.yaml

@@ -0,0 +1,45 @@
+image:
+  repository: quay.io/mittwald/kubernetes-secret-generator
+  # tag: latest # if no tag is given, the chart's appVersion is used
+  pullPolicy: Always
+
+args:
+  - "-logtostderr"
+  - "-all-namespaces"
+  - "-regenerate-insecure"
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name:
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+resources: {}
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}