feat: add helm chart (#379)

* Added helm chart source for the operator

This commit includes a new directory, helm, which contains the necessary files for deploying the application to Kubernetes clusters using the Helm package manager.

The chart includes:

- Deployment
- Role and role binding
- Service account
- CRD definition

Resources for the Pulumi Kubernetes Operator, as well as the configurable values file (values.yaml) for specifying the deployment of the Operator.

This change will allow our customers to more easily manage and deploy the Operator on various Kubernetes environments, streamlining the process and reducing the potential for errors.

Signed-off-by: Engin Diri <[email protected]>

* Add GitHub workflows to build, test and distribute the Helm chart

This commit introduces a series of GitHub workflows to the codebase, which will be used to automate various tasks related to continuous integration and deployment. These workflows are defined in the `.github/workflows` directory, and include the following:

- `ct-linting-and-testing.yaml`: This workflow is triggered on pull requests, and is responsible for linting and testing the chart to ensure that it is in a releasable state.

- `chart-publish.yaml`: This workflow is triggered on the main branch only when changes are detected in the chart directory, and is responsible for releasing the chart as traditional bundle and OCI artefact.

- Diverse linter configuration files to tune the linting process to our needs.

Overall, these workflows will help to streamline the development process of the Helm charts and ensure that templating code is always in a deployable state.

Signed-off-by: Engin Diri <[email protected]>

* feat: update all actions

Signed-off-by: Engin Diri <[email protected]>

* feat: update all actions

Signed-off-by: Engin Diri <[email protected]>

* feat: update helm chart name

Signed-off-by: Engin Diri <[email protected]>

* chore: add changelog entry

---------

Signed-off-by: Engin Diri <[email protected]>
Co-authored-by: Engin Diri <[email protected]>
Co-authored-by: Ramon Quitales <[email protected]>

.github/configs/cr.yaml

@@ -0,0 +1,2 @@
+## Reference: https://github.com/helm/chart-releaser
+index-path: "./index.yaml"

.github/configs/ct-install.yaml

@@ -0,0 +1,13 @@
+## Reference: https://github.com/helm/chart-testing/blob/master/doc/ct_lint-and-install.md
+# Don't add the 'debug' attribute, otherwise the workflow won't work anymore
+# Only Used for the CT Lint Stage
+remote: origin
+target-branch: master
+chart-dirs:
+  - deploy/helm
+helm-extra-args: "--timeout 600s"
+validate-chart-schema: false
+validate-maintainers: true
+validate-yaml: true
+exclude-deprecated: true
+excluded-charts: []

.github/configs/ct-lint.yaml

@@ -0,0 +1,13 @@
+## Reference: https://github.com/helm/chart-testing/blob/master/doc/ct_lint-and-install.md
+# Don't add the 'debug' attribute, otherwise the workflow won't work anymore
+# Only Used for the CT Lint Stage
+remote: origin
+target-branch: master
+chart-dirs:
+  - deploy/helm
+helm-extra-args: "--timeout 600s"
+validate-chart-schema: false
+validate-maintainers: true
+validate-yaml: true
+exclude-deprecated: true
+excluded-charts: []

.github/configs/lintconf.yaml

@@ -0,0 +1,42 @@
+---
+rules:
+  braces:
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+    min-spaces-inside-empty: -1
+    max-spaces-inside-empty: -1
+  brackets:
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+    min-spaces-inside-empty: -1
+    max-spaces-inside-empty: -1
+  colons:
+    max-spaces-before: 0
+    max-spaces-after: 1
+  commas:
+    max-spaces-before: 0
+    min-spaces-after: 1
+    max-spaces-after: 1
+  comments:
+    require-starting-space: true
+    min-spaces-from-content: 1
+  document-end: disable
+  document-start: disable # No --- to start a file
+  empty-lines:
+    max: 2
+    max-start: 0
+    max-end: 0
+  hyphens:
+    max-spaces-after: 1
+  indentation:
+    spaces: consistent
+    indent-sequences: whatever # - list indentation will handle both indentation and without
+    check-multi-line-strings: false
+  key-duplicates: enable
+  line-length: disable # Lines can be any length
+  new-line-at-end-of-file: enable
+  new-lines:
+    type: unix
+  trailing-spaces: enable
+  truthy:
+    level: warning

.github/workflows/chart-lint-and-test.yml

@@ -0,0 +1,75 @@
+name: ct-linting-and-testing
+on:
+  pull_request:
+    paths:
+      - deploy/helm/**
+
+permissions: read-all
+
+jobs:
+  chart-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
+        with:
+          version: v3.6.3
+
+      - name: Set up python
+        uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b # v4.6.0
+        with:
+          python-version: 3.7
+
+      - name: Run Trivy vulnerability scanner in IaC mode
+        uses: aquasecurity/trivy-action@e5f43133f6e8736992c9f3c1b3296e24b37e17f2 # 0.10.0
+        with:
+          scan-type: 'config'
+          hide-progress: false
+          format: 'sarif'
+          scan-ref: 'deploy/helm/pulumi-operator'
+          output: 'trivy-results.sarif'
+          exit-code: '1'
+          ignore-unfixed: true
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@f3feb00acb00f31a6f60280e6ace9ca31d91c76a # v2.3.2
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+      - name: Setup Chart Linting
+        id: lint
+        uses: helm/chart-testing-action@e8788873172cb653a90ca2e819d79d65a66d4e76 # v2.4.0
+
+      - name: List changed charts
+        id: list-changed
+        run: |
+          ## If executed with debug this won't work anymore.
+          changed=$(ct --config ./.github/configs/ct-lint.yaml list-changed)
+          charts=$(echo "$changed" | tr '\n' ' ' | xargs)
+          if [[ -n "$changed" ]]; then
+            echo "::set-output name=changed::true"
+            echo "::set-output name=changed_charts::$charts"
+          fi
+
+      - name: Run Artifact Hub lint
+        run: |
+          curl -s https://api.github.com/repos/artifacthub/hub/releases/latest | grep -E 'browser_download_url' | grep linux_amd64.tar.gz\" | grep -Eo 'https://[^\"]*' | xargs wget -O - | tar -xz
+          ./ah lint -p deploy/helm/pulumi-operator || exit 1
+          rm -f ./ah
+
+      - name: Run chart-testing (lint)
+        run: ct lint --debug --config ./.github/configs/ct-lint.yaml --lint-conf ./.github/configs/lintconf.yaml
+
+      - name: Create kind cluster
+        uses: helm/kind-action@d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00 # v1.5.0
+        if: steps.list-changed.outputs.changed == 'true'
+
+      - name: Run chart-testing (install)
+        run: ct install --config ./.github/configs/ct-lint.yaml
+        if: steps.list-changed.outputs.changed == 'true'

.github/workflows/chart-publish.yaml

@@ -0,0 +1,79 @@
+---
+name: chart-publish
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - "deploy/helm/**"
+env:
+  HELM_DOCS_VERSION: "1.11.0"
+
+permissions: read-all
+
+jobs:
+  publish:
+    permissions:
+      contents: write # for helm/chart-releaser-action to push chart release and create a release
+      packages: write # for helm/chart-releaser-action to push chart release and create a release
+      id-token: write # for helm/chart-releaser-action to push chart release and create a release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        with:
+          fetch-depth: 0
+
+      - name: Install Helm
+        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "[email protected]"
+
+      - name: install helm-docs
+        run: |
+          cd /tmp
+          wget https://github.com/norwoodj/helm-docs/releases/download/v${{env.HELM_DOCS_VERSION}}/helm-docs_${{env.HELM_DOCS_VERSION}}_Linux_x86_64.tar.gz
+          tar -xvf helm-docs_${{env.HELM_DOCS_VERSION}}_Linux_x86_64.tar.gz
+          sudo mv helm-docs /usr/local/sbin
+
+      - name: run helm-docs
+        run: |
+          helm-docs -t README.md.gotmpl -o README.md -b for-the-badge
+
+      - name: Login to GHCR
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0
+        with:
+          registry: ghcr.io
+          username: ${ GITHUB_REPOSITORY_OWNER }
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run Artifact Hub lint
+        run: |
+          curl -s https://api.github.com/repos/artifacthub/hub/releases/latest | grep -E 'browser_download_url' | grep linux_amd64.tar.gz\" | grep -Eo 'https://[^\"]*' | xargs wget -O - | tar -xz
+          ./ah lint -p deploy/helm/pulumi-operator || exit 1
+          rm -f ./ah
+
+      - name: Run chart-releaser
+        uses: helm/chart-releaser-action@be16258da8010256c6e82849661221415f031968 # v1.5.0
+        with:
+          config: "./.github/configs/cr.yaml"
+          charts_dir: "deploy/helm"
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+
+      - uses: sigstore/cosign-installer@204a51a57a74d190b284a0ce69b44bc37201f343 # v3.0.3
+      - name: Push chart to GHCR
+        env:
+          COSIGN_EXPERIMENTAL: 1
+        run: |
+          shopt -s nullglob
+          for pkg in .cr-release-packages/*; do
+            if [ -z "${pkg:-}" ]; then
+              break
+            fi
+            helm push "${pkg}" oci://ghcr.io/pulumi/helm-charts |& tee .digest
+            cosign sign -y $(cat .digest | awk -F "[, ]+" '/Pushed/{print $NF}')
+          done          

CHANGELOG.md

@@ -3,6 +3,7 @@ CHANGELOG
 
 ## HEAD (unreleased)
 - Use digest field for Flux source artifact if present [#459](https://github.com/pulumi/pulumi-kubernetes-operator/pull/459)
+- Add Helm chart support for installing the Pulumi Operator. [#379](https://github.com/pulumi/pulumi-kubernetes-operator/pull/379)
 
 ## 1.12.1 (2023-05-19)
 - Update to [Pulumi SDK v3.68.0](https://github.com/pulumi/pulumi/releases/tag/v3.68.0) and the base

deploy/helm/pulumi-operator/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

deploy/helm/pulumi-operator/Chart.yaml

@@ -0,0 +1,38 @@
+apiVersion: v2
+name: pulumi-kubernetes-operator
+description: A Helm chart for the Pulumi Kubernetes Operator
+home: https://pulumi.com
+sources:
+  - https://github.com/pulumi/pulumi-kubernetes-operator
+
+icon: https://www.pulumi.com/logos/brand/twitter-card.png
+
+type: application
+
+version: 0.1.0
+appVersion: "1.10.1"
+
+keywords:
+  - pulumi
+  - kubernetes
+  - operator
+
+maintainers:
+  - name: dirien
+    email: [email protected]
+    url: https://pulumi.com
+
+annotations:
+  artifacthub.io/containsSecurityUpdates: "false"
+  artifacthub.io/changes: |
+    - initial release
+  artifacthub.io/images: |
+    - name: pulumi-kubernetes-operator
+      image: docker.io/pulumi-kubernetes-operator:v1.10.1
+  artifacthub.io/license: Apache-2.0
+  artifacthub.io/links: |
+    - name: website
+      url: https://pulumi.com
+  artifacthub.io/maintainers: |
+    - name: dirien
+      email: [email protected]