cyberchef: add initial chart

.github/workflows/build.yaml → .github/workflows/chart-build.yaml

@@ -1,4 +1,4 @@
-name: Build Charts
+name: Build Helm Charts
 
 on:
   pull_request:
@@ -29,6 +29,10 @@ jobs:
     runs-on: ubuntu-latest
     needs: create-matrix
 
+    permissions:
+      contents: read
+      packages: write
+
     strategy:
       fail-fast: false
       matrix:
@@ -66,6 +70,12 @@ jobs:
 
       - name: Check for chart version change
         run: |
+          if git cat-file -e origin/main:charts/${{ matrix.chart }}/Chart.yaml >/dev/null; then
+            echo "Chart exists in main branch"
+          else
+            echo "Chart does not exist in main branch"
+            exit 0
+          fi
           old_version=$(git show origin/main:charts/${{ matrix.chart }}/Chart.yaml | yq eval ".version")
           new_version=$(yq eval ".version" charts/${{ matrix.chart }}/Chart.yaml)
           if [ "$old_version" == "$new_version" ]; then
@@ -76,6 +86,6 @@ jobs:
       - name: Push chart to GHCR
         run: |
           version=$(yq eval ".version" charts/${{ matrix.chart }}/Chart.yaml)
-          yq e -i '.version = "env(version)-${{ github.base_ref }}.${{ github.run_id }}"' charts/${{ matrix.chart }}/Chart.yaml
           echo "Pushing chart ${{ matrix.chart }} with version $version-${{ github.head_ref }}.${GITHUB_SHA::7}"
-          helm push "${{ matrix.chart }}" "oci://ghcr.io/${{ github.repository }}"
+          helm package charts/${{ matrix.chart }} --version "$version-${{ github.head_ref }}.${GITHUB_SHA::7}"
+          helm push "${{ matrix.chart }}-$version-${{ github.head_ref }}.${GITHUB_SHA::7}.tgz" "oci://ghcr.io/${{ github.repository }}"

.github/workflows/image-build.yaml

@@ -0,0 +1,100 @@
+name: Build Images
+
+on:
+  push:
+    paths:
+      - 'images/**'
+  pull_request:
+    paths:
+      - 'images/**'
+
+jobs:
+  create-matrix:
+    runs-on: ubuntu-latest
+
+    outputs:
+      images: ${{ steps.images.outputs.images }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Create changed images matrix
+        id: images
+        run: |
+          images=$(git diff --merge-base origin/main --name-only | grep ^images/ | cut -d/ -f2 | uniq | sort | jq -R -s -c 'split("\n")[:-1]')
+          echo "images=${images}"
+          echo "images=${images}" >> "$GITHUB_OUTPUT"
+
+  build-images:
+    runs-on: ubuntu-latest
+    needs: create-matrix
+
+    permissions:
+      contents: read
+      packages: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        imageName: ${{ fromJSON(needs.create-matrix.outputs.images) }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: linux/amd64,linux/arm64
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          platforms: linux/amd64,linux/arm64
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Get short SHA
+        id: sha
+        run: |
+          sha=$(echo "${GITHUB_SHA::7}")
+          echo "SHA=$sha"
+          echo "SHA=$sha" >> "$GITHUB_OUTPUT"
+
+      - name: Get version from Dockerfile
+        id: version
+        run: |
+          version=$(head -n 1 images/${{ matrix.imageName }}/Dockerfile | awk -F: '{print $NF}' | awk '{print $1}')
+          echo "VERSION=$version"
+          echo "VERSION=$version" >> "$GITHUB_OUTPUT"
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        if: github.ref == 'refs/heads/main'
+        with:
+          context: 'images/${{ matrix.imageName }}'
+          platforms: linux/amd64,linux/arm64
+          tags: |
+            ghcr.io/${{ github.repository_owner }}/${{ matrix.imageName }}:latest
+            ghcr.io/${{ github.repository_owner }}/${{ matrix.imageName }}:${{ steps.version.outputs.VERSION }}
+          push: true
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        if: github.ref != 'refs/heads/main'
+        with:
+          context: 'images/${{ matrix.imageName }}'
+          platforms: linux/amd64,linux/arm64
+          tags: |
+            ghcr.io/${{ github.repository_owner }}/${{ matrix.imageName }}:${{ steps.version.outputs.VERSION }}-${{ github.head_ref }}.${{ steps.sha.outputs.SHA }}
+          push: true

charts/cyberchef/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/cyberchef/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cyberchef
+version: 1.0.0

charts/cyberchef/README.md

@@ -0,0 +1,16 @@
+# Cyberchef
+
+## How to use
+
+Add repository by running:
+
+```bash
+helm repo add k8s-at-our-home https://k8s-at-our-homes.github.io/helm-charts/
+helm install cyberchef k8s-at-our-home/cyberchef
+```
+
+Or get the chart from ghcr.io:
+
+```bash
+helm install cyberchef oci://ghcr.io/k8s-at-our-homes/helm-charts/cyberchef
+```

charts/cyberchef/templates/_helpers.tpl

@@ -0,0 +1,31 @@
+{{- define "common.name" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.fullname" -}}
+{{- if contains .Chart.Name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "chartName" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.selectorLabels" -}}
+app.kubernetes.io/name: {{ template "common.name" . }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: "cyberchef"
+{{- end -}}
+
+{{- define "common.labels" -}}
+app.kubernetes.io/name: {{ template "common.name" . }}
+helm.sh/chart: {{ include "chartName" . }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/version: {{ .Values.image.tag | quote }}
+app.kubernetes.io/part-of: "cyberchef"
+{{- end -}}

charts/cyberchef/templates/deployment.yaml

@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "common.fullname" . }}
+  labels: {{- include "common.labels" . | nindent 4 }}
+spec:
+  revisionHistoryLimit: 0
+  replicas: {{ .Values.replicas }}
+  selector:
+    matchLabels: {{- include "common.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels: {{- include "common.selectorLabels" . | nindent 8 }}
+    spec:
+      nodeSelector: {{ .Values.nodeSelector | toYaml | nindent 8 }}
+      securityContext: {{ toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: core
+          image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          resources: {{ toYaml .Values.resources | nindent 12 }}
+          securityContext: {{ toYaml .Values.securityContext | nindent 12 }}
+          volumeMounts:
+            - mountPath: /tmp/
+              name: cache
+      volumes:
+        - name: cache
+          emptyDir: {}

charts/cyberchef/templates/ingress.yaml

@@ -0,0 +1,28 @@
+{{ if .Values.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ template "common.fullname" . }}
+  annotations: {{ toYaml .Values.ingress.annotations | nindent 4 }}
+  labels:
+    {{- include "common.labels" . | nindent 4 }}
+spec:
+  ingressClassName: {{ .Values.ingress.class }}
+  rules:
+    - host: {{ .Values.ingress.domain }}
+      http:
+        paths:
+          - backend:
+              service:
+                name: {{ template "common.fullname" . }}
+                port:
+                  number: 8080
+            path: /
+            pathType: Prefix
+  {{- if .Values.ingress.tls.enabled }}
+  tls:
+    - hosts:
+        - {{ .Values.ingress.domain }}
+      secretName: {{ .Values.ingress.tls.secretName }}
+  {{- end }}
+{{ end }}

charts/cyberchef/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "common.fullname" . }}
+  labels:
+    {{- include "common.labels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  ports:
+    - name: http
+      targetPort: 8080
+      port: 8080
+      protocol: TCP
+  selector:
+    {{- include "common.selectorLabels" . | nindent 4 }}

charts/cyberchef/values.yaml

@@ -0,0 +1,38 @@
+replicas: 1
+
+nodeSelector: {}
+
+resources: {}
+#  requests:
+#    memory: 512Mi
+#    cpu: 100m
+#  limits:
+#    memory: 2048Mi
+
+podSecurityContext:
+  runAsUser: 1000
+  runAsGroup: 1000
+  fsGroup: 1000
+  runAsNonRoot: true
+
+securityContext:
+  capabilities:
+    drop: [ "ALL" ]
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+  privileged: false
+
+image:
+  registry: ghcr.io
+  repository: k8s-at-our-homes/cyberchef
+  tag: 10.18.9
+  pullPolicy: IfNotPresent
+
+ingress:
+  enabled: true
+  domain: cyberchef.example.com
+  class:
+  annotations: {}
+  tls:
+    enabled: true
+    secretName:

images/cyberchef/Dockerfile

@@ -0,0 +1,4 @@
+FROM ghcr.io/gchq/cyberchef:10.18.9 AS build
+FROM nginxinc/nginx-unprivileged:1.27.0-alpine3.19 AS run
+
+COPY --from=build /usr/share/nginx/html /usr/share/nginx/html