diff --git a/Dockerfile.dapper b/Dockerfile.dapper
index ac4f0e9..0d81129 100644
--- a/Dockerfile.dapper
+++ b/Dockerfile.dapper
@@ -14,6 +14,9 @@ RUN if [ "${ARCH}" == "amd64" ]; then \
 curl -sL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s v1.40.1; \
 fi
+ENV YQ_VERSION=v4.25.1
+RUN wget https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_${ARCH} -O /usr/bin/yq && chmod +x /usr/bin/yq;
+
 COPY --from=helm ./helm/bin/helm /usr/local/bin/
 ENV DAPPER_ENV REPO TAG DRONE_TAG CROSS
diff --git a/charts/example-chart/Chart.yaml b/charts/example-chart/Chart.yaml
index dd7d5a8..82ffe69 100644
--- a/charts/example-chart/Chart.yaml
+++ b/charts/example-chart/Chart.yaml
@@ -8,4 +8,4 @@ annotations:
 catalog.cattle.io/hidden: "true"
 catalog.cattle.io/release-name: example-chart
 catalog.cattle.io/os: linux,windows
- catalog.cattle.io/permits-os: linux,windows
\ No newline at end of file
+ catalog.cattle.io/permits-os: linux,windows
diff --git a/charts/example-chart/README.md b/charts/example-chart/README.md
index eda76af..c25c95c 100644
--- a/charts/example-chart/README.md
+++ b/charts/example-chart/README.md
@@ -2,4 +2,4 @@
 This chart is a dummy chart that is deployed on behalf of the default Helm Project Operator.
-This chart is primarily intended for testing purposes.
\ No newline at end of file
+This chart is primarily intended for testing purposes.
diff --git a/charts/example-chart/questions.yaml b/charts/example-chart/questions.yaml
index 4992816..2464e35 100644
--- a/charts/example-chart/questions.yaml
+++ b/charts/example-chart/questions.yaml
@@ -4,4 +4,4 @@ questions:
 description: My Data
 type: string
 required: true
- group: Data
\ No newline at end of file
+ group: Data
diff --git a/charts/example-chart/templates/configmaps.yaml b/charts/example-chart/templates/configmaps.yaml
index 168a0ef..55336db 100644
--- a/charts/example-chart/templates/configmaps.yaml
+++ b/charts/example-chart/templates/configmaps.yaml
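Review bot: The yq binary fetched by the added `RUN wget …` line in Dockerfile.dapper is written to /usr/bin/yq and made executable with no integrity check; `YQ_VERSION` pins a release tag, not the content served for it. Verify a pinned per-architecture digest before the `chmod`, for example `RUN wget <same URL> -O /usr/bin/yq && echo "${YQ_SHA256}  /usr/bin/yq" | sha256sum -c - && chmod +x /usr/bin/yq`, where `YQ_SHA256` is a placeholder for the value taken from the release's published checksums. The binary is worth the extra step because scripts/validate-chart, added in this same commit, runs it as a CI gate.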
@@ -42,4 +42,4 @@ data:
 cattle-url: |-
 {{ .Values.global.cattle.url | toYaml | indent 4 }}
 cluster-id: |-
-{{ .Values.global.cattle.clusterId | toYaml | indent 4 }}
\ No newline at end of file
+{{ .Values.global.cattle.clusterId | toYaml | indent 4 }}
diff --git a/charts/example-chart/templates/dashboard-values-configmap.yaml b/charts/example-chart/templates/dashboard-values-configmap.yaml
index 4bfccd4..a117a47 100644
--- a/charts/example-chart/templates/dashboard-values-configmap.yaml
+++ b/charts/example-chart/templates/dashboard-values-configmap.yaml
@@ -7,4 +7,4 @@ metadata:
 helm.cattle.io/dashboard-values-configmap: {{ .Release.Name }}
 data:
 data.json: |-
-{{ .Values.data | toJson | indent 4 }}
\ No newline at end of file
+{{ .Values.data | toJson | indent 4 }}
diff --git a/charts/example-chart/values.yaml b/charts/example-chart/values.yaml
index d59e110..c4c2d53 100644
--- a/charts/example-chart/values.yaml
+++ b/charts/example-chart/values.yaml
@@ -31,4 +31,4 @@ global:
 aggregateToDefaultRoles: true
 data:
- hello: world
\ No newline at end of file
+ hello: world
diff --git a/charts/helm-project-operator/Chart.yaml b/charts/helm-project-operator/Chart.yaml
index ffaea38..602da46 100644
--- a/charts/helm-project-operator/Chart.yaml
+++ b/charts/helm-project-operator/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
 name: helm-project-operator
 description: Helm Project Operator
-version: 0.0.3
-appVersion: 0.0.1
+version: 0.1.0
+appVersion: 0.1.0
 annotations:
 catalog.cattle.io/certified: rancher
 catalog.cattle.io/display-name: Helm Project Operator
@@ -10,6 +10,6 @@ annotations:
 catalog.cattle.io/namespace: cattle-helm-system
 catalog.cattle.io/permits-os: linux,windows
 catalog.cattle.io/provides-gvr: helm.cattle.io.projecthelmchart/v1alpha1
- catalog.cattle.io/rancher-version: '>= 2.6.0-0 <=2.6.99-0'
+ catalog.cattle.io/rancher-version: '>= 2.6.0-0'
 catalog.cattle.io/release-name: helm-project-operator
- catalog.cattle.io/os: linux,windows
\ No newline at end of file
+ catalog.cattle.io/os: linux,windows
diff --git a/charts/helm-project-operator/README.md b/charts/helm-project-operator/README.md
index ad46be6..fc1d39e 100644
--- a/charts/helm-project-operator/README.md
+++ b/charts/helm-project-operator/README.md
@@ -74,4 +74,4 @@ By default, the `example-chart` (the underlying chart deployed by Helm Project O
 |`hardenedNamespaces.enabled`| Whether to automatically patch the default ServiceAccount with `automountServiceAccountToken: false` and create a default NetworkPolicy in all managed namespaces in the cluster; the default values ensure that the creation of the namespace does not break a CIS 1.16 hardened scan |
 |`hardenedNamespaces.configuration`| The configuration to be supplied to the default ServiceAccount or auto-generated NetworkPolicy on managing a namespace |
 |`helmController.enabled`| Whether to enable an embedded k3s-io/helm-controller instance within the Helm Project Operator. Should be disabled for RKE2 clusters since RKE2 clusters already run Helm Controller to manage internal Kubernetes components |
-|`helmLocker.enabled`| Whether to enable an embedded rancher/helm-locker instance within the Helm Project Operator. |
\ No newline at end of file
+|`helmLocker.enabled`| Whether to enable an embedded rancher/helm-locker instance within the Helm Project Operator. |
diff --git a/charts/helm-project-operator/app-readme.md b/charts/helm-project-operator/app-readme.md
new file mode 100644
index 0000000..fd55146
--- /dev/null
+++ b/charts/helm-project-operator/app-readme.md
@@ -0,0 +1,20 @@
+# Helm Project Operator
+
+This chart installs the example [Helm Project Operator](https://github.com/rancher/helm-project-operator) onto your cluster.
+
+## Upgrading to Kubernetes v1.25+
+
+Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API.
+
+As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`.
+​
+> **Note:**
+> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`.
+ ​
+> **Note:**
+> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).**
+>
+> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets.
+Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart.
+​
+As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards.
\ No newline at end of file
diff --git a/charts/helm-project-operator/questions.yaml b/charts/helm-project-operator/questions.yaml
index 370dfb5..054361a 100644
--- a/charts/helm-project-operator/questions.yaml
+++ b/charts/helm-project-operator/questions.yaml
@@ -1,4 +1,10 @@
 questions:
+- variable: global.cattle.psp.enabled
+ default: "false"
+ description: "Flag to enable or disable the installation of PodSecurityPolicies by this chart in the target cluster. If the cluster is running Kubernetes 1.25+, you must update this value to false."
+ label: "Enable PodSecurityPolicies"
+ type: boolean
+ group: "Security Settings"
 - variable: helmController.enabled
 label: Enable Embedded Helm Controller
 description: 'Note: If you are running this chart in an RKE2 cluster, this should be disabled.'
@@ -34,4 +40,4 @@ questions:
 type: string
 default: view
 required: false
- group: RBAC
\ No newline at end of file
+ group: RBAC
diff --git a/charts/helm-project-operator/templates/NOTES.txt b/charts/helm-project-operator/templates/NOTES.txt
index aa34aa6..32baeeb 100644
--- a/charts/helm-project-operator/templates/NOTES.txt
+++ b/charts/helm-project-operator/templates/NOTES.txt
@@ -1,3 +1,2 @@
 {{ $.Chart.Name }} has been installed. Check its status by running:
 kubectl --namespace {{ template "helm-project-operator.namespace" . }} get pods -l "release={{ $.Release.Name }}"
-
diff --git a/charts/helm-project-operator/templates/_helpers.tpl b/charts/helm-project-operator/templates/_helpers.tpl
index 104178d..97dd6b3 100644
--- a/charts/helm-project-operator/templates/_helpers.tpl
+++ b/charts/helm-project-operator/templates/_helpers.tpl
@@ -52,7 +52,7 @@ Allow the release namespace to be overridden for multi-namespace deployments in
 {{- end }}
 {{/* Generate basic labels */}}
-{{- define "helm-project-operator.labels" }}
+{{- define "helm-project-operator.labels" -}}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
@@ -63,4 +63,4 @@ heritage: {{ $.Release.Service | quote }}
 {{- if .Values.commonLabels}}
 {{ toYaml .Values.commonLabels }}
 {{- end }}
-{{- end }}
+{{- end -}}
diff --git a/charts/helm-project-operator/templates/cleanup.yaml b/charts/helm-project-operator/templates/cleanup.yaml
index 4c5967e..9867564 100644
--- a/charts/helm-project-operator/templates/cleanup.yaml
+++ b/charts/helm-project-operator/templates/cleanup.yaml
@@ -16,13 +16,13 @@ spec:
 app: {{ template "helm-project-operator.name" . }}
 spec:
 serviceAccountName: {{ template "helm-project-operator.name" . }}
- securityContext:
- runAsNonRoot: false
- runAsUser: 0
+{{- if .Values.cleanup.securityContext }}
+ securityContext: {{ toYaml .Values.cleanup.securityContext | nindent 8 }}
+{{- end }}
 initContainers:
 - name: add-cleanup-annotations
 image: {{ template "system_default_registry" . }}{{ .Values.cleanup.image.repository }}:{{ .Values.cleanup.image.tag }}
- imagePullPolicy: IfNotPresent
+ imagePullPolicy: "{{ .Values.image.pullPolicy }}"
 command:
 - /bin/sh
 - -c
@@ -42,6 +42,12 @@ spec:
 kubectl label projecthelmcharts -n ${namespace} ${projectHelmChart} helm.cattle.io/helm-project-operator-cleanup=true --overwrite;
 done;
 done;
+{{- if .Values.cleanup.resources }}
+ resources: {{ toYaml .Values.cleanup.resources | nindent 12 }}
+{{- end }}
+{{- if .Values.cleanup.containerSecurityContext }}
+ securityContext: {{ toYaml .Values.cleanup.containerSecurityContext | nindent 12 }}
+{{- end }}
 containers:
 - name: ensure-subresources-deleted
 image: {{ template "system_default_registry" . }}{{ .Values.cleanup.image.repository }}:{{ .Values.cleanup.image.tag }}
@@ -59,6 +65,12 @@ spec:
 sleep 3;
 done;
 echo "Successfully deleted all HelmCharts and HelmReleases in ${SYSTEM_NAMESPACE}!";
+{{- if .Values.cleanup.resources }}
+ resources: {{ toYaml .Values.cleanup.resources | nindent 12 }}
+{{- end }}
+{{- if .Values.cleanup.containerSecurityContext }}
+ securityContext: {{ toYaml .Values.cleanup.containerSecurityContext | nindent 12 }}
+{{- end }}
 restartPolicy: OnFailure
 nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
 {{- if .Values.cleanup.nodeSelector }}
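Review bot: The new `imagePullPolicy: "{{ .Values.image.pullPolicy }}"` on the add-cleanup-annotations init container (first cleanup.yaml hunk) reads the operator image's policy, while this commit adds a dedicated `cleanup.image.pullPolicy` to values.yaml that nothing visible here consumes. Use `imagePullPolicy: "{{ .Values.cleanup.image.pullPolicy }}"` so the rancher/shell image follows its own setting. The pull-policy line of the ensure-subresources-deleted container falls outside the hunks, so it should be checked for the same mix-up.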
diff --git a/charts/helm-project-operator/templates/deployment.yaml b/charts/helm-project-operator/templates/deployment.yaml
index 4fe0e98..c730980 100644
--- a/charts/helm-project-operator/templates/deployment.yaml
+++ b/charts/helm-project-operator/templates/deployment.yaml
@@ -99,13 +99,16 @@ spec:
 value: {{ .Values.valuesOverride | toYaml | sha256sum }}
 {{- if .Values.resources }}
 resources: {{ toYaml .Values.resources | nindent 12 }}
+{{- end }}
+{{- if .Values.containerSecurityContext }}
+ securityContext: {{ toYaml .Values.containerSecurityContext | nindent 12 }}
 {{- end }}
 volumeMounts:
 - name: config
 mountPath: "/etc/helmprojectoperator/config"
 serviceAccountName: {{ template "helm-project-operator.name" . }}
 {{- if .Values.securityContext }}
- securityContext: {{ toYaml .Values.securityContext | indent 8 }}
+ securityContext: {{ toYaml .Values.securityContext | nindent 8 }}
 {{- end }}
 nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
 {{- if .Values.nodeSelector }}
@@ -118,4 +121,4 @@ spec:
 volumes:
 - name: config
 configMap:
- name: {{ template "helm-project-operator.name" . }}-config
\ No newline at end of file
+ name: {{ template "helm-project-operator.name" . }}-config
diff --git a/charts/helm-project-operator/templates/psp.yaml b/charts/helm-project-operator/templates/psp.yaml
index c733329..73dcc45 100644
--- a/charts/helm-project-operator/templates/psp.yaml
+++ b/charts/helm-project-operator/templates/psp.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.global.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicies") }}
+{{- if .Values.global.cattle.psp.enabled }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
diff --git a/charts/helm-project-operator/templates/rbac.yaml b/charts/helm-project-operator/templates/rbac.yaml
index 56cb364..b1c4092 100644
--- a/charts/helm-project-operator/templates/rbac.yaml
+++ b/charts/helm-project-operator/templates/rbac.yaml
@@ -8,9 +8,6 @@ roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
 name: "cluster-admin" # see note below
- # apiGroup: rbac.authorization.k8s.io
- # kind: ClusterRole
- # name: {{ template "helm-project-operator.name" . }}
 subjects:
 - kind: ServiceAccount
 name: {{ template "helm-project-operator.name" . }}
@@ -31,93 +28,5 @@ imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 2 }}
 # As of now, due to the fact that the k3s-io/helm-controller can only deploy jobs that are cluster-bound to the cluster-admin
 # ClusterRole, the only way for this operator to be able to perform that binding is if it is also bound to the cluster-admin ClusterRole.
 #
-# As a result, this ClusterRole will be left as a work-in-progress until changes are made in k3s-io/helm-controller to allow us to grant
+# As a result, this ClusterRoleBinding will be left as a work-in-progress until changes are made in k3s-io/helm-controller to allow us to grant
 # only scoped down permissions to the Job that is deployed.
-#
-# apiVersion: rbac.authorization.k8s.io/v1
-# kind: ClusterRole
-# metadata:
-# name: {{ template "helm-project-operator.name" . }}
-# labels: {{ include "helm-project-operator.labels" . | nindent 4 }}
-# app: {{ template "helm-project-operator.name" . }}
-# rules:
-# # Helm Project Operator
-# - apiGroups:
-# - helm.cattle.io
-# resources:
-# - projecthelmcharts
-# - projecthelmcharts/status
-# verbs:
-# - "*"
-# - apiGroups:
-# - ""
-# resources:
-# - namespaces
-# verbs:
-# - create
-# - get
-# - list
-# - watch
-# - update
-# - patch
-# # Helm Controller
-# - apiGroups:
-# - helm.cattle.io
-# resources:
-# - helmcharts
-# - helmcharts/status
-# - helmchartconfigs
-# - helmchartconfigs/status
-# verbs:
-# - "*"
-# - apiGroups:
-# - batch
-# resources:
-# - jobs
-# verbs:
-# - "*"
-# - apiGroups:
-# - ""
-# resources:
-# - serviceaccounts
-# verbs:
-# - "*"
-# - apiGroups:
-# - rbac.authorization.k8s.io
-# resources:
-# - clusterrolebindings
-# verbs:
-# - "*"
-# # Helm Locker
-# - apiGroups:
-# - helm.cattle.io
-# resources:
-# - helmreleases
-# - helmreleases/status
-# verbs:
-# - "*"
-# - apiGroups:
-# - ""
-# resources:
-# - secrets
-# verbs:
-# - create
-# - get
-# - list
-# - watch
-# - update
-# - patch
-# # Common
-# - apiGroups:
-# - ""
-# resources:
-# - configmaps
-# verbs:
-# - "*"
-# - apiGroups:
-# - ""
-# - events.k8s.io
-# resources:
-# - events
-# verbs:
-# - "*"
diff --git a/charts/helm-project-operator/templates/system-namespaces-configmap.yaml b/charts/helm-project-operator/templates/system-namespaces-configmap.yaml
index ebfe336..f4c8525 100644
--- a/charts/helm-project-operator/templates/system-namespaces-configmap.yaml
+++ b/charts/helm-project-operator/templates/system-namespaces-configmap.yaml
@@ -59,4 +59,4 @@ roleRef:
 name: {{ template "helm-project-operator.name" . }}-system-namespaces
 subjects: {{ .Values.systemNamespacesConfigMap.rbac.subjects | toYaml | nindent 2 }}
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/helm-project-operator/templates/validate-psp-install.yaml b/charts/helm-project-operator/templates/validate-psp-install.yaml
new file mode 100644
index 0000000..a30c59d
--- /dev/null
+++ b/charts/helm-project-operator/templates/validate-psp-install.yaml
@@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.global.cattle.psp.enabled }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}
diff --git a/charts/helm-project-operator/values.yaml b/charts/helm-project-operator/values.yaml
index 62a2854..8505cd0 100644
--- a/charts/helm-project-operator/values.yaml
+++ b/charts/helm-project-operator/values.yaml
@@ -7,6 +7,8 @@ global:
 cattle:
 clusterId: ""
+ psp:
+ enabled: false
 projectLabel: field.cattle.io/projectId
 systemDefaultRegistry: ""
 systemProjectId: ""
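Review bot: Every line of the new validate-psp-install.yaml starts with `#`, which reads as if the check were switched off, yet Helm still evaluates template actions that sit inside YAML comments, so the `fail` is live; nothing in the file says so. Add a template comment at the top, for example `{{- /* The leading '#' only affects the rendered YAML; the directives below are still evaluated by Helm. */ -}}`. The same comment should state that `lookup` returns an empty result under `helm template` and `--dry-run`, so the outer `if` skips the whole check there and psp.yaml, which no longer tests `.Capabilities` itself, still renders a `policy/v1beta1` object when `global.cattle.psp.enabled` is true.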
@@ -22,7 +24,6 @@ global:
 ## Aggregate default user ClusterRoles into default k8s ClusterRoles
 aggregateToDefaultRoles: true
- pspEnabled: true
 pspAnnotations: {}
 ## Specify pod annotations
 ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor
@@ -127,7 +128,7 @@ namespaceOverride: ""
 image:
 repository: rancher/helm-project-operator
- tag: v0.0.3
+ tag: v0.1.0
 pullPolicy: IfNotPresent
 helmController:
@@ -167,10 +168,20 @@ resources: {}
 # memory: 100Mi
 # cpu: 100m
-securityContext: {}
+containerSecurityContext: {}
 # allowPrivilegeEscalation: false
+ # capabilities:
+ # drop:
+ # - ALL
+ # privileged: false
 # readOnlyRootFilesystem: true
+securityContext: {}
+ # runAsGroup: 1000
+ # runAsUser: 1000
+ # supplementalGroups:
+ # - 1000
+
 debug: false
 debugLevel: 0
@@ -178,7 +189,38 @@ cleanup:
 image:
 repository: rancher/shell
 tag: v0.1.19-rc8
+ pullPolicy: IfNotPresent
+ ## Define which Nodes the Pods are scheduled on.
+ ## ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ##
 nodeSelector: {}
+ ## Tolerations for use with node taints
+ ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ ##
 tolerations: []
+ # - key: "key"
+ # operator: "Equal"
+ # value: "value"
+ # effect: "NoSchedule"
+
+ containerSecurityContext: {}
+ # allowPrivilegeEscalation: false
+ # capabilities:
+ # drop:
+ # - ALL
+ # privileged: false
+ # readOnlyRootFilesystem: true
+
+ securityContext:
+ runAsNonRoot: false
+ runAsUser: 0
+
+ resources: {}
+ # limits:
+ # memory: 500Mi
+ # cpu: 1000m
+ # requests:
+ # memory: 100Mi
+ # cpu: 100m
diff --git a/crds/crd-helmchartconfigs.yaml b/crds/crd-helmchartconfigs.yaml
index 4fdf613..33165da 100644
--- a/crds/crd-helmchartconfigs.yaml
+++ b/crds/crd-helmchartconfigs.yaml
@@ -27,5 +27,3 @@ spec:
 type: object
 served: true
 storage: true
- subresources:
- status: {}
diff --git a/crds/crd-helmcharts.yaml b/crds/crd-helmcharts.yaml
index db81d17..b0c232b 100644
--- a/crds/crd-helmcharts.yaml
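Review bot: The cleanup defaults added in the last values.yaml hunk keep `runAsUser: 0` with `runAsNonRoot: false` and leave `cleanup.containerSecurityContext` as `{}`, so the hardening listed in the comments is opt-in; the top-level `containerSecurityContext: {}` in the `@@ -167,10 +168,20 @@` hunk has the same shape. The cleanup Job runs under the operator's ServiceAccount (cleanup.yaml), which rbac.yaml binds to `cluster-admin`, so these are the pods where restrictive defaults matter most. Consider shipping `allowPrivilegeEscalation: false` and the `capabilities.drop: [ALL]` entries uncommented as the default for both keys. Whether the rancher/shell image can also run as a non-root user is not visible here and would need a test before changing `runAsUser`.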
+++ b/crds/crd-helmcharts.yaml
@@ -12,34 +12,27 @@ spec:
 scope: Namespaced
 versions:
 - additionalPrinterColumns:
- - description: Job associated with updates to this chart
- jsonPath: .status.jobName
+ - jsonPath: .status.jobName
 name: Job
 type: string
- - description: Helm Chart name
- jsonPath: .spec.chart
+ - jsonPath: .spec.chart
 name: Chart
 type: string
- - description: Helm Chart target namespace
- jsonPath: .spec.targetNamespace
- name: Target Namespace
+ - jsonPath: .spec.targetNamespace
+ name: TargetNamespace
 type: string
- - description: Helm Chart version
- jsonPath: .spec.version
+ - jsonPath: .spec.version
 name: Version
 type: string
- - description: Helm Chart repository URL
- jsonPath: .spec.repo
+ - jsonPath: .spec.repo
 name: Repo
 type: string
- - description: Helm version used to manage the selected chart
- jsonPath: .spec.helmVersion
- name: Helm Version
+ - jsonPath: .spec.helmVersion
+ name: HelmVersion
 type: string
- - description: True if this is chart is needed to bootstrap the cluste
- jsonPath: .spec.bootstrap
+ - jsonPath: .spec.bootstrap
 name: Bootstrap
- type: boolean
+ type: string
 name: v1
 schema:
 openAPIV3Schema:
@@ -97,5 +90,3 @@ spec:
 type: object
 served: true
 storage: true
- subresources:
- status: {}
diff --git a/go.mod b/go.mod
index 5ae91de..dcf42c8 100644
--- a/go.mod
+++ b/go.mod
@@ -3,9 +3,6 @@ module github.com/rancher/helm-project-operator
 go 1.17
 replace (
- // temporary until PR gets merged
- github.com/k3s-io/helm-controller => github.com/aiyengar2/helm-controller v0.0.0-20220507022807-c1867182d515
-
 k8s.io/api => k8s.io/api v0.22.3
 k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.22.3
 k8s.io/apimachinery => k8s.io/apimachinery v0.22.3
@@ -14,7 +11,7 @@ replace (
 )
 require (
- github.com/k3s-io/helm-controller v0.12.0
+ github.com/k3s-io/helm-controller v0.13.1
 github.com/rancher/helm-locker v0.0.0-20220511204622-3b216418e2f4
 github.com/rancher/lasso v0.0.0-20220303220127-8cf5555ec03c
 github.com/rancher/wrangler v0.8.11-0.20220217210408-3ecd23dfea3b
diff --git a/go.sum b/go.sum
index 3f7a320..13391a1 100644
--- a/go.sum
+++ b/go.sum
@@ -115,8 +115,6 @@ github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdko github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ= github.com/agnivade/levenshtein v1.0.1/go.mod h1:CURSv5d9Uaml+FovSIICkLbAUZ9S4RqaHDIsdSBg7lM= -github.com/aiyengar2/helm-controller v0.0.0-20220507022807-c1867182d515 h1:qqf2+6FaazSL+dA8+/LYwkht/ulSm1ZrKUXagq/o8IE= -github.com/aiyengar2/helm-controller v0.0.0-20220507022807-c1867182d515/go.mod h1:ZmIZBP7FigARnQfS7da0X6hPQEqYdmbOl5V/e397ZLc= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
@@ -691,6 +689,8 @@ github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/X github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= +github.com/k3s-io/helm-controller v0.13.1 h1:eG2yZ0QzbtcfMe8GpTVtRtP6HgMDO/Pr9Q1EGbMKKCA= +github.com/k3s-io/helm-controller v0.13.1/go.mod h1:f8aOuHQDpkshmUK/GiE+jJCJkUL8vp+EzCjV0uCFcsY= github.com/karrick/godirwalk v1.15.8 h1:7+rWAZPn9zuRxaIqqT8Ohs2Q2Ac0msBqwRdxNCr2VVs= github.com/karrick/godirwalk v1.15.8/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk= github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
diff --git a/scripts/ci b/scripts/ci
index 5233410..2df510e 100755
--- a/scripts/ci
+++ b/scripts/ci
@@ -7,4 +7,5 @@ cd $(dirname $0)
 ./test
 ./validate
 ./validate-ci
+./validate-chart
 ./package
diff --git a/scripts/validate-chart b/scripts/validate-chart
new file mode 100755
index 0000000..120e808
--- /dev/null
+++ b/scripts/validate-chart
@@ -0,0 +1,12 @@
+#!/bin/bash
+set -e
+
+cd $(dirname $0)/..
+
+app_version=$(yq e '.appVersion' charts/helm-project-operator/Chart.yaml)
+image_tag=$(yq e '.image.tag' charts/helm-project-operator/values.yaml)
+
+if [[ "${image_tag}" != "v${app_version}" ]]; then
+ echo "ERROR: .image.tag in charts/helm-project-operator/values.yaml (found: ${image_tag}) must match appVersion in charts/helm-project-operator/Chart.yaml (found ${app_version})"
+ exit 1
+fi
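Review bot: `cd $(dirname $0)/..` in the new scripts/validate-chart is unquoted, so a checkout path containing whitespace is word-split and the `cd` fails or lands in the wrong directory before the two `yq` reads. Quote it as `cd "$(dirname "$0")/.."`. The script also has no header comment, and one line such as `# Fails CI when values.yaml .image.tag is not "v" + Chart.yaml appVersion` would tell a maintainer what the gate enforces.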