Helm #5
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Helm Chart CI/CD | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - master | |
| paths: | |
| - 'chart/**' | |
| - '.github/workflows/helm.yml' | |
| pull_request: | |
| branches: | |
| - main | |
| - master | |
| paths: | |
| - 'chart/**' | |
| - '.github/workflows/helm.yml' | |
| workflow_dispatch: | |
| env: | |
| REGISTRY: ghcr.io | |
| HELM_REGISTRY: oci://ghcr.io/flanksource/charts | |
| jobs: | |
| lint-and-test: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Helm | |
| uses: azure/setup-helm@v4 | |
| with: | |
| version: '3.14.0' | |
| - name: Set up chart-testing | |
| uses: helm/chart-testing-action@v2.6.1 | |
| - name: Add Helm repositories | |
| run: | | |
| helm repo add bitnami https://charts.bitnami.com/bitnami | |
| helm repo update | |
| - name: Lint Helm chart | |
| run: | | |
| helm lint chart/ | |
| ct lint --config .github/ct.yaml --charts chart/ | |
| - name: Create kind cluster | |
| uses: helm/kind-action@v1.8.0 | |
| with: | |
| cluster_name: postgres-upgrade-test | |
| - name: Load Docker images | |
| run: | | |
| # Pull the latest PostgreSQL upgrade images for testing | |
| docker pull ghcr.io/flanksource/postgres-upgrade:to-17-latest || echo "Image not found, will use fallback" | |
| - name: Install and test Helm chart | |
| run: | | |
| # Install chart with test values | |
| helm install postgres-upgrade-test chart/ \ | |
| --set postgresql.password=testpassword123 \ | |
| --set image.tag=to-17-latest \ | |
| --set resources.requests.memory=512Mi \ | |
| --set resources.limits.memory=1Gi \ | |
| --wait --timeout=5m | |
| # Wait for PostgreSQL to be ready | |
| kubectl wait --for=condition=ready pod -l app.kubernetes.io/name=postgres-upgrade --timeout=300s | |
| # Run Helm tests | |
| helm test postgres-upgrade-test --timeout=10m | |
| # Check if StatefulSet is ready | |
| kubectl get statefulset | |
| kubectl describe statefulset postgres-upgrade-test | |
| # Check PostgreSQL logs | |
| kubectl logs -l app.kubernetes.io/name=postgres-upgrade --tail=50 | |
| - name: Cleanup | |
| if: always() | |
| run: | | |
| helm uninstall postgres-upgrade-test || true | |
| kubectl delete pvc --all || true | |
| package-and-publish: | |
| needs: lint-and-test | |
| runs-on: ubuntu-latest | |
| if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Helm | |
| uses: azure/setup-helm@v4 | |
| with: | |
| version: '3.14.0' | |
| - name: Log in to Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Package and push Helm chart | |
| run: | | |
| # Package the chart | |
| helm package chart/ --destination .helm-packages/ | |
| # Get the chart version | |
| CHART_VERSION=$(helm show chart chart/ | grep '^version:' | cut -d' ' -f2) | |
| CHART_NAME=$(helm show chart chart/ | grep '^name:' | cut -d' ' -f2) | |
| echo "Packaging $CHART_NAME version $CHART_VERSION" | |
| # Push to OCI registry | |
| helm push .helm-packages/${CHART_NAME}-${CHART_VERSION}.tgz ${{ env.HELM_REGISTRY }} | |
| echo "Successfully pushed $CHART_NAME:$CHART_VERSION to ${{ env.HELM_REGISTRY }}" | |
| security-scan: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Run Checkov | |
| uses: bridgecrewio/checkov-action@master | |
| with: | |
| directory: chart/ | |
| framework: kubernetes | |
| soft_fail: true | |
| output_format: sarif | |
| output_file_path: checkov-results.sarif | |
| - name: Upload Checkov results | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: checkov-results.sarif |