feat: manage BuildConfigs and ImageStreams via chart, wire deployment image triggers

- Add openshift.build values block to configure BuildConfig source, branch,
  webhook secret, and ImageStream ownership
- New buildconfig.yaml template renders pint and freeradius BuildConfigs;
  output tag tracks pint/freeradius image.tag
- New imagestream.yaml template creates the shared pint and freeradius
  ImageStreams when openshift.build.manageImageStream=true (prod only)
- Add image.openshift.io/triggers annotation to both Deployments so OpenShift
  rolls them out automatically on each completed build
- Default image tag to "latest" (was Chart.appVersion); dev overrides to "dev"
- Bump chart version to 0.3.0

Author: mbillow

chart/Chart.yaml

@@ -2,5 +2,5 @@ apiVersion: v2
 name: pint
 description: Pouring IPA for Network Trust - CSH WiFi EAP-TLS enrollment and home RadSec management
 type: application
-version: 0.2.0
+version: 0.3.0
 appVersion: "0.1.0"

chart/templates/_helpers.tpl

@@ -32,7 +32,7 @@ Standard Helm labels / selector labels for the PINT pod.
 {{- define "pint.labels" -}}
 helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{ include "pint.selectorLabels" . }}
-app.kubernetes.io/version: {{ default .Chart.AppVersion .Values.pint.image.tag | quote }}
+app.kubernetes.io/version: {{ .Values.pint.image.tag | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 
@@ -86,7 +86,7 @@ so it always matches these labels exactly.
 {{- define "pint.freeradiusLabels" -}}
 helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{ include "pint.freeradiusSelectorLabels" . }}
-app.kubernetes.io/version: {{ default .Chart.AppVersion .Values.freeradius.image.tag | quote }}
+app.kubernetes.io/version: {{ .Values.freeradius.image.tag | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 
@@ -103,9 +103,9 @@ app.kubernetes.io/name={{ include "pint.freeradiusFullname" . }},app.kubernetes.
 Container image references: tag falls back to Chart.appVersion.
 */}}
 {{- define "pint.image" -}}
-{{ .Values.pint.image.repository }}:{{ default .Chart.AppVersion .Values.pint.image.tag }}
+{{ .Values.pint.image.repository }}:{{ .Values.pint.image.tag }}
 {{- end }}
 
 {{- define "pint.freeradiusImage" -}}
-{{ .Values.freeradius.image.repository }}:{{ default .Chart.AppVersion .Values.freeradius.image.tag }}
+{{ .Values.freeradius.image.repository }}:{{ .Values.freeradius.image.tag }}
 {{- end }}

chart/templates/buildconfig.yaml

@@ -0,0 +1,73 @@
+{{- if .Values.openshift.build.enabled }}
+apiVersion: build.openshift.io/v1
+kind: BuildConfig
+metadata:
+  name: {{ include "pint.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "pint.labels" . | nindent 4 }}
+  annotations:
+    app.openshift.io/vcs-ref: {{ .Values.openshift.build.gitRef | quote }}
+    app.openshift.io/vcs-uri: {{ .Values.openshift.build.gitRepo | quote }}
+spec:
+  output:
+    to:
+      kind: ImageStreamTag
+      name: {{ printf "%s:%s" .Values.openshift.build.imageStreamName .Values.pint.image.tag | quote }}
+  successfulBuildsHistoryLimit: 3
+  failedBuildsHistoryLimit: 2
+  strategy:
+    type: Docker
+    dockerStrategy:
+      dockerfilePath: Dockerfile
+  source:
+    type: Git
+    git:
+      uri: {{ .Values.openshift.build.gitRepo | quote }}
+      ref: {{ .Values.openshift.build.gitRef | quote }}
+    contextDir: /
+  triggers:
+    - type: ConfigChange
+    - type: GitHub
+      github:
+        secretReference:
+          name: {{ .Values.openshift.build.webhookSecret | quote }}
+  runPolicy: Serial
+{{- if .Values.freeradius.enabled }}
+---
+apiVersion: build.openshift.io/v1
+kind: BuildConfig
+metadata:
+  name: {{ include "pint.freeradiusFullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "pint.freeradiusLabels" . | nindent 4 }}
+  annotations:
+    app.openshift.io/vcs-ref: {{ .Values.openshift.build.gitRef | quote }}
+    app.openshift.io/vcs-uri: {{ .Values.openshift.build.gitRepo | quote }}
+spec:
+  output:
+    to:
+      kind: ImageStreamTag
+      name: {{ printf "%s:%s" .Values.openshift.build.freeradiusImageStreamName .Values.freeradius.image.tag | quote }}
+  successfulBuildsHistoryLimit: 3
+  failedBuildsHistoryLimit: 2
+  strategy:
+    type: Docker
+    dockerStrategy:
+      dockerfilePath: Dockerfile
+  source:
+    type: Git
+    git:
+      uri: {{ .Values.openshift.build.gitRepo | quote }}
+      ref: {{ .Values.openshift.build.gitRef | quote }}
+    contextDir: /dev/freeradius
+  triggers:
+    - type: ConfigChange
+    - type: GitHub
+      github:
+        secretReference:
+          name: {{ .Values.openshift.build.webhookSecret | quote }}
+  runPolicy: Serial
+{{- end }}
+{{- end }}

chart/templates/deployment.yaml

@@ -6,6 +6,10 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "pint.labels" . | nindent 4 }}
+  {{- if .Values.openshift.build.enabled }}
+  annotations:
+    image.openshift.io/triggers: '[{"from":{"kind":"ImageStreamTag","name":"{{ .Values.openshift.build.imageStreamName }}:{{ .Values.pint.image.tag }}","namespace":"{{ .Release.Namespace }}"},"fieldPath":"spec.template.spec.containers[?(@.name==\"pint\")].image","paused":"false"}]'
+  {{- end }}
 spec:
   replicas: 1
   selector:

chart/templates/freeradius-deployment.yaml

@@ -6,6 +6,10 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "pint.freeradiusLabels" . | nindent 4 }}
+  {{- if .Values.openshift.build.enabled }}
+  annotations:
+    image.openshift.io/triggers: '[{"from":{"kind":"ImageStreamTag","name":"{{ .Values.openshift.build.freeradiusImageStreamName }}:{{ .Values.freeradius.image.tag }}","namespace":"{{ .Release.Namespace }}"},"fieldPath":"spec.template.spec.containers[?(@.name==\"freeradius\")].image","paused":"false"}]'
+  {{- end }}
 spec:
   replicas: 1
   selector:

chart/templates/imagestream.yaml

@@ -0,0 +1,25 @@
+{{- if and .Values.openshift.build.enabled .Values.openshift.build.manageImageStream }}
+apiVersion: image.openshift.io/v1
+kind: ImageStream
+metadata:
+  name: {{ .Values.openshift.build.imageStreamName }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "pint.labels" . | nindent 4 }}
+spec:
+  lookupPolicy:
+    local: false
+{{- if .Values.freeradius.enabled }}
+---
+apiVersion: image.openshift.io/v1
+kind: ImageStream
+metadata:
+  name: {{ .Values.openshift.build.freeradiusImageStreamName }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "pint.freeradiusLabels" . | nindent 4 }}
+spec:
+  lookupPolicy:
+    local: false
+{{- end }}
+{{- end }}

chart/values.schema.json

@@ -174,7 +174,8 @@
             },
             "tag": {
               "type": "string",
-              "description": "Image tag. Defaults to the chart appVersion."
+              "description": "Image tag.",
+              "default": "latest"
             },
             "pullPolicy": {
               "type": "string",
@@ -218,7 +219,8 @@
             },
             "tag": {
               "type": "string",
-              "description": "Image tag. Defaults to the chart appVersion."
+              "description": "Image tag.",
+              "default": "latest"
             },
             "pullPolicy": {
               "type": "string",
@@ -286,6 +288,46 @@
               "description": "Route hostname. Omit for an auto-assigned hostname."
             }
           }
+        },
+        "build": {
+          "type": "object",
+          "description": "OpenShift BuildConfig and ImageStream management.",
+          "properties": {
+            "enabled": {
+              "type": "boolean",
+              "description": "Create BuildConfigs and wire image-change triggers on the Deployments.",
+              "default": false
+            },
+            "gitRepo": {
+              "type": "string",
+              "description": "Git repository URL for source builds.",
+              "default": "https://github.com/ComputerScienceHouse/pint.git"
+            },
+            "gitRef": {
+              "type": "string",
+              "description": "Git branch or tag to build from (e.g. 'dev' or 'main')."
+            },
+            "webhookSecret": {
+              "type": "string",
+              "description": "Name of the Secret containing the GitHub webhook secret.",
+              "default": "github-webhook-secret"
+            },
+            "manageImageStream": {
+              "type": "boolean",
+              "description": "Create/own the shared ImageStream objects. Set true in exactly one release (typically prod).",
+              "default": false
+            },
+            "imageStreamName": {
+              "type": "string",
+              "description": "Name of the ImageStream for the pint application image.",
+              "default": "pint"
+            },
+            "freeradiusImageStreamName": {
+              "type": "string",
+              "description": "Name of the ImageStream for the freeradius image.",
+              "default": "freeradius"
+            }
+          }
         }
       }
     }

chart/values.yaml

@@ -10,7 +10,7 @@ pint:
   enabled: true
   image:
     repository: pint
-    tag: ""  # defaults to Chart.appVersion
+    tag: "latest"
     pullPolicy: IfNotPresent
 
 # Non-sensitive PINT application configuration rendered into a ConfigMap.
@@ -79,7 +79,7 @@ freeradius:
   enabled: true
   image:
     repository: pint-freeradius
-    tag: ""  # defaults to Chart.appVersion
+    tag: "latest"
     pullPolicy: IfNotPresent
   service:
     type: NodePort
@@ -109,3 +109,20 @@ openshift:
   enabled: false
   route:
     host: ""
+
+  # OpenShift BuildConfig and ImageStream management.
+  # When enabled, the chart creates BuildConfigs that build pint and freeradius
+  # images from source and push them to internal ImageStreamTags.  The Deployments
+  # are annotated so OpenShift rolls them out automatically when a new image lands.
+  build:
+    enabled: false
+    gitRepo: "https://github.com/ComputerScienceHouse/pint.git"
+    gitRef: ""  # branch/tag to build from (e.g. "dev" or "main")
+    webhookSecret: "github-webhook-secret"  # Secret name containing the GitHub webhook secret
+
+    # Set true in exactly one release to own the shared ImageStream objects.
+    # Both dev and prod BuildConfigs push to the same ImageStreams (different tags),
+    # so only one release should create/delete them.
+    manageImageStream: false
+    imageStreamName: "pint"
+    freeradiusImageStreamName: "freeradius"