feat: add Helm chart for Kubernetes deployment #6
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Helm Chart | |
| on: | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - 'helm/**' | |
| - '.github/workflows/helm.yaml' | |
| pull_request: | |
| paths: | |
| - 'helm/**' | |
| - '.github/workflows/helm.yaml' | |
| release: | |
| types: [published] | |
| env: | |
| CHART_DIR: helm | |
| CHART_NAME: tempo-monitor | |
| OCI_REGISTRY: ghcr.io | |
| jobs: | |
| # Lint | |
| lint: | |
| name: Lint Helm chart | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Helm | |
| uses: azure/setup-helm@v4 | |
| with: | |
| version: v3.17.0 | |
| - name: Add Bitnami repo | |
| run: | | |
| helm repo add bitnami https://charts.bitnami.com/bitnami --force-update | |
| helm repo update | |
| - name: Helm lint | |
| run: | | |
| helm lint --strict --set profile=full --set tempo.image=ghcr.io/tempoxyz/tempo:1.4.1 ./helm | |
| # Validate (dry-run install) | |
| validate: | |
| name: Validate Kubernetes install (dry-run) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Helm | |
| uses: azure/setup-helm@v4 | |
| with: | |
| version: v3.17.0 | |
| - name: Create genesis placeholder | |
| run: | | |
| mkdir -p consensus | |
| echo '{"config":{},"genesis_time":"","nonce":"0x0000000000000000","extradata":"","alloc":{},"number":"0","gas_limit":"0","difficulty":"0"}' \ | |
| > consensus/genesis.json | |
| - name: Helm dry-run (consensus profile) | |
| run: | | |
| helm template release-test ./helm \ | |
| --namespace tempo-test \ | |
| --create-namespace \ | |
| --set profile=consensus \ | |
| --set tempo.image=ghcr.io/tempoxyz/tempo:1.4.1 \ | |
| --set validators.count=2 \ | |
| --set rpc.count=1 \ | |
| --set faucet.enabled=true \ | |
| --set monitoring.enabled=false \ | |
| --debug --dry-run=server 2>&1 | head -200 | |
| - name: Helm dry-run (full profile) | |
| run: | | |
| helm template release-test ./helm \ | |
| --namespace tempo-test \ | |
| --create-namespace \ | |
| --set profile=full \ | |
| --set tempo.image=ghcr.io/tempoxyz/tempo:1.4.1 \ | |
| --set validators.count=4 \ | |
| --set rpc.count=2 \ | |
| --set monitoring.enabled=true \ | |
| --debug --dry-run=server 2>&1 | head -200 | |
| # Package | |
| package: | |
| name: Package Helm chart | |
| runs-on: ubuntu-latest | |
| needs: [lint, validate] | |
| outputs: | |
| chart_version: ${{ steps.meta.outputs.version }} | |
| chart_basename: ${{ steps.meta.outputs.basename }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Helm | |
| uses: azure/setup-helm@v4 | |
| with: | |
| version: v3.17.0 | |
| - name: Copy genesis placeholder into chart | |
| run: | | |
| mkdir -p consensus | |
| echo '{"config":{},"genesis_time":"","nonce":"0x0000000000000000","extradata":"","alloc":{},"number":"0","gas_limit":"0","difficulty":"0"}' \ | |
| > consensus/genesis.json | |
| - id: meta | |
| run: | | |
| VERSION=$(helm show chart ./helm/Chart.yaml | grep '^version:' | awk '{print $2}' | xargs) | |
| echo "version=${VERSION}" >> $GITHUB_OUTPUT | |
| echo "basename=tempo-monitor-${VERSION}.tgz" >> $GITHUB_OUTPUT | |
| - name: Helm package | |
| run: | | |
| helm package ./helm/Chart.yaml --destination /tmp/helm-charts/ | |
| ls -la /tmp/helm-charts/ | |
| - name: Upload chart artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ steps.meta.outputs.chart_basename }} | |
| path: /tmp/helm-charts/${{ steps.meta.outputs.chart_basename }} | |
| retention-days: 5 | |
| # Publish to GHCR (on main / release only) | |
| publish: | |
| name: Publish Helm chart to GHCR | |
| runs-on: ubuntu-latest | |
| needs: [package] | |
| permissions: | |
| contents: read | |
| packages: write | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| env: | |
| HELM_EXPERIMENTAL_OCI: 1 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Helm | |
| uses: azure/setup-helm@v4 | |
| with: | |
| version: v3.17.0 | |
| key: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Log in to GHCR | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.OCI_REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Download chart artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: ${{ needs.package.outputs.chart_basename }} | |
| path: /tmp/helm-charts/ | |
| - name: Push chart to GHCR | |
| env: | |
| HELM_EXPERIMENTAL_OCI: 1 | |
| run: | | |
| CHART_REF="${{ env.OCI_REGISTRY }}/${{ github.repository_owner }}/${{ env.CHART_NAME }}" | |
| VERSION="${{ needs.package.outputs.chart_version }}" | |
| FILE="${{ needs.package.outputs.chart_basename }}" | |
| helm chart save /tmp/helm-charts/${FILE} ${CHART_REF}:${VERSION} | |
| helm chart push ${CHART_REF}:${VERSION} | |
| helm chart save /tmp/helm-charts/${FILE} ${CHART_REF}:latest | |
| helm chart push ${CHART_REF}:latest | |
| - name: Show published tags | |
| run: | | |
| CHART_REF="${{ env.OCI_REGISTRY }}/${{ github.repository_owner }}/${{ env.CHART_NAME }}" | |
| VERSION="${{ needs.package.outputs.chart_version }}" | |
| echo "Published: ${CHART_REF}:${VERSION}" | |
| echo "Published: ${CHART_REF}:latest" | |
| # SLSA provenance | |
| provenance: | |
| name: Generate SLSA provenance | |
| runs-on: ubuntu-latest | |
| needs: [publish] | |
| permissions: | |
| actions: read | |
| id-token: write | |
| contents: write | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Download chart artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: ${{ needs.package.outputs.chart_basename }} | |
| path: /tmp/ | |
| - name: Generate SLSA provenance | |
| uses: actions/attest-build-provenance@v2 | |
| with: | |
| subject-name: "${{ env.OCI_REGISTRY }}/${{ github.repository_owner }}/${{ env.CHART_NAME }}" | |
| sha512: ${{ hashFiles('/tmp/*.tgz') }} |