update chart structure

Author: charlie-haley

charts/marmot/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: marmot
 description: Marmot is an open-source data catalog that helps teams discover, understand, and govern their data assets. It's designed for modern data ecosystems where data flows through multiple systems, formats, and teams.
 type: application
-version: 0.8.0
-appVersion: "0.7.0"
+version: 1.0.0
+appVersion: "0.8.0"
 icon: https://marmotdata.github.io/charts/marmot.png
 home: https://github.com/marmotdata/marmot
 sources:

charts/marmot/templates/NOTES.txt

@@ -22,7 +22,7 @@ To access Marmot:
 
 Default credentials: admin / admin
 
-{{- if and (not .Values.config.server.encryptionKey) (not .Values.config.server.encryptionKeySecretRef) .Values.config.server.autoGenerateEncryptionKey }}
+{{- if and (not .Values.config.server.encryptionKeySecretRef) .Values.config.server.autoGenerateEncryptionKey }}
 
 ═══════════════════════════════════════════════════════════════
 ⚠️  ENCRYPTION KEY AUTO-GENERATED
@@ -47,7 +47,7 @@ The secret will persist even if you uninstall this release.
 ═══════════════════════════════════════════════════════════════
 {{- end }}
 
-{{- if .Values.config.server.allowUnencrypted }}
+{{- if .Values.config.server.allow_unencrypted }}
 
 ═══════════════════════════════════════════════════════════════
 ⚠️  WARNING: ENCRYPTION DISABLED

charts/marmot/templates/configmap.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "marmot.fullname" . }}-config
+  labels:
+    {{- include "marmot.labels" . | nindent 4 }}
+data:
+  config.yaml: |
+    {{- $config := deepCopy .Values.config }}
+    {{- /* Strip secrets and Helm-only keys */}}
+    {{- $_ := unset $config.server "encryptionKeySecretRef" }}
+    {{- $_ := unset $config.server "autoGenerateEncryptionKey" }}
+    {{- $_ := unset $config.database "passwordSecretRef" }}
+    {{- if and (hasKey $config "search") (hasKey $config.search "elasticsearch") }}
+    {{- $_ := unset $config.search.elasticsearch "passwordSecretRef" }}
+    {{- end }}
+    {{- range $name := list "okta" "google" "github" "gitlab" "keycloak" "slack" "auth0" "generic_oidc" }}
+      {{- if hasKey $config.auth $name }}
+        {{- $_ := unset (index $config.auth $name) "clientSecretRef" }}
+      {{- end }}
+    {{- end }}
+    {{- toYaml $config | nindent 4 }}

charts/marmot/templates/deployment.yaml

@@ -1,4 +1,4 @@
-{{- if and (not .Values.config.server.encryptionKey) (not .Values.config.server.encryptionKeySecretRef) .Values.config.server.autoGenerateEncryptionKey }}
+{{- if and (not .Values.config.server.encryptionKeySecretRef) .Values.config.server.autoGenerateEncryptionKey }}
 apiVersion: batch/v1
 kind: Job
 metadata:

charts/marmot/templates/encryption-key-job.yaml

@@ -1,4 +1,4 @@
-{{- if and (not .Values.config.server.encryptionKey) (not .Values.config.server.encryptionKeySecretRef) .Values.config.server.autoGenerateEncryptionKey }}
+{{- if and (not .Values.config.server.encryptionKeySecretRef) .Values.config.server.autoGenerateEncryptionKey }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:

charts/marmot/templates/role.yaml

@@ -1,4 +1,4 @@
-{{- if and (not .Values.config.server.encryptionKey) (not .Values.config.server.encryptionKeySecretRef) .Values.config.server.autoGenerateEncryptionKey }}
+{{- if and (not .Values.config.server.encryptionKeySecretRef) .Values.config.server.autoGenerateEncryptionKey }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:

charts/marmot/templates/rolebinding.yaml

@@ -0,0 +1,122 @@
+suite: test configmap
+templates:
+  - configmap.yaml
+tests:
+  - it: should render a ConfigMap
+    asserts:
+      - isKind:
+          of: ConfigMap
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-marmot-config
+
+  - it: should include config.yaml data key
+    asserts:
+      - isNotNull:
+          path: data["config.yaml"]
+
+  - it: should include default server config
+    asserts:
+      - matchRegex:
+          path: data["config.yaml"]
+          pattern: "port: 8080"
+      - matchRegex:
+          path: data["config.yaml"]
+          pattern: "host: 0\\.0\\.0\\.0"
+
+  - it: should include default logging config
+    asserts:
+      - matchRegex:
+          path: data["config.yaml"]
+          pattern: "level: info"
+      - matchRegex:
+          path: data["config.yaml"]
+          pattern: "format: json"
+
+  - it: should include default database config
+    asserts:
+      - matchRegex:
+          path: data["config.yaml"]
+          pattern: "host: postgresql"
+      - matchRegex:
+          path: data["config.yaml"]
+          pattern: "sslmode: disable"
+
+  - it: should NOT include Helm-only keys in ConfigMap
+    asserts:
+      - notMatchRegex:
+          path: data["config.yaml"]
+          pattern: "encryptionKeySecretRef"
+      - notMatchRegex:
+          path: data["config.yaml"]
+          pattern: "autoGenerateEncryptionKey"
+      - notMatchRegex:
+          path: data["config.yaml"]
+          pattern: "passwordSecretRef"
+      - notMatchRegex:
+          path: data["config.yaml"]
+          pattern: "clientSecretRef"
+
+  - it: should always use raw config.database values (subchart overrides are env vars)
+    set:
+      postgresql.enabled: true
+      postgresql.auth.username: "testuser"
+      postgresql.auth.database: "testdb"
+    asserts:
+      - matchRegex:
+          path: data["config.yaml"]
+          pattern: "host: postgresql"
+      - matchRegex:
+          path: data["config.yaml"]
+          pattern: "user: marmot"
+
+  - it: should include auth provider config without clientSecretRef
+    set:
+      config.auth.okta:
+        enabled: true
+        client_id: "my-client-id"
+        clientSecretRef:
+          name: "okta-secret"
+          key: "client-secret"
+        url: "https://test.okta.com"
+    asserts:
+      - matchRegex:
+          path: data["config.yaml"]
+          pattern: "client_id: my-client-id"
+      - notMatchRegex:
+          path: data["config.yaml"]
+          pattern: "clientSecretRef"
+      - notMatchRegex:
+          path: data["config.yaml"]
+          pattern: "okta-secret"
+
+  - it: should strip elasticsearch passwordSecretRef from ConfigMap
+    set:
+      config.search.elasticsearch:
+        enabled: true
+        addresses:
+          - "http://elasticsearch:9200"
+        username: "elastic"
+        passwordSecretRef:
+          name: "es-secret"
+          key: "password"
+        index: "marmot"
+    asserts:
+      - matchRegex:
+          path: data["config.yaml"]
+          pattern: "username: elastic"
+      - notMatchRegex:
+          path: data["config.yaml"]
+          pattern: "passwordSecretRef"
+      - notMatchRegex:
+          path: data["config.yaml"]
+          pattern: "es-secret"
+
+  - it: should include pipelines config
+    asserts:
+      - matchRegex:
+          path: data["config.yaml"]
+          pattern: "max_workers: 10"
+      - matchRegex:
+          path: data["config.yaml"]
+          pattern: "scheduler_interval: 60"