3 changes: 2 additions & 1 deletion .dockerignore
@@ -1,6 +1,6 @@
# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
#
# Generated on 2025-08-14T09:17:18Z by kres 9f63e23-dirty.
# Generated on 2026-01-30T10:07:13Z by kres d81080ef-dirty.

*
!cmd
Expand All @@ -11,3 +11,4 @@
!README.md
!.markdownlint.json
!hack/govulncheck.sh
!test/test-helm-chart
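--- a/.github/workflows/helm.yaml
+++ b/.github/workflows/helm.yaml
@@ -0,0 +1,119 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2026-01-30T10:33:51Z by kres ae0b9fab-dirty.
+
+concurrency:
+group: helm-${{ github.head_ref || github.run_id }}
+cancel-in-progress: true
+"on":
+push:
+tags:
+- v*
+pull_request:
+branches:
+- main
+- release-*
+paths:
+- test/**
+name: helm
+jobs:
+default:
+permissions:
+actions: read
+contents: write
+id-token: write
+issues: read
+packages: write
+pull-requests: read
+runs-on:
+group: generic
+steps:
+- name: gather-system-info
+id: system-info
+uses: kenchan0130/actions-system-info@59699597e84e80085a750998045983daa49274c4 # version: v1.4.0
+continue-on-error: true
+- name: print-system-info
+run: |
+MEMORY_GB=$((${{ steps.system-info.outputs.totalmem }}/1024/1024/1024))
+
+OUTPUTS=(
+"CPU Core: ${{ steps.system-info.outputs.cpu-core }}"
+"CPU Model: ${{ steps.system-info.outputs.cpu-model }}"
+"Hostname: ${{ steps.system-info.outputs.hostname }}"
+"NodeName: ${NODE_NAME}"
+"Kernel release: ${{ steps.system-info.outputs.kernel-release }}"
+"Kernel version: ${{ steps.system-info.outputs.kernel-version }}"
+"Name: ${{ steps.system-info.outputs.name }}"
+"Platform: ${{ steps.system-info.outputs.platform }}"
+"Release: ${{ steps.system-info.outputs.release }}"
+"Total memory: ${MEMORY_GB} GB"
+)
+
+for OUTPUT in "${OUTPUTS[@]}";do
+echo "${OUTPUT}"
+done
+continue-on-error: true
+- name: checkout
+uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # version: v6.0.1
+- name: Unshallow
+run: |
+git fetch --prune --unshallow
+- name: Set up Docker Buildx
+id: setup-buildx
+uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # version: v3.12.0
+with:
+driver: remote
+endpoint: tcp://buildkit-amd64.ci.svc.cluster.local:1234
+timeout-minutes: 10
+- name: Install Helm
+uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # version: v4.3.1
+- name: Install cosign
+if: github.event_name != 'pull_request'
+uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # version: v4.0.0
+- name: Login to registry
+if: github.event_name != 'pull_request'
+uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # version: v3.6.0
+with:
+password: ${{ secrets.GITHUB_TOKEN }}
+registry: ghcr.io
+username: ${{ github.repository_owner }}
+- name: Lint chart
+if: github.event_name == 'pull_request'
+run: |
+helm lint test/test-helm-chart
+- name: Template chart
+if: github.event_name == 'pull_request'
+run: |
+helm template -f test/test-helm-chart/ci-values.yaml test-helm-chart test/test-helm-chart
+- name: Install unit test plugin
+if: github.event_name == 'pull_request'
+run: |
+make helm-plugin-install
+- name: Unit test chart
+if: github.event_name == 'pull_request'
+run: |
+make chart-unittest
+- name: Generate schema
+if: github.event_name == 'pull_request'
+run: |
+make chart-gen-schema
+- name: Generate docs
+if: github.event_name == 'pull_request'
+run: |
+make helm-docs
+- name: Check dirty
+if: github.event_name == 'pull_request'
+run: |
+make check-dirty
+- name: helm login
+if: startsWith(github.ref, 'refs/tags/')
+env:
+HELM_CONFIG_HOME: /var/tmp/.config/helm
+run: |
+helm registry login -u ${{ github.repository_owner }} -p ${{ secrets.GITHUB_TOKEN }} ghcr.io
+- name: Release chart
+if: startsWith(github.ref, 'refs/tags/')
+env:
+HELM_CONFIG_HOME: /var/tmp/.config/helm
+run: |
+make helm-release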
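--- a/.kres.yaml
+++ b/.kres.yaml
@@ -91,3 +91,11 @@ spec:
 matchDatasources:
 - docker
 allowedVersions: /^24\.\d+\.\d+-alpine$/
+---
+kind: auto.Helm
+spec:
+enabled: true
+chartDir: test/test-helm-chart
+template:
+valuesFiles:
+- test/test-helm-chart/ci-values.yaml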
18 changes: 17 additions & 1 deletion Dockerfile
Expand Up @@ -2,10 +2,16 @@

# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
#
# Generated on 2026-01-16T08:46:36Z by kres 6f7b97a-dirty.
# Generated on 2026-01-30T10:46:03Z by kres 7e95617c-dirty.

ARG TOOLCHAIN=scratch

# helm toolchain
FROM --platform=${BUILDPLATFORM} ${TOOLCHAIN} AS helm-toolchain
ARG HELMDOCS_VERSION
RUN --mount=type=cache,target=/root/.cache/go-build,id=kres/root/.cache/go-build --mount=type=cache,target=/go/pkg,id=kres/go/pkg go install github.com/norwoodj/helm-docs/cmd/helm-docs@${HELMDOCS_VERSION} \
&& mv /go/bin/helm-docs /bin/helm-docs

FROM ghcr.io/siderolabs/ca-certificates:v1.12.0 AS image-ca-certificates

FROM ghcr.io/siderolabs/fhs:v1.12.0 AS image-fhs
Expand All @@ -22,6 +28,12 @@ RUN bunx markdownlint --ignore "CHANGELOG.md" --ignore "**/node_modules/**" --ig
FROM --platform=${BUILDPLATFORM} ${TOOLCHAIN} AS toolchain
RUN apk --update --no-cache add bash build-base curl jq protoc protobuf-dev

# runs helm-docs
FROM helm-toolchain AS helm-docs-run
WORKDIR /src
COPY test/test-helm-chart /src/test/test-helm-chart
RUN --mount=type=cache,target=/root/.cache/go-build,id=kres/root/.cache/go-build --mount=type=cache,target=/root/.cache/helm-docs,id=kres/root/.cache/helm-docs,sharing=locked helm-docs --badge-style=flat

# build tools
FROM --platform=${BUILDPLATFORM} toolchain AS tools
ENV GO111MODULE=on
Expand All @@ -44,6 +56,10 @@ ARG GOFUMPT_VERSION
RUN go install mvdan.cc/gofumpt@${GOFUMPT_VERSION} \
&& mv /go/bin/gofumpt /bin/gofumpt

# clean helm-docs output
FROM scratch AS helm-docs
COPY --from=helm-docs-run /src/test/test-helm-chart test/test-helm-chart

# tools and sources
FROM tools AS base
WORKDIR /src
47 changes: 45 additions & 2 deletions Makefile
@@ -1,6 +1,6 @@
# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
#
# Generated on 2026-01-28T15:12:29Z by kres edff623.
# Generated on 2026-01-30T11:12:05Z by kres e27c601c-dirty.

# common variables

Expand Down Expand Up @@ -36,6 +36,9 @@ GOTOOLCHAIN ?= local
GOEXPERIMENT ?=
GO_BUILDFLAGS += -tags $(GO_BUILDTAGS)
TESTPKGS ?= ./...
HELMREPO ?= $(REGISTRY)/$(USERNAME)/charts
COSIGN_ARGS ?=
HELMDOCS_VERSION ?= v1.14.2
KRES_IMAGE ?= ghcr.io/siderolabs/kres:latest
CONFORMANCE_IMAGE ?= ghcr.io/siderolabs/conform:latest

Expand Down Expand Up @@ -76,6 +79,7 @@ COMMON_ARGS += --build-arg=DEEPCOPY_VERSION="$(DEEPCOPY_VERSION)"
COMMON_ARGS += --build-arg=GOLANGCILINT_VERSION="$(GOLANGCILINT_VERSION)"
COMMON_ARGS += --build-arg=GOFUMPT_VERSION="$(GOFUMPT_VERSION)"
COMMON_ARGS += --build-arg=TESTPKGS="$(TESTPKGS)"
COMMON_ARGS += --build-arg=HELMDOCS_VERSION="$(HELMDOCS_VERSION)"
TOOLCHAIN ?= docker.io/golang:1.25-alpine

# help menu
Expand Down Expand Up @@ -144,7 +148,7 @@ else
GO_LDFLAGS += -s
endif

all: unit-tests kres image-kres lint
all: unit-tests kres image-kres helm lint

$(ARTIFACTS): ## Creates artifacts directory.
@mkdir -p $(ARTIFACTS)
Expand Down Expand Up @@ -177,6 +181,7 @@ check-dirty:

generate: ## Generate .proto definitions.
@$(MAKE) local-$@ DEST=./
@sed -i "s/appVersion: .*/appVersion: \"$$(cat internal/version/data/tag)\"/" test/test-helm-chart/Chart.yaml

lint-golangci-lint: ## Runs golangci-lint linter.
@$(MAKE) target-$@
Expand Down Expand Up @@ -255,6 +260,44 @@ lint-fmt: lint-golangci-lint-fmt ## Run all linter formatters and fix up the so
image-kres: ## Builds image for kres.
@$(MAKE) registry-$@ IMAGE_NAME="kres"

.PHONY: helm
helm: $(ARTIFACTS) ## Package helm chart
@helm package test/test-helm-chart -d $(ARTIFACTS)

.PHONY: helm-release
helm-release: helm ## Release helm chart
@helm push $(ARTIFACTS)/test-helm-chart-*.tgz oci://$(HELMREPO) 2>&1 | tee $(ARTIFACTS)/.digest
@cosign sign --yes $(COSIGN_ARGS) $(HELMREPO)/test-helm-chart@$$(cat $(ARTIFACTS)/.digest | awk -F "[, ]+" '/Digest/{print $$NF}')

.PHONY: chart-lint
chart-lint: ## Lint helm chart
@helm lint test/test-helm-chart

.PHONY: helm-plugin-install
helm-plugin-install: ## Install helm plugins
-helm plugin install https://github.com/helm-unittest/helm-unittest.git --verify=false --version=v1.0.3
-helm plugin install https://github.com/losisin/helm-values-schema-json.git --verify=false --version=v2.3.1
Comment on lines +278 to +279

Copilot AI Jan 30, 2026
The helm plugin install commands here download and execute third-party Helm plugins directly from GitHub using a mutable tag and --verify=false, which creates a supply chain risk if the upstream repositories or tags are compromised. An attacker controlling https://github.com/helm-unittest/helm-unittest.git or https://github.com/losisin/helm-values-schema-json.git at the specified versions could execute arbitrary code in your CI or developer environment (with access to kubeconfig, registry credentials, etc.). To reduce this risk, pin these plugins to immutable identifiers (e.g., specific commit SHAs or verified release artifacts) and enable integrity verification or vendor them into a trusted location instead of installing from a mutable remote Git repo.
Member Author
thanks for your opinion


.PHONY: kuttl-plugin-install
kuttl-plugin-install: ## Install kubectl kuttl plugin
kubectl krew install kuttl

.PHONY: chart-e2e
chart-e2e: ## Run helm chart e2e tests
export KUBECONFIG=$(shell pwd)/$(ARTIFACTS)/kubeconfig && cd test/e2e && kubectl kuttl test

.PHONY: chart-unittest
chart-unittest: $(ARTIFACTS) ## Run helm chart unit tests
@helm unittest test/test-helm-chart --output-type junit --output-file $(ARTIFACTS)/helm-unittest-report.xml

.PHONY: chart-gen-schema
chart-gen-schema: ## Generate helm chart schema
@helm schema --use-helm-docs --draft=7 --indent=2 --values=test/test-helm-chart/values.yaml --output=test/test-helm-chart/values.schema.json

.PHONY: helm-docs
helm-docs: ## Runs helm-docs and generates chart documentation
@$(MAKE) local-$@ DEST=.

.PHONY: rekres
rekres:
@docker pull $(KRES_IMAGE)
31 changes: 18 additions & 13 deletions internal/output/ghworkflow/gh_workflow.go
Expand Up @@ -481,23 +481,28 @@ func DefaultJobPermissions() map[string]string {
}
}

// SetupBuildxStep returns the buildx setup step.
func SetupBuildxStep() *JobStep {
return &JobStep{
Name: "Set up Docker Buildx",
ID: "setup-buildx",
Uses: ActionRef{
Image: "docker/setup-buildx-action@" + config.SetupBuildxActionRef,
Comment: "version: " + config.SetupBuildxActionVersion,
},
With: map[string]string{
"driver": "remote",
"endpoint": "tcp://buildkit-amd64.ci.svc.cluster.local:1234",
},
TimeoutMinutes: 10,
}
}

// DefaultSteps returns default steps for the workflow.
func DefaultSteps() []*JobStep {
return append(
CommonSteps(),
&JobStep{
Name: "Set up Docker Buildx",
ID: "setup-buildx",
Uses: ActionRef{
Image: "docker/setup-buildx-action@" + config.SetupBuildxActionRef,
Comment: "version: " + config.SetupBuildxActionVersion,
},
With: map[string]string{
"driver": "remote",
"endpoint": "tcp://buildkit-amd64.ci.svc.cluster.local:1234",
},
TimeoutMinutes: 10,
},
SetupBuildxStep(),
)
}
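Review bot: The buildkit address `tcp://buildkit-amd64.ci.svc.cluster.local:1234` inside SetupBuildxStep is a bare string literal while the action ref next to it is read from `config.SetupBuildxActionRef`; now that the step is reused by two generators (DefaultSteps here and the helm workflow in build.go), a named constant such as `const buildkitRemoteEndpoint = "tcp://buildkit-amd64.ci.svc.cluster.local:1234"` would keep them from drifting if the CI endpoint ever changes. The doc comment could also state that each call builds a fresh step, since `With` is a new map literal on every invocation and callers may therefore add keys without affecting other workflows: `// SetupBuildxStep returns a new step that configures Docker Buildx against the CI remote buildkit endpoint; each call returns a fresh *JobStep.`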

11 changes: 6 additions & 5 deletions internal/project/auto/config.go
Expand Up @@ -52,11 +52,12 @@ type Helm struct {

// HelmTemplate defines helm template settings.
type HelmTemplate struct {
Set []string `yaml:"set"`
SetFile []string `yaml:"setFile"`
SetJSON []string `yaml:"setJSON"`
SetLiteral []string `yaml:"setLiteral"`
SetString []string `yaml:"setString"`
ValuesFiles []string `yaml:"valuesFiles"`
Set []string `yaml:"set"`
SetFile []string `yaml:"setFile"`
SetJSON []string `yaml:"setJSON"`
SetLiteral []string `yaml:"setLiteral"`
SetString []string `yaml:"setString"`
}

// IntegrationTests defines integration tests builder to be generated.
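Review bot: The new `ValuesFiles` field, like the five fields beside it, has no doc comment, so how the entries are used is only discoverable from helm.go and the generated workflow. A one-liner would make the struct self-documenting: `// ValuesFiles lists values files passed to helm template as -f flags, in the order given.` If the paths are meant to be relative to the repository root (the generated helm.yaml in this PR suggests so, since `helm template` runs from the checkout), saying that explicitly would save users a failed CI run.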
4 changes: 4 additions & 0 deletions internal/project/auto/helm.go
Expand Up @@ -43,6 +43,10 @@ func (builder *builder) DetectHelm() (bool, error) {

var flags []string

for _, valuesFile := range helm.Template.ValuesFiles {
flags = append(flags, "-f", valuesFile)
}

for _, flag := range helm.Template.Set {
flags = append(flags, "--set", flag)
}
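Review bot: Each `valuesFiles` entry from .kres.yaml is forwarded into the generated `helm template` command as `-f <path>` without any check that the file exists, so a typo is only noticed when the helm workflow runs on a pull request rather than at generation time. DetectHelm already returns an error, so an `os.Stat` on each path inside this loop (resolved against the project root, if the builder has access to it — I cannot see that from the hunk) would fail fast with a clear message, e.g. `return false, fmt.Errorf("helm values file %q: %w", valuesFile, err)`. DetectHelm begins outside the hunk.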
10 changes: 6 additions & 4 deletions internal/project/helm/build.go
Expand Up @@ -44,7 +44,7 @@ func NewBuild(meta *meta.Options) *Build {
func (helm *Build) CompileDockerfile(output *dockerfile.Output) error {
output.Stage("helm-toolchain").
Description("helm toolchain").
From("base").
From("--platform=${BUILDPLATFORM} ${TOOLCHAIN}").
Step(step.Arg("HELMDOCS_VERSION")).
Step(step.Script(
fmt.Sprintf(
Expand All @@ -58,8 +58,9 @@ func (helm *Build) CompileDockerfile(output *dockerfile.Output) error {
output.Stage("helm-docs-run").
Description("runs helm-docs").
From("helm-toolchain").
Step(step.WorkDir("/src")).
Step(step.Copy(helm.meta.HelmChartDir, filepath.Join("/src", helm.meta.HelmChartDir))).
Step(step.Run("helm-docs", "--badge-style=flat", "--template-files=README.md.gotpl").
Step(step.Run("helm-docs", "--badge-style=flat").
MountCache(filepath.Join(helm.meta.CachePath, "go-build"), helm.meta.GitHubRepository).
MountCache(filepath.Join(helm.meta.CachePath, "helm-docs"), helm.meta.GitHubRepository, step.CacheLocked))

Expand Down Expand Up @@ -98,6 +99,7 @@ func (helm *Build) CompileMakefile(output *makefile.Output) error {
output.Target("helm").
Description("Package helm chart").
Phony().
Depends("$(ARTIFACTS)").
Script(fmt.Sprintf("@helm package %s -d $(ARTIFACTS)", helm.meta.HelmChartDir))

output.Target("helm-release").
Expand Down Expand Up @@ -180,8 +182,7 @@ func (helm *Build) CompileGitHubWorkflow(output *ghworkflow.Output) error {
}

templateStep := ghworkflow.Step("Template chart").
SetCommand(fmt.Sprintf("helm template -f %s %s %s %s",
filepath.Join(helm.meta.HelmChartDir, "values.yaml"),
SetCommand(fmt.Sprintf("helm template %s %s %s",
strings.Join(helm.meta.HelmTemplateFlags, " "),
filepath.Base(helm.meta.HelmChartDir),
helm.meta.HelmChartDir,
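Review bot: `strings.Join(helm.meta.HelmTemplateFlags, " ")` places the flags into a shell `run:` script unquoted, so a `--set` or `-f` value containing spaces or shell metacharacters is split or rewritten before helm sees it — helm's own list syntax `key={a,b}` is brace-expanded by bash, for example — and the Sprintf leaves a stray double space when the flag list is empty. Wrapping each flag in single quotes before joining, `quoted = append(quoted, "'"+strings.ReplaceAll(f, "'", "'\\''")+"'")`, and skipping the flags argument when the list is empty would make the generated command robust for any value accepted by .kres.yaml. The flags come from repository-controlled configuration, so this is a correctness problem rather than an injection path. CompileGitHubWorkflow starts and ends outside the hunk.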
Expand Down Expand Up @@ -246,6 +247,7 @@ func (helm *Build) CompileGitHubWorkflow(output *ghworkflow.Output) error {
jobPermissions["id-token"] = "write"

jobSteps := []*ghworkflow.JobStep{
ghworkflow.SetupBuildxStep(),
{
Name: "Install Helm",
Uses: ghworkflow.ActionRef{