diff --git a/helm/githubapp/Chart.yaml b/helm/githubapp/Chart.yaml
new file mode 100644
index 0000000..1db4aba
--- /dev/null
+++ b/helm/githubapp/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v2
+name: githubapp
+description: Wire Github-App - A Helm chart for deploying the Wire Github app
+type: application
+version: 0.0.1
+appVersion: "0.0.1"
+home: https://github.com/wireapp/github-app
+maintainers:
+ - name: Wire Integrations Team
diff --git a/helm/githubapp/DEPLOYMENT.md b/helm/githubapp/DEPLOYMENT.md
new file mode 100644
index 0000000..653bae1
--- /dev/null
+++ b/helm/githubapp/DEPLOYMENT.md
@@ -0,0 +1,5 @@
+## Deployment notes
+
+Helm charts are here, while values for each environment are in the `argocd-integrations` repo.
+
+That repo uses ArgoCD with an ImageUpdater to trigger deploys when new images are published.
diff --git a/helm/githubapp/templates/NOTES.txt b/helm/githubapp/templates/NOTES.txt
new file mode 100644
index 0000000..d0d8a69
--- /dev/null
+++ b/helm/githubapp/templates/NOTES.txt
@@ -0,0 +1,54 @@
+Wire Github-App has been deployed successfully!
+
+DEPLOYMENT INFORMATION:
+{{- if .Values.persistence.enabled }}
+- Persistent storage: {{ .Values.persistence.size }} ({{ .Values.persistence.storageClass | default "default" }} storage class)
+{{- end }}
+- Health checks: Startup, liveness, and readiness probes configured
+- Resource limits: {{ .Values.resources.limits.cpu }} CPU, {{ .Values.resources.limits.memory }} memory
+- Service: {{ .Values.service.type }} on port {{ .Values.service.port }} -> {{ .Values.service.targetPort }}
+
+MONITORING & DEBUGGING:
+
+1. Check application status:
+ kubectl get pods -n {{ .Release.Namespace }} -l app.kubernetes.io/name={{ include "githubapp.name" . }}
+
+2. View application logs:
+ kubectl logs -f deployment/{{ include "githubapp.fullname" . }} -n {{ .Release.Namespace }}
+
+3. Access health endpoint:
+{{- if contains "ClusterIP" .Values.service.type }}
+ kubectl port-forward -n {{ .Release.Namespace }} svc/{{ include "githubapp.fullname" . }} 8080:{{ .Values.service.port }}
+ # Then visit: http://localhost:8080/health
+{{- else if contains "NodePort" .Values.service.type }}
+ export NODE_PORT=$(kubectl get -n {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "githubapp.fullname" . }})
+ export NODE_IP=$(kubectl get nodes -n {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ # Visit: http://$NODE_IP:$NODE_PORT/health
+{{- else if contains "LoadBalancer" .Values.service.type }}
+ export SERVICE_IP=$(kubectl get svc -n {{ .Release.Namespace }} {{ include "githubapp.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+ # Visit: http://$SERVICE_IP:{{ .Values.service.port }}/health
+{{- end }}
+
+4. Check configuration:
+ kubectl describe configmap/{{ include "githubapp.fullname" . }} -n {{ .Release.Namespace }}
+{{- if .Values.secrets.secretName }}
+ kubectl describe secret/{{ .Values.secrets.secretName }} -n {{ .Release.Namespace }}
+{{- end }}
+
+CONFIGURATION:
+{{- range .Values.env }}
+{{- if eq .name "WIRE_SDK_ENVIRONMENT" }}
+- Wire SDK Environment: {{ .value | default "Not configured" }}
+{{- end }}
+{{- if eq .name "WIRE_ENV" }}
+- Wire Environment: {{ .value | default "Not configured" }}
+{{- end }}
+{{- if eq .name "PORT" }}
+- Application Port: {{ .value | default "8080" }}
+{{- end }}
+{{- end }}
+{{- if .Values.secrets.secretName }}
+- Secrets mounted at: {{ .Values.secrets.mountPath }}
+{{- end }}
+
+The app is ready for Wire environments!
diff --git a/helm/githubapp/templates/_helpers.tpl b/helm/githubapp/templates/_helpers.tpl
new file mode 100644
index 0000000..9306cc7
--- /dev/null
+++ b/helm/githubapp/templates/_helpers.tpl
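Review bot: Steps 2 and 4 of the notes point at resources this chart does not create: `kubectl logs -f deployment/{{ include "githubapp.fullname" . }}` fails because the workload is rendered as a StatefulSet in templates/statefulset.yaml, and `kubectl describe configmap/{{ include "githubapp.fullname" . }}` misses the `-config` suffix that templates/configmap.yaml appends to the name. Change them to `kubectl logs -f statefulset/{{ include "githubapp.fullname" . }} -n {{ .Release.Namespace }}` and `kubectl describe configmap/{{ include "githubapp.fullname" . }}-config -n {{ .Release.Namespace }}`. The "Health checks: Startup, liveness, and readiness probes configured" line is printed unconditionally although each probe is gated on its own value in the StatefulSet, and the CONFIGURATION section only matches env names `WIRE_SDK_ENVIRONMENT`, `WIRE_ENV` and `PORT`, none of which values.yaml defines, so it prints nothing with the shipped defaults; both should be aligned with the actual keys or dropped rather than left to mislead operators.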
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "githubapp.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "githubapp.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "githubapp.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "githubapp.labels" -}}
+helm.sh/chart: {{ include "githubapp.chart" . }}
+{{ include "githubapp.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "githubapp.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "githubapp.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "githubapp.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "githubapp.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/helm/githubapp/templates/configmap.yaml b/helm/githubapp/templates/configmap.yaml
new file mode 100644
index 0000000..b7f1c04
--- /dev/null
+++ b/helm/githubapp/templates/configmap.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "githubapp.fullname" . }}-config
+ labels:
+ {{- include "githubapp.labels" . | nindent 4 }}
diff --git a/helm/githubapp/templates/pvc.yaml b/helm/githubapp/templates/pvc.yaml
new file mode 100644
index 0000000..adc2a63
--- /dev/null
+++ b/helm/githubapp/templates/pvc.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ include "githubapp.fullname" . }}-pvc
+ annotations:
+ "helm.sh/resource-policy": keep
+ labels:
+ {{- include "githubapp.labels" . | nindent 4 }}
+spec:
+ accessModes:
+ - {{ .Values.persistence.accessMode }}
+ resources:
+ requests:
+ storage: {{ .Values.persistence.size }}
+ storageClassName: {{ .Values.persistence.storageClass }}
diff --git a/helm/githubapp/templates/service.yaml b/helm/githubapp/templates/service.yaml
new file mode 100644
index 0000000..46e08ef
--- /dev/null
+++ b/helm/githubapp/templates/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "githubapp.fullname" . }}
+ labels:
+ {{- include "githubapp.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.port }}
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ {{- include "githubapp.selectorLabels" . | nindent 4 }}
diff --git a/helm/githubapp/templates/serviceaccount.yaml b/helm/githubapp/templates/serviceaccount.yaml
new file mode 100644
index 0000000..86c681a
--- /dev/null
+++ b/helm/githubapp/templates/serviceaccount.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "githubapp.serviceAccountName" . }}
+ labels:
+ {{- include "githubapp.labels" . | nindent 4 }}
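Review bot: pvc.yaml is rendered regardless of `.Values.persistence.enabled`, although NOTES.txt treats that flag as meaningful, so turning persistence off still creates a claim that `helm.sh/resource-policy: keep` then leaves behind on uninstall. This volume backs `/opt/githubapp/storage`, the path the StatefulSet pairs with `WIRE_SDK_CRYPTOGRAPHY_STORAGE_PASSWORD`, so it presumably holds the app's cryptographic state — an orphaned, unmanaged claim with that content is worth deciding on deliberately rather than by accident. Wrap the whole file in `{{- if .Values.persistence.enabled }}` / `{{- end }}` so the flag means what the notes say. Note also that a single `ReadWriteOnce` claim referenced by name cannot be attached by more than one StatefulSet replica; if `replicaCount` is ever raised above 1, `volumeClaimTemplates` on the StatefulSet is the native form.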
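Review bot: The ServiceAccount is created with the default token automount, and nothing in this chart shows the app calling the Kubernetes API, so every pod receives an API credential under `/var/run/secrets/kubernetes.io/serviceaccount` alongside the Wire/GitHub secrets for no visible reason. Add `automountServiceAccountToken: false` at the top level of this manifest (the pod spec can override it later if a real need appears). `.Values.serviceAccount.annotations` is declared in values.yaml but never rendered here; either render it with a `{{- with .Values.serviceAccount.annotations }}` block under `metadata` using `toYaml . | nindent 4`, or remove the dead value so operators do not set it expecting an effect.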
diff --git a/helm/githubapp/templates/servicemonitor.yaml b/helm/githubapp/templates/servicemonitor.yaml
new file mode 100644
index 0000000..f8e746e
--- /dev/null
+++ b/helm/githubapp/templates/servicemonitor.yaml
@@ -0,0 +1,13 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ include "githubapp.fullname" . }}
+ labels:
+ {{- include "githubapp.labels" . | nindent 4 }}
+spec:
+ endpoints:
+ - port: http
+ path: /metrics
+ selector:
+ matchLabels:
+ {{- include "githubapp.selectorLabels" . | nindent 6 }}
diff --git a/helm/githubapp/templates/statefulset.yaml b/helm/githubapp/templates/statefulset.yaml
new file mode 100644
index 0000000..9100f18
--- /dev/null
+++ b/helm/githubapp/templates/statefulset.yaml
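Review bot: The ServiceMonitor is rendered unconditionally, so `helm install` fails on any cluster that lacks the Prometheus Operator CRDs (`monitoring.coreos.com/v1`), and values.yaml offers no way to opt out. Gate it on a new `serviceMonitor.enabled` value — `{{- if .Values.serviceMonitor.enabled }}` at the top and `{{- end }}` at the bottom — optionally combined with `.Capabilities.APIVersions.Has "monitoring.coreos.com/v1"` so the check also works on clusters where the CRD is simply absent. The endpoint scrapes `/metrics` on the same `http` port that serves the application and `/health`; whether that path is unauthenticated or exposes anything beyond counters cannot be told from the chart, so it is worth confirming against the app before the cluster-wide Prometheus starts pulling it.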
@@ -0,0 +1,98 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: {{ include "githubapp.fullname" . }}
+ labels:
+ {{- include "githubapp.labels" . | nindent 4 }}
+spec:
+ serviceName: {{ include "githubapp.fullname" . }}
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "githubapp.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "githubapp.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "githubapp.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ ports:
+ - name: http
+ containerPort: {{ .Values.service.targetPort }}
+ protocol: TCP
+ {{- if .Values.livenessProbe }}
+ livenessProbe:
+ {{- toYaml .Values.livenessProbe | nindent 12 }}
+ {{- end }}
+ {{- if .Values.readinessProbe }}
+ readinessProbe:
+ {{- toYaml .Values.readinessProbe | nindent 12 }}
+ {{- end }}
+ {{- if .Values.startupProbe }}
+ startupProbe:
+ {{- toYaml .Values.startupProbe | nindent 12 }}
+ {{- end }}
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ env:
+ {{- range .Values.env }}
+ - name: {{ .name }}
+ value: {{ .value | quote }}
+ {{- end }}
+ {{- if .Values.secrets.secretName }}
+ - name: WIRE_SDK_API_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secrets.secretName }}
+ key: WIRE_SDK_API_TOKEN
+ - name: WIRE_SDK_CRYPTOGRAPHY_STORAGE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secrets.secretName }}
+ key: WIRE_SDK_CRYPTOGRAPHY_STORAGE_PASSWORD
+ {{- end }}
+ volumeMounts:
+ - name: data
+ mountPath: /opt/githubapp/storage
+ {{- if .Values.secrets.secretName }}
+ - name: secrets
+ mountPath: {{ .Values.secrets.mountPath }}
+ readOnly: true
+ {{- end }}
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: {{ include "githubapp.fullname" . }}-pvc
+ {{- if .Values.secrets.secretName }}
+ - name: secrets
+ secret:
+ secretName: {{ .Values.secrets.secretName }}
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/helm/githubapp/values.yaml b/helm/githubapp/values.yaml
new file mode 100644
index 0000000..1977c38
--- /dev/null
+++ b/helm/githubapp/values.yaml
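Review bot: The secret material is exposed to the container twice — `WIRE_SDK_API_TOKEN` and `WIRE_SDK_CRYPTOGRAPHY_STORAGE_PASSWORD` as environment variables via `valueFrom.secretKeyRef`, and the entire Secret again as a read-only volume at `.Values.secrets.mountPath` — and the env form is the weaker one: it is inherited by every child process, readable from `/proc/<pid>/environ`, and tends to end up in crash dumps and diagnostic output. If the app can read the mounted files, drop the two `valueFrom` entries and keep the mount; if it needs env vars, drop the volume so the full Secret (every key, not just these two) is not also written into the container filesystem. The pod also automounts the service-account token by default and nothing here shows a need for the Kubernetes API, so `automountServiceAccountToken: false` under `spec.template.spec` is a cheap reduction of what an attacker gets from a compromised container. Both `securityContext` fields are passed straight through from values with no defaults in the template, so any hardening has to come from values.yaml; the `podAnnotations` block has no checksum of the Secret either, meaning a rotated Secret is not picked up until the pod restarts for another reason — acceptable if the secret store handles rotation, but worth a comment.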
@@ -0,0 +1,106 @@
+replicaCount: 1
+
+image:
+ repository: quay.io/wire/github-app
+ pullPolicy: IfNotPresent
+
+imagePullSecrets: []
+nameOverride: "github-app"
+fullnameOverride: "github-app"
+
+serviceAccount:
+ create: true
+ annotations: {}
+ name: "github-app-account"
+
+podAnnotations: {}
+
+podSecurityContext: {}
+
+securityContext: {}
+
+service:
+ type: ClusterIP
+ port: 80
+ targetPort: 8080
+
+# External secrets configuration
+secrets:
+ secretName: "githubapp-secrets"
+ mountPath: "/etc/secrets"
+
+# Persistent storage configuration
+persistence:
+ enabled: true
+ storageClass: "gp3-automode-nodepool"
+ accessMode: ReadWriteOnce
+ size: 1Gi
+
+resources:
+ limits:
+ cpu: 500m
+ memory: 512Mi
+ requests:
+ cpu: 200m
+ memory: 256Mi
+
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 1
+ targetCPUUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+# Environment variables for the application
+env:
+ - name: WIRE_SDK_APP_ID
+ value: ""
+ - name: WIRE_SDK_API_HOST
+ value: ""
+ - name: GHAPP_API_HOST
+ value: ""
+ - name: GHAPP_SERVER_PORT
+ value: ""
+ - name: GHAPP_REDIS_HOST
+ value: ""
+ - name: GHAPP_REDIS_PORT
+ value: ""
+
+# Health check configuration (latest Kubernetes spec)
+livenessProbe:
+ httpGet:
+ path: /health
+ port: http
+ scheme: HTTP
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 3
+
+readinessProbe:
+ httpGet:
+ path: /health
+ port: http
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 5
+ timeoutSeconds: 3
+ successThreshold: 1
+ failureThreshold: 3
+
+startupProbe:
+ httpGet:
+ path: /health
+ port: http
+ scheme: HTTP
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 18
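Review bot: `podSecurityContext: {}` and `securityContext: {}` leave the container with whatever the image chooses — potentially root, a writable root filesystem, privilege escalation allowed and the full default capability set — for a workload that holds the Wire API token and the cryptography storage password and exposes an HTTP port. Since the StatefulSet passes both fields through verbatim, ship a restricted baseline in the chart defaults (below) so each environment's values in `argocd-integrations` inherits it rather than having to remember it. `fsGroup` is what makes the PVC at `/opt/githubapp/storage` writable for a non-root user, the UID must match one the image supports, and `readOnlyRootFilesystem: true` assumes the app writes only under the mounted volume — confirm both against the image before enabling. Separately, the `autoscaling` block is not consumed by any template in this chart, and `GHAPP_SERVER_PORT` is left empty while `service.targetPort` is 8080; whether the app defaults to 8080 cannot be seen here, so either set the value or document the default.

```yaml
# … unchanged: replicaCount, image, imagePullSecrets, nameOverride, serviceAccount, podAnnotations …

# Restricted baseline; adjust runAsUser/fsGroup to the UID the image runs as.
podSecurityContext:
  runAsNonRoot: true
  runAsUser: 1000
  runAsGroup: 1000
  fsGroup: 1000
  seccompProfile:
    type: RuntimeDefault

securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - ALL

# … unchanged: service, secrets, persistence, resources, env, probes …
```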