Initial helmchart (#35)

* Add initial helm chart

* rename to Charts

* remove helm folder

* add publish helm workflow

Author: jacobfilik

.github/workflows/publish-containers.yml

@@ -46,6 +46,9 @@ jobs:
         uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
         with:
           images: ${{ env.IMAGE_REPOSITORY }}
+          tags: |
+            type=ref,event=tag
+            type=raw,value=latest
       # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.
       # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository.
       # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.

.github/workflows/publish-helm.yml

@@ -0,0 +1,72 @@
+name: Package helm charts
+
+on:
+  release:
+    types: [published]
+
+env:
+  HELM_VERSION_TO_INSTALL: 3.14.3
+
+jobs:
+  package-helm-charts:
+    name: Package and Push Helm Chart
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install helm
+        uses: Azure/setup-helm@v3
+        with:
+          version: ${{ env.HELM_VERSION_TO_INSTALL }}
+
+      # Check that alpha/beta versions have the form X.Y.Z-alpha.A requried by Helm.
+      # An early check saves waiting for the entire build before finding a problem.
+      - name: Check helm version tag
+        if: ${{ github.ref_type == 'tag' }}
+        env:
+          VERSION: "${{ github.ref_name }}"
+        run: |
+          if [[ "${VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-alpha|-beta|-rc).*?$ ]]; then
+              echo "Valid version format: ${VERSION}"
+          else
+              echo "Invalid version: ${VERSION}. Expected: X.Y.Z or X.Y.Z-beta.1 or X.Y.Z-alpha.1"
+              exit 1
+          fi
+
+      - name: Package helm charts
+        env:
+          VERSION: "${{ github.ref_type == 'tag' && github.ref_name || '0.0.0' }}"
+        run: |
+          set -xe
+
+          mkdir -p charts
+          for i in $(find Charts -type d -maxdepth 1 -mindepth 1); do
+            if [[ ${i} =~ ^.*-ioc$ ]]; then
+              echo "Skipping IOC schema chart: ${i}"
+              continue
+            fi
+            echo "Packaging chart: ${i}"
+            helm package -u --app-version ${VERSION} --version ${VERSION} ${i}
+            mv $(basename ${i})-*.tgz charts/
+          done
+
+      - name: Upload helm chart values schemas
+        uses: actions/upload-artifact@v4
+        with:
+          name: helm-chart-schemas
+          path: schemas/*
+
+      - name: Push tagged helm chart to registry
+        # TODO - switch to using https://github.com/helm/chart-releaser-action of maybe the docker action?
+        if: ${{ github.ref_type == 'tag' }}
+        run: |
+          set -x
+
+          echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io/${{ github.repository_owner }} --username ${{ github.repository_owner }} --password-stdin
+          REGISTRY=oci://ghcr.io/${{github.repository_owner }}/charts
+          for i in charts/*.tgz; do
+            helm push "${i}" ${REGISTRY,,}
+          done

Charts/web-conexs/.gitignore

@@ -0,0 +1,8 @@
+# Created by https://www.toptal.com/developers/gitignore/api/helm
+# Edit at https://www.toptal.com/developers/gitignore?templates=helm
+
+### Helm ###
+# Chart dependencies
+**/charts/*.tgz
+
+# End of https://www.toptal.com/developers/gitignore/api/helm

Charts/web-conexs/Chart.lock

@@ -0,0 +1,9 @@
+dependencies:
+- name: postgresql
+  repository: https://charts.bitnami.com/bitnami
+  version: 12.4.1
+- name: oauth2-proxy
+  repository: https://oauth2-proxy.github.io/manifests/
+  version: 7.5.1
+digest: sha256:edfe90fd4cbfb521123b798b9dfbb2edf43eb7f3c1493150482a9ce6d20554f8
+generated: "2025-08-29T09:21:49.022387356+01:00"

Charts/web-conexs/Chart.yaml

@@ -0,0 +1,32 @@
+apiVersion: v2
+name: web-conexs-app
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.1.0"
+
+dependencies:
+  - name: postgresql
+    version: "12.4.1"
+    repository: https://charts.bitnami.com/bitnami
+  - name: oauth2-proxy
+    version: "7.5.1"
+    repository: https://oauth2-proxy.github.io/manifests/

Charts/web-conexs/templates/_helpers.tpl

@@ -0,0 +1,31 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "web-conexs.name" -}}
+{{- default .Values.global.name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+
+{{- define "web-conexs.fullname2" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Values.global.name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+
+{{- define "web-conexs.fullname" -}}
+{{ "web-conexs-app" }}
+{{- end }}

Charts/web-conexs/templates/api_deployment.yaml

@@ -0,0 +1,52 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "web-conexs.fullname" . }}-api
+spec:
+  replicas: {{ .Values.api.deployment.replicas }}
+  selector:
+    matchLabels:
+      app: {{ include "web-conexs.fullname" . }}-api
+  template:
+    metadata:
+      labels:
+        app: {{ include "web-conexs.fullname" . }}-api
+    spec:
+      volumes:
+        - name: data-pv-volume
+          persistentVolumeClaim:
+            claimName: data-pv-claim
+      containers:
+        - name: {{ include "web-conexs.fullname" . }}-api
+          image:  "{{ .Values.api.deployment.image.repository }}:{{ .Values.api.deployment.image.tag | default .Chart.AppVersion }}"
+          args: ["-m", "web_conexs_api"]
+          resources:
+            {{- toYaml .Values.api.resources | nindent 12 }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.api.service.targetPort }}
+          volumeMounts:
+            - mountPath: {{ .Values.data.mountPath}}
+              name: data-pv-volume
+          env:
+            - name: POSTGRESS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: application-passwords
+                  key: passwords
+            - name: POSTGRESURL
+              value: {{ .Values.database.protocol }}://{{ .Values.database.username }}:$(POSTGRESS_PASSWORD)@{{.Release.Name}}-postgresql.{{.Release.Namespace}}.svc.cluster.local/{{ .Values.database.dbname }}
+            - name: OIDC_USER_INFO_ENDPOINT
+              value: {{ .Values.auth.userInfoEndpoint}}
+            - name: OIDC_ID_KEY
+              value: {{ .Values.auth.idKey}}
+            - name: CONEXS_STORAGE_DIR
+              value: {{ .Values.data.location}}
+            - name: PMG_MAPI_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: matproj-api-key
+                  key: key
+          envFrom:
+            - configMapRef:
+                name: {{ include "web-conexs.fullname" . }}-dbenv-configmap

Charts/web-conexs/templates/api_service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "web-conexs.fullname" . }}-api-svc
+spec:
+  ports:
+    - name: http
+      port: {{ .Values.global.api.port }}
+      protocol: TCP
+      targetPort: {{ .Values.api.service.targetPort }}
+  selector:
+    app: {{ include "web-conexs.fullname" . }}-api
+  type: {{ .Values.api.service.type }}

Charts/web-conexs/templates/client_deployment.yaml

@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "web-conexs.fullname" . }}-client
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ include "web-conexs.fullname" . }}-client
+  template:
+    metadata:
+      labels:
+        app: {{ include "web-conexs.fullname" . }}-client
+    spec:
+      containers:
+        - name: {{ include "web-conexs.fullname" . }}-client
+          image: "{{ .Values.client.deployment.image.repository }}:{{ .Values.client.deployment.image.tag | default .Chart.AppVersion }}"
+          resources:
+            {{- toYaml .Values.api.resources | nindent 12 }}
+          ports:
+            - name: http
+              containerPort: 80

Charts/web-conexs/templates/client_service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "web-conexs.fullname" . }}-client-svc
+spec:
+  ports:
+  - name: http
+    port: {{ .Values.global.client.port }}
+    protocol: TCP
+    targetPort: 80
+  selector:
+    app: {{ include "web-conexs.fullname" . }}-client
+  type: {{ .Values.client.service.type }}