build-container-helm-chart-flux-demo

Author: g-bgg

.github/workflows/build.yaml

@@ -11,20 +11,20 @@ on:
     branches: ['main', 'master']
 
 jobs:
-  lint:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
+  # lint:
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     - name: Checkout repository
+  #       uses: actions/checkout@v3
 
-      - name: Run golangci-lint
-        uses: reviewdog/action-golangci-lint@v2
-        with:
-          go_version: "1.24.3"
-          golangci_lint_flags: "--timeout=5m0s"
+  #     - name: Run golangci-lint
+  #       uses: reviewdog/action-golangci-lint@v2
+  #       with:
+  #         go_version: "1.24.3"
+  #         golangci_lint_flags: "--timeout=5m0s"
   build:
     runs-on: ubuntu-latest
-    needs: lint
+    #needs: lint
     steps:
       - name: Checkout source code
         uses: actions/checkout@v3

.github/workflows/release.yaml

@@ -1,13 +1,19 @@
-name: goreleaser
+name: release
 
 on:
   push:
     tags:
       - "v[0-9]+.[0-9]+.[0-9]+"
+      - "v[0-9]+.[0-9]+.[0-9]+-testing[0-9]+"
 
 permissions:
   contents: write
 
+env:
+  GH_REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+  RELEASE_VERSION: ${{ github.ref_name }}
+
 jobs:
   goreleaser:
     runs-on: ubuntu-latest
@@ -18,11 +24,91 @@ jobs:
         uses: actions/setup-go@v3
         with:
           go-version: '1.24.3'
-      - uses: anchore/sbom-action/download-syft@v0.13.3
+      - uses: anchore/sbom-action/download-syft@v0.20.6
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v4
         with:
           distribution: goreleaser
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  packagerelease:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+      - name: Log in to the GitHub Container registry
+        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        with:
+          registry: ${{ env.GH_REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        with:
+          images: ${{ env.GH_REGISTRY }}/${{ env.IMAGE_NAME }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Build and push Docker image
+        id: push
+        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            VERSION=${{ env.RELEASE_VERSION }}
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Build and push
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            controlplane/netassert:${{ github.ref_name }}
+            controlplane/netassert:latest
+          build-args: |
+            VERSION=${{ env.RELEASE_VERSION }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-name: ${{ env.GH_REGISTRY }}/${{ env.IMAGE_NAME}}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+      - name: Setup yq
+        uses: mikefarah/yq@v4
+      - name: Log in to GitHub Container Registry
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u ${{ github.actor }} --password-stdin
+      - name: Prepare and package Helm chart
+        run: |
+          CLEAN_VERSION=$(echo "$RELEASE_VERSION" | sed 's/^v//')
+          echo "Using chart version and appVersion: $CLEAN_VERSION"
+          yq -i ".image.tag = \"${RELEASE_VERSION}\"" ./helm/values.yaml
+          yq -i ".version = \"${CLEAN_VERSION}\"" ./helm/Chart.yaml
+          yq -i ".appVersion = \"${CLEAN_VERSION}\"" ./helm/Chart.yaml
+          helm package ./helm -d .
+      - name: Push Helm chart to GHCR
+        run: |
+          CLEAN_VERSION=$(echo "$RELEASE_VERSION" | sed 's/^v//')
+          helm push "./netassert-${CLEAN_VERSION}.tgz" oci://ghcr.io/${{ github.repository_owner }}/charts

Dockerfile

@@ -0,0 +1,15 @@
+FROM golang:1.24-alpine AS builder
+
+ARG VERSION
+
+COPY . /build
+WORKDIR /build
+
+RUN go mod download && \
+    CGO_ENABLED=0 GO111MODULE=on go build -ldflags="-X 'main.appName=NetAssert' -X 'main.version=${VERSION}'" -v -o /netassertv2 cmd/netassert/cli/*.go && \
+    ls -ltr /netassertv2
+
+FROM gcr.io/distroless/base:nonroot
+COPY --from=builder /netassertv2 /usr/bin/netassertv2
+
+ENTRYPOINT [ "/usr/bin/netassertv2" ]

cmd/netassert/cli/run.go

@@ -35,9 +35,9 @@ type runCmdConfig struct {
 var runCmdCfg = runCmdConfig{
 	TapFile:                "results.tap", // name of the default TAP file where the results will be written
 	SuffixLength:           9,             // suffix length of the random string to be appended to the container name
-	SnifferContainerImage:  "docker.io/controlplane/netassertv2-packet-sniffer:latest",
+	SnifferContainerImage:  "docker.io/controlplane/netassertv2-packet-sniffer:v1.1.7",
 	SnifferContainerPrefix: "netassertv2-sniffer",
-	ScannerContainerImage:  "docker.io/controlplane/netassertv2-l4-client:latest",
+	ScannerContainerImage:  "docker.io/controlplane/netassertv2-l4-client:v1.0.6",
 	ScannerContainerPrefix: "netassertv2-client",
 	PauseInSeconds:         1,      // seconds to pause before each test case
 	PacketCaptureInterface: `eth0`, // the interface used by the sniffer image to capture traffic

fluxcd-demo/README.md

@@ -0,0 +1,18 @@
+Fluxcd Demo
+
+doc to be finished
+
+
+docker run -d -p 5000:5000 --restart=always --name registry-5000 registry:2
+kind create cluster --config kind-cluster.yaml
+
+
+kubectl apply -f https://github.com/fluxcd/flux2/releases/download/v2.7.2/install.yaml
+
+update chart version
+helm package ./helm -d .
+helm push ./fluxcd-demo-0.0.1-dev.tgz oci://localhost:5000/fluxcd/
+kubectl get helmreleases
+
+
+kind delete cluster

fluxcd-demo/fluxcd-helmconfig.yaml

@@ -0,0 +1,33 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: demo-repo
+  namespace: default
+spec:
+  type: "oci"
+  insecure: true
+  interval: 10s
+  url: oci://host.docker.internal:5000/fluxcd
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: demo-release
+  namespace: default
+spec:
+  interval: 10s
+  timeout: 5m
+  chart:
+    spec:
+      chart: fluxcd-demo
+      version: '0.0.x-dev'
+      sourceRef:
+        kind: HelmRepository
+        name: demo-repo
+      interval: 1m
+  releaseName: myhelmrelease
+  # valuesFrom:
+  #   - kind: ConfigMap
+  #     name: tests
+  #     valuesKey: test-cases.yaml
+  #     targetPath: testFile

fluxcd-demo/helm/Chart.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+description: fluxcd-demo
+name: fluxcd-demo
+version: 0.0.1-dev
+appVersion: 0.0.1-dev
+dependencies:
+- name: netassert
+  repository: ghcr.io/controlplaneio/charts/netassert
+  version: 1.0.0-dev

fluxcd-demo/helm/templates/_helpers.tpl

@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "fluxcd-demo.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "fluxcd-demo.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "fluxcd-demo.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}

fluxcd-demo/helm/templates/deployment.yaml

@@ -0,0 +1,85 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: echoserver
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: busybox
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "fluxcd-demo.fullname" . }}-echoserver
+  namespace: echoserver
+  labels:
+    app: echoserver-deploy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: echoserver
+  template:
+    metadata:
+      labels:
+        app: echoserver
+    spec:
+      initContainers:
+        - name: "sleepy"
+          image: busybox:1.36
+          command: ["sh", "-c", "echo 'Sleeping...'; sleep 20"]
+      containers:
+        - name: echoserver
+          image: k8s.gcr.io/e2e-test-images/echoserver:2.5
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 8080
+              name: web
+          resources:
+            requests:
+              memory: 64Mi
+              cpu: 300m
+            limits:
+              memory: 64Mi
+              cpu: 400m
+          securityContext:
+            allowPrivilegeEscalation: false
+            privileged: false
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "fluxcd-demo.fullname" . }}-busybox
+  namespace: busybox
+  labels:
+    app: busybox
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: busybox
+  template:
+    metadata:
+      labels:
+        app: busybox
+    spec:
+      containers:
+        - name: busybox
+          image: busybox
+          command:
+            - sleep
+            - "360000"
+          imagePullPolicy: IfNotPresent
+          resources:
+            requests:
+              memory: 64Mi
+              cpu: 300m
+            limits:
+              memory: 64Mi
+              cpu: 400m
+          securityContext:
+            allowPrivilegeEscalation: false
+            privileged: false
+...