ci: improvements

Signed-off-by: Marc 'risson' Schmitt <[email protected]>

.github/configs/ct-install.yaml

@@ -0,0 +1,13 @@
+---
+remote: origin
+target-branch: main
+chart-dirs:
+  - charts
+chart-repos:
+  - authentik=https://charts.goauthentik.io
+helm-extra-args: --timeout 180s
+check-version-increment: false
+validate-maintainers: false
+validate-yaml: true
+exclude-deprecated: true
+excluded-charts: []

ct.yaml → .github/configs/ct-lint.yaml

@@ -1,7 +1,11 @@
 ---
+remote: origin
 target-branch: main
+chart-dirs:
+  - charts
 chart-repos:
   - authentik=https://charts.goauthentik.io
-helm-extra-args: --timeout 180s
 check-version-increment: false
 validate-maintainers: false
+exclude-deprecated: true
+excluded-charts: []

.github/configs/lintconf.yaml

@@ -0,0 +1,42 @@
+---
+rules:
+  braces:
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+    min-spaces-inside-empty: -1
+    max-spaces-inside-empty: -1
+  brackets:
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+    min-spaces-inside-empty: -1
+    max-spaces-inside-empty: -1
+  colons:
+    max-spaces-before: 0
+    max-spaces-after: 1
+  commas:
+    max-spaces-before: 0
+    min-spaces-after: 1
+    max-spaces-after: 1
+  comments:
+    require-starting-space: true
+    min-spaces-from-content: 1
+  document-end: disable
+  document-start: disable # No --- to start a file
+  empty-lines:
+    max: 2
+    max-start: 0
+    max-end: 0
+  hyphens:
+    max-spaces-after: 1
+  indentation:
+    spaces: consistent
+    indent-sequences: whatever # - list indentation will handle both indentation and without
+    check-multi-line-strings: false
+  key-duplicates: enable
+  line-length: disable # Lines can be any length
+  new-line-at-end-of-file: enable
+  new-lines:
+    type: unix
+  trailing-spaces: enable
+  truthy:
+    level: warning

.github/workflows/lint-test.yaml

@@ -1,3 +1,4 @@
+---
 name: "Lint and Test Chart"
 
 on:
@@ -7,36 +8,71 @@ on:
   pull_request:
 
 jobs:
-  lint-and-test:
-    runs-on: ubuntu-20.04
+  linter-artifacthub:
+    runs-on: ubuntu-latest
+    container:
+      image: public.ecr.aws/artifacthub/ah:v1.14.0
+      options: --user 1001
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Run ah lint
+        working-directory: ./charts
+        run: ah lint
+
+  chart-test:
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
-          fetch-depth: "0"
+          fetch-depth: 0
+
       - name: Set up Helm
-        uses: azure/[email protected]
-      - uses: actions/setup-python@v5
+        uses: azure/setup-helm@v3
+
+      - name: Set up python
+        uses: actions/setup-python@v5
         with:
-          python-version: 3.9.2
-      - name: Set up chart-testing
-        uses: helm/[email protected]
-      - name: Run chart-testing (list-changed)
+          python-version: "3.9"
+
+      - name: Setup Chart Linting
+        id: lint
+        uses: helm/chart-testing-action@v2
+
+      - name: List changed charts
         id: list-changed
         run: |
-          changed=$(ct list-changed  --config ct.yaml)
+          changed=$(ct --config ./.github/configs/ct-lint.yaml list-changed)
+          charts=$(echo "$changed" | tr '\n' ' ' | xargs)
           if [[ -n "$changed" ]]; then
             echo "changed=true" >> $GITHUB_OUTPUT
+            echo "changed_charts=$charts" >> $GITHUB_OUTPUT
           fi
+
       - name: Run chart-testing (lint)
-        run: ct lint --config ct.yaml
+        run: ct lint --debug --config ./.github/configs/ct-lint.yaml --lint-conf ./.github/configs/lintconf.yaml
+
+      - name: Run docs-testing (helm-docs)
+        id: helm-docs
+        run: |
+          ./scripts/helm-docs.sh
+          if [[ $(git diff --stat) != '' ]]; then
+            echo -e '\033[0;31mDocumentation outdated!\033[0m ❌'
+            git diff --color
+            exit 1
+          else
+            echo -e '\033[0;32mDocumentation up to date\033[0m ✔'
+          fi
+
       - name: Create kind cluster
-        uses: helm/kind-action@v1.8.0
+        uses: helm/kind-action@v1
         if: steps.list-changed.outputs.changed == 'true'
+
       - name: Run chart-testing (install)
-        if: steps.list-changed.outputs.changed == 'true'
         run: |
           namespace=authentik-$(uuidgen)
           kubectl create ns $namespace
           kubectl apply -n $namespace -f charts/authentik/ci/manifests/
-          ct install --namespace=$namespace --config ct.yaml
+          ct install --namespace=$namespace --config ./.github/configs/ct-install.yaml
+        if: steps.list-changed.outputs.changed == 'true'

charts/authentik/README.md

@@ -86,7 +86,7 @@ redis:
 | authentik.redis.password | string | `""` |  |
 | authentik.secret_key | string | `""` | Secret key used for cookie singing and unique user IDs, don't change this after the first install |
 | blueprints | list | `[]` | List of config maps to mount blueprints from. Only keys in the configmap ending with ".yaml" wil be discovered and applied |
-| fullnameOverride | string | `""` | String to fully override `"authentik.fullname"` |
+| fullnameOverride | string | `""` | String to fully override `"authentik.fullname"`. Prefer using global.fullnameOverride if possible |
 | geoip.accountId | string | `""` | sign up under https://www.maxmind.com/en/geolite2/signup |
 | geoip.containerSecurityContext | object | See [values.yaml] | GeoIP container-level security context |
 | geoip.editionIds | string | `"GeoLite2-City"` |  |
@@ -110,12 +110,14 @@ redis:
 | global.deploymentStrategy | object | `{}` | Deployment strategy for all deployed Deployments |
 | global.env | list | `[]` (See [values.yaml]) | Environment variables to pass to all deployed Deployments. Does not apply to GeoIP See configuration options at https://goauthentik.io/docs/installation/configuration/ |
 | global.envFrom | list | `[]` (See [values.yaml]) | envFrom to pass to all deployed Deployments. Does not apply to GeoIP |
+| global.fullnameOverride | string | `""` | String to fully override `"authentik.fullname"` |
 | global.hostAliases | list | `[]` | Mapping between IP and hostnames that will be injected as entries in the pod's hosts files |
 | global.image.digest | string | `""` | If defined, an image digest applied to all authentik deployments |
 | global.image.pullPolicy | string | `"IfNotPresent"` | If defined, an imagePullPolicy applied to all authentik deployments |
 | global.image.repository | string | `"ghcr.io/goauthentik/server"` | If defined, a repository applied to all authentik deployments |
 | global.image.tag | string | `""` | Overrides the global authentik whose default is the chart appVersion |
 | global.imagePullSecrets | list | `[]` | Secrets with credentials to pull images from a private registry |
+| global.nameOverride | string | `""` | Provide a name in place of `authentik` |
 | global.nodeSelector | object | `{}` | Default node selector for all components |
 | global.podAnnotations | object | `{}` | Annotations for all deployed pods |
 | global.podLabels | object | `{}` | Labels for all deployed pods |
@@ -125,7 +127,7 @@ redis:
 | global.tolerations | list | `[]` | Default tolerations for all components |
 | global.topologySpreadConstraints | list | `[]` | Default [TopologySpreadConstraints] rules for all components # Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ |
 | kubeVersionOverride | string | `""` | Override the Kubernetes version, which is used to evaluate certain manifests |
-| nameOverride | string | `"authentik"` | Provide a name in place of `authentik` |
+| nameOverride | string | `"authentik"` | Provide a name in place of `authentik`. Prefer using global.nameOverride if possible |
 | postgresql.auth.database | string | `"authentik"` |  |
 | postgresql.auth.username | string | `"authentik"` |  |
 | postgresql.enabled | bool | `false` | enable the Bitnami PostgreSQL chart. Refer to https://github.com/bitnami/charts/blob/main/bitnami/postgresql/ for possible values. |
@@ -226,8 +228,8 @@ redis:
 | server.service.labels | object | `{}` | authentik server service labels |
 | server.service.loadBalancerIP | string | `""` | LoadBalancer will get created with the IP specified in this field |
 | server.service.loadBalancerSourceRanges | list | `[]` | Source IP ranges to allow access to service from |
-| server.service.nodePortHttp | int | `30443` | authentik server service https port for NodePort service type (only if `server.service.type` is set to `NodePort`) |
 | server.service.nodePortHttp | int | `30080` | authentik server service http port for NodePort service type (only if `server.service.type` is set to `NodePort`) |
+| server.service.nodePortHttp | int | `30443` | authentik server service https port for NodePort service type (only if `server.service.type` is set to `NodePort`) |
 | server.service.servicePortHttp | int | `80` | authentik server service http port |
 | server.service.servicePortHttpName | string | `"http"` | authentik server service http port name |
 | server.service.servicePortHttps | int | `443` | authentik server service https port |
@@ -249,8 +251,6 @@ redis:
 | server.volumes | list | `[]` | Additional volumes to the authentik server pod |
 | serviceAccount.annotations | object | `{}` | additional service account annotations |
 | serviceAccount.create | bool | `true` | Create service account. Needed for managed outposts |
-| serviceAccount.fullnameOverride | string | `"authentik"` |  |
-| serviceAccount.nameOverride | string | `"authentik"` |  |
 | serviceAccount.serviceAccountSecret.enabled | bool | `false` |  |
 | worker.affinity | object | `{}` (defaults to the global.affinity preset) | Assign custom [affinity] rules to the deployment |
 | worker.autoscaling.behavior | object | `{}` | Configures the scaling behavior of the target in both Up and Down directions. |

scripts/helm-docs.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+## Reference: https://github.com/norwoodj/helm-docs
+set -eux
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+echo "$REPO_ROOT"
+
+echo "Running Helm-Docs"
+docker run \
+    --rm \
+    -v "$REPO_ROOT:/helm-docs" \
+    -u $(id -u) \
+    jnorwood/helm-docs:v1.12.0

scripts/lint.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+# Reference: https://github.com/helm/chart-testing
+set -eux
+
+SRCROOT="$(cd "$(dirname "$0")/.." && pwd)"
+
+echo -e "\n-- Linting all Helm Charts --\n"
+docker run \
+    --rm \
+    -v "$SRCROOT:/workdir" \
+    --entrypoint /bin/sh \
+    quay.io/helmpack/chart-testing:v3.10.1 \
+    -c cd /workdir \
+    ct lint \
+    --config .github/configs/ct-lint.yaml \
+    --lint-conf .github/configs/lintconf.yaml \
+    --debug