SYSTEMS-5246: Initial base chart based on helm create (#1)

Nextdoor · Mar 16, 2021 · 8e0c6c8 · 8e0c6c8
1 parent 6ed8a94
commit 8e0c6c8
Show file tree

Hide file tree

Showing 12 changed files with 343 additions and 68 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -30,6 +30,6 @@ jobs:
         uses: helm/chart-releaser-action@v1.1.0
         with:
           charts_dir: charts
-          charts_repo_url: https://oss.nextdoor.com/k8s-public-charts
+          charts_repo_url: https://k8s-charts.nextdoor-test.com/
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/README.md b/README.md
@@ -1,25 +1,33 @@
 # Shared Private Helm Chart Components
 
+[argo_submodules]: https://argo-cd.readthedocs.io/en/stable/user-guide/private-repositories/#git-submodules
+
 This repo holds a series of common helm-charts that we've developed just to
 help speed up our internal development and reduce repetition. These charts are
 private - we do not publish them at a public endpoint, instead we use Git
 Submodules to bring them into your project.
 
 ## Installation of this repo
 
-...
+From your own application repo, create a Git Submodule. This submodule has many
+charts in it, so you'll then be able to pick and choose the charts that matter
+to you for your application.
+
+_ArgoCD [natively supports Git Submodules][argo_submodules] - so you don't have
+to do anything in Argo for it to resolve these modules!_
+
+    $ git submodule github.com:Nextdoor/k8s-charts k8s-charts
 
 ## Charts
 
 All charts are fully documented in their individual values files. Use `helm
 show values charts/<chart name>` to see the documentated values for each chart.
 
-## Using Charts in your Helm Chart
+### Using Charts in your Helm Chart
 
 The intention of this repository is to make re-usable components - not projects
 that are launched on their own. Given your existing `Chart.yaml` that looks like this:
 
-
     apiVersion: v2
     appVersion: "1.0"
     description: Launches the Nextdoor Widget Service
@@ -35,19 +43,21 @@ then configure it with your `values.yaml` files. Here's the new `Chart.yaml` for
     name: neighbors-widget
     version: 0.1.0
     dependencies:
-      - name: prometheus-alerts
+      - name: simple-app
         version: 0.0.2
-        repository: https://oss.nextdoor.com/k8s-public-harts
+        repository: file://../k8s-charts/simple-app
+        alias: neighbors-widget
 
 And you might then configure your `values.yaml` like this:
 
-    # My own app configs..
-    image: ...
-    tag: ...
+    # All parameters for the simple-app chart go into a key matching the alias
+    # we used above.
+    neighbors-widget:
+      ...
+
+## Development
 
-    # Customize the alerting for this project
-    prometheus-alerts:
-      alertManager:
-        enabled: true
-        pagerduty:
-          routing_key: ...
+All of the charts in this repository have a specific development pattern that
+must be followed. Documentation must be well written, and tests are strongly
+encouraged. Each chart must be fully functional by default (even if you use a
+hello-world type image as a default for testing purposes).
diff --git a/charts/simple-app/Chart.yaml b/charts/simple-app/Chart.yaml
@@ -1,24 +1,9 @@
 apiVersion: v2
 name: simple-app
-description: A Helm chart for Kubernetes
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+description: Default Microservice Helm Chart
 type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "1.16.0"
+version: 0.1.1
+appVersion: "latest"
+maintainers:
+  - name: diranged
+    email: matt@nextdoor.com
diff --git a/charts/simple-app/README.md b/charts/simple-app/README.md
@@ -0,0 +1,68 @@
+# simple-app
+
+Default Microservice Helm Chart
+
+![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
+
+[deployments]: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
+[hpa]: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
+
+This chart provides a default deployment for a simple application that operates
+in a [Deployment][deployments]. The chart automatically configures various
+defaults for you like the Kubernetes [Horizontal Pod Autoscaler][hpa].
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` |  |
+| autoscaling.enabled | bool | `false` |  |
+| autoscaling.maxReplicas | int | `100` |  |
+| autoscaling.minReplicas | int | `1` |  |
+| autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
+| env | list | `[]` |  |
+| fullnameOverride | string | `""` |  |
+| image.pullPolicy | string | `"IfNotPresent"` | (String) Always, Never or IfNotPresent |
+| image.repository | string | `"nginx"` | (String) The Docker image name and repository for your application |
+| image.tag | string | `""` | (String) Overrides the image tag whose default is the chart appVersion. |
+| imagePullSecrets | list | `[]` | If |
+| ingress.annotations."alb.ingress.kubernetes.io/actions.ssl-redirect" | string | `"{\"Type\": \"redirect\", \"RedirectConfig\": { \"Protocol\": \"HTTPS\", \"Port\": \"443\", \"StatusCode\": \"HTTP_301\" }}"` |  |
+| ingress.enabled | bool | `false` |  |
+| ingress.hosts[0].host | string | `"chart-example.local"` |  |
+| ingress.hosts[0].path | string | `""` |  |
+| ingress.hosts[0].sslRedirect | bool | `true` |  |
+| ingress.tls | list | `[]` |  |
+| ingressGateway.annotations | object | `{}` |  |
+| ingressGateway.enabled | bool | `false` | (Boolean) Maps the Service to an Istio IngressGateway, exposing the service outside of the Kubernetes cluster. |
+| ingressGateway.gateway | string | `"default-gateway"` |  |
+| ingressGateway.hosts | string | `"- {{ include \"simple-app.fullname\" . }}.{{ .Release.Namespace }}"` |  |
+| ingressGateway.http | string | `"- match:\n    - uri:\n        prefix: /\n  route:\n    - destination:\n        host: {{ include \"simple-app.fullname\" . }}\n        port:\n          number: {{ .Values.ingressGateway.port }}"` | (String) VirtualService "http" blob in text-form. This is run through the tpl function so you may use template variables here. |
+| ingressGateway.namespace | string | `"istio-system"` |  |
+| ingressGateway.port | int | `80` |  |
+| ingressGateway.tls | string | `""` |  |
+| livenessProbe | object | `{"httpGet":{"path":"/","port":"http"}}` | A PodSpec container "livenessProbe" configuration object. Note that this livenessProbe will be applied to the proxySidecar container instead if that is enabled. |
+| nameOverride | string | `""` |  |
+| nodeSelector | object | `{}` |  |
+| podAnnotations | object | `{}` |  |
+| podSecurityContext | object | `{}` |  |
+| ports | list | `[{"containerPort":80,"name":"http","protocol":"TCP"},{"containerPort":443,"name":"https","protocol":"TCP"}]` | A list of Port objects that are exposed by the service. These ports are applied to the main container, or the proxySidecar container (if enabled). The port list is also used to generate Network Policies that allow ingress into the pods. |
+| proxySidecar.enabled | bool | `false` | (Boolean) Enables injecting a pre-defined reverse proxy sidecar container into the Pod containers list. |
+| proxySidecar.env | list | `[]` | (List) Environment variables passed into the proxy container |
+| proxySidecar.image.pullPolicy | string | `"Always"` | (String) Always, Never or IfNotPresent |
+| proxySidecar.image.repository | string | `"nginx"` | (String) The Docker image name and repository for the sidecar |
+| proxySidecar.image.tag | string | `"latest"` | (String) The Docker tag for the sidecar |
+| proxySidecar.name | string | `"proxy"` | (String) The name of the proxy sidecar container |
+| proxySidecar.resources | object | `{}` | A PodSpec "Resources" object for the proxy container |
+| readinessProbe | object | `{"httpGet":{"path":"/","port":"http"}}` | A PodSpec container "readinessProbe" configuration object. Note that this readinessProbe will be applied to the proxySidecar container instead if that is enabled. |
+| replicaCount | int | `1` | The number of Pods to start up by default |
+| resources | object | `{}` |  |
+| securityContext | object | `{}` |  |
+| service.port | int | `80` |  |
+| service.type | string | `"ClusterIP"` |  |
+| serviceAccount.annotations | object | `{}` |  |
+| serviceAccount.create | bool | `true` |  |
+| serviceAccount.name | string | `""` |  |
+| tolerations | list | `[]` |  |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.4.0](https://github.com/norwoodj/helm-docs/releases/v1.4.0)
diff --git a/charts/simple-app/README.md.gotmpl b/charts/simple-app/README.md.gotmpl
@@ -0,0 +1,17 @@
+{{ template "chart.header" . }}
+{{ template "chart.description" . }}
+
+{{ template "chart.versionBadge" .  }}{{ template "chart.typeBadge" .  }}{{ template "chart.appVersionBadge" .  }}
+
+[deployments]: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
+[hpa]: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
+
+This chart provides a default deployment for a simple application that operates
+in a [Deployment][deployments]. The chart automatically configures various
+defaults for you like the Kubernetes [Horizontal Pod Autoscaler][hpa].
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "chart.valuesSection" . }}
+
+{{ template "helm-docs.versionFooter" . }}
diff --git a/charts/simple-app/templates/deployment.yaml b/charts/simple-app/templates/deployment.yaml
@@ -28,25 +28,39 @@ spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
+        {{- if .Values.proxySidecar.enabled }}
+        - name: {{ .Values.proxySidecar.name }}
+          image: "{{ .Values.proxySidecar.image.repository }}:{{ .Values.proxySidecar.image.tag }}"
+          imagePullPolicy: {{ .Values.proxySidecar.image.pullPolicy }}
+          env:
+            {{- toYaml .Values.proxySidecar.env | nindent 12 }}
+          ports:
+            {{- toYaml .Values.ports | nindent 12 }}
+          livenessProbe:
+            {{- toYaml .Values.livenessProbe | nindent 12 }}
+          readinessProbe:
+            {{- toYaml .Values.readinessProbe | nindent 12 }}
+          resources:
+            {{- toYaml .Values.proxySidecar.resources | nindent 12 }}
+        {{- end }}
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          env:
+            {{- toYaml .Values.env | nindent 12 }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          {{- if .Values.proxySidecar.enabled }}
+          {{- else }}
           ports:
-            - name: http
-              containerPort: 80
-              protocol: TCP
+            {{- toYaml .Values.ports | nindent 12 }}
           livenessProbe:
-            httpGet:
-              path: /
-              port: http
+            {{- toYaml .Values.livenessProbe | nindent 12 }}
           readinessProbe:
-            httpGet:
-              path: /
-              port: http
-          resources:
-            {{- toYaml .Values.resources | nindent 12 }}
+            {{- toYaml .Values.readinessProbe | nindent 12 }}
+          {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/charts/simple-app/templates/ingress.yaml → ...simple-app/templates/ingress/ingress.yaml b/charts/simple-app/templates/ingress.yaml → ...simple-app/templates/ingress/ingress.yaml
@@ -1,11 +1,7 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "simple-app.fullname" . -}}
 {{- $svcPort := .Values.service.port -}}
-{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
-apiVersion: networking.k8s.io/v1beta1
-{{- else -}}
-apiVersion: extensions/v1beta1
-{{- end }}
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: {{ $fullName }}
@@ -31,11 +27,29 @@ spec:
     - host: {{ .host | quote }}
       http:
         paths:
-          {{- range .paths }}
+          {{- /*
+
+          The ssl-redirect action must be the first action in the list, if
+          we're going to use it. It is combined with the the
+          "alb.ingress.kubernetes.io/actions.ssl-redirect" annotation to do
+          ALB-level HTTP->HTTPS routing.
+
+          */}}
+          {{- if .sslRedirect }}
           - path: {{ .path }}
+            pathType: ImplementationSpecific
             backend:
-              serviceName: {{ $fullName }}
-              servicePort: {{ $svcPort }}
+              service:
+                name: ssl-redirect
+                port:
+                  name: use-annotation
           {{- end }}
+          - path: {{ .path }}
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $svcPort }}
     {{- end }}
   {{- end }}
diff --git a/charts/simple-app/templates/ingress/networkpolicy.yaml b/charts/simple-app/templates/ingress/networkpolicy.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "simple-app.fullname" . }}-ingress-access
+  labels:
+    {{- include "simple-app.labels" . | nindent 4 }}
+spec:
+  policyTypes: [Ingress]
+  podSelector:
+    matchLabels:
+      {{- include "simple-app.selectorLabels" . | nindent 6 }}
+  ingress:
+    - ports:
+      {{- range $port := .Values.ports }}
+      - port: {{ $port.containerPort }}
+        protocol: {{ $port.protocol }}
+      {{- end }}
+{{- end }}
diff --git a/charts/simple-app/templates/istio/networkpolicy.yaml b/charts/simple-app/templates/istio/networkpolicy.yaml
@@ -0,0 +1,24 @@
+{{- if .Values.ingressGateway.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "simple-app.fullname" . }}-ingressgateway-access
+  labels:
+    {{- include "simple-app.labels" . | nindent 4 }}
+spec:
+  policyTypes: [Ingress]
+  podSelector:
+    matchLabels:
+      {{- include "simple-app.selectorLabels" . | nindent 6 }}
+  ingress:
+    - ports:
+      {{- range $port := .Values.ports }}
+      - port: {{ $port.containerPort }}
+        protocol: {{ $port.protocol }}
+      {{- end }}
+      from:
+        - namespaceSelector: {}
+          podSelector:
+            matchLabels:
+              app: istio-ingressgateway
+{{- end }}
diff --git a/charts/simple-app/templates/istio/virtualservice.yaml b/charts/simple-app/templates/istio/virtualservice.yaml
@@ -0,0 +1,25 @@
+{{- if .Values.ingressGateway.enabled }}
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: {{ include "simple-app.fullname" . }}
+  labels:
+    {{- include "simple-app.labels" . | nindent 4 }}
+  {{- with .Values.ingressGateway.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  hosts:
+    {{- tpl .Values.ingressGateway.hosts . | nindent 4 }}
+  gateways:
+    - {{ .Values.ingressGateway.namespace }}/{{ .Values.ingressGateway.gateway }}
+  {{- if .Values.ingressGateway.http }}
+  http:
+    {{- tpl .Values.ingressGateway.http . | nindent 4 }}
+  {{- end }}
+  {{- if .Values.ingressGateway.tls }}
+  tls:
+    {{- tpl .Values.ingressGateway.tls . | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/charts/simple-app/templates/service.yaml b/charts/simple-app/templates/service.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.ports }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -7,9 +8,12 @@ metadata:
 spec:
   type: {{ .Values.service.type }}
   ports:
-    - port: {{ .Values.service.port }}
-      targetPort: http
-      protocol: TCP
-      name: http
+    {{- range $port := .Values.ports }}
+    - port: {{ $port.containerPort }}
+      targetPort: {{ $port.name }}
+      protocol: {{ $port.protocol }}
+      name: {{ $port.name }}
+    {{- end }}
   selector:
     {{- include "simple-app.selectorLabels" . | nindent 4 }}
+{{- end }}