dBildungsplattform · YannickEvers · Oct 18, 2024 · Oct 17, 2024 · Oct 17, 2024 · Oct 17, 2024
diff --git a/.github/workflows/check-helm-kics-on-pr.yaml b/.github/workflows/check-helm-kics-on-pr.yaml
@@ -0,0 +1,13 @@
+name: Kics check on PR
+on:
+  pull_request:
+      branches:
+        - main
+
+jobs:
+  scan_pr:
+    uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-helm-kics.yaml@7
+    permissions:
+      contents: read
+    with: 
+      chart_path: "."
diff --git a/.github/workflows/helm-chart-release-on-push-status.yaml b/.github/workflows/helm-chart-release-on-push-status.yaml
@@ -0,0 +1,26 @@
+name: Release Status Chart on branch
+on:
+  push:
+    branches-ignore:
+      - 'main'
+    paths:
+      - 'status/**'
+
+concurrency:
+  group: chart-release
+
+jobs:
+  scan:
+    uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-helm-kics.yaml@7
+    permissions:
+      contents: read
+    with: 
+      chart_path: "."
+  release_helm:
+    uses: dBildungsplattform/dbp-github-workflows/.github/workflows/chart-release.yaml@7
+    secrets: inherit
+    with:
+      chart_path: "."
+      chart_name: status
+      helm_chart_version_generation: ticket_from_branch_timestamp
+      image_tag_generation: chart_yaml
diff --git a/.github/workflows/helm-chart-release-on-tag.yaml b/.github/workflows/helm-chart-release-on-tag.yaml
@@ -0,0 +1,38 @@
+name: Release Charts on Tag
+on:
+  push:
+    tags:
+      - '.+-[0-9]+.[0-9]+.[0-9]+'
+
+concurrency:
+  group: chart-release
+
+jobs:
+  get_tag:
+    runs-on: ubuntu-latest
+    outputs:
+      chart: ${{ steps.nameTag.outputs.chart }}
+      version: ${{ steps.nameTag.outputs.version }}
+    steps:
+      - name: Filter Tag name
+        uses: olegtarasov/[email protected]
+        id: nameTag
+        with:
+          tagRegex: "(?<chart>.+?)-(?<version>[0-9]+.[0-9]+.[0-9]+)"
+
+  scan:
+    uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-helm-kics.yaml@7
+    permissions:
+      contents: read
+    with: 
+      chart_path: "."
+  release_helm:
+    needs: get_tag
+    uses: dBildungsplattform/dbp-github-workflows/.github/workflows/chart-release.yaml@7
+    secrets: inherit
+    with:
+      chart_path: "."
+      chart_name: ${{ needs.get_tag.outputs.chart }}
+      helm_chart_version_generation: specified
+      helm_chart_version: ${{ needs.get_tag.outputs.version }}
+      image_tag_generation: chart_yaml
diff --git a/LICENSE b/LICENSE
diff --git a/README.md b/README.md
@@ -0,0 +1,4 @@
+# helm-charts
+
+This is the place for reusable helm charts.
+They are published in the [helm-charts-registry](https://github.com/dBildungsplattform/helm-charts-registry) repository when pushing on a branch (Version 0.0.0-\<ticket>-\<timestamp>) or when adding a tag in the format \<chart name>-X.X.X.
diff --git a/status/Chart.yaml b/status/Chart.yaml
@@ -12,10 +12,7 @@ description: A Helm chart for Kubernetes
 # pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
 
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.2
+version: 0.0.0 # Managed by Tagging
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/status/templates/deployment.yaml b/status/templates/deployment.yaml
@@ -23,7 +23,7 @@
    {{- end }}
      labels:
        {{- include "status.selectorLabels" . | nindent 8 }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
@@ -31,10 +31,11 @@
      serviceAccountName: {{ include "status.serviceAccountName" . }}
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+            allowPrivilegeEscalation: false
+            runAsUser: {{ .Values.runAsUser }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           lifecycle:
@@ -92,7 +93,7 @@
          - name: {{ include "status.fullname" . }}-files
            mountPath: /var/www/html/app/seedData.json
            subPath: seedData.json
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
@@ -109,7 +110,7 @@
      volumes:
      - name: {{ include "status.fullname" . }}-files
        configMap:
           name: {{ include "status.fullname" . }}-files
           items:
             - key: SeederCommand.php
               path: SeederCommand.php

diff --git a/status/values.yaml b/status/values.yaml
@@ -26,13 +26,7 @@ podAnnotations: {}
 podSecurityContext: {}
   # fsGroup: 2000
 # -- Settings for security context of the container
-securityContext:
-  runAsUser: 1001
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
+runAsUser: 1001
 service:
   # -- Kubernetes Service type
   type: ClusterIP