misc: added helm chart

.github/workflows/release-docker.yaml → .github/workflows/release.yaml

@@ -33,3 +33,19 @@ jobs:
           tags: |
             infisical/infisical-csi-provider:latest
             infisical/infisical-csi-provider:${{ github.ref_name }}
+
+      - name: Install Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.10.0
+
+      - name: Install python
+        uses: actions/setup-python@v4
+
+      - name: Install Cloudsmith CLI
+        run: pip install --upgrade cloudsmith-cli
+
+      - name: Build and push helm package to Cloudsmith
+        run: sh upload-to-cloudsmith.sh
+        env:
+          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}

helm/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

helm/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: infisical-csi-provider
+description: A Helm chart for the Infisical CSI provider
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "v0.0.3"

helm/templates/NOTES.txt

@@ -0,0 +1,40 @@
+##
+
+-- Infisical CSI Provider Helm Chart --
+
+██╗███╗   ██╗███████╗██╗███████╗██╗ ██████╗ █████╗ ██╗     
+██║████╗  ██║██╔════╝██║██╔════╝██║██╔════╝██╔══██╗██║     
+██║██╔██╗ ██║█████╗  ██║███████╗██║██║     ███████║██║     
+██║██║╚██╗██║██╔══╝  ██║╚════██║██║██║     ██╔══██║██║     
+██║██║ ╚████║██║     ██║███████║██║╚██████╗██║  ██║███████╗
+╚═╝╚═╝  ╚═══╝╚═╝     ╚═╝╚══════╝╚═╝ ╚═════╝╚═╝  ╚═╝╚══════╝
+Infisical CSI Provider ({{ .Chart.Version }})
+
+╭―― Thank you for installing Infisical CSI Provider! 👋 ―――――――――――――――――――――――――――――――――――――――――┤
+│
+│   Infisical CSI Provider enables Kubernetes to access secrets stored in Infisical 🔒
+│
+│   Current installation details:
+│   • Namespace         : {{ .Release.Namespace }}
+│   • Name              : {{ .Release.Name }}
+│   • Image             : {{ .Values.image.repository }}:{{ .Values.image.tag }}
+│
+╰――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――┤
+
+――― Helpful commands to get started 📝 ――――――――――――――――――――――――――――――――――――――――――――――――――――――――――┤
+
+→ Check if the CSI provider is running:
+$ kubectl get pods -n {{ .Values.namespace }} -l app={{ .Values.name }}
+
+→ View CSI provider logs:
+$ kubectl logs -n {{ .Values.namespace }} -l app={{ .Values.name }}
+
+→ Get your release status:
+$ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+→ Uninstall the provider:
+$ helm uninstall {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――┤
+
+##

helm/templates/daemonset.yaml

@@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    app: {{ .Values.name | default "infisical-csi-provider" }}
+    {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  name: {{ .Values.name | default "infisical-csi-provider" }}
+  namespace: {{ .Values.namespace | default "kube-system" }}
+spec:
+  updateStrategy:
+    type: {{ .Values.updateStrategy | default "RollingUpdate" }}
+  selector:
+    matchLabels:
+      app: {{ .Values.name | default "infisical-csi-provider" }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Values.name | default "infisical-csi-provider" }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.tolerations }}
+      tolerations:
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
+      containers:
+        - name: {{ .Values.name | default "infisical-csi-provider" }}
+          image: {{ .Values.image.repository }}:{{ .Values.image.tag | default "latest" }}
+          imagePullPolicy: {{ .Values.image.pullPolicy | default "Never" }}
+          args:
+            {{- with .Values.args }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            - name: providervol
+              mountPath: {{ .Values.providerVolume.mountPath | default "/provider" }}
+          livenessProbe:
+            {{- toYaml .Values.livenessProbe | nindent 12 }}
+          readinessProbe:
+            {{- toYaml .Values.readinessProbe | nindent 12 }}
+      volumes:
+        - name: providervol
+          hostPath:
+            path: {{ .Values.providerVolume.hostPath | default "/etc/kubernetes/secrets-store-csi-providers" }}
+      nodeSelector:
+        {{- toYaml .Values.nodeSelector | nindent 8 }}

helm/values.yaml

@@ -0,0 +1,64 @@
+# Name of the CSI provider deployment
+name: infisical-csi-provider
+# Namespace where CSI provider will be deployed
+namespace: kube-system
+
+# Container image configuration
+image:
+  repository: infisical/infisical-csi-provider # Image repository name
+  tag: latest # Image tag
+  pullPolicy: IfNotPresent # Pull policy: Always|IfNotPresent|Never
+
+# Infisical provider arguments
+args:
+  - -endpoint=/provider/infisical.sock
+
+# Unix domain socket path for CSI driver communication
+endpoint: /provider/infisical.sock
+
+# Resource limits and requests
+resources:
+  requests:
+    cpu: 50m # Minimum CPU needed
+    memory: 100Mi # Minimum memory needed
+  limits:
+    cpu: 50m # Maximum CPU allowed
+    memory: 100Mi # Maximum memory allowed
+
+# Volume configuration for provider socket
+providerVolume:
+  mountPath: /provider # Container mount path
+  hostPath: /etc/kubernetes/secrets-store-csi-providers # Host path
+
+# Health check for container liveness
+livenessProbe:
+  httpGet:
+    path: /health/ready
+    port: 8080
+    scheme: HTTP
+  failureThreshold: 2 # Number of failures before considered failed
+  initialDelaySeconds: 5 # Wait time before first probe
+  periodSeconds: 5 # Time between probes
+  successThreshold: 1 # Minimum consecutive successes
+  timeoutSeconds: 3 # Probe timeout
+
+# Health check for container readiness
+readinessProbe:
+  httpGet:
+    path: /health/ready
+    port: 8080
+    scheme: HTTP
+  failureThreshold: 2
+  initialDelaySeconds: 5
+  periodSeconds: 5
+  successThreshold: 1
+  timeoutSeconds: 3
+
+# Node selection criteria
+nodeSelector:
+  kubernetes.io/os: linux # Only deploy on Linux nodes
+
+# Optional configurations
+labels: {} # Additional labels for resources
+podLabels: {} # Additional labels for pods
+tolerations: [] # Pod tolerations for node taints

upload-to-cloudsmith.sh

@@ -0,0 +1,7 @@
+cd helm
+helm dependency update
+helm package .
+for i in *.tgz; do
+    [ -f "$i" ] || break
+    cloudsmith push helm --republish infisical/helm-charts "$i"
+done