build: new production ready helm chart (#1224)

* New Helm chart first iteration ready

* Add PgSQL support

* Enable securityContexts and add missing PVC

* Add comments for helm-docs generator

* Fix warning & add template for helm docs generation

* Revert security context, add /tmp volume and djangoSecretKey on backend

* Update appVersion and pgSQL chart dependency

* Fix value format issue

* Disable global securityContext

* Fix issues and move tls option to global

* Fix forgotten value replacement

.gitignore

@@ -16,3 +16,4 @@ caddy_data/
 **/dist/
 **/.meta
 charts/custom-values.yaml
+**/charts/*/charts

charts/ciso-assistant-next/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/ciso-assistant-next/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: postgresql
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 16.4.2
+digest: sha256:324a049cebac3214b20fa37981d674ac1b52de900188b094028d55a12f6b2efd
+generated: "2025-01-14T15:00:53.2616265+01:00"

charts/ciso-assistant-next/Chart.yaml

@@ -0,0 +1,15 @@
+apiVersion: v2
+name: ciso-assistant
+description: A Helm chart for CISO Assistant k8s's deployment
+type: application
+version: 0.1.0
+appVersion: "v2.0.6"
+icon: https://intuitem.com/ciso-assistant.svg
+home: https://intuitem.com
+sources:
+  - https://github.com/intuitem/ciso-assistant-community
+dependencies:
+  - name: postgresql
+    version: "16.4.2"
+    repository: "oci://registry-1.docker.io/bitnamicharts"
+    condition: postgresql.enabled 

charts/ciso-assistant-next/README.md

@@ -0,0 +1,126 @@
+# ciso-assistant
+
+
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.0.6](https://img.shields.io/badge/AppVersion-v2.0.6-informational?style=flat-square) 
+
+A Helm chart for CISO Assistant k8s's deployment
+
+**Homepage:** <https://intuitem.com>
+
+
+
+## Source Code
+
+* <https://github.com/intuitem/ciso-assistant-community>
+
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| oci://registry-1.docker.io/bitnamicharts | postgresql | 16.4.2 |
+
+## Installing the chart
+
+To install the chart, firt get the values.yaml file and customize values.
+
+```
+helm show values oci://ghcr.io/intuitem/ciso-assistant > custom.yaml
+```
+To deploy the release :
+```
+helm install ciso-assistant-release oci://ghcr.io/intuitem/ciso-assistant -f custom.yaml
+```
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| backend.config.databaseType | string | `"sqlite"` | Set the database type (sqlite, pgsql or externalPgsql) # Note : PostgreSQL database configuration at `postgresql` or `externalPgsql` section |
+| backend.config.djangoDebug | bool | `false` | Enable Django debug mode |
+| backend.config.djangoSecretKey | string | `"changeme"` | Set Django secret key |
+| backend.config.emailAdmin | string | `"[email protected]"` | Admin email for initial configuration |
+| backend.config.smtp.defaultFrom | string | `"[email protected]"` | Default from email address |
+| backend.config.smtp.primary.host | string | `"primary.cool-mailer.net"` | Primary SMTP hostname |
+| backend.config.smtp.primary.password | string | `"primary_password_here"` | Primary SMTP password |
+| backend.config.smtp.primary.port | int | `587` | Primary SMTP post |
+| backend.config.smtp.primary.useTls | bool | `true` | Enable TLS for primary SMTP |
+| backend.config.smtp.primary.username | string | `"apikey"` | Primary SMTP username |
+| backend.config.smtp.rescue.host | string | `"smtp.secondary.mailer.cloud"` | Rescue SMTP hostname |
+| backend.config.smtp.rescue.password | string | `"rescue_password_here"` | Rescue SMTP hostname |
+| backend.config.smtp.rescue.port | int | `587` | Rescue SMTP hostname |
+| backend.config.smtp.rescue.useTls | bool | `true` | Enable TLS for rescue SMTP |
+| backend.config.smtp.rescue.username | string | `"username"` | Rescue SMTP hostname |
+| backend.containerSecurityContext | object | `{}`  | Toggle and define container-level security context |
+| backend.env | list | `[]` | Environment variables to pass to backend |
+| backend.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the backend |
+| backend.image.registry | string | `""` (defaults to global.image.registry) | Registry to use for the backend |
+| backend.image.repository | string | `"intuitem/ciso-assistant-community/backend"` | Repository to use for the backend |
+| backend.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the backend |
+| backend.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry |
+| backend.name | string | `"backend"` | Backend name |
+| backend.persistence.localStorage.accessMode | string | `"ReadWriteOnce"` | Local Storage persistant volume accessMode |
+| backend.persistence.localStorage.enabled | bool | `true` | Enable Local Storage persistence |
+| backend.persistence.localStorage.size | string | `"5Gi"` | Local Storage persistant volume size |
+| backend.persistence.localStorage.storageClass | string | `""` | Local Storage persistant volume storageClass |
+| backend.persistence.sqlite.accessMode | string | `"ReadWriteOnce"` | SQLite persistant volume accessMode |
+| backend.persistence.sqlite.enabled | bool | `true` | Enable SQLite persistence Note: only when `backend.config.databaseType` use `sqlite` value |
+| backend.persistence.sqlite.size | string | `"5Gi"` | SQLite persistant volume size |
+| backend.persistence.sqlite.storageClass | string | `""` | SQLite persistant volume storageClass |
+| backend.replicas | int | `1` | The number of backend pods to run |
+| backend.resources | object | `{}` | Resources for the backend |
+| backend.service.annotations | object | `{}` | Backend service annotations |
+| backend.service.labels | object | `{}` | Backend service labels |
+| backend.service.port | int | `80` | Backend service http port |
+| backend.service.portName | string | `"http"` | Backend service port name |
+| externalPgsql.database | string | `"ciso-assistant"` | Database inside an external PostgreSQL to connect |
+| externalPgsql.existingSecret | string | `""` | Secret containing the password of an external PostgreSQL instance to connect # Name of an existing secret resource containing the DB password in a 'password' key |
+| externalPgsql.host | string | `""` | Host of an external PostgreSQL instance to connect |
+| externalPgsql.password | string | `""` | Password of an external PostgreSQL instance to connect |
+| externalPgsql.port | int | `5432` | Port of an external PostgreSQL to connect |
+| externalPgsql.user | string | `"ciso-assistant"` | User of an external PostgreSQL instance to connect |
+| frontend.config.bodySizeLimit | string | `"50M"` | Configure body size limit for uploads in bytes (unit suffix like K/M/G can be used) |
+| frontend.containerSecurityContext | object | `{}`  | Toggle and define container-level security context |
+| frontend.env | list | `[]` | Environment variables to pass to frontend |
+| frontend.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the frontend |
+| frontend.image.registry | string | `""` (defaults to global.image.registry) | Registry to use for the frontend |
+| frontend.image.repository | string | `"intuitem/ciso-assistant-community/frontend"` | Repository to use for the frontend |
+| frontend.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the frontend |
+| frontend.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry |
+| frontend.name | string | `"frontend"` | Frontend name |
+| frontend.replicas | int | `1` | The number of frontend pods to run |
+| frontend.resources | object | `{}` | Resources for the frontend |
+| frontend.service.annotations | object | `{}` | Frontend service annotations |
+| frontend.service.labels | object | `{}` | Frontend service labels |
+| frontend.service.port | int | `80` | Frontend service http port |
+| frontend.service.portName | string | `"http"` | Frontend service port name |
+| fullnameOverride | string | `""` | String to fully override `"ciso-assistant.fullname"` |
+| global.clusterDomain | string | `"cluster.local"` | Kubernetes cluster domain name |
+| global.commonLabels | object | `{}` | Labels to add to all deployed objects |
+| global.domain | string | `"octopus.foo.bar"` | Default domain used by all components # Used for ingresses, certificates, environnement vars, etc. |
+| global.image.imagePullPolicy | string | `"IfNotPresent"` | If defined, a imagePullPolicy applied to all CISO Assistant deployments |
+| global.image.registry | string | `"ghcr.io"` | If defined, a registry applied to all CISO Assistant deployments |
+| global.image.tag | string | `""` | Overrides the global CISO Assistant image tag whose default is the chart appVersion |
+| global.imagePullSecrets | list | `[]` | Secrets with credentials to pull images from a private registry |
+| global.nodeSelector | object | `{}` | Default node selector for all components |
+| global.securityContext | object | `{}`  | Toggle and define pod-level security context |
+| global.tls | bool | `false` | Globally enable TLS (Ingress, URLs, etc.) |
+| global.tolerations | list | `[]` | Default tolerations for all components |
+| ingress.annotations | object | `{}` | Additional ingress annotations |
+| ingress.certificateSecret | object | `{}` | Custom TLS certificate as secret # Note: 'key' and 'certificate' are expected in PEM format |
+| ingress.enabled | bool | `true` | Enable an ingress resource for the CISO Assistant |
+| ingress.ingressClassName | string | `""` | Defines which ingress controller will implement the resource |
+| ingress.labels | object | `{}` | Additional ingress labels |
+| ingress.path | string | `"/"` | The path to CISO Assistant |
+| ingress.pathType | string | `"Prefix"` | Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` |
+| nameOverride | string | `"ciso-assistant"` | Provide a name in place of `ciso-assistant` |
+| postgresql.enabled | bool | `false` | Enable to deploy PostgreSQL. |
+| postgresql.global.postgresql.auth.database | string | `"ciso-assistant"` | Database name |
+| postgresql.global.postgresql.auth.password | string | `""` | Database user account password # Note: if not set, it will be dynamically generated |
+| postgresql.global.postgresql.auth.postgresPassword | string | `""` | Super-user postgres account password # Note: if not set, it will be dynamically generated |
+| postgresql.global.postgresql.auth.username | string | `"ciso-assistant"` | Database username |
+| postgresql.primary.persistence.size | string | `"5Gi"` | PostgreSQL persistant volume size (default 8Gi). |
+
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

charts/ciso-assistant-next/README.md.gotmpl

@@ -0,0 +1,30 @@
+{{ template "chart.header" . }}
+{{ template "chart.deprecationWarning" . }}
+
+{{ template "chart.badgesSection" . }}
+
+{{ template "chart.description" . }}
+
+{{ template "chart.homepageLine" . }}
+
+{{ template "chart.maintainersSection" . }}
+
+{{ template "chart.sourcesSection" . }}
+
+{{ template "chart.requirementsSection" . }}
+
+## Installing the chart
+
+To install the chart, firt get the values.yaml file and customize values.
+
+```
+helm show values oci://ghcr.io/intuitem/ciso-assistant > custom.yaml
+```
+To deploy the release :
+```
+helm install ciso-assistant-release oci://ghcr.io/intuitem/ciso-assistant -f custom.yaml
+```
+
+{{ template "chart.valuesSection" . }}
+
+{{ template "helm-docs.versionFooter" . }}

charts/ciso-assistant-next/templates/_helpers.tpl

@@ -0,0 +1,75 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "ciso-assistant.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+*/}}
+{{- define "ciso-assistant.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "ciso-assistant.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/* 
+Define CISO Assistant default tag version.
+*/}}
+{{- define "ciso-assistant.defaultTag" -}}
+{{- default .Chart.AppVersion .Values.global.image.tag -}}
+{{- end -}}
+
+{{/*
+Return valid version label
+*/}}
+{{- define "ciso-assistant.versionLabelValue" -}}
+{{ regexReplaceAll "[^-A-Za-z0-9_.]" (include "ciso-assistant.defaultTag" .) "-" | trunc 63 | trimAll "-" | trimAll "_" | trimAll "." | quote }}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "ciso-assistant.labels" -}}
+helm.sh/chart: {{ include "ciso-assistant.chart" .context }}
+{{ include "ciso-assistant.selectorLabels" (dict "context" .context "component" .component "name" .name) }}
+app.kubernetes.io/managed-by: {{ .context.Release.Service }}
+app.kubernetes.io/version: {{ include "ciso-assistant.versionLabelValue" .context }}
+{{- with .context.Values.global.commonLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "ciso-assistant.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "ciso-assistant.name" .context }}
+app.kubernetes.io/instance: {{ .context.Release.Name }}
+{{- if .component }}
+app.kubernetes.io/component: {{ .component }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define complete url based on scheme and domain
+*/}}
+{{- define "ciso-assistant.url" -}}
+{{- $scheme := ternary "https" "http" .Values.global.tls -}}
+{{- printf "%s://%s" $scheme .Values.global.domain -}}
+{{- end -}}