From aab1316e90d925c43822c7c1224c1d2fdf299f86 Mon Sep 17 00:00:00 2001 
From: jslay-excella <59629491+jslay-excella@users.noreply.github.com> Date: Thu, 26 Jan 2023 14:52:09 -0700 Subject: [PATCH] Initial Commit --- .gitattributes | 1 + .github/ISSUE_TEMPLATE.md | 17 +++ .github/PULL_REQUEST_TEMPLATE.md | 42 ++++++ .github/workflows/lint.yml | 37 +++++ .github/workflows/publish.yml | 33 +++++ .github/workflows/release.yml | 19 +++ .gitignore | 81 +++++++++++ CHANGELOG.md | 18 +++ CODE_OF_CONDUCT.md | 115 +++++++++++++++ CONTRIBUTING.md | 32 +++++ LICENSE | 121 ++++++++++++++++ README.md | 127 +++++++++++++++++ TERMS.md | 52 +++++++ charts/static-site/.helmignore | 23 +++ charts/static-site/Chart.yaml | 29 ++++ charts/static-site/templates/NOTES.txt | 22 +++ charts/static-site/templates/_helpers.tpl | 62 ++++++++ charts/static-site/templates/deployment.yaml | 116 +++++++++++++++ charts/static-site/templates/hpa.yaml | 28 ++++ charts/static-site/templates/ingress.yaml | 61 ++++++++ charts/static-site/templates/mapping.yaml | 14 ++ charts/static-site/templates/service.yaml | 15 ++ .../static-site/templates/serviceaccount.yaml | 12 ++ .../templates/tests/test-connection.yaml | 15 ++ charts/static-site/values.yaml | 134 ++++++++++++++++++ ct.yaml | 4 + 26 files changed, 1230 insertions(+) create mode 100644 .gitattributes create mode 100755 .github/ISSUE_TEMPLATE.md create mode 100755 .github/PULL_REQUEST_TEMPLATE.md create mode 100644 .github/workflows/lint.yml create mode 100644 .github/workflows/publish.yml create mode 100644 .github/workflows/release.yml create mode 100644 .gitignore create mode 100644 CHANGELOG.md create mode 100644 CODE_OF_CONDUCT.md create mode 100644 CONTRIBUTING.md create mode 100644 LICENSE create mode 100644 README.md create mode 100644 TERMS.md create mode 100644 charts/static-site/.helmignore create mode 100644 charts/static-site/Chart.yaml create mode 100644 charts/static-site/templates/NOTES.txt create mode 100644 charts/static-site/templates/_helpers.tpl create mode 100644 
charts/static-site/templates/deployment.yaml create mode 100644 charts/static-site/templates/hpa.yaml create mode 100644 charts/static-site/templates/ingress.yaml create mode 100644 charts/static-site/templates/mapping.yaml create mode 100644 charts/static-site/templates/service.yaml create mode 100644 charts/static-site/templates/serviceaccount.yaml create mode 100644 charts/static-site/templates/tests/test-connection.yaml create mode 100644 charts/static-site/values.yaml create mode 100644 ct.yaml diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..3d432e0 --- /dev/null +++ b/.gitattributes @@ -0,0 +1 @@ +/CHANGELOG.md merge=union diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md new file mode 100755 index 0000000..63a2ff5 --- /dev/null +++ b/.github/ISSUE_TEMPLATE.md @@ -0,0 +1,17 @@ +Short description explaining the high-level reason for the new issue. + +## Current behavior + + +## Expected behavior + + +## Steps to replicate behavior (include URLs) + +1. + + +## Screenshots + + + diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100755 index 0000000..959a27d --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,42 @@ +[Short description explaining the high-level reason for the pull request] + +## Additions + +- + +## Removals + +- + +## Changes + +- + +## Testing + +1. + +## Screenshots + + +## Notes + +- + +## Todos + +- + +## Checklist + +- [ ] PR has an informative and human-readable title +- [ ] Changes are limited to a single goal (no scope creep) +- [ ] Code can be automatically merged (no conflicts) +- [ ] Passes all existing automated tests +- [ ] Placeholder code is flagged / future todos are captured in comments +- [ ] Reviewers requested with the [Reviewers tool](https://help.github.com/articles/requesting-a-pull-request-review/) :arrow_right: + +## Testing checklist + + +### Other 
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 0000000..1ae2a4e
--- /dev/null
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,37 @@
+name: helmlint
+
+on: pull_request
+
+jobs:
+ lint-test:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 1
+ - uses: dorny/paths-filter@v2
+ id: filter
+ with:
+ filters: |
+ helmlint:
+ - 'charts/static-site/**.yaml'
+ - 'charts/static-site/templates/**.tpl'
+ - name: Set up Helm
+ if: steps.filter.outputs.helmlint == 'true'
+ uses: azure/setup-helm@v1
+ with:
+ version: v3.9.2
+
+ - name: Set up chart-testing
+ if: steps.filter.outputs.helmlint == 'true'
+ uses: helm/chart-testing-action@v2.2.1
+
+ - name: Run chart-testing (lint)
+ if: steps.filter.outputs.helmlint == 'true'
+ run: ct lint --config ct.yaml
+
+ - name: Helm Template Test
+ if: steps.filter.outputs.helmlint == 'true'
+ run: |
+ helm template testtemplate charts/static-site
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..7b3ce21
--- /dev/null
+++ b/.github/workflows/publish.yml
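Review bot: lint.yml sets no `permissions:` block and references every action by a mutable tag (`actions/checkout@v3`, `dorny/paths-filter@v2`, `azure/setup-helm@v1`, `helm/chart-testing-action@v2.2.1`), so the job runs with the repository's default token scope and with whatever code those tags point to at run time. Add a top-level `permissions:` mapping with `contents: read` and `pull-requests: read` (the scope paths-filter documents for listing changed files), and pin each `uses:` to a full commit SHA, e.g. `uses: dorny/paths-filter@<full-commit-sha> # v2`. Separately, `ct lint` normally compares against the target branch, so `fetch-depth: 1` may leave it without the history it needs unless `ct.yaml` (not shown in this hunk) names the chart explicitly; `fetch-depth: 0` is the usual setting for it.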
@@ -0,0 +1,33 @@
+name: Publish Helm Chart
+
+on:
+ workflow_call:
+
+jobs:
+ publish:
+ name: Publish Helm Chart
+ runs-on: ubuntu-latest
+ permissions:
+ packages: write
+ contents: read
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 1
+
+ - name: Install Helm
+ run: curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
+
+ - name: Build Helm Chart
+ run: helm package ./charts/static-site
+
+ - name: GitHub Container Registry Login
+ run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin
+
+ - name: Publish Helm Chart to GitHub Container Registry
+ run: |
+ CHART_NAME=$(echo "${GITHUB_REPOSITORY#*/}" | sed -e 's,.*/\(.*\),\1,')
+ CHART_VERSION=$(grep 'version:' ./charts/$CHART_NAME/Chart.yaml | tail -n1 | awk '{ print $2}')
+ # Change all uppercase to lowercase
+ CHART_NAME=$(echo $CHART_NAME | tr '[A-Z]' '[a-z]')
+ helm push ${CHART_NAME}-${CHART_VERSION}.tgz oci://ghcr.io/${GITHUB_REPOSITORY%/*}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..36939b2
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,19 @@
+name: Create Release
+# Create GitHub release
+# Runs on semantic versioned tags only
+
+on:
+ push:
+ tags:
+ - "*.*.*"
+
+jobs:
+ publish:
+ name: Publish Helm Chart
+ uses: ./.github/workflows/publish.yml
+ release:
+ runs-on: ubuntu-latest
+ name: Create GitHub Release
+ steps:
+ - name: Create GitHub Release
+ uses: softprops/action-gh-release@v1
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b0076fb
--- /dev/null
+++ b/.gitignore
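Review bot: In publish.yml the `Install Helm` step pipes a script fetched from the `main` branch of helm/helm straight into `bash`, in a job whose token carries `packages: write`, so whatever that URL serves at run time executes with publish rights. The lint workflow already installs a pinned Helm through `azure/setup-helm@v1` with `version: v3.9.2`, and the same step fits here. In the login step, `${{ secrets.GITHUB_TOKEN }}` is expanded into the script text instead of being passed through `env:`, and `-u $` looks like a username expression that was lost, so a literal `$` is sent as the user name. The sketch below moves both values into `env:` and logs in with `helm registry login`. The publish step also derives `CHART_NAME` from the repository name while the package step hard-codes `./charts/static-site`, so the two agree only when the repository is named after the chart.

```yaml
      # … unchanged: checkout …
      - name: Install Helm
        uses: azure/setup-helm@v1
        with:
          version: v3.9.2

      # … unchanged: Build Helm Chart …

      - name: GitHub Container Registry Login
        env:
          GHCR_USER: ${{ github.actor }}
          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: echo "$GHCR_TOKEN" | helm registry login ghcr.io -u "$GHCR_USER" --password-stdin
      # … unchanged: Publish Helm Chart to GitHub Container Registry …
```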
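Review bot: In release.yml the `release` job runs the third-party `softprops/action-gh-release@v1` by mutable tag, declares no `permissions:`, and has no `needs: publish`, so a GitHub release is created even when the chart push fails. Pin the action to a full commit SHA (`uses: softprops/action-gh-release@<full-commit-sha> # v1`), add `needs: publish`, and give the job a `permissions:` mapping holding only `contents: write`. The calling `publish` job likewise declares no permissions; a called workflow can only narrow the caller's token, so if the repository default is read-only the `packages: write` requested in publish.yml would not be granted. The `"*.*.*"` filter also matches any tag containing two dots, which is wider than the "semantic versioned tags only" the comment promises.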
@@ -0,0 +1,81 @@ +# Compiled source # +################### +*.com +*.class +*.dll +*.exe +*.o +*.so +_site/ + +# Packages # +############ +# it's better to unpack these files and commit the raw source +# git has its own built in compression methods +*.7z +*.dmg +*.gz +*.iso +*.jar +*.rar +*.tar +*.zip + +# Logs and databases # +###################### +*.log +*.sql +*.sqlite + +# OS generated files # +###################### +.DS_Store +.DS_Store? +.Spotlight-V100 +.Trashes +Icon? +ehthumbs.db +Thumbs.db + +# Vim swap files # +################## +*.swp + +# Python # +################# +*.pyc +*.egg-info/ +__pycache__/ +*.py[cod] +.env +.python-version + +# pyenv # +######### +.python-version + +# Django # +################# +*.egg-info +.installed.cfg + +# Unit test / coverage reports +################# +htmlcov/ +.tox/ +.coverage +.cache +nosetests.xml +coverage.xml + +# Front-End # +############# +node_modules/ +bower_components/ +.grunt/ +src/vendor/ +dist/ + +# IDE # +####### +.idea/ diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..3c3195d --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,18 @@ +All notable changes to this project will be documented in this file. +We follow the [Semantic Versioning 2.0.0](http://semver.org/) format. + + +## 0.1.0 - 2023-01-26 +Initial Release + +### Added +- `static-site` Helm Chart with `git`, `wget`, and `s3` capabilities. + +### Deprecated +- Nothing. + +### Removed +- Nothing. + +### Fixed +- Nothing. diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..b756621 --- /dev/null +++ b/CODE_OF_CONDUCT.md 
@@ -0,0 +1,115 @@ +# CFPB Open Source Code of Conduct + +## Introduction + +The [Consumer Financial Protection Bureau](https://www.consumerfinance.gov) (CFPB) is committed to +building a safe, welcoming, harassment-free culture for everyone. We do not merely want an +environment that is free from hostility, we want one that is actively welcoming and inclusive. We +want our team, our workplace culture, and our open source community to reflect and celebrate the +diversity of the people we serve. + +This Code of Conduct summarizes federal anti-harassment law and CFPB policy. + +## Scope + +We expect everyone on the CFPB team, and those contributing to our open source community, to exhibit +these behaviors and abide by applicable federal laws and CFPB policies. In addition, we expect +everyone within CFPB spaces to exhibit these behaviors and refrain from behavior prohibited by +anti-harassment laws and federal policies on harassment. These spaces include: + +- CFPB’s physical offices +- CFPB events and meetings +- All of CFPB’s online forums and virtual collaboration tools, including code repositories + + +## What we strive for + +At the CFPB, we strive to create a welcoming and inclusive culture that empowers people to best protect +the financial interests of all consumers. That kind of atmosphere requires an open exchange of ideas +balanced by thoughtful guidelines. 
Examples of behavior that contributes to a positive environment +for our open source community include: + +- Demonstrating empathy and kindness toward other people +- Being respectful of differing opinions, viewpoints, and experiences +- Giving and gracefully accepting constructive feedback +- Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience +- Focusing on what is best not just for us as individuals, but for the overall community and public + +## Unacceptable behavior + +To help understand the kinds of behaviors that are illegal or run counter to the culture we seek to +foster, we've listed some actions below that violate federal law and CFPB policy. We've also included +steps to take if you encounter behavior that runs contrary to this policy. + +The CFPB Policy Statement on Equal Employment Opportunity and Workplace Harassment forbids +discrimination or harassment based on: + +- Race +- Color +- Religion +- Sex (including pregnancy, sexual orientation, transgender status, gender identity or expression, gender non-conformity, or sex stereotyping of any kind) +- National origin +- Disability +- Age (40 years or older) +- Genetic information +- Parental status +- Political affiliation +- Marital status +- Uniformed status +- Membership in a labor organization or union activities +- Prior equal employment opportunity (EEO) or whistleblower activity +- Any other factor unrelated to your merit + +The policy also forbids harassing conduct, which includes unwelcome conduct based on any (or a combination of) protected traits or characteristics. Such conduct may take the form of any of the following: + +- Offensive jokes, comments, objects, or pictures +- Questions about a person’s identity (e.g., disability status, gender identity, sexual orientation, national origin, etc.) 
+- Undue attention +- Ridicule or mockery +- Insults or put-downs +- Touching/physical contact +- Slurs or epithets +- Threats or other forms of intimidation +- Physical or sexual assault + +## Reporting violations + +If you are a CFPB employee, former CFPB employee, or job applicant to CFPB and believe you have been +discriminated against or harassed on the basis of race, color, religion, sex (including pregnancy, +sexual orientation, transgender status, gender identity or expression, gender non-conformity, or sex +stereotyping of any kind), national origin, disability, age (40 years or older), genetic information, +parental status, or retaliated against for prior Equal Employment Opportunity (EEO) activity, contact the CFPB’s Office of Civil Rights. + +CFPB_EEO@consumerfinance.gov + +(202) 435-9EEO +(855) 233-0362 +TTY: (202) 435-9742 + +Office of Civil Rights +Consumer Financial Protection Bureau +1700 G Street, NW +Washington, D.C. 20552 + +For help filing a complaint about discrimination on the basis of marital status, political +affiliation, or any other non-merit factor, or for claims of retaliation for [whistleblower activity](https://www.consumerfinance.gov/office-civil-rights/whistleblowers/), contact the [Office of Special Counsel](https://www.osc.gov/) or the [Merit Systems Protection Board](https://www.mspb.gov/). + +For help filing a complaint about discrimination on the basis of uniformed status, you may contact +the [Veterans’ Employment and Training Service (VETS)](https://www.dol.gov/vets/) at the Department of Labor, the [Merit Systems Protection Board](https://www.mspb.gov/), or the [Office of Special Counsel](https://osc.gov/), depending on the circumstances. + +For help filing a complaint about discrimination on the basis of membership in a labor organization, +you may contact the [Federal Labor Relations Authority](https://flra.gov/) or your union (if applicable). 
+ +### Equal employment opportunity policy + +For more information about the CFPB’s equal employment opportunity (EEO) policies and procedures visit https://www.consumerfinance.gov/office-civil-rights/eeo-policy-and-reports/ + +## Credits + +The CFPB is greatly appreciative of the multiple sources that we drew from to build this Code of Conduct, including: + +- [The Technology Transformation Services (TTS) Code of Conduct](https://18f.gsa.gov/code-of-conduct/) +- [The Contributor Covenant](https://www.contributor-covenant.org/) +- [Code for America Code of Conduct](https://github.com/codeforamerica/codeofconduct) +- [Ada Initiative: HOWTO design a code of conduct for your community](https://adainitiative.org/2014/02/18/howto-design-a-code-of-conduct-for-your-community/) +- [Geek Feminism Code of Conduct](https://geekfeminismdotorg.wordpress.com/about/code-of-conduct/) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..3495919 --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,32 @@ +# Guidance on how to contribute + +> All contributions to this project will be released under the CC0 public domain +> dedication. By submitting a pull request or filing a bug, issue, or +> feature request, you are agreeing to comply with this waiver of copyright interest. +> Details can be found in our [TERMS](TERMS.md) and [LICENSE](LICENSE). + + +There are two primary ways to help: + - Using the issue tracker, and + - Changing the code-base. + + +## Using the issue tracker + +Use the issue tracker to suggest feature requests, report bugs, and ask questions. +This is also a great way to connect with the developers of the project as well +as others who are interested in this solution. + +Use the issue tracker to find ways to contribute. Find a bug or a feature, mention in +the issue that you will take on that effort, then follow the _Changing the code-base_ +guidance below. + + +## Changing the code-base + +Generally speaking, you should fork this repository, make changes in your +own fork, and then submit a pull request. All new code should have associated +unit tests that validate implemented features and the presence or lack of defects. +Additionally, the code should follow any stylistic and architectural guidelines +prescribed by the project. In the absence of such guidelines, mimic the styles +and patterns in the existing code-base. diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..0e259d4 --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,121 @@ +Creative Commons Legal Code + +CC0 1.0 Universal + + CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE + LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN + ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS + INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES + REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS + PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM + THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED + HEREUNDER. + +Statement of Purpose + +The laws of most jurisdictions throughout the world automatically confer +exclusive Copyright and Related Rights (defined below) upon the creator +and subsequent owner(s) (each and all, an "owner") of an original work of +authorship and/or a database (each, a "Work"). + +Certain owners wish to permanently relinquish those rights to a Work for +the purpose of contributing to a commons of creative, cultural and +scientific works ("Commons") that the public can reliably and without fear +of later claims of infringement build upon, modify, incorporate in other +works, reuse and redistribute as freely as possible in any form whatsoever +and for any purposes, including without limitation commercial purposes. +These owners may contribute to the Commons to promote the ideal of a free +culture and the further production of creative, cultural and scientific +works, or to gain reputation or greater distribution for their Work in +part through the use and efforts of others. 
+ +For these and/or other purposes and motivations, and without any +expectation of additional consideration or compensation, the person +associating CC0 with a Work (the "Affirmer"), to the extent that he or she +is an owner of Copyright and Related Rights in the Work, voluntarily +elects to apply CC0 to the Work and publicly distribute the Work under its +terms, with knowledge of his or her Copyright and Related Rights in the +Work and the meaning and intended legal effect of CC0 on those rights. + +1. Copyright and Related Rights. A Work made available under CC0 may be +protected by copyright and related or neighboring rights ("Copyright and +Related Rights"). Copyright and Related Rights include, but are not +limited to, the following: + + i. the right to reproduce, adapt, distribute, perform, display, + communicate, and translate a Work; + ii. moral rights retained by the original author(s) and/or performer(s); +iii. publicity and privacy rights pertaining to a person's image or + likeness depicted in a Work; + iv. rights protecting against unfair competition in regards to a Work, + subject to the limitations in paragraph 4(a), below; + v. rights protecting the extraction, dissemination, use and reuse of data + in a Work; + vi. database rights (such as those arising under Directive 96/9/EC of the + European Parliament and of the Council of 11 March 1996 on the legal + protection of databases, and under any national implementation + thereof, including any amended or successor version of such + directive); and +vii. other similar, equivalent or corresponding rights throughout the + world based on applicable law or treaty, and any national + implementations thereof. + +2. Waiver. 
To the greatest extent permitted by, but not in contravention +of, applicable law, Affirmer hereby overtly, fully, permanently, +irrevocably and unconditionally waives, abandons, and surrenders all of +Affirmer's Copyright and Related Rights and associated claims and causes +of action, whether now known or unknown (including existing as well as +future claims and causes of action), in the Work (i) in all territories +worldwide, (ii) for the maximum duration provided by applicable law or +treaty (including future time extensions), (iii) in any current or future +medium and for any number of copies, and (iv) for any purpose whatsoever, +including without limitation commercial, advertising or promotional +purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each +member of the public at large and to the detriment of Affirmer's heirs and +successors, fully intending that such Waiver shall not be subject to +revocation, rescission, cancellation, termination, or any other legal or +equitable action to disrupt the quiet enjoyment of the Work by the public +as contemplated by Affirmer's express Statement of Purpose. + +3. Public License Fallback. Should any part of the Waiver for any reason +be judged legally invalid or ineffective under applicable law, then the +Waiver shall be preserved to the maximum extent permitted taking into +account Affirmer's express Statement of Purpose. 
In addition, to the +extent the Waiver is so judged Affirmer hereby grants to each affected +person a royalty-free, non transferable, non sublicensable, non exclusive, +irrevocable and unconditional license to exercise Affirmer's Copyright and +Related Rights in the Work (i) in all territories worldwide, (ii) for the +maximum duration provided by applicable law or treaty (including future +time extensions), (iii) in any current or future medium and for any number +of copies, and (iv) for any purpose whatsoever, including without +limitation commercial, advertising or promotional purposes (the +"License"). The License shall be deemed effective as of the date CC0 was +applied by Affirmer to the Work. Should any part of the License for any +reason be judged legally invalid or ineffective under applicable law, such +partial invalidity or ineffectiveness shall not invalidate the remainder +of the License, and in such case Affirmer hereby affirms that he or she +will not (i) exercise any of his or her remaining Copyright and Related +Rights in the Work or (ii) assert any associated claims and causes of +action with respect to the Work, in either case contrary to Affirmer's +express Statement of Purpose. + +4. Limitations and Disclaimers. + + a. No trademark or patent rights held by Affirmer are waived, abandoned, + surrendered, licensed or otherwise affected by this document. + b. Affirmer offers the Work as-is and makes no representations or + warranties of any kind concerning the Work, express, implied, + statutory or otherwise, including without limitation warranties of + title, merchantability, fitness for a particular purpose, non + infringement, or the absence of latent or other defects, accuracy, or + the present or absence of errors, whether or not discoverable, all to + the greatest extent permissible under applicable law. + c. 
Affirmer disclaims responsibility for clearing rights of other persons + that may apply to the Work or any use thereof, including without + limitation any person's Copyright and Related Rights in the Work. + Further, Affirmer disclaims responsibility for obtaining any necessary + consents, permissions or other rights required for any use of the + Work. + d. Affirmer understands and acknowledges that Creative Commons is not a + party to this document and has no duty or obligation with respect to + this CC0 or use of the Work. diff --git a/README.md b/README.md new file mode 100644 index 0000000..8573eb5 --- /dev/null +++ b/README.md 
@@ -0,0 +1,127 @@ +# Static Site Chart +This chart is used to simplify the deployment +of static sites that are hosted on a Git repository, +URL, or S3 bucket. + + +## How this works + +The Pod has 2 containers, an init container, and the web container (nginx). +The init container will clone/download the specified repository and +extract/copy the static files into an ephemeral directory. +This directory is then mounted to the web container +(nginx `/usr/share/nginx/html`). + + +## Usage +You will need to determine which method you will use to obtain +the static files. + +Method is selected via `init.method`. Valid options are +`git`, `wget`, or `s3`. Default is `git`. + +Refer to [values.yaml](./charts/static-site/values.yaml) for +the full set of overrides, including Ingress and Ambassador +Mapping. + +### Git Value Overrides +The following values are used to drive the cloning of the +Git repository. + +`init.git.repository` - The repository URL to clone + +`init.git.ref` - The ref to checkout on clone (if any) + +`init.git.subPath` - The sub path to root of the static files +(if not the root of the repository) + +```bash +helm upgrade --install --wait \ + --set init.git.repository= \ + --set init.git.ref= --set init.git.subPath= \ + oci://ghcr.io/cfpb/static-site +``` + + +### Wget Value Overrides +The following values are used to drive the downloading of +an archive from a URL, and extracting static root to `/static`. + +`init.wget.url` - The URL to the artifact to download. + +`init.wget.targetFile` - Filename to save the artifact as +(to be used for extraction). This is also accessible for the extraction +command via environment variable `$TARGET_FILE`. Default is `static.tar`. +This file is downloaded to `/tmp/$TARGET_FILE`. + +`init.wget.extractCommad` - The command needed to extract the artifact +and copy static root to `/static`. +Default is `tar xvf /tmp/$TARGET_FILE -C /static`. +Available extraction tools are `tar`, `unzip`, `gunzip`, and more. 
+ +**NOTE:** You will need to escape `$` when using `$TARGET_FILE` in +the extract command to avoid local variable expansion. + +```bash +helm upgrade --install --wait \ + --set init.method=wget --set init.wget.url= \ + --set init.wget.extractCommand="tar xvf /tmp/\$TARGET_FILE -C /static" \ + oci://ghcr.io/cfpb/static-site +``` + +You can even chain commands if you need to extract a subdirectory instead. + +```bash +helm upgrade --install --wait \ + --set init.method=wget --set init.wget.url= \ + --set init.wget.extractCommand="tar xvf /tmp/\$TARGET_FILE -C /tmp/static + && cp -Rfp /tmp/static/subdir/* /static" \ + oci://ghcr.io/cfpb/static-site +``` + + +### AWS S3 Value Overrides +The following values are used to drive the downloading of +an object from an S3 bucket, and extracting static root to `/static`. + +**NOTE:** To use S3, you will need to attach a Service Account that +has the appropriate permissions to access the S3 bucket. This is done +via `serviceAccount.name`. + +`init.s3.bucket` - The bucket name containing the artifact object + +`init.s3.object` - Object path to the static files artifact. + +`init.s3.targetFile` - Filename to save the artifact as +(to be used for extraction). This is also accessible for the extraction +command via environment variable `$TARGET_FILE`. Default is `static.tar`. +This file is downloaded to `/tmp/$TARGET_FILE`. + +`init.s3.extractCommand` - The command needed to extract the artifact +and copy static root to `/static`. +Default is `tar xvf /tmp/$TARGET_FILE -C /static`. +Available extraction tools are `tar`, `unzip`, `gunzip`, and more. + +**NOTE:** You will need to escape `$` when using `$TARGET_FILE` in +the extract command to avoid local variable expansion. 
+ +```bash +helm upgrade --install --wait \ + --set serviceAccount.name= \ + --set init.method=s3 --set init.s3.bucket= \ + --set init.s3.object= \ + --set init.s3.extractCommand="tar xvf /tmp/\$TARGET_FILE -C /static" \ + oci://ghcr.io/cfpb/static-site +``` + +You can even chain commands if you need to extract a subdirectory instead. + +```bash +helm upgrade --install --wait \ + --set serviceAccount.name= \ + --set init.method=s3 --set init.s3.bucket= \ + --set init.s3.object= \ + --set init.s3.extractCommand="tar xvf /tmp/\$TARGET_FILE -C /tmp/static + && cp -Rfp /tmp/static/subdir/* /static" \ + oci://ghcr.io/cfpb/static-site +``` diff --git a/TERMS.md b/TERMS.md new file mode 100644 index 0000000..f64c133 --- /dev/null +++ b/TERMS.md 
@@ -0,0 +1,52 @@ +As a work of the United States Government, this package (excluding any +exceptions listed below) is in the public domain within the United States. +Additionally, we waive copyright and related rights in the work worldwide +through the [CC0 1.0 Universal public domain dedication][CC0]. + +Software source code previously released under an open source license and then +modified by CFPB staff or its contractors is considered a "joint work" +(see 17 USC § 101); it is partially copyrighted, partially public domain, +and as a whole is protected by the copyrights of the non-government authors and +must be released according to the terms of the original open-source license. +Segments written by CFPB staff, and by contractors who are developing software +on behalf of CFPB are also in the public domain, and copyright and related +rights for that work are waived through the CC0 1.0 Universal dedication. + +For further details, please see the CFPB [Source Code Policy][policy]. + + +## CC0 1.0 Universal Summary + +This is a human-readable summary of the [Legal Code (read the full text)][CC0]. + +### No Copyright + +The person who associated a work with this deed has dedicated the work to +the public domain by waiving all of his or her rights to the work worldwide +under copyright law, including all related and neighboring rights, to the +extent allowed by law. + +You can copy, modify, distribute and perform the work, even for commercial +purposes, all without asking permission. See Other Information below. + +### Other Information + +In no way are the patent or trademark rights of any person affected by CC0, +nor are the rights that other persons may have in the work or in how the +work is used, such as publicity or privacy rights. + +Unless expressly stated otherwise, the person who associated a work with +this deed makes no warranties about the work, and disclaims liability for +all uses of the work, to the fullest extent permitted by applicable law. 
+When using or citing the work, you should not imply endorsement by the +author or the affirmer. + +[policy]: https://github.com/cfpb/source-code-policy/ +[CC0]: http://creativecommons.org/publicdomain/zero/1.0/legalcode + + +## Exceptions + +_Source code or other assets that are excluded from the TERMS should be listed +here. These may include dependencies that may be licensed differently or are +not in the public domain._ diff --git a/charts/static-site/.helmignore b/charts/static-site/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/charts/static-site/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/static-site/Chart.yaml b/charts/static-site/Chart.yaml new file mode 100644 index 0000000..2190930 --- /dev/null +++ b/charts/static-site/Chart.yaml 
@@ -0,0 +1,29 @@
+apiVersion: v2
+name: static-site
+description: A Helm chart for a static site
+icon: https://www.consumerfinance.gov/static/icon.svg
+
+maintainers:
+ - name: cfpb
+ email: tech@cfpb.gov
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.1.0"
diff --git a/charts/static-site/templates/NOTES.txt b/charts/static-site/templates/NOTES.txt
new file mode 100644
index 0000000..1fa8941
--- /dev/null
+++ b/charts/static-site/templates/NOTES.txt
@@ -0,0 +1,22 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+ {{- range .paths }}
+ http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+ {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+ export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "static-site.fullname" . }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "static-site.fullname" . }}'
+ export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "static-site.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+ echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "static-site.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+ export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+ echo "Visit http://127.0.0.1:8080 to use your application"
+ kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}
diff --git a/charts/static-site/templates/_helpers.tpl b/charts/static-site/templates/_helpers.tpl
new file mode 100644
index 0000000..bce9d0f
--- /dev/null
+++ b/charts/static-site/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "static-site.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "static-site.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "static-site.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "static-site.labels" -}}
+helm.sh/chart: {{ include "static-site.chart" . }}
+{{ include "static-site.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "static-site.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "static-site.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "static-site.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "static-site.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/charts/static-site/templates/deployment.yaml b/charts/static-site/templates/deployment.yaml
new file mode 100644
index 0000000..9737066
--- /dev/null
+++ b/charts/static-site/templates/deployment.yaml
@@ -0,0 +1,116 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "static-site.fullname" . }}
+ labels:
+ {{- include "static-site.labels" . | nindent 4 }}
+spec:
+ {{- if not .Values.autoscaling.enabled }}
+ replicas: {{ .Values.replicaCount }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "static-site.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "static-site.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "static-site.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ initContainers:
+ - name: init-clone
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ {{- if eq .Values.init.method "git" }}
+ image: "{{ .Values.init.git.image.repository}}:{{ .Values.init.git.image.tag | default "latest" }}"
+ imagePullPolicy: {{ .Values.init.git.image.pullPolicy }}
+ command:
+ - /bin/ash
+ args:
+ - -c
+ - |
+ {{- if .Values.init.git.ref }}
+ git clone --depth 1 -b \
+ {{ .Values.init.git.ref }} {{ .Values.init.git.repository }} /tmp/repo \
+ {{- else }}
+ git clone --depth 1 {{ .Values.init.git.repository }} /tmp/repo \
+ {{- end }}
+ && cp -Rfp /tmp/repo/{{ .Values.init.git.subPath | default "" }}/* /static
+ {{- else if eq .Values.init.method "wget" }}
+ image: "{{ .Values.init.wget.image.repository }}:{{ .Values.init.wget.image.tag | default "musl" }}"
+ imagePullPolicy: {{ .Values.init.wget.image.pullPolicy }}
+ env:
+ - name: TARGET_FILE
+ value: {{ .Values.init.wget.targetFile | quote }}
+ command:
+ - /bin/ash
+ args:
+ - -c
+ - |
+ wget -O /tmp/$TARGET_FILE {{ .Values.init.wget.url }} \
+ && {{ .Values.init.wget.extractCommand }}
+ {{- else }}
+ image: "{{ .Values.init.s3.image.repository }}:{{ .Values.init.s3.image.tag | default "latest" }}"
+ imagePullPolicy: {{ .Values.init.s3.image.pullPolicy }}
+ env:
+ - name: TARGET_FILE
+ value: {{ .Values.init.s3.targetFile | quote }}
+ command:
+ - /bin/bash
+ args:
+ - -c
+ - |
+ aws s3 cp s3://{{ .Values.init.s3.bucket }}/{{.Values.init.s3.object }} /tmp/$TARGET_FILE \
+ && {{ .Values.init.s3.extractCommand }}
+ {{- end }}
+ volumeMounts:
+ - mountPath: /static
+ name: static
+ containers:
+ - name: {{ .Chart.Name }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default "alpine" }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ ports:
+ - name: http
+ containerPort: 80
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /
+ port: http
+ readinessProbe:
+ httpGet:
+ path: /
+ port: http
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ volumeMounts:
+ - mountPath: /usr/share/nginx/html
+ name: static
+ volumes:
+ - name: static
+ emptyDir: {}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/charts/static-site/templates/hpa.yaml b/charts/static-site/templates/hpa.yaml
new file mode 100644
index 0000000..3e84934
--- /dev/null
+++ b/charts/static-site/templates/hpa.yaml
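Review bot: The init-container scripts splice chart values straight into the `ash -c` / `bash -c` text: `{{ .Values.init.git.ref }}`, `{{ .Values.init.git.repository }}`, `{{ .Values.init.git.subPath }}`, `{{ .Values.init.wget.url }}` and the S3 bucket and object are all unquoted, so a URL containing `&`, `;`, `?` or a space is interpreted by the shell instead of being passed as one argument. Where values arrive from a pipeline parameter or another team's overlay this is a command-injection path inside the init container; otherwise it is still a correctness bug for ordinary URLs with query strings. `TARGET_FILE` already shows the safer pattern: render each value with `| quote` into `env:` and reference it double-quoted in the script, with `--` before the repository so a leading `-` is not read as an option. `extractCommand` is a shell fragment by design and should be documented as trusted-operator input only. The git branch is sketched below; wget and s3 would follow the same shape.

```yaml
          {{- if eq .Values.init.method "git" }}
          # … unchanged: image, imagePullPolicy …
          env:
            - name: SITE_REPOSITORY
              value: {{ .Values.init.git.repository | quote }}
            - name: SITE_REF
              value: {{ .Values.init.git.ref | quote }}
            - name: SITE_SUBPATH
              value: {{ .Values.init.git.subPath | default "" | quote }}
          # … unchanged: command, args, "-c" …
            - |
              {{- if .Values.init.git.ref }}
              git clone --depth 1 -b "$SITE_REF" -- "$SITE_REPOSITORY" /tmp/repo \
              {{- else }}
              git clone --depth 1 -- "$SITE_REPOSITORY" /tmp/repo \
              {{- end }}
              && cp -Rfp "/tmp/repo/$SITE_SUBPATH"/* /static
```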
@@ -0,0 +1,28 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "static-site.fullname" . }}
+ labels:
+ {{- include "static-site.labels" . | nindent 4 }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "static-site.fullname" . }}
+ minReplicas: {{ .Values.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+ {{- end }}
+ {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ {{- end }}
+{{- end }}
diff --git a/charts/static-site/templates/ingress.yaml b/charts/static-site/templates/ingress.yaml
new file mode 100644
index 0000000..dc42b3b
--- /dev/null
+++ b/charts/static-site/templates/ingress.yaml
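Review bot: `apiVersion: autoscaling/v2beta1` is no longer served from Kubernetes 1.25 on, so turning on `autoscaling.enabled` against a current cluster makes the install fail at this manifest. ingress.yaml in this same commit already selects its apiVersion from `.Capabilities.KubeVersion.GitVersion`; the HPA needs at least the move to `autoscaling/v2`, which also changes the metric shape from `targetAverageUtilization` to a nested `target` block. The sketch below shows the CPU metric; memory is identical apart from the name. Clusters older than 1.23 would still need a beta API, so a capability check like the one in ingress.yaml is the compatible form.

```yaml
apiVersion: autoscaling/v2
# … unchanged: kind, metadata, scaleTargetRef, minReplicas, maxReplicas …
  metrics:
    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
    {{- end }}
    # … memory metric: same target block with name: memory …
```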
@@ -0,0 +1,61 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "static-site.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+ {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
+ {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+ {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+ name: {{ $fullName }}
+ labels:
+ {{- include "static-site.labels" . | nindent 4 }}
+ {{- with .Values.ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+ ingressClassName: {{ .Values.ingress.className }}
+ {{- end }}
+ {{- if .Values.ingress.tls }}
+ tls:
+ {{- range .Values.ingress.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
+ {{- end }}
+ rules:
+ {{- range .Values.ingress.hosts }}
+ - host: {{ .host | quote }}
+ http:
+ paths:
+ {{- range .paths }}
+ - path: {{ .path }}
+ {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+ pathType: {{ .pathType }}
+ {{- end }}
+ backend:
+ {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+ service:
+ name: {{ $fullName }}
+ port:
+ number: {{ $svcPort }}
+ {{- else }}
+ serviceName: {{ $fullName }}
+ servicePort: {{ $svcPort }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/charts/static-site/templates/mapping.yaml b/charts/static-site/templates/mapping.yaml
new file mode 100644
index 0000000..f968dfa
--- /dev/null
+++ b/charts/static-site/templates/mapping.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.ambassador.enabled }}
+{{- $fullName := include "static-site.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+apiVersion: {{ .Values.ambassador.apiVersion | default "getambassador.io/v2" }}
+kind: Mapping
+metadata:
+ name: {{ $fullName }}
+ labels:
+ {{- include "static-site.labels" . | nindent 4 }}
+spec:
+ host: {{ .Values.ambassador.hostname }}
+ prefix: /
+ service: {{ $fullName }}:{{ $svcPort }}
+{{- end }}
diff --git a/charts/static-site/templates/service.yaml b/charts/static-site/templates/service.yaml
new file mode 100644
index 0000000..3797679
--- /dev/null
+++ b/charts/static-site/templates/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "static-site.fullname" . }}
+ labels:
+ {{- include "static-site.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.port }}
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ {{- include "static-site.selectorLabels" . | nindent 4 }}
diff --git a/charts/static-site/templates/serviceaccount.yaml b/charts/static-site/templates/serviceaccount.yaml
new file mode 100644
index 0000000..6604ae5
--- /dev/null
+++ b/charts/static-site/templates/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "static-site.serviceAccountName" . }}
+ labels:
+ {{- include "static-site.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/static-site/templates/tests/test-connection.yaml b/charts/static-site/templates/tests/test-connection.yaml
new file mode 100644
index 0000000..597b7db
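Review bot: Neither the ServiceAccount in serviceaccount.yaml nor the pod spec in deployment.yaml sets `automountServiceAccountToken`, so every pod gets a Kubernetes API token mounted although nothing visible in the chart talks to the API server. For an nginx container serving static files that token is only of use to someone who has already compromised the pod. Adding `automountServiceAccountToken: false` to the Deployment's pod `spec` removes it and also covers the `create: false` case, where the helper falls back to the `default` account; setting it on the `ServiceAccount` alone only helps when the chart creates the account. The s3 method presumably relies on an annotation-based cloud identity, so confirm that path does not depend on the automounted token before defaulting it off.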
--- /dev/null
+++ b/charts/static-site/templates/tests/test-connection.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "static-site.fullname" . }}-test-connection"
+ labels:
+ {{- include "static-site.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": test
+spec:
+ containers:
+ - name: wget
+ image: busybox
+ command: ['wget']
+ args: ['{{ include "static-site.fullname" . }}:{{ .Values.service.port }}']
+ restartPolicy: Never
diff --git a/charts/static-site/values.yaml b/charts/static-site/values.yaml
new file mode 100644
index 0000000..441bc2a
--- /dev/null
+++ b/charts/static-site/values.yaml
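Review bot: `image: busybox` carries no tag, so the test pod resolves to `busybox:latest`, whatever that points to on the day the test runs. The same mutable defaults are set in deployment.yaml (`default "latest"` for the git and s3 init images, `default "musl"` for wget, `default "alpine"` for nginx) and documented in values.yaml; combined with `pullPolicy: IfNotPresent`, nodes can end up running different image contents under one tag. Pin each image to a fixed version or digest, e.g. `image: "busybox@sha256:<digest>"` here (placeholder, take the digest from the registry), and make the values.yaml `tag` defaults explicit versions instead of empty strings.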
@@ -0,0 +1,134 @@
+# Default values for static-site.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+ repository: nginx
+ pullPolicy: IfNotPresent
+ # Default tag is `alpine`
+ tag: ""
+
+init:
+ # Clone/copy method.
+ # git, wget, s3
+ method: git
+ # git options
+ git:
+ image:
+ repository: alpine/git
+ pullPolicy: IfNotPresent
+ # Default tag is `latest`
+ tag: ""
+ # The repository to clone
+ repository: ""
+ # The reference of the repository to clone
+ ref: ""
+ # Sub Path of repository to copy if not root
+ subPath: ""
+ # wget options
+ wget:
+ image:
+ repository: busybox
+ pullPolicy: IfNotPresent
+ # Default tag is `musl`
+ tag: ""
+ url: ""
+ # Filename to save URL as for extraction. Saved under /tmp
+ # Also gets set to env TARGET_FILE
+ targetFile: "static.tar"
+ # Extract command, targeting /static
+ extractCommand: "tar xvf /tmp/$TARGET_FILE -C /static"
+ # s3 options
+ s3:
+ # You will need to attach a service account with appropriate permissions
+ # to AWS S3 via serviceAccount.name
+ image:
+ repository: amazon/aws-cli
+ pullPolicy: IfNotPresent
+ # Default tag is `latest`
+ tag: ""
+ bucket: ""
+ object: ""
+ # Filename to save object as for extraction. Saved under /tmp
+ # Also gets set to env TARGET_FILE
+ targetFile: "static.tar"
+ # Extract command, targeting /static
+ extractCommand: "tar xvf /tmp/$TARGET_FILE -C /static"
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: false
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+podAnnotations: {}
+
+podSecurityContext: {}
+ # fsGroup: 2000
+
+securityContext: {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+service:
+ type: ClusterIP
+ port: 80
+
+ambassador:
+ enabled: false
+ apiVersion: getambassador.io/v2
+ hostname: ""
+
+ingress:
+ enabled: false
+ className: ""
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ hosts:
+ - host: chart-example.local
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 100
+ targetCPUUtilizationPercentage: 80
+ # targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
diff --git a/ct.yaml b/ct.yaml
new file mode 100644
index 0000000..bef7298
--- /dev/null
+++ b/ct.yaml
@@ -0,0 +1,4 @@
+helm-extra-args: --timeout 600s
+chart-dirs:
+ - charts/
+target-branch: main
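Review bot: The commented hardening example under `securityContext` cannot be switched on as written, because deployment.yaml applies the single `.Values.securityContext` to both the init container and nginx, and the init scripts write to `/tmp/repo` or `/tmp/$TARGET_FILE` while only `/static` is a mounted volume. With `readOnlyRootFilesystem: true` the clone or download would fail, and `runAsUser: 1000` likely conflicts with the hard-coded `containerPort: 80` on the stock nginx image. As shipped (`podSecurityContext: {}`, `securityContext: {}`) both containers run with whatever the images default to. I would mount an `emptyDir` at `/tmp` in the init container, split the setting into `securityContext` and a separate `init.securityContext`, and say so here with a comment such as `# applied to the nginx container only; the init container uses init.securityContext`.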