ci: use oci

.drone.yml

@@ -6,16 +6,17 @@ name: default
 trigger:
   event:
   - push
+  - tag
 
 steps:
 - name: release
-    image: cr.grachevko.ru/drone/helm:RELEASE.2023-03-01T13-46-55Z
+  image: cr.grachevko.ru/drone/helm:24
   settings:
+    tag: ${DRONE_TAG}
     username:
       from_secret: HELM_REPO_USERNAME
     password:
       from_secret: HELM_REPO_PASSWORD
   when:
-      branch:
+    event:
-        - master
+    - tag
-        - rc

README.md

@@ -19,7 +19,8 @@ dependencies:
     repository: https://harbor.grachevko.ru/chartrepo/helm
 ```
 
-Once you have defined dependencies, you should run the following command to download this chart into your `charts/` directory:
+Once you have defined dependencies, you should run the following command to download this chart into your `charts/`
+directory:
 
 ```shell
 $ helm dep build
@@ -61,13 +62,15 @@ helm.sh/chart: foo-1.2.3-beta.55_1234
 
 ### `common.fullname`
 
-The `common.fullname` template generates a name suitable for the `name:` field in Kubernetes metadata. It is used like this:
+The `common.fullname` template generates a name suitable for the `name:` field in Kubernetes metadata. It is used like
+this:
 
 ```yaml
 name: { { include "common.fullname" . } }
 ```
 
-This prints the value of `{{ .Release.Name }}-{{ .Chart.Name }}` by default, but can be overridden with `.Values. fullnameOverride`:
+This prints the value of `{{ .Release.Name }}-{{ .Chart.Name }}` by default, but can be overridden
+with `.Values. fullnameOverride`:
 
 ```yaml
 fullnameOverride: some-name
@@ -142,7 +145,8 @@ metadata:
   name: release-name-mychart
 ```
 
-Most of the common templates that define a resource type (e.g. `common.configMap` or `common.cronJob`) use this to generate the metadata, which means they inherit the same `labels` and `name` fields.
+Most of the common templates that define a resource type (e.g. `common.configMap` or `common.cronJob`) use this to
+generate the metadata, which means they inherit the same `labels` and `name` fields.
 
 ### `common.name`
 

starter/templates/deployment.yaml

@@ -24,10 +24,6 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.image.pullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
@@ -37,15 +33,24 @@ spec:
         image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         envFrom:
+          {{- if .Values.existingConfigmap }}
+        - configMapRef:
+            name: {{ .Values.existingConfigmap }}
+          {{- else }}
         - configMapRef:
             name: {{ include "common.fullname" . }}
-          {{- if .Values.extraEnvVarsSecret }}
+          {{- end }}
+          {{- if .Values.existingSecret }}
         - secretRef:
-                name: {{ .Values.extraEnvVarsSecret }}
+            name: {{ .Values.existingSecret }}
           {{- else }}
         - secretRef:
             name: {{ include "common.fullname" . }}
           {{- end }}
+          {{- if .Values.extraEnvVarsSecret }}
+        - secretRef:
+            name: {{ .Values.extraEnvVarsSecret }}
+          {{- end }}
         ports:
         - name: http
           containerPort: 5678

starter/templates/ingress.yaml

@@ -1,18 +1,7 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "common.fullname" . -}}
 {{- $svcPort := .Values.service.port -}}
-{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
-  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
-  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
-  {{- end }}
-{{- end }}
-{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
 apiVersion: networking.k8s.io/v1
-{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
-apiVersion: networking.k8s.io/v1beta1
-{{- else -}}
-apiVersion: extensions/v1beta1
-{{- end }}
 kind: Ingress
 metadata:
   name: {{ $fullName }}
@@ -23,9 +12,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
-  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
   ingressClassName: {{ .Values.ingress.className }}
-  {{- end }}
   {{- if .Values.ingress.tls }}
   tls:
     {{- range .Values.ingress.tls }}
@@ -45,15 +32,10 @@ spec:
       - path: {{ .path }}
         pathType: {{ default "ImplementationSpecific" .pathType }}
         backend:
-              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
           service:
             name: {{ $fullName }}
             port:
               number: {{ $svcPort }}
-              {{- else }}
-              serviceName: {{ $fullName }}
-              servicePort: {{ $svcPort }}
-              {{- end }}
           {{- end }}
     {{- end }}
 {{- end }}

starter/values.yaml

@@ -12,9 +12,9 @@ extraEnvVarsSecret:
 replicaCount: 1
 
 image:
+  registry: docker.io
   repository: nginx
   pullPolicy: IfNotPresent
-  pullSecrets: []
   # Overrides the image tag whose default is the chart appVersion.
   tag: ""
 
@@ -50,6 +50,11 @@ service:
 
 ingress:
   enabled: false
+  ## @param ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
+  ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
+  ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
+  ##
+  ingressClassName: ""
   annotations: {}
     # kubernetes.io/ingress.class: nginx
     # kubernetes.io/tls-acme: "true"

templates/_metadata.tpl

@@ -4,13 +4,11 @@
 Common labels
 */}}
 {{- define "common.labels" -}}
-app.kubernetes.io/name: {{ include "common.name" . }}
 helm.sh/chart: {{ include "common.chart" . }}
 {{ include "common.selectorLabels" . }}
 {{- with .Chart.AppVersion }}
 app.kubernetes.io/version: {{ . | quote }}
 {{- end }}
-app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 

templates/_secrets.tpl

@@ -87,7 +87,7 @@ The order in which this function returns a secret password:
 {{- $password := "" }}
 {{- $subchart := "" }}
 {{- $chartName := default "" .chartName }}
-{{- $passwordLength := default 10 .length }}
+{{- $passwordLength := default 32 .length }}
 {{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }}
 {{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }}
 {{- $secretData := (lookup "v1" "Secret" (include "common.namespace" .context) .secret).data }}
@@ -115,6 +115,8 @@ The order in which this function returns a secret password:
     {{- $password = randAscii $passwordLength }}
     {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }}
     {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }}
+  {{- else if .hex }}
+    {{- $password = include "common.secrets.randHex" $passwordLength | b64enc | quote }}
   {{- else }}
     {{- $password = randAlphaNum $passwordLength | b64enc | quote }}
   {{- end }}
@@ -122,6 +124,23 @@ The order in which this function returns a secret password:
 {{- printf "%s" $password -}}
 {{- end -}}
 
+{{- /*
+    Returns given number of random Hex characters.
+    - randNumeric 4 | atoi generates a random number in [0, 10^4)
+      This is a range evenly divisble by 16, but even if off by one,
+      that last partial interval offsetting randomness is only 1 part in 625.
+    - mod N 16 maps to the range 0-15
+    - printf "%x" represents a single number 0-15 as a single hex character
+*/}}
+{{- define "common.secrets.randHex" -}}
+    {{- $result := "" }}
+    {{- range $i := until . }}
+        {{- $rand_hex_char := mod (randNumeric 4 | atoi) 16 | printf "%x" }}
+        {{- $result = print $result $rand_hex_char }}
+    {{- end }}
+    {{- $result }}
+{{- end }}
+
 {{/*
 Reuses the value from an existing secret, otherwise sets its value to a default value.