feat: feature yml, helm charts

* added config use envs
* workflow for deploy to fasit

Co-authored-by: Tommy Trøen <[email protected]>

Author: ybelMekk

.github/workflows/main.yml

@@ -0,0 +1,91 @@
+name: Build and deploy
+on:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - '*.md'
+      - 'LICENSE.md'
+env:
+  NAME: v13s
+  FEATURE_REPOSITORY: oci://europe-north1-docker.pkg.dev/nais-io/nais/feature
+
+jobs:
+  go_version:
+    outputs:
+      go_version: ${{ steps.go_version.outputs.GO_VERSION }}
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      - name: Find Go version
+        id: go_version
+        run: |
+          echo "GO_VERSION=$(grep golang .tool-versions | awk '{print $2}')" >> $GITHUB_OUTPUT
+  tests:
+    if: github.ref == 'refs/heads/main'
+    runs-on: ubuntu-24.04
+    needs: go_version
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ needs.go_version.outputs.go_version }}
+          cache-dependency-path: ./go.sum
+
+     # - name: Check for vulnerable dependencies and static code
+      #  run: make check
+
+      - name: Run tests
+        run: make test
+
+  build_and_push:
+    outputs:
+      version: ${{ steps.build-push-sign.outputs.version }}
+    needs:
+      - tests
+    permissions:
+      contents: "read"
+      id-token: "write"
+    name: build and push
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build push v13s image
+        uses: nais/platform-build-push-sign@main
+        id: build-push-sign
+        with:
+          name: ${{ env.NAME }}
+          google_service_account: gh-${{ env.NAME }}
+          workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
+          push: true
+
+      - name: Update values.yaml
+        run: |-
+          yq e '.image.tag = "${{ steps.build-push-sign.outputs.version }}"' -i ./charts/values.yaml
+
+      - uses: azure/setup-helm@v4
+        name: "Setup Helm"
+        with:
+          version: "v3.15.1"
+
+      - name: Build Chart
+        run: |-
+          yq e '.version = "${{ steps.build-push-sign.outputs.version }}"' -i charts/Chart.yaml
+          helm package charts
+
+      - name: Push Chart
+        run: |-
+          helm push ${{ env.NAME }}*.tgz ${{ env.FEATURE_REPOSITORY }}
+
+  rollout:
+    needs:
+      - build_and_push
+    runs-on: fasit-deploy
+    permissions:
+      id-token: write
+    steps:
+      - uses: nais/fasit-deploy@v2
+        with:
+          chart: ${{ env.FEATURE_REPOSITORY }}/${{ env.NAME }}
+          version: ${{ needs.build_and_push.outputs.version }}

.tool-versions

@@ -2,3 +2,4 @@ golang 1.23.5
 protoc-gen-go-grpc 1.5.1
 protoc-gen-go 1.36.3
 protoc 29.3
+helm 3.15.1

Dockerfile

@@ -0,0 +1,14 @@
+FROM cgr.dev/chainguard/go:latest AS builder
+ENV GOOS=linux
+ENV CGO_ENABLED=0
+ENV GO111MODULE=on
+RUN go version
+COPY . /src
+WORKDIR /src
+RUN go mod download
+RUN go build -a -installsuffix cgo -o /bin/api cmd/api/main.go
+
+FROM cgr.dev/chainguard/static:latest
+WORKDIR /app
+COPY --from=builder /bin/api /api
+ENTRYPOINT ["/api"]

charts/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/Chart.yaml

@@ -0,0 +1,8 @@
+apiVersion: v2
+name: v13s
+icon: https://slsa.dev/images/slsa-dancing-goose-logo.svg
+sources:
+  - https://github.com/nais/v13s/tree/main/charts
+description: v13s is an api for vulnerabilities data across multiple sources
+type: application
+version: 0.1.0

charts/Feature.yaml

@@ -0,0 +1,55 @@
+environmentKinds:
+  - management
+values:
+  
+  image.tag:
+    displayName: Image tag
+    config:
+      type: string
+  
+  dependencytrack.apikey:
+    displayName: dependencytrack API key
+    config:
+      type: string
+    required: true
+  
+  dependencytrack.url:
+    displayName: dependencytrack URL
+    computed:
+      template: "http://dependencytrack-backend:8080"
+    config:
+      type: string
+  
+  database.instance:
+    displayName: Cloud SQL instance name
+    description: The name of the Cloud SQL instance
+    computed:
+      template: |
+        {{ .Env.v13s_db_instance | quote }}
+
+  database.name:
+    displayName: Database name
+    description: The name of the database
+    computed:
+      template: |
+        {{ .Env.v13s_db_name | quote }}
+
+  database.user:
+    displayName: Database username
+    description: The username for the database
+    computed:
+      template: |
+        {{ .Env.v13s_db_user | quote }}
+
+  database.password:
+    displayName: Database password
+    description: The password for the database
+    computed:
+      template: |
+        {{ .Env.v13s_db_password | quote }}
+
+  serviceAccountEmail:
+    displayName: Google service account email
+    computed:
+      template:
+        {{.Env.v13s_serviceaccount_email | quote}}

charts/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "v13s.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "dependencytrack.name" -}}
+{{- default "dependencytrack" }}
+{{- end }}
+
+{{/*
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "v13s.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "v13s.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "v13s.labels" -}}
+helm.sh/chart: {{ include "v13s.chart" . }}
+{{ include "v13s.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+{{- define "dependencytrack.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "dependencytrack.name" . }}
+app.kubernetes.io/instance: {{ include "dependencytrack.name" . }}-backend
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "v13s.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "v13s.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

charts/templates/deployment.yaml

@@ -0,0 +1,69 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "v13s.fullname" . }}
+  labels:
+    {{- include "v13s.labels" . | nindent 4 }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      {{- include "v13s.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "v13s.selectorLabels" . | nindent 8 }}
+      annotations:
+        kubectl.kubernetes.io/default-container: {{ .Chart.Name }}
+    spec:
+      serviceAccountName: {{ include "v13s.name" . }}
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "{{ .Values.image.repository }}/{{ .Values.image.name }}:{{ .Values.image.tag }}"
+          imagePullPolicy: Always
+          envFrom:
+            - secretRef:
+                name: {{ include "v13s.fullname" . }}
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 1000
+            runAsGroup: 1000
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+                - ALL
+          ports:
+            - name: grpc
+              containerPort: 50051
+              protocol: TCP
+            - name: http-metrics
+              containerPort: 8000
+              protocol: TCP
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+        - name: cloud-sql-proxy
+          image: {{ .Values.image.cloudsql_proxy }}
+          command:
+            - "/cloud_sql_proxy"
+            - "-log_debug_stdout"
+            - "-instances={{ .Values.database.instance }}=tcp:5432"
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 1000
+            runAsGroup: 1000
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+                - ALL
+          resources:
+            requests:
+              memory: "256Mi"
+              cpu: "0.22"

charts/templates/netpol.yaml

@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "v13s.fullname" . }}
+spec:
+  egress:
+    - ports:
+        - port: 443
+          protocol: TCP
+        - port: 80
+          protocol: TCP
+    - to:
+        - namespaceSelector: { }
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+    - to:
+        - podSelector:
+            matchLabels:
+              {{- include "dependencytrack.selectorLabels" . | nindent 14 }}
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  policyTypes:
+    - Egress
+---

charts/templates/sa.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "v13s.name" . }}
+  labels:
+    {{- include "v13s.labels" . | nindent 4 }}
+  annotations:
+    iam.gke.io/gcp-service-account: {{ .Values.serviceAccountEmail }}