create a helm chart

Author: cornerman

.envrc

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# Automatically sets up your devbox environment whenever you cd into this
+# directory via our direnv integration:
+
+eval "$(devbox generate direnv --print-envrc)"
+
+# check out https://www.jetify.com/docs/devbox/ide_configuration/direnv/
+# for more details

.github/workflows/ci.yaml

@@ -0,0 +1,30 @@
+name: CI
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install devbox
+        uses: jetify-com/devbox-install-action@v0.14.0
+
+      - name: Install project dependencies
+        run: devbox install
+
+      - name: Helm lint
+        run: devbox run lint
+
+      - name: Kind end-to-end test
+        env:
+          CLUSTER_NAME: ci-evict-rollout
+        run: devbox run test
+

.gitignore

@@ -0,0 +1 @@
+.devbox

README.md

@@ -55,7 +55,50 @@ export DRY_RUN=true
 ./evict_to_rollout.sh
 ```
 
-### 3. Deploy as CronJob
+## Deployment Options
 
-See `cronjob.yaml` for the full manifest including RBAC permissions.
+### Helm (recommended)
+
+This repository ships a Helm chart (`chart/evict-to-rollout`) so you can tweak the schedule, annotation selector, and naming without forking the manifest.
+
+```bash
+helm upgrade --install evict-to-rollout \
+  oci://ghcr.io/cornerman/charts/evict-to-rollout \
+  --version 0.1.0 \
+  --namespace kube-system --create-namespace \
+  --set schedule="*/2 * * * *" \
+  --set annotationSelector.key="evict-with-rollout" \
+  --set annotationSelector.value="true"
+```
+
+Key values:
+
+| Value | Description | Default |
+| --- | --- | --- |
+| `schedule` | Cron expression for how often to scan nodes | `*/1 * * * *` |
+| `annotationSelector.key`/`.value` | Annotation pair that marks pods for rollout | `evict-with-rollout` / `true` |
+| `image.repository` / `.tag` | Container image that provides `kubectl` + `jq` | `us.gcr.io/k8s-artifacts-prod/kubectl` / `v1.29.4` |
+| `serviceAccount.create` | Whether to create a dedicated SA | `true` |
+| `rbac.create` | Whether to install ClusterRole + binding | `true` |
+
+See `chart/evict-to-rollout/values.yaml` for the full list.
+
+## Development & Testing
+
+This repo ships a `devbox.json` so everyone (including CI) uses the same versions of `helm`, `kubectl`, `kind`, and `jq`.
+
+```bash
+# Start a dev shell with all tools:
+devbox shell
+
+# Lint the chart:
+devbox run lint
+
+# Run the end-to-end test (requires Docker since it spins up kind):
+devbox run test
+```
+
+The test script (`scripts/test-kind.sh`) creates a 3-node kind cluster, installs the Helm chart, deploys a sample annotated app, cordons a node, runs the controller job manually, and asserts that the deployment was restarted and rescheduled onto a different node.
+
+GitHub Actions mirrors the same flow via `.github/workflows/ci.yaml`, so every PR runs `helm lint` plus the integration test automatically.
 

chart/evict-to-rollout/Chart.yaml

@@ -0,0 +1,20 @@
+apiVersion: v2
+name: evict-to-rollout
+description: Trigger rollout restarts for annotated workloads before draining nodes
+type: application
+version: 0.1.0
+appVersion: "0.1.0"
+keywords:
+  - kubernetes
+  - availability
+  - eviction
+  - pdb
+  - cronjob
+maintainers:
+  - name: Cornerman
+    url: https://github.com/cornerman
+sources:
+  - https://github.com/cornerman/evict-to-rollout
+home: https://github.com/cornerman/evict-to-rollout
+
+

evict_to_rollout.sh …ict-to-rollout/files/evict_to_rollout.shevict_to_rollout.sh renamed to chart/evict-to-rollout/files/evict_to_rollout.sh evict_to_rollout.sh renamed to chart/evict-to-rollout/files/evict_to_rollout.sh

@@ -2,8 +2,8 @@
 set -euo pipefail
 
 # Configuration
-ANNOTATION_KEY="evict-with-rollout"
-ANNOTATION_VALUE="true"
+ANNOTATION_KEY=${ANNOTATION_KEY:-"evict-with-rollout"}
+ANNOTATION_VALUE=${ANNOTATION_VALUE:-"true"}
 DRY_RUN=${DRY_RUN:-false} # Set to true to print actions without executing
 
 log() {
@@ -116,3 +116,5 @@ for NODE in $NODES; do
 done
 
 log "Done."
+
+

chart/evict-to-rollout/templates/NOTES.txt

@@ -0,0 +1,11 @@
+To verify your installation:
+  1. Check the CronJob status:
+     kubectl get cronjob {{ include "evict-to-rollout.fullname" . }} -n {{ .Release.Namespace }}
+  2. Inspect the latest job/pod logs:
+     kubectl logs job/$(kubectl get jobs -n {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }} -o jsonpath='{.items[-1:].metadata.name}') -n {{ .Release.Namespace }}
+
+To trigger a dry run manually:
+  kubectl create job --from=cronjob/{{ include "evict-to-rollout.fullname" . }} evict-to-rollout-debug -n {{ .Release.Namespace }} \
+    --dry-run=client -o yaml | kubectl apply -f -
+
+

chart/evict-to-rollout/templates/_helpers.tpl

@@ -0,0 +1,30 @@
+{{- define "evict-to-rollout.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "evict-to-rollout.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "evict-to-rollout.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+{{- if .Values.serviceAccount.name -}}
+{{- .Values.serviceAccount.name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-sa" (include "evict-to-rollout.fullname" .) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- else -}}
+{{- .Values.serviceAccount.name | default "default" -}}
+{{- end -}}
+{{- end -}}
+
+

chart/evict-to-rollout/templates/clusterrole.yaml

@@ -0,0 +1,26 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ printf "%s-role" (include "evict-to-rollout.fullname" .) | trunc 63 | trimSuffix "-" }}
+  labels:
+    app.kubernetes.io/name: {{ include "evict-to-rollout.name" . }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["apps"]
+    resources: ["replicasets"]
+    verbs: ["get", "list"]
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get", "list", "patch"]
+{{- end }}
+
+

chart/evict-to-rollout/templates/clusterrolebinding.yaml

@@ -0,0 +1,21 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ printf "%s-binding" (include "evict-to-rollout.fullname" .) | trunc 63 | trimSuffix "-" }}
+  labels:
+    app.kubernetes.io/name: {{ include "evict-to-rollout.name" . }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "evict-to-rollout.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ printf "%s-role" (include "evict-to-rollout.fullname" .) | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+