create a helm chart and build docker image

Author: cornerman

.envrc

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# Automatically sets up your devbox environment whenever you cd into this
+# directory via our direnv integration:
+
+eval "$(devbox generate direnv --print-envrc)"
+
+# check out https://www.jetify.com/docs/devbox/ide_configuration/direnv/
+# for more details

.github/workflows/ci.yaml

@@ -0,0 +1,126 @@
+name: CI
+
+on:
+  push:
+    branches: ["main"]
+    tags: ["*"]
+  pull_request:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.version.outputs.version }}
+      is_release: ${{ steps.version.outputs.is_release }}
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Determine version
+        id: version
+        run: |
+          if [[ "${GITHUB_REF}" == refs/tags/* ]]; then
+            RAW="${GITHUB_REF#refs/tags/}"
+            VERSION="${RAW#v}"
+            IS_RELEASE="true"
+          else
+            LAST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "0.0.0")
+            LAST_TAG="${LAST_TAG#v}"
+            VERSION="${LAST_TAG}-sha.${GITHUB_SHA::7}"
+            IS_RELEASE="false"
+          fi
+          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+          echo "is_release=${IS_RELEASE}" >> "$GITHUB_OUTPUT"
+
+      - name: Install devbox
+        uses: jetify-com/devbox-install-action@v0.14.0
+
+      - name: Install project dependencies
+        run: devbox install
+
+      - name: Helm lint
+        run: devbox run lint
+
+      - name: Kind end-to-end test
+        env:
+          CLUSTER_NAME: ci-evict-rollout
+        run: devbox run test
+
+  publish-image:
+    needs: build
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push kubectl+jq image
+        env:
+          IMAGE_BASE: ghcr.io/${{ github.repository }}/kubectl-jq
+          VERSION: ${{ needs.build.outputs.version }}
+        run: |
+          IMAGE_BASE=$(echo "${IMAGE_BASE}" | tr '[:upper:]' '[:lower:]')
+          docker buildx build \
+            -f Dockerfile.kubectl-jq \
+            --platform linux/amd64,linux/arm64 \
+            -t "${IMAGE_BASE}:${VERSION}" \
+            -t "${IMAGE_BASE}:latest" \
+            --push .
+
+  publish-chart:
+    needs: build
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v3.14.4
+
+      - name: Update Chart metadata
+        env:
+          VERSION: ${{ needs.build.outputs.version }}
+        run: |
+          sed -i -E "s/^version:.*/version: ${VERSION}/" chart/evict-to-rollout/Chart.yaml
+          sed -i -E "s/^appVersion:.*/appVersion: \"${VERSION}\"/" chart/evict-to-rollout/Chart.yaml
+
+      - name: Login to GHCR for Helm
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | \
+            helm registry login ghcr.io \
+              --username "${{ github.actor }}" \
+              --password-stdin
+
+      - name: Package and push Helm chart
+        run: |
+          mkdir -p dist
+          helm package chart/evict-to-rollout --destination dist
+          VERSION=$(awk '/^version:/ {print $2}' chart/evict-to-rollout/Chart.yaml | tr -d '"')
+          REPO=$(echo "${GITHUB_REPOSITORY}" | tr '[:upper:]' '[:lower:]')
+          helm push "dist/evict-to-rollout-${VERSION}.tgz" "oci://ghcr.io/${REPO}"
+

.gitignore

@@ -0,0 +1 @@
+.devbox

Dockerfile.kubectl-jq

@@ -0,0 +1,18 @@
+# syntax=docker/dockerfile:1.6
+
+FROM alpine:3.20
+
+ARG KUBECTL_VERSION=v1.30.2
+ARG TARGETARCH
+
+RUN apk add --no-cache bash curl jq ca-certificates \
+ && case "${TARGETARCH:-amd64}" in \
+      amd64|x86_64) ARCH=amd64 ;; \
+      arm64|aarch64) ARCH=arm64 ;; \
+      *) echo "Unsupported architecture: ${TARGETARCH}" && exit 1 ;; \
+    esac \
+ && curl -fsSLo /usr/local/bin/kubectl "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl" \
+ && chmod +x /usr/local/bin/kubectl
+
+ENTRYPOINT ["/bin/bash"]
+

README.md

@@ -55,7 +55,77 @@ export DRY_RUN=true
 ./evict_to_rollout.sh
 ```
 
-### 3. Deploy as CronJob
+## Deployment Options
 
-See `cronjob.yaml` for the full manifest including RBAC permissions.
+### Helm (recommended)
+
+This repository ships a Helm chart (`chart/evict-to-rollout`) so you can tweak the schedule, annotation selector, and naming without forking the manifest.
+
+```bash
+helm upgrade --install evict-to-rollout \
+  oci://ghcr.io/hivemindtechnologies/evict-to-rollout \
+  --version 0.1.0 \
+  --namespace kube-system --create-namespace \
+  --set schedule="*/2 * * * *" \
+  --set annotationSelector.key="evict-with-rollout" \
+  --set annotationSelector.value="true"
+```
+
+Key values:
+
+| Value | Description | Default |
+| --- | --- | --- |
+| `schedule` | Cron expression for how often to scan nodes | `*/1 * * * *` |
+| `annotationSelector.key`/`.value` | Annotation pair that marks pods for rollout | `evict-with-rollout` / `true` |
+| `image.repository` / `.tag` | Container image that provides `kubectl` + `jq` | `ghcr.io/hivemindtechnologies/evict-to-rollout/kubectl-jq` / *(empty = use chart `appVersion`)* |
+| `serviceAccount.create` | Whether to create a dedicated SA | `true` |
+| `rbac.create` | Whether to install ClusterRole + binding | `true` |
+
+See `chart/evict-to-rollout/values.yaml` for the full list.
+
+## Development & Testing
+
+This repo ships a `devbox.json` so everyone (including CI) uses the same versions of `helm`, `kubectl`, `kind`, and `jq`.
+
+```bash
+# Start a dev shell with all tools:
+devbox shell
+
+# Lint the chart:
+devbox run lint
+
+# Run the end-to-end test (requires Docker since it spins up kind):
+devbox run test
+```
+
+The test script (`scripts/test-kind.sh`) creates a 3-node kind cluster, installs the Helm chart, deploys a sample annotated app, cordons a node, runs the controller job manually, and asserts that the deployment was restarted and rescheduled onto a different node.
+
+GitHub Actions mirrors the same flow via `.github/workflows/ci.yaml`:
+
+- on every PR, it runs `helm lint` and the kind-based integration test.
+- on pushes to `main`, it additionally publishes:
+  - the multi-arch `kubectl-jq` image tagged as `latest` and `${LAST_TAG}-sha.${GITHUB_SHA::7}`
+  - a Helm chart tagged as `${LAST_TAG}-sha.${GITHUB_SHA::7}` to `oci://ghcr.io/hivemindtechnologies/evict-to-rollout`
+- on git tag pushes (e.g. `v0.2.0`), the same workflow publishes **stable** artifacts tagged with the release version
+
+### Building the controller image
+
+The CronJob runs a tiny Alpine image containing `kubectl`, `jq`, `bash`, and CA certificates. Build it (multi-arch) and push to GHCR with:
+
+```bash
+docker buildx build \
+  -f Dockerfile.kubectl-jq \
+  --platform linux/amd64,linux/arm64 \
+  -t ghcr.io/hivemindtechnologies/evict-to-rollout/kubectl-jq:latest \
+  --push .
+```
+### Release workflow
+
+The CI pipeline keeps versions in sync automatically:
+
+- For pushes to `main`, it reads the most recent git tag (or `0.0.0` if none exists) and publishes snapshot artifacts tagged as `<last-tag>-sha.<short-sha>`.
+- For pushes to annotated tags (e.g. `v0.3.0`), it strips the `v` prefix and publishes both the Docker image and the Helm chart with the exact release version.
+- The pipeline patches `chart/evict-to-rollout/Chart.yaml` on the fly so that `version` and `appVersion` match the artifact tag, and the default image tag in the chart inherits from `appVersion`.
+
+For local testing the kind script (`devbox run test`) builds the image and loads it directly into the cluster, so no registry push is required.
 

chart/evict-to-rollout/Chart.yaml

@@ -0,0 +1,20 @@
+apiVersion: v2
+name: evict-to-rollout
+description: Trigger rollout restarts for annotated workloads before draining nodes
+type: application
+version: 0.1.0
+appVersion: "0.1.0"
+keywords:
+  - kubernetes
+  - availability
+  - eviction
+  - pdb
+  - cronjob
+maintainers:
+  - name: Hivemind Technologies
+    url: https://github.com/HivemindTechnologies
+sources:
+  - https://github.com/HivemindTechnologies/evict-to-rollout
+home: https://github.com/HivemindTechnologies/evict-to-rollout
+
+

evict_to_rollout.sh …ict-to-rollout/files/evict_to_rollout.shevict_to_rollout.sh renamed to chart/evict-to-rollout/files/evict_to_rollout.sh evict_to_rollout.sh renamed to chart/evict-to-rollout/files/evict_to_rollout.sh

@@ -2,8 +2,8 @@
 set -euo pipefail
 
 # Configuration
-ANNOTATION_KEY="evict-with-rollout"
-ANNOTATION_VALUE="true"
+ANNOTATION_KEY=${ANNOTATION_KEY:-"evict-with-rollout"}
+ANNOTATION_VALUE=${ANNOTATION_VALUE:-"true"}
 DRY_RUN=${DRY_RUN:-false} # Set to true to print actions without executing
 
 log() {
@@ -116,3 +116,5 @@ for NODE in $NODES; do
 done
 
 log "Done."
+
+

chart/evict-to-rollout/templates/NOTES.txt

@@ -0,0 +1,11 @@
+To verify your installation:
+  1. Check the CronJob status:
+     kubectl get cronjob {{ include "evict-to-rollout.fullname" . }} -n {{ .Release.Namespace }}
+  2. Inspect the latest job/pod logs:
+     kubectl logs job/$(kubectl get jobs -n {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }} -o jsonpath='{.items[-1:].metadata.name}') -n {{ .Release.Namespace }}
+
+To trigger a dry run manually:
+  kubectl create job --from=cronjob/{{ include "evict-to-rollout.fullname" . }} evict-to-rollout-debug -n {{ .Release.Namespace }} \
+    --dry-run=client -o yaml | kubectl apply -f -
+
+

chart/evict-to-rollout/templates/_helpers.tpl

@@ -0,0 +1,30 @@
+{{- define "evict-to-rollout.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "evict-to-rollout.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "evict-to-rollout.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+{{- if .Values.serviceAccount.name -}}
+{{- .Values.serviceAccount.name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-sa" (include "evict-to-rollout.fullname" .) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- else -}}
+{{- .Values.serviceAccount.name | default "default" -}}
+{{- end -}}
+{{- end -}}
+
+

chart/evict-to-rollout/templates/clusterrole.yaml

@@ -0,0 +1,26 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ printf "%s-role" (include "evict-to-rollout.fullname" .) | trunc 63 | trimSuffix "-" }}
+  labels:
+    app.kubernetes.io/name: {{ include "evict-to-rollout.name" . }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["apps"]
+    resources: ["replicasets"]
+    verbs: ["get", "list"]
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get", "list", "patch"]
+{{- end }}
+
+