Add helm chart linting and snapshot testing

.github/workflows/build-push-artifacts.yaml

@@ -67,7 +67,6 @@ jobs:
           push: true
           tags: ${{ steps.image-meta.outputs.tags }}
           labels: ${{ steps.image-meta.outputs.labels }}
-          github-token: ${{ secrets.GITHUB_TOKEN }}
 
   build_push_chart:
     name: Build and push Helm chart

.github/workflows/helm-lint.yaml

@@ -0,0 +1,48 @@
+# NOTE: This workflow can be run locally using https://github.com/nektos/act with:
+# act -W .github/workflows/helm-lint.yaml workflow_call -s GITHUB_TOKEN=$(gh auth token)
+name: Helm Lint
+on:
+  workflow_call:
+    inputs:
+      ref:
+        type: string
+        description: The Git ref under test.
+        required: true
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.ref }}
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v3.15.3
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2
+
+      - name: Run chart-testing (lint)
+        run: |-
+          ct lint \
+            --target-branch ${{ github.event.repository.default_branch }} \
+            --charts chart/ \
+            --validate-maintainers=false
+
+        # Dependency build required for reloader
+        # Additional schemas required for cert-manager
+      - name: Run template validation
+        run: |-
+          helm dependency build && helm template foo chart \
+            | docker run -i --rm ghcr.io/yannh/kubeconform:latest \
+            -schema-location default \
+            -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json' \
+            --strict --summary
+
+      - name: Run manifest snapshot test
+        run: docker run -i --rm -v $(pwd):/apps helmunittest/helm-unittest chart

.github/workflows/test-pr.yaml

@@ -24,6 +24,12 @@ jobs:
     with:
       ref: ${{ github.event.pull_request.head.sha }}
 
+  # Run the chart linting on every PR, even from external repos
+  lint:
+    uses: ./.github/workflows/lint.yaml
+    with:
+      ref: ${{ github.event.pull_request.head.sha }}
+
   # This job exists so that PRs from outside the main repo are rejected
   fail_on_remote:
     runs-on: ubuntu-latest
@@ -68,7 +74,7 @@ jobs:
       - name: Run Azimuth tests
         uses: azimuth-cloud/azimuth-config/.github/actions/test@devel
 
-      # Tear down the environment
+      # Tear down the environment
       - name: Destroy Azimuth
         uses: azimuth-cloud/azimuth-config/.github/actions/destroy@devel
         if: ${{ always() }}

CONTRIBUTING.md

@@ -0,0 +1,22 @@
+# Contributing
+
+We welcome contributions and suggestions for improvements to this code base.
+Please check for relevant issues and PRs before opening a new one of your own.
+
+## Making a contribution
+
+### Helm template snapshots
+
+The CI in this repository uses the Helm
+[unittest](https://github.com/helm-unittest/helm-unittest) plugin's
+snapshotting functionality to check PRs for changes to the templated manifests.
+Therefore, if your PR makes changes to the manifest templates or values, you
+will need to update the saved snapshots to allow your changes to pass the
+automated tests. The easiest way to do this is to run the helm unittest command
+inside a docker container from the repo root.
+
+```
+docker run -i --rm -v $(pwd):/apps helmunittest/helm-unittest chart -u
+```
+
+where the `-u` option is used to update the existing snapshots.

Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:jammy as helm
+FROM ubuntu:jammy AS helm
 
 RUN apt-get update && \
     apt-get install -y curl && \
@@ -66,22 +66,22 @@ RUN /venv/bin/pip install -e /app
 FROM ubuntu:jammy
 
 # Don't buffer stdout and stderr as it breaks realtime logging
-ENV PYTHONUNBUFFERED 1
+ENV PYTHONUNBUFFERED=1
 
 # Make httpx use the system trust roots
 # By default, this means we use the CAs from the ca-certificates package
-ENV SSL_CERT_FILE /etc/ssl/certs/ca-certificates.crt
+ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
 
 # Tell Helm to use /tmp for mutable data
-ENV HELM_CACHE_HOME /tmp/helm/cache
-ENV HELM_CONFIG_HOME /tmp/helm/config
-ENV HELM_DATA_HOME /tmp/helm/data
+ENV HELM_CACHE_HOME=/tmp/helm/cache
+ENV HELM_CONFIG_HOME=/tmp/helm/config
+ENV HELM_DATA_HOME=/tmp/helm/data
 
 # Create the user that will be used to run the app
-ENV APP_UID 1001
-ENV APP_GID 1001
-ENV APP_USER app
-ENV APP_GROUP app
+ENV APP_UID=1001
+ENV APP_GID=1001
+ENV APP_USER=app
+ENV APP_GROUP=app
 RUN groupadd --gid $APP_GID $APP_GROUP && \
     useradd \
       --no-create-home \

chart/.helmignore

@@ -21,3 +21,5 @@
 .idea/
 *.tmproj
 .vscode/
+# Helm unit-test files
+tests/