azimuth-cloud · JohnGarbutt · May 23, 2025 · May 13, 2025 · May 23, 2025
@@ -0,0 +1,44 @@
+# NOTE: This workflow can be run locally using https://github.com/nektos/act with:
+# act -W .github/workflows/helm-lint.yaml workflow_call -s GITHUB_TOKEN=$(gh auth token)
+name: Helm Lint
+on:
+  workflow_call:
+    inputs:
+      ref:
+        type: string
+        description: The Git ref under test.
+        required: true
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.ref }}
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v3.15.3
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2
+
+      - name: Run chart-testing (lint)
+        run: |-
+          ct lint \
+            --target-branch ${{ github.event.repository.default_branch }} \
+            --charts chart/ \
+            --validate-maintainers=false
+
+      - name: Run template validation
+        run: |-
+          helm template foo chart \
+            | docker run -i --rm ghcr.io/yannh/kubeconform:latest \
+            --strict --summary
+
+      - name: Run manifest snapshot test
+        run: docker run -i --rm -v $(pwd):/apps helmunittest/helm-unittest chart
@@ -31,6 +31,12 @@ jobs:
     with:
       ref: ${{ github.event.pull_request.head.sha }}
 
+  # Run the chart linting on every PR, even from external repos
+  lint:
+    uses: ./.github/workflows/lint.yaml
+    with:
+      ref: ${{ github.event.pull_request.head.sha }}
+
   # This job exists so that PRs from outside the main repo are rejected
   fail_on_remote:
     runs-on: ubuntu-latest

@@ -21,3 +21,5 @@
 .idea/
 *.tmproj
 .vscode/
+# Helm unit-test files
+tests/
@@ -0,0 +1,129 @@
+templated manifests should match snapshot:
+  1: |
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRole
+    metadata:
+      labels:
+        app.kubernetes.io/instance: RELEASE-NAME
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: cluster-api-janitor-openstack
+        app.kubernetes.io/version: main
+        helm.sh/chart: cluster-api-janitor-openstack-0.1.0
+      name: release-name-cluster-api-janitor-openstack
+    rules:
+      - apiGroups:
+          - ""
+        resources:
+          - namespaces
+        verbs:
+          - list
+          - watch
+      - apiGroups:
+          - ""
+          - events.k8s.io
+        resources:
+          - events
+        verbs:
+          - create
+      - apiGroups:
+          - ""
+        resources:
+          - secrets
+        verbs:
+          - get
+          - delete
+      - apiGroups:
+          - infrastructure.cluster.x-k8s.io
+        resources:
+          - openstackclusters
+        verbs:
+          - list
+          - get
+          - watch
+          - patch
+      - apiGroups:
+          - apiextensions.k8s.io
+        resources:
+          - customresourcedefinitions
+        verbs:
+          - list
+          - get
+          - watch
+  2: |
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+      labels:
+        app.kubernetes.io/instance: RELEASE-NAME
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: cluster-api-janitor-openstack
+        app.kubernetes.io/version: main
+        helm.sh/chart: cluster-api-janitor-openstack-0.1.0
+      name: release-name-cluster-api-janitor-openstack
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: ClusterRole
+      name: release-name-cluster-api-janitor-openstack
+    subjects:
+      - kind: ServiceAccount
+        name: release-name-cluster-api-janitor-openstack
+        namespace: NAMESPACE
+  3: |
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      labels:
+        app.kubernetes.io/instance: RELEASE-NAME
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: cluster-api-janitor-openstack
+        app.kubernetes.io/version: main
+        helm.sh/chart: cluster-api-janitor-openstack-0.1.0
+      name: release-name-cluster-api-janitor-openstack
+    spec:
+      replicas: 1
+      selector:
+        matchLabels:
+          app.kubernetes.io/instance: RELEASE-NAME
+          app.kubernetes.io/name: cluster-api-janitor-openstack
+      strategy:
+        type: Recreate
+      template:
+        metadata:
+          labels:
+            app.kubernetes.io/instance: RELEASE-NAME
+            app.kubernetes.io/name: cluster-api-janitor-openstack
+        spec:
+          containers:
+            - env:
+                - name: CAPI_JANITOR_DEFAULT_VOLUMES_POLICY
+                  value: delete
+              image: ghcr.io/azimuth-cloud/cluster-api-janitor-openstack:main
+              imagePullPolicy: IfNotPresent
+              name: operator
+              resources: {}
+              securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop:
+                    - ALL
+                readOnlyRootFilesystem: true
+              volumeMounts:
+                - mountPath: /tmp
+                  name: tmp
+          securityContext:
+            runAsNonRoot: true
+          serviceAccountName: release-name-cluster-api-janitor-openstack
+          volumes:
+            - emptyDir: {}
+              name: tmp
+  4: |
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      labels:
+        app.kubernetes.io/instance: RELEASE-NAME
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: cluster-api-janitor-openstack
+        app.kubernetes.io/version: main
+        helm.sh/chart: cluster-api-janitor-openstack-0.1.0
+      name: release-name-cluster-api-janitor-openstack
@@ -0,0 +1,7 @@
+# To update manifest snapshots run helm unittest plugin with -u option:
+# docker run -i --rm -v $(pwd):/apps helmunittest/helm-unittest -u chart
+suite: Manifest snapshot tests
+tests:
+  - it: templated manifests should match snapshot
+    asserts:
+      - matchSnapshot: {}