Merge pull request #2036 from diggerhq/feat/helm-charts-here

Feat/helm charts here

Author: ZIJ

.github/workflows/helm-release.yml

@@ -0,0 +1,32 @@
+name: Release Helm Charts
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'helm-charts/**'
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+
+      - name: Login to GitHub Container Registry
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u ${{ github.actor }} --password-stdin
+
+      - name: Package and push chart
+        run: |
+          cd helm-charts/digger-backend
+          helm package .
+          helm push digger-backend-*.tgz oci://ghcr.io/diggerhq/helm-charts

.github/workflows/helm-test.yml

@@ -0,0 +1,29 @@
+name: Test Helm Charts
+
+on:
+  pull_request:
+    paths:
+      - 'helm-charts/**'
+      - '.github/workflows/helm-test.yml'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+
+      - name: Install helm-unittest
+        run: |
+          helm plugin install https://github.com/helm-unittest/helm-unittest.git
+
+      - name: Lint chart
+        run: |
+          helm lint helm-charts/digger-backend
+
+      - name: Run unit tests
+        run: |
+          helm unittest helm-charts/digger-backend

helm-charts/CLAUDE.md

@@ -0,0 +1,80 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Repository Overview
+
+This subdirectory contains the official Helm charts for Digger, an open-source CI/CD tool for Terraform. Currently maintains one chart: `digger-backend`.
+
+## Common Development Commands
+
+```bash
+# Install Helm unittest plugin (required for testing)
+helm plugin install https://github.com/quintush/helm-unittest
+
+# Run unit tests for the chart
+helm unittest digger-backend/
+
+# Lint the chart
+helm lint digger-backend/
+
+# Test template rendering with specific values
+helm template digger-backend ./digger-backend/ -f custom-values.yaml
+
+# Install the chart locally
+helm install digger-backend ./digger-backend/
+
+# Upgrade a release
+helm upgrade digger-backend ./digger-backend/
+```
+
+## Architecture and Structure
+
+### Chart Organization
+- `digger-backend/` - Main Helm chart directory
+  - `templates/` - Kubernetes resource templates
+  - `tests/` - Helm unit tests using helm-unittest framework
+  - `values.yaml` - Default configuration values
+  - `Chart.yaml` - Chart metadata and dependencies
+
+### Key Templates
+- `backend-deployment.yaml` - Main Digger backend deployment
+- `digger-secret.yaml` - Manages GitHub App credentials and database configuration
+- `postgres-statefulset.yaml` - Optional PostgreSQL for testing (enabled via `postgres.enabled`)
+- `backend-ingress.yaml` - Ingress configuration (enabled by default)
+
+### CI/CD Workflows
+- **Pull Request Testing**: Automatically runs `helm unittest` on PR changes
+- **Release Process**: On merge to main, runs linting, testing, and publishes to GitHub Pages
+
+### Important Configuration Patterns
+
+1. **Secret Management**: The chart supports both direct values and references to existing secrets:
+   ```yaml
+   # Direct values
+   secrets:
+     githubAppID: "12345"
+   
+   # Or reference existing secret
+   existingSecret: "my-existing-secret"
+   ```
+
+2. **Database Configuration**: Can use external PostgreSQL or deploy test instance:
+   ```yaml
+   # External database
+   postgres:
+     enabled: false
+   secrets:
+     databaseURL: "postgresql://..."
+   
+   # Test database
+   postgres:
+     enabled: true
+   ```
+
+3. **Resource Configuration**: Supports standard Kubernetes resource patterns (limits, requests, nodeSelector, tolerations, affinity)
+
+### Testing Strategy
+- Unit tests in `digger-backend/tests/` verify template rendering
+- Tests use helm-unittest framework with snapshot testing
+- CI automatically runs tests on PRs and before releases

helm-charts/README.md

@@ -0,0 +1,70 @@
+<img width="1470" alt="digger-opensource-gitops-banner" src="https://github.com/diggerhq/digger/assets/1280498/7fb44db3-38ca-4021-8714-87a2f1a14982">
+
+CI/CD for Terraform is [tricky](https://itnext.io/pains-in-terraform-collaboration-249a56b4534e). To make life easier, specialised CI systems aka [TACOS](https://itnext.io/spice-up-your-infrastructure-as-code-with-tacos-1a9c179e0783) exist - Terraform Cloud, Spacelift, Atlantis, etc.
+
+But why have 2 CI systems? Why not reuse the async jobs infrastructure with compute, orchestration, logs, etc of your existing CI?
+
+Digger runs terraform natively in your CI. This is:
+
+- Secure, because cloud access secrets aren't shared with a third-party
+- Cost-effective, because you are not paying for additional compute just to run your terraform
+
+## Differences Compared to Atlantis
+
+- No need to host and maintain a server
+- Secure by design
+- Scalable compute with jobs isolation
+- Role-based access control via OPA
+- Read more about differences with Atlantis in our blog post
+​
+## Compared to Terraform Cloud and other TACOs
+
+- Open source
+- No duplication of the CI/CD stack
+- Secrets not shared with a third party
+​
+## Support for other CI’s
+
+We are currently designing Digger to be Multi-CI, so that in addition to GitHub Actions, you can run Terraform/OpenTofu within other CI’s such as Gitlab CI, Azure DevOps, Bitbucket, TeamCity, Circle CI and Jenkins, while still having the option to orchestrate jobs using Digger’s Orchestrator Backend.
+
+Read more in this [blog](https://blog.digger.dev/how-we-are-designing-digger-to-support-multiple-ci-systems/), and please share your requirement on [Slack](https://bit.ly/diggercommunity) if you require support for other CI’s. Your feedback/insight would help us a lot as this feature is in active development.
+
+
+
+# Digger Backend Helm Chart
+
+## Installation steps
+
+The installation must be executed in two steps, as explaned in the [Digger official documentation](https://docs.digger.dev/self-host/deploy-docker-compose#create-github-app):
+
+1. Install the `digger-backend` helm chart from https://diggerhq.github.io/helm-charts/, leaving empty all the data related to the GitHub App
+2. Go to `your_digger_hostname/github/setup` to install and configure the GitHub App
+3. Configure in the helm values or in the external secret all the data related to the new GitHub app and upgrade the helm installation to reload the Digger application with the new configuration
+
+## Configuration Details
+
+To configure the Digger backend deployment with the Helm chart, you'll need to set several values in the `values.yaml` file. Below are the key configurations to consider:
+
+- `digger.image.repository`: The Docker image repository for the Digger backend (e.g., `registry.digger.dev/diggerhq/digger_backend`).
+- `digger.image.tag`: The specific version tag of the Docker image to deploy (e.g., `"v0.4.2"`).
+
+- `digger.service.type`: The type of Kubernetes service to create, such as `ClusterIP`, `NodePort`, or `LoadBalancer`.
+- `digger.service.port`: The port number that the service will expose (e.g., `3000`).
+
+- `digger.ingress.enabled`: Set to `true` to create an Ingress for the service.
+- `digger.annotations`: Add the needed annotations based on your ingress controller configuration.
+- `digger.ingress.host`: The hostname to use for the Ingress resource (e.g., `digger-backend.test`).
+- `digger.ingress.path`: The path for the Ingress resource (e.g., `/`).
+- `digger.ingress.className`: the classname to use for ingress (only considered for kuberetes >= 1.18)
+- `digger.ingress.tls.secretName`: The name of the TLS secret to use for Ingress encryption (e.g., `digger-backend-tls`).
+
+- `digger.secret.*`: Various secrets needed for the application, such as `HTTP_BASIC_AUTH_PASSWORD` and `BEARER_AUTH_TOKEN`. You can provide them directly or reference an existing Kubernetes secret by setting `useExistingSecret` to `true` and specifying `existingSecretName`.
+
+- `digger.postgres.*`: If you're using an external Postgres database, configure the `user`, `database`, and `host` accordingly. Ensure you provide the `password` either directly or through an existing secret in the `secret.*` section.
+
+Remember to replace placeholders and default values with your specific, sensitive information before deploying the chart. For example, it's essential to generate a strong `bearerAuthToken` and `postgresPassword` rather than using the defaults for security reasons.
+
+You can also deploy a PostgreSQL database ONLY FOR TEST PURPOSES configuring the `postgres.*` section:
+
+- `postgres.enabled`: Set to `true` if you want to deploy a postgres database
+- `postgres.secret.*`: As for the digger secret, you can pass the `postgres` user password directly or through an existing secret

helm-charts/digger-backend/.helmignore

@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+tests/

helm-charts/digger-backend/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: digger-backend
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.12
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "v0.6.106"

helm-charts/digger-backend/templates/_helpers.tpl

@@ -0,0 +1,51 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "digger-backend.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "digger-backend.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "digger-backend.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "digger-backend.labels" -}}
+helm.sh/chart: {{ include "digger-backend.chart" . }}
+{{ include "digger-backend.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "digger-backend.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "digger-backend.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

helm-charts/digger-backend/templates/backend-deployment.yaml

@@ -0,0 +1,76 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "digger-backend.fullname" . }}-web
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ include "digger-backend.name" . }}-web
+  template:
+    metadata:
+      labels:
+        app: {{ include "digger-backend.name" . }}-web
+    spec:
+      {{- if $.Values.digger.nodeSelector }}
+      nodeSelector:
+        {{- toYaml $.Values.digger.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if $.Values.digger.tolerations }}
+        tolerations:
+        {{- toYaml $.Values.digger.tolerations | nindent 8 }}
+      {{- end }}
+      containers:
+      - name: web
+        image: "{{ .Values.digger.image.repository }}:{{ .Values.digger.image.tag }}"
+        ports:
+        - containerPort: 3000
+        livenessProbe:
+          {{ .Values.digger.livenessProbe | toYaml | indent 10 | trim }}
+        startupProbe:
+          {{ .Values.digger.startupProbe | toYaml | indent 10 | trim }}
+        envFrom:
+        - secretRef:
+        {{- if not .Values.digger.secret.useExistingSecret }}
+            name: {{ include "digger-backend.fullname" . }}-secret
+        {{- else }}
+            name: {{ .Values.digger.secret.existingSecretName }}
+        {{- end }}
+        {{- with .Values.digger.resources }}
+        resources:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        env:
+        - name: POSTGRES_PASSWORD
+        {{- if  and .Values.postgres.enabled .Values.postgres.secret.useExistingSecret }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.postgres.secret.existingSecretName }}
+              key: postgres-password
+        {{- else if .Values.digger.postgres.existingSecretName }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.digger.postgres.existingSecretName }}
+              key: {{ .Values.digger.postgres.existingSecretKey }}
+        {{- else }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ include "digger-backend.fullname" . }}-postgres-secret
+              key: postgres-password
+        {{- end }}
+        - name: HTTP_BASIC_AUTH
+          value: "1"
+        - name: DATABASE_URL
+        {{- if .Values.postgres.enabled }}
+          value: "postgres://postgres:$(POSTGRES_PASSWORD)@{{ include "digger-backend.fullname" . }}-postgres:5432/postgres?sslmode={{ .Values.postgres.sslmode }}"
+        {{- else }}
+          {{- $pg := .Values.digger.postgres }}
+          value: "postgres://{{ $pg.user }}:$(POSTGRES_PASSWORD)@{{ $pg.host }}:{{ $pg.port }}/{{ $pg.database }}?sslmode={{ $pg.sslmode }}"
+        {{- end }}
+        - name: ALLOW_DIRTY
+          value: "{{ .Values.digger.postgres.allow_dirty }}"
+        - name: DIGGER_LOG_LEVEL
+          value: {{ .Values.digger.logLevel | quote }}
+        {{- with .Values.digger.customEnv }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}