chore(helm): add ci lint and optional resources

Author: haasonsaas

.github/workflows/ci.yml

@@ -9,6 +9,27 @@ env:
   UV_LINK_MODE: copy
 
 jobs:
+  helm:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v3
+
+      - name: Helm lint
+        run: make helm-lint
+
+      - name: Helm template (defaults)
+        run: make helm-template
+
+      - name: Helm template (external Redis)
+        run: >
+          helm template provenance charts/provenance
+          --set redis.enabled=false
+          --set env.PROVENANCE_REDIS_URL='redis://external-redis:6379/0'
+
   test:
     runs-on: ubuntu-latest
     steps:

Makefile

@@ -1,4 +1,5 @@
 .PHONY: setup test compile run docs dashboard clickhouse-up
+.PHONY: helm-lint helm-template helm-package
 
 setup:
 	uv sync --all-extras
@@ -22,3 +23,13 @@ clickhouse-up:
 	docker run --rm -p 8123:8123 -p 9000:9000 \
 		-v $(PWD)/infrastructure/clickhouse/schema.sql:/docker-entrypoint-initdb.d/schema.sql \
 		clickhouse/clickhouse-server:latest
+
+helm-lint:
+	helm lint charts/provenance
+
+helm-template:
+	helm template provenance charts/provenance
+
+helm-package:
+	mkdir -p dist/charts
+	helm package charts/provenance --destination dist/charts

charts/provenance/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: provenance
-version: 0.2.0
+version: 0.3.0
 appVersion: "0.1.0"
 description: Helm chart for Provenance & Risk Analytics service
 type: application

charts/provenance/README.md

@@ -36,6 +36,9 @@ Common overrides:
 | `ingress.*` | Ingress configuration (class, hosts, TLS) | Disabled |
 | `redis.enabled` | Deploy bundled Redis | `true` |
 | `redis.persistence.enabled` | Provision PVC for Redis data | `false` |
+| `serviceMonitor.enabled` | Emit a ServiceMonitor for Prometheus Operator | `false` |
+| `pdb.enabled` | Create PodDisruptionBudget for API pods | `false` |
+| `networkPolicy.enabled` | Restrict pod ingress/egress with NetworkPolicy | `false` |
 
 See [`values.yaml`](values.yaml) for the full catalog (node selectors, tolerations, OTEL knobs, extra volumes, etc.).
 
@@ -44,3 +47,26 @@ See [`values.yaml`](values.yaml) for the full catalog (node selectors, toleratio
 - When enabling Redis persistence, ensure an appropriate storage class exists.
 - Provide signing keys and API tokens via `extraEnvFrom` referencing Kubernetes Secrets.
 - Enable autoscaling by toggling `autoscaling.enabled` and configuring min/max replicas and CPU utilization targets.
+
+## Packaging & Publishing
+
+Package the chart locally:
+
+```bash
+make helm-package
+# outputs dist/charts/provenance-<version>.tgz
+```
+
+To publish via GitHub Pages or an OCI registry:
+
+```bash
+helm package charts/provenance --destination dist/charts
+helm repo index dist/charts --url https://example.com/charts
+```
+
+Or push to an OCI registry:
+
+```bash
+helm package charts/provenance
+helm push provenance-<version>.tgz oci://ghcr.io/your-org/charts
+```

charts/provenance/templates/networkpolicy.yaml

@@ -0,0 +1,24 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "provenance.fullname" . }}
+  labels:
+    {{- include "provenance.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "provenance.selectorLabels" . | nindent 6 }}
+  policyTypes:
+    {{- range .Values.networkPolicy.policyTypes }}
+    - {{ . }}
+    {{- end }}
+  {{- if .Values.networkPolicy.ingress }}
+  ingress:
+    {{- toYaml .Values.networkPolicy.ingress | nindent 4 }}
+  {{- end }}
+  {{- if .Values.networkPolicy.egress }}
+  egress:
+    {{- toYaml .Values.networkPolicy.egress | nindent 4 }}
+  {{- end }}
+{{- end }}

charts/provenance/templates/pdb.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.pdb.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "provenance.fullname" . }}
+  labels:
+    {{- include "provenance.labels" . | nindent 4 }}
+spec:
+  {{- if .Values.pdb.maxUnavailable }}
+  maxUnavailable: {{ .Values.pdb.maxUnavailable }}
+  {{- else }}
+  minAvailable: {{ .Values.pdb.minAvailable }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "provenance.selectorLabels" . | nindent 6 }}
+{{- end }}

charts/provenance/templates/servicemonitor.yaml

@@ -0,0 +1,45 @@
+{{- if .Values.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "provenance.fullname" . }}
+  labels:
+    {{- include "provenance.labels" . | nindent 4 }}
+    {{- with .Values.serviceMonitor.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.serviceMonitor.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- if .Values.serviceMonitor.namespace }}
+  namespace: {{ .Values.serviceMonitor.namespace }}
+  {{- end }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "provenance.selectorLabels" . | nindent 6 }}
+  endpoints:
+    - port: http
+      path: {{ .Values.serviceMonitor.path }}
+      interval: {{ .Values.serviceMonitor.interval }}
+      {{- if .Values.serviceMonitor.scrapeTimeout }}
+      scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
+      {{- end }}
+      scheme: {{ .Values.serviceMonitor.scheme }}
+      {{- with .Values.serviceMonitor.tlsConfig }}
+      tlsConfig:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.serviceMonitor.metricRelabelings }}
+      metricRelabelings:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.serviceMonitor.relabelings }}
+      relabelings:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+  namespaceSelector:
+    matchNames:
+      - {{ default .Release.Namespace .Values.serviceMonitor.namespace }}
+{{- end }}

charts/provenance/values.yaml

@@ -94,3 +94,35 @@ ingress:
         - path: /
           pathType: Prefix
   tls: []
+
+serviceMonitor:
+  enabled: false
+  namespace: ""
+  labels: {}
+  annotations: {}
+  interval: 30s
+  scrapeTimeout: ""
+  path: /metrics
+  scheme: http
+  tlsConfig: {}
+  metricRelabelings: []
+  relabelings: []
+
+pdb:
+  enabled: false
+  minAvailable: 1
+  maxUnavailable: ""
+
+networkPolicy:
+  enabled: false
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - podSelector: {}
+      ports:
+        - protocol: TCP
+          port: 8000
+  egress:
+    - {}

docs/deployment-guide.md

@@ -129,6 +129,13 @@ spec:
 - Expose the API via an ingress controller (NGINX, Traefik, ALB).
 - Terminate TLS at the ingress or use a service mesh (Linkerd, Istio). Ensure `PROVENANCE_SERVICE_BASE_URL` matches the external HTTPS endpoint.
 
+### Helm Packaging & Release
+
+- Run `make helm-lint` and `make helm-template` (or rely on CI) before cutting releases.
+- Package the chart with `make helm-package`; artifacts land in `dist/charts/provenance-<version>.tgz`.
+- Publish to GitHub Pages (`helm repo index dist/charts --url ...`) or push to an OCI registry (`helm push provenance-<version>.tgz oci://ghcr.io/<org>/charts`).
+- Remember to bump `charts/provenance/Chart.yaml` when chart features change.
+
 ## Scaling Considerations
 
 - **Detector Throughput** – Detector execution happens synchronously per request. Increase pod count to parallelize analyses, or shard workflows by repo/team. Monitoring request latency via Prometheus helps identify bottlenecks.