This repository contains Helm charts and CI/CD automation for deploying services at the Canadian Astronomy Data Centre (CADC), including the CANFAR Science Platform.
The repository implements a fully automated release and deployment pipeline:
- Helm Charts - Kubernetes deployments for platform services (`helm/applications/`) and shared libraries (`helm/common/`)
- Automated Releases - Release-Please manages semantic versioning and changelogs for each chart independently
- Secure Publishing - Helm charts are published to OCI registries with keyless signing (Sigstore/Cosign) and build attestations
- Dependency Management - Renovate automatically updates dependencies, container images, and chart `appVersion` fields
- Documentation - Comprehensive operational guides and runbooks for platform operators
This section is automatically generated. Do not edit manually.
| Chart | Description |
|---|---|
| base | A Helm chart to install base components of the CANFAR Science Platform |
| science-portal | A Helm chart for Science Portal Next.js application |
| cavern | A Helm chart to install the VOSpace User Storage API (Cavern) |
| posixmapper | A Helm chart to install the UID/GID POSIX Mapper |
| scienceportal | A Helm chart to install the Science Portal UI |
| skaha | A Helm chart to install the Skaha web service of the CANFAR Science Platform |
| sshd | An SSHD service with SSSD to get users from LDAP |
| storageui | A Helm chart to install the User Storage UI |
| utils | A library Helm chart for common tasks |
| common | A Library Helm Chart for grouping common logic between charts. This chart is not deployable. |
Charts are managed via `.release-please-manifest.json` for automated versioning and releases.
Helm charts are signed keylessly with Sigstore Cosign, with signatures recorded in the Rekor transparency log, and carry GitHub Attestations for build provenance.
To verify a chart at `oci://images.opencadc.org/platform/skaha:1.2.3`, run:

```bash
# Install Cosign
brew install cosign
# Set experimental mode for keyless verification
# (needed only on Cosign 1.x; Cosign 2.x verifies keyless signatures by default)
export COSIGN_EXPERIMENTAL=1
cosign verify --certificate-identity-regexp="https://github.com/opencadc/deployments" --certificate-oidc-issuer="https://token.actions.githubusercontent.com" images.opencadc.org/platform/skaha:1.2.3
```

To verify the chart's provenance (the build pipeline, environment variables, etc.), run:

```bash
gh auth login
gh attestation verify oci://images.opencadc.org/platform/skaha:1.2.3 --owner opencadc
```

To add a new Helm chart to the repository:
```bash
# Create chart directory
mkdir -p helm/applications/<chart-name>
cd helm/applications/<chart-name>
# Initialize chart
helm create . --starter <starter-chart> # or manually create Chart.yaml, values.yaml, templates/
```

Add the Renovate marker comment before `appVersion` to enable automatic version updates:
```yaml
# Chart.yaml
apiVersion: v2
name: my-chart
description: "Description of my chart"
type: application
version: 0.1.0
# renovate: image=<registry>/<repository>/<image-name>
appVersion: "1.0.0"
```

Example:

```yaml
# renovate: image=images.opencadc.org/platform/my-service
appVersion: "1.0.0"
```

This enables Renovate to automatically update `appVersion` when the container image version changes.
Create a `README.md.gotmpl` template for auto-generated documentation:

```
{{ template "chart.header" . }}
{{ template "chart.description" . }}
| Chart | AppVersion | Type |
|:-----:|:----------:|:----:|
|{{ template "chart.version" . }}<!-- x-release-please-version --> | {{ template "chart.appVersion" . }} | {{ template "chart.type" . }} |
{{ template "chart.homepageLine" . }}
{{ template "chart.requirementsSection" . }}
{{ template "chart.valuesSection" . }}
```

The `<!-- x-release-please-version -->` comment is required for Release-Please to update the version in the generated `README.md`.
Add the chart to `.release-please-manifest.json`:

```json
{
  "helm/applications/<chart-name>": "0.1.0"
}
```

```bash
# From repository root
uv run pre-commit run --all-files
```

```bash
git add helm/applications/<chart-name>
git add .release-please-manifest.json
git commit -m "feat(helm): add <chart-name> chart"
git push origin <branch-name>
```

Once merged, Release-Please will automatically:
- Create a release PR when changes are detected
- Generate/update CHANGELOG.md
- Publish the chart to the OCI registry with keyless signing
- Create GitHub releases with build attestations
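
On the consuming side, the signature and attestation checks described earlier in this README can be combined into one gate that pulls a chart only when both pass. The script below is an added example, not code from this repository: the script name, the anchored identity pattern, the `release.yml` workflow file name and the two sample identities are assumptions made for illustration. It anchors the certificate identity so that a repository whose name merely starts with `opencadc/deployments` is rejected.

```shell
#!/usr/bin/env bash
# Added example, not part of the opencadc/deployments repository.
REPO_URL="https://github.com/opencadc/deployments"    # from this README
ISSUER="https://token.actions.githubusercontent.com"  # from this README
OWNER="opencadc"                                      # from this README

# Constructed certificate identities; the workflow file name is hypothetical.
GOOD_ID="$REPO_URL/.github/workflows/release.yml@refs/heads/main"
LOOKALIKE_ID="$REPO_URL-mirror/.github/workflows/release.yml@refs/heads/main"

# Anchored pattern for the signing identity. GitHub Actions keyless identities
# have the form <repo-url>/.github/workflows/<file>@<ref>, so anchoring at both
# ends and requiring the slash after the repository name pins the repository.
identity_regex() {
  printf '^%s/\\.github/workflows/[^@]+@.+$' \
    "$(printf '%s' "$REPO_URL" | sed 's/\./\\./g')"
}

# Succeeds when identity $2 contains a match for pattern $1 (unanchored search,
# which is how a regexp without ^ and $ behaves).
matches() { printf '%s\n' "$2" | grep -Eq -- "$1"; }

# Verify signature, then provenance, and pull only if both checks pass.
verify_chart() {
  local chart="$1" version="$2"  # e.g. images.opencadc.org/platform/skaha 1.2.3
  cosign verify \
    --certificate-identity-regexp="$(identity_regex)" \
    --certificate-oidc-issuer="$ISSUER" \
    "$chart:$version" >/dev/null \
    || { echo "signature verification failed: $chart:$version" >&2; return 1; }
  gh attestation verify "oci://$chart:$version" --owner "$OWNER" >/dev/null \
    || { echo "provenance verification failed: $chart:$version" >&2; return 1; }
  helm pull "oci://$chart" --version "$version"
}

# Usage: ./verify-chart.sh images.opencadc.org/platform/skaha 1.2.3
if [ "$#" -eq 2 ]; then verify_chart "$1" "$2"; fi
```

Calling `matches "$REPO_URL" "$LOOKALIKE_ID"` succeeds while `matches "$(identity_regex)" "$LOOKALIKE_ID"` fails, which is the difference the anchoring makes.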