feat: initial commit

Author: netanelC

.github/workflows/build-and-push-helm.yaml

@@ -0,0 +1,64 @@
+name: Build and Push Helm Chart
+
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  push-helm-package:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v5
+
+      - name: Derive domain, chart name and chart version from release
+        id: chart_metadata
+        env:
+          # The release tag that triggered this workflow, e.g. "infra-jenkins-v5.8.63"
+          TAG_NAME: ${{ github.event.release.tag_name }}
+        run: |
+          set -euo pipefail
+
+          # Expect tag format: <chart-name>-v<version>
+          [[ "$TAG_NAME" =~ ^([a-zA-Z0-9._-]+)-v?([0-9][0-9A-Za-z.+-]*)$ ]]
+          CHART_NAME="${BASH_REMATCH[1]}"
+          CHART_VERSION="${BASH_REMATCH[2]}"
+
+          # Extract domain from Chart.yaml annotations
+          DOMAIN=$(yq e -r '.annotations.domain' "$CHART_NAME/Chart.yaml")
+
+          # Expose values to later steps
+          {
+            echo "chart_name=$CHART_NAME"
+            echo "version=$CHART_VERSION"
+            echo "domain=$DOMAIN"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+
+      - name: Push Chart to ACR
+        uses: appany/[email protected]
+        with:
+          name: ${{ steps.chart_metadata.outputs.chart_name }}
+          repository: helm/${{ steps.chart_metadata.outputs.domain }}
+          tag: ${{ steps.chart_metadata.outputs.version }}
+          path: ./${{ steps.chart_metadata.outputs.chart_name }}
+          registry: ${{ secrets.ACR_URL }}
+          registry_username: ${{ secrets.ACR_PUSH_USER }}
+          registry_password: ${{ secrets.ACR_PUSH_TOKEN }}
+          update_dependencies: 'true' # Defaults to false
+
+      - name: Update Helm Package in artifacts.json
+        uses: MapColonies/shared-workflows/actions/update-artifacts-file@update-artifacts-file-v1
+        with:
+          domain: ${{ steps.chart_metadata.outputs.domain }}
+          type: helm
+          artifact_name: ${{ steps.chart_metadata.outputs.chart_name }}
+          artifact_tag: ${{ steps.chart_metadata.outputs.version }}
+          registry: ${{ secrets.ACR_URL }}
+          github_token: ${{ secrets.GH_PAT }}

.github/workflows/release-please.yaml

@@ -0,0 +1,12 @@
+name: Release shared-workflows
+
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: googleapis/release-please-action@v4

.gitignore

@@ -0,0 +1,3 @@
+*.tgz
+node_modules
+Chart.lock

.release-please-manifest.json

@@ -0,0 +1 @@
+{}

core-stack/Chart.yaml

@@ -0,0 +1,23 @@
+apiVersion: v2
+name: infra-core-stack
+description: A Helm chart for deploying MinIO, Redis, and PostgreSQL
+annotations:
+  domain: infra
+version: 0.1.0
+dependencies:
+  - name: minio
+    version: 14.7.0
+    repository: https://charts.bitnami.com/bitnami
+    condition: minio.enabled
+  - name: redis
+    version: 18.5.0
+    repository: https://charts.bitnami.com/bitnami
+    condition: redis.enabled
+  - name: postgresql
+    version: 13.1.0
+    repository: https://charts.bitnami.com/bitnami
+    condition: postgresql.enabled
+  - name: elasticsearch
+    version: 21.3.0
+    repository: https://charts.bitnami.com/bitnami
+    condition: elasticsearch.enabled

core-stack/templates/minio-lb-service.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: minio-lb
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    {{ include "common-labels-and-annotations.serviceLabels" . | nindent 4 }}
+  annotations:
+    {{ include "common-labels-and-annotations.serviceAnnotations" . | nindent 4 }}
+spec:
+  type: LoadBalancer
+  selector:
+    app.kubernetes.io/name: "minio"
+    app.kubernetes.io/instance: {{ .Release.Name }}
+
+  ports:
+    - protocol: TCP
+      port: {{ .Values.minio.service.port }}
+      targetPort: {{ .Values.minio.service.targetPort }}

core-stack/values.yaml

@@ -0,0 +1,128 @@
+global:
+
+minio:
+  enabled: true
+  auth:
+    rootUser: minio
+    rootPassword: minio123
+  persistence:
+    size: 10Gi
+  resources:
+    limits:
+      cpu: 1
+      memory: 2Gi
+    requests:
+      cpu: 500m
+      memory: 1Gi
+  service:
+    port: 9001
+    targetPort: 9001
+  commonLabels:
+    mapcolonies.io/environment: "production"
+    mapcolonies.io/component: "infrastructure"
+    mapcolonies.io/part-of: "core-stack"
+    mapcolonies.io/owner: "infra" 
+
+redis:
+  enabled: true
+  metrics:
+    enabled: true
+    containerSecurityContext:
+      enabled: false
+      runAsUser: 1000870000
+  architecture: standalone
+  auth:
+    enabled: true
+    password: password
+  commonConfiguration: |-
+    # Enable AOF https:redis.io/topics/persistence#append-only-file
+    appendonly no
+    protected-mode no
+    # Disable RDB https, AOF persistence already enabled.
+    save ""
+  debug: false
+  image:
+    registry: docker.io
+    repository: bitnami/redis
+    tag: 7.2.1
+  commonLabels:
+    mapcolonies.io/environment: "production"
+    mapcolonies.io/component: "infrastructure"
+    mapcolonies.io/part-of: "core-stack"
+    mapcolonies.io/owner: "infra" 
+  master:
+    configuration: |
+      maxmemory 5gb
+      maxmemory-policy allkeys-lfu
+    containerSecurityContext:
+      enabled: false
+      runAsUser: 1000870000
+    count: 1
+    disableCommands:
+      - FLUSHALL
+    kind: StatefulSet
+    persistence:
+      accessModes:
+        - ReadWriteOnce
+      enabled: false
+      size: 1Gi
+    podLabels:
+      app: redis
+      role: master
+    podSecurityContext:
+      enabled: false
+      fsGroup: 1000870000
+    resources:
+      limits:
+        cpu: 0.5
+        memory: 5.5Gi
+      requests:
+        cpu: 0.125
+        memory: 5.5Gi
+    pullPolicy: Always
+    serviceAccount:
+      create: false
+
+elasticsearch:
+  enabled: true
+  image:
+    tag: 8.16.1-debian-12-r1
+
+  commonLabels:
+    mapcolonies.io/environment: "production"
+    mapcolonies.io/component: "infrastructure"
+    mapcolonies.io/part-of: "core-stack"
+    mapcolonies.io/owner: "infra" 
+
+  master:
+    containerSecurityContext:
+      enabled: false
+    podSecurityContext:
+      enabled: false
+
+  coordinating:
+    containerSecurityContext:
+      enabled: false
+    podSecurityContext:
+      enabled: false
+
+  data:
+    containerSecurityContext:
+      enabled: false
+    podSecurityContext:
+      enabled: false
+
+  ingest:
+    containerSecurityContext:
+      enabled: false
+    podSecurityContext:
+      enabled: false
+
+  extraEnvVars:
+  - name: ELASTIC_USERNAME
+    value: elastic
+  - name: ELASTIC_PASSWORD
+    value: adminpassword
+
+  sysctlImage:
+    enabled: false

gatekeeper-constraints/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v2
+name: gatekeeper-constraints
+description: Deploy Gatekeeper ConstraintTemplates and Constraints
+type: application
+version: 0.1.0

gatekeeper-constraints/README.md

@@ -0,0 +1,36 @@
+# gatekeeper-constraints
+
+Helm chart for Gatekeeper rules that make sure Pods have the right **labels** and **annotations**.
+
+## ⚙️ What it does
+
+- ✅ Checks Pods for required labels and annotations  
+- ⚠️ Runs in **WARN (audit-only)** mode by default (shows violations, doesn’t block deploys)  
+- 🔧 Fully configurable in `values.yaml`  
+
+## 🛠️ Checks
+Fully configurable in `values.yaml`  
+
+**Annotations**
+- `prometheus.io/path`
+- `prometheus.io/port`
+- `prometheus.io/scrape`
+
+**Labels**
+- `app.kubernetes.io/name`
+- `app.kubernetes.io/instance`
+- `app.kubernetes.io/version`
+- `app.kubernetes.io/managed-by`
+- `mapcolonies.io/part-of`
+- `mapcolonies.io/owner`
+- `mapcolonies.io/environment`
+- `mapcolonies.io/component`
+
+## 🔍 See Violations
+
+- In the **OCP console** → open the `Constraint` resource under the `CustomResourceDefinitions` tab.
+- Or via CLI:
+  ```bash
+  kubectl get K8sRequiredLabels.require-pod-labels -o yaml
+  kubectl get K8sRequiredAnnotations.require-pod-annotations -o yaml
+  ```

gatekeeper-constraints/templates/constraint-k8srequiredannotations.yaml

@@ -0,0 +1,21 @@
+{{- if .Values.constraints.k8sRequiredAnnotations.enabled }}
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sRequiredAnnotations
+metadata:
+  name: require-pod-annotations
+spec:
+  enforcementAction: {{ .Values.constraints.k8sRequiredAnnotations.enforcementAction | quote }}
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+    {{- if .Values.namespaces }}
+    namespaces:
+      {{ toYaml .Values.namespaces | nindent 6 }}
+    {{- end }}
+  parameters:
+    annotations:
+{{- with .Values.constraints.k8sRequiredAnnotations.annotations }}
+{{ toYaml . | nindent 6 }}
+{{- end }}
+{{- end }}