feat: create helm chart for zarf-agent

Signed-off-by: Jeff Rescignano <jeffr@defenseunicorns.com>

Author: JeffResc

packages/zarf-agent/agent-values.yaml

@@ -0,0 +1,42 @@
+serviceAccount:
+  name: zarf
+
+clusterRole:
+  name: service-viewer
+
+clusterRoleBinding:
+  name: service-viewer-binding
+
+role:
+  name: zarf-agent
+
+roleBinding:
+  name: zarf-agent-binding
+
+secret:
+  name: agent-hook-tls
+  tlsCrt: "###ZARF_AGENT_CRT###"
+  tlsKey: "###ZARF_AGENT_KEY###"
+
+service:
+  name: agent-hook
+
+deployment:
+  name: agent-hook
+  replicaCount: 2
+
+image:
+  repository: "###ZARF_REGISTRY###/###ZARF_CONST_AGENT_IMAGE###"
+  tag: "###ZARF_CONST_AGENT_IMAGE_TAG###"
+  pullSecret: private-registry
+
+resources:
+  requests:
+    memory: "32Mi"
+    cpu: "100m"
+  limits:
+    memory: "128Mi"
+    cpu: "500m"
+
+affinity: {}
+tolerations: []

packages/zarf-agent/chart/Chart.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+description: Zarf agent
+name: zarf-agent
+version: 1.0.0
+
+maintainers:
+  - name: The Zarf Authors
+    url: https://zarf.dev

packages/zarf-agent/chart/templates/clusterrole.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.clusterRole.name }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - get
+      - list

packages/zarf-agent/chart/templates/clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Values.clusterRoleBinding.name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.clusterRole.name }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.serviceAccount.name }}
+    namespace: {{ .Release.Namespace }}

packages/zarf-agent/manifests/deployment.yaml renamed to packages/zarf-agent/chart/templates/deployment.yaml

@@ -1,36 +1,36 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: agent-hook
-  namespace: zarf
+  name: {{ .Values.deployment.name }}
+  namespace: {{ .Release.Namespace }}
   labels:
     app: agent-hook
 spec:
-  replicas: 2
+  replicas: {{ .Values.deployment.replicaCount }}
   selector:
     matchLabels:
       app: agent-hook
   template:
     metadata:
       labels:
         app: agent-hook
-        # Don't mutate this pod, that would be sad times
         zarf.dev/agent: ignore
     spec:
       imagePullSecrets:
-        - name: private-registry
+        - name: {{ .Values.image.pullSecret }}
       priorityClassName: system-node-critical
-      serviceAccountName: zarf
-      # Security context to comply with restricted PSS
+      serviceAccountName: {{ .Values.serviceAccount.name }}
       securityContext:
         runAsUser: 65532
         fsGroup: 65532
         runAsGroup: 65532
         seccompProfile:
           type: "RuntimeDefault"
+      affinity: {{- toYaml .Values.affinity | nindent 8 }}
+      tolerations: {{- toYaml .Values.tolerations | nindent 8 }}
       containers:
         - name: server
-          image: "###ZARF_REGISTRY###/###ZARF_CONST_AGENT_IMAGE###:###ZARF_CONST_AGENT_IMAGE_TAG###"
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: IfNotPresent
           livenessProbe:
             httpGet:
@@ -47,25 +47,23 @@ spec:
               drop: ["ALL"]
           resources:
             requests:
-              memory: "32Mi"
-              cpu: "100m"
+              memory: {{ .Values.resources.requests.memory }}
+              cpu: {{ .Values.resources.requests.cpu }}
             limits:
-              memory: "128Mi"
-              cpu: "500m"
+              memory: {{ .Values.resources.limits.memory }}
+              cpu: {{ .Values.resources.limits.cpu }}
           volumeMounts:
             - name: tls-certs
               mountPath: /etc/certs
               readOnly: true
-            # Required for OpenShift to mount k9s vendored directories
             - name: config
               mountPath: /.config
             - name: xdg
               mountPath: /etc/xdg
       volumes:
         - name: tls-certs
           secret:
-            secretName: agent-hook-tls
-        # Required for OpenShift to mount k9s vendored directories
+            secretName: {{ .Values.secret.name }}
         - name: config
           emptyDir: {}
         - name: xdg

packages/zarf-agent/chart/templates/role.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Values.role.name }}
+  namespace: {{ .Release.Namespace }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get

packages/zarf-agent/chart/templates/rolebinding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Values.roleBinding.name }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Values.role.name }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.serviceAccount.name }}
+    namespace: {{ .Release.Namespace }}

packages/zarf-agent/chart/templates/secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.secret.name }}
+  namespace: {{ .Release.Namespace }}
+type: kubernetes.io/tls
+data:
+  tls.crt: {{ .Values.secret.tlsCrt | quote }}
+  tls.key: {{ .Values.secret.tlsKey | quote }}

packages/zarf-agent/manifests/service.yaml renamed to packages/zarf-agent/chart/templates/service.yaml

@@ -1,8 +1,8 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: agent-hook
-  namespace: zarf
+  name: {{ .Values.service.name }}
+  namespace: {{ .Release.Namespace }}
 spec:
   selector:
     app: agent-hook

packages/zarf-agent/chart/templates/serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccount.name }}
+  namespace: {{ .Release.Namespace }}

packages/zarf-agent/manifests/webhook.yaml renamed to packages/zarf-agent/chart/templates/webhook.yaml

@@ -30,8 +30,8 @@ webhooks:
           operator: DoesNotExist
     clientConfig:
       service:
-        name: agent-hook
-        namespace: zarf
+        name: {{ .Values.service.name }}
+        namespace: {{ .Release.Namespace }}
         path: "/mutate/pod"
       caBundle: "###ZARF_AGENT_CA###"
     rules:
@@ -73,8 +73,8 @@ webhooks:
             - "ignore"
     clientConfig:
       service:
-        name: agent-hook
-        namespace: zarf
+        name: {{ .Values.service.name }}
+        namespace: {{ .Release.Namespace }}
         path: "/mutate/flux-ocirepository"
       caBundle: "###ZARF_AGENT_CA###"
     rules:
@@ -115,8 +115,8 @@ webhooks:
             - "ignore"
     clientConfig:
       service:
-        name: agent-hook
-        namespace: zarf
+        name: {{ .Values.service.name }}
+        namespace: {{ .Release.Namespace }}
         path: "/mutate/flux-helmrepository"
       caBundle: "###ZARF_AGENT_CA###"
     rules:
@@ -159,8 +159,8 @@ webhooks:
             - "ignore"
     clientConfig:
       service:
-        name: agent-hook
-        namespace: zarf
+        name: {{ .Values.service.name }}
+        namespace: {{ .Release.Namespace }}
         path: "/mutate/flux-gitrepository"
       caBundle: "###ZARF_AGENT_CA###"
     rules:
@@ -203,8 +203,8 @@ webhooks:
             - "ignore"
     clientConfig:
       service:
-        name: agent-hook
-        namespace: zarf
+        name: {{ .Values.service.name }}
+        namespace: {{ .Release.Namespace }}
         path: "/mutate/argocd-application"
       caBundle: "###ZARF_AGENT_CA###"
     rules:
@@ -249,8 +249,8 @@ webhooks:
             - repository
     clientConfig:
       service:
-        name: agent-hook
-        namespace: zarf
+        name: {{ .Values.service.name }}
+        namespace: {{ .Release.Namespace }}
         path: "/mutate/argocd-repository"
       caBundle: "###ZARF_AGENT_CA###"
     rules:

packages/zarf-agent/manifests/clusterrole.yaml

@@ -19,19 +19,14 @@ components:
     required: true
     images:
       - "###ZARF_PKG_TMPL_AGENT_IMAGE_DOMAIN######ZARF_PKG_TMPL_AGENT_IMAGE###:###ZARF_PKG_TMPL_AGENT_IMAGE_TAG###"
-    manifests:
+    charts:
       - name: zarf-agent
+        releaseName: zarf-agent
+        localPath: chart
+        version: 1.0.0
         namespace: zarf
-        files:
-          - manifests/service.yaml
-          - manifests/secret.yaml
-          - manifests/deployment.yaml
-          - manifests/webhook.yaml
-          - manifests/role.yaml
-          - manifests/rolebinding.yaml
-          - manifests/clusterrole.yaml
-          - manifests/clusterrolebinding.yaml
-          - manifests/serviceaccount.yaml
+        valuesFiles:
+          - agent-values.yaml
     actions:
       onCreate:
         before: