Kargo applied some changes

.github/actions/promtool/action.yml

@@ -0,0 +1,14 @@
+name: Promtool
+
+inputs:
+  args:
+    description: Arguments to pass to promtool (as a single string)
+    required: true
+
+runs:
+  using: docker
+  image: docker://prom/prometheus
+  entrypoint: /bin/sh
+  args:
+    - -c
+    - promtool ${{ inputs.args }}

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+  - package-ecosystem: pip
+    directory: /
+    schedule:
+      interval: weekly

.github/workflows/ci.yml

@@ -0,0 +1,88 @@
+name: linting
+on: [push]
+jobs:
+  chart-testing:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.head_ref }}
+          show-progress: false
+
+      - uses: azure/setup-helm@v3
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: 3.x
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2
+        with:
+          version: v3.8.0
+
+      - name: Run chart-testing (lint)
+        run: ct lint --config ct.yml
+
+      - name: Helm template
+        run: |
+          mkdir helm-dist
+          for c in charts/*; do
+            helm template "$(basename "$c")" "$c" --output-dir helm-dist
+          done
+
+      - name: Read Kubernetes version from /kubernetes_version
+        run: "grep KUBERNETES_VERSION kubernetes_version >> $GITHUB_ENV"
+
+      - name: kubeconform
+        uses: docker://ghcr.io/yannh/kubeconform:latest-alpine
+        with:
+          entrypoint: /kubeconform
+          args: >
+            -kubernetes-version ${{ env.KUBERNETES_VERSION }}
+            -schema-location default
+            -schema-location
+            "https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json"
+            -summary
+            helm-dist
+
+  shellcheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          show-progress: false
+      - uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38  # 2.0.0
+        env:
+          SHELLCHECK_OPTS: -xP SCRIPTDIR
+
+  yamllint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          show-progress: false
+      - run: yamllint --version && yamllint -f github .
+
+  promcheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          show-progress: false
+      - name: Run promtool checks
+        uses: ./.github/actions/promtool
+        with:
+          args: >
+            check rules $(find charts/monitoring-config/rules -name *.yaml -not -name *_tests.yaml)
+
+  promtest:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          show-progress: false
+      - name: Run promtool tests
+        uses: ./.github/actions/promtool
+        with:
+          args: test rules charts/monitoring-config/rules/*_tests.yaml

.github/workflows/release.yml

@@ -0,0 +1,37 @@
+# See /README.md#versioned-vs-unversioned-charts.
+name: Release versioned charts
+
+on:
+  push:
+    branches: [main]
+
+jobs:
+  release:
+    permissions: write-all
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: main
+          fetch-depth: 0
+          show-progress: false
+          sparse-checkout: |
+            charts/argo-bootstrap
+            charts/ingress-class
+            charts/cluster-secret-store
+            charts/cluster-secrets
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "[email protected]"
+
+      - name: Install Helm
+        uses: azure/setup-helm@v3
+
+      - name: Run chart-releaser
+        uses: helm/[email protected]
+        env:
+          CR_SKIP_EXISTING: "true"
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/sqlfluff.yml

@@ -0,0 +1,21 @@
+name: sqlfluff
+on:
+  push:
+    paths:
+      - charts/db-backup/scripts/*.sql
+      - charts/db-backup/.sqlfluff
+      - .github/workflows/sqlfluff.yml
+jobs:
+  sqlfluff:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          show-progress: false
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+          cache: pip
+          cache-dependency-path: charts/db-backup/requirements.txt
+      - run: pip install -r charts/db-backup/requirements.txt
+      - run: sqlfluff lint

.gitignore

@@ -0,0 +1,6 @@
+# See https://git-scm.com/docs/gitignore#_pattern_format
+#
+# If you find yourself ignoring temporary files generated by your text editor
+# or operating system, you probably want to add a global ignore instead:
+#   git config --global core.excludesfile ~/.gitignore_global
+helm-dist

.yamllint

@@ -0,0 +1,15 @@
+extends: default
+
+ignore: |
+  charts/*/templates/
+
+rules:
+  comments-indentation: disable
+  document-start: disable
+  key-duplicates:
+    forbid-duplicated-merge-keys: true
+  line-length:
+    max: 100
+    allow-non-breakable-words: true
+  truthy:
+    check-keys: false  # GitHub Actions uses `on` as a key :(

LICENCE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright © 2021-2023 Crown Copyright (Government Digital Service)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,112 @@
+# GOV.UK Helm Charts
+
+## Getting started
+
+See [Helm's documentation](https://helm.sh/docs) to get started with Helm.
+
+See the [GOV.UK Kubernetes cluster
+docs](https://govuk-kubernetes-cluster-user-docs.publishing.service.gov.uk/)
+for an introduction to the cluster or ask [#govuk-platform-engineering] in
+Slack.
+
+## Versioned vs unversioned charts
+
+Most of the charts in this repository are designed to be deployed via [Argo
+CD](https://argo-cd.readthedocs.io/en/stable/) rather than by `helm install`.
+For these charts, we don't use `Chart.Version` or Helm's packaging system.
+
+A few charts are still installed via `helm install` ([via
+Terraform](https://github.com/search?q=repo%3Aalphagov%2Fgovuk-infrastructure+path%3Aterraform%2Fdeployments%2Fcluster-services+alphagov.github.io)).
+Those charts are [automatically packaged and
+pushed](https://github.com/alphagov/govuk-helm-charts/blob/main/.github/workflows/release.yml)
+to our Helm repository when a change to `Chart.Version` is merged.
+
+## Local development
+
+### Prerequisites
+
+1. Install Helm and [yq](https://github.com/mikefarah/yq#yq)
+
+    ```sh
+    brew install helm yq
+    ```
+
+1. Clone the repository
+
+    ```sh
+    git clone [email protected]:alphagov/govuk-helm-charts.git
+    ```
+
+1. Configure git hooks
+
+    ```sh
+    cd govuk-helm-charts &&
+    git config core.hooksPath git-hooks
+    ```
+
+### Installing an application chart without Argo CD
+
+```sh
+cd charts/app-config
+
+ENVIRONMENT=integration
+APP=content-publisher
+helm install $USER-${APP?} ../generic-govuk-app --values <(
+  helm template . --values values-${ENVIRONMENT}.yaml |
+  yq e '.|select(.metadata.name=="'$APP'").spec.source.helm.values'
+) --set sentry.enabled=false --set rails.createKeyBaseSecret=false
+```
+
+You can inspect the final template output by running `helm template` instead of
+`helm install`.
+
+### Chart repository
+
+Some of the charts in this git repository are published via GitHub Actions to a
+chart repository hosted on GitHub Pages.
+
+To add the chart repo to Helm:
+
+```sh
+helm repo add govuk-helm-charts https://alphagov.github.io/govuk-helm-charts/
+```
+
+You can then run `helm search repo <alias>` to see the charts.
+`helm repo update` retrieves the latest versions of the packages.
+
+## Schemas
+
+We have several Custom Resource Definitions (CRDs) installed in our Kubernetes clusters, and referenced by the Helm charts
+in this repository.
+
+We use [kubeconform] to validate our Kubernetes manifests against schemas for
+those resources. This helps us ensure that our Helm charts are correct.
+
+`kubeconform` runs in a GitHub Action as a pre-merge check and can also be run
+locally.
+
+You can run the validation tests locally by installing `kubeconform` and running
+
+```shell
+mkdir helm-dist
+for c in charts/*; do
+  helm template "$(basename "$c")" "$c" --output-dir helm-dist
+done
+
+kubeconform -schema-location default \
+-schema-location "https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json" \
+-summary helm-dist
+```
+
+[kubeconform]: https://github.com/yannh/kubeconform
+
+## Team
+
+[GOV.UK Platform Engineering](https://github.com/orgs/alphagov/teams/gov-uk-platform-engineering) team looks after this repo. If you're inside GDS, you can find us in [#govuk-platform-engineering] or view our [kanban board](https://trello.com/b/u4FCzm53/).
+
+## Licence
+
+[MIT License](LICENCE)
+
+
+[#govuk-platform-engineering]: https://gds.slack.com/channels/govuk-platform-engineering

charts/app-config/.helmignore

@@ -0,0 +1 @@
+/ci/

charts/app-config/Chart.yaml

@@ -0,0 +1,6 @@
+# https://argo-cd.readthedocs.io/en/stable/operator-manual/cluster-bootstrapping/
+# https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/
+apiVersion: v2
+name: app-config
+description: Configuration of apps managed by ArgoCD.
+version: 1.0.0

charts/app-config/README.md

@@ -0,0 +1,23 @@
+# Application configuration Helm chart
+
+The `app-config` chart defines the `Application` resources which determine
+which Helm charts ArgoCD continuously deploys into the cluster, the Helm values
+which are passed into those charts and other configuration relating to the
+GOV.UK apps to be deployed into the cluster.
+
+App configuration belongs in this chart if it is:
+
+ - common to several GOV.UK applications.
+ - app-specific but not able to be put in the app's own chart, for example
+   because the app uses the `generic-govuk-app` chart.
+
+This includes:
+
+ - the `govuk-apps-env` ConfigMap, which contains environment variables common
+   to most GOV.UK apps.
+ - `ExternalSecrets` mappings for AWS secrets for apps which don't have their own charts.
+
+## Configuration which belongs elsewhere
+
+ExternalSecrets for base cluster services belong in
+[../cluster-secrets](../cluster-secrets).

charts/app-config/ci/integration-values.yaml

@@ -0,0 +1 @@
+../values-integration.yaml

charts/app-config/ci/production-values.yaml

@@ -0,0 +1 @@
+../values-production.yaml

charts/app-config/ci/staging-values.yaml

@@ -0,0 +1 @@
+../values-staging.yaml

charts/app-config/helm-versions/integration

@@ -0,0 +1,7 @@
+# $repo_url $chart_name: "$chart_version"
+https://kubernetes-sigs.github.io/aws-ebs-csi-driver aws-ebs-csi-driver: "2.27.0"
+https://kubernetes.github.io/autoscaler cluster-autoscaler: "9.35.0"
+https://charts.dexidp.io dex: "0.16.0"
+https://charts.bitnami.com/bitnami external-dns: "6.33.0"
+https://charts.external-secrets.io external-secrets: "0.9.13"
+https://stakater.github.io/stakater-charts reloader: "1.0.67"

charts/app-config/helm-versions/production

@@ -0,0 +1,7 @@
+# $repo_url $chart_name: "$chart_version"
+https://kubernetes-sigs.github.io/aws-ebs-csi-driver aws-ebs-csi-driver: "2.27.0"
+https://kubernetes.github.io/autoscaler cluster-autoscaler: "9.35.0"
+https://charts.dexidp.io dex: "0.16.0"
+https://charts.bitnami.com/bitnami external-dns: "6.33.0"
+https://charts.external-secrets.io external-secrets: "0.9.13"
+https://stakater.github.io/stakater-charts reloader: "1.0.67"

charts/app-config/helm-versions/staging

@@ -0,0 +1,7 @@
+# $repo_url $chart_name: "$chart_version"
+https://kubernetes-sigs.github.io/aws-ebs-csi-driver aws-ebs-csi-driver: "2.27.0"
+https://kubernetes.github.io/autoscaler cluster-autoscaler: "9.35.0"
+https://charts.dexidp.io dex: "0.16.0"
+https://charts.bitnami.com/bitnami external-dns: "6.33.0"
+https://charts.external-secrets.io external-secrets: "0.9.13"
+https://stakater.github.io/stakater-charts reloader: "1.0.67"