feat: Powerpipe (#43)

Author: amartingarcia

.github/updatecli/helm-appversion.yaml

@@ -10,21 +10,19 @@ sources:
         pattern: ">=v2.0.0"
 conditions: {}
 targets:
-  appVersion:
-    name: bump appVersion
+  imageTag:
+    name: bump steampipe image tag in values.yaml
     kind: helmchart
     spec:
       name: charts/steampipe
-      file: Chart.yaml
-      key: $.appVersion
+      file: values.yaml
+      key: $.image.tag
     sourceid: steampipe
-  chartVersion:
-    name: bump chart version
+  appVersion:
+    name: bump appVersion in Chart.yaml (informational reference)
     kind: helmchart
     spec:
       name: charts/steampipe
       file: Chart.yaml
-      key: $.version
+      key: $.appVersion
     sourceid: steampipe
-    transformers:
-      - trimprefix: "v"

.github/updatecli/helm-powerpipe-tag.yaml

@@ -0,0 +1,22 @@
+sources:
+  powerpipe:
+    kind: githubrelease
+    spec:
+      owner: "devops-ia"
+      repository: "powerpipe"
+      token: {{ requiredEnv "GITHUB_TOKEN" }}
+      versionFilter:
+        kind: semver
+        pattern: ">=v1.0.0"
+conditions: {}
+targets:
+  powerpipeTag:
+    name: bump powerpipe image tag in values.yaml
+    kind: helmchart
+    spec:
+      name: charts/steampipe
+      file: values.yaml
+      key: $.powerpipe.image.tag
+    sourceid: powerpipe
+    transformers:
+      - addprefix: "v"

charts/steampipe/Chart.yaml

@@ -1,12 +1,13 @@
 apiVersion: v2
 name: steampipe
-description: A Helm chart for Kubernetes to deploy Steampipe
+description: A Helm chart for Kubernetes to deploy Steampipe and optionally Powerpipe
 type: application
 version: 2.4.1
 appVersion: v2.4.1
 home: https://github.com/devops-ia/helm-steampipe
 sources:
   - https://github.com/devops-ia/steampipe
+  - https://github.com/devops-ia/powerpipe
   - https://github.com/devops-ia/helm-steampipe
 maintainers:
   - name: amartingarcia
@@ -15,6 +16,9 @@ maintainers:
     email: hello@ialejandro.rocks
 keywords:
   - steampipe
+  - powerpipe
   - sql
   - cloud
   - devops
+  - dashboards
+  - compliance

charts/steampipe/README.md

@@ -247,6 +247,57 @@ Steampipe exposes a standard PostgreSQL interface. Point any Postgres datasource
 | Password | value of `STEAMPIPE_DATABASE_PASSWORD`        |
 | SSL Mode | `disable` (within cluster)                    |
 
+### 7 — Steampipe + Powerpipe full stack
+
+Deploy both Steampipe (data backend) and Powerpipe (dashboard) in a single Helm release:
+
+```yaml
+# Steampipe — expose PostgreSQL endpoint
+bbdd:
+  enabled: true
+  serviceType: ClusterIP
+
+env:
+  - name: STEAMPIPE_DATABASE_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: steampipe-password
+        key: password
+
+initContainer:
+  plugins:
+    - aws
+
+extraVolumes:
+  - name: aws-credentials
+    secret:
+      secretName: aws-credentials
+extraVolumeMount:
+  - name: aws-credentials
+    mountPath: /home/steampipe/.steampipe/config/aws.spc
+    subPath: aws.spc
+    readOnly: true
+
+# Powerpipe — dashboard on port 9033
+powerpipe:
+  enabled: true
+  # Connection string to Steampipe (use release name + -psql suffix)
+  database: "postgresql://steampipe:your-stable-password@my-release-steampipe-psql:9193/steampipe"
+  initContainer:
+    mods:
+      - "github.com/turbot/steampipe-mod-aws-compliance"
+  ingress:
+    enabled: true
+    className: nginx
+    hosts:
+      - host: powerpipe.example.com
+        paths:
+          - path: /
+            pathType: Prefix
+```
+
+Access the Powerpipe dashboard at `http://powerpipe.example.com` once the mods are installed.
+
 ---
 
 ## Environment Variables Reference
@@ -446,7 +497,7 @@ env:
 
 | Change | Migration action |
 |--------|-----------------|
-| `powerpipe.*` removed | Powerpipe is now a separate Helm chart. Remove `powerpipe.*` from values. |
+| `powerpipe.*` removed in v4.0.0, re-added in v4.1.0+ | If upgrading from v3.x to v4.0.0, remove `powerpipe.*`. From v4.1.0+ you can use `powerpipe.enabled: true`. |
 | `oauth2Proxy.*` / `oauth2-proxy` sub-chart removed | Manage authentication externally. Remove `oauth2Proxy.*` from values. |
 | `extraConfig.*` removed | Use `extraVolumes` + `extraVolumeMount` with standard Kubernetes Secrets/ConfigMaps instead. |
 | `dashboard.*` removed | Already removed in v2. If still present, remove. |
@@ -550,6 +601,34 @@ helm show values steampipe/steampipe
 | podAnnotations | object | `{}` | Pod annotations |
 | podLabels | object | `{}` | Pod labels |
 | podSecurityContext | object | `{"fsGroup":9193,"runAsGroup":0,"runAsUser":9193}` | Privilege and access control settings for a Pod or Container Steampipe runs as UID=9193, GID=0 (root group for OpenShift compatibility) |
+| powerpipe | object | `{"affinity":{},"database":"","deploymentAnnotations":{},"enabled":false,"env":[],"envFrom":[],"extraContainers":[],"extraVolumeMount":[],"extraVolumes":[],"image":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/devops-ia/powerpipe","tag":"v1.5.1"},"ingress":{"annotations":{},"className":"","enabled":false,"hosts":[{"host":"powerpipe.local","paths":[{"path":"/","pathType":"ImplementationSpecific"}]}],"tls":[]},"initContainer":{"extraInitVolumeMount":[],"image":{"pullPolicy":"IfNotPresent"},"mods":[],"resources":{},"securityContext":{"runAsNonRoot":true,"runAsUser":9193}},"livenessProbe":{},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"podSecurityContext":{"fsGroup":9193,"runAsGroup":0,"runAsUser":9193},"readinessProbe":{},"replicaCount":1,"resources":{},"securityContext":{"runAsNonRoot":true,"runAsUser":9193},"service":{"annotations":{},"port":9033,"type":"ClusterIP"},"startupProbe":{},"tolerations":[],"topologySpreadConstraints":[]}` | Powerpipe configuration (optional component) Powerpipe provides dashboards and compliance benchmarks that connect to Steampipe as their database. Requires Steampipe to be running with bbdd.enabled=true to accept connections. Ref: https://powerpipe.io/docs |
+| powerpipe.affinity | object | `{}` | Affinity for pod assignment |
+| powerpipe.database | string | `""` | Powerpipe database connection string (required) Must point to a running Steampipe PostgreSQL endpoint. Example: "postgresql://steampipe:<password>@<release-name>-steampipe-psql:9193/steampipe" If set, POWERPIPE_DATABASE is injected automatically as an env var. If empty, set it yourself via env/envFrom using a Kubernetes Secret. |
+| powerpipe.deploymentAnnotations | object | `{}` | Deployment annotations |
+| powerpipe.enabled | bool | `false` | Enable Powerpipe deployment |
+| powerpipe.env | list | `[]` | Environment variables for the Powerpipe container Ref: https://powerpipe.io/docs/reference/env-vars/overview |
+| powerpipe.envFrom | list | `[]` | Variables from file |
+| powerpipe.extraContainers | list | `[]` | Extra containers to add to the Powerpipe pod |
+| powerpipe.extraVolumeMount | list | `[]` | Mount extra volumes |
+| powerpipe.extraVolumes | list | `[]` | Reference volumes |
+| powerpipe.image | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/devops-ia/powerpipe","tag":"v1.5.1"}` | Image registry |
+| powerpipe.ingress | object | `{"annotations":{},"className":"","enabled":false,"hosts":[{"host":"powerpipe.local","paths":[{"path":"/","pathType":"ImplementationSpecific"}]}],"tls":[]}` | Ingress configuration for the Powerpipe dashboard Unlike Steampipe, Powerpipe exposes HTTP — a standard Kubernetes Ingress works here. |
+| powerpipe.initContainer | object | `{"extraInitVolumeMount":[],"image":{"pullPolicy":"IfNotPresent"},"mods":[],"resources":{},"securityContext":{"runAsNonRoot":true,"runAsUser":9193}}` | Configure initContainer for Powerpipe mods The init container installs Powerpipe mods before the main container starts. It uses the same image (repository + tag) as the main Powerpipe container. Ref: https://hub.steampipe.io/mods |
+| powerpipe.initContainer.mods | list | `[]` | Powerpipe mods to install Example: "github.com/turbot/steampipe-mod-aws-compliance" |
+| powerpipe.initContainer.resources | object | `{}` | The resources limits and requested |
+| powerpipe.livenessProbe | object | `{}` | Configure liveness probe |
+| powerpipe.nodeSelector | object | `{}` | Node labels for pod assignment |
+| powerpipe.podAnnotations | object | `{}` | Pod annotations |
+| powerpipe.podLabels | object | `{}` | Pod labels |
+| powerpipe.podSecurityContext | object | `{"fsGroup":9193,"runAsGroup":0,"runAsUser":9193}` | Privilege and access control settings for the Powerpipe pod Powerpipe uses UID=9193, GID=0 (same as Steampipe, OpenShift compatible) |
+| powerpipe.readinessProbe | object | `{}` | Configure readinessProbe |
+| powerpipe.replicaCount | int | `1` | Number of replicas |
+| powerpipe.resources | object | `{}` | The resources limits and requested |
+| powerpipe.securityContext | object | `{"runAsNonRoot":true,"runAsUser":9193}` | Privilege and access control settings for the Powerpipe container |
+| powerpipe.service | object | `{"annotations":{},"port":9033,"type":"ClusterIP"}` | Service configuration for the Powerpipe dashboard Powerpipe exposes an HTTP dashboard (not TCP/PostgreSQL), so standard Ingress works fine. |
+| powerpipe.startupProbe | object | `{}` | Configure startupProbe |
+| powerpipe.tolerations | list | `[]` | Tolerations for pod assignment |
+| powerpipe.topologySpreadConstraints | list | `[]` | Topology spread constraints for pod assignment |
 | readinessProbe | object | `{}` | Configure readinessProbe Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ |
 | replicaCount | int | `1` | Number of replicas |
 | resources | object | `{}` | The resources limits and requested |

charts/steampipe/README.md.gotmpl

@@ -244,6 +244,57 @@ Steampipe exposes a standard PostgreSQL interface. Point any Postgres datasource
 | Password | value of `STEAMPIPE_DATABASE_PASSWORD`        |
 | SSL Mode | `disable` (within cluster)                    |
 
+### 7 — Steampipe + Powerpipe full stack
+
+Deploy both Steampipe (data backend) and Powerpipe (dashboard) in a single Helm release:
+
+```yaml
+# Steampipe — expose PostgreSQL endpoint
+bbdd:
+  enabled: true
+  serviceType: ClusterIP
+
+env:
+  - name: STEAMPIPE_DATABASE_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: steampipe-password
+        key: password
+
+initContainer:
+  plugins:
+    - aws
+
+extraVolumes:
+  - name: aws-credentials
+    secret:
+      secretName: aws-credentials
+extraVolumeMount:
+  - name: aws-credentials
+    mountPath: /home/steampipe/.steampipe/config/aws.spc
+    subPath: aws.spc
+    readOnly: true
+
+# Powerpipe — dashboard on port 9033
+powerpipe:
+  enabled: true
+  # Connection string to Steampipe (use release name + -psql suffix)
+  database: "postgresql://steampipe:your-stable-password@my-release-steampipe-psql:9193/steampipe"
+  initContainer:
+    mods:
+      - "github.com/turbot/steampipe-mod-aws-compliance"
+  ingress:
+    enabled: true
+    className: nginx
+    hosts:
+      - host: powerpipe.example.com
+        paths:
+          - path: /
+            pathType: Prefix
+```
+
+Access the Powerpipe dashboard at `http://powerpipe.example.com` once the mods are installed.
+
 ---
 
 ## Environment Variables Reference
@@ -443,7 +494,7 @@ env:
 
 | Change | Migration action |
 |--------|-----------------|
-| `powerpipe.*` removed | Powerpipe is now a separate Helm chart. Remove `powerpipe.*` from values. |
+| `powerpipe.*` removed in v4.0.0, re-added in v4.1.0+ | If upgrading from v3.x to v4.0.0, remove `powerpipe.*`. From v4.1.0+ you can use `powerpipe.enabled: true`. |
 | `oauth2Proxy.*` / `oauth2-proxy` sub-chart removed | Manage authentication externally. Remove `oauth2Proxy.*` from values. |
 | `extraConfig.*` removed | Use `extraVolumes` + `extraVolumeMount` with standard Kubernetes Secrets/ConfigMaps instead. |
 | `dashboard.*` removed | Already removed in v2. If still present, remove. |

charts/steampipe/ci/values-powerpipe.yaml

@@ -0,0 +1,10 @@
+# -- CI values: Powerpipe enabled with mods
+powerpipe:
+  enabled: true
+  database: "postgresql://steampipe:test@release-name-steampipe-psql:9193/steampipe"
+  initContainer:
+    mods:
+      - "github.com/turbot/steampipe-mod-kubernetes-compliance"
+
+bbdd:
+  enabled: true

charts/steampipe/templates/NOTES.txt

@@ -36,3 +36,33 @@ The Steampipe endpoint is exposed at:
 {{- end }}
 
 {{- end }}
+
+{{- if .Values.powerpipe.enabled }}
+
+─────────────────────────────────────────
+Powerpipe dashboard is also deployed.
+
+{{- if .Values.powerpipe.ingress.enabled }}
+
+Access the dashboard at:
+{{- range $host := .Values.powerpipe.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.powerpipe.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
+{{- end }}
+
+{{- else }}
+
+Access the dashboard via port-forward:
+   kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "steampipe.powerpipe.fullname" . }} 9033:9033
+   open http://localhost:9033
+
+{{- end }}
+
+{{- if not .Values.powerpipe.database }}
+⚠  POWERPIPE_DATABASE is not set. Powerpipe will not be able to query data.
+   Set powerpipe.database to your Steampipe connection string, for example:
+   postgresql://steampipe:<password>@{{ include "steampipe.fullname" . }}-psql:9193/steampipe
+{{- end }}
+
+{{- end }}

charts/steampipe/templates/_helpers.tpl

@@ -61,3 +61,30 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
 
+{{/*
+Fully qualified name for Powerpipe resources.
+*/}}
+{{- define "steampipe.powerpipe.fullname" -}}
+{{- printf "%s-powerpipe" (include "steampipe.fullname" .) | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Selector labels for Powerpipe resources.
+*/}}
+{{- define "steampipe.powerpipe.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "steampipe.name" . }}-powerpipe
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Labels for Powerpipe resources (includes chart + version metadata).
+*/}}
+{{- define "steampipe.powerpipe.labels" -}}
+helm.sh/chart: {{ include "steampipe.chart" . }}
+{{ include "steampipe.powerpipe.selectorLabels" . }}
+{{- if .Values.powerpipe.image.tag }}
+app.kubernetes.io/version: {{ .Values.powerpipe.image.tag | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+

charts/steampipe/templates/deployment.yaml

@@ -28,7 +28,7 @@ spec:
       {{- if .Values.initContainer.plugins }}
       initContainers:
         - name: init
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.initContainer.image.pullPolicy }}
           securityContext:
             {{- toYaml .Values.initContainer.securityContext | nindent 12 }}
@@ -56,7 +56,7 @@ spec:
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           {{- if .Values.command }}
           command:

charts/steampipe/templates/powerpipe-configmap-mods.yaml

@@ -0,0 +1,17 @@
+{{- if and .Values.powerpipe.enabled .Values.powerpipe.initContainer.mods }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "steampipe.powerpipe.fullname" . }}-scripts
+  labels:
+    {{- include "steampipe.powerpipe.labels" . | nindent 4 }}
+data:
+  init.sh: |-
+    set -e
+{{- with .Values.powerpipe.initContainer.mods }}
+    echo "Powerpipe - Install Mods"
+    {{- range $key, $value := . }}
+    powerpipe mod install {{ $value }}
+    {{- end }}
+{{- end }}
+{{- end }}