feat: Refactor helm chart (#37)

Author: amartingarcia

.github/copilot-instructions.md

@@ -0,0 +1,56 @@
+# Copilot Instructions — helm-steampipe
+
+## Build, Lint, and Test
+
+```bash
+# Lint the chart
+helm lint charts/steampipe/
+
+# Lint with chart-testing (uses .github/ct.yaml config)
+ct lint --config .github/ct.yaml
+
+# Dry-run install (validates templates render without a cluster)
+helm install steampipe charts/steampipe/ --dry-run --debug
+
+# Dry-run a specific CI values file (there are 5 in charts/steampipe/ci/)
+helm install steampipe charts/steampipe/ --dry-run --debug -f charts/steampipe/ci/values-bbdd.yaml
+
+# Run helm-unittest tests
+helm unittest charts/steampipe/
+
+# Regenerate charts/steampipe/README.md from the .gotmpl template
+helm-docs --chart-search-root=charts/steampipe
+
+# Run pre-commit hooks (helmlint + helm-docs + markdown-toc + whitespace)
+pre-commit run --all-files
+```
+
+Unit tests live in `charts/steampipe/tests/*_test.yaml`. Run `helm unittest charts/steampipe/` to execute them. Validation is also done via `helm lint`, `ct lint`, and dry-run installs against the CI values files.
+
+## Architecture
+
+This is a **single Helm chart** (`charts/steampipe/`) that deploys Steampipe as a persistent PostgreSQL-compatible service on Kubernetes (port 9193). There are no optional companion components (Powerpipe and oauth2-proxy were removed in v4.0.0 and are separate charts).
+
+### Pod lifecycle
+
+1. **Init container** installs plugins declared in `initContainer.plugins[]` via a ConfigMap-mounted shell script (`configmap-init-scripts.yaml`). Plugins live in an `emptyDir` — reinstalled on every pod start. **The init container uses the same image as the main container** — no separate image.
+2. **Main container** runs `steampipe service start` with `--foreground` and optional `--database-listen`/`--database-port` flags.
+3. **Service** (`<fullname>-psql`) is only created when `bbdd.enabled: true`.
+
+### Steampipe v2 constraints
+
+- Steampipe runs as UID 9193, GID 0 (OpenShift compatible).
+- Image: `ghcr.io/devops-ia/steampipe` (not `ghcr.io/turbot/steampipe`).
+- `appVersion` is bumped automatically by updatecli (`.github/updatecli/helm-appversion.yaml`) monitoring `devops-ia/steampipe` releases.
+
+## Key Conventions
+
+- **Commit messages** follow [Conventional Commits](https://www.conventionalcommits.org/). Releases are cut by semantic-release via `package.json`.
+- **Chart README** (`charts/steampipe/README.md`) is **auto-generated** — never edit it directly. Edit `charts/steampipe/README.md.gotmpl` instead and run `helm-docs`.
+- **CI values files** in `charts/steampipe/ci/` are used by `ct lint`/`ct install` for matrix testing. Name them `values-<scenario>.yaml`.
+- **Values schema** (`values.schema.json`) must stay in sync with `values.yaml` — Helm validates values against it at install time.
+- **Version bumps** for `appVersion` are handled by updatecli (`.github/updatecli/helm-appversion.yaml`). Don't bump manually.
+- **Template naming**: Steampipe resources use `steampipe.fullname`. The PostgreSQL service always appends `-psql`.
+- **Plugin configs** (`.spc` files) are mounted from Secrets or ConfigMaps into `/home/steampipe/.steampipe/config/` via `extraVolumes`/`extraVolumeMount`.
+- **CLI drift detection**: A workflow (`.github/workflows/helm-snapshot-check.yml`) posts a PR comment comparing `cli-snapshot.json` from `devops-ia/steampipe` at the old and new appVersions when `Chart.yaml` changes on a PR.
+

.github/ct.yaml

@@ -1,7 +1,7 @@
 # See https://github.com/helm/chart-testing#configuration
 all: true
 chart-dirs:
-  - ./
+  - charts
 chart-repos:
   - oauth2-proxy=https://oauth2-proxy.github.io/manifests/
 check-version-increment: true

.github/dependabot.yml

@@ -20,3 +20,20 @@ updates:
     rebase-strategy: auto
     pull-request-branch-name:
       separator: "-"
+
+  - package-ecosystem: npm
+    directory: "/"
+    schedule:
+      interval: monthly
+    open-pull-requests-limit: 5
+    labels:
+      - enhancement
+      - dependency-management
+    assignees:
+      - devops-ia/devops-ia
+    commit-message:
+      prefix: chore
+      include: scope
+    rebase-strategy: auto
+    pull-request-branch-name:
+      separator: "-"

.github/scripts/compare_snapshots.py

@@ -0,0 +1,85 @@
+#!/usr/bin/env python3
+"""Compare two Steampipe CLI snapshots and emit a Markdown diff report."""
+
+import argparse
+import json
+import sys
+
+
+def load(path):
+    with open(path) as f:
+        return json.load(f)
+
+
+def diff_list(label, old, new):
+    old_set = set(old or [])
+    new_set = set(new or [])
+    added = sorted(new_set - old_set)
+    removed = sorted(old_set - new_set)
+    lines = []
+    if added or removed:
+        lines.append(f"#### {label}")
+        for item in added:
+            lines.append(f"- ✅ `{item}` *(added)*")
+        for item in removed:
+            lines.append(f"- ❌ `{item}` *(removed)*")
+    return lines
+
+
+def main():
+    parser = argparse.ArgumentParser()
+    parser.add_argument("old", help="Path to old snapshot JSON")
+    parser.add_argument("new", help="Path to new snapshot JSON")
+    parser.add_argument("--output-md", required=True, help="Output Markdown file path")
+    args = parser.parse_args()
+
+    try:
+        old = load(args.old)
+    except Exception as e:
+        old = {}
+        print(f"Warning: could not load old snapshot: {e}", file=sys.stderr)
+
+    try:
+        new = load(args.new)
+    except Exception as e:
+        print(f"Error: could not load new snapshot: {e}", file=sys.stderr)
+        sys.exit(1)
+
+    sections = []
+
+    sections += diff_list("Subcommands", old.get("subcommands"), new.get("subcommands"))
+    sections += diff_list("`service` flags", old.get("service_start_flags"), new.get("service_start_flags"))
+    sections += diff_list("`query` flags", old.get("query_flags"), new.get("query_flags"))
+    sections += diff_list("`plugin` flags", old.get("plugin_flags"), new.get("plugin_flags"))
+    sections += diff_list("Environment variables", old.get("env_vars"), new.get("env_vars"))
+
+    hash_fields = ["help_text_hash", "service_help_hash", "query_help_hash"]
+    hash_changes = []
+    for field in hash_fields:
+        old_val = old.get(field, "")
+        new_val = new.get(field, "")
+        if old_val != new_val:
+            hash_changes.append(f"- `{field}`: `{old_val}` → `{new_val}`")
+
+    if hash_changes:
+        sections.append("#### Help text hashes")
+        sections += hash_changes
+
+    old_ver = old.get("version", "unknown")
+    new_ver = new.get("version", "unknown")
+
+    with open(args.output_md, "w") as f:
+        if sections:
+            f.write(f"<details>\n<summary>CLI changes between <code>{old_ver}</code> and <code>{new_ver}</code></summary>\n\n")
+            f.write("\n".join(sections))
+            f.write("\n\n</details>\n")
+            print(f"Changes found between {old_ver} and {new_ver}")
+            sys.exit(1)
+        else:
+            f.write(f"No CLI changes detected between `{old_ver}` and `{new_ver}`.\n")
+            print(f"No changes between {old_ver} and {new_ver}")
+            sys.exit(0)
+
+
+if __name__ == "__main__":
+    main()

.github/updatecli/helm-appversion.yaml

@@ -2,18 +2,20 @@ sources:
   steampipe:
     kind: githubrelease
     spec:
-      owner: "turbot"
+      owner: "devops-ia"
       repository: "steampipe"
       token: {{ requiredEnv "GITHUB_TOKEN" }}
       versionFilter:
         kind: semver
-    transformers:
-      - trimprefix: "v"
+        pattern: ">=v2.0.0"
 conditions: {}
 targets:
   chartVersion:
     name: bump appversion
-    kind: yaml
+    kind: helmchart
     spec:
-      file: charts/Chart.yaml
+      name: charts/steampipe
+      file: Chart.yaml
       key: $.appVersion
+      versionincrement: patch
+    sourceid: steampipe