Add Helm chart for deployment-tracker (#62)

* add helm chart

Signed-off-by: Brian DeHamer <bdehamer@github.com>

* set default version to 0.0.0

Signed-off-by: Brian DeHamer <bdehamer@github.com>

* Update deploy/charts/deployment-tracker/templates/clusterrole.yaml

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Add Helm template validation for mutually exclusive namespace flags (#65)

* Initial plan

* Add template-time validation for mutually exclusive namespace flags

Co-authored-by: bdehamer <398027+bdehamer@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/deployment-tracker/sessions/ab6214f1-4681-454f-b5de-7d0caa1a9cc9

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: bdehamer <398027+bdehamer@users.noreply.github.com>

* Update deploy/charts/deployment-tracker/templates/_helpers.tpl

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* remove required value warning in notes

Signed-off-by: Brian DeHamer <bdehamer@github.com>

---------

Signed-off-by: Brian DeHamer <bdehamer@github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: bdehamer <398027+bdehamer@users.noreply.github.com>

Author: 3 people

.github/workflows/build.yml

@@ -46,3 +46,20 @@ jobs:
       - name: Test
         run: |
           make integration-test
+
+  helm-lint:
+    name: Helm Lint
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - name: Set up Helm
+        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
+      - name: Lint chart
+        run: helm lint deploy/charts/deployment-tracker --set config.org=test --set config.logicalEnvironment=test --set config.cluster=test
+      - name: Validate chart rendering
+        run: helm template test deploy/charts/deployment-tracker --set config.org=test --set config.logicalEnvironment=test --set config.cluster=test > /dev/null

.github/workflows/release.yaml

@@ -8,6 +8,10 @@ on:
 permissions:
   contents: read
 
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
 jobs:
   release:
     name: Build and Release OCI Image
@@ -53,6 +57,28 @@ jobs:
       - name: Attest build provenance
         uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
         with:
-          subject-name: ghcr.io/github/artifact-attestations-opa-provider
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           subject-digest: ${{ steps.push.outputs.digest }}
           push-to-registry: true
+
+      - name: Set up Helm
+        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
+
+      - name: Update chart version
+        run: |
+          VERSION=${GITHUB_REF#refs/tags/v}
+          sed -i "s/^version:.*/version: ${VERSION}/" deploy/charts/deployment-tracker/Chart.yaml
+          sed -i "s/^appVersion:.*/appVersion: \"${VERSION}\"/" deploy/charts/deployment-tracker/Chart.yaml
+
+      - name: Package Helm chart
+        run: helm package deploy/charts/deployment-tracker
+
+      - name: Log in to GHCR for Helm
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | \
+          helm registry login ghcr.io -u ${{ github.actor }} --password-stdin
+
+      - name: Push Helm chart to GHCR
+        run: |
+          helm push deployment-tracker-*.tgz \
+            oci://ghcr.io/${{ github.repository_owner }}/charts

deploy/charts/deployment-tracker/.helmignore

@@ -0,0 +1,13 @@
+# Patterns to ignore when building packages.
+.DS_Store
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+.git
+.gitignore
+.project
+.idea
+*.tmproj
+.vscode

deploy/charts/deployment-tracker/Chart.yaml

@@ -0,0 +1,17 @@
+apiVersion: v2
+name: deployment-tracker
+description: A Kubernetes controller that monitors pod lifecycles and uploads deployment records to GitHub's artifact metadata API
+type: application
+version: 0.0.0
+appVersion: "0.0.0"
+kubeVersion: ">= 1.19.0-0"
+keywords:
+  - kubernetes
+  - deployment-tracker
+  - github
+  - artifact-attestations
+  - supply-chain-security
+home: https://github.com/github/deployment-tracker
+maintainers:
+  - name: GitHub Package Security
+    url: https://github.com/github

deploy/charts/deployment-tracker/README.md

@@ -0,0 +1,173 @@
+# deployment-tracker Helm Chart
+
+A Helm chart for deploying the deployment-tracker Kubernetes controller, which
+monitors pod lifecycles and uploads deployment records to GitHub's artifact
+metadata API.
+
+## Prerequisites
+
+- Kubernetes 1.19+
+- Helm 3.8+
+- A GitHub organization with
+  [Artifact Attestations](https://docs.github.com/en/actions/concepts/security/artifact-attestations)
+  enabled
+- An API token or GitHub App for authentication
+
+## Installation
+
+### Install from OCI registry
+
+```bash
+helm install deployment-tracker \
+  oci://ghcr.io/github/charts/deployment-tracker \
+  --namespace deployment-tracker \
+  --create-namespace \
+  --set config.org=my-org \
+  --set config.logicalEnvironment=production \
+  --set config.cluster=my-cluster \
+  --set auth.apiTokenSecret=my-api-token-secret
+```
+
+### Install from local source
+
+```bash
+helm install deployment-tracker ./deploy/charts/deployment-tracker \
+  --namespace deployment-tracker \
+  --create-namespace \
+  -f my-values.yaml
+```
+
+## Required Values
+
+The following values **must** be set for the controller to function:
+
+| Value | Description |
+|-------|-------------|
+| `config.org` | GitHub organization name |
+| `config.logicalEnvironment` | Logical environment name (e.g., `production`, `staging`) |
+| `config.cluster` | Kubernetes cluster name |
+
+At least one authentication method must be configured (see
+[Authentication](#authentication)).
+
+## Configuration
+
+### Controller Configuration
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `config.org` | GitHub organization name | `""` (required) |
+| `config.logicalEnvironment` | Logical environment name | `""` (required) |
+| `config.cluster` | Cluster name | `""` (required) |
+| `config.physicalEnvironment` | Physical environment name | `""` |
+| `config.baseUrl` | API base URL | `api.github.com` |
+| `config.dnTemplate` | Deployment name template | `{{namespace}}/{{deploymentName}}/{{containerName}}` |
+| `config.namespace` | Namespace to monitor (empty for all) | `""` |
+| `config.excludeNamespaces` | Namespaces to exclude (comma-separated) | `""` |
+| `config.workers` | Number of worker goroutines | `2` |
+| `config.metricsPort` | Port for Prometheus metrics | `9090` |
+
+### Image Configuration
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `image.repository` | Container image repository | `ghcr.io/github/deployment-tracker` |
+| `image.tag` | Container image tag | Chart `appVersion` |
+| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
+| `imagePullSecrets` | Image pull secrets | `[]` |
+
+### Authentication
+
+The controller supports two authentication methods: API token and GitHub App.
+
+#### API Token
+
+```yaml
+# Option 1: Inline token (not recommended for production)
+auth:
+  apiToken: "ghp_xxxxxxxxxxxx"
+
+# Option 2: Reference to an existing Secret (recommended)
+auth:
+  apiTokenSecret: "my-api-token-secret"
+```
+
+When using `apiTokenSecret`, the Secret must have a key named `token`:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: my-api-token-secret
+type: Opaque
+stringData:
+  token: "ghp_xxxxxxxxxxxx"
+```
+
+#### GitHub App
+
+```yaml
+# Option 1: Inline private key
+auth:
+  githubApp:
+    appId: "12345"
+    installId: "67890"
+    privateKey: "<base64-encoded-private-key>"
+
+# Option 2: Reference to an existing Secret (recommended)
+auth:
+  githubApp:
+    appId: "12345"
+    installId: "67890"
+    privateKeySecret: "my-github-app-secret"
+```
+
+When using `privateKeySecret`, the Secret must have a key named `private-key`:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: my-github-app-secret
+type: Opaque
+stringData:
+  private-key: "<base64-encoded-private-key>"
+```
+
+### Resources and Security
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `replicaCount` | Number of controller replicas | `1` |
+| `resources.requests.cpu` | CPU request | `100m` |
+| `resources.requests.memory` | Memory request | `1024Mi` |
+| `resources.limits.cpu` | CPU limit | `200m` |
+| `resources.limits.memory` | Memory limit | `2048Mi` |
+| `securityContext` | Container security context | Hardened (see values.yaml) |
+| `readinessProbe` | Readiness probe configuration | HTTP GET /metrics:9090 |
+| `lifecycle` | Lifecycle hooks | preStop sleep 5s |
+
+### Service and Networking
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `service.enabled` | Create a Service for metrics | `true` |
+| `service.type` | Service type | `ClusterIP` |
+| `service.port` | Service port | `9090` |
+| `nodeSelector` | Node selector | `{}` |
+| `tolerations` | Tolerations | `[]` |
+| `affinity` | Affinity rules | `{}` |
+
+### Service Account
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `serviceAccount.create` | Create a ServiceAccount | `true` |
+| `serviceAccount.name` | ServiceAccount name | Generated from fullname |
+| `serviceAccount.annotations` | ServiceAccount annotations | `{}` |
+
+## Uninstalling
+
+```bash
+helm uninstall deployment-tracker -n deployment-tracker
+```

deploy/charts/deployment-tracker/templates/NOTES.txt

@@ -0,0 +1,21 @@
+deployment-tracker has been installed.
+
+1. Check the deployment status:
+
+   kubectl get deployment {{ include "deployment-tracker.fullname" . }} -n {{ .Release.Namespace }}
+
+2. Check the controller pods:
+
+   kubectl get pods -n {{ .Release.Namespace }} -l "{{ include "deployment-tracker.selectorLabels" . | replace "\n" "," }}"
+
+3. View controller logs:
+
+   kubectl logs -n {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "deployment-tracker.name" . }}" -f
+
+{{- if .Values.service.enabled }}
+
+4. Access Prometheus metrics:
+
+   kubectl port-forward -n {{ .Release.Namespace }} svc/{{ include "deployment-tracker.fullname" . }} {{ .Values.service.port }}:{{ .Values.service.port }}
+   curl http://localhost:{{ .Values.service.port }}/metrics
+{{- end }}

deploy/charts/deployment-tracker/templates/_helpers.tpl

@@ -0,0 +1,60 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "deployment-tracker.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+*/}}
+{{- define "deployment-tracker.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "deployment-tracker.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels.
+*/}}
+{{- define "deployment-tracker.labels" -}}
+helm.sh/chart: {{ include "deployment-tracker.chart" . }}
+{{ include "deployment-tracker.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels.
+*/}}
+{{- define "deployment-tracker.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "deployment-tracker.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use.
+*/}}
+{{- define "deployment-tracker.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "deployment-tracker.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- required "serviceAccount.name must be set when serviceAccount.create is false" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

deploy/charts/deployment-tracker/templates/clusterrole.yaml

@@ -0,0 +1,27 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "deployment-tracker.fullname" . }}
+  labels:
+    {{- include "deployment-tracker.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - deployments
+    verbs:
+      - get
+  - apiGroups:
+      - apps
+    resources:
+      - replicasets
+    verbs:
+      - get

deploy/charts/deployment-tracker/templates/clusterrolebinding.yaml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "deployment-tracker.fullname" . }}
+  labels:
+    {{- include "deployment-tracker.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "deployment-tracker.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "deployment-tracker.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}