feat: add helm chart

.github/configs/cr.yaml

@@ -0,0 +1,2 @@
+## Reference: https://github.com/helm/chart-releaser
+index-path: "./index.yaml"

.github/configs/ct-install.yaml

@@ -0,0 +1,13 @@
+## Reference: https://github.com/helm/chart-testing/blob/master/doc/ct_lint-and-install.md
+# Don't add the 'debug' attribute, otherwise the workflow won't work anymore
+# Only Used for the CT Lint Stage
+remote: origin
+target-branch: master
+chart-dirs:
+  - deploy/helm
+helm-extra-args: "--timeout 600s"
+validate-chart-schema: false
+validate-maintainers: true
+validate-yaml: true
+exclude-deprecated: true
+excluded-charts: []

.github/configs/ct-lint.yaml

@@ -0,0 +1,13 @@
+## Reference: https://github.com/helm/chart-testing/blob/master/doc/ct_lint-and-install.md
+# Don't add the 'debug' attribute, otherwise the workflow won't work anymore
+# Only Used for the CT Lint Stage
+remote: origin
+target-branch: master
+chart-dirs:
+  - deploy/helm
+helm-extra-args: "--timeout 600s"
+validate-chart-schema: false
+validate-maintainers: true
+validate-yaml: true
+exclude-deprecated: true
+excluded-charts: []

.github/configs/lintconf.yaml

@@ -0,0 +1,42 @@
+---
+rules:
+  braces:
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+    min-spaces-inside-empty: -1
+    max-spaces-inside-empty: -1
+  brackets:
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+    min-spaces-inside-empty: -1
+    max-spaces-inside-empty: -1
+  colons:
+    max-spaces-before: 0
+    max-spaces-after: 1
+  commas:
+    max-spaces-before: 0
+    min-spaces-after: 1
+    max-spaces-after: 1
+  comments:
+    require-starting-space: true
+    min-spaces-from-content: 1
+  document-end: disable
+  document-start: disable # No --- to start a file
+  empty-lines:
+    max: 2
+    max-start: 0
+    max-end: 0
+  hyphens:
+    max-spaces-after: 1
+  indentation:
+    spaces: consistent
+    indent-sequences: whatever # - list indentation will handle both indentation and without
+    check-multi-line-strings: false
+  key-duplicates: enable
+  line-length: disable # Lines can be any length
+  new-line-at-end-of-file: enable
+  new-lines:
+    type: unix
+  trailing-spaces: enable
+  truthy:
+    level: warning

.github/workflows/chart-lint-and-test.yml

@@ -0,0 +1,75 @@
+name: ct-linting-and-testing
+on:
+  pull_request:
+    paths:
+      - deploy/helm/**
+
+permissions: read-all
+
+jobs:
+  chart-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@f382f75448129b3be48f8121b9857be18d815a82 # tag=v3.4
+        with:
+          version: v3.6.3
+
+      - name: Set up python
+        uses: actions/setup-python@13ae5bb136fac2878aff31522b9efb785519f984 # tag=v4.3.0
+        with:
+          python-version: 3.7
+
+      - name: Run Trivy vulnerability scanner in IaC mode
+        uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 # tag=0.8.0
+        with:
+          scan-type: 'config'
+          hide-progress: false
+          format: 'sarif'
+          scan-ref: 'deploy/helm/pulumi-operator'
+          output: 'trivy-results.sarif'
+          exit-code: '1'
+          ignore-unfixed: true
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@312e093a1892bd801f026f1090904ee8e460b9b6 # v2.1.34
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+      - name: Setup Chart Linting
+        id: lint
+        uses: helm/chart-testing-action@afea100a513515fbd68b0e72a7bb0ae34cb62aec # tag=v2.3.1
+
+      - name: List changed charts
+        id: list-changed
+        run: |
+          ## If executed with debug this won't work anymore.
+          changed=$(ct --config ./.github/configs/ct-lint.yaml list-changed)
+          charts=$(echo "$changed" | tr '\n' ' ' | xargs)
+          if [[ -n "$changed" ]]; then
+            echo "::set-output name=changed::true"
+            echo "::set-output name=changed_charts::$charts"
+          fi
+
+      - name: Run Artifact Hub lint
+        run: |
+          curl -s https://api.github.com/repos/artifacthub/hub/releases/latest | grep -E 'browser_download_url' | grep linux_amd64.tar.gz\" | grep -Eo 'https://[^\"]*' | xargs wget -O - | tar -xz
+          ./ah lint -p deploy/helm/pulumi-operator || exit 1
+          rm -f ./ah
+
+      - name: Run chart-testing (lint)
+        run: ct lint --debug --config ./.github/configs/ct-lint.yaml --lint-conf ./.github/configs/lintconf.yaml
+
+      - name: Create kind cluster
+        uses: helm/kind-action@9e8295d178de23cbfbd8fa16cf844eec1d773a07 # tag=v1.4.0
+        if: steps.list-changed.outputs.changed == 'true'
+
+      - name: Run chart-testing (install)
+        run: ct install --config ./.github/configs/ct-lint.yaml
+        if: steps.list-changed.outputs.changed == 'true'

.github/workflows/chart-publish.yaml

@@ -0,0 +1,79 @@
+---
+name: chart-publish
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - "deploy/helm/**"
+env:
+  HELM_DOCS_VERSION: "1.11.0"
+
+permissions: read-all
+
+jobs:
+  publish:
+    permissions:
+      contents: write # for helm/chart-releaser-action to push chart release and create a release
+      packages: write # for helm/chart-releaser-action to push chart release and create a release
+      id-token: write # for helm/chart-releaser-action to push chart release and create a release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
+        with:
+          fetch-depth: 0
+
+      - name: Install Helm
+        uses: azure/setup-helm@f382f75448129b3be48f8121b9857be18d815a82 # tag=v3.4
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+      - name: install helm-docs
+        run: |
+          cd /tmp
+          wget https://github.com/norwoodj/helm-docs/releases/download/v${{env.HELM_DOCS_VERSION}}/helm-docs_${{env.HELM_DOCS_VERSION}}_Linux_x86_64.tar.gz
+          tar -xvf helm-docs_${{env.HELM_DOCS_VERSION}}_Linux_x86_64.tar.gz
+          sudo mv helm-docs /usr/local/sbin
+
+      - name: run helm-docs
+        run: |
+          helm-docs -t README.md.gotmpl -o README.md -b for-the-badge
+
+      - name: Login to GHCR
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0
+        with:
+          registry: ghcr.io
+          username: ${ GITHUB_REPOSITORY_OWNER }
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run Artifact Hub lint
+        run: |
+          curl -s https://api.github.com/repos/artifacthub/hub/releases/latest | grep -E 'browser_download_url' | grep linux_amd64.tar.gz\" | grep -Eo 'https://[^\"]*' | xargs wget -O - | tar -xz
+          ./ah lint -p deploy/helm/pulumi-operator || exit 1
+          rm -f ./ah
+
+      - name: Run chart-releaser
+        uses: helm/chart-releaser-action@98bccfd32b0f76149d188912ac8e45ddd3f8695f # tag=v1.4.1
+        with:
+          config: "./.github/configs/cr.yaml"
+          charts_dir: "deploy/helm"
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+
+      - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1
+      - name: Push chart to GHCR
+        env:
+          COSIGN_EXPERIMENTAL: 1
+        run: |
+          shopt -s nullglob
+          for pkg in .cr-release-packages/*; do
+            if [ -z "${pkg:-}" ]; then
+              break
+            fi
+            helm push "${pkg}" oci://ghcr.io/pulumi/charts > .digest
+            cosign sign $(cat .digest | awk -F "[, ]+" '/Pushed/{print $NF}')
+          done          

Makefile

@@ -75,4 +75,8 @@ version:
 dep-tidy:
 	go mod tidy
 
+.PHONY: changelog
+changelog:
+	go run github.com/aaronfriel/go-change@v0.1.2 create
+
 .PHONY: build build-static codegen generate-crds install-crds generate-k8s test version dep-tidy build-image push-image push-image-latest deploy prep-spec

changelog/config.yaml

@@ -0,0 +1,19 @@
+types:
+  feat: "Features"
+  fix: "Bug Fixes"
+  chore: "Miscellaneous"
+scopes:
+  auto: [dotnet, go, java, nodejs, python, yaml]
+  backend: [filestate, service]
+  build: []
+  ci: [helm]
+  cli: [about, config, display, engine, import, new, plugin, package, state]
+  components: [dotnet, go, java, nodejs, python, yaml]
+  docs: []
+  engine: []
+  pkg: [testing]
+  programgen: [dotnet, go, java, nodejs, python, yaml]
+  protobuf: []
+  sdk: [dotnet, go, java, nodejs, python, yaml]
+  sdkgen: [dotnet, go, java, nodejs, python, yaml]
+  yaml: []

changelog/pending/20221202--ci-helm--add-helm-chart-support.yaml

@@ -0,0 +1,4 @@
+changes:
+- type: feat
+  scope: ci/helm
+  description: add Helm chart support

deploy/helm/pulumi-operator/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

deploy/helm/pulumi-operator/Chart.yaml

@@ -0,0 +1,38 @@
+apiVersion: v2
+name: pulumi-kubernetes-operator
+description: A Helm chart for the Pulumi Kubernetes Operator
+home: https://pulumi.com
+sources:
+  - https://github.com/pulumi/pulumi-kubernetes-operator
+
+icon: https://www.pulumi.com/logos/brand/twitter-card.png
+
+type: application
+
+version: 0.1.0
+appVersion: "1.10.1"
+
+keywords:
+  - pulumi
+  - kubernetes
+  - operator
+
+maintainers:
+  - name: dirien
+    email: engin@pulumi.com
+    url: https://pulumi.com
+
+annotations:
+  artifacthub.io/containsSecurityUpdates: "false"
+  artifacthub.io/changes: |
+    - initial release
+  artifacthub.io/images: |
+    - name: pulumi-kubernetes-operator
+      image: docker.io/pulumi-kubernetes-operator:v1.10.1
+  artifacthub.io/license: Apache-2.0
+  artifacthub.io/links: |
+    - name: website
+      url: https://pulumi.com
+  artifacthub.io/maintainers: |
+    - name: dirien
+      email: engin@pulumi.com