feat: Add an ArgoCD Application chart to replace AppSets

.github/workflows/argocd-understack-release.yaml

@@ -0,0 +1,85 @@
+---
+name: argocd-understack release
+
+on:
+  push:
+    tags:
+      - "argocd-understack-v*.*.*"
+  workflow_dispatch:
+    inputs:
+      chart_version:
+        description: "Chart version to release (e.g., 0.1.0)"
+        required: true
+        type: string
+
+permissions:
+  contents: read
+  packages: write
+  id-token: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v3.18.4
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3
+
+      - name: Extract version from tag or input
+        id: version
+        run: |
+          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            VERSION="${{ inputs.chart_version }}"
+          else
+            VERSION=${GITHUB_REF#refs/tags/argocd-understack-v}
+          fi
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Helm lint
+        run: |
+          helm lint charts/argocd-understack --strict
+
+      - name: Package chart
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          helm package charts/argocd-understack --version "$VERSION"
+
+      - name: Login to GitHub Container Registry
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u ${{ github.actor }} --password-stdin
+
+      - name: Push chart to GHCR
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          CHART_PACKAGE="argocd-understack-${VERSION}.tgz"
+
+          if [[ ! -f "$CHART_PACKAGE" ]]; then
+            echo "::error::Chart package $CHART_PACKAGE not found"
+            ls -la *.tgz
+            exit 1
+          fi
+
+          helm push "$CHART_PACKAGE" oci://ghcr.io/${{ github.repository }}
+
+          echo "::notice::Chart pushed to oci://ghcr.io/${{ github.repository }}/argocd-understack:${VERSION}"
+
+      - name: Sign chart with Cosign
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          cosign sign --yes ghcr.io/${{ github.repository }}/argocd-understack:${VERSION}
+
+          echo "::notice::Chart signed with keyless signature"
+
+      - name: Logout from GHCR
+        if: always()
+        run: |
+          helm registry logout ghcr.io

.github/workflows/helm-chart-test.yaml

@@ -0,0 +1,71 @@
+---
+name: Helm Chart Testing
+
+on:
+  pull_request:
+    paths:
+      - "charts/**"
+      - ".github/workflows/helm-chart-test.yaml"
+  push:
+    branches:
+      - main
+    paths:
+      - "charts/**"
+  merge_group:
+    types: [checks_requested]
+  workflow_dispatch:
+
+jobs:
+  lint-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v3.18.4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+          check-latest: true
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2
+
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          changed=$(ct list-changed --chart-dirs charts --target-branch ${{ github.event.repository.default_branch }})
+          if [[ -n "$changed" ]]; then
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+
+            # Set individual output variables for each changed chart
+            for chart in $changed; do
+              chart_name=$(basename "$chart")
+              echo "$chart_name=true" >> "$GITHUB_OUTPUT"
+              echo "Changed: $chart_name"
+            done
+          fi
+
+      - name: Run chart-testing (lint)
+        if: steps.list-changed.outputs.changed == 'true'
+        run: ct lint --chart-dirs charts --target-branch ${{ github.event.repository.default_branch }}
+
+      - name: Create kind cluster
+        if: steps.list-changed.outputs.changed == 'true'
+        uses: helm/kind-action@v1
+
+      - name: Install ArgoCD
+        if: steps.list-changed.outputs.argocd-understack == 'true'
+        run: |
+          ./bootstrap/argocd.sh
+
+      - name: Run chart-testing (install)
+        if: steps.list-changed.outputs.argocd-understack == 'true'
+        run: helm install testsite charts/argocd-understack --namespace argocd --values charts/argocd-understack/ci/example.yaml

.gitignore

@@ -1,6 +1,3 @@
-# where helm charts will get downloaded by kustomize
-/charts/
-
 # un-encrypted secrets
 /secret-*.yaml
 # sealed secrets

.typos.toml

@@ -19,6 +19,9 @@ extend-exclude = [
 extend-ignore-identifiers-re = [
     "ironic_retrive_*",
 ]
+extend-ignore-re = [
+    "chartVersion:.*",
+]
 
 [default.extend-words]
 # Don't correct "HPE"

bootstrap/argocd.sh

@@ -10,8 +10,10 @@ argocd_rev=$(cat "${thisdir}/../apps/appsets/argocd/appset-argocd.yaml" | yq -r
 helm repo add argo "${argocd_repo}"
 helm repo update argo
 
-helm template argo-cd argo-cd \
+kubectl create ns argocd
+
+helm template argo/argo-cd \
   --version "${argocd_rev}" \
-  --create-namespace \
+  --namespace argocd \
   -f "${thisdir}/../components/argocd/values.yaml" \
   | kubectl -n argocd apply -f -

charts/argocd-understack/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/argocd-understack/Chart.yaml

@@ -0,0 +1,27 @@
+apiVersion: v2
+name: argocd-understack
+description: ArgoCD Application definitions for UnderStack
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
+
+maintainers:
+  - name: rackerlabs

charts/argocd-understack/ci/example.yaml

@@ -0,0 +1,2 @@
+---
+deploy_url: https://github.com/example/example

charts/argocd-understack/templates/_helpers.tpl

@@ -0,0 +1,99 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "understack.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "understack.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "understack.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "understack.labels" -}}
+helm.sh/chart: {{ include "understack.chart" . }}
+{{ include "understack.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "understack.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "understack.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "understack.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "understack.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create a valid ArgoCD Application name
+*/}}
+{{- define "understack.argocdAppName" -}}
+{{- $root := index . 0 }}
+{{- $appName := index . 1 }}
+{{- printf "%s-%s" $root.Release.Name $appName }}
+{{- end }}
+
+{{/*
+Get the UnderStack repository URL
+*/}}
+{{- define "understack.understack_url" -}}
+{{- .Values.understack_url }}
+{{- end }}
+
+{{/*
+Get the UnderStack repository git reference
+*/}}
+{{- define "understack.understack_ref" -}}
+{{- .Values.understack_ref }}
+{{- end }}
+
+{{/*
+Get the deployment repository URL
+*/}}
+{{- define "understack.deploy_url" -}}
+{{- required "deploy_url is required. Please set it in your values file" .Values.deploy_url }}
+{{- end }}
+
+{{/*
+Get the deployment repository git reference
+*/}}
+{{- define "understack.deploy_ref" -}}
+{{- .Values.deploy_ref }}
+{{- end }}

charts/argocd-understack/templates/application-openstack.yaml.tpl

@@ -0,0 +1,49 @@
+{{- range $appName, $app := .Values.site.openstack.apps }}
+{{- if $app.enabled }}
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: {{ printf "%s-%s" $.Release.Name $appName }}
+  {{/*
+  {{- with $app.wave }}
+  annotations:
+    argocd.argoproj.io/sync-wave: {{ quote . }}
+  {{- end }}
+  */}}
+spec:
+  destination:
+    namespace: openstack
+    server: https://kubernetes.default.svc
+  project: understack
+  sources:
+  - repoURL: {{ $.Values.site.openstack.repoUrl }}
+    targetRevision: {{ $app.chartVersion }}
+    chart: {{ $appName }}
+    helm:
+      ignoreMissingValueFiles: true
+      releaseName: {{ $appName }}
+      valueFiles:
+      - $understack/components/images-openstack.yaml
+      - $understack/components/{{ $appName }}/values.yaml
+      - $deploy/{{ $.Release.Name }}/manifests/secret-openstack.yaml
+      - $deploy/{{ $.Release.Name }}/manifests/images-openstack.yaml
+      - $deploy/{{ $.Release.Name }}/helm-configs/{{ $appName }}.yaml
+  - path: components/{{ $appName }}/
+    ref: understack
+    repoURL: {{ include "understack.understack_url" $ }}
+    targetRevision: {{ include "understack.understack_ref" $ }}
+  - path: {{ $.Release.Name }}/manifests/{{ $appName }}
+    ref: deploy
+    repoURL: {{ include "understack.deploy_url" $ }}
+    targetRevision: {{ include "understack.deploy_ref" $ }}
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - ServerSideApply=false
+    - RespectIgnoreDifferences=true
+    - ApplyOutOfSyncOnly=true
+{{- end }}
+{{- end }}