DBP-1011-add-workflows-for-chart (#1)

Add workflows for chart publishing:
On push to branch
On PR (kics check)
On tag 
Add README and license.

.github/workflows/check-helm-kics-on-pr.yaml

@@ -0,0 +1,13 @@
+name: Kics check on PR
+on:
+  pull_request:
+      branches:
+        - main
+
+jobs:
+  scan_pr:
+    uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-helm-kics.yaml@7
+    permissions:
+      contents: read
+    with: 
+      chart_path: "."

.github/workflows/helm-chart-release-on-push-status.yaml

@@ -0,0 +1,26 @@
+name: Release Status Chart on branch
+on:
+  push:
+    branches-ignore:
+      - 'main'
+    paths:
+      - 'status/**'
+
+concurrency:
+  group: chart-release
+
+jobs:
+  scan:
+    uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-helm-kics.yaml@7
+    permissions:
+      contents: read
+    with: 
+      chart_path: "."
+  release_helm:
+    uses: dBildungsplattform/dbp-github-workflows/.github/workflows/chart-release.yaml@7
+    secrets: inherit
+    with:
+      chart_path: "."
+      chart_name: status
+      helm_chart_version_generation: ticket_from_branch_timestamp
+      image_tag_generation: chart_yaml

.github/workflows/helm-chart-release-on-tag.yaml

@@ -0,0 +1,38 @@
+name: Release Charts on Tag
+on:
+  push:
+    tags:
+      - '.+-[0-9]+.[0-9]+.[0-9]+'
+
+concurrency:
+  group: chart-release
+
+jobs:
+  get_tag:
+    runs-on: ubuntu-latest
+    outputs:
+      chart: ${{ steps.nameTag.outputs.chart }}
+      version: ${{ steps.nameTag.outputs.version }}
+    steps:
+      - name: Filter Tag name
+        uses: olegtarasov/[email protected]
+        id: nameTag
+        with:
+          tagRegex: "(?<chart>.+?)-(?<version>[0-9]+.[0-9]+.[0-9]+)"
+
+  scan:
+    uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-helm-kics.yaml@7
+    permissions:
+      contents: read
+    with: 
+      chart_path: "."
+  release_helm:
+    needs: get_tag
+    uses: dBildungsplattform/dbp-github-workflows/.github/workflows/chart-release.yaml@7
+    secrets: inherit
+    with:
+      chart_path: "."
+      chart_name: ${{ needs.get_tag.outputs.chart }}
+      helm_chart_version_generation: specified
+      helm_chart_version: ${{ needs.get_tag.outputs.version }}
+      image_tag_generation: chart_yaml

README.md

@@ -0,0 +1,4 @@
+# helm-charts
+
+This is the place for reusable helm charts.
+They are published in the [helm-charts-registry](https://github.com/dBildungsplattform/helm-charts-registry) repository when pushing on a branch (Version 0.0.0-\<ticket>-\<timestamp>) or when adding a tag in the format \<chart name>-X.X.X.

status/Chart.yaml

@@ -12,10 +12,7 @@ description: A Helm chart for Kubernetes
 # pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
 
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.2
+version: 0.0.0 # Managed by Tagging
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

status/templates/deployment.yaml

@@ -34,7 +34,8 @@ spec:
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+            allowPrivilegeEscalation: false
+            runAsUser: {{ .Values.runAsUser }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           lifecycle:

status/values.yaml

@@ -26,13 +26,7 @@ podAnnotations: {}
 podSecurityContext: {}
   # fsGroup: 2000
 # -- Settings for security context of the container
-securityContext:
-  runAsUser: 1001
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
+runAsUser: 1001
 service:
   # -- Kubernetes Service type
   type: ClusterIP