add first draft helm docs

.github/ct.yaml

@@ -0,0 +1,3 @@
+helm-extra-args: --timeout 600
+check-version-increment: true
+debug: true

.github/workflows/main.yml

@@ -56,3 +56,12 @@ jobs:
 
       - name: Runs all tests
         run: make test
+
+      - name: Run chart-testing (lint)
+        uses: helm/chart-testing-action@main
+        with:
+          command: lint
+          config: .github/ct.yaml
+
+      - name: Runs helm docs
+        run: make helm-docs

Makefile

@@ -1,4 +1,5 @@
 GOLANGCI_VERSION = 1.59.1
+HELM_DOCS_VERSION = 1.14.2
 LICENCES_IGNORE_LIST = $(shell cat licenses/licenses-ignore-list.txt)
 
 VERSION ?= 0.0.1
@@ -37,6 +38,13 @@ $(GOLANGCI_LINT):
 lint: $(GOLANGCI_LINT) download
 	$(GOLANGCI_LINT) run -v
 
+HELM_DOCS = bin/helm-docs
+$(HELM_DOCS):
+	GOBIN=$(PWD)/bin go install github.com/norwoodj/helm-docs/cmd/helm-docs@v$(HELM_DOCS_VERSION)
+
+helm-docs: $(HELM_DOCS)
+	$(HELM_DOCS)
+
 out:
 	@mkdir -pv "$(@)"
 

deploy/stackit/README.md

@@ -0,0 +1,39 @@
+# stackit-cert-manager-webhook
+
+![Version: 0.3.0-alpha1](https://img.shields.io/badge/Version-0.3.0--alpha1-informational?style=flat-square) ![AppVersion: 1.0](https://img.shields.io/badge/AppVersion-1.0-informational?style=flat-square)
+
+A Helm chart for Kubernetes
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` |  |
+| certManager | object | `{"namespace":"cert-manager","serviceAccountName":"cert-manager"}` | Meta information of the cert-manager itself. |
+| certManager.namespace | string | `"cert-manager"` | namespace where the webhook should be installed. Cert-Manager and the webhook should be in the same namespace. |
+| certManager.serviceAccountName | string | `"cert-manager"` | service account name for the cert-manager. |
+| fullnameOverride | string | `""` | Fullname override of the webhook. |
+| groupName | string | `"acme.stackit.de"` | The GroupName here is used to identify your company or business unit that created this webhook. Therefore, it should be acme.stackit.de. |
+| image | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/stackitcloud/stackit-cert-manager-webhook","tag":"latest"}` | Image information for the webhook. |
+| image.pullPolicy | string | `"IfNotPresent"` | pull policy of the image. |
+| image.repository | string | `"ghcr.io/stackitcloud/stackit-cert-manager-webhook"` | repository of the image. |
+| image.tag | string | `"latest"` | tag of the image. |
+| nameOverride | string | `""` | Webhook configuration. |
+| nodeSelector | object | `{}` | Node selector for the webhook. |
+| podSecurityContext.runAsGroup | int | `1000` |  |
+| podSecurityContext.runAsNonRoot | bool | `true` |  |
+| podSecurityContext.runAsUser | int | `1000` |  |
+| replicaCount | int | `1` | Replicas for the webhook. Since it is a stateless application server that sends requests you can increase the number as you want. Most of the time however, 1 replica is enough. |
+| resources | object | `{}` | Kubernetes resources for the webhook. Usually limits.cpu=100m, limits.memory=128Mi, requests.cpu=100m, requests.memory=128Mi is enough for the webhook. |
+| securityContext.allowPrivilegeEscalation | bool | `false` |  |
+| securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| service | object | `{"port":443,"type":"ClusterIP"}` | Configuration for the webhook service. |
+| service.port | int | `443` | port of the service. |
+| service.type | string | `"ClusterIP"` | type of the service. |
+| stackitSaAuthentication | object | `{"enabled":false,"fileName":"sa.json","mountPath":"/var/run/secrets/stackit","secretName":"stackit-sa-authentication"}` | Configuration for the stackit service account keys. |
+| stackitSaAuthentication.enabled | bool | `false` | enabled flag for the stackit service account keys. |
+| stackitSaAuthentication.fileName | string | `"sa.json"` | key of the service account key in the secret. Which will be later be used to load in keys in the pod as well. |
+| stackitSaAuthentication.mountPath | string | `"/var/run/secrets/stackit"` | Path where the secret will be mounted in the pod. |
+| stackitSaAuthentication.secretName | string | `"stackit-sa-authentication"` | secret where the service account key is stored. Should be in the same namespace as the webhook since it will be mounted into the pod. |
+| tolerations | list | `[]` | Tolerations for the webhook. |
+

deploy/stackit/values.yaml

@@ -6,33 +6,53 @@
 # solve the DNS01 challenge.
 # This group name should be **unique**, hence using your own company's domain
 # here is recommended.
+# -- The GroupName here is used to identify your company or business unit that created this webhook. Therefore, it should be acme.stackit.de.
 groupName: acme.stackit.de
 
+# -- Replicas for the webhook. Since it is a stateless application server that sends requests you can increase the number as you want. Most of the time however, 1 replica is enough.
 replicaCount: 1
 
+# -- Meta information of the cert-manager itself.
 certManager:
+  # -- namespace where the webhook should be installed. Cert-Manager and the webhook should be in the same namespace.
   namespace: cert-manager
+  # -- service account name for the cert-manager.
   serviceAccountName: cert-manager
 
+# -- Image information for the webhook.
 image:
+  # -- repository of the image.
   repository: ghcr.io/stackitcloud/stackit-cert-manager-webhook
+  # -- tag of the image.
   tag: latest
+  # -- pull policy of the image.
   pullPolicy: IfNotPresent
 
+# -- Webhook configuration.
 nameOverride: ""
+# -- Fullname override of the webhook.
 fullnameOverride: ""
 
+# -- Configuration for the stackit service account keys.
 stackitSaAuthentication:
+  # -- enabled flag for the stackit service account keys.
   enabled: false
+  # -- secret where the service account key is stored. Should be in the same namespace as the webhook since it will be mounted into the pod.
   secretName: stackit-sa-authentication
+  # -- key of the service account key in the secret. Which will be later be used to load in keys in the pod as well.
   fileName: sa.json
+  # -- Path where the secret will be mounted in the pod.
   mountPath: /var/run/secrets/stackit
 
+# -- Configuration for the webhook service.
 service:
+  # -- type of the service.
   type: ClusterIP
+  # -- port of the service.
   port: 443
 
-resources: {}
+# -- Kubernetes resources for the webhook. Usually limits.cpu=100m, limits.memory=128Mi, requests.cpu=100m, requests.memory=128Mi is enough for the webhook.
+resources: { }
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little
   # resources, such as Minikube. If you do want to specify resources, uncomment the following
@@ -41,19 +61,21 @@ resources: {}
   #  cpu: 100m
   #  memory: 128Mi
   # requests:
-  #  cpu: 100m
+#  cpu: 100m
 #  memory: 128Mi
 
-nodeSelector: {}
+# -- Node selector for the webhook.
+nodeSelector: { }
 
-tolerations: []
+# -- Tolerations for the webhook.
+tolerations: [ ]
 
-affinity: {}
+affinity: { }
 
 securityContext:
   allowPrivilegeEscalation: false
   capabilities:
-    drop: ["ALL"]
+    drop: [ "ALL" ]
 
 podSecurityContext:
   runAsGroup: 1000