EOEPCA Helm Charts Development Repository

EOEPCA Reference Implementation - Helm Charts Development Repository
Repository Index »
View Demo · Report Bug · Request Feature

Table of Contents

• Table of Contents
• Getting Started
• Development process
  • Steps to develop
  • Security scanning
• Issues
• License
• Contact
• Acknowledgements

Getting Started

To use the eoepca helm chart repository, just add the repo update it an install packages as usual

$ helm repo add eoepca-dev https://eoepca.github.io/helm-charts-dev/
$ helm repo update
$ helm install test eoepca-dev/cheese

Development process

This helm chart repository is used following the example at https://helm.sh/docs/topics/chart_repository/#github-pages-example it uses the chart releaser (cr) https://helm.sh/docs/howto/chart_releaser_action/ in a github action to create the packages and update the repository index automatically. When a a change is detected in one of the charts at charts/ folder it creates a new package and add it to the index, this means that every time a change is made, the version needs to be increased.

Steps to develop

• Point your test enviroment to https://eoepca.github.io/helm-charts-dev/
• Create your own branch to introduce new changes
• Increase the version of the package
• Merge it with develop branch, this will create a new package/release on https://eoepca.github.io/helm-charts-dev/ that your test enviroment can install
• If the test is succesfull and you want to release the package/release to production merge it on the main branch, this will trigger and automated action and it will be released in https://eoepca.github.io/helm-charts/

Security scanning

Trivy scans the Helm charts for vulnerable configuration and you can see the results at https://github.com/EOEPCA/helm-charts-dev/security/code-scanning.

To run scans locally use a command such as trivy config --config trivy-config.yaml --output /dev/stdout --format table charts. The scan will use the charts with their default config.

Typically you should:

• Ensure all image versions can be updated by users via config and are not hard-coded or defaulted to latest.
• Add a securityContext for every pod with allowPrivilegeEscalation=false, runAsNonRoot=true and readOnlyRootFilesystem=true.
• Use only well-known 'trusted' registries as listed in trivy-config-data.yaml. For docker.io you may need to explicitly specify it, eg docker.io/library/alpine:tag and not just alpine:tag.

Issues

See the open issues for a list of proposed features (and known issues).

License

The EOEPCA SYSTEM is distributed under the European Space Agency - ESA Software Community Licence Permissive – v2.4. See LICENSE for more information.

Building-blocks and their sub-components are individually licensed. See their respective source repositories for details.

Contact

Project Link: Project Home (https://eoepca.github.io/)

Acknowledgements

• README.md is based on this template by Othneil Drew.