restructure configuration and autogenerate values list

.drone.star

@@ -13,7 +13,7 @@ config = {
 }
 
 def main(ctx):
-    return linting(ctx)
+    return linting(ctx) + documentation(ctx) + checkStarlark()
 
 def linting(ctx):
     pipelines = []
@@ -69,7 +69,6 @@ def linting(ctx):
         "trigger": {
             "ref": [
                 "refs/pull/**",
-                "refs/tags/**",
             ],
         },
     }
@@ -80,3 +79,77 @@ def linting(ctx):
     pipelines.append(result)
 
     return pipelines
+
+def documentation(ctx):
+    result = {
+        "kind": "pipeline",
+        "type": "docker",
+        "name": "documentation",
+        "steps": [
+            {
+                "name": "helm-docs",
+                "image": "jnorwood/helm-docs:v1.11.0",
+                "entrypoint": [
+                    "/usr/bin/helm-docs",
+                ],
+            },
+            {
+                "name": "check-unchanged",
+                "image": "owncloudci/alpine",
+                "commands": [
+                    "git diff --exit-code",
+                ],
+            },
+        ],
+        "depends_on": [],
+        "trigger": {
+            "ref": [
+                "refs/pull/**",
+            ],
+        },
+    }
+
+    for branch in config["branches"]:
+        result["trigger"]["ref"].append("refs/heads/%s" % branch)
+
+    return [result]
+
+def checkStarlark():
+    result = {
+        "kind": "pipeline",
+        "type": "docker",
+        "name": "check-starlark",
+        "steps": [
+            {
+                "name": "format-check-starlark",
+                "image": "owncloudci/bazel-buildifier:latest",
+                "commands": [
+                    "buildifier --mode=check .drone.star",
+                ],
+            },
+            {
+                "name": "show-diff",
+                "image": "owncloudci/bazel-buildifier:latest",
+                "commands": [
+                    "buildifier --mode=fix .drone.star",
+                    "git diff",
+                ],
+                "when": {
+                    "status": [
+                        "failure",
+                    ],
+                },
+            },
+        ],
+        "depends_on": [],
+        "trigger": {
+            "ref": [
+                "refs/pull/**",
+            ],
+        },
+    }
+
+    for branch in config["branches"]:
+        result["trigger"]["ref"].append("refs/heads/%s" % branch)
+
+    return [result]

.gitignore

@@ -7,3 +7,4 @@
 helmfile.yaml
 .drone.yml
 ocis-ci-templated.yaml
+deployments/*

.helmdocsignore

@@ -1 +1 @@
-charts/ocis
+deployments

charts/ocis/Chart.yaml

@@ -1,15 +1,15 @@
 apiVersion: v2
 name: ocis
-description: Helm charts for ownCloud Infinite Scale (oCIS).
+description: ownCloud Infinite Scale (oCIS) Helm chart
 keywords:
   - owncloud
   - ocis
 maintainers:
   - name: ownCloud GmbH
     email: [email protected]
-    url: owncloud.com
+    url: https://owncloud.com
 type: application
-version: 0.1.0
+version: 0.0.0
 appVersion: 2.0.0-beta.4
 kubeVersion: "~1.20.0 || ~1.21.0 || ~1.22.0 || ~1.23.0 || ~1.24.0" # if this changes, also kubernetesVersions in .drone.star needs to be changed
 sources:

charts/ocis/README.md.gotmpl

@@ -0,0 +1,276 @@
+
+[comment]: # (DONT EDIT THIS FILE, it is autogenerated. Instead you need to edit README.md.gotmpl)
+
+# {{ template "chart.description" . }}
+{{ template "chart.badgesSection" . }}
+
+Installs [ownCloud Infinite Scale](http://owncloud.dev/ocis).
+
+{{ template "chart.deprecationWarning" . }}
+
+## Requirements
+
+Currently we're supporting following Kubernetes versions (and their patch releases).
+We are not testing the Helm chart on all versions, but ensure API compatibility by running manifest validation for the supported versions.
+
+{{ template "chart.kubeVersion" . }}
+
+{{/* This Helm chart is using following external Helm charts: */}}
+
+{{/* template "chart.requirementsTable" . */}}
+
+## Helm chart Repository
+
+This chart is still in an experimental phase, and it has not yet been published on a Helm chart repository.
+
+[//]: # (```console)
+[//]: # (helm repo add ocis https://owncloud.dev/ocis/helm-charts)
+[//]: # (helm repo update)
+[//]: # (```)
+
+## Installing the chart
+
+[//]: # (To install the chart with the release name `my-release`:)
+
+[//]: # (```console)
+[//]: # (helm install my-release ocis/ocis)
+[//]: # (```)
+
+To install the chart with the release name `my-release`:
+
+* clone this git repository
+* run `helm install my-release ./charts/ocis` from the root of this git repository
+
+## Uninstalling the chart
+
+To uninstall/delete the my-release deployment:
+
+```console
+helm delete my-release
+```
+
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Upgrading an existing Release to a new major version
+
+A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an
+incompatible breaking change needing manual actions.
+
+### Supported oCIS versions
+
+This chart only supports following oCIS versions:
+
+* 2.0.0-beta.4
+
+## Configuration
+
+{{ template "chart.valuesTable" . }}
+
+### Secrets
+
+oCIS needs some secrets to work.
+We decided against creating them automagically for you, because Helm does not support one-off generation of secrets out of the box.
+Also oCIS needs to have some certificates, which should have an expiry and therefore need a certificate rotation from time to time.
+This is also not supported by Helm.
+
+These reasons add up and as a result the responsibility fore these secrets (and there lifecycle) lies at the operator, you.
+
+We'll give you all information, you need to generate and maintain these secrets.
+
+Following example shows you how the secrets need to look like and how you can generate them.
+The example assumes, that you don't change the `secretRefs`.
+Each secret data entry holds a description on how to generate it or find the right value.
+
+You can apply the secrets manually or include them in the `extraResources`.
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: jwt-secret
+type: Opaque
+data:
+  # how to generate: base64 encode a random string (reasonable long and mixed characters)
+  # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
+  jwt-secret: XXXXXXXXXXXXX
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ldap-bind-secrets
+type: Opaque
+data:
+  # how to generate: base64 encode a random string (reasonable long and mixed characters)
+  # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
+  reva-ldap-bind-password: XXXXXXXXXXXXX
+
+  # how to generate: base64 encode a random string (reasonable long and mixed characters)
+  # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
+  idp-ldap-bind-password: XXXXXXXXXXXXX
+
+  # how to generate: base64 encode a random string (reasonable long and mixed characters)
+  # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
+  graph-ldap-bind-password: XXXXXXXXXXXXX
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ldap-ca
+type: Opaque
+data:
+  # how to generate: base64 encode the pem-encoded certificate of a (self-signed) x509 certificate authority
+  # example generation commands:
+  #  - `openssl genrsa -out ldap-ca.key 4096`
+  #  - `openssl req -new -x509 -days 3650 -key ldap-ca.key -out ldap-ca.crt`
+  #  - `cat ldap-ca.crt | base64 | tr -d '\n' && echo`
+  ldap-ca.crt: XXXXXXXXXXXXX
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ldap-cert
+type: Opaque
+data:
+  # how to generate: base64 encode a private key (eg. ed25519, ensure that you use reasonable long key size)
+  # example generation commands:
+  #  - `openssl genrsa -out ldap.key 4096`
+  #  - `cat ldap.key | base64 | tr -d '\n' && echo`
+  ldap.key: XXXXXXXXXXXXX
+
+  # how to generate: base64 encode a x509 certificate signed by the above CA, using the above private key.
+  # example generation commands:
+  #  - `openssl req -new -subj "/CN=idm" -key ldap.key -out ldap.csr`
+  #  - `openssl x509 -req -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:idm")) -days 365 -in ldap.csr -CA ldap-ca.crt -CAkey ldap-ca.key -out ldap.crt -CAcreateserial`
+  #  - `cat ldap.crt | base64 | tr -d '\n' && echo`
+  ldap.crt: XXXXXXXXXXXXX
+
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: machine-auth-api-key
+type: Opaque
+data:
+  # how to generate: base64 encode a random string (reasonable long and mixed characters)
+  # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
+  machine-auth-api-key: XXXXXXXXXXXXX
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: storage-system
+type: Opaque
+data:
+  # how to generate: base64 encode a UUID V4
+  # example generation command: `cat /proc/sys/kernel/random/uuid | tr -d '\n' | base64`
+  user-id: XXXXXXXXXXXXX
+
+  # how to generate: base64 encode a random string (reasonable long and mixed characters)
+  # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
+  api-key: XXXXXXXXXXXXX
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: storage-system-jwt-secret
+type: Opaque
+data:
+  # how to generate: base64 encode a random string (reasonable long and mixed characters)
+  # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
+  storage-system-jwt-secret: XXXXXXXXXXXXX
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: transfer-secret
+type: Opaque
+data:
+  # how to generate: base64 encode a random string (reasonable long and mixed characters)
+  # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
+  transfer-secret: XXXXXXXXXXXXX
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: admin-user
+type: Opaque
+data:
+  # how to generate: base64 encode a UUID V4
+  # example generation command: `cat /proc/sys/kernel/random/uuid | tr -d '\n' | base64`
+  user-id: XXXXXXXXXXXXX
+
+  # how to generate: base64 encode a random string (reasonable long and mixed characters)
+  # example generation command: `tr -cd '[a-zA-Z0-9],.' < /dev/urandom | fold -w 50 | head -n 1 | tr -d '\n' | base64`
+  password: XXXXXXXXXXXXX
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: idp-secrets
+type: Opaque
+data:
+  # how to generate: base64 encode a random 32 byte string (mixed characters)
+  # example generation command: `openssl rand 32 | base64`
+  encryption.key: XXXXXXXXXXXXX
+
+  # how to generate: base64 encode a private key (eg. RSA, ensure that you use reasonable long key size)
+  # example generation command: `openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 2> /dev/null | base64 | tr -d '\n'`
+  private-key.pem: XXXXXXXXXXXXX
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: thumbnails-transfer-secret
+type: Opaque
+data:
+  # how to generate: base64 encode a random string (reasonable long and mixed characters)
+  # example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
+  thumbnails-transfer-secret: XXXXXXXXXXXXX
+```
+
+### Example with NGINX ingress and certificate issued by cert-manager
+
+To make this work you need to have NGINX ingress and cert-manager installed in your cluster.
+
+```yaml
+  externalDomain: ocis.owncloud.test
+
+  ingress:
+    enabled: true
+    ingressClassName: nginx
+    annotations:
+      cert-manager.io/issuer: "ocis-certificate-issuer"
+    tls:
+      - hosts:
+        - ocis.owncloud.test
+        secretName: ocis-tls-certificate
+
+  extraResources:
+    - |
+      apiVersion: cert-manager.io/v1
+      kind: Issuer
+      metadata:
+        name: ocis-certificate-issuer
+        namespace: ocis-namespace
+      spec:
+        acme:
+          server: https://acme-v02.api.letsencrypt.org/directory
+          email: [email protected]
+          privateKeySecretRef:
+            name: ocis-certificate-issuer
+          solvers:
+          - http01:
+              ingress:
+                class: nginx
+```