Include support for separate secret keys for pass and user

.github/workflows/bump_chart.py

@@ -0,0 +1,44 @@
+import sys
+import re
+
+if len(sys.argv) < 2 or sys.argv[1] == '':
+    raise 'Chart.yaml path should be passed as first argument'
+
+new_app_version=''
+if len(sys.argv) >= 3 and sys.argv[2] != '':
+    print(f'New appVersion: {sys.argv[2]}')
+    new_app_version=sys.argv[2]
+
+chart_yaml_path=sys.argv[1]
+
+with open(chart_yaml_path, 'r') as chart_file:
+    chart_yaml = chart_file.read()
+
+updated_yaml = chart_yaml
+
+# Auto bump version patch.
+match = re.search(r'version:\s*(.+)', chart_yaml)
+if match:
+    current_version = match.group(1)
+    print(f'Current version: {current_version}')
+
+    parts = current_version.split('.')
+    current_major = parts[0]
+    current_minor = parts[1]
+    new_patch = int(parts[2])+1
+    new_version = f'{current_major}.{current_minor}.{new_patch}'
+    updated_yaml = updated_yaml.replace(current_version, new_version)
+    print(f'Updated version: {new_version}')
+
+# Update appVersion.
+if new_app_version != '':
+    match = re.search(r'appVersion:\s*(.+)', chart_yaml)
+    if match:
+        current_app_version = match.group(1)
+        print(f'Current appVersion: {current_app_version}')
+
+        updated_yaml = updated_yaml.replace(current_app_version, f'"{new_app_version}"')
+        print(f'Updated appVersion: "{new_app_version}"')
+
+with open(chart_yaml_path, 'w') as chart_file:
+    chart_file.write(updated_yaml)

.github/workflows/helm-lint.yaml

@@ -0,0 +1,22 @@
+name: Lint Charts
+
+on: pull_request
+
+jobs:
+  lint-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/[email protected]
+
+      - name: Scan repo with kube-linter
+        uses: stackrox/[email protected]
+        with:
+          directory: charts
+          format: plain
+          version: v0.6.7

.github/workflows/publish-chart-in-cast.yaml

@@ -0,0 +1,132 @@
+name: Build
+
+on:
+  push:
+    branches:
+      - main
+  release:
+    types:
+      - published
+  pull_request:
+    branches:
+      - main
+
+env:
+  CR_CONFIGFILE: "${{ github.workspace }}/cr.yaml"
+  CR_INDEX_PATH: "${{ github.workspace }}/.cr-index"
+  CR_PACKAGE_PATH: "${{ github.workspace }}/.cr-release-packages"
+  CR_TOOL_PATH: "${{ github.workspace }}/.cr-tool"
+  CHART_PATH: "${{ github.workspace }}/charts/temporal"
+
+jobs:
+  build:
+    name: Publish Helm Chart in castai/helm-charts
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Checkout helm-charts
+        if: ${{ github.event_name == 'release' }}
+        # The cr tool only works if the target repository is already checked out
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          repository: castai/helm-charts
+          path: castai-helm-charts
+          token: ${{ secrets.HELM_CHARTS_REPO_TOKEN }}
+
+      - name: Configure Git for helm-charts
+        if: ${{ github.event_name == 'release' }}
+        run: |
+          cd castai-helm-charts
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "[email protected]"
+
+      - name: Install Helm
+        if: ${{ github.event_name == 'release' }}
+        uses: azure/[email protected]
+        id: install
+
+      - name: Install CR tool
+        if: ${{ github.event_name == 'release' }}
+        run: |
+          mkdir "${CR_TOOL_PATH}"
+          mkdir "${CR_PACKAGE_PATH}"
+          mkdir "${CR_INDEX_PATH}"
+          curl -sSLo cr.tar.gz "https://github.com/helm/chart-releaser/releases/download/v1.6.1/chart-releaser_1.6.1_linux_amd64.tar.gz"
+          tar -xzf cr.tar.gz -C "${CR_TOOL_PATH}"
+          rm -f cr.tar.gz
+
+      - name: Bump chart version
+        if: ${{ github.event_name == 'release' }}
+        run: |
+          echo "Release tag is ${{env.RELEASE_TAG}}"
+          python ./.github/workflows/bump_chart.py ${CHART_PATH}/Chart.yaml ${{env.RELEASE_TAG}}
+
+      - name: Parse Chart.yaml
+        if: ${{ github.event_name == 'release' }}
+        id: parse-chart
+        run: |
+          description=$(yq ".description" < ${CHART_PATH}/Chart.yaml)
+          name=$(yq ".name" < ${CHART_PATH}/Chart.yaml)
+          version=$(yq ".version" < ${CHART_PATH}/Chart.yaml)
+          echo "chartpath=${CHART_PATH}" >> $GITHUB_OUTPUT
+          echo "desc=${description}" >> $GITHUB_OUTPUT
+          echo "tagname=${name}-${version}" >> $GITHUB_OUTPUT
+          echo "packagename=${name}-${version}" >> $GITHUB_OUTPUT
+      - name: Create helm package
+        if: ${{ github.event_name == 'release' }}
+        run: |
+          "${CR_TOOL_PATH}/cr" package "${{ steps.parse-chart.outputs.chartpath }}" --config "${CR_CONFIGFILE}" --package-path "${CR_PACKAGE_PATH}"
+          echo "Result of chart package:"
+          ls -l "${CR_PACKAGE_PATH}"
+          git status
+
+      - name: Make helm charts github release
+        if: ${{ github.event_name == 'release' }}
+        uses: softprops/[email protected]
+        with:
+          body: |
+            ${{ steps.parse-chart.outputs.desc }}
+            Source commit: https://github.com/${{ github.repository }}/commit/${{ github.sha }}
+          files: |
+            ${{ env.CR_PACKAGE_PATH }}/${{ steps.parse-chart.outputs.packagename }}.tgz
+            ${{ env.CR_PACKAGE_PATH }}/${{ steps.parse-chart.outputs.packagename }}.tgz.prov
+          repository: castai/helm-charts
+          tag_name: ${{ steps.parse-chart.outputs.tagname }}
+          token: ${{ secrets.HELM_CHARTS_REPO_TOKEN }}
+
+      - name: Update helm repo index.yaml
+        if: ${{ github.event_name == 'release' }}
+        run: |
+          cd helm-charts
+          "${CR_TOOL_PATH}/cr" index --config "${CR_CONFIGFILE}" --token "${{ secrets.HELM_CHARTS_REPO_TOKEN }}" --index-path "${CR_INDEX_PATH}" --package-path "${CR_PACKAGE_PATH}" --push
+
+      - name: Commit Chart.yaml changes
+        if: ${{ github.event_name == 'release' }}
+        run: |
+          git status
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "[email protected]"
+          git add charts/temporal/Chart.yaml
+          git stash 
+          git fetch
+          git checkout main
+          git stash pop
+          git add charts/temporal/Chart.yaml
+          git commit -m "[Release] Update Chart.yaml"
+          git push
+
+      - name: Sync chart with helm-charts github
+        if: ${{ github.event_name == 'release' }}
+        run: |
+          cd helm-charts
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "[email protected]"
+          git checkout main
+          mkdir -p ./charts/temporal
+          cp -r ${CHART_PATH}/* ./charts/temporal
+          git add charts/temporal
+          git commit -m "Update Temporal chart to ${{env.RELEASE_TAG}}"
+          git push

charts/temporal/templates/_admintools-env.yaml

@@ -15,12 +15,15 @@
 - name: CASSANDRA_KEYSPACE
   value: {{ $driverConfig.keyspace }}
 - name: CASSANDRA_USER
-  value: {{ $driverConfig.user }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "temporal.persistence.secretName" (list $global $store) }}
+      key: {{ include "temporal.persistence.secretKeyUser" (list $global $store) }}
 - name: CASSANDRA_PASSWORD
   valueFrom:
     secretKeyRef:
       name: {{ include "temporal.persistence.secretName" (list $global $store) }}
-      key: {{ include "temporal.persistence.secretKey" (list $global $store) }}
+      key: {{ include "temporal.persistence.secretKeyPassword" (list $global $store) }}
   {{- with $driverConfig.tls }}
 - name: CASSANDRA_ENABLE_TLS
   value: {{ .enabled | quote }}
@@ -43,12 +46,15 @@
 - name: SQL_DATABASE
   value: {{ include "temporal.persistence.sql.database" (list $global $store) }}
 - name: SQL_USER
-  value: {{ $driverConfig.user }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "temporal.persistence.secretName" (list $global $store) }}
+      key: {{ include "temporal.persistence.secretKeyUser" (list $global $store) }}
 - name: SQL_PASSWORD
   valueFrom:
     secretKeyRef:
       name: {{ include "temporal.persistence.secretName" (list $global $store) }}
-      key: {{ include "temporal.persistence.secretKey" (list $global $store) }}
+      key: {{ include "temporal.persistence.secretKeyPassword" (list $global $store) }}
   {{- with $driverConfig.connectAttributes }}
 - name: SQL_CONNECT_ATTRIBUTES
   value: {{ include "temporal.persistence.sql.connectAttributes" (list $global $store) | quote }}
@@ -83,12 +89,15 @@
 - name: ES_PORT
   value: {{ $driverConfig.port | quote }}
 - name: ES_USER
-  value: {{ $driverConfig.username | quote }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "temporal.persistence.secretName" (list $global $store) }}
+      key: {{ include "temporal.persistence.secretKeyUser" (list $global $store) }}
 - name: ES_PWD
   valueFrom:
     secretKeyRef:
       name: {{ include "temporal.persistence.secretName" (list $global $store) }}
-      key: {{ include "temporal.persistence.secretKey" (list $global $store) }}
+      key: {{ include "temporal.persistence.secretKeyPassword" (list $global $store) }}
 - name: ES_VERSION
   value: {{ $driverConfig.version }}
 - name: ES_VISIBILITY_INDEX