From f3ed89a0f699ffc95aa37ef019585e20162a7030 Mon Sep 17 00:00:00 2001 From: Andrew Johnson Date: Wed, 20 Oct 2021 23:52:00 +0200 Subject: [PATCH 01/25] Add simple K8S/K3S deployment --- k8s/infracheck.yaml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 k8s/infracheck.yaml diff --git a/k8s/infracheck.yaml b/k8s/infracheck.yaml new file mode 100644 index 0000000..e61c56f --- /dev/null +++ b/k8s/infracheck.yaml @@ -0,0 +1,26 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: infracheck + +--- +apiVersion: v1 +kind: Deployment +metadata: + name: infracheck +spec: + replicas: 1 + selector: + matchLabels: + app: infracheck + template: + metadata: + labels: + app: infracheck + spec: + containers: + - name: app + image: quay.io/riotkit/infracheck:v2.1.2 + ports: + - containerPort: 8000 From 654b842f219806a1f7f7df2960273c20c095cb95 Mon Sep 17 00:00:00 2001 From: Andrew Johnson Date: Wed, 20 Oct 2021 23:55:42 +0200 Subject: [PATCH 02/25] Add namespace --- k8s/infracheck.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/k8s/infracheck.yaml b/k8s/infracheck.yaml index e61c56f..e7b2115 100644 --- a/k8s/infracheck.yaml +++ b/k8s/infracheck.yaml @@ -9,6 +9,7 @@ apiVersion: v1 kind: Deployment metadata: name: infracheck + namespace: infracheck spec: replicas: 1 selector: From c9bbbddf351b1161e00f977ddb8bd224bb2029fb Mon Sep 17 00:00:00 2001 From: Andrew Johnson Date: Wed, 20 Oct 2021 23:59:29 +0200 Subject: [PATCH 03/25] Refactor --- k8s/{infracheck.yaml => deployment.yaml} | 6 ------ k8s/namespace.yaml | 5 +++++ 2 files changed, 5 insertions(+), 6 deletions(-) rename k8s/{infracheck.yaml => deployment.yaml} (87%) create mode 100644 k8s/namespace.yaml diff --git a/k8s/infracheck.yaml b/k8s/deployment.yaml similarity index 87% rename from k8s/infracheck.yaml rename to k8s/deployment.yaml index e7b2115..a497a55 100644 --- a/k8s/infracheck.yaml +++ b/k8s/deployment.yaml 
@@ -1,9 +1,3 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: infracheck - --- apiVersion: v1 kind: Deployment diff --git a/k8s/namespace.yaml b/k8s/namespace.yaml new file mode 100644 index 0000000..606d004 --- /dev/null +++ b/k8s/namespace.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: infracheck From e7c22d15e2b8b280cf602ef90c60e72cadf63388 Mon Sep 17 00:00:00 2001 From: Andrew Johnson Date: Thu, 21 Oct 2021 00:03:48 +0200 Subject: [PATCH 04/25] Refactor --- k8s/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml index a497a55..8bd6694 100644 --- a/k8s/deployment.yaml +++ b/k8s/deployment.yaml @@ -1,5 +1,5 @@ --- -apiVersion: v1 +apiVersion: apps/v1 kind: Deployment metadata: name: infracheck From 33d0f256b7b817112dfdae05d93bcb086a9c9e6b Mon Sep 17 00:00:00 2001 From: Andrew Johnson Date: Thu, 21 Oct 2021 00:05:08 +0200 Subject: [PATCH 05/25] Fix version --- k8s/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml index 8bd6694..ab6362d 100644 --- a/k8s/deployment.yaml +++ b/k8s/deployment.yaml @@ -16,6 +16,6 @@ spec: spec: containers: - name: app - image: quay.io/riotkit/infracheck:v2.1.2 + image: quay.io/riotkit/infracheck:v2.1.2-x86_64 ports: - containerPort: 8000 From 9cde4d68edbd95b04ca4f5c42bdfdf4a0bfa0c1b Mon Sep 17 00:00:00 2001 From: Andrew Johnson Date: Thu, 21 Oct 2021 00:11:30 +0200 Subject: [PATCH 06/25] Add network config --- k8s/network.yaml | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 k8s/network.yaml diff --git a/k8s/network.yaml b/k8s/network.yaml new file mode 100644 index 0000000..2f7383a --- /dev/null +++ b/k8s/network.yaml 
@@ -0,0 +1,33 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: infracheck-http + namespace: infracheck +spec: + selector: + app: infracheck + ports: + - protocol: TCP + port: 80 + targetPort: 8000 + +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: infracheck + namespace: infracheck +spec: + entryPoints: + - websecure + routes: + - kind: Rule + match: Host(`health.wolnosciowiec.org`) + priority: 10 + services: + - name: infracheck-http + port: 80 + tls: + certResolver: default + options: {} From d65403252e230fb504d2069850a70ccbfa2d6f94 Mon Sep 17 00:00:00 2001 From: Andrew Johnson Date: Mon, 8 Nov 2021 08:27:03 +0100 Subject: [PATCH 07/25] WIP Helm Chart --- k8s/Chart.yaml | 12 +++++++++++ k8s/deployment.yaml | 21 ------------------- k8s/namespace.yaml | 5 ----- k8s/templates/NOTES.txt | 1 + k8s/templates/configmap.yaml | 22 ++++++++++++++++++++ k8s/templates/deployment.yaml | 35 ++++++++++++++++++++++++++++++++ k8s/{ => templates}/network.yaml | 14 ++++++------- k8s/values.yaml | 28 +++++++++++++++++++++++++ 8 files changed, 105 insertions(+), 33 deletions(-) create mode 100644 k8s/Chart.yaml delete mode 100644 k8s/deployment.yaml delete mode 100644 k8s/namespace.yaml create mode 100644 k8s/templates/NOTES.txt create mode 100644 k8s/templates/configmap.yaml create mode 100644 k8s/templates/deployment.yaml rename k8s/{ => templates}/network.yaml (63%) create mode 100644 k8s/values.yaml diff --git a/k8s/Chart.yaml b/k8s/Chart.yaml new file mode 100644 index 0000000..a3d80b4 --- /dev/null +++ b/k8s/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +type: application +name: infracheck +version: 0.0.1 +appVersion: 2.1.2 +description: Incredibly elastic and lightweight health check endpoint to cover ANY CASE, including infrastructure as well as applications +home: https://github.com/riotkit-org/infracheck +sources: + - https://github.com/riotkit-org/infracheck +maintainers: + - name: Riotkit + email: riotkit@riseup.net 
diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml deleted file mode 100644 index ab6362d..0000000 --- a/k8s/deployment.yaml +++ /dev/null @@ -1,21 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: infracheck - namespace: infracheck -spec: - replicas: 1 - selector: - matchLabels: - app: infracheck - template: - metadata: - labels: - app: infracheck - spec: - containers: - - name: app - image: quay.io/riotkit/infracheck:v2.1.2-x86_64 - ports: - - containerPort: 8000 diff --git a/k8s/namespace.yaml b/k8s/namespace.yaml deleted file mode 100644 index 606d004..0000000 --- a/k8s/namespace.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: infracheck diff --git a/k8s/templates/NOTES.txt b/k8s/templates/NOTES.txt new file mode 100644 index 0000000..76d6d2d --- /dev/null +++ b/k8s/templates/NOTES.txt @@ -0,0 +1 @@ +Infracheck installed. diff --git a/k8s/templates/configmap.yaml b/k8s/templates/configmap.yaml new file mode 100644 index 0000000..294c0e7 --- /dev/null +++ b/k8s/templates/configmap.yaml @@ -0,0 +1,22 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-scripts +data: + {{- range $k, $v := .Values.checks.scripts }} + {{ $k }}: | +{{ $v | indent 8 }} + {{ end }} + + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-configs +data: + {{- range $k, $v := .Values.checks.configured }} + {{ $k }}: | +{{ $v | indent 8 }} + {{ end }} diff --git a/k8s/templates/deployment.yaml b/k8s/templates/deployment.yaml new file mode 100644 index 0000000..1cd50f8 --- /dev/null +++ b/k8s/templates/deployment.yaml 
@@ -0,0 +1,35 @@ +# todo: support annotations and other things required for Vault, support taints and node selector + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Release.Name }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ .Release.Name }} + template: + metadata: + labels: + app: {{ .Release.Name }} + spec: + volumes: + - name: scripts + configMap: + name: {{ .Release.Name }}-scripts + - name: configs + configMap: + name: {{ .Release.Name }}-configs + + containers: + - name: app + image: {{ .Values.deployment.image }}:{{ .Values.deployment.version }} + ports: + - containerPort: 8000 + volumeMounts: + - name: scripts + mountPath: /data/checks + - name: configs + mountPath: /data/configured diff --git a/k8s/network.yaml b/k8s/templates/network.yaml similarity index 63% rename from k8s/network.yaml rename to k8s/templates/network.yaml index 2f7383a..a3f1c5d 100644 --- a/k8s/network.yaml +++ b/k8s/templates/network.yaml @@ -2,32 +2,32 @@ apiVersion: v1 kind: Service metadata: - name: infracheck-http - namespace: infracheck + name: {{ .Release.Name }}-http spec: selector: - app: infracheck + app: {{ .Release.Name }} ports: - protocol: TCP port: 80 targetPort: 8000 +{{ if .Values.ingress.enabled }} --- apiVersion: traefik.containo.us/v1alpha1 kind: IngressRoute metadata: - name: infracheck - namespace: infracheck + name: {{ .Release.Name }} spec: entryPoints: - websecure routes: - kind: Rule - match: Host(`health.wolnosciowiec.org`) + match: Host(`{{ .Values.ingress.host }}`) priority: 10 services: - - name: infracheck-http + - name: {{ .Release.Name }}-http port: 80 tls: certResolver: default options: {} +{{ end }} diff --git a/k8s/values.yaml b/k8s/values.yaml new file mode 100644 index 0000000..de04125 --- /dev/null +++ b/k8s/values.yaml 
@@ -0,0 +1,28 @@ +deployment: + image: quay.io/riotkit/infracheck + version: v2.1.2-x86_64 + +ingress: + enabled: true + host: health.example.org + +checks: + scripts: + hello.sh: | + #!/bin/bash + + echo "Hello! This is an example check, you can write your own 'check' scripts that takes parameters from JSON and environment variables" + echo "The word is: ${WORD}" + env + + exit 0 + + configured: + disk-space: | + { + "type": "disk-space", + "input": { + "dir": "/", + "min_req_space": "6" + } + } From f43468b2c7cb1641c7a4230f92d1d4ff4343a843 Mon Sep 17 00:00:00 2001 From: Andrew Johnson Date: Tue, 9 Nov 2021 06:24:16 +0100 Subject: [PATCH 08/25] [#39] Parametrize common values --- k8s/templates/_helpers.tpl | 7 ++++++ k8s/templates/deployment.yaml | 45 +++++++++++++++++++++++++++++++++-- k8s/values.yaml | 9 +++++++ 3 files changed, 59 insertions(+), 2 deletions(-) create mode 100644 k8s/templates/_helpers.tpl diff --git a/k8s/templates/_helpers.tpl b/k8s/templates/_helpers.tpl new file mode 100644 index 0000000..370c87b --- /dev/null +++ b/k8s/templates/_helpers.tpl @@ -0,0 +1,7 @@ +{{- define "infracheck.appName" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{- define "infracheck.chartName" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} diff --git a/k8s/templates/deployment.yaml b/k8s/templates/deployment.yaml index 1cd50f8..a5627d5 100644 --- a/k8s/templates/deployment.yaml +++ b/k8s/templates/deployment.yaml 
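Review bot: The example check `hello.sh` under `checks.scripts` in k8s/values.yaml runs a bare `env`, so every environment variable of the container lands in the check's output. If infracheck returns check output through its HTTP endpoint (an assumption, not visible in this patch), that output would include any variable injected into the pod, and the chart enables the ingress by default. I would drop the `env` line from the shipped example and keep only `echo "The word is: ${WORD}"`.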
@@ -1,12 +1,24 @@ # todo: support annotations and other things required for Vault, support taints and node selector +# todo: sqlite3 database (cache) volume --- apiVersion: apps/v1 kind: Deployment metadata: name: {{ .Release.Name }} + labels: + helm.sh/chart: {{ include "infracheck.chartName" . }} + app.kubernetes.io/name: {{ include "infracheck.appName" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- if .Chart.AppVersion }} + app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} + {{- end }} + {{- if .Values.deployment.labels }} + {{ toYaml .Values.deployment.labels | indent 4 }} + {{- end }} spec: - replicas: 1 + replicas: {{ .Values.deployment.replicas }} selector: matchLabels: app: {{ .Release.Name }} @@ -15,6 +27,15 @@ spec: labels: app: {{ .Release.Name }} spec: + {{- with .Values.deployment.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 16 }} + {{- end }} + + {{- with .Values.deployment.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 16 }} + {{- end }} volumes: - name: scripts configMap: @@ -23,9 +44,22 @@ spec: configMap: name: {{ .Release.Name }}-configs + {{- with .Values.deployment.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 16 }} + {{- end }} + {{- with .Values.deployment.affinity }} + affinity: + {{- toYaml . | nindent 16 }} + {{- end }} + {{- with .Values.deployment.tolerations }} + tolerations: + {{- toYaml . | nindent 16 }} + {{- end }} + containers: - name: app - image: {{ .Values.deployment.image }}:{{ .Values.deployment.version }} + image: {{ .Values.deployment.image }}:v{{ .Chart.AppVersion }}-x86_64 ports: - containerPort: 8000 volumeMounts: @@ -33,3 +67,10 @@ spec: mountPath: /data/checks - name: configs mountPath: /data/configured + {{- with .Values.deployment.environment }} + env: + {{- range $key, $val := . }} + - name: {{ $key }} + value: {{ $val | quote }} + {{- end }} + {{ end }} 
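Review bot: In the containers hunk (`@@ -23,9 +44,22 @@`) the image becomes `{{ .Values.deployment.image }}:v{{ .Chart.AppVersion }}-x86_64`, which leaves `deployment.version` in k8s/values.yaml unread although the key is still listed there, and hard-codes the architecture suffix. An operator who pins a version through values silently gets the chart's appVersion instead, which matters when the pin exists to hold back or roll forward a fixed image. Either remove the `version` key or honour it, e.g. `image: "{{ .Values.deployment.image }}:{{ .Values.deployment.version | default (printf "v%s-x86_64" .Chart.AppVersion) }}"`.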
diff --git a/k8s/values.yaml b/k8s/values.yaml index de04125..c55760f 100644 --- a/k8s/values.yaml +++ b/k8s/values.yaml @@ -1,6 +1,15 @@ deployment: image: quay.io/riotkit/infracheck version: v2.1.2-x86_64 + replicas: 1 + imagePullSecrets: [] + podSecurityContext: {} + environment: + AUTHORS: https://github.com/riotkit-org + labels: {} + nodeSelector: {} + affinity: {} + tolerations: [] ingress: enabled: true From 8ac713a24b3128cea9debaab05c0f9193680c8e0 Mon Sep 17 00:00:00 2001 From: Andrew Johnson Date: Tue, 9 Nov 2021 07:40:51 +0100 Subject: [PATCH 09/25] [#39] Parametrize common values --- k8s/templates/deployment.yaml | 14 ++++++++++++-- k8s/values.yaml | 9 +++++++++ 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/k8s/templates/deployment.yaml b/k8s/templates/deployment.yaml index a5627d5..652e377 100644 --- a/k8s/templates/deployment.yaml +++ b/k8s/templates/deployment.yaml @@ -21,11 +21,19 @@ spec: replicas: {{ .Values.deployment.replicas }} selector: matchLabels: - app: {{ .Release.Name }} + app.kubernetes.io/name: {{ .Release.Name }} template: metadata: labels: - app: {{ .Release.Name }} + app.kubernetes.io/name: {{ .Release.Name }} + {{- if .Values.deployment.labels }} + {{ toYaml .Values.deployment.labels | indent 16 }} + {{- end }} + + {{- with .Values.deployment.annotations }} + annotations: + {{ toYaml . | indent 20 }} + {{ end }} spec: {{- with .Values.deployment.imagePullSecrets }} imagePullSecrets: @@ -74,3 +82,5 @@ spec: value: {{ $val | quote }} {{- end }} {{ end }} + resources: + {{- toYaml .Values.deployment.resources | nindent 22 }} diff --git a/k8s/values.yaml b/k8s/values.yaml index c55760f..2be521f 100644 --- a/k8s/values.yaml +++ b/k8s/values.yaml @@ -10,6 +10,15 @@ deployment: nodeSelector: {} affinity: {} tolerations: [] + annotations: {} + resources: + requests: + memory: "128Mi" + cpu: "0" + limits: + memory: "512Mi" + cpu: "4" + ingress: enabled: true 
From 925ff5412d451aa54471165be3a7f185e9a82966 Mon Sep 17 00:00:00 2001 From: Andrew Johnson Date: Tue, 9 Nov 2021 23:07:32 +0100 Subject: [PATCH 10/25] [#39] Fix: `error validating data: ValidationError(IngressRoute.spec.tls.options): missing required field "name" in us.containo.traefik.v1alpha1.IngressRoute.spec.tls.options` --- k8s/templates/network.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/k8s/templates/network.yaml b/k8s/templates/network.yaml index a3f1c5d..c11f429 100644 --- a/k8s/templates/network.yaml +++ b/k8s/templates/network.yaml @@ -29,5 +29,4 @@ spec: port: 80 tls: certResolver: default - options: {} {{ end }} From 54b8a47e21025b7f58303d1434a36032973f4a45 Mon Sep 17 00:00:00 2001 From: Andrew Johnson Date: Tue, 9 Nov 2021 23:45:26 +0100 Subject: [PATCH 11/25] [#39] Add 80 port --- k8s/templates/network.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/k8s/templates/network.yaml b/k8s/templates/network.yaml index c11f429..feac635 100644 --- a/k8s/templates/network.yaml +++ b/k8s/templates/network.yaml @@ -20,6 +20,7 @@ metadata: spec: entryPoints: - websecure + - web routes: - kind: Rule match: Host(`{{ .Values.ingress.host }}`) From 6da30b5d88e67cdd6765b53c8279abb5b5a15ac9 Mon Sep 17 00:00:00 2001 From: Andrew Johnson Date: Wed, 10 Nov 2021 06:51:02 +0100 Subject: [PATCH 12/25] [#39] Fix labels selector --- k8s/templates/deployment.yaml | 6 ++++-- k8s/templates/network.yaml | 3 ++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/k8s/templates/deployment.yaml b/k8s/templates/deployment.yaml index 652e377..2869e4c 100644 --- a/k8s/templates/deployment.yaml +++ b/k8s/templates/deployment.yaml 
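Review bot: Adding `- web` to `entryPoints` in k8s/templates/network.yaml puts the route on the plain-HTTP entry point while it still carries the `tls` block with `certResolver: default`. As far as I know Traefik treats a router that has a TLS section as HTTPS-only, so this may not serve port 80 at all; if it does, health output travels in cleartext. If the goal is to catch HTTP clients, a second IngressRoute on `web` without `tls` that only applies a redirect-to-HTTPS middleware would state that intent. Otherwise keep `- websecure` alone.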
@@ -21,11 +21,13 @@ spec: replicas: {{ .Values.deployment.replicas }} selector: matchLabels: - app.kubernetes.io/name: {{ .Release.Name }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/name: {{ include "infracheck.appName" . }} template: metadata: labels: - app.kubernetes.io/name: {{ .Release.Name }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/name: {{ include "infracheck.appName" . }} {{- if .Values.deployment.labels }} {{ toYaml .Values.deployment.labels | indent 16 }} {{- end }} diff --git a/k8s/templates/network.yaml b/k8s/templates/network.yaml index feac635..fb5ad06 100644 --- a/k8s/templates/network.yaml +++ b/k8s/templates/network.yaml @@ -4,8 +4,9 @@ kind: Service metadata: name: {{ .Release.Name }}-http spec: + type: ClusterIP selector: - app: {{ .Release.Name }} + app.kubernetes.io/name: {{ .Release.Name }} ports: - protocol: TCP port: 80 From 216f60aeb7982a28dffd03cbdc6eea19e1a01033 Mon Sep 17 00:00:00 2001 From: Andrew Johnson Date: Wed, 10 Nov 2021 07:14:28 +0100 Subject: [PATCH 13/25] [#39] Make deployment depend on configmap --- k8s/templates/deployment.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/k8s/templates/deployment.yaml b/k8s/templates/deployment.yaml index 2869e4c..94c0b84 100644 --- a/k8s/templates/deployment.yaml +++ b/k8s/templates/deployment.yaml @@ -1,4 +1,3 @@ -# todo: support annotations and other things required for Vault, support taints and node selector # todo: sqlite3 database (cache) volume --- @@ -32,8 +31,9 @@ spec: {{ toYaml .Values.deployment.labels | indent 16 }} {{- end }} - {{- with .Values.deployment.annotations }} annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- with .Values.deployment.annotations }} {{ toYaml . | indent 20 }} {{ end }} spec: From 9a9a7319c7162cd12b9ef7c94f1012d19221b8be Mon Sep 17 00:00:00 2001 
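Review bot: The Service selector in the k8s/templates/network.yaml hunk (`@@ -4,8 +4,9 @@`) no longer matches the pod labels set by the deployment.yaml hunk of the same commit. The pods now carry `app.kubernetes.io/name: {{ include "infracheck.appName" . }}`, which resolves to the chart name or `nameOverride`, while the Service selects `app.kubernetes.io/name: {{ .Release.Name }}`; the two agree only when the release is named like the chart. With any other release name the Service has no endpoints and the ingress answers with errors. Use the same pair as the Deployment: `app.kubernetes.io/instance: {{ .Release.Name }}` and `app.kubernetes.io/name: {{ include "infracheck.appName" . }}`.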
From: Andrew Johnson Date: Wed, 10 Nov 2021 07:14:50 +0100 Subject: [PATCH 14/25] [#39] Fix - files were mounted without extensions, so Infracheck didn't find them --- k8s/templates/configmap.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/templates/configmap.yaml b/k8s/templates/configmap.yaml index 294c0e7..edcd9ab 100644 --- a/k8s/templates/configmap.yaml +++ b/k8s/templates/configmap.yaml @@ -17,6 +17,6 @@ metadata: name: {{ .Release.Name }}-configs data: {{- range $k, $v := .Values.checks.configured }} - {{ $k }}: | + {{ $k }}.json: | {{ $v | indent 8 }} {{ end }} From 3d851c25053c23fe6ee3078de3729d54cec828e3 Mon Sep 17 00:00:00 2001 From: Andrew Johnson Date: Thu, 11 Nov 2021 12:26:41 +0100 Subject: [PATCH 15/25] [#39] Do not enforce "disk-space" check by default --- k8s/values.yaml | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/k8s/values.yaml b/k8s/values.yaml index 2be521f..460e3a9 100644 --- a/k8s/values.yaml +++ b/k8s/values.yaml @@ -26,6 +26,14 @@ ingress: checks: scripts: + # example - later use it in field "type". + # + # { + # "type": "hello.sh", + # "input": { + # "word": "Cheese" + # } + # } hello.sh: | #!/bin/bash @@ -35,12 +43,12 @@ checks: exit 0 - configured: - disk-space: | - { - "type": "disk-space", - "input": { - "dir": "/", - "min_req_space": "6" - } - } + configured: {} +# disk-space: | +# { +# "type": "disk-space", +# "input": { +# "dir": "/", +# "min_req_space": "6" +# } +# } From 2435bd9bc2dc3f73033c650faaabf9b1a2dcce8b Mon Sep 17 00:00:00 2001 From: Andrew Johnson Date: Thu, 11 Nov 2021 12:33:16 +0100 Subject: [PATCH 16/25] [#39] Added configurable settings --- k8s/templates/deployment.yaml | 8 +++++++- k8s/values.yaml | 4 ++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/k8s/templates/deployment.yaml b/k8s/templates/deployment.yaml index 94c0b84..c39c23e 100644 --- a/k8s/templates/deployment.yaml +++ b/k8s/templates/deployment.yaml 
@@ -77,8 +77,14 @@ spec: mountPath: /data/checks - name: configs mountPath: /data/configured - {{- with .Values.deployment.environment }} env: + - name: REFRESH_TIME + value: "{{ .Values.settings.refresh_time }}" + - name: WAIT_TIME + value: "{{ .Values.settings.wait_time }}" + - name: CHECK_TIMEOUT + value: "{{ .Values.settings.check_timeout }}" + {{- with .Values.deployment.environment }} {{- range $key, $val := . }} - name: {{ $key }} value: {{ $val | quote }} diff --git a/k8s/values.yaml b/k8s/values.yaml index 460e3a9..a1cdeb2 100644 --- a/k8s/values.yaml +++ b/k8s/values.yaml @@ -19,6 +19,10 @@ deployment: memory: "512Mi" cpu: "4" +settings: + refresh_time: "300" # interval between refreshing all checks + wait_time: "0" # time in seconds between two checks are running + check_timeout: "120" # timeout on every check ingress: enabled: true From ba4b98652e171733d052ba8e2b132da0d2462f89 Mon Sep 17 00:00:00 2001 From: Andrew Johnson Date: Thu, 11 Nov 2021 12:37:53 +0100 Subject: [PATCH 17/25] [#39] Add Helm actions to CI --- .github/workflows/test-and-release.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/test-and-release.yaml b/.github/workflows/test-and-release.yaml index 2d95426..75e03a0 100644 --- a/.github/workflows/test-and-release.yaml +++ b/.github/workflows/test-and-release.yaml @@ -16,6 +16,16 @@ jobs: - name: Install dependencies run: "pip install -r ./requirements.txt && pip install -r ./requirements-dev.txt && sudo apt-get install whois sshpass" + - name: Lint Helm + uses: WyriHaximus/github-action-helm3@v2 + with: + exec: helm lint ./k8s + + - name: Render Helm + uses: WyriHaximus/github-action-helm3@v2 + with: + exec: "cd k8s && helm template ./ --debug" + - name: Install project via setuptools run: "rkd :install" From 5a25a98416adc673218994dd48c2f01c19af3ff7 Mon Sep 17 00:00:00 2001 
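Review bot: Both new steps in .github/workflows/test-and-release.yaml reference `WyriHaximus/github-action-helm3@v2`, a tag the action's owner can move to different code at any time. Pinning third-party actions to a full commit SHA keeps what runs in CI fixed and reviewable: `uses: WyriHaximus/github-action-helm3@<full-commit-sha>  # v2`. The rest of the job is outside the hunk, so whether release credentials are in scope for these steps cannot be confirmed from this patch. The file name suggests they might be.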
From: Andrew Johnson Date: Fri, 12 Nov 2021 07:35:45 +0100 Subject: [PATCH 18/25] [#39] Add support for privileged mode --- .rkd/makefile.yaml | 5 +++++ k8s/templates/deployment.yaml | 26 ++++++++++++++++++++++++++ k8s/values.yaml | 5 +++++ 3 files changed, 36 insertions(+) diff --git a/.rkd/makefile.yaml b/.rkd/makefile.yaml index 2f3e1e9..c061a68 100644 --- a/.rkd/makefile.yaml +++ b/.rkd/makefile.yaml @@ -23,6 +23,11 @@ tasks: - pip install -r ./requirements.txt - python3 ./setup.py install + :compile:helm: + description: Checks if Helm Chart compiles + steps: + - cd k8s && helm template ./ --debug + :image: description: Build a docker image arguments: diff --git a/k8s/templates/deployment.yaml b/k8s/templates/deployment.yaml index c39c23e..fc6921a 100644 --- a/k8s/templates/deployment.yaml +++ b/k8s/templates/deployment.yaml @@ -53,6 +53,20 @@ spec: - name: configs configMap: name: {{ .Release.Name }}-configs + {{- if .Values.deployment.allowHostSystemPaths }} + - name: sysfs + hostPath: + path: /sys + type: Directory + - name: dev + hostPath: + path: /dev + type: Directory + - name: proc + hostPath: + path: /proc + type: Directory + {{- end }} {{- with .Values.deployment.nodeSelector }} nodeSelector: @@ -77,6 +91,14 @@ spec: mountPath: /data/checks - name: configs mountPath: /data/configured + {{- if .Values.deployment.allowHostSystemPaths }} + - name: sysfs + mountPath: /sys + - name: dev + mountPath: /dev + - name: proc + mountPath: /proc-host + {{- end }} env: - name: REFRESH_TIME value: "{{ .Values.settings.refresh_time }}" @@ -92,3 +114,7 @@ spec: {{ end }} resources: {{- toYaml .Values.deployment.resources | nindent 22 }} + securityContext: + {{- if .Values.deployment.isPrivileged }} + privileged: true + {{- end }} diff --git a/k8s/values.yaml b/k8s/values.yaml index a1cdeb2..061fe50 100644 --- a/k8s/values.yaml +++ b/k8s/values.yaml 
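Review bot: The three hostPath mounts added under `volumeMounts` in k8s/templates/deployment.yaml (`/sys`, `/dev`, `/proc-host`) are writable, although the comment this commit adds to values.yaml describes them as read-only access for monitoring. Add `readOnly: true` to each of the three mounts so that, when `isPrivileged` is off, a check script cannot write to host kernel interfaces or device nodes through them. In the last hunk, `securityContext:` is emitted with no keys when `isPrivileged` is false. It would be clearer to render `privileged: false` and `allowPrivilegeEscalation: false` in that branch instead of an empty mapping.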
@@ -19,6 +19,11 @@ deployment: memory: "512Mi" cpu: "4" + # You can turn off any of those for security reasons. This gives at least read-only access to host devices, kernel + # and host process data for monitoring purposes. + allowHostSystemPaths: true + isPrivileged: true + settings: refresh_time: "300" # interval between refreshing all checks wait_time: "0" # time in seconds between two checks are running From 7db357042a8be8ca0c691833dc4981b371cbfe93 Mon Sep 17 00:00:00 2001 From: Andrew Johnson Date: Fri, 12 Nov 2021 23:07:36 +0100 Subject: [PATCH 19/25] [#39] Add support for obligatory --server-path-prefix --- k8s/templates/deployment.yaml | 1 + k8s/values.yaml | 2 ++ 2 files changed, 3 insertions(+) diff --git a/k8s/templates/deployment.yaml b/k8s/templates/deployment.yaml index fc6921a..077fe8e 100644 --- a/k8s/templates/deployment.yaml +++ b/k8s/templates/deployment.yaml @@ -86,6 +86,7 @@ spec: image: {{ .Values.deployment.image }}:v{{ .Chart.AppVersion }}-x86_64 ports: - containerPort: 8000 + command: ["--server-path-prefix", "{{ .Values.settings.secret_code }}", "--log-level", "{{ .Values.settings.log_level }}"] volumeMounts: - name: scripts mountPath: /data/checks diff --git a/k8s/values.yaml b/k8s/values.yaml index 061fe50..c31b209 100644 --- a/k8s/values.yaml +++ b/k8s/values.yaml @@ -28,6 +28,8 @@ settings: refresh_time: "300" # interval between refreshing all checks wait_time: "0" # time in seconds between two checks are running check_timeout: "120" # timeout on every check + secret_code: "change-me-please" + log_level: "info" ingress: enabled: true From bd3ea31be89712f0ffdf262d7dfd02d262d529f3 Mon Sep 17 00:00:00 2001 From: Andrew Johnson Date: Fri, 12 Nov 2021 23:39:34 +0100 Subject: [PATCH 20/25] [#39] Add support for PVC --- k8s/templates/deployment.yaml | 9 +++++++++ k8s/templates/volume.yaml | 17 +++++++++++++++++ k8s/values.yaml | 17 ++++++++++++----- 3 files changed, 38 insertions(+), 5 deletions(-) create mode 100644 k8s/templates/volume.yaml 
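Review bot: `allowHostSystemPaths: true` and `isPrivileged: true` ship as defaults in k8s/values.yaml, so a plain `helm install` runs a privileged container with host `/sys`, `/dev` and `/proc` mounted, and `ingress.enabled: true` further down the same file publishes that pod's HTTP endpoint. A privileged pod is effectively root on the node, which is a lot to grant by default to a container that executes user-supplied check scripts. I would default both to `false` and make the comment say they are opt-in, e.g. `# Enable only for checks that need host devices or /proc; this grants host-level access.`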
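Review bot: `secret_code: "change-me-please"` in the `settings` hunk gives every default install the same publicly known path prefix, and the deployment.yaml hunk of this commit renders it into the container's command line, where anyone allowed to read the Deployment can see it. Leave the default empty and make rendering fail when it is unset, for example `{{ required "settings.secret_code must be set" .Values.settings.secret_code }}`. A path prefix is also a weak access control on its own, because URLs tend to end up in proxy and access logs; a short comment in values.yaml saying so would set expectations.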
diff --git a/k8s/templates/deployment.yaml b/k8s/templates/deployment.yaml index 077fe8e..63cca6a 100644 --- a/k8s/templates/deployment.yaml +++ b/k8s/templates/deployment.yaml @@ -66,6 +66,11 @@ spec: hostPath: path: /proc type: Directory + {{- if .Values.dbVolume.enabled }} + - name: database + persistentVolumeClaim: + claimName: {{ .Release.Name }}-database + {{- end }} {{- end }} {{- with .Values.deployment.nodeSelector }} @@ -100,6 +105,10 @@ spec: - name: proc mountPath: /proc-host {{- end }} + {{- if .Values.dbVolume.enabled }} + - name: database + mountPath: /database + {{- end }} env: - name: REFRESH_TIME value: "{{ .Values.settings.refresh_time }}" diff --git a/k8s/templates/volume.yaml b/k8s/templates/volume.yaml new file mode 100644 index 0000000..d158a5c --- /dev/null +++ b/k8s/templates/volume.yaml @@ -0,0 +1,17 @@ +{{- if .Values.dbVolume.enabled }} +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ .Release.Name }}-database +spec: + storageClassName: "{{ .Values.dbVolume.storageClassName }}" + {{- with .Values.dbVolume.volumeName }} + volumeName: "{{ . }}" + {{- end }} + accessModes: + - {{ .Values.dbVolume.accessMode}} + resources: + requests: + storage: {{ .Values.dbVolume.requests }} +{{ end }} diff --git a/k8s/values.yaml b/k8s/values.yaml index c31b209..a9ec3d4 100644 --- a/k8s/values.yaml +++ b/k8s/values.yaml 
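Review bot: The `database` volume in the first hunk (`@@ -66,6 +66,11 @@`) is inserted before the existing `{{- end }}` that closes `{{- if .Values.deployment.allowHostSystemPaths }}`, while the matching `volumeMounts` entry in the second hunk sits after that block's `{{- end }}`. With `allowHostSystemPaths: false` and `dbVolume.enabled: true` the pod references a volume named `database` that is never declared, so the Deployment is rejected, which also penalises anyone who turns the host mounts off for security reasons. Move the five added lines below that `{{- end }}` so the PVC volume is independent of the host-path switch. Indentation is not recoverable from this rendering of the patch, so this reading goes by block order only.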
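Review bot: In k8s/templates/volume.yaml `storageClassName` is always rendered, and the default added to values.yaml is `""`. An explicit empty class requests a pre-provisioned PersistentVolume with no class instead of the cluster default, so with `volumeName` commented out the claim may stay Pending on clusters that rely on dynamic provisioning. Guarding it the same way as `volumeName` (`{{- with .Values.dbVolume.storageClassName }}`) lets the default StorageClass apply when the value is empty.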
@@ -25,11 +25,18 @@ deployment: isPrivileged: true settings: - refresh_time: "300" # interval between refreshing all checks - wait_time: "0" # time in seconds between two checks are running - check_timeout: "120" # timeout on every check - secret_code: "change-me-please" - log_level: "info" + refresh_time: "300" # interval between refreshing all checks + wait_time: "0" # time in seconds between two checks are running + check_timeout: "120" # timeout on every check + secret_code: "change-me-please" # --server-path-prefix + log_level: "info" # --log-level + +dbVolume: + enabled: true + storageClassName: "" + #volumeName: "" + requests: 15Mi + accessMode: ReadWriteOncePod ingress: enabled: true From 7f50d5b8b9cefc0b36585cdde9e8409a64203e5f Mon Sep 17 00:00:00 2001 From: Andrew Johnson Date: Fri, 12 Nov 2021 23:39:46 +0100 Subject: [PATCH 21/25] [#39] Remove todo --- k8s/templates/deployment.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/k8s/templates/deployment.yaml b/k8s/templates/deployment.yaml index 63cca6a..dbaf04a 100644 --- a/k8s/templates/deployment.yaml +++ b/k8s/templates/deployment.yaml @@ -1,5 +1,3 @@ -# todo: sqlite3 database (cache) volume - --- apiVersion: apps/v1 kind: Deployment From bdcc6d6698790094a830fd42d32283803488ed23 Mon Sep 17 00:00:00 2001 From: Andrew Johnson Date: Sat, 13 Nov 2021 14:29:01 +0100 Subject: [PATCH 22/25] [#39] Added configuredStr --- k8s/templates/configmap.yaml | 1 + k8s/values.yaml | 2 ++ 2 files changed, 3 insertions(+) diff --git a/k8s/templates/configmap.yaml b/k8s/templates/configmap.yaml index edcd9ab..0b667c7 100644 --- a/k8s/templates/configmap.yaml +++ b/k8s/templates/configmap.yaml @@ -20,3 +20,4 @@ data: {{ $k }}.json: | {{ $v | indent 8 }} {{ end }} +{{ .Values.checks.configuredStr | indent 8 }} diff --git a/k8s/values.yaml b/k8s/values.yaml index a9ec3d4..ab21fcf 100644 --- a/k8s/values.yaml +++ b/k8s/values.yaml 
@@ -70,3 +70,5 @@ checks: # "min_req_space": "6" # } # } + # raw string to be pasted into ConfigMap + configuredStr: "" From 4b1e58c91b1977d1826d0be1046f2e556a49b700 Mon Sep 17 00:00:00 2001 From: Andrew Johnson Date: Sat, 13 Nov 2021 14:32:27 +0100 Subject: [PATCH 23/25] [#39] Fix compatibility with older Kubernetes API --- k8s/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/values.yaml b/k8s/values.yaml index ab21fcf..b36bf12 100644 --- a/k8s/values.yaml +++ b/k8s/values.yaml @@ -36,7 +36,7 @@ dbVolume: storageClassName: "" #volumeName: "" requests: 15Mi - accessMode: ReadWriteOncePod + accessMode: ReadWriteOnce ingress: enabled: true From 67174e287a7c63895064e789db2886ecac620a37 Mon Sep 17 00:00:00 2001 From: Andrew Johnson Date: Sat, 13 Nov 2021 14:40:09 +0100 Subject: [PATCH 24/25] [#39] Fix command --- k8s/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/templates/deployment.yaml b/k8s/templates/deployment.yaml index dbaf04a..dcd4fb5 100644 --- a/k8s/templates/deployment.yaml +++ b/k8s/templates/deployment.yaml @@ -89,7 +89,7 @@ spec: image: {{ .Values.deployment.image }}:v{{ .Chart.AppVersion }}-x86_64 ports: - containerPort: 8000 - command: ["--server-path-prefix", "{{ .Values.settings.secret_code }}", "--log-level", "{{ .Values.settings.log_level }}"] + args: ["--server-path-prefix", "{{ .Values.settings.secret_code }}", "--log-level", "{{ .Values.settings.log_level }}"] volumeMounts: - name: scripts mountPath: /data/checks From e489f6026a66b044639e8adea2ce762acbc1c66a Mon Sep 17 00:00:00 2001 From: Andrew Johnson Date: Sat, 13 Nov 2021 14:47:48 +0100 Subject: [PATCH 25/25] [#39] Fix command --- k8s/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/templates/deployment.yaml b/k8s/templates/deployment.yaml index dcd4fb5..25a3876 100644 --- a/k8s/templates/deployment.yaml +++ b/k8s/templates/deployment.yaml 
@@ -89,7 +89,7 @@ spec: image: {{ .Values.deployment.image }}:v{{ .Chart.AppVersion }}-x86_64 ports: - containerPort: 8000 - args: ["--server-path-prefix", "{{ .Values.settings.secret_code }}", "--log-level", "{{ .Values.settings.log_level }}"] + args: ["--server-path-prefix", "/{{ .Values.settings.secret_code }}", "--log-level", "{{ .Values.settings.log_level }}"] volumeMounts: - name: scripts mountPath: /data/checks