Jules/align helm release workflow (#21 )

* ci: Align Helm dependency setup in release workflow Adds missing Helm dependency setup steps (repo add, dependency build) to the release workflow, mirroring the CI workflow. This ensures that dependencies are correctly handled during linting and packaging in the release process. * refactor: Scope exporter RBAC to namespace for least privilege Changed the exporter's ClusterRole and ClusterRoleBinding to a namespaced Role and RoleBinding. This modification ensures that the exporter, by default, only has permissions to get, list, and watch pods within its own installation namespace. This aligns with the default behavior of IPERF_SERVER_NAMESPACE, which also defaults to the pod's own namespace, thereby adhering more strictly to the principle of least privilege. Verified with `helm template` that the Role and RoleBinding are correctly created within the release namespace. --------- Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
ci: Align Helm dependency setup in release workflow (#20 )
2026-03-08 05:22:35 +00:00 · 2025-07-02 12:57:00 +05:30 · 2025-07-02 11:56:38 +05:30
4 changed files with 33 additions and 11 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -22,6 +22,15 @@ jobs:
        with:
          version: v3.10.0

+      - name: Add Helm repositories
+        run: |
+          helm repo add bjw-s https://bjw-s-labs.github.io/helm-charts/ --force-update
+          helm repo add prometheus-community https://prometheus-community.github.io/helm-charts --force-update
+          helm repo update
+
+      - name: Build Helm chart dependencies
+        run: helm dependency build ./charts/iperf3-monitor
+
      - name: Helm Lint
        run: helm lint ./charts/iperf3-monitor

@@ -86,6 +95,15 @@ jobs:
          sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq &&\
          sudo chmod +x /usr/bin/yq

+      - name: Add Helm repositories
+        run: |
+          helm repo add bjw-s https://bjw-s-labs.github.io/helm-charts/ --force-update
+          helm repo add prometheus-community https://prometheus-community.github.io/helm-charts --force-update
+          helm repo update
+
+      - name: Build Helm chart dependencies
+        run: helm dependency build ./charts/iperf3-monitor
+
      - name: Set Chart Version from Tag
        run: |
          VERSION=$(echo "${{ github.ref_name }}" | sed 's/^v//')
--- a/charts/iperf3-monitor/templates/rbac.yaml
+++ b/charts/iperf3-monitor/templates/rbac.yaml
@@ -7,9 +7,10 @@ metadata:
    {{- include "iperf3-monitor.labels" . | nindent 4 }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
  name: {{ include "iperf3-monitor.fullname" . }}-role
+  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "iperf3-monitor.labels" . | nindent 4 }}
 rules:
@@ -18,9 +19,10 @@ rules:
    verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
  name: {{ include "iperf3-monitor.fullname" . }}-rb
+  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "iperf3-monitor.labels" . | nindent 4 }}
 subjects:
@@ -28,7 +30,7 @@ subjects:
    name: {{ include "iperf3-monitor.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
 roleRef:
-  kind: ClusterRole
+  kind: Role # Changed from ClusterRole
  name: {{ include "iperf3-monitor.fullname" . }}-role
  apiGroup: rbac.authorization.k8s.io
 {{- end -}}
--- a/charts/iperf3-monitor/templates/service.yaml
+++ b/charts/iperf3-monitor/templates/service.yaml
@@ -11,7 +11,7 @@ spec:
    {{- include "iperf3-monitor.selectorLabels" . | nindent 4 }}
    app.kubernetes.io/component: exporter
  ports:
-    - name: metrics
-      port: {{ .Values.service.port }}
-      targetPort: {{ .Values.service.targetPort }}
-      protocol: TCP
+    - name: metrics # Assuming 'metrics' is the intended name, aligns with values structure
+      port: {{ .Values.service.main.ports.metrics.port }}
+      targetPort: {{ .Values.service.main.ports.metrics.targetPort }}
+      protocol: {{ .Values.service.main.ports.metrics.protocol | default "TCP" }}
--- a/charts/iperf3-monitor/values.yaml
+++ b/charts/iperf3-monitor/values.yaml
@@ -86,13 +86,15 @@ controllers:
          #       key: mykey

        # -- Ports for the exporter container.
+        # Expected by Kubernetes and bjw-s common library as a list of objects.
        ports:
-          metrics: # Name of the port, will be used in Service definition
+          - name: metrics # Name of the port, referenced by Service's targetPort
            # -- Port number for the metrics endpoint on the container.
-            port: 9876 # Default, should match service.targetPort
+            containerPort: 9876
            # -- Protocol for the metrics port.
-            protocol: TCP # Common library defaults to TCP if not specified.
-            enabled: true # This port is enabled
+            protocol: TCP
+            # -- Whether this port definition is enabled. Specific to bjw-s common library.
+            enabled: true

        # -- CPU and memory resource requests and limits for the exporter container.
        resources: