feat(charts): add rhoso-apps helm chart and ci

Add Helm chart for Argo CD Applications (templates, values,
values.schema.json), and a path-filtered GitHub Actions workflow
(lint, template, package) with a TODO for publishing release
artifacts.

Refs: https://redhat.atlassian.net/browse/OSPRH-27658

AI-Assist: Cursor; model=Composer-2; mode=agent; origin=cursor
Made-with: Cursor

Author: cjeanner

.github/workflows/helm-chart.yml

@@ -0,0 +1,72 @@
+---
+# Validate charts/rhoso-apps: lint (incl. values.schema.json), helm-unittest,
+# kubeconform on rendered CRs, package.
+# TODO: When release process is defined, persist and publish the chart artifact
+# (rhoso-apps-<version>.tgz from `helm package`)—e.g. GitHub Release asset, Helm
+# HTTP repo, or OCI registry—for downloadable installs.
+name: helm-chart
+permissions:
+  contents: read
+on:  # yamllint disable-line rule:truthy
+  pull_request:
+    branches:
+      - main
+    paths:
+      - "charts/**"
+      - ".github/workflows/helm-chart.yml"
+  push:
+    branches:
+      - main
+    paths:
+      - "charts/**"
+      - ".github/workflows/helm-chart.yml"
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    env:
+      # Pin tool versions (kubeconform: https://github.com/yannh/kubeconform/releases)
+      KUBECONFORM_VERSION: v0.6.7
+      # helm-unittest plugin: https://github.com/helm-unittest/helm-unittest/releases
+      HELM_UNITTEST_VERSION: "0.7.0"
+      # Kubernetes OpenAPI for built-in kinds; Argo Application uses Datree CRDs-catalog.
+      KUBERNETES_SCHEMA_VERSION: "1.29.0"
+    defaults:
+      run:
+        working-directory: charts/rhoso-apps
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v3.16.3
+
+      - name: Install helm-unittest plugin
+        run: helm plugin install https://github.com/helm-unittest/helm-unittest.git --version "${HELM_UNITTEST_VERSION}"
+
+      - name: Install kubeconform
+        run: |
+          set -euo pipefail
+          mkdir -p "${HOME}/.local/bin"
+          curl -sSL "https://github.com/yannh/kubeconform/releases/download/${KUBECONFORM_VERSION}/kubeconform-linux-amd64.tar.gz" | tar xz -C /tmp
+          mv /tmp/kubeconform "${HOME}/.local/bin/kubeconform"
+          echo "${HOME}/.local/bin" >> "${GITHUB_PATH}"
+
+      - name: Helm lint
+        run: helm lint . -f values.yaml
+
+      - name: Helm unittest
+        run: helm unittest .
+
+      - name: Helm template (kubeconform)
+        run: |
+          set -euo pipefail
+          helm template rhoso-apps-test . -f values.yaml | kubeconform -summary \
+            -kubernetes-version "${KUBERNETES_SCHEMA_VERSION}" \
+            -schema-location default \
+            -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json'
+
+      # Produces rhoso-apps-*.tgz; publishing is TODO until release workflow exists (see file header).
+      - name: Helm package
+        run: helm package .

.yamllint.yml

@@ -5,6 +5,8 @@ ignore:
   - '*.env'
   - '*.txt'
   - '*.sh'
+  # Helm templates are not valid YAML until rendered (Go templating).
+  - 'charts/**/templates/**'
 
 rules:
   line-length:

charts/rhoso-apps/.helmignore

@@ -0,0 +1,25 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+# helm-unittest suites (not part of the packaged chart)
+tests/

charts/rhoso-apps/Chart.yaml

@@ -0,0 +1,25 @@
+---
+apiVersion: v2
+name: rhoso-apps
+description: Create and manage argocd applications to deploy RHOSO
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "18.0.17"

charts/rhoso-apps/templates/_helpers.tpl

@@ -0,0 +1,86 @@
+{{/*
+Namespace for Argo CD Application CRs (metadata.namespace).
+Pass root context ($) from inside range.
+*/}}
+{{- define "rhoso-apps.applicationNamespace" -}}
+{{- default "openshift-gitops" .Values.applicationNamespace | quote -}}
+{{- end }}
+
+{{/*
+Default Kubernetes API server URL for spec.destination.server.
+Pass root context ($) from inside range.
+*/}}
+{{- define "rhoso-apps.destinationServer" -}}
+{{- default "https://kubernetes.default.svc" .Values.destinationServer | quote -}}
+{{- end }}
+
+{{/*
+Argo CD AppProject name; empty string in values maps to "default".
+Pass dict with key "app" (per-application values map).
+*/}}
+{{- define "rhoso-apps.argocdProject" -}}
+{{- $app := .app -}}
+{{- default "default" $app.project | quote -}}
+{{- end }}
+
+{{/*
+Repository path under spec.source.path.
+*/}}
+{{- define "rhoso-apps.sourcePath" -}}
+{{- $app := .app -}}
+{{- default "." $app.path | quote -}}
+{{- end }}
+
+{{/*
+Git revision, branch, or tag for spec.source.targetRevision.
+*/}}
+{{- define "rhoso-apps.targetRevision" -}}
+{{- $app := .app -}}
+{{- default "HEAD" $app.targetRevision | quote -}}
+{{- end }}
+
+{{/*
+Optional spec.source.kustomize (Argo CD Kustomize overrides).
+Pass dict with key "app" (per-application values map). Omitted if unset, non-map, or empty map.
+*/}}
+{{- define "rhoso-apps.sourceKustomize" -}}
+{{- $app := .app -}}
+{{- $k := $app.kustomize | default dict }}
+{{- if not (kindIs "map" $k) }}
+{{- $k = dict }}
+{{- end }}
+{{- if not (empty $k) }}
+    kustomize:
+{{ toYaml $k | nindent 6 }}
+{{- end }}
+{{- end }}
+
+{{/*
+Merge syncPolicy map with optional syncOptions; emit spec.syncPolicy block or nothing.
+Pass dict with key "app" (per-application values map).
+*/}}
+{{- define "rhoso-apps.syncPolicySpec" -}}
+{{- $app := .app -}}
+{{- $merged := $app.syncPolicy | default dict }}
+{{- if not (kindIs "map" $merged) }}
+{{- $merged = dict }}
+{{- end }}
+{{- if and $app.syncOptions (not (empty $app.syncOptions)) }}
+{{- $merged = merge $merged (dict "syncOptions" $app.syncOptions) }}
+{{- end }}
+{{- if not (empty $merged) }}
+  syncPolicy:
+{{ toYaml $merged | indent 4 }}
+{{- end }}
+{{- end }}
+
+{{/*
+Argo CD Application metadata.finalizers (resources finalizer: background vs foreground).
+Omitted finalizers default to background deletion.
+Pass dict with key "app" (per-application values map).
+*/}}
+{{- define "rhoso-apps.applicationFinalizers" -}}
+{{- $app := .app -}}
+{{- $f := default (list "resources-finalizer.argocd.argoproj.io/background") $app.finalizers }}
+{{- toYaml $f -}}
+{{- end }}

charts/rhoso-apps/templates/application.yaml

@@ -0,0 +1,24 @@
+{{- range $name, $app := .Values.applications }}
+{{- if $app.enabled }}
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: {{ $name }}
+  namespace: {{ include "rhoso-apps.applicationNamespace" $ }}
+  finalizers:
+{{- include "rhoso-apps.applicationFinalizers" (dict "app" $app) | nindent 4 }}
+  annotations:
+    argocd.argoproj.io/sync-wave: {{ $app.syncWave | quote }}
+spec:
+  project: {{ include "rhoso-apps.argocdProject" (dict "app" $app) }}
+  source:
+    repoURL: {{ $app.repoURL | quote }}
+    path: {{ include "rhoso-apps.sourcePath" (dict "app" $app) }}
+    targetRevision: {{ include "rhoso-apps.targetRevision" (dict "app" $app) }}
+{{ include "rhoso-apps.sourceKustomize" (dict "app" $app) }}
+  destination:
+    server: {{ include "rhoso-apps.destinationServer" $ }}
+{{ include "rhoso-apps.syncPolicySpec" (dict "app" $app) }}
+{{- end }}
+{{- end }}

charts/rhoso-apps/tests/application_test.yaml

@@ -0,0 +1,148 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: rhoso-apps application template
+templates:
+  - application.yaml
+tests:
+  # Helm merges values; we cannot replace the whole applications map from tests.
+  # Assert on one real Application from values.yaml via documentSelector.
+  - it: renders openstack-controlplane Application from default values
+    values:
+      - ../values.yaml
+    documentSelector:
+      path: metadata.name
+      value: openstack-controlplane
+    asserts:
+      - isKind:
+          of: Application
+      - equal:
+          path: apiVersion
+          value: argoproj.io/v1alpha1
+      - equal:
+          path: metadata.name
+          value: openstack-controlplane
+      - equal:
+          path: metadata.namespace
+          value: openshift-gitops
+      - equal:
+          path: metadata.finalizers[0]
+          value: resources-finalizer.argocd.argoproj.io/foreground
+      - equal:
+          path: metadata.annotations["argocd.argoproj.io/sync-wave"]
+          value: "10"
+      - equal:
+          path: spec.project
+          value: default
+      - equal:
+          path: spec.source.repoURL
+          value: https://github.com/openstack-k8s-operators/gitops
+      - equal:
+          path: spec.source.path
+          value: examples/controlplane
+      - equal:
+          path: spec.source.targetRevision
+          value: v0.1.0
+      - equal:
+          path: spec.destination.server
+          value: https://kubernetes.default.svc
+      - equal:
+          path: spec.syncPolicy.syncOptions[0]
+          value: Prune=true
+
+  - it: renders operator-dependencies with default background finalizer
+    values:
+      - ../values.yaml
+    documentSelector:
+      path: metadata.name
+      value: operator-dependencies
+    asserts:
+      - equal:
+          path: metadata.finalizers[0]
+          value: resources-finalizer.argocd.argoproj.io/background
+
+  - it: omits spec.source.kustomize when not set in values
+    values:
+      - ../values.yaml
+    documentSelector:
+      path: metadata.name
+      value: operator-dependencies
+    asserts:
+      - notExists:
+          path: spec.source.kustomize
+
+  - it: renders spec.source.kustomize when applications entry sets kustomize
+    set:
+      applicationNamespace: openshift-gitops
+      destinationServer: https://kubernetes.default.svc
+      applications:
+        kustom-test:
+          enabled: true
+          repoURL: https://github.com/example/repo
+          path: examples/foo
+          targetRevision: main
+          syncWave: "0"
+          syncOptions:
+            - Prune=true
+          kustomize:
+            namePrefix: dev-
+            components:
+              - https://github.com/example/components/overlay
+    documentSelector:
+      path: metadata.name
+      value: kustom-test
+    asserts:
+      - equal:
+          path: spec.source.kustomize.namePrefix
+          value: dev-
+      - equal:
+          path: spec.source.kustomize.components[0]
+          value: https://github.com/example/components/overlay
+
+  - it: fails values schema when repoURL is missing
+    set:
+      applicationNamespace: openshift-gitops
+      destinationServer: https://kubernetes.default.svc
+      applications:
+        bad:
+          enabled: true
+          path: "."
+          targetRevision: main
+          syncWave: "0"
+          syncOptions: []
+    asserts:
+      - failedTemplate:
+          errorPattern: repoURL
+
+  - it: fails values schema when destinationServer is not an https URI
+    set:
+      applicationNamespace: openshift-gitops
+      destinationServer: http://insecure.example
+      applications:
+        a:
+          enabled: true
+          repoURL: https://github.com/example/repo
+          path: "."
+          targetRevision: main
+          syncWave: "0"
+          syncOptions: []
+    asserts:
+      - failedTemplate:
+          errorPattern: destinationServer
+
+  - it: fails values schema when finalizer is not allowed
+    set:
+      applicationNamespace: openshift-gitops
+      destinationServer: https://kubernetes.default.svc
+      applications:
+        bad:
+          enabled: true
+          repoURL: https://github.com/example/repo
+          path: "."
+          targetRevision: main
+          syncWave: "0"
+          syncOptions: []
+          finalizers:
+            - resources-finalizer.argocd.argoproj.io/invalid
+    asserts:
+      - failedTemplate:
+          errorPattern: finalizers