From 22fb591dec098d6c9a7793913c3fe227f9eb7ed9 Mon Sep 17 00:00:00 2001 From: chenbishop Date: Mon, 17 Nov 2025 12:22:13 +0000 Subject: [PATCH 01/10] 1.18.1 pre-release --- README.md | 8 +++++--- charts/kasm/Chart.yaml | 18 +++++++++--------- charts/kasm/README.md | 20 +++++++++++--------- charts/kasm/values.schema.json | 14 +++++++------- charts/kasm/values.yaml | 14 +++++++------- docs/kasm-upgrade.md | 6 +++--- docs/template-files/db-backup.yaml | 6 +++--- docs/template-files/db-upload.yaml | 4 ++-- 8 files changed, 47 insertions(+), 43 deletions(-) diff --git a/README.md b/README.md index 8913043..0f74437 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,8 @@ # Kasm on Kubernetes (Helm Chart) -![Version: 1.1180.0](https://img.shields.io/badge/Version-1.1180.0-informational?style=flat-square) ![AppVersion: 1.18.0](https://img.shields.io/badge/AppVersion-1.18.0-informational?style=flat-square) +![Version: 1.1181.0](https://img.shields.io/badge/Version-1.1181.0-informational?style=flat-square) ![AppVersion: 1.18.1](https://img.shields.io/badge/AppVersion-1.18.1-informational?style=flat-square) -> ⚠️ **This Helm chart is not intended for production use.** +> ⚠️ **This Helm chart is currently under technical Preview. Potential users should be advised that it is suitable for demo and evaluation purposes.** > For advanced configurations, see the [Chart README](./charts/kasm/README.md). ## Overview 
@@ -10,6 +10,8 @@ This Helm chart enables you to deploy [Kasm Workspaces](https://kasm.com/) in Kubernetes with minimal friction. For more detailed information or procedures for upgrading your Kasm Kubernetes deployment, refer to our **[additional documentation](./docs)**. +> Important: The [Kasm agent](https://docs.kasm.com/docs/install/multi_server_install#install-agent-server-roles) is not included in this Helm chart. It must be installed separately on a VM or bare-metal server. A Kasm session cannot be started without a running agent. + ## Quickstart Get up and running in just a few steps! @@ -92,7 +94,7 @@ After deployment, get your connection details and credentials: ## Upgrades & Versioning - **Branching:** - This repo maintains a release branch matching each Kasm Workspaces version (e.g., `release/1.18.0`). + This repo maintains a release branch matching each Kasm Workspaces version (e.g., `release/1.18.1`). Use the matching branch for your Kasm deployment version. - **Development:** Use the default `develop` branch for developer previews. diff --git a/charts/kasm/Chart.yaml b/charts/kasm/Chart.yaml index d44640b..d950fc7 100644 --- a/charts/kasm/Chart.yaml +++ b/charts/kasm/Chart.yaml 
@@ -2,21 +2,21 @@ annotations: category: Virtual Desktop images: | - name: kasm-api - image: kasmweb/api:develop + image: kasmweb/api:1.18.1 - name: kasm-manager - image: kasmweb/manager:develop + image: kasmweb/manager:1.18.1 - name: kasm-db - image: kasmweb/postgres:develop + image: kasmweb/postgres:1.18.1 - name: kasm-proxy - image: kasmweb/proxy:develop + image: kasmweb/proxy:1.18.1 - name: kasm-guac - image: kasmweb/kasm-guac:develop + image: kasmweb/kasm-guac:1.18.1 - name: rdp-gateway - image: kasmweb/rdp-gateway:develop + image: kasmweb/rdp-gateway:1.18.1 - name: rdp-gateway - image: kasmweb/rdp-https-gateway:develop + image: kasmweb/rdp-https-gateway:1.18.1 apiVersion: v2 -appVersion: develop +appVersion: 1.18.1 name: kasm description: Kasm is a platform specializing in providing secure browser-based workspaces for a wide range of applications and industries. Its main goal is to provide isolated and secure environments that can be accessed via web browsers, ensuring that users can perform tasks without risking the security of their local systems. icon: https://kasm-static-content.s3.amazonaws.com/icons/kasm-logo-small.png @@ -28,4 +28,4 @@ keywords: maintainers: - name: Kasm Technologies, Inc. url: https://github.com/kasmtech/kasm-helm -version: 1.1180.0-develop +version: 1.1181.0 diff --git a/charts/kasm/README.md b/charts/kasm/README.md index eedc26f..0c44d43 100644 --- a/charts/kasm/README.md +++ b/charts/kasm/README.md 
@@ -1,9 +1,11 @@ # Kasm on Kubernetes -![Version: 1.1180.0](https://img.shields.io/badge/Version-1.1180.0-informational?style=flat-square) ![AppVersion: 1.18.0](https://img.shields.io/badge/AppVersion-1.18.0-informational?style=flat-square) +![Version: 1.1181.0](https://img.shields.io/badge/Version-1.1181.0-informational?style=flat-square) ![AppVersion: 1.18.1](https://img.shields.io/badge/AppVersion-1.18.1-informational?style=flat-square) Kasm is a platform specializing in providing secure browser-based workspaces for a wide range of applications and industries. Its main goal is to provide isolated and secure environments that can be accessed via web browsers, ensuring that users can perform tasks without risking the security of their local systems. +> Important: The [Kasm agent](https://docs.kasm.com/docs/install/multi_server_install#install-agent-server-roles) is not included in this Helm chart. It must be installed separately on a VM or bare-metal server. A Kasm session cannot be started without a running agent. + **Homepage:** ## Maintainers @@ -363,7 +365,7 @@ object
 repository: kasmweb/postgres
-tag: 1.18.0
+tag: 1.18.1
 
@@ -617,7 +619,7 @@ object
 repository: kasmweb/proxy
-tag: 1.18.0
+tag: 1.18.1
 
@@ -674,7 +676,7 @@ object
 repository: kasmweb/api
-tag: 1.18.0
+tag: 1.18.1
 
@@ -731,7 +733,7 @@ object
 repository: kasmweb/manager
-tag: 1.18.0
+tag: 1.18.1
 
@@ -788,7 +790,7 @@ object
 repository: kasmweb/kasm-guac
-tag: 1.18.0
+tag: 1.18.1
 
@@ -859,7 +861,7 @@ object
 repository: kasmweb/rdp-gateway
-tag: 1.18.0
+tag: 1.18.1
 
@@ -930,7 +932,7 @@ object
 repository: kasmweb/rdp-https-gateway
-tag: 1.18.0
+tag: 1.18.1
 
@@ -1001,7 +1003,7 @@ object
 repository: kasmweb/share
-tag: 1.18.0
+tag: 1.18.1
 
diff --git a/charts/kasm/values.schema.json b/charts/kasm/values.schema.json index a3653ee..0e7b9c3 100644 --- a/charts/kasm/values.schema.json +++ b/charts/kasm/values.schema.json @@ -202,7 +202,7 @@ "type": "string" }, "tag": { - "default": "1.18.0", + "default": "1.18.1", "title": "tag", "type": "string" } @@ -263,7 +263,7 @@ "type": "string" }, "tag": { - "default": "1.18.0", + "default": "1.18.1", "title": "tag", "type": "string" } @@ -318,7 +318,7 @@ "type": "string" }, "tag": { - "default": "1.18.0", + "default": "1.18.1", "title": "tag", "type": "string" } @@ -373,7 +373,7 @@ "type": "string" }, "tag": { - "default": "1.18.0", + "default": "1.18.1", "title": "tag", "type": "string" } @@ -434,7 +434,7 @@ "type": "string" }, "tag": { - "default": "1.18.0", + "default": "1.18.1", "title": "tag", "type": "string" } @@ -495,7 +495,7 @@ "type": "string" }, "tag": { - "default": "1.18.0", + "default": "1.18.1", "title": "tag", "type": "string" } @@ -560,7 +560,7 @@ "type": "string" }, "tag": { - "default": "1.18.0", + "default": "1.18.1", "title": "tag", "type": "string" } diff --git a/charts/kasm/values.yaml b/charts/kasm/values.yaml index 1578cee..d509297 100644 --- a/charts/kasm/values.yaml +++ b/charts/kasm/values.yaml @@ -177,7 +177,7 @@ database: # image: repository: kasmweb/postgres - tag: develop + tag: 1.18.1 # Configure the Storage for the Kasm DB StatefulSet # storage: @@ -263,7 +263,7 @@ components: # image: repository: kasmweb/proxy - tag: develop + tag: 1.18.1 # components.proxy.annotations -- Custom annotations to add to the Kasm Proxy Deployment annotations: {} # components.proxy.resources -- Manually configure the Kasm Proxy Deployment resources. This overrides the pre-defined `deploymentSize` values. 
@@ -278,7 +278,7 @@ components: # image: repository: kasmweb/api - tag: develop + tag: 1.18.1 # components.api.annotations -- Custom annotations to add to the Kasm api Deployment annotations: {} # components.api.resources -- Manually configure the Kasm api Deployment resources. This overrides the pre-defined `deploymentSize` values. @@ -293,7 +293,7 @@ components: # image: repository: kasmweb/manager - tag: develop + tag: 1.18.1 # components.manager.annotations -- Custom annotations to add to the Kasm Manager Deployment annotations: {} # components.manager.resources -- Manually configure the Kasm Manager Deployment resources. This overrides the pre-defined `deploymentSize` values. @@ -308,7 +308,7 @@ components: # image: repository: kasmweb/kasm-guac - tag: develop + tag: 1.18.1 # components.guac.enabled -- Use this setting to enable/disable deployment of the Kasm Guacamole web RDP service - # [Kasm Guac Service](https://docs.kasm.com/docs/guide/connection_proxies#guacamole-guac). # @@ -327,7 +327,7 @@ components: # image: repository: kasmweb/rdp-gateway - tag: develop + tag: 1.18.1 # components.rdpGateway.enabled -- Use this setting to enable/disable deployment of the Kasm RDP Gateway service - # [Kasm RDP Gateway](https://docs.kasm.com/docs/guide/connection_proxies#rdp-gateway). # @@ -346,7 +346,7 @@ components: # image: repository: kasmweb/rdp-https-gateway - tag: develop + tag: 1.18.1 # components.rdpHttpsGateway.enabled -- Use this setting to enable/disable deployment of the Kasm RDP HTTPS Gateway service. # This service allows users to use native RDP clients via HTTPS connections rather than exposing 3389 - # [Kasm RDP HTTPS Gateway](https://docs.kasm.com/docs/guide/connection_proxies#rdp-https-gateway. diff --git a/docs/kasm-upgrade.md b/docs/kasm-upgrade.md index 2889368..39180de 100644 --- a/docs/kasm-upgrade.md +++ b/docs/kasm-upgrade.md 
@@ -14,9 +14,9 @@ This guide walks you through safely **upgrading your Kasm deployment on Kubernet | Scenario | Use This Section | |------------------------------------------------------------|-------------------------------------------------------------------| -| Upgrade legacy `kasm-single-zone` chart 1.17.0 -> 1.1180.0 | [Upgrade Legacy Helm Deployment](legacy-helm-chart-upgrade.md) | -| Upgrade new `kasm` chart 1.1170.0 -> 1.1180.0 | [Upgrade Existing Helm Deployment](new-helm-chart-upgrade.md) | -| Migrate VM deployment → K8s (v1.1180.0/latest) | [Migrate from VM to Kubernetes](vm-to-kubernetes.md) | +| Upgrade legacy `kasm-single-zone` chart 1.17.0 -> 1.1181.0 | [Upgrade Legacy Helm Deployment](legacy-helm-chart-upgrade.md) | +| Upgrade new `kasm` chart 1.1170.0 -> 1.1181.0 | [Upgrade Existing Helm Deployment](new-helm-chart-upgrade.md) | +| Migrate VM deployment → K8s (v1.1181.0/latest) | [Migrate from VM to Kubernetes](vm-to-kubernetes.md) | ### Assumptions: --- diff --git a/docs/template-files/db-backup.yaml b/docs/template-files/db-backup.yaml index ea24306..678cb35 100644 --- a/docs/template-files/db-backup.yaml +++ b/docs/template-files/db-backup.yaml @@ -15,7 +15,7 @@ spec: restartPolicy: OnFailure initContainers: - name: db-is-ready - image: kasmweb/api:1.18.0 + image: kasmweb/api:1.18.1 imagePullPolicy: IfNotPresent env: - name: POSTGRES_HOST @@ -29,7 +29,7 @@ spec: - | while ! pg_isready -h ${POSTGRES_HOST} -p ${POSTGRES_PORT} -t 10; do echo "Waiting for DB..."; sleep 5; done - name: kasm-old-db-backup-set-perms - image: kasmweb/api:1.18.0 + image: kasmweb/api:1.18.1 imagePullPolicy: IfNotPresent command: - /bin/sh @@ -47,7 +47,7 @@ spec: mountPath: /data/kasm-db-dump containers: - name: kasm-old-db-backup-container - image: kasmweb/api:1.18.0 + image: kasmweb/api:1.18.1 imagePullPolicy: IfNotPresent env: - name: POSTGRES_HOST diff --git a/docs/template-files/db-upload.yaml b/docs/template-files/db-upload.yaml index 506c4e6..dce177f 100644 
--- a/docs/template-files/db-upload.yaml +++ b/docs/template-files/db-upload.yaml @@ -15,7 +15,7 @@ spec: restartPolicy: OnFailure initContainers: - name: kasm-old-db-upload-set-perms - image: kasmweb/api:1.18.0 + image: kasmweb/api:1.18.1 imagePullPolicy: IfNotPresent command: - /bin/sh @@ -33,7 +33,7 @@ spec: mountPath: /data/kasm-db-dump containers: - name: kasm-old-db-upload-container - image: kasmweb/api:1.18.0 + image: kasmweb/api:1.18.1 imagePullPolicy: IfNotPresent command: - "/bin/bash" From 0159136fcd7eee6475c501669253fa07e0401c9b Mon Sep 17 00:00:00 2001 
From: delta-whiplash Date: Wed, 29 Apr 2026 12:32:06 +0200 Subject: [PATCH 02/10] feat: add Helm chart repository support (HTTP + OCI) - Add GitHub Actions workflow for automated chart releases via GitHub Pages - Add OCI registry publishing to ghcr.io with Sigstore attestations - Add chart linting and validation workflow for PRs - Add Dependabot for automated GitHub Actions updates - Update README with three installation methods (OCI, HTTP, clone) - Add SECURITY.md for vulnerability reporting - Add CHANGELOG.md following Keep a Changelog format - Add ct.yaml for chart-testing configuration - Add CODEOWNERS for code ownership Addresses issue #22 All actions pinned to SHA for security: - actions/checkout@v6.0.2 - azure/setup-helm@v5.0.0 - helm/chart-releaser-action@v1.7.0 - helm/chart-testing-action@v2.8.0 - actions/setup-python@v6.2.0 - actions/attest@v4.1.0 --- .github/CODEOWNERS | 5 +++ .github/dependabot.yml | 13 +++++++ .github/workflows/chart-test.yml | 44 ++++++++++++++++++++++++ .github/workflows/helm-release.yml | 55 ++++++++++++++++++++++++++++++ .github/workflows/oci-publish.yml | 50 +++++++++++++++++++++++++++ .gitignore | 11 ++++++ CHANGELOG.md | 28 +++++++++++++++ README.md | 26 +++++++++++++- SECURITY.md | 39 +++++++++++++++++++++ ct.yaml | 4 +++ 10 files changed, 274 insertions(+), 1 deletion(-) create mode 100644 .github/CODEOWNERS create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/chart-test.yml create mode 100644 .github/workflows/helm-release.yml create mode 100644 .github/workflows/oci-publish.yml create mode 100644 CHANGELOG.md create mode 100644 SECURITY.md create mode 100644 ct.yaml diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..b7aba4a --- /dev/null +++ b/.github/CODEOWNERS 
@@ -0,0 +1,5 @@ +# Code owners for the Kasm Helm chart +# See https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners + +/charts/ @kasmtech +/.github/workflows/ @kasmtech \ No newline at end of file diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..10d484b --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,13 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + labels: + - "dependencies" + - "github-actions" + commit-message: + prefix: "ci" + include: "scope" \ No newline at end of file diff --git a/.github/workflows/chart-test.yml b/.github/workflows/chart-test.yml new file mode 100644 index 0000000..7f545f2 --- /dev/null +++ b/.github/workflows/chart-test.yml 
@@ -0,0 +1,44 @@ +name: Chart Lint and Test + +on: + pull_request: + paths: + - 'charts/**' + +jobs: + lint: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + + - name: Install Helm + uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0 + + - name: Install Python + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 + with: + python-version: '3.12' + + - name: Install chart-testing + uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f # v2.8.0 + + - name: Run chart-testing (lint) + run: ct lint --charts charts/kasm --check-version-increment=false + + validate: + runs-on: ubuntu-latest + needs: lint + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + - name: Install Helm + uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0 + + - name: Validate chart + run: | + helm lint charts/kasm + helm template test-release charts/kasm --debug > /dev/null \ No newline at end of file diff --git a/.github/workflows/helm-release.yml b/.github/workflows/helm-release.yml new file mode 100644 index 0000000..55e84a1 --- /dev/null +++ b/.github/workflows/helm-release.yml 
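Review bot: The new workflow declares no `permissions:` block, so both the `lint` and `validate` jobs run with the repository's default GITHUB_TOKEN scope although `ct lint`, `helm lint` and `helm template` only need to read the checkout; add `permissions:` / `  contents: read` at the top level, as the sibling helm-release.yml in this commit already does explicitly. Since the trigger is `pull_request` restricted to `paths: 'charts/**'`, a PR that changes only the workflows themselves will not run this check, which is worth stating in a comment above `on:`. The file also ends with `\ No newline at end of file`; a trailing newline keeps yamllint and future diffs clean.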
@@ -0,0 +1,55 @@ +name: Release Charts + +on: + push: + branches: + - develop + - 'release/**' + paths: + - 'charts/**/Chart.yaml' + workflow_dispatch: + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: write + +jobs: + lint: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + + - name: Install Helm + uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0 + + - name: Lint Chart + run: helm lint charts/kasm + + release: + runs-on: ubuntu-latest + needs: lint + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + + - name: Configure Git + run: | + git config user.name "$GITHUB_ACTOR" + git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + + - name: Install Helm + uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0 + + - name: Run chart-releaser + uses: helm/chart-releaser-action@a0d2dc62c5e491af8ef6ba64a2e02bcf3fb33aa1 # v1.7.0 + env: + CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + CR_SKIP_EXISTING: "true" \ No newline at end of file diff --git a/.github/workflows/oci-publish.yml b/.github/workflows/oci-publish.yml new file mode 100644 index 0000000..910cdf9 --- /dev/null +++ b/.github/workflows/oci-publish.yml 
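Review bot: `permissions:` / `contents: write` is declared at workflow level, so the `lint` job, which only runs `helm lint` on a checkout, also receives a write-scoped token; move the block under the `release` job (`release:` / `  permissions:` / `    contents: write`) and let `lint` keep the default read scope. `cancel-in-progress: true` in the `concurrency` block is risky for a publishing workflow: a second Chart.yaml push can abort chart-releaser after it has uploaded the release asset but before the `gh-pages` index is rewritten, leaving the Helm repository half-published, so `cancel-in-progress: false` is the safer choice here. The file also lacks a trailing newline.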
@@ -0,0 +1,50 @@ +name: Publish Chart to OCI + +on: + release: + types: [published] + workflow_dispatch: + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read + packages: write + id-token: write + attestations: write + +jobs: + publish: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + - name: Install Helm + uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0 + + - name: Login to GHCR + run: | + echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u ${{ github.actor }} --password-stdin + + - name: Package Chart + run: | + helm package charts/kasm --destination ./dist + echo "CHART_FILE=$(ls dist/*.tgz)" >> $GITHUB_ENV + + - name: Push Chart to GHCR + id: push + run: | + PUSH_OUTPUT=$(helm push ${{ env.CHART_FILE }} oci://ghcr.io/${{ github.repository_owner }} 2>&1) + echo "$PUSH_OUTPUT" + DIGEST=$(echo "$PUSH_OUTPUT" | grep 'Digest:' | awk '{print $2}') + echo "digest=$DIGEST" >> $GITHUB_OUTPUT + + - name: Generate Artifact Attestation + uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0 + with: + subject-name: ghcr.io/${{ github.repository_owner }}/kasm + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true \ No newline at end of file diff --git a/.gitignore b/.gitignore index 64eefbc..cdf20dd 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,14 @@ ## Ignore cert files *.key *.crt + +## Ignore Helm chart artifacts +*.tgz +dist/ +docs/*.tgz + +## Ignore IDE files +.idea/ +.vscode/ +*.swp +*.swo diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..678a008 --- /dev/null +++ b/CHANGELOG.md 
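Review bot: In the `Login to GHCR` and `Push Chart to GHCR` steps the `${{ secrets.GITHUB_TOKEN }}`, `${{ github.actor }}` and `${{ github.repository_owner }}` expressions are expanded directly into the shell script before it runs; the conventional and safer form is to pass them through `env:` and reference quoted shell variables, which keeps the values out of the script text and the job log. The digest extraction on the `DIGEST=$(echo "$PUSH_OUTPUT" | grep 'Digest:' ...)` line has no empty-result check, so if `helm push` changes its output format the `Generate Artifact Attestation` step would be invoked with an empty `subject-digest` instead of failing early. The rewritten steps below add that guard and use `$GITHUB_ACTOR`, which the sibling helm-release.yml already relies on.
```yaml
      - name: Login to GHCR
        env:
          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "$GHCR_TOKEN" | helm registry login ghcr.io -u "$GITHUB_ACTOR" --password-stdin

      # … unchanged: Package Chart step …

      - name: Push Chart to GHCR
        id: push
        env:
          OCI_REPO: oci://ghcr.io/${{ github.repository_owner }}
        run: |
          PUSH_OUTPUT=$(helm push "$CHART_FILE" "$OCI_REPO" 2>&1)
          echo "$PUSH_OUTPUT"
          DIGEST=$(echo "$PUSH_OUTPUT" | grep 'Digest:' | awk '{print $2}')
          if [ -z "$DIGEST" ]; then
            echo "helm push did not report a digest; refusing to attest" >&2
            exit 1
          fi
          echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"

      # … unchanged: Generate Artifact Attestation step …
```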
@@ -0,0 +1,28 @@ +# Changelog + +All notable changes to the Kasm Helm Chart will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## [Unreleased] + +### Added +- GitHub Actions workflow for automated Helm chart releases via GitHub Pages +- GitHub Actions workflow for OCI registry publishing to ghcr.io +- GitHub Actions workflow for chart linting and validation on PRs +- Dependabot configuration for automated GitHub Actions updates +- CODEOWNERS file for code ownership tracking +- SECURITY.md for security policy and vulnerability reporting +- Chart-testing configuration (ct.yaml) +- Artifact attestations for OCI charts using Sigstore + +### Changed +- README.md updated with three installation methods (OCI, HTTP, clone) +- Improved .gitignore to exclude chart artifacts and IDE files + +## [1.1181.0] - 2024-XX-XX + +### Added +- Initial Helm chart release +- Support for Kasm Workspaces 1.18.1 \ No newline at end of file diff --git a/README.md b/README.md index 0f74437..4c858e5 100644 --- a/README.md +++ b/README.md 
@@ -14,7 +14,31 @@ For more detailed information or procedures for upgrading your Kasm Kubernetes d ## Quickstart -Get up and running in just a few steps! +### Option 1: Using OCI Registry (Recommended for Production) + +> **Note:** OCI charts are published on GitHub releases. This method provides better security with signed artifacts. + +```bash +helm install kasm oci://ghcr.io/kasmtech/kasm \ + --namespace {namespace} --create-namespace \ + --set publicAddr="kasm.contoso.com" \ + --set certificate.secretName="" +``` + +### Option 2: Using Helm Repository + +> **Note:** This requires GitHub Pages to be enabled for this repository. If not available, use Option 3. + +```bash +helm repo add kasm https://kasmtech.github.io/kasm-helm +helm repo update +helm install kasm kasm/kasm \ + --namespace {namespace} --create-namespace \ + --set publicAddr="kasm.contoso.com" \ + --set certificate.secretName="" +``` + +### Option 3: Cloning the Repository 1. **Clone the Helm Chart Repository:** ```bash diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..4db2695 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,39 @@ +# Security Policy + +## Reporting a Vulnerability + +We take the security of Kasm Workspaces seriously. If you believe you have found a security vulnerability, please report it to us through coordinated disclosure. + +### How to Report + +**Please do not report security vulnerabilities through public GitHub issues.** + +Instead, please report them to the Kasm security team: + +- Email: security@kasm.com +- GitHub Security Advisory: Use the [Security Advisories](https://github.com/kasmtech/kasm-helm/security/advisories) feature + +### What to Include + +Please include the following information in your report: + +- Type of vulnerability +- Full path of source file(s) related to the vulnerability +- Steps to reproduce the issue +- Proof-of-concept or exploit code (if possible) +- Impact of the vulnerability + +### Response Timeline + +- We will acknowledge your report within 48 hours +- We will provide a detailed response within 7 days +- We will keep you informed of our progress throughout the process + +### Safe Harbor + +We support safe harbor for security researchers who: +- Make a good faith effort to avoid privacy violations and destruction of data +- Only interact with accounts you own or with explicit permission +- Do not access or exfiltrate data beyond what is necessary to demonstrate the vulnerability + +Thank you for helping keep Kasm and our users safe! \ No newline at end of file diff --git a/ct.yaml b/ct.yaml new file mode 100644 index 0000000..2ce0f50 --- /dev/null +++ b/ct.yaml @@ -0,0 +1,4 @@ +chart-dirs: + - charts +target-branch: develop +validate-maintainers: false \ No newline at end of file From b48805d51990760c8a0e6187fac5f0e24d45cfbc Mon Sep 17 00:00:00 2001 From: delta-whiplash Date: Wed, 29 Apr 2026 12:39:43 +0200 Subject: [PATCH 03/10] chore: bump chart version to trigger CI --- charts/kasm/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/charts/kasm/Chart.yaml b/charts/kasm/Chart.yaml index d950fc7..af799e8 100644 --- a/charts/kasm/Chart.yaml +++ b/charts/kasm/Chart.yaml @@ -28,4 +28,4 @@ keywords: maintainers: - name: Kasm Technologies, Inc. url: https://github.com/kasmtech/kasm-helm -version: 1.1181.0 +version: 1.1181.1 From 56bebf1035eb8bc53409c4a9a988179fc85152cc Mon Sep 17 00:00:00 2001 From: delta-whiplash Date: Wed, 29 Apr 2026 12:44:48 +0200 Subject: [PATCH 04/10] chore: bump chart version to 1.1181.2 --- charts/kasm/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/kasm/Chart.yaml b/charts/kasm/Chart.yaml index af799e8..2301a30 100644 --- a/charts/kasm/Chart.yaml +++ b/charts/kasm/Chart.yaml @@ -28,4 +28,4 @@ keywords: maintainers: - name: Kasm Technologies, Inc. url: https://github.com/kasmtech/kasm-helm -version: 1.1181.1 +version: 1.1181.2 From 1b633a99a9b9dec34e88d51889f8a86860c7e71c Mon Sep 17 00:00:00 2001 From: delta-whiplash Date: Wed, 29 Apr 2026 12:53:47 +0200 Subject: [PATCH 05/10] fix: simplify OCI workflow and add GitHub Pages setup docs - Remove artifact attestation (GITHUB_TOKEN cannot sign on ghcr.io) - Add GitHub Pages setup instructions in README - Clarify prerequisites for Helm repository option --- .github/workflows/oci-publish.yml | 21 ++------------------- README.md | 15 ++++++++++++++- 2 files changed, 16 insertions(+), 20 deletions(-) diff --git a/.github/workflows/oci-publish.yml b/.github/workflows/oci-publish.yml index 910cdf9..fb6c469 100644 --- a/.github/workflows/oci-publish.yml +++ b/.github/workflows/oci-publish.yml @@ -12,8 +12,6 @@ concurrency: permissions: contents: read packages: write - id-token: write - attestations: write jobs: publish: 
@@ -29,22 +27,7 @@ jobs: run: | echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u ${{ github.actor }} --password-stdin - - name: Package Chart + - name: Package and Push Chart run: | helm package charts/kasm --destination ./dist - echo "CHART_FILE=$(ls dist/*.tgz)" >> $GITHUB_ENV - - - name: Push Chart to GHCR - id: push - run: | - PUSH_OUTPUT=$(helm push ${{ env.CHART_FILE }} oci://ghcr.io/${{ github.repository_owner }} 2>&1) - echo "$PUSH_OUTPUT" - DIGEST=$(echo "$PUSH_OUTPUT" | grep 'Digest:' | awk '{print $2}') - echo "digest=$DIGEST" >> $GITHUB_OUTPUT - - - name: Generate Artifact Attestation - uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0 - with: - subject-name: ghcr.io/${{ github.repository_owner }}/kasm - subject-digest: ${{ steps.push.outputs.digest }} - push-to-registry: true \ No newline at end of file + helm push dist/*.tgz oci://ghcr.io/${{ github.repository_owner }} \ No newline at end of file diff --git a/README.md b/README.md index 4c858e5..8bb056f 100644 --- a/README.md +++ b/README.md @@ -27,7 +27,7 @@ helm install kasm oci://ghcr.io/kasmtech/kasm \ ### Option 2: Using Helm Repository -> **Note:** This requires GitHub Pages to be enabled for this repository. If not available, use Option 3. +> **Note:** Requires GitHub Pages enabled on `gh-pages` branch. See [Setup Instructions](#github-pages-setup) below. ```bash helm repo add kasm https://kasmtech.github.io/kasm-helm @@ -132,6 +132,19 @@ After deployment, get your connection details and credentials: --- +## GitHub Pages Setup + +To enable the Helm repository (Option 2), GitHub Pages must be configured: + +1. Go to **Settings** → **Pages** +2. Set **Source** to `gh-pages` branch +3. Set **Folder** to `/ (root)` +4. Click **Save** + +The `gh-pages` branch is automatically created and maintained by the CI workflow when charts are released. + +--- + ## Troubleshooting - It may take several minutes for pods to be ready after install. 
From d38982ff6474849f14d22b45bbf434c302fea967 Mon Sep 17 00:00:00 2001 From: delta-whiplash Date: Wed, 29 Apr 2026 13:07:13 +0200 Subject: [PATCH 06/10] fix: align workflows with upstream branching strategy - Trigger on 'release/**' branches (upstream default: release/1.18.1) - Auto-create gh-pages branch if missing (no manual setup needed) - OCI triggers on push to release/** (upstream has 0 GitHub releases) - Remove extras not requested in issue #22 (SECURITY.md, CHANGELOG.md, CODEOWNERS, dependabot) - Reorder README: HTTP repo first (primary solution for issue #22) - Revert Chart.yaml to original version 1.1181.0 --- .github/CODEOWNERS | 5 ---- .github/dependabot.yml | 13 ---------- .github/workflows/helm-release.yml | 30 +++++++++++------------ .github/workflows/oci-publish.yml | 9 ++++--- CHANGELOG.md | 28 --------------------- README.md | 16 ++++++------ SECURITY.md | 39 ------------------------------ 7 files changed, 27 insertions(+), 113 deletions(-) delete mode 100644 .github/CODEOWNERS delete mode 100644 .github/dependabot.yml delete mode 100644 CHANGELOG.md delete mode 100644 SECURITY.md diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS deleted file mode 100644 index b7aba4a..0000000 --- a/.github/CODEOWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# Code owners for the Kasm Helm chart -# See https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners - -/charts/ @kasmtech -/.github/workflows/ @kasmtech \ No newline at end of file diff --git a/.github/dependabot.yml b/.github/dependabot.yml deleted file mode 100644 index 10d484b..0000000 --- a/.github/dependabot.yml +++ /dev/null @@ -1,13 +0,0 @@ -version: 2 -updates: - - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: "weekly" - open-pull-requests-limit: 5 - labels: - - "dependencies" - - "github-actions" - commit-message: - prefix: "ci" - include: "scope" \ No newline at end of file 
diff --git a/.github/workflows/helm-release.yml b/.github/workflows/helm-release.yml index 55e84a1..3819b93 100644 --- a/.github/workflows/helm-release.yml +++ b/.github/workflows/helm-release.yml @@ -3,7 +3,6 @@ name: Release Charts on: push: branches: - - develop - 'release/**' paths: - 'charts/**/Chart.yaml' @@ -17,29 +16,28 @@ permissions: contents: write jobs: - lint: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - fetch-depth: 0 - - - name: Install Helm - uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0 - - - name: Lint Chart - run: helm lint charts/kasm - release: runs-on: ubuntu-latest - needs: lint steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + - name: Setup gh-pages branch + run: | + if ! git ls-remote --heads origin gh-pages >/dev/null 2>&1; then + git config user.name "$GITHUB_ACTOR" + git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + git checkout --orphan gh-pages + git rm -rf . + printf 'apiVersion: v1\nentries: {}\n' > index.yaml + git add index.yaml + git commit -m "Initialize Helm repository" + git push origin gh-pages + git checkout - + fi + - name: Configure Git run: | git config user.name "$GITHUB_ACTOR" diff --git a/.github/workflows/oci-publish.yml b/.github/workflows/oci-publish.yml index fb6c469..9c1cd71 100644 --- a/.github/workflows/oci-publish.yml +++ b/.github/workflows/oci-publish.yml @@ -1,8 +1,11 @@ name: Publish Chart to OCI on: - release: - types: [published] + push: + branches: + - 'release/**' + paths: + - 'charts/**/Chart.yaml' workflow_dispatch: concurrency: 
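Review bot: The guard in the new `Setup gh-pages branch` step never fires: `git ls-remote --heads origin gh-pages` exits 0 whether or not the branch exists (it simply prints nothing), so `if ! git ls-remote ...` is only true when the remote is unreachable and the branch is never auto-created as the commit message intends. Use `if ! git ls-remote --exit-code --heads origin gh-pages >/dev/null 2>&1; then`, which exits 2 when no ref matches. The step also repeats the two `git config user.*` lines that the following `Configure Git` step sets; running `Configure Git` first would let the new step drop them. With the `lint` job removed, nothing validates the chart before chart-releaser publishes it on a push to `release/**`, since chart-test.yml only runs on pull requests. The enclosing `release` job continues below the hunk.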
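Review bot: With the oci-publish.yml trigger switched from `release: published` to `push` on `release/**`, every Chart.yaml push now publishes to ghcr.io without any lint or template validation in front of it; consider adding `helm lint charts/kasm` before `helm package` in the `Package and Push` step, which lies below this hunk. The unchanged `concurrency` block with `cancel-in-progress: true` is now also reached by ordinary pushes, so two Chart.yaml pushes in quick succession can cancel a `helm push` in flight; `cancel-in-progress: false` avoids a partially-uploaded OCI artifact.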
@@ -27,7 +30,7 @@ jobs: run: | echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u ${{ github.actor }} --password-stdin - - name: Package and Push Chart + - name: Package and Push run: | helm package charts/kasm --destination ./dist helm push dist/*.tgz oci://ghcr.io/${{ github.repository_owner }} \ No newline at end of file diff --git a/CHANGELOG.md b/CHANGELOG.md deleted file mode 100644 index 678a008..0000000 --- a/CHANGELOG.md +++ /dev/null @@ -1,28 +0,0 @@ -# Changelog - -All notable changes to the Kasm Helm Chart will be documented in this file. - -The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), -and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). - -## [Unreleased] - -### Added -- GitHub Actions workflow for automated Helm chart releases via GitHub Pages -- GitHub Actions workflow for OCI registry publishing to ghcr.io -- GitHub Actions workflow for chart linting and validation on PRs -- Dependabot configuration for automated GitHub Actions updates -- CODEOWNERS file for code ownership tracking -- SECURITY.md for security policy and vulnerability reporting -- Chart-testing configuration (ct.yaml) -- Artifact attestations for OCI charts using Sigstore - -### Changed -- README.md updated with three installation methods (OCI, HTTP, clone) -- Improved .gitignore to exclude chart artifacts and IDE files - -## [1.1181.0] - 2024-XX-XX - -### Added -- Initial Helm chart release -- Support for Kasm Workspaces 1.18.1 \ No newline at end of file diff --git a/README.md b/README.md index 8bb056f..efe5104 100644 --- a/README.md +++ b/README.md 
@@ -14,25 +14,23 @@ For more detailed information or procedures for upgrading your Kasm Kubernetes d ## Quickstart -### Option 1: Using OCI Registry (Recommended for Production) - -> **Note:** OCI charts are published on GitHub releases. This method provides better security with signed artifacts. +### Option 1: Using Helm Repository ```bash -helm install kasm oci://ghcr.io/kasmtech/kasm \ +helm repo add kasm https://kasmtech.github.io/kasm-helm +helm repo update +helm install kasm kasm/kasm \ --namespace {namespace} --create-namespace \ --set publicAddr="kasm.contoso.com" \ --set certificate.secretName="" ``` -### Option 2: Using Helm Repository +> **Note:** Requires GitHub Pages enabled. See [Setup Instructions](#github-pages-setup) below. -> **Note:** Requires GitHub Pages enabled on `gh-pages` branch. See [Setup Instructions](#github-pages-setup) below. +### Option 2: Using OCI Registry ```bash -helm repo add kasm https://kasmtech.github.io/kasm-helm -helm repo update -helm install kasm kasm/kasm \ +helm install kasm oci://ghcr.io/kasmtech/kasm \ --namespace {namespace} --create-namespace \ --set publicAddr="kasm.contoso.com" \ --set certificate.secretName="" diff --git a/SECURITY.md b/SECURITY.md deleted file mode 100644 index 4db2695..0000000 --- a/SECURITY.md +++ /dev/null 
@@ -1,39 +0,0 @@ -# Security Policy - -## Reporting a Vulnerability - -We take the security of Kasm Workspaces seriously. If you believe you have found a security vulnerability, please report it to us through coordinated disclosure. - -### How to Report - -**Please do not report security vulnerabilities through public GitHub issues.** - -Instead, please report them to the Kasm security team: - -- Email: security@kasm.com -- GitHub Security Advisory: Use the [Security Advisories](https://github.com/kasmtech/kasm-helm/security/advisories) feature - -### What to Include - -Please include the following information in your report: - -- Type of vulnerability -- Full path of source file(s) related to the vulnerability -- Steps to reproduce the issue -- Proof-of-concept or exploit code (if possible) -- Impact of the vulnerability - -### Response Timeline - -- We will acknowledge your report within 48 hours -- We will provide a detailed response within 7 days -- We will keep you informed of our progress throughout the process - -### Safe Harbor - -We support safe harbor for security researchers who: -- Make a good faith effort to avoid privacy violations and destruction of data -- Only interact with accounts you own or with explicit permission -- Do not access or exfiltrate data beyond what is necessary to demonstrate the vulnerability - -Thank you for helping keep Kasm and our users safe! \ No newline at end of file From 86c40b2f09d555a43cf454373a65f3b48ea5d3ef Mon Sep 17 00:00:00 2001 From: delta-whiplash Date: Wed, 29 Apr 2026 13:19:21 +0200 Subject: [PATCH 07/10] chore: bump chart version to trigger CI test --- charts/kasm/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/kasm/Chart.yaml b/charts/kasm/Chart.yaml index 2301a30..96993f4 100644 --- a/charts/kasm/Chart.yaml +++ b/charts/kasm/Chart.yaml 
@@ -28,4 +28,4 @@ keywords: maintainers: - name: Kasm Technologies, Inc. url: https://github.com/kasmtech/kasm-helm -version: 1.1181.2 +version: 1.1181.3 From 788c3b9b1904d5d98157f1a796ce26b15b58243c Mon Sep 17 00:00:00 2001 From: delta-whiplash Date: Thu, 30 Apr 2026 23:50:03 +0200 Subject: [PATCH 08/10] feat: add OCI push to ghcr.io alongside GitHub releases --- .github/workflows/helm-release.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.github/workflows/helm-release.yml b/.github/workflows/helm-release.yml index 3819b93..096c33b 100644 --- a/.github/workflows/helm-release.yml +++ b/.github/workflows/helm-release.yml @@ -46,6 +46,18 @@ jobs: - name: Install Helm uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0 + - name: Login to GitHub Container Registry + uses: docker/login-action@74a5d142397b4f367a1b7dda937da443f5a9c3d5 # v3.4.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Package and Push Helm Chart to OCI + run: | + helm package charts/kasm --version $(grep "version:" charts/kasm/Chart.yaml | awk '{print $2}') + helm push kasm-*.tgz oci://ghcr.io/${{ github.repository_owner }}/charts + - name: Run chart-releaser uses: helm/chart-releaser-action@a0d2dc62c5e491af8ef6ba64a2e02bcf3fb33aa1 # v1.7.0 env: From f3002f020f496f63f4d0a595d72f23cf1f1de2aa Mon Sep 17 00:00:00 2001 From: delta-whiplash Date: Thu, 30 Apr 2026 23:52:39 +0200 Subject: [PATCH 09/10] fix: use correct docker/login-action v4.1.0 SHA hash --- .github/workflows/helm-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/helm-release.yml b/.github/workflows/helm-release.yml index 096c33b..5bbe3a2 100644 --- a/.github/workflows/helm-release.yml +++ b/.github/workflows/helm-release.yml 
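Review bot: In the new "Package and Push Helm Chart to OCI" step, `grep "version:" charts/kasm/Chart.yaml` matches every line containing that substring; if Chart.yaml also carries an `appVersion:` key, as the README badges on this page suggest, two values are passed to `--version` and `helm package` fails or packages the wrong version. `helm package` already reads `version:` from Chart.yaml, so the flag can simply be dropped: `helm package charts/kasm`; if an explicit override is wanted, anchor the match with `--version "$(awk '/^version:/ {print $2}' charts/kasm/Chart.yaml)"`. The destination `oci://ghcr.io/${{ github.repository_owner }}/charts` also differs from the `oci://ghcr.io/${{ github.repository_owner }}` used by `oci-publish.yml` earlier on this page and from the `oci://ghcr.io/kasmtech/kasm` path the README documents, so the same chart would land under two OCI paths; pick one and document it. The `release` job continues outside the hunk.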
@@ -47,7 +47,7 @@ jobs: uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0 - name: Login to GitHub Container Registry - uses: docker/login-action@74a5d142397b4f367a1b7dda937da443f5a9c3d5 # v3.4.0 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: ghcr.io username: ${{ github.actor }} From 25b9d03949e1e671e7abbd5f0a32e688f7f78921 Mon Sep 17 00:00:00 2001 From: delta-whiplash Date: Thu, 30 Apr 2026 23:53:57 +0200 Subject: [PATCH 10/10] fix: add packages:write permission for OCI push --- .github/workflows/helm-release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/helm-release.yml b/.github/workflows/helm-release.yml index 5bbe3a2..e070e68 100644 --- a/.github/workflows/helm-release.yml +++ b/.github/workflows/helm-release.yml @@ -14,6 +14,7 @@ concurrency: permissions: contents: write + packages: write jobs: release:
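Review bot: `packages: write` is added to the workflow-level `permissions:` block, so every job in the file receives it together with `contents: write`. Only the `release` job is visible after the block, so the grant is currently equivalent, but moving both entries under `jobs.release.permissions:` keeps the token scoped if a lint or test job is reintroduced later, as the earlier hunk on this page removed one. A short comment such as `# packages: write is required for helm push to ghcr.io` would also record why the grant exists. The `jobs:` section continues beyond the hunk.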