Helm Chart for HNC installation

[mochizuki875]

What type of PR is this?:

/kind feature

What this PR does / why we need it:

Provide HNC installation method via Helm.

Previously, it was disccussed in #46 and #62.
However, the problem that how to keep the chart up-to-date with changes in the config directory has not been resolved.
In this PR, I've added a mechanism to auto generate chart from manifest file generated from config directory using kustomize.

How to use:

Clone this repository.

$ git clone https://github.com/mochizuki875/hierarchical-namespaces.git -b feature_hnc_helm

Set environment variables.
They will be actually set in release process.

$ export HNC_REGISTRY=gcr.io/k8s-staging-multitenancy
$ export HNC_IMG_NAME=hnc-manager
$ export HNC_IMG_TAG=<HNC Version, eg v1.1.0>

Generate chart.

$ make charts

Install chart.
You can do any setting in charts/hnc/values.yaml before installation.
eg: setting hncExcludeNamespaces, enable HRQ, etc.

$ cd charts/hnc
$ helm install hnc ./.  --create-namespace -n hnc-system

Tested:

E2E tests has passed.

Related:

#46
#62

Special notes for your reviewer:

Packaging and publishing to chart repository are not included.
In many cases, charts are placed in gh-pages branch and published as Helm repository using GitHub Pages.

eg:
https://github.com/prometheus-community/helm-charts/tree/gh-pages

Onece gh-pages branch is created add published as GitHub Pages, I think we can include these process in cloudbuild.yaml.

[mochizuki875]

/cc @adrianludwin

[rjbez17]

So sorry, I started a review and got side tracked. Here are a few inital thoughts, I'll find some time soon to give it a closer look. I'm traveling the next few weeks so apologize in advanced.

[rjbez17]

Copy Paste from makefile: I wouldn't expect yq to live in the CURDIR. Maybe add some logic like this instead?

[mochizuki875]

@rjbez17
I may not have understood your comment sufficiently...
update-helm.sh wil be called from Makefile via make charts and yq will be installed in ${CURDIR}/bin before execution update-helm.sh.
Therefore, isn't it expected that yq exists in ${CURDIR}/bin?

hierarchical-namespaces/Makefile

Lines 501 to 505 in b2ccf30

	.PHONY: yq
	yq: ## Download yq locally if necessary.
	@GOBIN=${CURDIR}/bin GO111MODULE=on go install github.com/mikefarah/yq/v4@v4.34.1
	charts: yq manifests

[rjbez17]

This is a much safer way to achieve this (ROOTDIR or REPODIR is more descriptive I think):

ROOTDIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )/../"

[rjbez17]

If you change this to @rm -rf charts/hnc/crds/* you can avoid the mkdir command following it

[rjbez17]

Same here

[rjbez17]

/ok-to-test

[mochizuki875]

Thanks @rjbez17 !
I've addressed all feedback except one.

[rjbez17]

Is there a reason we don't just hardcode these in _helpers.tpl since the aren't supposed to be overriden?

[mochizuki875]

@rjbez17
As you say, I think it good to hardcode them.
So I've fixed that.

[rjbez17]

Sorry for the delay here. Finally found some time to pull the branch and play with the templating. The ONLY thing left that I can find is can you please make:

hrq:
  enabled: false

true by default?

Building the manifests (make manifests) shows we are enabling by default there and this would keep us inline. Thanks again for all the work here, I really appreciate it.

apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -789,21 +214,20 @@
     spec:
       containers:
       - args:
+        - --excluded-namespace=hnc-system
+        - --excluded-namespace=kube-system
+        - --excluded-namespace=kube-public
+        - --excluded-namespace=kube-node-lease
         - --webhook-server-port=9443
         - --metrics-addr=:8080
         - --max-reconciles=10
         - --apiserver-qps-throttle=50
-        - --excluded-namespace=kube-system
-        - --excluded-namespace=kube-public
-        - --excluded-namespace=hnc-system
-        - --excluded-namespace=kube-node-lease
         - --nopropagation-label=cattle.io/creator=norman
         - --enable-internal-cert-management
         - --cert-restart-on-secret-refresh
-        - --enable-hrq

[mochizuki875]

@rjbez17
I recognize HRQ is beta status and not enabled by default(default.yaml) at v1.1.0.
As beta feature, it is enabled in hrq.yaml.
https://github.com/kubernetes-sigs/hierarchical-namespaces/releases/tag/v1.1.0

Of course, it's ok to set hrq.enabled: true as helm default value, should we do it?

[rjbez17]

@rjbez17 I recognize HRQ is beta status and not enabled by default(default.yaml) at v1.1.0. As beta feature, it is enabled in hrq.yaml. https://github.com/kubernetes-sigs/hierarchical-namespaces/releases/tag/v1.1.0

Of course, it's ok to set hrq.enabled: true as helm default value, should we do it?

Yeah, I was on the fence with it, but it seems that current manifest generation turns it on by default so I was thinking we'd do the same. We can keep at as false for now since it is an easy change for users to override it on.

[rjbez17]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mochizuki875, rjbez17

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [rjbez17]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mochizuki875]

@rjbez17 Thanks for your reviews and approve!

[mjozefcz]

Thanks guys, I'm really looking forward to see this helm chart as artefact hosted on github pages!