feat: builds helm chart (#137)

* builds helm chart

Signed-off-by: Alex Jones <alexsimonjones@gmail.com>

* Revert change to release manifest

Signed-off-by: Todd Baert <toddbaert@gmail.com>
Signed-off-by: Alex Jones <alexsimonjones@gmail.com>

* fix: CVE-2022-32149

Signed-off-by: Todd Baert <toddbaert@gmail.com>
Signed-off-by: Alex Jones <alexsimonjones@gmail.com>

* defining flags

Signed-off-by: Alex Jones <alexsimonjones@gmail.com>

* defining flags

Signed-off-by: Alex Jones <alexsimonjones@gmail.com>

* defining flags

Signed-off-by: Alex Jones <alexsimonjones@gmail.com>

* updated chart name

Signed-off-by: Alex Jones <alexsimonjones@gmail.com>

* updated for tar compatibility and other PR comments

Signed-off-by: Alex Jones <alexsimonjones@gmail.com>

* switched to generated certificates and issuers

Signed-off-by: Alex Jones <alexsimonjones@gmail.com>

* switched to generated certificates and issuers

Signed-off-by: Alex Jones <alexsimonjones@gmail.com>

* fixed initial chart impl

Signed-off-by: Alex Jones <alexsimonjones@gmail.com>

* fix: CVE-2022-32149

Signed-off-by: Todd Baert <toddbaert@gmail.com>
Signed-off-by: Alex Jones <alexsimonjones@gmail.com>

* Update release-please.yml

Switching to use release-please comment

Signed-off-by: Alex Jones <alexsimonjones@gmail.com>

* updated from PR feedback

Signed-off-by: Alex Jones <alexsimonjones@gmail.com>

* Update chart/Chart.yaml

Co-authored-by: Skye Gill <gill.skye95@gmail.com>
Signed-off-by: Alex Jones <alex.jones@canonical.com>
Signed-off-by: Alex Jones <alexsimonjones@gmail.com>

* fix: CVE-2022-32149

Signed-off-by: Todd Baert <toddbaert@gmail.com>
Signed-off-by: Alex Jones <alexsimonjones@gmail.com>

* fix: CVE-2022-32149

Signed-off-by: Todd Baert <toddbaert@gmail.com>
Signed-off-by: Alex Jones <alexsimonjones@gmail.com>

* Revert change to release manifest

Signed-off-by: Todd Baert <toddbaert@gmail.com>
Signed-off-by: Alex Jones <alexsimonjones@gmail.com>

* fix: CVE-2022-32149

Signed-off-by: Todd Baert <toddbaert@gmail.com>
Signed-off-by: Alex Jones <alexsimonjones@gmail.com>

* fixup: add misc files to release-plz config

Signed-off-by: Todd Baert <toddbaert@gmail.com>
Signed-off-by: Alex Jones <alexsimonjones@gmail.com>

* merging changes

Signed-off-by: Alex Jones <alexsimonjones@gmail.com>

* updated readme

Signed-off-by: Alex Jones <alexsimonjones@gmail.com>

Signed-off-by: Alex Jones <alexsimonjones@gmail.com>
Signed-off-by: Todd Baert <toddbaert@gmail.com>
Signed-off-by: Alex Jones <alex.jones@canonical.com>
Co-authored-by: Todd Baert <toddbaert@gmail.com>
Co-authored-by: Skye Gill <gill.skye95@gmail.com>

.github/workflows/release-please.yml

@@ -97,6 +97,7 @@ jobs:
             make update-flagd
             go mod tidy
             make controller-gen
+            make helm-package
             IMG=ghcr.io/open-feature/open-feature-operator:${{ needs.release-please.outputs.release_tag_name }} make release-manifests
 
         - uses: anchore/sbom-action@v0
@@ -109,3 +110,4 @@ jobs:
               config/webhook/certificate.yaml
               config/rendered/release.yaml
               config/samples/end-to-end.yaml
+

.gitignore

@@ -1,3 +1,5 @@
+charts
+.tar.gz
 config/manager/manager.yaml
 config/manager/kustomization.yaml
 schemas

.release-please-manifest.json

@@ -1,3 +1,3 @@
 {
-  ".": "0.2.6"
+  ".": "0.2.5"
 }

Makefile

@@ -3,6 +3,7 @@
 IMG ?= controller:latest
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
 FLAGD_VERSION=v0.2.5
+CHART_VERSION=v0.2.6# x-release-please-version
 ENVTEST_K8S_VERSION = 1.23
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
@@ -132,6 +133,7 @@ $(LOCALBIN):
 ## Tool Binaries
 KUSTOMIZE ?= $(LOCALBIN)/kustomize
 CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen
+HELM ?= $(LOCALBIN)/HELM
 ENVTEST ?= $(LOCALBIN)/setup-envtest
 
 ## Tool Versions
@@ -142,6 +144,7 @@ KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/k
 .PHONY: kustomize
 kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary.
 $(KUSTOMIZE): $(LOCALBIN)
+	[ -e "$(KUSTOMIZE)" ] && rm -rf "$(KUSTOMIZE)" || true
 	curl -s $(KUSTOMIZE_INSTALL_SCRIPT) | bash -s -- $(subst v,,$(KUSTOMIZE_VERSION)) $(LOCALBIN)
 
 .PHONY: controller-gen
@@ -153,3 +156,23 @@ $(CONTROLLER_GEN): $(LOCALBIN)
 envtest: $(ENVTEST) ## Download envtest-setup locally if necessary.
 $(ENVTEST): $(LOCALBIN)
 	GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
+
+OSARCH=$(shell ./hack/get-os.sh)
+HELM = $(shell pwd)/bin/$(OSARCH)/helm
+HELM_INSTALLER ?= "https://get.helm.sh/helm-v3.10.1-$(OSARCH).tar.gz"
+.PHONY: helm
+helm: $(HELM) ## Download helm locally if necessary.
+$(HELM): $(LOCALBIN)
+	[ -e "$(HELM)" ] && rm -rf "$(HELM)" || true
+	cd $(LOCALBIN) && curl -s $(HELM_INSTALLER) | tar -xzf - -C $(LOCALBIN)
+
+HELMIFY = $(shell pwd)/bin/helmify
+helmify:
+	GOBIN=$(LOCALBIN) go install github.com/arttor/helmify/cmd/helmify@v0.3.7
+
+generate-helm: manifests kustomize helmify
+	$(KUSTOMIZE) build config/default | $(HELMIFY) chart
+
+helm-package: helm generate-helm
+	$(HELM) package chart --version $(CHART_VERSION)
+	mkdir -p charts && mv ofo-*.tgz charts

README.md

@@ -19,15 +19,23 @@ _Requires [cert manager](https://cert-manager.io/docs/installation/kubernetes/)
 
 ```
 kubectl create namespace open-feature-operator-system
-kubectl apply -f https://github.com/open-feature/open-feature-operator/releases/download/v0.2.6/certificate.yaml
 kubectl apply -f https://github.com/open-feature/open-feature-operator/releases/download/v0.2.6/release.yaml
 ```
 
 <!---x-release-please-end-->
 
+
+## Deploy the helm chart
+
+```
+git clone https://github.com/open-feature/open-feature-operator.git
+cd chart
+helm upgrade ofo . --install -n open-feature-operator-system
+```
+
+
 ### Release contents
 
-- `certificate.yaml` holds the cert-manager manifests used to authorize requests between components.
 - `release.yaml` contains the configuration of:
   - `FeatureFlagConfiguration` `CustomResourceDefinition` (custom type that holds the configured state of feature flags).
   - Standard kubernetes primitives (e.g. namespace, accounts, roles, bindings, configmaps).

chart/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

chart/Chart.yaml

@@ -0,0 +1,21 @@
+apiVersion: v2
+name: ofo
+description: A feature flag operator for Kubernetes
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "v0.2.6" # x-release-please-version

chart/templates/_helpers.tpl

@@ -0,0 +1,57 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "chart.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "chart.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "chart.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{/*
+Common labels
+*/}}
+{{- define "chart.labels" -}}
+helm.sh/chart: {{ include "chart.chart" . }}
+{{ include "chart.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+{{/*
+Selector labels
+*/}}
+{{- define "chart.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "chart.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "chart.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "chart.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

chart/templates/deployment.yaml

@@ -0,0 +1,89 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "chart.fullname" . }}-controller-manager
+  labels:
+  {{- include "chart.labels" . | nindent 4 }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "chart.fullname" . }}-controller-manager
+  labels:
+    control-plane: controller-manager
+  {{- include "chart.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.controllerManager.replicas }}
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+    {{- include "chart.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        control-plane: controller-manager
+      {{- include "chart.selectorLabels" . | nindent 8 }}
+      annotations:
+        kubectl.kubernetes.io/default-container: manager
+    spec:
+      containers:
+      - args:
+        - --health-probe-bind-address=:8081
+        - --metrics-bind-address=127.0.0.1:8080
+        - --leader-elect
+        command:
+        - /manager
+        env:
+        - name: FLAGD_VERSION
+          value: INPUT_FLAGD_VERSION
+        image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag
+          | default .Chart.AppVersion }}
+        imagePullPolicy: Always
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8081
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        name: manager
+        ports:
+        - containerPort: 9443
+          name: webhook-server
+          protocol: TCP
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 8081
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        resources: {{- toYaml .Values.controllerManager.manager.resources | nindent 10
+          }}
+        securityContext:
+          allowPrivilegeEscalation: false
+        volumeMounts:
+        - mountPath: /tmp/k8s-webhook-server/serving-certs
+          name: cert
+          readOnly: true
+      - args:
+        - --secure-listen-address=0.0.0.0:8443
+        - --upstream=http://127.0.0.1:8080/
+        - --logtostderr=true
+        - --v=0
+        image: {{ .Values.controllerManager.kubeRbacProxy.image.repository }}:{{ .Values.controllerManager.kubeRbacProxy.image.tag
+          | default .Chart.AppVersion }}
+        name: kube-rbac-proxy
+        ports:
+        - containerPort: 8443
+          name: https
+          protocol: TCP
+        resources: {{- toYaml .Values.controllerManager.kubeRbacProxy.resources | nindent
+          10 }}
+      securityContext:
+        runAsNonRoot: true
+      serviceAccountName: {{ include "chart.fullname" . }}-controller-manager
+      terminationGracePeriodSeconds: 10
+      volumes:
+      - name: cert
+        secret:
+          defaultMode: 420
+          secretName: webhook-server-cert