Move to a helm-based configuration

This does not remove the kustomize config, but instead puts a helm chart
into the repo, that should give very close (but not identical) results.

* Adds a new chart: helm/olmv1/
  - standard
  - experimental
  - openshift
  - cert-manager
  - e2e
  - tilt
* Adds "values" files in helm/
* Adds helm executable to .bingo/
* Updates documents int docs/drafts/
* Update tests in tests/
* Update `make manifests` to use helm chart
  - Update the checked-in manifests
  - Use a tool like `dyff` to properly diff the manifests
* Pull RBAC and WebHook config out of the goland code
  - controller-tools is not longer used to generate RBAC/Wehbooks
  - These resources are not part of the helm chart
  - The CRDs are still generated via kubebuilder

Significant changes to the resulting manifests are listed in the RFC.

Signed-off-by: Todd Short <[email protected]>

Author: tmshort

.bingo/Variables.mk

@@ -53,6 +53,12 @@ $(GORELEASER): $(BINGO_DIR)/goreleaser.mod
 	@echo "(re)installing $(GOBIN)/goreleaser-v1.26.2"
 	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=goreleaser.mod -o=$(GOBIN)/goreleaser-v1.26.2 "github.com/goreleaser/goreleaser"
 
+HELM := $(GOBIN)/helm-v3.18.4
+$(HELM): $(BINGO_DIR)/helm.mod
+	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
+	@echo "(re)installing $(GOBIN)/helm-v3.18.4"
+	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=helm.mod -o=$(GOBIN)/helm-v3.18.4 "helm.sh/helm/v3/cmd/helm"
+
 KIND := $(GOBIN)/kind-v0.29.0
 $(KIND): $(BINGO_DIR)/kind.mod
 	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.

.bingo/helm.mod

@@ -0,0 +1,5 @@
+module _ // Auto generated by https://github.com/bwplotka/bingo. DO NOT EDIT
+
+go 1.24.3
+
+require helm.sh/helm/v3 v3.18.4 // cmd/helm

.bingo/helm.sum

@@ -20,6 +20,8 @@ GOLANGCI_LINT="${GOBIN}/golangci-lint-v2.1.6"
 
 GORELEASER="${GOBIN}/goreleaser-v1.26.2"
 
+HELM="${GOBIN}/helm-v3.18.4"
+
 KIND="${GOBIN}/kind-v0.29.0"
 
 KUSTOMIZE="${GOBIN}/kustomize-v5.6.0"

.bingo/variables.env

@@ -150,4 +150,4 @@ def deploy_repo(data, tags="", debug=True):
         local_port = repo['starting_debug_port']
         build_binary(reponame, repo['binary'], repo['deps'], repo['image'], tags, debug)
         k8s_resource(repo['deployment'], port_forwards=['{}:30000'.format(local_port)])
-    process_yaml(kustomize(data['yaml']))
+    process_yaml(helm('helm/olmv1', name="olmv1", values=[data['yaml']]))

.tilt-support

@@ -140,30 +140,21 @@ tidy:
 	go mod tidy
 
 .PHONY: manifests
-KUSTOMIZE_CATD_RBAC_DIR := config/base/catalogd/rbac
-KUSTOMIZE_CATD_WEBHOOKS_DIR := config/base/catalogd/webhook
-KUSTOMIZE_OPCON_RBAC_DIR := config/base/operator-controller/rbac
+KUSTOMIZE_CATD_RBAC_DIR := helm/olmv1/base/catalogd/rbac
+KUSTOMIZE_CATD_WEBHOOKS_DIR := helm/olmv1/base/catalogd/webhook
+KUSTOMIZE_OPCON_RBAC_DIR := helm/olmv1/base/operator-controller/rbac
 # Due to https://github.com/kubernetes-sigs/controller-tools/issues/837 we can't specify individual files
 # So we have to generate them together and then move them into place
-manifests: $(CONTROLLER_GEN) $(KUSTOMIZE) #EXHELP Generate WebhookConfiguration, ClusterRole, and CustomResourceDefinition objects.
+manifests: $(CONTROLLER_GEN) $(HELM) #EXHELP Generate WebhookConfiguration, ClusterRole, and CustomResourceDefinition objects.
 	# Generate CRDs via our own generator
 	hack/tools/update-crds.sh
-	# Generate the remaining operator-controller standard manifests
-	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS),standard rbac:roleName=manager-role paths="./internal/operator-controller/..." output:rbac:artifacts:config=$(KUSTOMIZE_OPCON_RBAC_DIR)/standard
-	# Generate the remaining operator-controller experimental manifests
-	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=manager-role paths="./internal/operator-controller/..." output:rbac:artifacts:config=$(KUSTOMIZE_OPCON_RBAC_DIR)/experimental
-	# Generate the remaining catalogd standard manifests
-	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS),standard rbac:roleName=manager-role paths="./internal/catalogd/..." output:rbac:artifacts:config=$(KUSTOMIZE_CATD_RBAC_DIR)/standard
-	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS),standard webhook paths="./internal/catalogd/..." output:webhook:artifacts:config=$(KUSTOMIZE_CATD_WEBHOOKS_DIR)/standard
-	# Generate the remaining catalogd experimental manifests
-	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=manager-role paths="./internal/catalogd/..." output:rbac:artifacts:config=$(KUSTOMIZE_CATD_RBAC_DIR)/experimental
-	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) webhook paths="./internal/catalogd/..." output:webhook:artifacts:config=$(KUSTOMIZE_CATD_WEBHOOKS_DIR)/experimental
 	# Generate manifests stored in source-control
 	mkdir -p $(MANIFEST_HOME)
-	$(KUSTOMIZE) build $(KUSTOMIZE_STANDARD_OVERLAY) > $(STANDARD_MANIFEST)
-	$(KUSTOMIZE) build $(KUSTOMIZE_STANDARD_E2E_OVERLAY) > $(STANDARD_E2E_MANIFEST)
-	$(KUSTOMIZE) build $(KUSTOMIZE_EXPERIMENTAL_OVERLAY) > $(EXPERIMENTAL_MANIFEST)
-	$(KUSTOMIZE) build $(KUSTOMIZE_EXPERIMENTAL_E2E_OVERLAY) > $(EXPERIMENTAL_E2E_MANIFEST)
+	$(HELM) template olmv1 helm/olmv1 --values helm/cert-manager.yaml > $(STANDARD_MANIFEST)
+	$(HELM) template olmv1 helm/olmv1 --values helm/cert-manager.yaml --values helm/e2e.yaml > $(STANDARD_E2E_MANIFEST)
+	$(HELM) template olmv1 helm/olmv1 --values helm/cert-manager.yaml --values helm/experimental.yaml > $(EXPERIMENTAL_MANIFEST)
+	$(HELM) template olmv1 helm/olmv1 --values helm/cert-manager.yaml --values helm/experimental.yaml --values helm/e2e.yaml > $(EXPERIMENTAL_E2E_MANIFEST)
+	$(HELM) template olmv1 helm/olmv1 --values helm/tilt.yaml > /dev/null
 
 .PHONY: generate
 generate: $(CONTROLLER_GEN) #EXHELP Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
@@ -285,7 +276,7 @@ test-experimental-e2e: run-internal image-registry prometheus experimental-e2e e
 .PHONY: prometheus
 prometheus: PROMETHEUS_NAMESPACE := olmv1-system
 prometheus: PROMETHEUS_VERSION := v0.83.0
-prometheus: #EXHELP Deploy Prometheus into specified namespace
+prometheus: $(KUSTOMIZE) #EXHELP Deploy Prometheus into specified namespace
 	./hack/test/install-prometheus.sh $(PROMETHEUS_NAMESPACE) $(PROMETHEUS_VERSION) $(KUSTOMIZE) $(VERSION)
 
 .PHONY: test-extension-developer-e2e

Makefile

@@ -17,7 +17,7 @@ olmv1 = {
             'starting_debug_port': 30000,
         },
     },
-    'yaml': 'config/overlays/tilt-local-dev',
+    'yaml': 'helm/tilt.yaml',
 }
 
 deploy_repo(olmv1, '-tags containers_image_openpgp')

Tiltfile

@@ -19,8 +19,8 @@ NetworkPolicy is implemented for both catalogd and operator-controller component
 
 Each component has a dedicated NetworkPolicy that applies to its respective pod through label selectors:
 
-* For catalogd: `control-plane=catalogd-controller-manager`
-* For operator-controller: `control-plane=operator-controller-controller-manager`
+* For catalogd: `app.kubernetes.io/name=catalogd`
+* For operator-controller: `app.kubernetes.io/name=operator-controller`
 
 ### Catalogd NetworkPolicy
 
@@ -78,10 +78,10 @@ If you encounter network connectivity issues after deploying OLMv1, consider the
 
 ```bash
 # Verify catalogd pod labels
-kubectl get pods -n olmv1-system --selector=control-plane=catalogd-controller-manager
+kubectl get pods -n olmv1-system --selector=apps.kubernetes.io/name=catalogd
 
 # Verify operator-controller pod labels
-kubectl get pods -n olmv1-system --selector=control-plane=operator-controller-controller-manager
+kubectl get pods -n olmv1-system --selector=apps.kubernetes.io/name=operator-controller
 
 # Compare with actual pod names
 kubectl get pods -n olmv1-system | grep -E 'catalogd|operator-controller'

docs/draft/api-reference/network-policies.md

@@ -226,7 +226,7 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
   labels:
-    control-plane: operator-controller-controller-manager
+    apps.kubernetes.io/name: operator-controller
   name: controller-manager-metrics-monitor
   namespace: olmv1-system
 spec:
@@ -251,7 +251,7 @@ spec:
           key: tls.key
   selector:
     matchLabels:
-      control-plane: operator-controller-controller-manager
+      apps.kubernetes.io/name: operator-controller
 EOF
 ```
 
@@ -268,7 +268,7 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
   labels:
-    control-plane: catalogd-controller-manager
+    apps.kubernetes.io/name: catalogd
   name: catalogd-metrics-monitor
   namespace: olmv1-system
 spec:
@@ -298,4 +298,4 @@ EOF
 ```
 
 [prometheus-operator]: https://github.com/prometheus-operator/kube-prometheus
-[rbac-k8s-docs]: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+[rbac-k8s-docs]: https://kubernetes.io/docs/reference/access-authn-authz/rbac/

docs/draft/howto/consuming-metrics.md

@@ -24,7 +24,7 @@ To enable the Helm Chart support feature gate, you need to patch the `operator-c
 2.  **Wait for the controller manager pods to be ready:**
 
     ```bash
-    $ kubectl -n olmv1-system wait --for condition=ready pods -l control-plane=operator-controller-controller-manager
+    $ kubectl -n olmv1-system wait --for condition=ready pods -l apps.kubernetes.io/name=operator-controller
     ```
 
 Once the above wait condition is met, the `HelmChartSupport` feature gate should be enabled in operator controller.