Add helm charts for kubelb (#80)

* Generate CRD for helm chart Signed-off-by: Waleed Malik <[email protected]> * Update kustomize configs Signed-off-by: Waleed Malik <[email protected]> * Add helm chart for kubelb-manager Signed-off-by: Waleed Malik <[email protected]> * Ignore chart.lock Signed-off-by: Waleed Malik <[email protected]> * Add helm chart for kubelb CCM Signed-off-by: Waleed Malik <[email protected]> * Add documentation for helm charts Signed-off-by: Waleed Malik <[email protected]> * Add CI job to publish helm charts Signed-off-by: Waleed Malik <[email protected]> * Remove CI job to publish helm charts Signed-off-by: Waleed Malik <[email protected]> * Update helm charts Signed-off-by: Waleed Malik <[email protected]> * Simplify installation process Signed-off-by: Waleed Malik <[email protected]> * Finalize helm charts Signed-off-by: Waleed Malik <[email protected]> * Ignore charts in linting Signed-off-by: Waleed Malik <[email protected]> * Fix chart bumping Signed-off-by: Waleed Malik <[email protected]> * Exclude charts from boilerplate verification Signed-off-by: Waleed Malik <[email protected]> * Fix indentation Signed-off-by: Waleed Malik <[email protected]> * Automate helm docs generation Signed-off-by: Waleed Malik <[email protected]> * Fix indentation for kubelb-manager chart Signed-off-by: Waleed Malik <[email protected]> * Minor fixes Signed-off-by: Waleed Malik <[email protected]> * Handle feedback Signed-off-by: Waleed Malik <[email protected]> --------- Signed-off-by: Waleed Malik <[email protected]>
kubermatic · Oct 9, 2023 · 97a36de · 97a36de
1 parent d97a67f
commit 97a36de
Show file tree

Hide file tree

Showing 42 changed files with 1,751 additions and 11 deletions.
diff --git a/.gitignore b/.gitignore
@@ -7,4 +7,6 @@ _build
 .local
 .DS_Store
 /bin
-cover.out
+cover.out
+charts/*/Chart.lock
+kubelb-*.tgz
diff --git a/.yamllint.conf b/.yamllint.conf
@@ -10,4 +10,5 @@ ignore: |
     config
     dev
     vendor
-    .golangci.yml
+    .golangci.yml
+    charts/*
diff --git a/Makefile b/Makefile
@@ -27,6 +27,12 @@ else
 GOBIN=$(shell go env GOBIN)
 endif
 
+# SED is used to allow the Makefile to be used on both Linux and macOS.
+SED ?= sed
+ifeq ($(shell uname), Darwin)
+	SED = gsed
+endif
+
 # Setting SHELL to bash allows bash commands to be executed by recipes.
 # Options are set to exit when a recipe line exits non-zero or a piped command fails.
 SHELL = /usr/bin/env bash -o pipefail
@@ -59,6 +65,7 @@ manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and Cust
 	$(CONTROLLER_GEN) crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
 	$(CONTROLLER_GEN) rbac:roleName=kubelb-ccm paths="./pkg/controllers/ccm/..." output:artifacts:config=config/ccm/rbac
 	$(CONTROLLER_GEN) rbac:roleName=kubelb paths="./pkg/controllers/kubelb/..." output:artifacts:config=config/kubelb/rbac
+	$(CONTROLLER_GEN) crd webhook paths="./..." output:crd:artifacts:config=charts/kubelb-manager/crds
 
 .PHONY: generate
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
@@ -198,3 +205,23 @@ $(CONTROLLER_GEN): $(LOCALBIN)
 envtest: $(ENVTEST) ## Download envtest-setup locally if necessary.
 $(ENVTEST): $(LOCALBIN)
 	test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
+
+HELM_DOCS ?= $(LOCALBIN)/helm-docs
+
+.PHONY: helm-docs
+helm-docs: $(HELM_DOCS) ## Download helm-docs locally if necessary.
+$(HELM_DOCS): $(LOCALBIN)
+	test -s $(LOCALBIN)/helm-docs || GOBIN=$(LOCALBIN) go install github.com/norwoodj/helm-docs/cmd/[email protected]
+
+generate-helm-docs: helm-docs
+	$(LOCALBIN)/helm-docs charts/
+
+.PHONY: bump-chart
+bump-chart:
+	$(SED) -i "s/^version:.*/version: $(IMAGE_TAG)/" charts/*/Chart.yaml
+	$(SED) -i "s/^appVersion:.*/appVersion: $(IMAGE_TAG)/" charts/*/Chart.yaml
+	$(SED) -i "s/tag:.*/tag: $(IMAGE_TAG)/" charts/*/values.yaml
+
+.PHONY: release-charts helm-docs generate-helm-docs
+release-charts: bump-chart
+	CHART_VERSION=$(IMAGE_TAG) ./hack/release-helm-charts.sh
diff --git a/charts/kubelb-ccm/.helmignore b/charts/kubelb-ccm/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/kubelb-ccm/Chart.yaml b/charts/kubelb-ccm/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+name: kubelb-ccm
+description: Helm chart for KubeLB CCM
+type: application
+maintainers:
+  - name: Kubermatic
+    email: [email protected]
+
+# Helm chart Version.
+version: v1.0.0-beta.0
+# Application version to be deployed.
+appVersion: v1.0.0-beta.0
diff --git a/charts/kubelb-ccm/README.md b/charts/kubelb-ccm/README.md
@@ -0,0 +1,83 @@
+# kubelb-ccm
+
+Helm chart for KubeLB CCM. This is used to deploy the KubeLB CCM to a Kubernetes cluster. The CCM is responsible for propagating the load balancer configurations to the management cluster.
+
+![Version: v1.0.0-beta.0](https://img.shields.io/badge/Version-v1.0.0--beta.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.0.0-beta.0](https://img.shields.io/badge/AppVersion-v1.0.0--beta.0-informational?style=flat-square)
+
+## Installing the chart
+
+### Pre-requisites
+
+* Create a namespace `kubelb` for the CCM to be deployed in.
+* Create imagePullSecrets for the chart to pull the image from the registry.
+* The agent expects a `Secret` with a kubeconf file named `kubelb` to access the load balancer cluster. To create such run: `kubectl --namespace kubelb create secret generic kubelb-cluster --from-file=<path to kubelb kubeconf file>`. The name of secret cant be overriden using `.Values.kubelb.clusterSecretName`
+* Update the `tenantName` in the values.yaml to a unique identifier for the tenant. This is used to identify the tenant in the manager cluster. This can be any unique string that follows [lower case RFC 1123](https://www.rfc-editor.org/rfc/rfc1123).
+
+At this point a minimal values.yaml should look like this:
+
+```yaml
+imagePullSecrets:
+  - name: <imagePullSecretName>
+kubelb:
+    clusterSecretName: kubelb-cluster
+    tenantName: <unique-identifier-for-tenant>
+```
+
+### Install helm chart
+
+Now, we can install the helm chart:
+
+```sh
+helm registry login quay.io --username ${REGISTRY_USER} --password ${REGISTRY_PASSWORD}
+helm pull oci://quay.io/kubermatic/helm-charts/kubelb-ccm --version=v1.0.0-beta.0 --untardir "kubelb-ccm" --untar
+## Create and update values.yaml with the required values.
+helm install kubelb-ccm kubelb-ccm --namespace kubelb -f values.yaml
+```
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` |  |
+| autoscaling.enabled | bool | `false` |  |
+| autoscaling.maxReplicas | int | `10` |  |
+| autoscaling.minReplicas | int | `1` |  |
+| autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
+| autoscaling.targetMemoryUtilizationPercentage | int | `80` |  |
+| extraVolumeMounts | list | `[]` |  |
+| extraVolumes | list | `[]` |  |
+| fullnameOverride | string | `""` |  |
+| image.pullPolicy | string | `"IfNotPresent"` |  |
+| image.repository | string | `"quay.io/kubermatic/kubelb-manager-ee"` |  |
+| image.tag | string | `"v1.0.0-beta.0"` |  |
+| imagePullSecrets | list | `[]` |  |
+| kubelb.clusterSecretName | string | `"kubelb-cluster"` |  |
+| kubelb.enableLeaderElection | bool | `true` |  |
+| kubelb.nodeAddressType | string | `"InternalIP"` |  |
+| kubelb.tenantName | string | `nil` |  |
+| nameOverride | string | `""` |  |
+| nodeSelector | object | `{}` |  |
+| podAnnotations | object | `{}` |  |
+| podLabels | object | `{}` |  |
+| podSecurityContext.runAsNonRoot | bool | `true` |  |
+| podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
+| rbac.allowLeaderElectionRole | bool | `true` |  |
+| rbac.allowMetricsReaderRole | bool | `true` |  |
+| rbac.allowProxyRole | bool | `true` |  |
+| rbac.enabled | bool | `true` |  |
+| replicaCount | int | `1` |  |
+| resources.limits.cpu | string | `"100m"` |  |
+| resources.limits.memory | string | `"128Mi"` |  |
+| resources.requests.cpu | string | `"100m"` |  |
+| resources.requests.memory | string | `"128Mi"` |  |
+| securityContext.allowPrivilegeEscalation | bool | `false` |  |
+| securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| securityContext.runAsUser | int | `65532` |  |
+| service.port | int | `8443` |  |
+| service.protocol | string | `"TCP"` |  |
+| service.type | string | `"ClusterIP"` |  |
+| serviceAccount.annotations | object | `{}` |  |
+| serviceAccount.create | bool | `true` |  |
+| serviceAccount.name | string | `""` |  |
+| serviceMonitor.enabled | bool | `false` |  |
+| tolerations | list | `[]` |  |
diff --git a/charts/kubelb-ccm/README.md.gotmpl b/charts/kubelb-ccm/README.md.gotmpl
@@ -0,0 +1,39 @@
+# kubelb-ccm
+
+Helm chart for KubeLB CCM. This is used to deploy the KubeLB CCM to a Kubernetes cluster. The CCM is responsible for propagating the load balancer configurations to the management cluster.
+
+{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
+
+## Installing the chart
+
+### Pre-requisites
+
+* Create a namespace `kubelb` for the CCM to be deployed in.
+* Create imagePullSecrets for the chart to pull the image from the registry.
+* The agent expects a `Secret` with a kubeconf file named `kubelb` to access the load balancer cluster. To create such run: `kubectl --namespace kubelb create secret generic kubelb-cluster --from-file=<path to kubelb kubeconf file>`. The name of secret cant be overriden using `.Values.kubelb.clusterSecretName`
+* Update the `tenantName` in the values.yaml to a unique identifier for the tenant. This is used to identify the tenant in the manager cluster. This can be any unique string that follows [lower case RFC 1123](https://www.rfc-editor.org/rfc/rfc1123).
+
+At this point a minimal values.yaml should look like this:
+
+```yaml
+imagePullSecrets:
+  - name: <imagePullSecretName>
+kubelb:
+    clusterSecretName: kubelb-cluster
+    tenantName: <unique-identifier-for-tenant>
+```
+
+### Install helm chart
+
+Now, we can install the helm chart:
+
+```sh
+helm registry login quay.io --username ${REGISTRY_USER} --password ${REGISTRY_PASSWORD}
+helm pull oci://quay.io/kubermatic/helm-charts/kubelb-ccm --version=v1.0.0-beta.0 --untardir "kubelb-ccm" --untar
+## Create and update values.yaml with the required values.
+helm install kubelb-ccm kubelb-ccm --namespace kubelb -f values.yaml
+```
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "chart.valuesSection" . }}
diff --git a/charts/kubelb-ccm/templates/_helpers.tpl b/charts/kubelb-ccm/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "kubelb-ccm.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "kubelb-ccm.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "kubelb-ccm.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "kubelb-ccm.labels" -}}
+helm.sh/chart: {{ include "kubelb-ccm.chart" . }}
+{{ include "kubelb-ccm.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "kubelb-ccm.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "kubelb-ccm.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "kubelb-ccm.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "kubelb-ccm.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/charts/kubelb-ccm/templates/clusterrole.yaml b/charts/kubelb-ccm/templates/clusterrole.yaml
@@ -0,0 +1,67 @@
+
+{{- if .Values.rbac.enabled -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "kubelb-ccm.fullname" . }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services/status
+  verbs:
+  - get
+  - patch
+  - update
+---
+{{- if .Values.rbac.allowProxyRole }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "kubelb-ccm.fullname" . }}-proxy
+rules:
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
+{{- end }}
+---
+{{- if .Values.rbac.allowMetricsReaderRole }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "kubelb-ccm.fullname" . }}-metrics-reader
+rules:
+- nonResourceURLs:
+  - /metrics
+  verbs:
+  - get
+{{- end }}
+{{- end }}