charts: Add helm charts for Inspektor Gadget

[mqasimsarfraz]

This PR introduces helm charts for Inspektor Gadget. The idea is to have a single source of truth for deploy command as helm charts to avoid running into issues in future. The current approach will reuse the CRDs in both installation workflows. In case of manifest, helm will be source of truth and helm generated manifest is used as base (deploy.yaml) for deploy command. In terms of versioning, I want to start with 1:1 versioning between chart version and app version since it is simple and recommend in the start and app version will used for container image tag unless specified.

For publishing we will setup a index like here using helm repo index ... but pointing to charts in our release assets. I want this change to go in and then automate that step.

Related: #414

Testing done

$ make minikube-start
$ make -C charts APP_VERSION=latest install
NAME: gadget
LAST DEPLOYED: Fri Jun  2 17:31:35 2023
NAMESPACE: gadget
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Inspektor Gadget latest installed successfully!

For usage details, visit https://www.inspektor-gadget.io
$ kubectl get pods -n gadget
NAME           READY   STATUS    RESTARTS   AGE
gadget-nsrx2   1/1     Running   0          2m30s

You can verify the charts using:

$ make -C charts [build/package]
$ ls -la charts/bin/gadget
...
-rw-rw-r-- 1 qasim qasim  529 Jun  2 17:04 Chart.yaml
drwxrwxr-x 2 qasim qasim 4096 Jun  2 17:04 crds
-rw-rw-r-- 1 qasim qasim  358 Jun  2 17:04 .helmignore
-rw-r--r-- 1 root  root  2887 Jun  2 17:04 README.md
-rw-rw-r-- 1 qasim qasim 1549 Jun  2 17:04 README.md.gotmpl
drwxrwxr-x 2 qasim qasim 4096 Jun  2 17:04 templates
-rw-rw-r-- 1 qasim qasim 1173 Jun  2 17:04 values.yaml

Ensuring no regression in deploy.yaml

# deploy IG on minikube via 'main'
$ git checkout main
$ make kubectl-gadget
$ ./kubectl-gadget deploy
$ git checkout qasim/helm-charts
$ cat pkg/resources/manifests/*.yaml | kubectl diff -f -
...

Todo

• Add a test in CI that generated manifest has no changes.
• Add a step in release job to publish helm package.
• Add an action to publish charts index to charts repository (possibly inspektor-gadget/charts). [Post Merge]
• Verify helm charts are available on https://artifacthub.io with generated documentation [Post Merge]

[invidian]

I'm not very familiar with charts publishing process, so I did not review this part of the PR, but manifests etc looks good. Left some questions/suggestions.

[invidian]

jnorwood/helm-docs:v1.11.0 could also be in a variable in case an override is needed.

[mqasimsarfraz]

Done.

[invidian]

Maybe namespace could be a variable as well? Is it supported to deploy IG in other namespaces?

[mqasimsarfraz]

IG daemonset itself might be fine in different namespace but the client kubectl-gadget expects the pod to be in gadget namespace so perhaps we keep this way. @mauriciovasquezbernal do you have any thoughts on this?

[invidian]

If that's the case, perhaps all resources should have this namespace hardcoded then? As installing in other namespace will result in broken scenario.

[mqasimsarfraz]

all resources should have this namespace hardcoded then?

Good Point, I refactored the templates to use hardcored "gadget" namespace.

[invidian]

I think this manifest is not necessary. IIRC Helm will complain if target namespace does not exist and --create-namespace flag is not specified.

[mqasimsarfraz]

I removed it. This was a workaround for helm template not adding namespace in the generated manifest :( but makes sense to move this out of charts.

[invidian]

Maybe it would make sense to use helm upgrade --install + kubectl apply for CRDs (as helm upgrade does not update CRDs) to be able to iterate on chart when developing it? install is not idempotent.

[mqasimsarfraz]

Great. Thanks for a suggestion. The flow is much better now!

[mqasimsarfraz]

@invidian Thank you so much for the review!

[mqasimsarfraz]

Done.

[mqasimsarfraz]

Great. Thanks for a suggestion. The flow is much better now!

[mqasimsarfraz]

IG daemonset itself might be fine in different namespace but the client kubectl-gadget expects the pod to be in gadget namespace so perhaps we keep this way. @mauriciovasquezbernal do you have any thoughts on this?

[mqasimsarfraz]

I removed it. This was a workaround for helm template not adding namespace in the generated manifest :( but makes sense to move this out of charts.

[invidian]

Great idea for still using a template for the namespace in case this changes in the future!

[eiffel-fl]

I watched your presentation about it and it seems cool.
I nonetheless need to gain more knowledge about helm to test it and then give an approval.

[eiffel-fl]

Suggested change

	kubectl apply -f $(CHART_DIR)/crds
	kubectl apply -f $(CHART_DIR)/crds/*

?
Same for below.

[eiffel-fl]

Is it OK to change the order of the stuff there?
Wouldn't it be possible for the deploy to fail if B is defined before A while needing A?

[mqasimsarfraz]

In general, It might be problem like if namespace is moved in the end we will run into errors. But here we only swap ClusterRole and Role which aren't related so should be fine. Helm decide to order them like that as mentioned in this section.

[mauriciovasquezbernal]

Some comments. I'm a bit worried about the handling of the latest version.

I was on this branch, I did:

$ make -C charts/ install 
...
Inspektor Gadget 0.17.0 installed successfully 

That was surprising as I was expecting the current version to be installed. Is that the expected version to install the last release?

[mauriciovasquezbernal]

We already have a script to get the tag: tools/image-tag. It has some additional logic to take the name of the branch into consideration. Should we use it here too?

Btw, if I'm on main and I run make template it'll use the latest version instead of latest as tag. Is that the desired behaviour?

[mqasimsarfraz]

Thanks for the feedback. I wasn't too sure about it. I was trying to have 1:1 versioning between chart version and appVersion and that is making it confusing. Chart Version is suppose to be semver and hence tools/image-tag won't work for it so I used on my own way of handling it. But I agree we should use tools/image-tag for appVersion this should make the behavior exactly like deploy command.

[mauriciovasquezbernal]

How do other folks handle the chart version of the "latest" app? Or they aren't charts available for "latest" apps?

[mqasimsarfraz]

Most of the charts are living outside so they perhaps don't care about latest. Having said that, one can have dev versions (1.0.0-dev) for both chart/app and use --set image.tag=$IMAGE_TAG (e.g cilium) installation and worry about versioning only for releases. What we did now should work fine but in case it gets confusing we can rework it in future?

[mauriciovasquezbernal]

Shouldn't it be done the other way around? This is how we do this in the deploy command

inspektor-gadget/cmd/kubectl-gadget/undeploy.go

Line 136 in a627182

// 2. remove crd

Also, what happens to the traces CR?: they need the operator to be running to be able to remove it, otherwise the finalizer will never let them be removed. In the undeploy command we have some logic to handle this

inspektor-gadget/cmd/kubectl-gadget/undeploy.go

Line 88 in a627182

// 1. remove traces

I agree we can just simply say it's the user's responsibility to delete them before if this is difficult to handle.

[mauriciovasquezbernal]

:( this is too bad as users will have to handle additional commands manually.

According to helm/helm#8668 (comment):

If you're chart doesn't install custom resources just the CRDs... you can put the CRDs right into the templates directory.

That seems to be our case. Perhaps we can investigate more to see if we can improve this. Anyway, I'll agree this an improvement and not a blocker for this PR.

[mauriciovasquezbernal]

I think it's ready to go! Thanks for handling this!

[mauriciovasquezbernal]

Would it make sense to use something like 0.9999.0 to avoid any kind of confusion between app and chart version? (Don't hesitate to say not if it doesn't make sense at all)

[mqasimsarfraz]

Done.

[mqasimsarfraz]

Thanks for all the reviews! :)