feat: create an helm overlay (#697)

.github/actions/deploy-klt-on-cluster/action.yml

@@ -57,7 +57,8 @@ runs:
       run: |
         sed -i 's/imagePullPolicy: Always/imagePullPolicy: Never/g' ~/download/artifacts/keptn-lifecycle-operator-manifest-test/release.yaml
         sed -i 's/ghcr.keptn.sh\/keptn\/functions-runtime:.*/localhost:5000\/keptn\/functions-runtime:${{ inputs.functions_runtime_tag }}/g' ~/download/artifacts/keptn-lifecycle-operator-manifest-test/release.yaml
-        kubectl apply -f ~/download/artifacts/keptn-cert-manager-manifest-test
+        kubectl create namespace keptn-lifecycle-toolkit-system
+        kubectl apply -f ~/download/artifacts/klt-cert-manager-manifest-test
         kubectl rollout status deployment klt-cert-manager -n keptn-lifecycle-toolkit-system -w
         kubectl apply -f ~/download/artifacts/keptn-lifecycle-operator-manifest-test
         kubectl apply -f ~/download/artifacts/scheduler-manifest-test

.github/workflows/CI.yaml

@@ -68,7 +68,7 @@ jobs:
             folder: "operator/"
           - name: "scheduler"
             folder: "scheduler/"
-          - name: "keptn-cert-manager"
+          - name: "klt-cert-manager"
             folder: "klt-cert-manager/"
     steps:
       - name: Check out code
@@ -109,7 +109,7 @@ jobs:
             folder: "scheduler/"
           - name: "functions-runtime"
             folder: "functions-runtime/"
-          - name: "keptn-cert-manager"
+          - name: "klt-cert-manager"
             folder: "klt-cert-manager/"
     steps:
       - name: Check out code
@@ -215,7 +215,7 @@ jobs:
             folder: "scheduler/"
           - name: "functions-runtime"
             folder: "functions-runtime/"
-          - name: "keptn-cert-manager"
+          - name: "klt-cert-manager"
             folder: "klt-cert-manager/"
     permissions:
       packages: write # Needed for pushing images to the registry
@@ -261,7 +261,7 @@ jobs:
           cache-to: type=gha,scope=${{ github.ref_name }}-${{ matrix.config.name }}
 
       - name: Install controller-gen
-        if: matrix.config.name == 'keptn-lifecycle-operator' || matrix.config.name == 'keptn-cert-manager'
+        if: matrix.config.name == 'keptn-lifecycle-operator' || matrix.config.name == 'klt-cert-manager'
         working-directory: ./${{ matrix.config.folder }}
         run: make controller-gen
 

.gitignore

@@ -1,3 +1,5 @@
+bin/
+
 # Binaries for programs and plugins
 *.exe
 *.exe~
@@ -24,7 +26,7 @@ kubeconfig
 manifests/
 /scheduler/config/rendered/release.yaml
 /operator/config/rendered/release.yaml
-
+/klt-cert-manager/config/rendered/release.yaml
 # macOS
 .DS_Store
 

Makefile

@@ -2,13 +2,28 @@
 
 # renovate: datasource=github-releases depName=cert-manager/cert-manager
 CERT_MANAGER_VERSION ?= v1.11.0
-TAG ?= "$(shell date +%Y%m%d%s)"
-TAG := $(TAG)
+# renovate: datasource=github-tags depName=kubernetes-sigs/kustomize
+KUSTOMIZE_VERSION?=v4.5.7
+# renovate: datasource=github-tags depName=helm/helm
+HELM_VERSION ?= v3.10.2
+CHART_VERSION = v0.5.0 # x-release-please-version
+
 
 # RELEASE_REGISTRY is the container registry to push
 # into.
 RELEASE_REGISTRY?=ghcr.io/keptn
 ARCH?=amd64
+TAG ?= "$(shell date +%Y%m%d%s)"
+TAG := $(TAG)
+
+## Location to install dependencies to
+LOCALBIN ?= $(shell pwd)/bin
+$(LOCALBIN):
+	mkdir -p $(LOCALBIN)
+
+## Tool Binaries
+KUSTOMIZE ?= $(LOCALBIN)/kustomize
+
 
 .PHONY: integration-test #these tests should run on a real cluster!
 integration-test:
@@ -22,6 +37,30 @@ integration-test-local:
 cleanup-manifests:
 	rm -rf manifests
 
+KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"
+.PHONY: kustomize
+kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary.
+$(KUSTOMIZE): $(LOCALBIN)
+	test -s $(LOCALBIN)/kustomize || { curl -s $(KUSTOMIZE_INSTALL_SCRIPT) | bash -s -- $(subst v,,$(KUSTOMIZE_VERSION)) $(LOCALBIN); }
+
+.PHONY: release-helm-manifests
+release-helm-manifests: kustomize
+	echo "building helm overlay"
+	$(KUSTOMIZE) build ./helm/overlay > ./helm/chart/templates/rendered.yaml
+
+.PHONY: helm-package
+helm-package: build-release-manifests release-helm-manifests
+	cd ./helm && helm package ./chart
+	cd ./helm && mv keptn-lifecycle-toolkit-*.tgz ./chart/charts
+
+.PHONY: build-release-manifests
+build-release-manifests:
+	$(MAKE) -C operator generate
+	$(MAKE) -C klt-cert-manager generate
+	$(MAKE) -C operator release-helm-manifests RELEASE_REGISTRY=$(RELEASE_REGISTRY) TAG=$(TAG) ARCH=$(ARCH)
+	$(MAKE) -C scheduler release-manifests RELEASE_REGISTRY=$(RELEASE_REGISTRY) TAG=$(TAG) ARCH=$(ARCH)
+	$(MAKE) -C klt-cert-manager release-manifests RELEASE_REGISTRY=$(RELEASE_REGISTRY) TAG=$(TAG) ARCH=$(ARCH)
+
 .PHONY: build-deploy-operator
 build-deploy-operator:
 	$(MAKE) -C operator release-local.$(ARCH) RELEASE_REGISTRY=$(RELEASE_REGISTRY) TAG=$(TAG)
@@ -46,7 +85,5 @@ build-deploy-certmanager:
 	kubectl create namespace keptn-lifecycle-toolkit-system --dry-run=client -o yaml | kubectl apply -f -
 	kubectl apply -f klt-cert-manager/config/rendered/release.yaml
 
-
-
 .PHONY: build-deploy-dev-environment
 build-deploy-dev-environment: build-deploy-certmanager build-deploy-operator build-deploy-scheduler

helm/.gitignore

@@ -0,0 +1,3 @@
+*.tgz
+chart/templates/rendered.yaml
+chart/crds/*.yaml

helm/chart/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

helm/chart/Chart.yaml

@@ -0,0 +1,13 @@
+apiVersion: v2
+name: keptn-lifecycle-toolkit
+description: A Helm chart for Keptn Lifecycle Toolkit, a set of tools to enable cloud-native application lifecycle management
+
+type: application
+
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.5.0" # x-release-please-version

helm/chart/values.yaml

@@ -0,0 +1,4 @@
+## @section OpenTelemetry
+otelCollector:
+  ## @param otelCollector.url Sets the URL for the open telemetry collector
+  url: "otel-collector:4317"

helm/overlay/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+# import the default deployment as the base
+bases:
+  - ../../operator/config/default/base
+  - ../../klt-cert-manager/config/default
+  - ../../scheduler/manifests/install
+# replace the default namespace with {{ include "chart.namespace" . }}
+# .Release.Namespace has not been used so that a custom _helpers.tpl file can maintain the expected behaviour of
+# helm install -n
+namespace: "{{ .Release.Namespace }}"
+patchesStrategicMerge:
+  - patches/patch_deployment.yaml

helm/overlay/patches/patch_deployment.yaml

@@ -0,0 +1,46 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+        - name: manager
+          env:
+            - name: OTEL_COLLECTOR_URL
+              value: "{{ .Values.otelCollector.url }}"
+
+
+#---
+#apiVersion: apps/v1 #example patch for certmanager
+#kind: Deployment
+#metadata:
+#  name: cert-manager
+#  namespace: system
+#spec:
+#  template:
+#    spec:
+#      containers:
+#        - name: manager
+#          env:
+#            - name: NEW_ENV_VAR
+#              value: "{{ .Values.myNewEnvVar }}"
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: keptn-scheduler
+  namespace: keptn-lifecycle-toolkit-system
+spec:
+  template:
+    spec:
+      containers:
+        - name: keptn-scheduler
+          env:
+            - name: OTEL_COLLECTOR_URL
+              value: "{{ .Values.otelCollector.url }}"
+

klt-cert-manager/Makefile

@@ -1,13 +1,13 @@
 
 # Image URL to use all building/pushing image targets
-IMG ?= klc-certmanager:latest
+IMG ?= klt-cert-manager:latest
 # RELEASE_REGISTRY is the container registry to push into.
 RELEASE_REGISTRY?=ghcr.io/keptn
 RELEASE_TIME=$(shell date +%Y%m%d%s)
 BUILD_TIME=$(shell date -u "+%F_%T")
 RELEASE_VERSION?=$(RELEASE_TIME)-v0.24.3#$(shell git describe --tags --match "v*")
 TAG?=latest
-RELEASE_IMAGE:=keptn-cert-manager:$(TAG)
+RELEASE_IMAGE:=klt-cert-manager:$(TAG)
 
 ARCHS = amd64 arm64
 COMMONENVVAR=GOOS=$(shell uname -s | tr A-Z a-z)

klt-cert-manager/config/manager/manager.yaml

@@ -1,16 +1,4 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    control-plane: klt-cert-manager
-    app.kubernetes.io/name: namespace
-    app.kubernetes.io/instance: system
-    app.kubernetes.io/component: manager
-    app.kubernetes.io/created-by: klt-cert-manager
-    app.kubernetes.io/part-of: klt-cert-manager
-    app.kubernetes.io/managed-by: kustomize
-  name: system
----
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -47,6 +35,11 @@ spec:
         - --leader-elect
         image: controller:latest
         name: manager
+        env:
+          - name: NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
         securityContext:
           allowPrivilegeEscalation: false
           capabilities:

klt-cert-manager/controllers/keptnwebhookcontroller/certificate_secret_test.go

@@ -26,7 +26,7 @@ func TestSetSecretFromReader(t *testing.T) {
 	t.Run(`fill with empty secret if secret does not exist`, func(t *testing.T) {
 		fakeclient := fake.NewClient()
 		certSecret := newCertificateSecret(fakeclient)
-		err := certSecret.setSecretFromReader(context.TODO(), namespace, testr.New(t))
+		err := certSecret.setSecretFromReader(context.TODO(), testnamespace, testr.New(t))
 
 		assert.NoError(t, err)
 		assert.False(t, certSecret.existsInCluster)
@@ -37,7 +37,7 @@ func TestSetSecretFromReader(t *testing.T) {
 		fakeclient := fake.NewClient(
 			createTestSecret(t, createInvalidTestCertData(t)))
 		certSecret := newCertificateSecret(fakeclient)
-		err := certSecret.setSecretFromReader(context.TODO(), namespace, testr.New(t))
+		err := certSecret.setSecretFromReader(context.TODO(), testnamespace, testr.New(t))
 
 		assert.NoError(t, err)
 		assert.True(t, certSecret.existsInCluster)
@@ -135,7 +135,7 @@ func TestCreateOrUpdateIfNecessary(t *testing.T) {
 		certSecret.secret = &corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      buildSecretName(),
-				Namespace: namespace,
+				Namespace: testnamespace,
 			},
 		}
 		certSecret.certificates = &Certs{
@@ -147,7 +147,7 @@ func TestCreateOrUpdateIfNecessary(t *testing.T) {
 		assert.NoError(t, err)
 
 		newSecret := corev1.Secret{}
-		err = fakeClient.Get(context.TODO(), client.ObjectKey{Name: buildSecretName(), Namespace: namespace}, &newSecret)
+		err = fakeClient.Get(context.TODO(), client.ObjectKey{Name: buildSecretName(), Namespace: testnamespace}, &newSecret)
 
 		assert.NoError(t, err)
 		assert.NotNil(t, newSecret)
@@ -159,7 +159,7 @@ func TestCreateOrUpdateIfNecessary(t *testing.T) {
 		certSecret.secret = &corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      buildSecretName(),
-				Namespace: namespace,
+				Namespace: testnamespace,
 			},
 		}
 		certSecret.certificates = &Certs{
@@ -171,7 +171,7 @@ func TestCreateOrUpdateIfNecessary(t *testing.T) {
 		require.NoError(t, err)
 
 		newSecret := corev1.Secret{}
-		err = fakeClient.Get(context.TODO(), client.ObjectKey{Name: buildSecretName(), Namespace: namespace}, &newSecret)
+		err = fakeClient.Get(context.TODO(), client.ObjectKey{Name: buildSecretName(), Namespace: testnamespace}, &newSecret)
 
 		require.NoError(t, err)
 		require.NotNil(t, newSecret)
@@ -184,7 +184,7 @@ func TestCreateOrUpdateIfNecessary(t *testing.T) {
 
 		assert.NoError(t, err)
 
-		err = fakeClient.Get(context.TODO(), client.ObjectKey{Name: buildSecretName(), Namespace: namespace}, &newSecret)
+		err = fakeClient.Get(context.TODO(), client.ObjectKey{Name: buildSecretName(), Namespace: testnamespace}, &newSecret)
 
 		assert.NoError(t, err)
 		assert.NotNil(t, newSecret)

klt-cert-manager/controllers/keptnwebhookcontroller/config.go

@@ -17,7 +17,6 @@ const (
 	crdGroup                   = "lifecycle.keptn.sh"
 	certificatesSecretEmptyErr = "certificates secret is empty"
 	couldNotUpdateCRDErr       = "could not update crd config"
-	namespace                  = "keptn-lifecycle-toolkit-system"
 )
 
 var keptnCRD = schema.GroupVersionResource{Group: "lifecycle.keptn.sh"}

klt-cert-manager/controllers/keptnwebhookcontroller/keptnwebhookcertificate_controller.go

@@ -25,6 +25,7 @@ type KeptnWebhookCertificateReconciler struct {
 	Scheme        *runtime.Scheme
 	CancelMgrFunc context.CancelFunc
 	Log           logr.Logger
+	Namespace     string
 }
 
 //clusterrole
@@ -92,20 +93,20 @@ func (r *KeptnWebhookCertificateReconciler) Reconcile(ctx context.Context, reque
 func (r *KeptnWebhookCertificateReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&appsv1.Deployment{}).
-		WithEventFilter(eventfilter.ForObjectNameAndNamespace(DeploymentName, namespace)).
+		WithEventFilter(eventfilter.ForObjectNameAndNamespace(DeploymentName, r.Namespace)).
 		Owns(&corev1.Secret{}).
 		Complete(r)
 
 }
 
 func (r *KeptnWebhookCertificateReconciler) setCertificates(ctx context.Context, certSecret *certificateSecret) error {
-	err := certSecret.setSecretFromReader(ctx, namespace, r.Log)
+	err := certSecret.setSecretFromReader(ctx, r.Namespace, r.Log)
 	if err != nil {
 		r.Log.Error(err, "could not get secret")
 		return err
 	}
 
-	err = certSecret.setCertificates(namespace)
+	err = certSecret.setCertificates(r.Namespace)
 	if err != nil {
 		r.Log.Error(err, "could not validate certificate")
 		return err