Add Helm chart

.cr.yaml

@@ -0,0 +1,4 @@
+# This file is the config file for helm/chart-releaser
+owner: cybozu-go
+git-repo: accurate
+release-name-template: "{{ .Name }}-chart-v{{ .Version }}"

.github/workflows/helm-release.yaml

@@ -0,0 +1,30 @@
+name: Release Charts
+
+on: workflow_dispatch
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "[email protected]"
+
+      # Add depending repository for helm to avoid the error below.
+      # `Error: no repository definition for https://charts.jetstack.io`
+      # see: https://github.com/helm/chart-releaser-action/issues/74
+      - name: Add cert-manager repo for helm
+        run: helm repo add cert-manager https://charts.jetstack.io
+
+      - name: Run chart-releaser
+        uses: helm/[email protected]
+        with:
+          config: .cr.yaml
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/helm.yaml

@@ -0,0 +1,57 @@
+name: Lint and Test Charts
+
+on:
+  pull_request:
+    paths:
+      - "charts/**"
+
+jobs:
+  lint-test:
+    runs-on: ubuntu-18.04
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Setup helm-docs
+        run: |
+          HELM_DOCS_VERSION="1.5.0"
+          OS=$(uname)
+          curl -L -sS https://github.com/norwoodj/helm-docs/releases/download/v"${HELM_DOCS_VERSION}"/helm-docs_"${HELM_DOCS_VERSION}"_${OS}_x86_64.tar.gz \
+            | tar zx -C /tmp
+          sudo mv /tmp/helm-docs /usr/local/bin
+
+      - name: Run helm-docs
+        run: helm-docs && git diff --no-patch --exit-code
+
+      - uses: actions/setup-python@v2
+        with:
+          python-version: 3.7
+
+      - name: Set up chart-testing
+        uses: helm/[email protected]
+
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          changed=$(ct list-changed --config ct.yaml)
+          if [[ -n "$changed" ]]; then
+            echo "::set-output name=changed::true"
+          fi
+
+      - name: Run chart-testing (lint)
+        run: ct lint --config ct.yaml
+
+      - name: Create kind cluster
+        uses: helm/[email protected]
+        if: steps.list-changed.outputs.changed == 'true'
+
+      - name: Apply cert-manager
+        run: |
+          kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.1/cert-manager.yaml
+          kubectl -n cert-manager wait --for=condition=available --timeout=180s --all deployments
+
+      - name: Run chart-testing (install)
+        run: ct install --config ct.yaml

.gitignore

@@ -21,3 +21,6 @@
 
 # Generated files
 /docs/book
+
+# Ignore dependency charts
+charts/*/charts

Makefile

@@ -1,7 +1,8 @@
 # Tool versions
 CTRL_TOOLS_VERSION=0.6.1
 CTRL_RUNTIME_VERSION := $(shell awk '/sigs.k8s.io\/controller-runtime/ {print substr($$2, 2)}' go.mod)
-KUSTOMIZE_VERSION = 4.1.3
+HELM_VERSION = 3.6.3
+HELM_DOCS_VERSION = 1.5.0
 CRD_TO_MARKDOWN_VERSION = 0.0.3
 MDBOOK_VERSION = 0.4.10
 
@@ -92,7 +93,7 @@ build:
 	GOBIN=$(shell pwd)/bin go install ./cmd/...
 
 .PHONY: release-build
-release-build: kustomize
+release-build:
 	rm -rf build
 	mkdir -p build
 	$(MAKE) kubectl-accurate GOOS=windows GOARCH=amd64 SUFFIX=.exe
@@ -120,14 +121,22 @@ $(SETUP_ENVTEST):
 	# see https://github.com/kubernetes-sigs/controller-runtime/tree/master/tools/setup-envtest
 	GOBIN=$(shell pwd)/bin go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
 
-KUSTOMIZE := $(shell pwd)/bin/kustomize
-.PHONY: kustomize
-kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary.
+HELM := $(shell pwd)/bin/helm
+.PHONY: helm
+helm: $(HELM) ## Download helm locally if necessary.
 
-$(KUSTOMIZE):
-	mkdir -p bin
-	curl -fsL https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv$(KUSTOMIZE_VERSION)/kustomize_v$(KUSTOMIZE_VERSION)_linux_amd64.tar.gz | \
-	tar -C bin -xzf -
+$(HELM):
+	mkdir -p $(BIN_DIR)
+	curl -L -sS https://get.helm.sh/helm-v$(HELM_VERSION)-linux-amd64.tar.gz \
+	  | tar xvz -C $(BIN_DIR) --strip-components 1 linux-amd64/helm
+
+HELM_DOCS := $(shell pwd)/bin/helm-docs
+.PHONY: helm-docs
+helm-docs: $(HELM_DOCS) ## Download helm-docs locally if necessary.
+
+$(HELM_DOCS):
+	mkdir -p $(BIN_DIR)
+	GOBIN=$(BIN_DIR) go install github.com/norwoodj/helm-docs/cmd/helm-docs@v$(HELM_DOCS_VERSION)
 
 CRD_TO_MARKDOWN := $(shell pwd)/bin/crd-to-markdown
 .PHONY: crd-to-markdown

charts/accurate/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/accurate/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: accurate
+description: Accurate is a Kubernetes controller for soft multi-tenancy environments.
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: 0.1.0

charts/accurate/MIGRATION.md

@@ -0,0 +1,100 @@
+# Migrate from kustomize to Helm
+
+This document describes the steps to migrate from kustomize to Helm.
+
+## Install Helm chart
+
+There is no significant difference between the manifests installed by kusomize and those installed by Helm.
+
+If a resource with the same name already exists in the Cluster, Helm will not be able to create the resource.
+
+```console
+$ helm repo add accurate https://cybozu-go.github.io/accurate/
+$ helm repo update
+$ helm install --namespace accurate accurate accurate/accurate
+Error: rendered manifests contain a resource that already exists. Unable to continue with install: ServiceAccount "accurate-controller-manager" in namespace "accurate" exists and cannot be imported into the current release: invalid ownership metadata; label validation error: missing key "app.kubernetes.io/managed-by": must be set to "Helm"; annotation validation error: missing key "meta.helm.sh/release-name": must be set to "accurate"; annotation validation error: missing key "meta.helm.sh/release-namespace": must be set to "accurate"
+```
+
+Before installing Helm chart, you need to manually delete the resources.
+
+```console
+$ helm template --namespace accurate accurate accurate/accurate | kubectl delete -f -
+serviceaccount "accurate-controller-manager" deleted
+clusterrole.rbac.authorization.k8s.io "accurate-manager-role" deleted
+clusterrole.rbac.authorization.k8s.io "accurate-subnamespace-editor-role" deleted
+clusterrole.rbac.authorization.k8s.io "accurate-subnamespace-viewer-role" deleted
+clusterrolebinding.rbac.authorization.k8s.io "accurate-manager-admin" deleted
+clusterrolebinding.rbac.authorization.k8s.io "accurate-manager-rolebinding" deleted
+role.rbac.authorization.k8s.io "accurate-leader-election-role" deleted
+rolebinding.rbac.authorization.k8s.io "accurate-leader-election-rolebinding" deleted
+service "accurate-webhook-service" deleted
+deployment.apps "accurate-controller-manager" deleted
+certificate.cert-manager.io "accurate-serving-cert" deleted
+issuer.cert-manager.io "accurate-selfsigned-issuer" deleted
+mutatingwebhookconfiguration.admissionregistration.k8s.io "accurate-mutating-webhook-configuration" deleted
+validatingwebhookconfiguration.admissionregistration.k8s.io "accurate-validating-webhook-configuration" deleted
+Error from server (NotFound): error when deleting "STDIN": configmaps "accurate-config" not found # This is because the ConfigMap created by ConfigMapGeneraor will be suffixed. There is no problem to ignore it.
+```
+
+Then install Helm chart again.
+
+```console
+$ helm install --namespace accurate accurate accurate/accurate
+NAME: accurate
+LAST DEPLOYED: Fri Aug 20 10:12:03 2021
+NAMESPACE: accurate
+STATUS: deployed
+REVISION: 1
+TEST SUITE: None
+```
+
+### Release Name
+
+| Template | Release Name | Output |
+| -------- | ------------ | ------ |
+| `{{ template "accurate.fullname" . }}-controller-manager` | foo | **foo-accurate-controller-manager** |
+| `{{ template "accurate.fullname" . }}-controller-manager` | accurate | **accurate-controller-manager** |
+| `{{ template "accurate.fullname" . }}-controller-manager` | bar-accurate | **bar-accurate-controller-manager** |
+| `{{ template "accurate.fullname" . }}-controller-manager` | accurate-baz | **accurate-baz-controller-manager** |
+
+## Configuration
+
+Helm uses the values file to configure Accurate config file.
+
+```yaml
+controller:
+  config:
+    # controller.config.labelKeys -- Labels to be propagated to sub-namespaces.
+    # It is also possible to specify a glob pattern that can be interpreted by Go's "path.Match" func.
+    ## https://pkg.go.dev/path#Match
+    labelKeys: []
+    # - team
+
+    # controller.config.annotationKeys -- Annotations to be propagated to sub-namespaces.
+    # It is also possible to specify a glob pattern that can be interpreted by Go's "path.Match" func.
+    ## https://pkg.go.dev/path#Match
+    annotationKeys: []
+    # An example to propagate an annotation for MetalLB
+    # https://metallb.universe.tf/usage/#requesting-specific-ips
+    # - metallb.universe.tf/address-pool
+
+    # controller.config.watches -- List of GVK for namespace-scoped resources that can be propagated.
+    # Any namespace-scoped resource is allowed.
+    watches:
+      - group: rbac.authorization.k8s.io
+        version: v1
+        kind: Role
+      - group: rbac.authorization.k8s.io
+        version: v1
+        kind: RoleBinding
+      - version: v1
+        kind: Secret
+```
+
+The values file can be specified with the `-f` option when you install Helm chart.
+
+```console
+$ helm install --create-namespace --namespace accurate accurate accurate/accurate -f values.yaml
+```
+
+There are several other configurable items besides the Accurate config file. See [README.md](./README.md) for details.