fix(helm): sync CRDs and fix helm-generate post-processing

.github/workflows/build.yml

@@ -109,6 +109,25 @@ jobs:
       - name: Helm template
         run: make helm-template > /dev/null
 
+      - name: Verify Helm chart is in sync with kustomize
+        run: |
+          # Regenerate Helm chart from base kustomize CRDs
+          make helm-generate
+          # Fail if regeneration produced any changes
+          if ! git diff --quiet; then
+            echo "::error::Helm chart is out of sync with kustomize CRDs"
+            echo ""
+            echo "The Helm chart in dist/chart/ was generated from config/crd/ but has drifted."
+            echo "Run this locally to fix:"
+            echo ""
+            echo "  make helm-generate"
+            echo ""
+            echo "Then commit the changes."
+            echo ""
+            git diff --stat
+            exit 1
+          fi
+
       - name: Assert no diff
         run: |
           git diff --exit-code

Makefile

@@ -174,8 +174,13 @@ CHART_DIR ?= dist/chart
 CHART_NAME ?= team-operator
 
 .PHONY: helm-generate
-helm-generate: manifests ## Regenerate Helm chart from kustomize
-	kubebuilder edit --plugins=helm.kubebuilder.io/v1-alpha
+helm-generate: manifests kubebuilder ## Regenerate Helm chart from kustomize
+	$(KUBEBUILDER) edit --plugins=helm.kubebuilder.io/v1-alpha
+	# Fix generated files that kubebuilder doesn't template correctly
+	$(SED) -i 's/team-operator-metrics-service/{{ .Values.controllerManager.serviceAccountName }}-metrics-service/g' dist/chart/templates/certmanager/certificate.yaml
+	$(SED) -i 's/team-operator-controller-manager-metrics-service/{{ .Values.controllerManager.serviceAccountName }}-metrics-service/g' dist/chart/templates/metrics/metrics-service.yaml
+	# Remove kubebuilder-generated test workflow - we use our own CI workflows
+	rm -f .github/workflows/test-chart.yml
 
 .PHONY: helm-lint
 helm-lint: ## Lint the Helm chart
@@ -206,6 +211,7 @@ $(LOCALBIN):
 	mkdir -p $(LOCALBIN)
 
 ## Tool Binaries
+KUBEBUILDER ?= $(LOCALBIN)/kubebuilder
 KUSTOMIZE ?= $(LOCALBIN)/kustomize
 CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen
 APPLYCONFIGURATION_GEN ?= $(LOCALBIN)/applyconfiguration-gen
@@ -216,6 +222,7 @@ ENVTEST ?= $(LOCALBIN)/setup-envtest
 KUBE_CODEGEN ?= $(LOCALBIN)/kube_codegen.sh
 
 ## Tool Versions
+KUBEBUILDER_VERSION ?= v4.5.1
 KUSTOMIZE_VERSION ?= v3.8.7
 CONTROLLER_TOOLS_VERSION ?= v0.17.0
 KUBE_CODEGEN_VERSION ?= v0.30.1
@@ -242,6 +249,15 @@ $(CONTROLLER_GEN): $(LOCALBIN)
 	test -s $(LOCALBIN)/controller-gen && $(LOCALBIN)/controller-gen --version | grep -q $(CONTROLLER_TOOLS_VERSION) || \
 	GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_TOOLS_VERSION)
 
+.PHONY: kubebuilder
+kubebuilder: $(KUBEBUILDER) ## Download kubebuilder locally if necessary.
+$(KUBEBUILDER): $(LOCALBIN)
+	@if ! test -s $(LOCALBIN)/kubebuilder || ! $(LOCALBIN)/kubebuilder version | grep -q $(KUBEBUILDER_VERSION); then \
+		OS=$$(go env GOOS) && ARCH=$$(go env GOARCH) && \
+		curl -sSL -o $(LOCALBIN)/kubebuilder "https://github.com/kubernetes-sigs/kubebuilder/releases/download/$(KUBEBUILDER_VERSION)/kubebuilder_$${OS}_$${ARCH}" && \
+		chmod +x $(LOCALBIN)/kubebuilder; \
+	fi
+
 .PHONY: kube-codgen
 kube-codegen: $(LOCALBIN)
 	test -s $(LOCALBIN)/kube_codegen.sh || \

config/rbac/kustomization.yaml

@@ -15,7 +15,8 @@ resources:
 # Comment the following 4 lines if you want to disable
 # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
 # which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
+# Auth proxy disabled - metrics service is defined in dist/chart/templates/metrics/
+# - auth_proxy_service.yaml
+# - auth_proxy_role.yaml
+# - auth_proxy_role_binding.yaml
+# - auth_proxy_client_clusterrole.yaml

dist/chart/templates/certmanager/certificate.yaml

@@ -3,10 +3,6 @@
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
-{{- if .Values.resourcePolicy.keep }}
-  annotations:
-    helm.sh/resource-policy: keep
-{{- end }}
   labels:
     {{- include "chart.labels" . | nindent 4 }}
   name: selfsigned-issuer
@@ -19,10 +15,10 @@ spec:
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-{{- if .Values.resourcePolicy.keep }}
   annotations:
-    helm.sh/resource-policy: keep
-{{- end }}
+    {{- if .Values.crd.keep }}
+    "helm.sh/resource-policy": keep
+    {{- end }}
   name: serving-cert
   namespace: {{ .Release.Namespace }}
   labels:
@@ -43,10 +39,10 @@ spec:
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-{{- if .Values.resourcePolicy.keep }}
   annotations:
-    helm.sh/resource-policy: keep
-{{- end }}
+    {{- if .Values.crd.keep }}
+    "helm.sh/resource-policy": keep
+    {{- end }}
   labels:
     {{- include "chart.labels" . | nindent 4 }}
   name: metrics-certs
@@ -55,7 +51,7 @@ spec:
   dnsNames:
     - team-operator.{{ .Release.Namespace }}.svc
     - team-operator.{{ .Release.Namespace }}.svc.cluster.local
-    - team-operator-controller-manager-metrics-service.{{ .Release.Namespace }}.svc
+    - {{ .Values.controllerManager.serviceAccountName }}-metrics-service.{{ .Release.Namespace }}.svc
   issuerRef:
     kind: Issuer
     name: selfsigned-issuer