feat!: migrate Helm chart from helm/v1-alpha to helm/v2-alpha

.gitignore

@@ -19,6 +19,7 @@ profile.cov
 
 # Build artifacts
 bin/
+dist/install.yaml
 
 # Dependency directories (remove the comment below to include it)
 # vendor/

Makefile

@@ -220,25 +220,31 @@ undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/confi
 test-kustomize: manifests kustomize
 	$(KUSTOMIZE) build config/default
 
+.PHONY: build-installer
+build-installer: manifests kustomize ## Generate dist/install.yaml from kustomize
+	mkdir -p dist
+	$(KUSTOMIZE) build config/default > dist/install.yaml
+
 ##@ Helm
 
 CHART_DIR ?= dist/chart
 CHART_NAME ?= team-operator
 
 .PHONY: helm-generate
-helm-generate: manifests kubebuilder ## Regenerate Helm chart from kustomize
-	$(KUBEBUILDER) edit --plugins=helm.kubebuilder.io/v1-alpha
-	# Fix generated files that kubebuilder doesn't template correctly
-	$(SED) -i 's/team-operator-metrics-service/{{ .Values.controllerManager.serviceAccountName }}-metrics-service/g' dist/chart/templates/certmanager/certificate.yaml
-	$(SED) -i 's/team-operator-controller-manager-metrics-service/{{ .Values.controllerManager.serviceAccountName }}-metrics-service/g' dist/chart/templates/metrics/metrics-service.yaml
-	# Fix RoleBinding namespace to use watchNamespace value
-	$(SED) -i '/kind: RoleBinding/,/roleRef:/{s/namespace: posit-team/namespace: {{ .Values.watchNamespace }}/}' dist/chart/templates/rbac/role_binding.yaml
-	# Remove duplicate metrics service that kubebuilder generates - we already have one in dist/chart/templates/metrics/
-	# This was causing "services 'team-operator-controller-manager-metrics-service' already exists" errors
-	# The correct metrics service is gated on .Values.metrics.enable, not .Values.rbac.enable
-	rm -f dist/chart/templates/rbac/auth_proxy_service.yaml
+helm-generate: build-installer kubebuilder ## Regenerate Helm chart from kustomize
+	# Backup Chart.yaml and README.md from git (they will be overwritten by the plugin)
+	@git show HEAD:dist/chart/Chart.yaml > /tmp/Chart.yaml.bak 2>/dev/null || true
+	@git show HEAD:dist/chart/README.md > /tmp/README.md.bak 2>/dev/null || true
+	$(KUBEBUILDER) edit --plugins=helm/v2-alpha
+	# Restore backed up files
+	@if [ -f /tmp/Chart.yaml.bak ]; then mv /tmp/Chart.yaml.bak dist/chart/Chart.yaml; fi
+	@if [ -f /tmp/README.md.bak ]; then mv /tmp/README.md.bak dist/chart/README.md; fi
 	# Remove kubebuilder-generated test workflow - we use our own CI workflows
 	rm -f .github/workflows/test-chart.yml
+	# Remove build artifact that should not be committed
+	rm -f dist/install.yaml
+	# Apply customizations that v2-alpha plugin overwrites
+	SED=$(SED) ./hack/helm-post-generate.sh
 
 .PHONY: helm-lint
 helm-lint: ## Lint the Helm chart
@@ -248,15 +254,22 @@ helm-lint: ## Lint the Helm chart
 helm-template: ## Render Helm templates locally
 	helm template $(CHART_NAME) $(CHART_DIR)
 
+.PHONY: helm-test-certmanager
+helm-test-certmanager: ## Verify cert-manager volumes render correctly
+	@echo "Testing cert-manager volume mounts..."
+	@helm template test $(CHART_DIR) --set certManager.enable=true | \
+		grep -q "mountPath: /tmp/k8s-webhook-server/serving-certs" || \
+		(echo "ERROR: cert-manager volumeMounts not rendered!" && exit 1)
+	@helm template test $(CHART_DIR) --set certManager.enable=true | \
+		grep -q "webhook-server-cert" || \
+		(echo "ERROR: cert-manager volumes not rendered!" && exit 1)
+	@echo "cert-manager volumes OK"
+
 .PHONY: helm-install
 helm-install: ## Install operator via Helm
 	helm upgrade --install $(CHART_NAME) $(CHART_DIR) \
 		--namespace posit-team-system --create-namespace
 
-.PHONY: helm-uninstall
-helm-uninstall: ## Uninstall the Helm release
-	helm uninstall $(CHART_NAME) --namespace posit-team-system
-
 .PHONY: helm-package
 helm-package: ## Package the Helm chart as .tar.gz
 	helm package $(CHART_DIR) -d dist/
@@ -280,7 +293,7 @@ ENVTEST ?= $(LOCALBIN)/setup-envtest
 KUBE_CODEGEN ?= $(LOCALBIN)/kube_codegen.sh
 
 ## Tool Versions
-KUBEBUILDER_VERSION ?= v4.5.1
+KUBEBUILDER_VERSION ?= v4.12.0
 KUSTOMIZE_VERSION ?= v3.8.7
 CONTROLLER_TOOLS_VERSION ?= v0.17.0
 KUBE_CODEGEN_VERSION ?= v0.30.1
@@ -414,3 +427,50 @@ catalog-build: opm ## Build a catalog image.
 .PHONY: catalog-push
 catalog-push: ## Push a catalog image.
 	$(MAKE) docker-push IMG=$(CATALOG_IMG)
+
+##@ Helm Deployment
+
+## Helm binary to use for deploying the chart
+HELM ?= helm
+## Namespace to deploy the Helm release
+HELM_NAMESPACE ?= posit-team-system
+## Name of the Helm release
+HELM_RELEASE ?= team-operator
+## Path to the Helm chart directory
+HELM_CHART_DIR ?= dist/chart
+## Additional arguments to pass to helm commands
+HELM_EXTRA_ARGS ?=
+
+.PHONY: install-helm
+install-helm: ## Install the latest version of Helm.
+	@command -v $(HELM) >/dev/null 2>&1 || { \
+		echo "Installing Helm..." && \
+		curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash; \
+	}
+
+.PHONY: helm-deploy
+helm-deploy: install-helm ## Deploy manager to the K8s cluster via Helm. Specify an image with IMG.
+	$(HELM) upgrade --install $(HELM_RELEASE) $(HELM_CHART_DIR) \
+		--namespace $(HELM_NAMESPACE) \
+		--create-namespace \
+		--set manager.image.repository=$${IMG%:*} \
+		--set manager.image.tag=$${IMG##*:} \
+		--wait \
+		--timeout 5m \
+		$(HELM_EXTRA_ARGS)
+
+.PHONY: helm-uninstall
+helm-uninstall: ## Uninstall the Helm release from the K8s cluster.
+	$(HELM) uninstall $(HELM_RELEASE) --namespace $(HELM_NAMESPACE)
+
+.PHONY: helm-status
+helm-status: ## Show Helm release status.
+	$(HELM) status $(HELM_RELEASE) --namespace $(HELM_NAMESPACE)
+
+.PHONY: helm-history
+helm-history: ## Show Helm release history.
+	$(HELM) history $(HELM_RELEASE) --namespace $(HELM_NAMESPACE)
+
+.PHONY: helm-rollback
+helm-rollback: ## Rollback to previous Helm release.
+	$(HELM) rollback $(HELM_RELEASE) --namespace $(HELM_NAMESPACE)

PROJECT

@@ -6,7 +6,9 @@ domain: posit.co
 layout:
 - go.kubebuilder.io/v4
 plugins:
-  helm.kubebuilder.io/v1-alpha: {}
+  helm.kubebuilder.io/v2-alpha:
+    manifests: dist/install.yaml
+    output: dist
   manifests.sdk.operatorframework.io/v2: {}
   scorecard.sdk.operatorframework.io/v2: {}
 projectName: team-operator

README.md

@@ -88,14 +88,14 @@ helm install team-operator ./dist/chart \
 # With custom image
 helm install team-operator ./dist/chart \
   --namespace posit-team-system --create-namespace \
-  --set controllerManager.container.image.repository=posit/team-operator \
+  --set controllerManager.container.image.repository=posit/ptd-team-operator \
   --set controllerManager.container.image.tag=latest
 ```
 
 #### Via Kustomize (Development)
 
 ```bash
-make deploy IMG=posit/team-operator:latest
+make deploy IMG=posit/ptd-team-operator:latest
 ```
 
 ### Local Development

config/default/kustomization.yaml

@@ -26,8 +26,8 @@ namePrefix: posit-team-system-
 # Protect the /metrics endpoint by putting it behind auth.
 # If you want your controller-manager to expose the /metrics
 # endpoint w/o any authn/z, please comment the following line.
-patchesStrategicMerge:
-- manager_auth_proxy_patch.yaml
+#patchesStrategicMerge:
+#- manager_auth_proxy_patch.yaml
 
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml

config/manager/manager.yaml

@@ -70,6 +70,8 @@ spec:
         - /team-operator
         args:
         - --leader-elect
+        - --metrics-bind-address=:8443
+        - --health-probe-bind-address=:8081
         image: controller:latest
         imagePullPolicy: Always
         name: manager