Add Helm chart

Signed-off-by: zeroalphat <taichi-takemura@cybozu.co.jp>

Author: zeroalphat

Makefile

@@ -21,8 +21,12 @@ help: ## Display this help.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
 
 .PHONY: manifests
-manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
-	$(CONTROLLER_GEN) rbac:roleName=imageprefetch-controller-role crd paths="./..." output:crd:artifacts:config=config/crd/bases
+manifests: controller-gen kustomize yq ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
+	$(CONTROLLER_GEN) rbac:roleName=controller-manager-role crd paths="./..." output:crd:artifacts:config=config/crd/bases
+	echo '{{- if .Values.crds.enabled }}' > charts/ofen/templates/generated/crds/crds.yaml	
+	$(KUSTOMIZE) build config/kustomize-to-helm/overlays/crds | $(YQ) e "." - >> charts/ofen/templates/generated/crds/crds.yaml
+	echo '{{- end }}' >> charts/ofen/templates/generated/crds/crds.yaml
+	kustomize build config/kustomize-to-helm/overlays/templates | yq e "."  -p yaml - > charts/ofen/templates/generated/generated.yaml
 
 .PHONY: generate
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
@@ -138,6 +142,7 @@ GINKGO = $(LOCALBIN)/ginkgo
 APPLYCONFIGURATION_GEN = $(LOCALBIN)/applyconfiguration-gen
 MODELS_SCHEMA = $(LOCALBIN)/models-schema
 KAPTEST ?= $(LOCALBIN)/kaptest
+YQ ?= $(LOCALBIN)/yq
 
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v5.6.0
@@ -148,6 +153,7 @@ GINKGO_VERSION ?= v2.23.4
 CODE_GENERATOR_VERSION ?= v0.31.1
 MODELS_SCHEMA_VERSION ?= v1.31.1
 KAPTEST_VERSION ?= v0.1.2
+YQ_VERSION ?= v4.47.1
 
 .PHONY: kustomize
 kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary.
@@ -196,6 +202,15 @@ $(KAPTEST): $(LOCALBIN)
 	tar -xzf kaptest_Linux_x86_64.tar.gz -C $(LOCALBIN) kaptest && \
 	rm -f kaptest_Linux_x86_64.tar.gz
 
+.PHONY: yq
+yq: $(YQ) ## Download yq locally if necessary.
+$(YQ): $(LOCALBIN)
+	curl -sLO "https://github.com/mikefarah/yq/releases/download/$(YQ_VERSION)/yq_linux_amd64.tar.gz" && \
+	tar -xzf yq_linux_amd64.tar.gz ./yq_linux_amd64 && \
+	mv yq_linux_amd64 $(YQ) && \
+	chmod +x $(YQ) && \
+	rm -f yq_linux_amd64.tar.gz
+
 # go-install-tool will 'go install' any package with custom target and name of binary, if it doesn't exist
 # $1 - target path with name of binary
 # $2 - package url which can be installed

charts/ofen/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/ofen/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: ofen
+description: Ofen is a kubernetes controller that prefetch(preheat) container images.
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.1.0"

charts/ofen/README.md

@@ -0,0 +1,71 @@
+# Ofen Helm Chart
+
+## How to use Ofen Helm repository
+
+You need to add this repository to your Helm repositories:
+
+```console
+helm repo add ofen https://cybozu-go.github.io/ofen/
+helm repo update
+```
+
+## Quick start
+
+### Installing the Chart
+
+To install the chart with the release name `ofen` using a dedicated namespace(recommended):
+
+```console
+$ helm install --create-namespace --namespace ofen-system ofen ofen/ofen
+```
+
+Specify parameters using `--set key=value[,key=value]` argument to `helm install`.
+
+Alternatively a YAML file that specifies the values for the parameters can be provided like this:
+
+```console
+$ helm install --create-namespace --namespace ofen-system ofen -f values.yaml ofen/ofen
+```
+
+## Values
+
+| Key                          | Type   | Default                                       | Description                                                                        |
+| ---------------------------- | ------ | --------------------------------------------- | ---------------------------------------------------------------------------------- |
+| crds.enabled                 | bool   | `true`                                        | Install and update CRDs as part of the Helm chart.                                 |
+| crds.keep                    | bool   | `true`                                        | Keep existing CRDs during uninstallation.                                          |
+| controller.replicas          | int    | `2`                                           | Number of replicas for the ofen-controller Deployment.                             |
+| controller.image.repository  | string | `"ghcr.io/cybozu-go/ofen"`                    | ofen-controller image repository to use.                                           |
+| controller.image.pullPolicy  | string | `"IfNotPresent"`                              | ofen-controller image pull policy.                                                 |
+| controller.image.tag         | string | `""`                                          | ofen-controller image tag to use.                                                  |
+| controller.imagePullSecrets  | list   | `[]`                                          | Secrets for pulling the ofen-controller image from a private repository.           |
+| controller.resources         | object | `{"requests":{"cpu":"100m","memory":"20Mi"}}` | Resource requests and limits for the ofen-controller Deployment.                   |
+| controller.extraArgs         | list   | `[]`                                          | Additional command line arguments to pass to the ofen-controller binary.           |
+| daemon.image.repository      | string | `"ghcr.io/cybozu-go/ofend"`                   | ofen-daemon image repository to use.                                               |
+| daemon.image.pullPolicy      | string | `"IfNotPresent"`                              | ofen-daemon image pull policy.                                                     |
+| daemon.image.tag             | string | `""`                                          | ofen-daemon image tag to use.                                                      |
+| daemon.imagePullSecrets      | list   | `[]`                                          | Secrets for pulling the ofen-daemon image from a private repository.               |
+| daemon.resources             | object | `{"requests":{"cpu":"100m","memory":"20Mi"}}` | Resource requests and limits for the ofen-daemon DaemonSet.                        |
+| daemon.extraArgs             | list   | `[]`                                          | Additional command line arguments to pass to the ofen-daemon binary.               |
+| daemon.containerdSockPath    | string | `"/run/containerd/containerd.sock"`           | Path to the containerd socket.                                                     |
+| daemon.containerdHostDirPath | string | `"/etc/containerd/certs.d"`                   | Path to the host directory where containerd certificate configurations are stored. |
+| allowRegistries.ghcr         | string | `"ghcr.io/"`                                  | Allow pulling images from the ghcr.io registry.                                    |
+| allowRegistries.quay         | string | `"quay.io/"`                                  | Allow pulling images from the quay.io registry.                                    |
+
+## Generate Manifests
+
+You can use the `helm template` command to render manifests.
+
+```console
+$ helm template --namespace ofen ofen ofen/ofen
+```
+
+## CRD considerations
+
+### Installing or updating CRDs
+
+Ofen Helm Chart installs or updates CRDs by default. If you want to manage CRDs on your own, turn off the `crds.enabled` parameter.
+
+### Removing CRDs
+
+Helm does not remove the CRDs due to the [`helm.sh/resource-policy: keep` annotation](https://helm.sh/docs/howto/charts_tips_and_tricks/#tell-helm-not-to-uninstall-a-resource).
+When uninstalling, please remove the CRDs manually.

charts/ofen/templates/NOTES.txt

@@ -0,0 +1,42 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "ofen.name" -}}
+{{- default .Chart.Name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "ofen.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "ofen.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "ofen.labels" -}}
+helm.sh/chart: {{ include "ofen.chart" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}

charts/ofen/templates/_helpers.tpl

@@ -0,0 +1,76 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: ofend-daemon
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/component: daemon
+    app.kubernetes.io/name: {{ include "ofen.name" . }}-daemon
+    {{- include "ofen.labels" . | nindent 4  }}
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: daemon
+      app.kubernetes.io/name: {{ include "ofen.name" . }}-daemon
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: daemon
+        app.kubernetes.io/name: {{ include "ofen.name" . }}-daemon
+    spec:
+      containers:
+        - name: ofend
+          image: "{{ .Values.daemon.image.repository }}:{{ default .Chart.AppVersion .Values.daemon.image.tag }}"
+          imagePullPolicy: {{ .Values.daemon.image.pullPolicy }}
+          args: 
+            - --containerd-socket={{ .Values.daemon.containerdSockPath }}
+            - --containerd-host-dir={{ .Values.daemon.containerdHostDirPath }}
+          {{- with .Values.daemon.extraArgs }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          env:
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          ports:
+            - containerPort: 8081
+              name: health
+              protocol: TCP
+            - containerPort: 8080
+              name: metrics
+              protocol: TCP
+          {{- with .Values.daemon.resources }}
+          resources: {{ toYaml . | nindent 12 }}
+          {{- end }}
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: health
+            initialDelaySeconds: 15
+            periodSeconds: 20
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: health
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          volumeMounts:
+            - name: containerd-sock
+              mountPath: {{ .Values.daemon.containerdSockPath }}
+            - name: containerd-host-dir
+              mountPath: {{ .Values.daemon.containerdHostDirPath }}
+      securityContext:
+        runAsUser: 0 # Run as root to mount containerd socket
+      serviceAccountName: '{{ template "ofen.fullname" . }}-controller-manager'
+      terminationGracePeriodSeconds: 10
+      volumes:
+        - name: containerd-sock
+          hostPath:
+            path: {{ .Values.daemon.containerdSockPath }}
+        - name: containerd-host-dir
+          hostPath:
+            path: {{ .Values.daemon.containerdHostDirPath }}
+      tolerations:
+        - key: node-role.kubernetes.io/control-plane
+          effect: NoSchedule

charts/ofen/templates/daemonset.yaml

@@ -0,0 +1,58 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ofen-controller
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/name: {{ include "ofen.name" . }}-controller
+    {{- include "ofen.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.controller.replicas }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/name: {{ include "ofen.name" . }}-controller
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/name: {{ include "ofen.name" . }}-controller
+    spec:
+      containers:
+        - name: manager
+          image: "{{ .Values.controller.image.repository }}:{{ default .Chart.AppVersion .Values.controller.image.tag }}"
+          imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
+          args:
+            - -leader-elect=true
+          {{- with .Values.controller.extraArgs }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          ports:
+            - containerPort: 8081
+              name: health
+              protocol: TCP
+            - containerPort: 8080
+              name: metrics
+              protocol: TCP
+          {{- with .Values.controller.resources }}
+          resources: {{ toYaml . | nindent 12 }}
+          {{- end }}
+          securityContext:
+            allowPrivilegeEscalation: false
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: health
+            initialDelaySeconds: 15
+            periodSeconds: 20
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: health
+            initialDelaySeconds: 5
+            periodSeconds: 10
+      securityContext:
+        runAsNonRoot: true
+      serviceAccountName: '{{ template "ofen.fullname" . }}-controller-manager'
+      terminationGracePeriodSeconds: 10