operator-framework · tmshort · Jul 18, 2025 · Jul 18, 2025 · Jul 18, 2025 · Jul 18, 2025
@@ -53,6 +53,12 @@ $(GORELEASER): $(BINGO_DIR)/goreleaser.mod
 	@echo "(re)installing $(GOBIN)/goreleaser-v1.26.2"
 	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=goreleaser.mod -o=$(GOBIN)/goreleaser-v1.26.2 "github.com/goreleaser/goreleaser"
 
+HELM := $(GOBIN)/helm-v3.18.4
+$(HELM): $(BINGO_DIR)/helm.mod
+	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
+	@echo "(re)installing $(GOBIN)/helm-v3.18.4"
+	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=helm.mod -o=$(GOBIN)/helm-v3.18.4 "helm.sh/helm/v3/cmd/helm"
+
 KIND := $(GOBIN)/kind-v0.29.0
 $(KIND): $(BINGO_DIR)/kind.mod
 	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.

@@ -0,0 +1,5 @@
+module _ // Auto generated by https://github.com/bwplotka/bingo. DO NOT EDIT
+
+go 1.24.3
+
+require helm.sh/helm/v3 v3.18.4 // cmd/helm
@@ -20,6 +20,8 @@ GOLANGCI_LINT="${GOBIN}/golangci-lint-v2.1.6"
 
 GORELEASER="${GOBIN}/goreleaser-v1.26.2"
 
+HELM="${GOBIN}/helm-v3.18.4"
+
 KIND="${GOBIN}/kind-v0.29.0"
 
 KUSTOMIZE="${GOBIN}/kustomize-v5.6.0"

@@ -150,4 +150,4 @@ def deploy_repo(data, tags="", debug=True):
         local_port = repo['starting_debug_port']
         build_binary(reponame, repo['binary'], repo['deps'], repo['image'], tags, debug)
         k8s_resource(repo['deployment'], port_forwards=['{}:30000'.format(local_port)])
-    process_yaml(kustomize(data['yaml']))
+    process_yaml(helm('helm/olmv1', name="olmv1", values=[data['yaml']]))
@@ -141,30 +141,32 @@ tidy:
 	go mod tidy
 
 .PHONY: manifests
-KUSTOMIZE_CATD_RBAC_DIR := config/base/catalogd/rbac
-KUSTOMIZE_CATD_WEBHOOKS_DIR := config/base/catalogd/webhook
-KUSTOMIZE_OPCON_RBAC_DIR := config/base/operator-controller/rbac
+KUSTOMIZE_CATD_RBAC_DIR := helm/olmv1/base/catalogd/rbac
+KUSTOMIZE_CATD_WEBHOOKS_DIR := helm/olmv1/base/catalogd/webhook
+KUSTOMIZE_OPCON_RBAC_DIR := helm/olmv1/base/operator-controller/rbac
 # Due to https://github.com/kubernetes-sigs/controller-tools/issues/837 we can't specify individual files
 # So we have to generate them together and then move them into place
-manifests: $(CONTROLLER_GEN) $(KUSTOMIZE) #EXHELP Generate WebhookConfiguration, ClusterRole, and CustomResourceDefinition objects.
+manifests: $(CONTROLLER_GEN) $(HELM) #EXHELP Generate WebhookConfiguration, ClusterRole, and CustomResourceDefinition objects.
 	# Generate CRDs via our own generator
 	hack/tools/update-crds.sh
 	# Generate the remaining operator-controller standard manifests
-	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS),standard rbac:roleName=manager-role paths="./internal/operator-controller/..." output:rbac:artifacts:config=$(KUSTOMIZE_OPCON_RBAC_DIR)/standard
+	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS),standard rbac:roleName=operator-controller-manager-role paths="./internal/operator-controller/..." output:rbac:artifacts:config=$(KUSTOMIZE_OPCON_RBAC_DIR)/standard
 	# Generate the remaining operator-controller experimental manifests
-	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=manager-role paths="./internal/operator-controller/..." output:rbac:artifacts:config=$(KUSTOMIZE_OPCON_RBAC_DIR)/experimental
+	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=operator-controller-manager-role paths="./internal/operator-controller/..." output:rbac:artifacts:config=$(KUSTOMIZE_OPCON_RBAC_DIR)/experimental
 	# Generate the remaining catalogd standard manifests
-	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS),standard rbac:roleName=manager-role paths="./internal/catalogd/..." output:rbac:artifacts:config=$(KUSTOMIZE_CATD_RBAC_DIR)/standard
+	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS),standard rbac:roleName=catalogd-manager-role paths="./internal/catalogd/..." output:rbac:artifacts:config=$(KUSTOMIZE_CATD_RBAC_DIR)/standard
 	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS),standard webhook paths="./internal/catalogd/..." output:webhook:artifacts:config=$(KUSTOMIZE_CATD_WEBHOOKS_DIR)/standard
 	# Generate the remaining catalogd experimental manifests
-	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=manager-role paths="./internal/catalogd/..." output:rbac:artifacts:config=$(KUSTOMIZE_CATD_RBAC_DIR)/experimental
+	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=catalogd-manager-role paths="./internal/catalogd/..." output:rbac:artifacts:config=$(KUSTOMIZE_CATD_RBAC_DIR)/experimental
 	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) webhook paths="./internal/catalogd/..." output:webhook:artifacts:config=$(KUSTOMIZE_CATD_WEBHOOKS_DIR)/experimental
+	# Update base config to include helm templates
+	./hack/tools/patch-base-for-helm.sh
 	# Generate manifests stored in source-control
 	mkdir -p $(MANIFEST_HOME)
-	$(KUSTOMIZE) build $(KUSTOMIZE_STANDARD_OVERLAY) > $(STANDARD_MANIFEST)
-	$(KUSTOMIZE) build $(KUSTOMIZE_STANDARD_E2E_OVERLAY) > $(STANDARD_E2E_MANIFEST)
-	$(KUSTOMIZE) build $(KUSTOMIZE_EXPERIMENTAL_OVERLAY) > $(EXPERIMENTAL_MANIFEST)
-	$(KUSTOMIZE) build $(KUSTOMIZE_EXPERIMENTAL_E2E_OVERLAY) > $(EXPERIMENTAL_E2E_MANIFEST)
+	$(HELM) template olmv1 helm/olmv1 --values helm/cert-manager.yaml > $(STANDARD_MANIFEST)
+	$(HELM) template olmv1 helm/olmv1 --values helm/cert-manager.yaml --values helm/e2e.yaml > $(STANDARD_E2E_MANIFEST)
+	$(HELM) template olmv1 helm/olmv1 --values helm/cert-manager.yaml --values helm/experimental.yaml > $(EXPERIMENTAL_MANIFEST)
+	$(HELM) template olmv1 helm/olmv1 --values helm/cert-manager.yaml --values helm/experimental.yaml --values helm/e2e.yaml > $(EXPERIMENTAL_E2E_MANIFEST)
 
 .PHONY: generate
 generate: $(CONTROLLER_GEN) #EXHELP Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
@@ -282,7 +284,7 @@ test-experimental-e2e: run image-registry prometheus experimental-e2e e2e e2e-me
 .PHONY: prometheus
 prometheus: PROMETHEUS_NAMESPACE := olmv1-system
 prometheus: PROMETHEUS_VERSION := v0.83.0
-prometheus: #EXHELP Deploy Prometheus into specified namespace
+prometheus: $(KUSTOMIZE) #EXHELP Deploy Prometheus into specified namespace
 	./hack/test/install-prometheus.sh $(PROMETHEUS_NAMESPACE) $(PROMETHEUS_VERSION) $(KUSTOMIZE) $(VERSION)
 
 # The output alerts.out file contains any alerts, pending or firing, collected during a test run in json format.

@@ -17,7 +17,7 @@ olmv1 = {
             'starting_debug_port': 30000,
         },
     },
-    'yaml': 'config/overlays/tilt-local-dev',
+    'yaml': 'helm/tilt.yaml',
 }
 
 deploy_repo(olmv1, '-tags containers_image_openpgp')
@@ -0,0 +1,76 @@
+#!/bin/bash
+
+# This script patches the kubebuilder generated files to make them ready for helm
+# The patching is done via a combination of `yq` to add valid YAML to the appropriate location
+# and then `sed` is used to replace some text with Helm templating.
+# This can't be done in one step because `yq` (or `kustomize` for that matter) can't manipulate
+# YAML once helm templating has been added.
+
+# Patch catalogd rbac
+catalogd_rbac_filelist=(
+    helm/olmv1/base/catalogd/rbac/experimental/*.yaml
+    helm/olmv1/base/catalogd/rbac/standard/*.yaml
+)
+for f in "${catalogd_rbac_filelist[@]}"; do
+    yq -i '.metadata.labels["app.kubernetes.io/name"] = "catalogd"' "${f}"
+    yq -i 'with(.; select(.kind == "Role") | .rules += { "replaceMe": "catalogd-role-rules"})' "${f}"
+    yq -i 'with(.; select(.kind == "ClusterRole") | .rules += { "replaceMe": "catalogd-cluster-role-rules"})' "${f}"
+done
+
+# Patch operator-controller rbac
+operator_controller_rbac_filelist=(
+    helm/olmv1/base/operator-controller/rbac/experimental/*.yaml
+    helm/olmv1/base/operator-controller/rbac/standard/*.yaml
+)
+for f in "${operator_controller_rbac_filelist[@]}"; do
+    yq -i '.metadata.labels["app.kubernetes.io/name"] = "operator-controller"' "${f}"
+    yq -i 'with(.; select(.kind == "Role") | .rules += { "replaceMe": "operator-controller-role-rules"})' "${f}"
+    yq -i 'with(.; select(.kind == "ClusterRole") | .rules += { "replaceMe": "operator-controller-cluster-role-rules"})' "${f}"
+done
+
+# Patch catalogd webhook
+catalogd_webhook_filelist=(
+    helm/olmv1/base/catalogd/webhook/experimental/*.yaml
+    helm/olmv1/base/catalogd/webhook/standard/*.yaml
+)
+for f in "${catalogd_webhook_filelist[@]}"; do
+    yq -i '.metadata.labels["app.kubernetes.io/name"] = "catalogd"' "${f}"
+    yq -i '.metadata.name = "catalogd-mutating-webhook-configuration"' "${f}"
+    yq -i '.metadata.annotations["catalogd-webhook-annotations"] = "replaceMe"' "${f}"
+    yq -i '.webhooks[0].clientConfig.service.namespace = "olmv1-system"' "${f}"
+    yq -i '.webhooks[0].clientConfig.service.name = "catalogd-service"' "${f}"
+    yq -i '.webhooks[0].clientConfig.service.port = 9443' "${f}"
+    yq -i '.webhooks[0].matchConditions[0].name = "MissingOrIncorrectMetadataNameLabel"' "${f}"
+    yq -i '.webhooks[0].matchConditions[0].expression = "\"name\" in object.metadata && (!has(object.metadata.labels) || !(\"olm.operatorframework.io/metadata.name\" in object.metadata.labels) || object.metadata.labels[\"olm.operatorframework.io/metadata.name\"] != object.metadata.name)"' "${f}"
+done
+
+# Patch everything generically
+filelist=(
+    helm/olmv1/base/catalogd/rbac/experimental/*.yaml
+    helm/olmv1/base/catalogd/rbac/standard/*.yaml
+    helm/olmv1/base/catalogd/crd/experimental/*.yaml
+    helm/olmv1/base/catalogd/crd/standard/*.yaml
+    helm/olmv1/base/catalogd/webhook/experimental/*.yaml
+    helm/olmv1/base/catalogd/webhook/standard/*.yaml
+    helm/olmv1/base/operator-controller/rbac/experimental/*.yaml
+    helm/olmv1/base/operator-controller/rbac/standard/*.yaml
+    helm/olmv1/base/operator-controller/crd/experimental/*.yaml
+    helm/olmv1/base/operator-controller/crd/standard/*.yaml
+)
+
+for f in "${filelist[@]}"; do
+    # Patch in the temporary items
+    yq -i '.metadata.annotations.replaceMe = "annotations"' "${f}"
+    yq -i '.metadata.labels.replaceMe = "labels"' "${f}"
+    # Replace with helm template - must be done last or yq will complain about the file format
+    sed -i.bak 's/replaceMe: annotations/{{- include "olmv1.annotations" . | nindent 4 }}/g' "${f}"
+    sed -i.bak 's/catalogd-webhook-annotations: replaceMe/{{- include "olmv1.catalogd.webhook.annotations" . | nindent 4 }}/g' "${f}"
+    sed -i.bak 's/replaceMe: labels/{{- include "olmv1.labels" . | nindent 4 }}/g' "${f}"
+    sed -i.bak 's/olmv1-system/{{ .Values.namespaces.olmv1.name }}/g' "${f}"
+    sed -i.bak 's/- replaceMe: catalogd-role-rules/{{- include "olmv1.catalogd.role.rules" . | nindent 2 }}/g' "${f}"
+    sed -i.bak 's/- replaceMe: catalogd-cluster-role-rules/{{- include "olmv1.catalogd.clusterRole.rules" . | nindent 2 }}/g' "${f}"
+    sed -i.bak 's/- replaceMe: operator-controller-role-rules/{{- include "olmv1.operatorController.role.rules" . | nindent 2 }}/g' "${f}"
+    sed -i.bak 's/- replaceMe: operator-controller-cluster-role-rules/{{- include "olmv1.operatorController.clusterRole.rules" . | nindent 2 }}/g' "${f}"
+    # Delete sed's backup file
+    rm -f "${f}.bak"
+done
@@ -42,7 +42,7 @@ for b in ${!modules[@]}; do
         # will not be generated for the standard channel - so we check the expected generated
         # file exists before copying it.
         FILE="${CRD_TMP}/${c}/${crds[${b}]}"
-        [[ -e "${FILE}" ]] && cp "${FILE}" config/base/${modules[${b}]}/crd/${c}
+        [[ -e "${FILE}" ]] && cp "${FILE}" helm/olmv1/base/${modules[${b}]}/crd/${c}
     done
 done
 

@@ -0,0 +1,12 @@
+# Default values for OLMv1.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# List of components to include
+components:
+  catalogd:
+    webhook:
+      annotations:
+        cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca
+  certManager:
+    enabled: true
@@ -0,0 +1,8 @@
+# e2e values for OLMv1.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# List of components to include
+components:
+  e2e:
+    enabled: true
@@ -0,0 +1,18 @@
+# experimental values for OLMv1.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+features:
+  apiV1MetasHandler:
+    enabled: true
+  webhookProviderCertManager:
+    enabled: true
+  singleOwnNamespaceInstallSupport:
+    enabled: true
+  preflightPermissions:
+    enabled: true
+  helmChartSupport:
+    enabled: true
+
+# This can be one of: standard or experimental
+featureSet: experimental
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: olmv1
+description: A Helm chart for OLMv1
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.3.0"