feat(helm): Regenerate helm chart with latest kubebuilder (#159)

* [Helm] - Regenerate helm chart with latest kubebuilder

* rescaffold manifests and helm chart, remove cert-manager subchart

---------

Co-authored-by: Pervakov Grigorii <pervakov.grigory@gmail.com>

Author: Allex1

.github/workflows/ci.yaml

@@ -198,6 +198,10 @@ jobs:
             k8s_image: v1.35.1
             clickhouse_version: "26.3"
             deploy_target: test-compat-e2e
+          - name: olm-deploy-method
+            k8s_image: v1.28.15
+            clickhouse_version: "26.3"
+            deploy_target: test-compat-e2e-olm
           - name: supported-clickhouse-compatibility
             k8s_image: v1.30.13
             clickhouse_version: "26.3,26.2,26.1,25.8"

Makefile

@@ -159,7 +159,11 @@ test-clickhouse-e2e: ## Run clickhouse e2e tests.
 
 .PHONY: test-compat-e2e  # Run compatibility smoke tests across ClickHouse versions.
 test-compat-e2e: ## Run compatibility e2e tests (requires CLICKHOUSE_VERSION env var).
-	go test ./test/deploy/ -test.timeout 30m -v --ginkgo.v --ginkgo.junit-report=report/junit-report.xml
+	go test ./test/deploy/ -test.timeout 30m -v --ginkgo.v --ginkgo.label-filter=!olm --ginkgo.junit-report=report/junit-report.xml
+
+.PHONY: test-compat-e2e-olm  # Run OLM deployment smoke test.
+test-compat-e2e-olm: ## Run OLM deployment e2e test on a dedicated cluster.
+	go test ./test/deploy/ -test.timeout 30m -v --ginkgo.v --ginkgo.label-filter=olm --ginkgo.junit-report=report/junit-report.xml
 
 .PHONY: test-compat-e2e-manifest  # Run compatibility smoke tests (manifests deployment only).
 test-compat-e2e-manifest: ## Run compatibility e2e tests using manifests deployment only (requires CLICKHOUSE_VERSION env var).
@@ -186,17 +190,15 @@ lint-fix: golangci-lint ## Run golangci-lint linter and perform fixes
 ##@ Helm Chart
 
 .PHONY: generate-helmchart
-generate-helmchart: kubebuilder ## Generate helm charts
-	$(KUBEBUILDER) edit --plugins=helm/v2-alpha
-	rm .github/workflows/test-chart.yml dist/install.yaml
+generate-helmchart: kubebuilder kustomize ## Generate helm charts
+	$(KUSTOMIZE) build config/helm -o dist/install-helm.yaml
+	$(KUBEBUILDER) edit --plugins=helm/v2-alpha --manifests dist/install-helm.yaml
+	rm .github/workflows/test-chart.yml dist/install-helm.yaml
 
 .PHONY: generate-helmchart-ci
 generate-helmchart-ci: generate-helmchart ## Generate helm charts and reset some files that will always generate diff
 	git checkout dist/chart/templates/cert-manager/
 	git checkout dist/chart/templates/manager/
-	git checkout dist/chart/templates/metrics/
-	git checkout dist/chart/templates/monitoring/
-	git checkout dist/chart/templates/webhook/
 
 .PHONY: build-helmchart-dependencies
 build-helmchart-dependencies: ## Build helm chart dependencies
@@ -331,7 +333,7 @@ CONTROLLER_TOOLS_VERSION ?= v0.20.1
 ENVTEST_VERSION ?= release-0.23
 GOLANGCI_LINT_VERSION ?= v2.11.4
 GINKGO_VERSION ?= v2.28.1
-KUBEBUILDER_VERSION ?= v4.13.1
+KUBEBUILDER_VERSION ?= v4.14.0
 CODESPELL_VERSION ?= 2.4.2
 CRD_SCHEMA_CHECKER_VERSION ?= latest
 CRD_REF_DOCS_VERSION ?= v0.3.0

PROJECT

@@ -7,7 +7,7 @@ layout:
 - go.kubebuilder.io/v4
 plugins:
   helm.kubebuilder.io/v2-alpha:
-    manifests: dist/install.yaml
+    manifests: dist/install-helm.yaml
     output: dist
   manifests.sdk.operatorframework.io/v2: {}
   scorecard.sdk.operatorframework.io/v2: {}

config/default/kustomization.yaml

@@ -74,6 +74,35 @@ replacements:
 #          delimiter: '.'
 #          index: 0
 #          create: true
+#      - select:
+#          kind: ServiceMonitor
+#          group: monitoring.coreos.com
+#          version: v1
+#          name: controller-manager-metrics-monitor
+#        fieldPaths:
+#          - spec.endpoints.0.tlsConfig.serverName
+#        options:
+#          delimiter: '.'
+#          index: 0
+#          create: true
+#
+#  - source:
+#      kind: Service
+#      version: v1
+#      name: metrics-service
+#      fieldPath: metadata.namespace
+#    targets:
+#      - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor
+#          kind: ServiceMonitor
+#          group: monitoring.coreos.com
+#          version: v1
+#          name: controller-manager-metrics-monitor
+#        fieldPaths:
+#          - spec.endpoints.0.tlsConfig.serverName
+#        options:
+#          delimiter: '.'
+#          index: 1
+#          create: true
 
 # [WEBHOOK] To enable webhook, uncomment this section.
   - source: # Update Certificate DNS names to match the Service name

config/helm/kustomization.yaml

@@ -0,0 +1,137 @@
+namespace: clickhouse-operator-system
+namePrefix: clickhouse-operator-
+
+resources:
+- ../crd
+- ../rbac
+- ../manager
+- ../prometheus
+
+components:
+  - ../certmanager
+  - ../webhook
+  - ../metrics_secure
+
+replacements:
+  - source:
+      kind: Deployment
+      version: v1
+      name: controller-manager
+      fieldPath: metadata.namespace
+    targets:
+      - select:
+          kind: Certificate
+          name: serving-cert
+        fieldPaths:
+          - .spec.dnsNames.[=NAMESPACE]
+        options:
+          delimiter: '.'
+          index: 1
+          create: true
+
+  - source:
+      kind: Service
+      version: v1
+      name: metrics-service
+      fieldPath: metadata.name
+    targets:
+      - select:
+          kind: Certificate
+          name: serving-cert
+        fieldPaths:
+          - .spec.dnsNames.[=METRICS_SERVICE_NAME]
+        options:
+          delimiter: '.'
+          index: 0
+          create: true
+      - select:
+          kind: ServiceMonitor
+          group: monitoring.coreos.com
+          version: v1
+          name: controller-manager-metrics-monitor
+        fieldPaths:
+          - spec.endpoints.0.tlsConfig.serverName
+        options:
+          delimiter: '.'
+          index: 0
+          create: true
+
+  - source:
+      kind: Service
+      version: v1
+      name: metrics-service
+      fieldPath: metadata.namespace
+    targets:
+      - select:
+          kind: ServiceMonitor
+          group: monitoring.coreos.com
+          version: v1
+          name: controller-manager-metrics-monitor
+        fieldPaths:
+          - spec.endpoints.0.tlsConfig.serverName
+        options:
+          delimiter: '.'
+          index: 1
+          create: true
+
+  - source: # Update Certificate DNS names to match the Service name
+      kind: Service
+      version: v1
+      name: webhook-service
+      fieldPath: metadata.name
+    targets:
+      - select:
+          kind: Certificate
+          name: serving-cert
+        fieldPaths:
+          - .spec.dnsNames.[=WEBHOOK_SERVICE_NAME]
+        options:
+          delimiter: '.'
+          index: 0
+          create: true
+  - source: # Set certificate reference to cert-manager.io/inject-ca-from annotation
+      kind: Certificate
+      group: cert-manager.io
+      version: v1
+      name: serving-cert # This name should match the one in certificate.yaml
+      fieldPath: .metadata.namespace # Namespace of the certificate CR
+    targets:
+      - select:
+          kind: ValidatingWebhookConfiguration
+        fieldPaths:
+          - .metadata.annotations.[cert-manager.io/inject-ca-from]
+        options:
+          delimiter: '/'
+          index: 0
+          create: true
+      - select:
+          kind: MutatingWebhookConfiguration
+        fieldPaths:
+          - .metadata.annotations.[cert-manager.io/inject-ca-from]
+        options:
+          delimiter: '/'
+          index: 0
+          create: true
+  - source:
+      kind: Certificate
+      group: cert-manager.io
+      version: v1
+      name: serving-cert
+      fieldPath: .metadata.name
+    targets:
+      - select:
+          kind: ValidatingWebhookConfiguration
+        fieldPaths:
+          - .metadata.annotations.[cert-manager.io/inject-ca-from]
+        options:
+          delimiter: '/'
+          index: 1
+          create: true
+      - select:
+          kind: MutatingWebhookConfiguration
+        fieldPaths:
+          - .metadata.annotations.[cert-manager.io/inject-ca-from]
+        options:
+          delimiter: '/'
+          index: 1
+          create: true

config/metrics/service.yaml

@@ -9,7 +9,7 @@ metadata:
   namespace: system
 spec:
   ports:
-  - name: metrics
+  - name: http
     port: 8080
     protocol: TCP
     targetPort: 8080

config/metrics_secure/service.yaml

@@ -9,7 +9,7 @@ metadata:
   namespace: system
 spec:
   ports:
-  - name: metrics
+  - name: https
     port: 9443
     protocol: TCP
     targetPort: 9443

config/prometheus/monitor.yaml

@@ -11,20 +11,24 @@ metadata:
 spec:
   endpoints:
     - path: /metrics
-      port: metrics # Ensure this is the name of the port that exposes HTTPS metrics
+      port: https # Ensure this is the name of the port that exposes HTTPS metrics
       scheme: https
       bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
       tlsConfig:
-        # TODO(user): The option insecureSkipVerify: true is not recommended for production since it disables
-        # certificate verification. This poses a significant security risk by making the system vulnerable to
-        # man-in-the-middle attacks, where an attacker could intercept and manipulate the communication between
-        # Prometheus and the monitored services. This could lead to unauthorized access to sensitive metrics data,
-        # compromising the integrity and confidentiality of the information.
-        # Please use the following options for secure configurations:
-        # caFile: /etc/metrics-certs/ca.crt
-        # certFile: /etc/metrics-certs/tls.crt
-        # keyFile: /etc/metrics-certs/tls.key
-        insecureSkipVerify: true
+        # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize
+        serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc
+        insecureSkipVerify: false
+        ca:
+          secret:
+            name: metrics-server-cert
+            key: ca.crt
+        cert:
+          secret:
+            name: metrics-server-cert
+            key: tls.crt
+        keySecret:
+          name: metrics-server-cert
+          key: tls.key
   selector:
     matchLabels:
       control-plane: controller-manager

dist/chart/Chart.lock

@@ -15,8 +15,3 @@ maintainers:
     email: operator@clickhouse.com
 home: https://github.com/ClickHouse/clickhouse-operator
 icon: "https://clickhouse.com/docs/img/clickhouse-operator-logo.svg"
-dependencies:
-  - name: cert-manager
-    version: "v1.19.2"
-    repository: "oci://quay.io/jetstack/charts"
-    condition: certManager.install