review fixes + retire kustomize

Signed-off-by: Andrey Kolkov <androndo@gmail.com>

Author: androndo

.github/workflows/ci.yml

@@ -18,10 +18,12 @@ jobs:
           cache: true
 
       - name: codegen drift
-        # If a contributor edits an API type without re-running codegen,
-        # this gate catches it before CRDs and deepcopy ship out of sync
-        # with the Go types. Runs before `make test` so the as-committed
-        # state of generated files is what we check.
+        # If a contributor edits an API type or +kubebuilder:rbac markers
+        # without re-running codegen, this gate catches it before the chart's
+        # CRDs (charts/etcd-operator/crd-bases), manager RBAC rules
+        # (charts/etcd-operator/files/manager-role-rules.yaml), or deepcopy ship
+        # out of sync. Runs before `make test` so the as-committed state of
+        # generated files is what we check.
         run: |
           make generate manifests
           if ! git diff --quiet --exit-code; then

.github/workflows/helm-publish.yml

@@ -24,9 +24,11 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
-      # make helm-sync regenerates the CRDs (controller-gen) and copies them
-      # into the chart, so the published package always carries CRDs matching
-      # the tagged API types — never a stale committed copy.
+      # make manifests regenerates the CRDs and manager RBAC rules (controller-gen)
+      # straight into the chart, so the published package always matches the
+      # tagged API types and +kubebuilder:rbac markers — never a stale committed
+      # copy. (ci.yml's drift gate already enforces this on PRs; this is belt-and-
+      # suspenders at publish time.)
       - uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
@@ -37,8 +39,8 @@ jobs:
         with:
           version: 'v3.16.4'
 
-      - name: Sync CRDs into the chart
-        run: make helm-sync
+      - name: Regenerate CRDs and RBAC into the chart
+        run: make manifests
 
       - name: Resolve chart versions from tag
         run: |

.github/workflows/release-assets.yml

@@ -2,9 +2,10 @@ name: Upload release assets
 
 # When a GitHub release is created for a tag, render the install manifests for
 # that tag's image and attach them to the release. `make build-dist-manifests`
-# sets the `controller` image (and, via the kustomize replacement in
-# config/default, the manager's OPERATOR_IMAGE env) to the released ref, so the
-# attached YAML deploys the matching operator and its snapshot/restore agent.
+# is `helm template` of the chart with image.repository/tag set to the released
+# ref; the chart renders image == OPERATOR_IMAGE, so the attached YAML deploys
+# the matching operator and its snapshot/restore agent. For consumers who
+# kubectl-apply rather than helm-install.
 
 on:
   release:
@@ -28,6 +29,12 @@ jobs:
           go-version-file: go.mod
           cache: true
 
+      # build-dist-manifests renders the chart via `helm template`.
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: 'v3.16.4'
+
       - name: Resolve release tag
         run: echo "RELEASE_TAG=${{ github.ref_name }}" >> $GITHUB_ENV
 
@@ -57,3 +64,52 @@ jobs:
           asset_name: etcd-operator.non-crds.yaml
           tag: ${{ github.ref }}
           overwrite: true
+
+  # Standalone client CLIs (kubectl-etcd plugin + etcd-migrate). They are not in
+  # the operator image (client-side / admin tools), so they ship as
+  # cross-compiled release binaries. Separate job: no Helm needed, and a failure
+  # here doesn't block the manifest assets above.
+  cli-binaries:
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Resolve release tag
+        run: echo "RELEASE_TAG=${{ github.ref_name }}" >> $GITHUB_ENV
+
+      - name: Cross-compile CLIs
+        run: make dist-cli VERSION=${RELEASE_TAG}
+
+      - name: Upload etcd-migrate binaries
+        uses: svenstaro/upload-release-action@2.9.0
+        with:
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          file: dist/etcd-migrate-*
+          file_glob: true
+          tag: ${{ github.ref }}
+          overwrite: true
+
+      - name: Upload kubectl-etcd binaries
+        uses: svenstaro/upload-release-action@2.9.0
+        with:
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          file: dist/kubectl-etcd-*
+          file_glob: true
+          tag: ${{ github.ref }}
+          overwrite: true
+
+      - name: Upload CLI checksums
+        uses: svenstaro/upload-release-action@2.9.0
+        with:
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          file: dist/cli-SHA256SUMS.txt
+          asset_name: cli-SHA256SUMS.txt
+          tag: ${{ github.ref }}
+          overwrite: true

.github/workflows/release-smoke.yml

@@ -20,7 +20,6 @@ on:
       - 'charts/**'
       - 'Makefile'
       - 'Dockerfile'
-      - 'config/**'
       - 'api/**'
   workflow_dispatch:
 

Makefile

@@ -1,6 +1,11 @@
 
 # Image URL to use all building/pushing image targets
 IMG ?= controller:latest
+
+# Version stamped into the standalone CLIs (etcd-migrate, kubectl-etcd) via
+# -ldflags. Defaults to `git describe`; the release workflow passes the tag.
+VERSION ?= $(shell git describe --tags --always --dirty 2>/dev/null || echo dev)
+CLI_LDFLAGS ?= -X main.version=$(VERSION)
 # ENVTEST_K8S_VERSION is derived from the k8s.io/api version in go.mod so a
 # dependency bump automatically pulls the matching envtest assets — no need
 # to remember to update this in two places. (Pattern stolen from
@@ -42,8 +47,20 @@ help: ## Display this help.
 ##@ Development
 
 .PHONY: manifests
-manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
-	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+manifests: controller-gen yq ## Generate CRDs and the manager RBAC rules straight into the Helm chart.
+	# CRDs land in charts/etcd-operator/crd-bases/ (templates/crds.yaml renders
+	# them, with the helm.sh/resource-policy:keep annotation); the manager
+	# ClusterRole rules land in charts/etcd-operator/files/ for templates/rbac.yaml
+	# to pull in via .Files.Get. ci.yml's codegen-drift gate (make manifests +
+	# git diff) then guards BOTH against drift from the API types and the
+	# +kubebuilder:rbac markers — no second source of truth, no grep guard.
+	$(CONTROLLER_GEN) rbac:roleName=manager-role crd paths="./..." \
+		output:crd:artifacts:config=charts/etcd-operator/crd-bases \
+		output:rbac:artifacts:config=charts/etcd-operator/files
+	# controller-gen emits a whole ClusterRole; the chart only needs its rules
+	# (it wraps them in a release-named, labelled ClusterRole of its own).
+	$(YQ) eval '.rules' charts/etcd-operator/files/role.yaml > charts/etcd-operator/files/manager-role-rules.yaml
+	rm -f charts/etcd-operator/files/role.yaml
 
 .PHONY: generate
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
@@ -74,7 +91,7 @@ release-smoke: ## Smoke-test the tag-release manifest install path on kind: buil
 	hack/release-smoke.sh
 
 .PHONY: helm-smoke
-helm-smoke: helm-sync ## Smoke-test the Helm chart install path on kind: build image -> helm install chart -> assert operator Available and a 1-node cluster READY. KEEP_CLUSTER=1 keeps the cluster.
+helm-smoke: ## Smoke-test the Helm chart install path on kind: build image -> helm install chart -> assert operator Available and a 1-node cluster READY. KEEP_CLUSTER=1 keeps the cluster.
 	INSTALL_MODE=helm hack/release-smoke.sh
 
 ##@ Build
@@ -85,11 +102,27 @@ build: manifests generate fmt vet ## Build manager binary.
 
 .PHONY: kubectl-etcd
 kubectl-etcd: fmt vet ## Build the kubectl-etcd plugin binary.
-	go build -o bin/kubectl-etcd ./cmd/kubectl-etcd
+	go build -ldflags "$(CLI_LDFLAGS)" -o bin/kubectl-etcd ./cmd/kubectl-etcd
 
 .PHONY: etcd-migrate
 etcd-migrate: fmt vet ## Build the etcd-migrate (legacy v1alpha1 -> v1alpha2) CLI binary.
-	go build -o bin/etcd-migrate ./cmd/etcd-migrate
+	go build -ldflags "$(CLI_LDFLAGS)" -o bin/etcd-migrate ./cmd/etcd-migrate
+
+.PHONY: dist-cli
+dist-cli: ## Cross-compile etcd-migrate and kubectl-etcd into dist/ for release (linux/darwin x amd64/arm64). VERSION stamps the binary version.
+	# Produces the standalone CLIs the release-assets workflow attaches to a
+	# release, named <cmd>-<os>-<arch>, plus a SHA256 checksum file. These are
+	# client-side tools (kubectl-etcd is a kubectl plugin, etcd-migrate is an
+	# admin-run migration CLI), so they ship as binaries, not in the operator image.
+	mkdir -p dist
+	for os in linux darwin; do for arch in amd64 arm64; do \
+	  for cmd in etcd-migrate kubectl-etcd; do \
+	    echo "building dist/$$cmd-$$os-$$arch"; \
+	    CGO_ENABLED=0 GOOS=$$os GOARCH=$$arch \
+	      go build -ldflags "$(CLI_LDFLAGS)" -o dist/$$cmd-$$os-$$arch ./cmd/$$cmd; \
+	  done; \
+	done; done
+	cd dist && { command -v sha256sum >/dev/null 2>&1 && sha256sum etcd-migrate-* kubectl-etcd-* || shasum -a 256 etcd-migrate-* kubectl-etcd-*; } > cli-SHA256SUMS.txt
 
 .PHONY: run
 run: manifests generate fmt vet ## Run a controller from your host.
@@ -124,51 +157,46 @@ docker-buildx: test ## Build and push docker image for the manager for cross-pla
 	rm Dockerfile.cross
 
 .PHONY: build-dist-manifests
-build-dist-manifests: manifests generate kustomize yq ## Render the release install manifests into dist/ for IMG.
-	# Produces the YAMLs the release-assets workflow attaches to a tag:
-	#   dist/etcd-operator.yaml          – everything (CRDs + deployment)
+build-dist-manifests: manifests generate require-helm yq ## Render the release install manifests into dist/ for IMG.
+	# Produces the YAMLs the release-assets workflow attaches to a tag, for users
+	# who kubectl-apply instead of helm-install:
+	#   dist/etcd-operator.yaml          – everything (Namespace + CRDs + operator)
 	#   dist/etcd-operator.crds.yaml     – CRDs only
 	#   dist/etcd-operator.non-crds.yaml – everything except CRDs
-	# Setting the `controller` image also propagates into the manager's
-	# OPERATOR_IMAGE env via the kustomize replacement in config/default, so
-	# the snapshot/restore agent runs the same ref. Pass IMG=<registry>/etcd-operator:<tag>.
+	# This is just `helm template` of the chart, so the rendered manifest IS the
+	# chart: the image == OPERATOR_IMAGE wiring and the RBAC come from one source.
+	# namespace.create emits the Namespace so a bare `kubectl apply -f
+	# etcd-operator.yaml` is self-contained. Rendering is pure — no tracked file
+	# is mutated. Pass IMG=<registry>/etcd-operator:<tag>.
 	mkdir -p dist
-	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
-	$(KUSTOMIZE) build config/default > dist/etcd-operator.yaml
-	$(KUSTOMIZE) build config/default | $(YQ) eval 'select(.kind != "CustomResourceDefinition")' - > dist/etcd-operator.non-crds.yaml
-	$(KUSTOMIZE) build config/default | $(YQ) eval 'select(.kind == "CustomResourceDefinition")' - > dist/etcd-operator.crds.yaml
-
-.PHONY: helm-sync
-helm-sync: manifests ## Vendor the generated CRDs into the Helm chart's crds/ directory.
-	# The chart's RBAC/Deployment templates are hand-authored from config/, but
-	# the CRDs (large, schema-bearing, regenerated by controller-gen) are copied
-	# verbatim so they never drift from the API types. helm-publish.yml re-runs
-	# this before packaging so a published chart always carries current CRDs.
-	mkdir -p charts/etcd-operator/crds
-	cp config/crd/bases/*.yaml charts/etcd-operator/crds/
+	img='$(IMG)'; $(HELM) template etcd-operator charts/etcd-operator \
+		--namespace etcd-operator-system \
+		--set image.repository="$${img%:*}" --set image.tag="$${img##*:}" \
+		--set namespace.create=true \
+		> dist/etcd-operator.yaml
+	$(YQ) eval 'select(.kind != "CustomResourceDefinition")' dist/etcd-operator.yaml > dist/etcd-operator.non-crds.yaml
+	$(YQ) eval 'select(.kind == "CustomResourceDefinition")' dist/etcd-operator.yaml > dist/etcd-operator.crds.yaml
 
 ##@ Deployment
 
-ifndef ignore-not-found
-  ignore-not-found = false
-endif
-
-.PHONY: install
-install: manifests kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config.
-	$(KUSTOMIZE) build config/crd | kubectl apply -f -
-
-.PHONY: uninstall
-uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
-	$(KUSTOMIZE) build config/crd | kubectl delete --ignore-not-found=$(ignore-not-found) -f -
+# The Helm-driven install targets below. The chart is the single source of
+# truth for CRDs, RBAC, and the manager Deployment.
+HELM_RELEASE ?= etcd-operator
+NAMESPACE ?= etcd-operator-system
 
 .PHONY: deploy
-deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
-	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
-	$(KUSTOMIZE) build config/default | kubectl apply -f -
+deploy: manifests require-helm ## Install/upgrade the operator (CRDs + RBAC + manager) via Helm. Pass IMG=<registry>/etcd-operator:<tag>.
+	# The chart renders image == OPERATOR_IMAGE, so there is no separate image-
+	# replacement step; CRDs are templated into the release so `helm upgrade`
+	# keeps them current. The IMG split into repository:tag handles registry ports.
+	img='$(IMG)'; $(HELM) upgrade --install $(HELM_RELEASE) charts/etcd-operator \
+		--namespace $(NAMESPACE) --create-namespace \
+		--set image.repository="$${img%:*}" --set image.tag="$${img##*:}" \
+		--wait --timeout 5m
 
 .PHONY: undeploy
-undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
-	$(KUSTOMIZE) build config/default | kubectl delete --ignore-not-found=$(ignore-not-found) -f -
+undeploy: require-helm ## Uninstall the operator release. CRDs carry resource-policy:keep, so EtcdClusters survive — delete them (and the CRDs) by hand to wipe data.
+	$(HELM) uninstall $(HELM_RELEASE) --namespace $(NAMESPACE)
 
 ##@ Build Dependencies
 
@@ -178,16 +206,17 @@ $(LOCALBIN):
 	mkdir -p $(LOCALBIN)
 
 ## Tool Versions
-KUSTOMIZE_VERSION ?= v5.6.0
 CONTROLLER_TOOLS_VERSION ?= v0.18.0
 YQ_VERSION ?= v4.44.1
 
 ## Tool Binaries (version-suffixed so a version bump auto-triggers reinstall
 ## and stale builds of an old version stay on disk alongside the new one).
-KUSTOMIZE ?= $(LOCALBIN)/kustomize-$(KUSTOMIZE_VERSION)
 CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen-$(CONTROLLER_TOOLS_VERSION)
 ENVTEST ?= $(LOCALBIN)/setup-envtest
 YQ ?= $(LOCALBIN)/yq-$(YQ_VERSION)
+# Helm is the one tool we don't vendor (no clean `go install`); it must be on
+# PATH. release-smoke/e2e and the publish workflows install it via setup-helm.
+HELM ?= helm
 
 # go-install-tool installs $2@$3 under $1. `go install` drops the binary at
 # $LOCALBIN/<basename>, so we rename it after install to the version-suffixed
@@ -202,10 +231,12 @@ mv "$$(echo "$(1)" | sed "s/-$(3)$$//")" $(1) ;\
 }
 endef
 
-.PHONY: kustomize
-kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary.
-$(KUSTOMIZE): $(LOCALBIN)
-	$(call go-install-tool,$(KUSTOMIZE),sigs.k8s.io/kustomize/kustomize/v5,$(KUSTOMIZE_VERSION))
+.PHONY: require-helm
+require-helm: ## Assert Helm is on PATH (used by deploy/undeploy/build-dist-manifests).
+	@command -v $(HELM) >/dev/null 2>&1 || { \
+		echo "ERROR: helm not found on PATH. Install Helm v3.16+ (https://helm.sh/docs/intro/install/)."; \
+		exit 1; \
+	}
 
 .PHONY: controller-gen
 controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary.

README.md

@@ -37,12 +37,12 @@ No multi-user / per-tenant RBAC inside etcd — single-user `root` auth is avail
 ## Quick start
 
 ```sh
-# 1. Install CRDs and the operator. Builds an image and pushes it to your
-#    registry; substitute IMG= for a prebuilt tag if you have one. The cluster
-#    must be able to pull from <your-registry> — for local clusters (kind /
-#    minikube / k3d) sideload the image or use an ephemeral registry such as
-#    ttl.sh, otherwise the operator Deployment will sit in ImagePullBackOff.
-make install
+# 1. Install the operator (CRDs + RBAC + manager) with Helm. Builds an image and
+#    pushes it to your registry; substitute IMG= for a prebuilt tag if you have
+#    one. The cluster must be able to pull from <your-registry> — for local
+#    clusters (kind / minikube / k3d) sideload the image or use an ephemeral
+#    registry such as ttl.sh, otherwise the Deployment sits in ImagePullBackOff.
+#    `make deploy` runs `helm upgrade --install` (needs helm v3.16+ on PATH).
 make docker-build docker-push deploy IMG=<your-registry>/etcd-operator:<tag>
 
 # 2. Create a cluster.

api/v1alpha2/validation_envtest_test.go

@@ -77,11 +77,12 @@ func TestMain(m *testing.M) {
 	os.Exit(code)
 }
 
-// crdBasesDir resolves config/crd/bases relative to this test file —
-// go test's CWD is the package directory and the CRDs live two levels up.
+// crdBasesDir resolves the chart's raw generated CRDs relative to this test
+// file — go test's CWD is the package directory and the CRDs (written by
+// `make manifests`) live under charts/etcd-operator/crd-bases two levels up.
 func crdBasesDir() string {
 	_, here, _, _ := runtime.Caller(0)
-	return filepath.Join(filepath.Dir(here), "..", "..", "config", "crd", "bases")
+	return filepath.Join(filepath.Dir(here), "..", "..", "charts", "etcd-operator", "crd-bases")
 }
 
 func ptr32(v int32) *int32 { return &v }