Skip to content

feat: add a Helm chart covering the full config/ surface#397

Open
xrl wants to merge 1 commit into
etcd-io:mainfrom
xrl:pr/helm-chart
Open

feat: add a Helm chart covering the full config/ surface#397
xrl wants to merge 1 commit into
etcd-io:mainfrom
xrl:pr/helm-chart

Conversation

@xrl

@xrl xrl commented Jul 7, 2026

Copy link
Copy Markdown

Summary

Adds a first-class Helm chart at charts/etcd-operator (chart 0.1.0, appVersion v0.2.0). It reproduces the full config/ surface with everything parameterized through values, so helm install etcd-operator charts/etcd-operator is equivalent to kustomize build config/default | kubectl apply -f - — and the pieces kustomize keeps behind commented-out [WEBHOOK]/[CERTMANAGER]/[PROMETHEUS]/[NETWORK POLICY] markers become plain toggles.

Parity with kustomize build config/default

kustomize resource chart
Namespace etcd-operator-system omitted — the release namespace is Helm's (--create-namespace)
CRD etcdclusters.operator.etcd.io templates/crds/ (generated, see below), gated by crds.enabled
ServiceAccount …-controller-manager serviceaccount.yaml
ClusterRole/Binding …-manager-role(binding) manager-rbac.yaml
Role/Binding …-leader-election-* leader-election-rbac.yaml (always namespaced)
ClusterRoles …-metrics-auth-*, …-metrics-reader metrics-auth-rbac.yaml, rendered only while metrics.secure=true (the only mode that uses TokenReview/SubjectAccessReview)
ClusterRoles …-etcdcluster-{editor,viewer}-role etcdcluster-user-rbac.yaml
Service …-metrics-service metrics-service.yaml
Deployment …-controller-manager deployment.yaml

Plus the optional surface: ServiceMonitor (config/prometheus), metrics NetworkPolicy (config/network-policy), webhook Service + self-signed Issuer/Certificate (config/webhook, config/certmanager), and the Validating/Mutating WebhookConfigurations with cert-manager CA injection (#384). Webhook toggles default off to match today's config/default and the v0.2.0 image.

Values highlights

  • Digest pinning: controller.image.digest renders repository@digest and wins over tag (which defaults to appVersion).
  • OPERATOR_IMAGE env defaults to the manager image ref. kustomize images: cannot rewrite env values; the chart keeps the two in lockstep automatically (digest pin included).
  • controller.watchNamespace: swaps the manager ClusterRole/ClusterRoleBinding for a namespaced Role/RoleBinding in the watched namespace (no clusterissuers rule — pair with controller.restrictClusterIssuer; includes the events.k8s.io rule from fix: grant RBAC for events.k8s.io Events emitted by the events/v1 recorder #391) and passes --watch-namespace/WATCH_NAMESPACE.
  • metrics.secure=false: plain-HTTP metrics with zero cluster-scoped metrics RBAC; the Service, ServiceMonitor scheme/auth, and NetworkPolicy port all follow.
  • admissionWebhooks.namespaceSelector: constrain the fail-closed webhooks to selected namespaces; empty keeps upstream's cluster-wide behavior.

Split rendering (why three component gates)

crds.enabled / controller.enabled / admissionWebhooks.enabled let one chart serve GitOps setups that split cluster-scoped installs from the namespaced runtime (e.g. two ArgoCD Applications, one privileged): side (a) controller.enabled=false, admissionWebhooks.enabled=true renders only the CRDs + the two WebhookConfigurations; side (b) crds.enabled=false, webhook.enabled=true renders the full runtime with neither. Exact values in the chart README.

CRD sync idiom

templates/crds/ is generated, never hand-edited: make helm-crds copies config/crd/bases/*.yaml verbatim, wraps each in the crds.enabled guard, and escapes any {{ for the template engine (none today; guarded anyway). make manifests helm-crds keeps the chart in lockstep after API changes. make helm-lint runs helm lint. No existing Makefile targets are touched.

Verification

  • helm lint: clean.
  • helm template over four configurations: default, split side (a) (exactly 3 resources), split side (b) (no CRD/WebhookConfiguration leak), and namespace-scoped (watchNamespace=kv, metrics.secure=false: zero ClusterRoles emitted).
  • Resource-by-resource parity against kustomize build config/default (table above); the Namespace is the single deliberate omission.

🤖 Generated with Claude Code


PR series — operability fixes, TLS & EtcdMirror

Small single-purpose PRs from live kind-cluster testing of the operator. Each stands alone unless an After is listed. → = this PR.

PR Lands After
Reviewable now — small, any order
🟢 #374 Requeue instead of swallowing the client-cert provisioning error
🟢 #391 Grant events.k8s.io RBAC so operator Events are actually recorded
🟢 #392 Correlate members[]/leaderID from one health snapshot (consistent leader)
🟢 #393 Propagate user-supplied altNames.ipAddresses into certificates
🟢 #394 Accept day-suffix validityDuration (365d, 100d12h) as documented
🟢 #395 Surface early reconcile errors as a Degraded condition (was empty status)
🟢 #379 Configurable reconcile worker pool (--max-concurrent-reconciles)
🟢 #369 kind-based stress/scale e2e harness (1/3/7 members, churn, quorum watcher)
🟢 #398 podTemplate.spec scheduling fields: topologySpread, resources, priorityClass, schedulerName
🟢→ #397 First-class Helm chart covering the full config/ surface
🟢 #399 Quorum-aware PodDisruptionBudget per EtcdCluster
🟢 #400 Scale-in removes the right member and transfers leadership first
🟢 #401 Backend quota + auto-compaction spec fields, NOSPACE alarm surfacing
🟢 #402 Reconcile-loop gates replace the blocking StatefulSet-ready wait
🟢 #403 Quorum-gated one-pod-at-a-time version upgrades via OnDelete
TLS stack — in order
🟢 #376 Independent spec.tls.{peer,client} surfaces (breaking alpha API)
#377 TLSReady condition + TLS lifecycle Events #376
#378 Multi-member TLS quorum e2e + PeerCANotShared #377
EtcdMirror — in order
🟢 #406 EtcdMirror CRD: one-way cross-cluster replication API (types + CEL)
🟢 #407 pkg/mirroragent replication engine (fenced checkpoint-in-target) #406
🟢 #408 Periodic reconciliation pass wired into the engine's steady-state loop #407
🟢 #412 mirror-agent binary: config/TLS-reload/statusz/metrics + kind e2e #408
🟢 #413 EtcdMirror controller: Deployment rendering, statusz-driven conditions, guards, fenced finalizer #412
🟢 #414 CRD/sample/editor+viewer-role kustomize wiring #413
🟢 #415 Controller-side phase/condition gauges, shipped PrometheusRule + dashboard #414
🟢 #416 Full-lifecycle kind e2e: fence overlap, compaction+prune, restart resume, cert rotation, cutover/reversal #415
Parked as drafts pending #363
#382 Per-cluster domain metrics on the operator /metrics endpoint
#384 EtcdCluster admission webhooks (consolidating with #328) #363
#386 EtcdBackup CR → object storage (S3/GCS) #363
#387 Automatic quorum-loss disaster recovery (bootstrap-latch guarded) #363

🟢 ready · ⚪ draft

charts/etcd-operator covers the full config/ surface (parity with
kustomize build config/default; the Namespace is left to the release):
manager Deployment, RBAC with a cluster/namespace-scoped switch
(controller.watchNamespace), secure/insecure metrics with ServiceMonitor
and NetworkPolicy toggles, cert-manager webhook serving, and the
admission WebhookConfigurations with an optional namespaceSelector.
crds.enabled / controller.enabled / admissionWebhooks.enabled split the
chart into a cluster-scoped install lane and a namespaced runtime lane
so it can be rendered twice (e.g. two ArgoCD Applications).

templates/crds/ is generated: make helm-crds copies config/crd/bases
verbatim, wraps it in the crds.enabled guard, and escapes any {{ for
the template engine. make helm-lint runs helm lint. Nothing is wired
into existing targets.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Signed-off-by: Xavier Lange <xrlange@gmail.com>
@kubernetes-prow

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: xrl
Once this PR has been reviewed and has the lgtm label, please assign hakman for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubernetes-prow

Copy link
Copy Markdown

Hi @xrl. Thanks for your PR.

I'm waiting for a etcd-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

This was referenced Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant