Extend helm-chart with backend & docs (#502)

* Add configurable backend deployment
* Add helm docs
* bump helm version

---------

Signed-off-by: Mangirdas Judeikis <mangirdas@judeikis.lt>
On-behalf-of: SAP <mangirdas.judeikis@sap.com>

Author: mjudeikis

Makefile

@@ -35,6 +35,7 @@ DEX_VERSION := v2.43.1
 GOLANGCI_LINT_VERSION := 2.1.6
 GORELEASER_VERSION := 2.13.0
 GOTESTSUM_VERSION := 1.8.1
+HELM_DOCS_VERSION := 1.14.2
 HELM_VERSION := 3.18.6
 # unreleased kcp version with vw code for schemas
 KCP_VERSION := 301a8f749e7b99a0c81f43b37aa5b5e5ff0fc0b4
@@ -175,6 +176,14 @@ install-goreleaser:
 install-helm:
 	@hack/uget.sh https://get.helm.sh/helm-v{VERSION}-{GOOS}-{GOARCH}.tar.gz helm $(HELM_VERSION)
 
+HELM_DOCS = $(UGET_DIRECTORY)/helm-docs-$(HELM_DOCS_VERSION)
+
+.PHONY: install-helm-docs
+install-helm-docs: export OS ?= $(shell uname -s)
+install-helm-docs: export ARCH ?= $(shell uname -m)
+install-helm-docs:
+	@hack/uget.sh https://github.com/norwoodj/helm-docs/releases/download/v{VERSION}/helm-docs_{VERSION}_{ENV:OS}_{ENV:ARCH}.tar.gz helm-docs $(HELM_DOCS_VERSION) helm-docs
+
 # e2e tests use this env name to locate the dex binary; make sure it's an absolute path
 export DEX_BINARY = $(ROOT_DIR)/$(UGET_DIRECTORY)/dex-$(DEX_VERSION)
 
@@ -364,7 +373,7 @@ verify-modules: modules  # Verify go modules are up to date
 	done
 
 .PHONY: verify
-verify: verify-go-versions verify-modules verify-imports verify-codegen verify-boilerplate ## verify formal properties of the code
+verify: verify-go-versions verify-modules verify-imports verify-codegen verify-boilerplate verify-helm-docs ## verify formal properties of the code
 
 .PHONY: help
 help: ## Show this help
@@ -442,4 +451,16 @@ helm-push-local: ## Push Helm charts to IMAGE_REPO registry
 helm-test: helm-build-local ## Test Helm chart installation (dry-run)
 	@hack/helm-test.sh
 
+.PHONY: generate-helm-docs
+generate-helm-docs: install-helm-docs ## Generate Helm chart documentation
+	$(HELM_DOCS) --chart-search-root deploy/charts
+
+.PHONY: verify-helm-docs
+verify-helm-docs: generate-helm-docs ## Verify Helm chart documentation is up to date
+	@if ! git diff --quiet HEAD -- deploy/charts/**/README.md; then \
+		git diff -- deploy/charts/**/README.md; \
+		echo "Helm chart documentation is out of date, please run 'make generate-helm-docs'"; \
+		exit 1; \
+	fi
+
 include Makefile.venv

deploy/charts/backend/Chart.yaml

@@ -21,4 +21,4 @@ version: 0.1.0
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "v0.6.0"
+appVersion: "v0.7.1"

deploy/charts/backend/README.md

@@ -0,0 +1,101 @@
+# backend
+
+A Helm chart for kube-bind backend deployment
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.7.1](https://img.shields.io/badge/AppVersion-v0.7.1-informational?style=flat-square)
+
+## Installation
+
+```bash
+helm install kube-bind-backend oci://ghcr.io/kube-bind/charts/backend --version <version>
+```
+
+## Configuration
+
+See [values.yaml](values.yaml) for the full list of configurable parameters.
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` | Affinity rules for pod scheduling |
+| autoscaling.enabled | bool | `false` | Enable horizontal pod autoscaling |
+| autoscaling.maxReplicas | int | `100` | Maximum number of replicas |
+| autoscaling.minReplicas | int | `1` | Minimum number of replicas |
+| autoscaling.targetCPUUtilizationPercentage | int | `80` | Target CPU utilization percentage |
+| backend.apibindingIgnorePrefixes | list | `[]` | Name prefixes of APIBindings to ignore when generating APIServiceExportTemplates |
+| backend.apiexportEndpointSliceName | string | `""` | APIExport EndpointSlice name to watch |
+| backend.clusterScopeIsolation | string | `"prefix"` | Cluster-scope isolation mode. Options: none, prefix, namespaced |
+| backend.consumerScope | string | `"namespaced"` | Consumer scope. Options: "namespaced" |
+| backend.cookieEncryptionKey | string | `""` | Cookie encryption key (base64 encoded). Empty generates random key on each start (not for production!) |
+| backend.cookieSigningKey | string | `""` | Cookie signing key (base64 encoded). Empty generates random key on each start (not for production!) |
+| backend.externalAddress | string | `""` | External address clients use to reach the backend |
+| backend.externalServerName | string | `""` | External server name for TLS SNI |
+| backend.extraArgs | list | `[]` | Extra command-line arguments to pass to the backend |
+| backend.frontendDisabled | bool | `false` | Disable the frontend UI |
+| backend.listenAddress | string | `"0.0.0.0:8080"` | Address the backend listens on |
+| backend.loggingLevel | int | `2` | Logging verbosity level |
+| backend.multiclusterRuntimeProvider | string | `""` | Multicluster runtime provider (e.g., "kcp") |
+| backend.namespacePrefix | string | `"kube-bind-"` | Prefix for namespaces created by kube-bind |
+| backend.oidc.allowedGroups | list | `[]` | List of groups allowed to access bindings. With embedded OIDC, system:authenticated is added automatically |
+| backend.oidc.allowedUsers | list | `[]` | List of users allowed to access bindings |
+| backend.oidc.callbackUrl | string | `""` | OIDC callback URL |
+| backend.oidc.clientId | string | `""` | OIDC client ID |
+| backend.oidc.clientSecret | string | `""` | OIDC client secret (plaintext, prefer clientSecretName for production) |
+| backend.oidc.clientSecretKey | string | `""` | Key within the secret (e.g., "client-secret") |
+| backend.oidc.clientSecretName | string | `""` | Name of the Kubernetes secret containing the OIDC client secret |
+| backend.oidc.issuerUrl | string | `""` | OIDC issuer URL (leave empty for embedded OIDC server) |
+| backend.oidc.type | string | `"embedded"` | OIDC provider type. Options: "embedded" or "external" |
+| backend.prettyName | string | `""` | Human-readable name for this backend instance |
+| backend.schemaSource | string | `""` | Schema source (e.g., "apiresourceschemas") |
+| backend.tls.certSecretName | string | `""` | Name of the Kubernetes secret containing TLS certificate |
+| backend.tls.enabled | bool | `false` | Enable TLS for the backend |
+| backend.tls.tlsCertFile | string | `"/etc/kube-bind/tls/tls.crt"` | Path to TLS certificate file inside the container |
+| backend.tls.tlsKeyFile | string | `"/etc/kube-bind/tls/tls.key"` | Path to TLS key file inside the container |
+| certManager.clusterIssuer | string | `""` | Name of the ClusterIssuer to use |
+| certManager.enabled | bool | `false` | Enable cert-manager integration for automatic TLS certificates |
+| examples.enabled | bool | `false` | Enable example resources to seed on first start |
+| fullnameOverride | string | `""` | Override the full release name |
+| gatewayApi.enabled | bool | `false` | Enable Gateway API resources |
+| gatewayApi.gateway.annotations | object | `{}` | Annotations to add to the Gateway resource |
+| gatewayApi.gateway.className | string | `""` | Gateway class name |
+| gatewayApi.gateway.httpPort | int | `80` | HTTP listener port |
+| gatewayApi.gateway.httpsPort | int | `443` | HTTPS listener port |
+| gatewayApi.gateway.tls.certificateRefs | list | `[]` | TLS certificate references for the Gateway |
+| gatewayApi.route.annotations | object | `{}` | Annotations to add to the HTTPRoute resource |
+| gatewayApi.route.hostnames | list | `[]` | Hostnames for the HTTPRoute |
+| gatewayApi.route.path | string | `"/"` | Path match for the HTTPRoute |
+| gatewayApi.route.pathType | string | `"PathPrefix"` | Path match type for the HTTPRoute |
+| hostAliases | list | `[]` | Host aliases for /etc/hosts injection into pods |
+| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
+| image.repository | string | `"ghcr.io/kube-bind/backend"` | Image repository |
+| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion |
+| imagePullSecrets | list | `[]` | Secrets for pulling images from a private repository |
+| initContainers | list | `[]` | Additional init containers |
+| livenessProbe | object | `{"httpGet":{"path":"/healthz","port":"http"}}` | Liveness probe configuration |
+| nameOverride | string | `""` | Override the chart name |
+| nodeSelector | object | `{}` | Node selector for pod scheduling |
+| podAnnotations | object | `{}` | Annotations to add to the pod |
+| podLabels | object | `{}` | Labels to add to the pod |
+| podSecurityContext | object | `{}` | Pod security context |
+| rbac.create | bool | `true` | Specifies whether RBAC resources should be created |
+| readinessProbe | object | `{"httpGet":{"path":"/healthz","port":"http"}}` | Readiness probe configuration |
+| replicaCount | int | `1` | Number of replicas for the backend deployment |
+| resources | object | `{}` | Resource requests and limits |
+| securityContext | object | `{}` | Container security context |
+| service.httpsNodePort | string | `""` | NodePort for HTTPS (only used when type is NodePort) |
+| service.httpsPort | int | `8443` | HTTPS service port |
+| service.nodePort | string | `""` | NodePort for HTTP (only used when type is NodePort) |
+| service.port | int | `8080` | HTTP service port |
+| service.type | string | `"ClusterIP"` | Service type |
+| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
+| serviceAccount.automount | bool | `true` | Automatically mount the ServiceAccount's API credentials |
+| serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
+| tolerations | list | `[]` | Tolerations for pod scheduling |
+| volumeMounts | list | `[]` | Additional volumeMounts on the output Deployment definition |
+| volumes | list | `[]` | Additional volumes on the output Deployment definition |
+
+---
+
+*This README is generated by [helm-docs](https://github.com/norwoodj/helm-docs). Do not edit manually.*

deploy/charts/backend/README.md.gotmpl

@@ -0,0 +1,25 @@
+{{ template "chart.header" . }}
+
+{{ template "chart.description" . }}
+
+{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
+
+## Installation
+
+```bash
+helm install kube-bind-backend oci://ghcr.io/kube-bind/charts/backend --version <version>
+```
+
+## Configuration
+
+See [values.yaml](values.yaml) for the full list of configurable parameters.
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "chart.valuesSection" . }}
+
+{{ template "chart.maintainersSection" . }}
+
+---
+
+*This README is generated by [helm-docs](https://github.com/norwoodj/helm-docs). Do not edit manually.*

deploy/charts/backend/templates/deployment.yaml

@@ -36,6 +36,10 @@ spec:
       hostAliases:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.initContainers }}
+      initContainers:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           {{- with .Values.securityContext }}
@@ -112,6 +116,24 @@ spec:
             - --oidc-allowed-users={{ . }}
             {{- end }}
             {{- end }}
+            {{- if .Values.backend.multiclusterRuntimeProvider }}
+            - --multicluster-runtime-provider={{ .Values.backend.multiclusterRuntimeProvider }}
+            {{- end }}
+            {{- if .Values.backend.schemaSource }}
+            - --schema-source={{ .Values.backend.schemaSource }}
+            {{- end }}
+            {{- if .Values.backend.apiexportEndpointSliceName }}
+            - --apiexport-endpoint-slice-name={{ .Values.backend.apiexportEndpointSliceName }}
+            {{- end }}
+            {{- if .Values.backend.frontendDisabled }}
+            - --frontend-disabled=true
+            {{- end }}
+            {{- range .Values.backend.apibindingIgnorePrefixes }}
+            - --apibinding-ignore-prefixes={{ . }}
+            {{- end }}
+            {{- range .Values.backend.extraArgs }}
+            - {{ . }}
+            {{- end }}
             {{- if .Values.backend.loggingLevel }}
             - -v={{ .Values.backend.loggingLevel }}
             {{- end }}