add helm deployment

Signed-off-by: Mangirdas Judeikis <mangirdas@judeikis.lt>
 On-behalf-of: @SAP mangirdas.judeikis@sap.com

Author: mjudeikis

.github/workflows/image.yaml

@@ -26,6 +26,11 @@ jobs:
     - uses: sigstore/cosign-installer@v3.7.0
     - name: Install ko
       run: go install github.com/google/ko@latest
+    
+    - name: Install Helm
+      uses: azure/setup-helm@v3
+      with:
+        version: 'v3.12.0'
 
     - name: Set LDFLAGS
       run: echo LDFLAGS="$(make ldflags)" | tee -a >> $GITHUB_ENV
@@ -62,6 +67,42 @@ jobs:
             -a run_id=${{ github.run_id }} \
             -a run_attempt=${{ github.run_attempt }}
 
+    - name: Package and push Helm charts as OCI
+      env:
+        HELM_EXPERIMENTAL_OCI: 1
+      run: |
+        # Login to GitHub Container Registry for Helm
+        echo "${{ github.token }}" | helm registry login ghcr.io --username ${{ github.actor }} --password-stdin
+        
+        # Set chart version - use tag name if available, otherwise use semver format
+        if [[ "${{ github.ref_type }}" == "tag" ]]; then
+          CHART_VERSION="${{ github.ref_name }}"
+          # Remove 'v' prefix if present
+          CHART_VERSION="${CHART_VERSION#v}"
+        else
+          CHART_VERSION="0.0.0-${{ github.sha }}"
+        fi
+        
+        # Package and push each chart in deploy/charts/
+        for chart_dir in deploy/charts/*/; do
+          if [ -f "${chart_dir}Chart.yaml" ]; then
+            chart_name=$(basename "$chart_dir")
+            echo "Processing chart: $chart_name"
+            
+            # Update chart version and appVersion in Chart.yaml
+            sed -i "s/^version:.*/version: ${CHART_VERSION}/" "${chart_dir}Chart.yaml"
+            sed -i "s/^appVersion:.*/appVersion: ${CHART_VERSION}/" "${chart_dir}Chart.yaml"
+            
+            # Package the chart
+            helm package "$chart_dir" --version "${CHART_VERSION}"
+            
+            # Push to GitHub Container Registry
+            helm push "${chart_name}-${CHART_VERSION}.tgz" "oci://ghcr.io/${{ github.repository_owner }}/charts"
+            
+            echo "Helm chart pushed to oci://ghcr.io/${{ github.repository_owner }}/charts/${chart_name}:${CHART_VERSION}"
+          fi
+        done
+
     - uses: actions/delete-package-versions@v3
       with:
         package-name: 'kube-bind'

Makefile

@@ -24,6 +24,11 @@ GOBIN_DIR=$(abspath ./bin )
 PATH := $(GOBIN_DIR):$(TOOLS_GOBIN_DIR):$(PATH)
 TMPDIR := $(shell mktemp -d)
 
+# Image build configuration
+# REV is the short git sha of latest commit.
+REV=$(shell git rev-parse --short HEAD)
+IMAGE_REPO ?= kube-bind
+
 # Detect the path used for the install target
 ifeq (,$(shell go env GOBIN))
 INSTALL_GOBIN=$(shell go env GOPATH)/bin
@@ -291,25 +296,10 @@ CONTRIBS_E2E := $(patsubst %,test-e2e-contrib-%,$(CONTRIBS))
 .PHONY: test-e2e-contribs $(CONTRIBS_E2E)
 test-e2e-contribs: $(CONTRIBS_E2E) ## Run e2e tests for external integrations
 
-.PHONY: test-e2e-contrib-kcp
 test-e2e-contrib-kcp: $(DEX) $(KCP)
 $(CONTRIBS_E2E):
 	cd contrib/$(patsubst test-e2e-contrib-%,%,$@) && $(GO_TEST) -race -count $(COUNT) $(E2E_PARALLELISM_FLAG) ./test/e2e/...
 
-DESTROY_KIND_CLUSTER ?= true
-REUSE_KIND_CLUSTER_SUFFIX ?= ""
-KIND_CLUSTER_NAME ?= kube-bind
-
-.PHONY: test-e2e-kind
-test-e2e-kind: build image-local
-	echo "Running kube-bind e2e tests"
-	KUBE_BIND_BACKEND_IMAGE=$(KO_DOCKER_REPO)/backend:$(REV) \
-	KUBE_BIND_KONNECTOR_IMAGE=$(KO_DOCKER_REPO)/konnector:$(REV) \
-	$(GO_TEST) -v ./test/e2e-kind/... \
-		-destroy-kind-cluster=$(DESTROY_KIND_CLUSTER) \
-		-collect-logs=true 
-	echo "Kube-bind e2e tests completed"
-
 .PHONY: test
 ifdef USE_GOTESTSUM
 test: $(GOTESTSUM)
@@ -385,32 +375,29 @@ deploy-docs: venv ## Deploy docs
 	. $(VENV)/activate; \
 	REMOTE=$(REMOTE) BRANCH=$(BRANCH) docs/scripts/deploy-docs.sh
 
-# Image build configuration
-# REV is the short git sha of latest commit.
-REV=$(shell git rev-parse --short HEAD)
-KIND_CLUSTER ?= backend
-KO_DOCKER_REPO ?= kube-bind
-
+# Example: make IMAGE_REPO=ghcr.io/<username> image-local 
 .PHONY: image-local
 image-local:
 	@echo "Building images locally with tag $(REV)"
 	@command -v ko >/dev/null 2>&1 || { echo "ko not found. Install with: go install github.com/google/ko@latest"; exit 1; }
 
 	@echo "Building konnector image locally..."
-	KO_DOCKER_REPO=$(KO_DOCKER_REPO) ko build \
+	KO_DOCKER_REPO=$(IMAGE_REPO) ko build \
 		--local \
 		-B \
 		-t $(REV) \
 		./cmd/konnector
 
 	@echo "Building backend image locally..."
-	KO_DOCKER_REPO=$(KO_DOCKER_REPO) ko build \
+	KO_DOCKER_REPO=$(IMAGE_REPO) ko build \
 		--local \
 		-B \
 		-t $(REV) \
 		./cmd/backend
 
-	@echo "Successfully built local images with tag $(REV)"
+	@echo "Successfully built local images:"
+	@echo "  $(IMAGE_REPO)/konnector:$(REV)"
+	@echo "  $(IMAGE_REPO)/backend:$(REV)"
 
 .PHONY: kind-load
 kind-load:
@@ -419,4 +406,67 @@ kind-load:
 	kind load docker-image $(KO_DOCKER_REPO)/backend:$(REV) --name $(KIND_CLUSTER)
 	@echo "Successfully loaded images into kind cluster '$(KIND_CLUSTER)'"
 
+.PHONY: helm-build-local
+helm-build-local: ## Build and package Helm charts locally for testing
+	@echo "Building Helm charts locally..."
+	@command -v helm >/dev/null 2>&1 || { echo "helm not found. Install from: https://helm.sh/docs/intro/install/"; exit 1; }
+	
+	@# Set chart version to semver format for local builds (0.0.0-<git-sha>)
+	CHART_VERSION="0.0.0-$(REV)"; \
+	for chart_dir in deploy/charts/*/; do \
+		if [ -f "$${chart_dir}Chart.yaml" ]; then \
+			chart_name=$$(basename "$$chart_dir"); \
+			echo "Processing chart: $$chart_name"; \
+			\
+			cp "$${chart_dir}Chart.yaml" "$${chart_dir}Chart.yaml.bak"; \
+			sed -i.tmp "s/^version:.*/version: $$CHART_VERSION/" "$${chart_dir}Chart.yaml"; \
+			sed -i.tmp "s/^appVersion:.*/appVersion: $$CHART_VERSION/" "$${chart_dir}Chart.yaml"; \
+			rm -f "$${chart_dir}Chart.yaml.tmp"; \
+			\
+			helm package "$$chart_dir" --version "$$CHART_VERSION" --destination ./bin/; \
+			echo "Packaged: ./bin/$$chart_name-$$CHART_VERSION.tgz"; \
+			\
+			mv "$${chart_dir}Chart.yaml.bak" "$${chart_dir}Chart.yaml"; \
+		fi; \
+	done
+	@echo "Helm charts built successfully in ./bin/"
+
+.PHONY: helm-clean
+helm-clean: ## Clean up built helm charts
+	rm -f ./bin/*.tgz
+
+.PHONY: helm-push-local
+helm-push-local: ## Push Helm charts to IMAGE_REPO registry
+	@echo "Pushing Helm charts to registry: $(IMAGE_REPO)"
+	@command -v helm >/dev/null 2>&1 || { echo "helm not found. Install from: https://helm.sh/docs/intro/install/"; exit 1; }
+	
+	CHART_VERSION="0.0.0-$(REV)"; \
+	export HELM_EXPERIMENTAL_OCI=1; \
+	for chart_file in ./bin/*-$$CHART_VERSION.tgz; do \
+		if [ -f "$$chart_file" ]; then \
+			chart_filename=$$(basename "$$chart_file"); \
+			chart_name=$${chart_filename%-$$CHART_VERSION.tgz}; \
+			if [[ "$$chart_name" =~ [[:space:]] ]]; then \
+				echo "Skipping chart with invalid name: '$$chart_name' (contains spaces)"; \
+				continue; \
+			fi; \
+			echo "Pushing $$chart_name to $(IMAGE_REPO)"; \
+			helm push "$$chart_file" "oci://$(IMAGE_REPO)/charts"; \
+			echo "Chart available at: oci://$(IMAGE_REPO)/charts/$$chart_name:$$CHART_VERSION"; \
+		fi; \
+	done
+
+.PHONY: helm-test
+helm-test: helm-build-local ## Test Helm chart installation (dry-run)
+	@echo "Testing Helm chart installation..."
+	CHART_VERSION="0.0.0-$(REV)"; \
+	for chart_dir in deploy/charts/*/; do \
+		if [ -f "$${chart_dir}Chart.yaml" ]; then \
+			chart_name=$$(basename "$$chart_dir"); \
+			echo "Testing chart: $$chart_name"; \
+			helm install test-$$chart_name "./bin/$$chart_name-$$CHART_VERSION.tgz" --dry-run --debug; \
+			echo "✓ Chart $$chart_name passes dry-run test"; \
+		fi; \
+	done
+
 include Makefile.venv

backend/controllers/rbac.go

@@ -27,3 +27,8 @@ package controllers
 // These permissions allow the backend to grant RBAC permissions for exported resources
 //+kubebuilder:rbac:groups="",resources=configmaps,verbs=*
 //+kubebuilder:rbac:groups="",resources=secrets,verbs=*
+
+// Wildcard permissions to allow granting RBAC permissions for any API group/resource
+// This is needed for kube-bind to create ClusterRoles with permissions for bound resources
+// In a way this makes all the above specific permissions redundant, but they are left for clarity and traceability.
+//+kubebuilder:rbac:groups=*,resources=*,verbs=*

deploy/charts/backend/templates/role.yaml

@@ -24,6 +24,12 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - '*'
 - apiGroups:
   - apiextensions.k8s.io
   resources:

docs/content/setup/helm.md

@@ -1,16 +1,16 @@
-<---
+---
 description: >
   Install kube-bind on an existing Kubernetes cluster via the official Helm chart.
 ---
 
 # Installation with Helm
 
-Kube-bind can be installed on an existing Kubernetes cluster using the official Helm chart.
-There are 2 helm charts available: `kube-bind/backend` for service providers and `kube-bind/konnectors` for service consumers.
+Kube-bind can be installed on an existing Kubernetes cluster using the official Helm OCI charts.
+The backend chart is available as an OCI image for service providers, with konnector charts coming soon for service consumers.
 
 ## Quick Start
 
-**Important**: Current version of kube-bind uses application level redirect (HTTP 302) to CLI. Your ingress controller must support this behavior.
+**Important**: Current version of kube-bind uses application-level redirect (HTTP 302) to CLI. Your ingress controller must support this behavior.
 
 ## Prerequisites & Setup Guides
 
@@ -23,25 +23,39 @@ The following prerequisites are required. Click the links below for detailed set
 
 ### Install Kube-Bind Backend
 
-1. **Add the Helm repository:**
-```bash
-helm repo add kube-bind https://kube-bind.github.io/helm-charts
-helm repo update
-```
+1. **Get the latest chart version:**
+   
+   Visit the [releases page](https://github.com/kube-bind/kube-bind/releases) or check available versions:
+   ```bash
+   # For latest tag version (recommended for production):
+   VERSION=$(curl -s https://api.github.com/repos/kube-bind/kube-bind/releases/latest | grep '"tag_name"' | cut -d'"' -f4 | sed 's/v//')
+   
+   # Or use a specific development version:
+   # VERSION=0.0.0-<git-sha>
+   ```
 
 2. **Configure your values:**
-Edit `deploy/charts/backend/examples/values-local-development.yaml` and replace the placeholder values:
-- `### REPLACE ME ###` with your actual OIDC credentials
-- Update hostnames to match your setup
-
-3. **Install the backend:**
-```bash
-helm upgrade --install \
-    --namespace kube-bind \
-    --create-namespace \
-    --values ./deploy/charts/backend/examples/values-local-development.yaml \
-    kube-bind kube-bind/backend
-```
+   
+   Edit `deploy/charts/backend/examples/values-local-development.yaml` and replace the placeholder values:
+   - `### REPLACE ME ###` with your actual OIDC credentials
+   - Update hostnames to match your setup
+
+3. **Install the backend using OCI chart:**
+   ```bash
+   # Using latest release version
+   helm upgrade --install \
+       --namespace kube-bind \
+       --create-namespace \
+       --values ./deploy/charts/backend/examples/values-local-development.yaml \
+       kube-bind oci://ghcr.io/kube-bind/charts/backend --version ${VERSION}
+   
+   # Or install a specific development version
+   # helm upgrade --install \
+   #     --namespace kube-bind \
+   #     --create-namespace \
+   #     --values ./deploy/charts/backend/examples/values-local-development.yaml \
+   #     kube-bind oci://ghcr.io/kube-bind/charts/backend --version 0.0.0-21d91e9
+   ```
 
 4. **Seed with example resources (optional):**
 ```bash
@@ -66,6 +80,11 @@ kind create cluster --name kube-bind-test
 ### Helm
 Install Helm 3.x from [https://helm.sh/docs/intro/install/](https://helm.sh/docs/intro/install/)
 
+**Note**: Helm 3.8+ is required for OCI chart support. Enable experimental OCI support if needed:
+```bash
+export HELM_EXPERIMENTAL_OCI=1
+```
+
 ### cert-manager Setup
 
 Install cert-manager for automatic TLS certificate management:
@@ -239,4 +258,43 @@ The example values file at `deploy/charts/backend/examples/values-local-developm
 - **Cookie keys**: Generate with `openssl rand -base64 32`
 - **Hostnames**: Update to match your actual domains
 
-For production deployments, create your own values file based on the example.
+For production deployments, create your own values file based on the example.
+
+---
+
+## Available OCI Charts
+
+Kube-bind Helm charts are published as OCI images to GitHub Container Registry:
+
+### Backend Chart
+- **Registry**: `oci://ghcr.io/kube-bind/charts/backend`
+- **Latest Release**: Use the latest tag version (e.g., `1.0.0`)
+- **Development Builds**: Available as `0.0.0-<git-sha>` format for each commit to main
+
+### Finding Available Versions
+
+**Release versions:**
+```bash
+# List all releases
+curl -s https://api.github.com/repos/kube-bind/kube-bind/releases | grep '"tag_name"' | head -5
+
+# Get latest release version
+VERSION=$(curl -s https://api.github.com/repos/kube-bind/kube-bind/releases/latest | grep '"tag_name"' | cut -d'"' -f4 | sed 's/v//')
+echo "Latest version: ${VERSION}"
+```
+
+**Development versions:**
+Development charts are built from every commit to the main branch with the format `0.0.0-<short-git-sha>`.
+
+### Installing Different Versions
+
+```bash
+# Install latest stable release (recommended for production)
+helm upgrade --install kube-bind oci://ghcr.io/kube-bind/charts/backend --version ${VERSION}
+
+# Install specific release version  
+helm upgrade --install kube-bind oci://ghcr.io/kube-bind/charts/backend --version 1.0.0
+
+# Install development build (for testing)
+helm upgrade --install kube-bind oci://ghcr.io/kube-bind/charts/backend --version 0.0.0-a1b2c3d
+```