feat: helm chart

Added a Helm chart so that users can install the Oxide cloud controller
manager using Helm.

Helm has its own quirks, listed below, that influenced my approach.

* Helm "best practices" place arbitrary top-level attributes in
`values.yaml` that, quite frankly, I didn't see as good design. I used
a minimal approach for `_helpers.tpl` and `values.yaml` that we'll refine
over time through usage and feedback.

* `helm push` expects to use `name` and `version` from
`Chart.yaml` as the last part of the image name and the
image tag respectively. Originally, I wanted to push to
`ghcr.io/oxidecomputer/oxide-cloud-controller-manager/charts`
to keep the image name in line with the GitHub organization and
repository name. However, that would mean I'd need to use `charts`
as the value for `name`, which is extremely silly. I ended up
setting `name` to `oxide-cloud-controller-manager` and pushing to
`ghcr.io/oxidecomputer/charts/oxide-cloud-controller-manager`.

I'll hold my thoughts on Helm overall, but let's just say I was reminded
why I avoided Helm most of my career. Regardless, it's good to support
Helm for our Kubernetes integrations so users have a "standard" path
for installation.

Closes #178.

Author: sudomateo

.gitignore

@@ -0,0 +1 @@
+*.tgz

Makefile

@@ -17,6 +17,11 @@ IMAGE_NAME ?= oxide-cloud-controller-manager
 IMAGE_TAG ?= $(patsubst v%,%,$(VERSION))$(if $(RELEASE),,-$(GIT_COMMIT_SHORT))
 IMAGE_FULL ?= $(if $(IMAGE_REGISTRY),$(IMAGE_REGISTRY)/)$(IMAGE_NAME):$(IMAGE_TAG)
 
+# Helm chart configuration.
+CHART_DIR ?= charts/oxide-cloud-controller-manager
+CHART_REGISTRY ?= oci://ghcr.io/oxidecomputer/charts
+HELM ?= go tool -modfile tools/go.mod helm
+
 .PHONY: test
 test:
 	@echo "Running tests in container..."
@@ -45,3 +50,24 @@ build:
 push:
 	@echo "Pushing container image: $(IMAGE_FULL)"
 	$(CONTAINER_RUNTIME) push $(IMAGE_FULL)
+
+.PHONY: manifest
+manifest: helm-set-version
+	@echo "Generating manifest: manifests/oxide-cloud-controller-manager.yaml"
+	$(HELM) template oxide-cloud-controller-manager $(CHART_DIR) \
+		--namespace kube-system \
+		> manifests/oxide-cloud-controller-manager.yaml
+
+.PHONY: helm-set-version
+helm-set-version:
+	@sed -i 's/^version: .*/version: "$(patsubst v%,%,$(VERSION))"/' $(CHART_DIR)/Chart.yaml
+	@sed -i 's/^appVersion: .*/appVersion: "$(patsubst v%,%,$(VERSION))"/' $(CHART_DIR)/Chart.yaml
+
+.PHONY: helm-package
+helm-package: helm-set-version
+	$(HELM) package $(CHART_DIR)
+
+.PHONY: helm-push
+helm-push: helm-package
+	$(HELM) push $(IMAGE_NAME)-$(patsubst v%,%,$(VERSION)).tgz \
+		$(CHART_REGISTRY)

charts/oxide-cloud-controller-manager/Chart.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: v2
+name: oxide-cloud-controller-manager
+description: "Oxide Kubernetes Cloud Controller Manager."
+type: application
+version: "0.3.0"
+appVersion: "0.3.0"
+keywords:
+  - oxide
+  - cloud-controller-manager
+home: "https://github.com/oxidecomputer/oxide-cloud-controller-manager"
+sources:
+  - "https://github.com/oxidecomputer/oxide-cloud-controller-manager"
+maintainers:
+  - name: Oxide Computer Company
+    email: support@oxide.computer
+    url: "https://oxide.computer"
+icon: "https://oxide.computer/favicon.svg"

charts/oxide-cloud-controller-manager/templates/_helpers.tpl

@@ -0,0 +1,30 @@
+{{- define "oxide-ccm.name" -}}
+{{- default .Chart.Name .Values.name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "oxide-ccm.fullName" -}}
+{{- $name := include "oxide-ccm.name" . }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+
+{{- define "oxide-ccm.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "oxide-ccm.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "oxide-ccm.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{- define "oxide-ccm.labels" -}}
+helm.sh/chart: {{ include "oxide-ccm.chart" . }}
+{{ include "oxide-ccm.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}

charts/oxide-cloud-controller-manager/templates/clusterrole.yaml

@@ -0,0 +1,91 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:{{ include "oxide-ccm.fullName" . }}
+  labels:
+    {{- include "oxide-ccm.labels" . | nindent 4 }}
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+rules:
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - watch
+  - list
+  - create
+  - update
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - '*'
+- apiGroups:
+  - ""
+  resources:
+  - nodes/status
+  verbs:
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services/status
+  verbs:
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumes
+  verbs:
+  - get
+  - list
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch

charts/oxide-cloud-controller-manager/templates/clusterrolebinding.yaml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:{{ include "oxide-ccm.fullName" . }}
+  labels:
+    {{- include "oxide-ccm.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:{{ include "oxide-ccm.fullName" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "oxide-ccm.fullName" . }}
+  namespace: {{ .Release.Namespace }}

charts/oxide-cloud-controller-manager/templates/deployment.yaml

@@ -0,0 +1,56 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "oxide-ccm.fullName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "oxide-ccm.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.deployment.replicas }}
+  selector:
+    matchLabels:
+      {{- include "oxide-ccm.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "oxide-ccm.selectorLabels" . | nindent 8 }}
+    spec:
+      dnsPolicy: Default
+      hostNetwork: true
+      serviceAccountName: {{ include "oxide-ccm.fullName" . }}
+      priorityClassName: system-cluster-critical
+      tolerations:
+        - key: "node.cloudprovider.kubernetes.io/uninitialized"
+          value: "true"
+          effect: "NoSchedule"
+        - key: "CriticalAddonsOnly"
+          operator: "Exists"
+        - key: "node-role.kubernetes.io/control-plane"
+          effect: NoSchedule
+      containers:
+      - name: {{ include "oxide-ccm.name" . }}
+        image: "{{ .Values.deployment.image.name }}:{{ .Values.deployment.image.tag | default .Chart.AppVersion }}"
+        imagePullPolicy: {{ .Values.deployment.imagePullPolicy }}
+        command:
+          - "/usr/bin/oxide-cloud-controller-manager"
+          - "--cloud-provider=oxide"
+        resources:
+          requests:
+            cpu: 100m
+            memory: 50Mi
+        env:
+          - name: OXIDE_HOST
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "oxide-ccm.fullName" . }}
+                key: oxide-host
+          - name: OXIDE_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "oxide-ccm.fullName" . }}
+                key: oxide-token
+          - name: OXIDE_PROJECT
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "oxide-ccm.fullName" . }}
+                key: oxide-project

charts/oxide-cloud-controller-manager/templates/serviceaccount.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "oxide-ccm.fullName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "oxide-ccm.labels" . | nindent 4 }}

charts/oxide-cloud-controller-manager/values.yaml

@@ -0,0 +1,6 @@
+deployment:
+  replicas: 1
+  image:
+    name: ghcr.io/oxidecomputer/oxide-cloud-controller-manager
+    tag: ""
+  imagePullPolicy: IfNotPresent