Add helm charts

.github/workflows/publish-chart.yml

@@ -0,0 +1,65 @@
+name: Release Helm Chart
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - 'v*.*.*'
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  helm-chart:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v3.16.2
+
+      - name: Determine chart version
+        id: chart_version
+        run: |
+          if [[ "${{ github.event_name }}" == "push" && "${{ github.ref }}" == "refs/heads/main" ]]; then
+            # Use SHA for main branch
+            CHART_VERSION="0.0.0-$(echo ${{ github.sha }} | cut -c1-7)"
+          elif [[ "${{ github.event_name }}" == "push" && "${{ github.ref }}" =~ ^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            # Use tag version (strip 'v' prefix)
+            CHART_VERSION="${GITHUB_REF#refs/tags/v}"
+          else
+            # Use PR SHA for dry run
+            CHART_VERSION="0.0.0-$(echo ${{ github.sha }} | cut -c1-7)"
+          fi
+          echo "version=$CHART_VERSION" >> $GITHUB_OUTPUT
+
+      - name: Install Kustomize
+        run: |
+          curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash
+          mv kustomize /usr/local/bin
+
+      - name: Prepare CRDs folder
+        run: |
+          mkdir -p dist/chart/crds
+          kustomize build config/default | yq ea 'select(.kind == "CustomResourceDefinition")' > dist/chart/crds/crds.yaml
+          rm -rf dist/chart/templates/crd
+
+      - name: Package Helm chart
+        run: |
+          helm package dist/chart --version ${{ steps.chart_version.outputs.version }}
+
+      - name: Log in to GitHub Container Registry
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u ${{ github.actor }} --password-stdin
+
+      - name: Push Helm chart to GHCR
+        run: |
+          helm push boot-operator-${{ steps.chart_version.outputs.version }}.tgz oci://ghcr.io/${{ github.repository_owner }}/charts

.github/workflows/test-chart.yml

@@ -0,0 +1,70 @@
+name: Test Chart
+
+permissions:
+  contents: read
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  test-e2e:
+    name: Run on Ubuntu
+    runs-on: ubuntu-latest
+    steps:
+      - name: Clone the code
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Install Helm
+        run: |
+          curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
+
+      - name: Verify Helm installation
+        run: helm version
+
+      - name: Lint Helm Chart
+        run: |
+          helm lint ./dist/chart
+  
+      - name: Install the latest version of kind
+        run: |
+          curl -Lo ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-amd64
+          chmod +x ./kind
+          sudo mv ./kind /usr/local/bin/kind
+
+      - name: Verify kind installation
+        run: kind version
+
+      - name: Create kind cluster
+        run: kind create cluster
+
+      - name: Prepare boot-operator
+        run: |
+          go mod tidy
+          make docker-build IMG=boot-operator:v0.1.0
+          kind load docker-image boot-operator:v0.1.0
+
+      - name: Install cert-manager via Helm
+        run: |
+          helm repo add jetstack https://charts.jetstack.io
+          helm repo update
+          helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true
+
+      - name: Wait for cert-manager to be ready
+        run: |
+          kubectl wait --namespace cert-manager --for=condition=available --timeout=300s deployment/cert-manager
+          kubectl wait --namespace cert-manager --for=condition=available --timeout=300s deployment/cert-manager-cainjector
+          kubectl wait --namespace cert-manager --for=condition=available --timeout=300s deployment/cert-manager-webhook
+
+      - name: Install Helm chart for project
+        run: |
+          helm install my-release ./dist/chart --create-namespace --namespace boot-operator-system
+
+      - name: Check Helm release status
+        run: |
+          helm status my-release --namespace boot-operator-system

Makefile

@@ -171,6 +171,10 @@ e2e-deploy: manifests kustomize ## Deploy controller to the K8s cluster specifie
 undeploy: kustomize ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
 	$(KUSTOMIZE) build config/default | $(KUBECTL) delete --ignore-not-found=$(ignore-not-found) -f -
 
+.PHONY: helm
+helm: manifests kubebuilder
+	$(KUBEBUILDER) edit --plugins=helm/v1-alpha
+
 ##@ Dependencies
 
 ## Location to install dependencies to
@@ -187,6 +191,7 @@ GOLANGCI_LINT = $(LOCALBIN)/golangci-lint
 ADDLICENSE ?= $(LOCALBIN)/addlicense
 GOIMPORTS ?= $(LOCALBIN)/goimports
 GEN_CRD_API_REFERENCE_DOCS ?= $(LOCALBIN)/gen-crd-api-reference-docs
+KUBEBUILDER ?= $(LOCALBIN)/kubebuilder-$(KUBEBUILDER_VERSION)
 
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v5.5.0
@@ -199,6 +204,7 @@ GOLANGCI_LINT_VERSION ?= v2.1
 ADDLICENSE_VERSION ?= v1.1.1
 GOIMPORTS_VERSION ?= v0.31.0
 GEN_CRD_API_REFERENCE_DOCS_VERSION ?= v0.3.0
+KUBEBUILDER_VERSION ?= v4.5.1
 
 .PHONY: kustomize
 kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary.
@@ -257,6 +263,11 @@ gen-crd-api-reference-docs: $(GEN_CRD_API_REFERENCE_DOCS) ## Download gen-crd-ap
 $(GEN_CRD_API_REFERENCE_DOCS): $(LOCALBIN)
 	$(call go-install-tool,$(GEN_CRD_API_REFERENCE_DOCS),github.com/ahmetb/gen-crd-api-reference-docs,$(GEN_CRD_API_REFERENCE_DOCS_VERSION))
 
+.PHONY: kubebuilder
+kubebuilder: $(KUBEBUILDER) ## Download kubebuilder locally if necessary.
+$(KUBEBUILDER): $(LOCALBIN)
+	$(call go-install-tool,$(KUBEBUILDER),sigs.k8s.io/kubebuilder/v4,$(KUBEBUILDER_VERSION))
+
 # go-install-tool will 'go install' any package with custom target and name of binary, if it doesn't exist
 # $1 - target path with name of binary
 # $2 - package url which can be installed

PROJECT

@@ -5,6 +5,8 @@
 domain: ironcore.dev
 layout:
 - go.kubebuilder.io/v4
+plugins:
+  helm.kubebuilder.io/v1-alpha: {}
 projectName: boot-operator
 repo: github.com/ironcore-dev/boot-operator
 resources:

REUSE.toml

@@ -4,7 +4,7 @@ SPDX-PackageSupplier = "IronCore authors <[email protected]>"
 SPDX-PackageDownloadLocation = "https://github.com/ironcore-dev/boot-operator"
 
 [[annotations]]
-path = [".github/**", ".gitignore", "CODEOWNERS", "Dockerfile", "Makefile", "PROJECT", "config/**", "gen/**", "go.mod", "go.sum", "hack/**", "server/**", "templates/**", "internal/**", "cmd/**", "api/**", "config/**", "test/**", "CONTRIBUTING.md", "PROJECT", "mkdocs.yml", ".dockerignore", ".golangci.yml", "REUSE.toml"]
+path = [".github/**", ".gitignore", "CODEOWNERS", "Dockerfile", "Makefile", "PROJECT", "config/**", "dist/**", "dist/**", "gen/**", "go.mod", "go.sum", "hack/**", "server/**", "templates/**", "internal/**", "cmd/**", "api/**", "config/**", "test/**", "CONTRIBUTING.md", "PROJECT", "mkdocs.yml", ".dockerignore", ".golangci.yml", "REUSE.toml"]
 precedence = "aggregate"
 SPDX-FileCopyrightText = "2025 SAP SE or an SAP affiliate company and IronCore contributors"
 SPDX-License-Identifier = "Apache-2.0"

dist/chart/.helmignore

@@ -0,0 +1,25 @@
+# Patterns to ignore when building Helm packages.
+# Operating system files
+.DS_Store
+
+# Version control directories
+.git/
+.gitignore
+.bzr/
+.hg/
+.hgignore
+.svn/
+
+# Backup and temporary files
+*.swp
+*.tmp
+*.bak
+*.orig
+*~
+
+# IDE and editor-related files
+.idea/
+.vscode/
+
+# Helm chart artifacts
+dist/chart/*.tgz

dist/chart/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: boot-operator
+description: A Helm chart to distribute the project boot-operator
+type: application
+version: 0.1.0
+appVersion: "0.1.0"
+icon: "https://example.com/icon.png"

dist/chart/templates/_helpers.tpl

@@ -0,0 +1,50 @@
+{{- define "chart.name" -}}
+{{- if .Chart }}
+  {{- if .Chart.Name }}
+    {{- .Chart.Name | trunc 63 | trimSuffix "-" }}
+  {{- else if .Values.nameOverride }}
+    {{ .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+  {{- else }}
+    boot-operator
+  {{- end }}
+{{- else }}
+  boot-operator
+{{- end }}
+{{- end }}
+
+
+{{- define "chart.labels" -}}
+{{- if .Chart.AppVersion -}}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if .Chart.Version }}
+helm.sh/chart: {{ .Chart.Version | quote }}
+{{- end }}
+app.kubernetes.io/name: {{ include "chart.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+
+{{- define "chart.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "chart.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+
+{{- define "chart.hasMutatingWebhooks" -}}
+{{- $hasMutating := false }}
+{{- range . }}
+  {{- if eq .type "mutating" }}
+    $hasMutating = true }}{{- end }}
+{{- end }}
+{{ $hasMutating }}}}{{- end }}
+
+
+{{- define "chart.hasValidatingWebhooks" -}}
+{{- $hasValidating := false }}
+{{- range . }}
+  {{- if eq .type "validating" }}
+    $hasValidating = true }}{{- end }}
+{{- end }}
+{{ $hasValidating }}}}{{- end }}

dist/chart/templates/certmanager/certificate.yaml

@@ -0,0 +1,60 @@
+{{- if .Values.certmanager.enable }}
+# Self-signed Issuer
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  labels:
+    {{- include "chart.labels" . | nindent 4 }}
+  name: selfsigned-issuer
+  namespace: {{ .Release.Namespace }}
+spec:
+  selfSigned: {}
+{{- if .Values.webhook.enable }}
+---
+# Certificate for the webhook
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  annotations:
+    {{- if .Values.crd.keep }}
+    "helm.sh/resource-policy": keep
+    {{- end }}
+  name: serving-cert
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "chart.labels" . | nindent 4 }}
+spec:
+  dnsNames:
+    - boot-operator.{{ .Release.Namespace }}.svc
+    - boot-operator.{{ .Release.Namespace }}.svc.cluster.local
+    - boot-operator-webhook-service.{{ .Release.Namespace }}.svc
+  issuerRef:
+    kind: Issuer
+    name: selfsigned-issuer
+  secretName: webhook-server-cert
+{{- end }}
+{{- if .Values.metrics.enable }}
+---
+# Certificate for the metrics
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  annotations:
+    {{- if .Values.crd.keep }}
+    "helm.sh/resource-policy": keep
+    {{- end }}
+  labels:
+    {{- include "chart.labels" . | nindent 4 }}
+  name: metrics-certs
+  namespace: {{ .Release.Namespace }}
+spec:
+  dnsNames:
+    - boot-operator.{{ .Release.Namespace }}.svc
+    - boot-operator.{{ .Release.Namespace }}.svc.cluster.local
+    - boot-operator-metrics-service.{{ .Release.Namespace }}.svc
+  issuerRef:
+    kind: Issuer
+    name: selfsigned-issuer
+  secretName: metrics-server-cert
+{{- end }}
+{{- end }}