Add Helm chart publishing workflow

.github/workflows/publish-chart.yml

@@ -0,0 +1,52 @@
+name: Build and Publish Helm Chart
+
+permissions:
+  contents: read
+
+on:
+  release:
+    types:
+    - published
+  push:
+    branches:
+    - main
+    tags:
+    - v*.*.*
+  pull_request:
+    branches:
+    - main
+    paths-ignore:
+    - 'docs/**'
+    - '**/*.md'
+    types: [labeled, unlabeled, opened, synchronize, reopened]
+
+jobs:
+  publish-charts:
+    runs-on: ubuntu-latest
+    if: github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'ok-to-chart')
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Set up Helm
+      uses: azure/setup-helm@v4.3.0
+      with:
+        version: v3.16.2
+    - name: Configure Git
+      run: |
+        git config user.name "$GITHUB_ACTOR"
+        git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+    - name: Set charts version
+      if: github.event_name == 'push'
+      run: |
+        sed -i "s/version: .*/version: ${GITHUB_REF_NAME#v}/" dist/chart/Chart.yaml
+    - name: Move crds folder out of templates
+      run: mv dist/chart/templates/crd dist/chart/crds
+    - name: Run chart-releaser
+      uses: bitdeps/helm-oci-charts-releaser@v0.1.4
+      with:
+        charts_dir: dist/chart
+        oci_registry: ghcr.io/${{ github.repository_owner }}/charts
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        oci_password: ${{ secrets.GITHUB_TOKEN }}
+        oci_username: ${{ github.actor }}
+        skip_gh_release: true

dist/chart/templates/manager/manager.yaml

@@ -8,6 +8,8 @@ metadata:
     control-plane: controller-manager
 spec:
   replicas:  {{ .Values.controllerManager.replicas }}
+  strategy:
+    type: {{ .Values.controllerManager.strategy.type | quote }}
   selector:
     matchLabels:
       {{- include "chart.selectorLabels" . | nindent 6 }}
@@ -28,35 +30,36 @@ spec:
       containers:
         - name: manager
           args:
-            {{- range .Values.controllerManager.container.args }}
+            {{- range .Values.controllerManager.manager.args }}
             - {{ . }}
             {{- end }}
           command:
             - /manager
-          image: {{ .Values.controllerManager.container.image.repository }}:{{ .Values.controllerManager.container.image.tag }}
-          {{- if .Values.controllerManager.container.env }}
+          image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag }}
+          {{- if .Values.controllerManager.manager.env }}
           env:
-            {{- range $key, $value := .Values.controllerManager.container.env }}
+            {{- range $key, $value := .Values.controllerManager.manager.env }}
             - name: {{ $key }}
               value: {{ $value }}
             {{- end }}
           {{- end }}
           livenessProbe:
-            {{- toYaml .Values.controllerManager.container.livenessProbe | nindent 12 }}
+            {{- toYaml .Values.controllerManager.manager.livenessProbe | nindent 12 }}
           readinessProbe:
-            {{- toYaml .Values.controllerManager.container.readinessProbe | nindent 12 }}
+            {{- toYaml .Values.controllerManager.manager.readinessProbe | nindent 12 }}
           {{- if .Values.webhook.enable }}
           ports:
             - containerPort: 9443
               name: webhook-server
               protocol: TCP
           {{- end }}
           resources:
-            {{- toYaml .Values.controllerManager.container.resources | nindent 12 }}
+            {{- toYaml .Values.controllerManager.manager.resources | nindent 12 }}
           securityContext:
-            {{- toYaml .Values.controllerManager.container.securityContext | nindent 12 }}
-          {{- if and .Values.certmanager.enable (or .Values.webhook.enable .Values.metrics.enable) }}
+            {{- toYaml .Values.controllerManager.manager.securityContext | nindent 12 }}
           volumeMounts:
+            - mountPath: /etc/macdb/
+              name: macdb
             {{- if and .Values.webhook.enable .Values.certmanager.enable }}
             - name: webhook-cert
               mountPath: /tmp/k8s-webhook-server/serving-certs
@@ -67,14 +70,15 @@ spec:
               mountPath: /tmp/k8s-metrics-server/metrics-certs
               readOnly: true
             {{- end }}
-          {{- end }}
       securityContext:
-        {{- toYaml .Values.controllerManager.securityContext | nindent 8 }}
+        {{- toYaml .Values.controllerManager.podSecurityContext | nindent 8 }}
       serviceAccountName: {{ .Values.controllerManager.serviceAccountName }}
       hostNetwork: {{ .Values.controllerManager.hostNetwork }}
       terminationGracePeriodSeconds: {{ .Values.controllerManager.terminationGracePeriodSeconds }}
-      {{- if and .Values.certmanager.enable (or .Values.webhook.enable .Values.metrics.enable) }}
       volumes:
+        - name: macdb
+          secret:
+            secretName: macdb
         {{- if and .Values.webhook.enable .Values.certmanager.enable }}
         - name: webhook-cert
           secret:
@@ -85,4 +89,3 @@ spec:
           secret:
             secretName: metrics-server-cert
         {{- end }}
-      {{- end }}

dist/chart/values.yaml

@@ -1,7 +1,9 @@
 # [MANAGER]: Manager Deployment Configurations
 controllerManager:
   replicas: 1
-  container:
+  strategy:
+    type: Recreate
+  manager:
     image:
       repository: controller
       tag: latest
@@ -11,11 +13,11 @@ controllerManager:
       - "--health-probe-bind-address=:8081"
     resources:
       limits:
-        cpu: 500m
-        memory: 128Mi
+        cpu: 300m
+        memory: 200Mi
       requests:
-        cpu: 10m
-        memory: 64Mi
+        cpu: 300m
+        memory: 50Mi
     livenessProbe:
       initialDelaySeconds: 15
       periodSeconds: 20
@@ -33,12 +35,13 @@ controllerManager:
       capabilities:
         drop:
           - "ALL"
-  securityContext:
+  podSecurityContext:
     runAsNonRoot: true
     seccompProfile:
       type: RuntimeDefault
   terminationGracePeriodSeconds: 10
   serviceAccountName: metal-operator-controller-manager
+  hostNetwork: true
 
 # [RBAC]: To enable RBAC (Permissions) configurations
 rbac: