⭐️ Improve Helm chart management and cleanup (#849, #821)

- Add pre-delete hook to clean up MondooAuditConfig resources on uninstall
- Add cleanup subcommand to operator CLI (replaces external kubectl image)
- Replace helmify-based chart generation with hand-maintained templates
- Add hack/update-helm-crds.sh script to update only CRDs from generated sources
- Add chart-testing (ct) linting to CI and Makefile
- Add Mondoo icon to Helm chart
- Add Helm chart integration tests

The cleanup hook now uses the operator's own image instead of a third-party
kubectl image, eliminating a supply chain dependency.

Fixes #849, Fixes #821

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: chris-rock

.github/workflows/lint.yaml

@@ -40,6 +40,23 @@ jobs:
           # Disabled until existing shellcheck warnings are addressed
           shellcheck: false
 
+  helm-lint:
+    runs-on: ubuntu-latest
+    name: Helm Lint
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
+
+      - name: Run chart-testing (lint)
+        run: ct lint --charts charts/mondoo-operator --validate-maintainers=false
+
   license-check:
     runs-on: ubuntu-latest
     steps:

Makefile

@@ -146,7 +146,7 @@ test/integration: manifests generate generate-manifests load-k3d
 else
 test/integration: manifests generate generate-manifests load-minikube
 endif
-	go test -ldflags $(LDFLAGS) -v -timeout 20m -p 1 ./tests/integration/...
+	MONDOO_OPERATOR_IMAGE_TAG=$(VERSION) go test -ldflags $(LDFLAGS) -v -timeout 20m -p 1 ./tests/integration/...
 
 ifeq ($(K8S_DISTRO),gke)
 test/integration/ci: gotestsum
@@ -159,11 +159,15 @@ test/integration/ci: gotestsum load-k3d/ci
 else
 test/integration/ci: gotestsum load-minikube/ci
 endif
-	$(GOTESTSUM) --junitfile integration-tests.xml -- ./tests/integration/... -ldflags $(LDFLAGS) -v -timeout 20m -p 1
+	MONDOO_OPERATOR_IMAGE_TAG=$(VERSION) $(GOTESTSUM) --junitfile integration-tests.xml -- ./tests/integration/... -ldflags $(LDFLAGS) -v -timeout 20m -p 1
 
 test/integration/external-cluster: ## Run external cluster integration test (requires k3d management cluster)
 	K8S_DISTRO=k3d go test -ldflags $(LDFLAGS) -v -timeout 15m -p 1 ./tests/integration/... -run TestExternalClusterSuite
 
+.PHONY: test/integration/helm
+test/integration/helm: load-k3d ## Run Helm chart integration tests
+	MONDOO_OPERATOR_IMAGE_TAG=$(VERSION) go test -ldflags $(LDFLAGS) -v -timeout 15m -p 1 ./tests/integration/... -run TestHelmChartSuite
+
 ##@ Build
 
 build: manifests generate fmt vet ## Build manager binary.
@@ -351,17 +355,27 @@ catalog-build: opm ## Build a catalog image.
 catalog-push: ## Push a catalog image.
 	$(MAKE) docker-push IMG=$(CATALOG_IMG)
 
-HELMIFY = $(LOCALBIN)/helmify
-helmify: $(LOCALBIN) ## Download helmify locally if necessary.
-	GOBIN=$(LOCALBIN) go install github.com/arttor/helmify/cmd/helmify@v0.4.18
-
-helm: manifests kustomize helmify
-	$(KUSTOMIZE) build config/default | $(HELMIFY) $(CHART_NAME)
-	# The above command creates a helm chart, which has duplicate labels after templating
-	# We can remove the static doublicate labels here
-	sed -i -z 's#\(\n[[:blank:]]*selector:\)\n[[:blank:]]*app.kubernetes.io/name: mondoo-operator#\1#' charts/mondoo-operator/templates/metrics-service.yaml
-	sed -i -z 's#\([[:blank:]]*selector:\n[[:blank:]]*matchLabels:\)\n[[:blank:]]*app.kubernetes.io/name: mondoo-operator#\1#' charts/mondoo-operator/templates/deployment.yaml
-	sed -i -z 's#\([[:blank:]]*template:\n[[:blank:]]*metadata:\n[[:blank:]]*labels:\)\n[[:blank:]]*app.kubernetes.io/name: mondoo-operator#\1#' charts/mondoo-operator/templates/deployment.yaml
+##@ Helm Chart Management
+# The Helm chart templates are hand-maintained. Only CRDs are auto-generated.
+# See: https://github.com/mondoohq/mondoo-operator/issues/821
+
+.PHONY: helm/crds
+helm/crds: manifests kustomize ## Update only the CRD templates in the Helm chart from generated CRDs.
+	./hack/update-helm-crds.sh
+
+.PHONY: helm/lint
+helm/lint: ## Lint the Helm chart using chart-testing (ct).
+	@if command -v ct >/dev/null 2>&1; then \
+		ct lint --charts charts/mondoo-operator --validate-maintainers=false; \
+	else \
+		echo "chart-testing (ct) not found, falling back to helm lint"; \
+		echo "Install ct for more comprehensive linting: brew install chart-testing"; \
+		helm lint charts/mondoo-operator; \
+	fi
+
+.PHONY: helm/template
+helm/template: ## Render Helm chart templates for debugging.
+	helm template test charts/mondoo-operator
 
 # Install prettier gloablly via
 # yarn global add prettier --prefix /usr/local

charts/mondoo-operator/Chart.yaml

@@ -22,3 +22,4 @@ version: 12.0.1
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
 appVersion: "12.0.1"
+icon: https://raw.githubusercontent.com/mondoohq/mondoo-operator/main/charts/mondoo-operator/icon.svg