Add Helm chart for kubernetes-nmstate operator

[sanjay7178]

Is this a BUG FIX or a FEATURE ?:

Uncomment only one, leave it on its own line:

/kind bug

/kind enhancement

What this PR does / why we need it:
This PR adds support for helm chart for kubernetes-nmstate operator . Helm would help in deploying, updating, and managing the current operator .
Currently tis helm chart can be published to artifacthub.io , for seamless usage .

Special notes for your reviewer:

This Issue #1410 proposes to use similar helm configuration of metallb repository . So CRDs would live in charts/crds/crds/ , Helm's special crds/ directory guarantees they are installed and registered before any templates run, avoiding the NMState CR race condition on fresh installs. CRDs are skippable via --set crds.enabled=false for GitOps / cluster-admin managed environments . NMState CR by default are deploys the handler DaemonSet on all nodes automatically.

# Full install (operator + CRDs + handler)
helm install nmstate charts/kubernetes-nmstate

# Operator only (no handler)
helm install nmstate charts/kubernetes-nmstate --set nmstateCR.create=false

# Skip CRD installation
helm install nmstate charts/kubernetes-nmstate --set crds.enabled=false

# Uninstall
helm uninstall nmstate

Release note:

Closes: #1410

[kubevirt-bot]

Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[kubevirt-bot]

Hi @sanjay7178. Thanks for your PR.

PRs from untrusted users cannot be marked as trusted with /ok-to-test in this repo meaning untrusted PR authors can never trigger tests themselves. Collaborators can still trigger tests on the PR using /test all.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[kubevirt-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign mkowalski for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the deployability of the kubernetes-nmstate operator by introducing a comprehensive Helm chart. This chart streamlines the installation process, allowing users to easily deploy and configure the operator and its associated components, including CRDs, through standard Helm practices. The addition of a kcli plan also provides a robust testing environment for validating network configurations.

Highlights

• Helm Chart Introduction: A new Helm chart has been added for the kubernetes-nmstate operator, enabling simplified deployment and management of the operator within Kubernetes environments.
• CRD Integration: The Helm chart includes the necessary Custom Resource Definitions (CRDs) for nmstate.io resources, ensuring that the operator can manage network configurations effectively.
• Configurability: The chart provides extensive configuration options through values.yaml for the operator and handler components, including image details, namespaces, resource limits, and an optional NMState Custom Resource creation.
• Testing Utilities: A kcli plan for an RKE2 test cluster with spare NICs has been introduced, facilitating testing of nmstate ethernet configurations.

Changelog

• charts/kubernetes-nmstate/.helmignore
  • Added a new .helmignore file to specify patterns to ignore when building Helm packages.
• charts/kubernetes-nmstate/Chart.yaml
  • Added the Chart.yaml file, defining the Helm chart's metadata, version, description, and maintainer information.
• charts/kubernetes-nmstate/crds/nmstate.io_nmstates.yaml
  • Added a reference to the nmstate.io_nmstates.yaml CRD, linking to the operator's Custom Resource Definition.
• charts/kubernetes-nmstate/crds/nmstate.io_nodenetworkconfigurationenactments.yaml
  • Added a reference to the nmstate.io_nodenetworkconfigurationenactments.yaml CRD.
• charts/kubernetes-nmstate/crds/nmstate.io_nodenetworkconfigurationpolicies.yaml
  • Added a reference to the nmstate.io_nodenetworkconfigurationpolicies.yaml CRD.
• charts/kubernetes-nmstate/crds/nmstate.io_nodenetworkstates.yaml
  • Added a reference to the nmstate.io_nodenetworkstates.yaml CRD.
• charts/kubernetes-nmstate/templates/NOTES.txt
  • Added installation notes for the Helm chart, providing instructions and status checks for the deployed operator.
• charts/kubernetes-nmstate/templates/_helpers.tpl
  • Added a helper template file containing Go template functions for consistent naming, labels, and image string generation within the Helm chart.
• charts/kubernetes-nmstate/templates/clusterrole.yaml
  • Added the ClusterRole definition for the nmstate-operator, granting necessary cluster-wide permissions.
• charts/kubernetes-nmstate/templates/deployment.yaml
  • Added the Deployment definition for the nmstate-operator, including container images, resource limits, and environment variables.
• charts/kubernetes-nmstate/templates/namespace.yaml
  • Added the Namespace definition for the operator, including pod security labels.
• charts/kubernetes-nmstate/templates/nmstate-cr.yaml
  • Added an optional NMState Custom Resource definition, allowing the operator to deploy the handler DaemonSet upon installation.
• charts/kubernetes-nmstate/templates/role.yaml
  • Added the Role definition for the nmstate-operator, granting namespaced permissions.
• charts/kubernetes-nmstate/templates/rolebinding.yaml
  • Added RoleBinding and ClusterRoleBinding definitions to associate the service account with the respective roles.
• charts/kubernetes-nmstate/templates/serviceaccount.yaml
  • Added the ServiceAccount definition for the nmstate-operator.
• charts/kubernetes-nmstate/templates/tests/test-connection.yaml
  • Added a Helm test pod to verify the operator deployment status after installation.
• charts/kubernetes-nmstate/values.yaml
  • Added the default values file for the Helm chart, configuring operator and handler images, namespaces, resources, and other parameters.
• nmstate-rke2.yaml
  • Added a kcli plan for an RKE2 Kubernetes test cluster, configured with multiple network interfaces for nmstate testing.

Activity

• No specific human activity (comments, reviews) was recorded for this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a Helm chart for deploying the kubernetes-nmstate operator, which is a great addition for simplifying deployment. The overall structure of the chart is good and follows many Helm best practices. However, I've identified a few critical issues that need to be addressed before this can be merged. The most significant issue is with how Custom Resource Definitions (CRDs) are included, which will prevent the chart from being packaged or installed. Additionally, there are some security concerns related to overly permissive RBAC roles that should be tightened. I've provided specific comments and suggestions for each of these points in the review.

[gemini-code-assist]

The ClusterRole grants overly permissive access by using wildcards (*) for verbs on many resources. This violates the principle of least privilege and introduces a security risk. The roles should only grant the specific permissions required by the operator.

Additionally, this ClusterRole appears to be missing permissions for validatingadmissionpolicies and validatingadmissionpolicybindings that are present in the source deploy/operator/role.yaml. This discrepancy could lead to runtime errors.

Please replace the wildcards with a specific list of required verbs for each resource.

[gemini-code-assist]

Applying pod-security.kubernetes.io/enforce: privileged at the namespace level allows any pod in the namespace to run as privileged. This includes the operator deployment, which is designed to be unprivileged. While the handler daemonset likely requires privileged access, a more secure approach would be to apply Pod Security Standards at the pod level for the handler and use a more restrictive profile (like baseline) for the namespace by default. Since the handler is deployed by the operator, this might require changes in the operator logic to set the appropriate securityContext on the handler pods it creates. If that's not feasible, this is an acceptable compromise, but it's a security risk worth noting.

[gemini-code-assist]

Similar to the ClusterRole, this namespaced Role uses a wildcard (*) for verbs, granting excessive permissions within the operator's namespace. To adhere to the principle of least privilege, please specify only the required verbs instead of using a wildcard.

[sanjay7178]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a Helm chart for the kubernetes-nmstate operator. The chart is well-structured and follows many Helm best practices, including configurable values, helper templates, and conditional resource creation. However, I've found a critical issue where a required CRD file is missing, which will cause installation to fail. I've also identified several areas for improvement, such as removing redundant RBAC permissions and pinning image versions to ensure deterministic deployments. Please see my detailed comments for suggestions.

[sanjay7178]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a Helm chart for deploying the kubernetes-nmstate operator, which is a significant enhancement for users who prefer Helm for managing applications. The chart is well-structured, following common Helm best practices like using helper templates, providing a NOTES.txt, and making CRD installation optional. My review focuses on improving security by adhering to the principle of least privilege in RBAC resources, and enhancing maintainability and correctness in the chart's values and test configurations. I've suggested changes to pin image versions, correct the typing of values for environment variables, and restrict overly permissive RBAC rules.

[gemini-code-assist]

The use of a wildcard * for verbs grants excessive permissions to the operator. According to the principle of least privilege, permissions should be as restrictive as possible. Please replace the wildcard with a specific list of required verbs (e.g., get, list, watch, create, update, patch, delete). This should be applied to all rules in this ClusterRole that use a wildcard.

  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch

[gemini-code-assist]

The values for enableProfiler and profilerPort are defined as strings in values.yaml. However, the deployment template uses the quote function, which will result in double-quoted values in the final YAML (e.g., value: '"False"'). This is likely incorrect. To ensure the correct values are passed to the container, these should be typed as a boolean and a number in values.yaml.

[gemini-code-assist]

Similar to the ClusterRole, this Role uses a wildcard * for verbs, which is overly permissive. For better security, please specify the exact verbs required by the operator for these resources. This applies to both rules in this file.

  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch

[gemini-code-assist]

Using the :latest tag for the test image is not recommended as it can lead to flaky tests if the image changes unexpectedly. It is a best practice to pin images to a specific version to ensure deterministic and reliable tests.

      image: bitnami/kubectl:1.29

[gemini-code-assist]

Using the :latest tag for default image versions is discouraged as it makes deployments non-deterministic and can cause unexpected upgrades. It's better to tie the default image tag to the chart's appVersion. Please remove the tag: latest line for both the operator (line 10) and handler (line 54) images. This will cause the image tags to default to the appVersion from Chart.yaml, as configured in _helpers.tpl.

[mkowalski]

I need to see some additional things before this can fly, but the general idea is good

1. There is no mechanism to keep deployment yamls in sync. If I now go and modify deploy/handler/operator.yaml (what is the standard workflow in the project), there is nothing that will ensure the change also made it to charts/kubernetes-nmstate/templates/deployment.yaml introduced by this PR.

This one is a big no. We have manifests which are source of truth (e.g. deploy/handler/operator.yaml) and if there is some copy-paste to another place, it has to go through some orchestration and not manual.

2. I need to see some at least basic verification that helm chart in the repo is correct. If I now go and delete for example the file charts/kubernetes-nmstate/charts/crds/crds/nmstate.io_nmstates.yaml, helm chart will be very incorrect but there is nothing here that will catch this.

Look at what we do for OLM manifests. We have a Makefile target which is responsible for trying to build a bundle from what's in the repository and if that fails, it means someone tries to merge invalid change. Something similar in needed here.

3. Once those are solved, we will need to think about the mechanism of pushing the chart itself to some upstream repo. It's good that we can have it in-repo but it does not help people to consume the project. For OLM we have GitHub Action which can push the bundle to the OperatorHub. For Helm similar approach may be used.

At the current stage it looks like an one-off but not something production ready.

[sanjay7178]

currently we could have some symlink for CRD's (eg : deploy/crds/nmstate.io_nmstates.yaml --> charts/kubernetes-nmstate/charts/crds/crds/nmstate.io_nmstates.yaml ) so the changes in CRD's deploy/crds would reflect to helm chart.

But symlink kinda poses risks https://helm.sh/blog/2019/10/30/helm-symlink-security-notice/ , so we could have like vice versa ( charts/kubernetes-nmstate/charts/crds/crds/nmstate.io_nmstates.yaml -->deploy/crds/nmstate.io_nmstates.yaml ) .

A make target (like make manifests) that auto-generates/updates the Helm chart templates from the source-of-truth deploy/ files and a make check-helm CI check that verifies the chart is in sync, similar to how make check-gen / make check-bundle work for the OLM manifests.

we could make a helm-lint as make check-helm Makefile target that runs helm lint + helm template, wired into CI (Prow), similar to make check-bundle.

Also we could have a GitHub Action using chart-releaser to publish to GitHub Pages / ArtifactHub .