feat: chart proposal

Signed-off-by: Oliver Bähler <[email protected]>

.goreleaser.yml

@@ -29,6 +29,13 @@ builds:
           -X main.BuildTime={{ .Date }}
           -X main.GitRepo={{ .ProjectName }}
 release:
+  extra_files:
+    - glob: ./path/to/file.txt
+    - glob: ./glob/**/to/**/file/**/*
+    - glob: ./glob/foo/to/bar/file/foobar/override_from_previous
+    - glob: ./single_file.txt
+      name_template: install-crds.yaml
+
   prerelease: auto
   footer: |
     Thanks to all the contributors!
@@ -44,6 +51,11 @@ release:
 
     - `ghcr.io/projectcapsule/charts/{{ .ProjectName }}:{{ .Version }}`
 
+    [Review the breaking changes section first before upgrading to a new version](https://artifacthub.io/packages/helm/projectcapsule/capsule/{{ .Version }}#breaking-changes)
+
+    **Upgrading CustomResourceDefinitions**
+    
+    CRDs are managed via the Helm Chart.
 checksum:
   name_template: 'checksums.txt'
 changelog:

charts/capsule/README.md

@@ -204,9 +204,11 @@ Here the values you can override:
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| crds.annnotations | object | `{}` | Extra Annotations for CRDs |
 | crds.exclusive | bool | `false` | Only install the CRDs, no other primitives |
 | crds.install | bool | `false` | Install the CustomResourceDefinitions (This also manages the lifecycle of the CRDs for update operations) |
 | crds.keep | bool | `true` | Keep the CustomResourceDefinitions (when the chart is deleted) |
+| crds.labels | object | `{}` | Extra Labels for CRDs |
 
 ### General Parameters
 
@@ -355,6 +357,10 @@ And optionally, depending on the values set:
 * RBAC ClusterRole and RoleBinding for pod security policy
 * RBAC Role and Rolebinding for metrics scrape
 
+## Notes on installing Custom Resource Definitions with Helm3
+
+Capsule, as many other add-ons, defines its own set of Custom Resource Definitions (CRDs). Helm3 removed the old CRDs installation method for a more simple methodology. In the Helm Chart, there is now a special directory called `crds` to hold the CRDs. These CRDs are not templated, but will be installed by default when running a `helm install` for the chart. If the CRDs already exist (for example, you already executed `helm install`), it will be skipped with a warning. When you wish to skip the CRDs installation, and do not see the warning, you can pass the `--skip-crds` flag to the `helm install` command.
+
 ## Cert-Manager integration
 
 You can enable the generation of certificates using `cert-manager` as follows.

charts/capsule/README.md.gotmpl

@@ -20,7 +20,7 @@ Use the Capsule Operator for easily implementing, managing, and maintaining mult
 
 In the following sections you see actions which are required when you are upgrading to a specific version.
 
-### 0.7.x
+### Upgrading to 0.7.x
 
 Introduces a new methode to manage all capsule CRDs and their lifecycle. We are no longer relying on the [native CRD hook with the Helm Chart](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations). The hook only allows to manage CRDs on install and uninstall but we can't deliver updates to the CRDs.
 When you newly install the chart we recommend to set  `crds.install` to `true`. This will manage the CRDs with the Helm Chart.

charts/capsule/ci/crds-values.yaml

@@ -2,3 +2,7 @@ crds:
   install: true
   keep: true
   exclusive: true
+  annotations:
+    argocd.argoproj.io/hook: PreSync
+  labels:
+    argocd.argoproj.io/hook: PreSync

charts/capsule/crd/capsule.clastix.io_capsuleconfigurations.yaml

@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.10.0
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: capsuleconfigurations.capsule.clastix.io
 spec:
   group: capsule.clastix.io
@@ -22,14 +21,19 @@ spec:
           API.
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
@@ -38,23 +42,20 @@ spec:
             properties:
               enableTLSReconciler:
                 default: true
-                description: Toggles the TLS reconciler, the controller that is able
-                  to generate CA and certificates for the webhooks when not using
-                  an already provided CA and certificate, or when these are managed
-                  externally with Vault, or cert-manager.
+                description: |-
+                  Toggles the TLS reconciler, the controller that is able to generate CA and certificates for the webhooks
+                  when not using an already provided CA and certificate, or when these are managed externally with Vault, or cert-manager.
                 type: boolean
               forceTenantPrefix:
                 default: false
-                description: Enforces the Tenant owner, during Namespace creation,
-                  to name it using the selected Tenant name as prefix, separated by
-                  a dash. This is useful to avoid Namespace name collision in a public
-                  CaaS environment.
+                description: |-
+                  Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix,
+                  separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.
                 type: boolean
               nodeMetadata:
-                description: Allows to set the forbidden metadata for the worker nodes
-                  that could be patched by a Tenant. This applies only if the Tenant
-                  has an active NodeSelector, and the Owner have right to patch their
-                  nodes.
+                description: |-
+                  Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant.
+                  This applies only if the Tenant has an active NodeSelector, and the Owner have right to patch their nodes.
                 properties:
                   forbiddenAnnotations:
                     description: Define the annotations that a Tenant Owner cannot
@@ -87,15 +88,15 @@ spec:
                   TLSSecretName: capsule-tls
                   mutatingWebhookConfigurationName: capsule-mutating-webhook-configuration
                   validatingWebhookConfigurationName: capsule-validating-webhook-configuration
-                description: Allows to set different name rather than the canonical
-                  one for the Capsule configuration objects, such as webhook secret
-                  or configurations.
+                description: |-
+                  Allows to set different name rather than the canonical one for the Capsule configuration objects,
+                  such as webhook secret or configurations.
                 properties:
                   TLSSecretName:
                     default: capsule-tls
-                    description: Defines the Secret name used for the webhook server.
-                      Must be in the same Namespace where the Capsule Deployment is
-                      deployed.
+                    description: |-
+                      Defines the Secret name used for the webhook server.
+                      Must be in the same Namespace where the Capsule Deployment is deployed.
                     type: string
                   mutatingWebhookConfigurationName:
                     default: capsule-mutating-webhook-configuration