From dcf224f85ef5c813577405478f8224bd8c8253ac Mon Sep 17 00:00:00 2001 From: manuelbuil Date: Wed, 5 Nov 2025 16:30:14 +0100 Subject: [PATCH 1/3] Add Makefile target and the code to create new API Signed-off-by: manuelbuil --- Dockerfile | 12 +- Makefile | 9 +- README.md | 16 +- manifests/crd.yaml | 796 ++++++++++++++++++ .../helm.cattle.io_helmchartconfigs.yaml | 2 +- .../generated/helm.cattle.io_helmcharts.yaml | 2 +- scripts/validate | 2 +- 7 files changed, 825 insertions(+), 14 deletions(-) create mode 100644 manifests/crd.yaml diff --git a/Dockerfile b/Dockerfile index 30d6b977..a57ff08b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,6 +5,11 @@ RUN apk add --no-cache bash git gcc musl-dev WORKDIR /src COPY . . +RUN GOPROXY=direct go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.19.0 +RUN GOPROXY=direct go install github.com/elastic/crd-ref-docs@v0.2.0 + +RUN go generate ./... + RUN --mount=type=cache,id=gomod,target=/go/pkg/mod \ --mount=type=cache,id=gobuild,target=/root/.cache/go-build \ ./scripts/build @@ -16,9 +21,7 @@ COPY --from=builder /src/bin/helm-controller /bin/ FROM golang:1.24-alpine3.22 AS dev ARG ARCH ENV ARCH=$ARCH -RUN apk add --no-cache bash git gcc musl-dev curl -RUN GOPROXY=direct go install golang.org/x/tools/cmd/goimports@gopls/v0.18.1 -RUN GOPROXY=direct go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.17.3 +RUN apk add --no-cache bash git curl RUN if [ "${ARCH}" != "arm" ]; then \ curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s v1.64.7; \ fi @@ -37,6 +40,9 @@ RUN ./scripts/package FROM scratch AS artifacts COPY --from=package /src/dist/artifacts /dist/artifacts +FROM scratch AS crds +COPY --from=builder /src/pkg/crds/yaml/generated/ / + FROM alpine:3.22 AS production COPY bin/helm-controller /usr/bin/ CMD ["helm-controller"] diff --git a/Makefile b/Makefile index e37291a0..e83e119f 100644 --- a/Makefile +++ b/Makefile @@ -2,13 +2,18 @@ IMAGE_NAME ?= helm-controller ARCH ?= amd64 .DEFAULT_GOAL := ci -.PHONY: build test validate package clean +.PHONY: build test validate package clean generate-crd -build: +build: generate-crd DOCKER_BUILDKIT=1 docker build \ --target binary \ --output type=local,dest=. . +generate-crd: + DOCKER_BUILDKIT=1 docker build \ + --target crds \ + --output type=local,dest=./pkg/crds/yaml/generated . + validate: docker build --target dev --build-arg ARCH=$(ARCH) -t $(IMAGE_NAME)-dev . docker run --rm $(IMAGE_NAME)-dev ./scripts/validate diff --git a/README.md b/README.md index cd59f1db..fc4c3ed0 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ helm-controller A simple way to manage helm charts with Custom Resource Definitions in k8s. ## Manifests and Deploying -The `./manifests` folder contains useful YAML manifests to use for deploying and developing the Helm Controller. This simple YAML deployment creates a HelmChart CRD + a Deployment using the `rancher/helm-controller` container. The YAML might need some modifications for your environment so read below for Namespaced vs Cluster deployments and how to use them properly. +The `./manifests` folder contains useful YAML manifests to use for deploying and developing the Helm Controller. However, we recommend using the `deploy-cluster-scoped.yaml` or `deploy-namespaced.yaml` manifests included in the releases. The YAML might need some modifications for your environment so read below for Namespaced vs Cluster deployments and how to use them properly. #### Namespaced Deploys Use the `deploy-namespaced.yaml` to create a namespace and add the Helm Controller and CRD to that namespace locking down the Helm Controller to only see changes to CRDs within that namespace. This is defaulted to `helm-controller` so update the YAML to your needs before running `kubectl create` @@ -22,7 +22,10 @@ To remove the Helm Controller run `kubectl delete` and pass the deployment YAML ## Developing and Building The Helm Controller is easy to get running locally, follow the instructions for your needs and requires a running k8s server + CRDs etc. When you have a working k8s cluster, you can use `./manifests/crd.yaml` to create the CRD and `./manifests/example-helmchart.yaml` which runs the `stable/traefik` helm chart. -#### Locally +### Build +Run `make build` to build the binary and, opitonally, generate new CRDs if the API changed. We recommend execute `make` to additionally run validation and testing. + +#### Running it locally Building and running natively will start a daemon which will watch a local k8s API. See Manifests section above about how to create the CRD and Objects using the provided manifests. ``` @@ -30,14 +33,15 @@ go build -o ./bin/helm-controller ./bin/helm-controller --kubeconfig $HOME/.kube/config ``` -#### docker/k8s -An easy way to get started with docker/k8s is to install docker for windows/mac and use the included k8s cluster. Once functioning you can easily build locally and get a docker container to pull the Helm Controller container and run it in k8s. Use `make` to launch a Linux container and build to create a container. Use the `./manifests/deploy-*.yaml` definitions to get it into your cluster and update `containers.image` to point to your locally image e.g. `image: rancher/helm-controller:dev` +#### Running it on k8s +Use the `deploy-cluster-scoped.yaml` or `deploy-namespaced.yaml` manifests in the assets of each release to run the helm-controller in Kubernetes. #### Options and Usage Use `./bin/helm-controller help` to get full usage details. The outside of a k8s Pod the most important options are `--kubeconfig` or `--masterurl` or it will not run. All options have corresponding ENV variables you could use. -## Testing -`go test ./...` +## Testing/Validating +`make test` +`make validate` ## License Copyright (c) 2019 [Rancher Labs, Inc.](http://rancher.com) diff --git a/manifests/crd.yaml b/manifests/crd.yaml new file mode 100644 index 00000000..bfdd4a94 --- /dev/null +++ b/manifests/crd.yaml @@ -0,0 +1,796 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.19.0 + name: helmchartconfigs.helm.cattle.io +spec: + group: helm.cattle.io + names: + kind: HelmChartConfig + listKind: HelmChartConfigList + plural: helmchartconfigs + singular: helmchartconfig + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + HelmChartConfig represents additional configuration for the installation of Helm chart release. + This resource is intended for use when additional configuration needs to be passed to a HelmChart + that is managed by an external system. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + HelmChartConfigSpec represents additional user-configurable details of an installed and configured Helm chart release. + These fields are merged with or override the corresponding fields on the related HelmChart resource. + properties: + failurePolicy: + default: reinstall + description: |- + Configures handling of failed chart installation or upgrades. + - `reinstall` will perform a clean uninstall and reinstall of the chart. + - `abort` will take no action and leave the chart in a failed state so that the administrator can manually resolve the error. + enum: + - abort + - reinstall + type: string + valuesContent: + description: |- + Override complex Chart values via inline YAML content. + Helm CLI positional argument/flag: `--values` + type: string + valuesSecrets: + description: |- + Override complex Chart values via references to external Secrets. + Helm CLI positional argument/flag: `--values` + items: + description: SecretSpec describes a key in a secret to load chart + values from. + properties: + ignoreUpdates: + description: |- + Ignore changes to the secret, and mark the secret as optional. + By default, the secret must exist, and changes to the secret will trigger an upgrade of the chart to apply the updated values. + If `ignoreUpdates` is true, the secret is optional, and changes to the secret will not trigger an upgrade of the chart. + type: boolean + keys: + description: Keys to read values content from. If no keys are + specified, the secret is not used. + items: + type: string + type: array + name: + description: Name of the secret. Must be in the same namespace + as the HelmChart resource. + type: string + type: object + type: array + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.19.0 + name: helmcharts.helm.cattle.io +spec: + group: helm.cattle.io + names: + kind: HelmChart + listKind: HelmChartList + plural: helmcharts + singular: helmchart + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.repo + name: Repo + type: string + - jsonPath: .spec.chart + name: Chart + type: string + - jsonPath: .spec.version + name: Version + type: string + - jsonPath: .spec.targetNamespace + name: TargetNamespace + type: string + - jsonPath: .spec.bootstrap + name: Bootstrap + type: boolean + - jsonPath: .status.conditions[?(@.type=='Failed')].status + name: Failed + type: string + - jsonPath: .status.jobName + name: Job + priority: 10 + type: string + name: v1 + schema: + openAPIV3Schema: + description: HelmChart represents configuration and state for the deployment + of a Helm chart. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: HelmChartSpec represents the user-configurable details for + installation and upgrade of a Helm chart release. + properties: + authPassCredentials: + description: |- + Pass Basic auth credentials to all domains. + Helm CLI positional argument/flag: `--pass-credentials` + type: boolean + authSecret: + description: Reference to Secret of type kubernetes.io/basic-auth + holding Basic auth credentials for the Chart repo. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + backOffLimit: + description: Specify the number of retries before considering the + helm job failed. + format: int32 + type: integer + bootstrap: + description: Set to True if this chart is needed to bootstrap the + cluster (Cloud Controller Manager, CNI, etc). + type: boolean + chart: + description: |- + Helm Chart name in repository, or complete HTTPS URL to chart archive (.tgz) + Helm CLI positional argument/flag: `CHART` + type: string + chartContent: + description: |- + Base64-encoded chart archive .tgz; overides `.spec.chart` and `.spec.version`. + Helm CLI positional argument/flag: `CHART` + type: string + createNamespace: + description: |- + Create target namespace if not present. + Helm CLI positional argument/flag: `--create-namespace` + type: boolean + dockerRegistrySecret: + description: Reference to Secret of type kubernetes.io/dockerconfigjson + holding Docker auth credentials for the OCI-based registry acting + as the Chart repo. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + failurePolicy: + default: reinstall + description: |- + Configures handling of failed chart installation or upgrades. + - `reinstall` will perform a clean uninstall and reinstall of the chart. + - `abort` will take no action and leave the chart in a failed state so that the administrator can manually resolve the error. + enum: + - abort + - reinstall + type: string + helmVersion: + description: DEPRECATED. Helm version to use. Only v3 is currently + supported. + type: string + insecureSkipTLSVerify: + description: |- + Skip TLS certificate checks for the chart download. + Helm CLI positional argument/flag: `--insecure-skip-tls-verify` + type: boolean + jobImage: + description: Specify the image to use for tht helm job pod when installing + or upgrading the helm chart. + type: string + plainHTTP: + description: |- + Use insecure HTTP connections for the chart download. + Helm CLI positional argument/flag: `--plain-http` + type: boolean + podSecurityContext: + description: Custom PodSecurityContext for the helm job pod. + properties: + appArmorProfile: + description: |- + appArmorProfile is the AppArmor options to use by the containers in this pod. + Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile loaded on the node that should be used. + The profile must be preconfigured on the node to work. + Must match the loaded name of the profile. + Must be set if and only if type is "Localhost". + type: string + type: + description: |- + type indicates which kind of AppArmor profile will be applied. + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + required: + - type + type: object + fsGroup: + description: |- + A special supplemental group that applies to all containers in a pod. + Some volume types allow the Kubelet to change the ownership of that volume + to be owned by the pod: + + 1. The owning GID will be the FSGroup + 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) + 3. The permission bits are OR'd with rw-rw---- + + If unset, the Kubelet will not modify the ownership and permissions of any volume. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + fsGroupChangePolicy: + description: |- + fsGroupChangePolicy defines behavior of changing ownership and permission of the volume + before being exposed inside Pod. This field will only apply to + volume types which support fsGroup based ownership(and permissions). + It will have no effect on ephemeral volume types such as: secret, configmaps + and emptydir. + Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. + Note that this field cannot be set when spec.os.name is windows. + type: string + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxChangePolicy: + description: |- + seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod. + It has no effect on nodes that do not support SELinux or to volumes does not support SELinux. + Valid values are "MountOption" and "Recursive". + + "Recursive" means relabeling of all files on all Pod volumes by the container runtime. + This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node. + + "MountOption" mounts all eligible Pod volumes with `-o context` mount option. + This requires all Pods that share the same volume to use the same SELinux label. + It is not possible to share the same volume among privileged and unprivileged Pods. + Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes + whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their + CSIDriver instance. Other volumes are always re-labelled recursively. + "MountOption" value is allowed only when SELinuxMount feature gate is enabled. + + If not specified and SELinuxMount feature gate is enabled, "MountOption" is used. + If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes + and "Recursive" for all other volumes. + + This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers. + + All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state. + Note that this field cannot be set when spec.os.name is windows. + type: string + seLinuxOptions: + description: |- + The SELinux context to be applied to all containers. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in SecurityContext. If set in + both SecurityContext and PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. + Note that this field cannot be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies to + the container. + type: string + role: + description: Role is a SELinux role label that applies to + the container. + type: string + type: + description: Type is a SELinux type label that applies to + the container. + type: string + user: + description: User is a SELinux user label that applies to + the container. + type: string + type: object + seccompProfile: + description: |- + The seccomp options to use by the containers in this pod. + Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + required: + - type + type: object + supplementalGroups: + description: |- + A list of groups applied to the first process run in each container, in + addition to the container's primary GID and fsGroup (if specified). If + the SupplementalGroupsPolicy feature is enabled, the + supplementalGroupsPolicy field determines whether these are in addition + to or instead of any group memberships defined in the container image. + If unspecified, no additional groups are added, though group memberships + defined in the container image may still be used, depending on the + supplementalGroupsPolicy field. + Note that this field cannot be set when spec.os.name is windows. + items: + format: int64 + type: integer + type: array + x-kubernetes-list-type: atomic + supplementalGroupsPolicy: + description: |- + Defines how supplemental groups of the first container processes are calculated. + Valid values are "Merge" and "Strict". If not specified, "Merge" is used. + (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled + and the container runtime must implement support for this feature. + Note that this field cannot be set when spec.os.name is windows. + type: string + sysctls: + description: |- + Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + sysctls (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name is windows. + items: + description: Sysctl defines a kernel parameter to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options within a container's SecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the GMSA + credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + type: object + type: object + repo: + description: |- + Helm Chart repository URL. + Helm CLI positional argument/flag: `--repo` + type: string + repoCA: + description: |- + Verify certificates of HTTPS-enabled servers using this CA bundle. Should be a string containing one or more PEM-encoded CA Certificates. + Helm CLI positional argument/flag: `--ca-file` + type: string + repoCAConfigMap: + description: |- + Reference to a ConfigMap containing CA Certificates to be be trusted by Helm. Can be used along with or instead of `.spec.repoCA` + Helm CLI positional argument/flag: `--ca-file` + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + securityContext: + description: custom SecurityContext for the helm job pod. + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. + AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + appArmorProfile: + description: |- + appArmorProfile is the AppArmor options to use by this container. If set, this profile + overrides the pod's appArmorProfile. + Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile loaded on the node that should be used. + The profile must be preconfigured on the node to work. + Must match the loaded name of the profile. + Must be set if and only if type is "Localhost". + type: string + type: + description: |- + type indicates which kind of AppArmor profile will be applied. + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + required: + - type + type: object + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities type + type: string + type: array + x-kubernetes-list-type: atomic + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities type + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: |- + procMount denotes the type of proc mount to use for the containers. + The default value is Default which uses the container runtime defaults for + readonly paths and masked paths. + This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies to + the container. + type: string + role: + description: Role is a SELinux role label that applies to + the container. + type: string + type: + description: Type is a SELinux type label that applies to + the container. + type: string + user: + description: User is a SELinux user label that applies to + the container. + type: string + type: object + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + required: + - type + type: object + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the GMSA + credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + type: object + type: object + set: + additionalProperties: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + description: |- + Override simple Chart values. These take precedence over options set via valuesContent. + Helm CLI positional argument/flag: `--set`, `--set-string` + type: object + takeOwnership: + description: |- + Set to True if helm should take ownership of existing resources when installing/upgrading the chart. + Helm CLI positional argument/flag: `--take-ownership` + type: boolean + targetNamespace: + description: |- + Helm Chart target namespace. + Helm CLI positional argument/flag: `--namespace` + type: string + timeout: + description: |- + Timeout for Helm operations. + Helm CLI positional argument/flag: `--timeout` + type: string + valuesContent: + description: |- + Override complex Chart values via inline YAML content. + Helm CLI positional argument/flag: `--values` + type: string + valuesSecrets: + description: |- + Override complex Chart values via references to external Secrets. + Helm CLI positional argument/flag: `--values` + items: + description: SecretSpec describes a key in a secret to load chart + values from. + properties: + ignoreUpdates: + description: |- + Ignore changes to the secret, and mark the secret as optional. + By default, the secret must exist, and changes to the secret will trigger an upgrade of the chart to apply the updated values. + If `ignoreUpdates` is true, the secret is optional, and changes to the secret will not trigger an upgrade of the chart. + type: boolean + keys: + description: Keys to read values content from. If no keys are + specified, the secret is not used. + items: + type: string + type: array + name: + description: Name of the secret. Must be in the same namespace + as the HelmChart resource. + type: string + type: object + type: array + version: + description: |- + Helm Chart version. Only used when installing from repository; ignored when .spec.chart or .spec.chartContent is used to install a specific chart archive. + Helm CLI positional argument/flag: `--version` + type: string + type: object + status: + description: HelmChartStatus represents the resulting state from processing + HelmChart events + properties: + conditions: + description: |- + `JobCreated` indicates that a job has been created to install or upgrade the chart. + `Failed` indicates that the helm job has failed and the failure policy is set to `abort`. + items: + properties: + message: + description: Human readable message indicating details about + last transition. + type: string + reason: + description: (brief) reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of job condition. + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + jobName: + description: The name of the job created to install or upgrade the + chart. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/pkg/crds/yaml/generated/helm.cattle.io_helmchartconfigs.yaml b/pkg/crds/yaml/generated/helm.cattle.io_helmchartconfigs.yaml index b2deb102..86dd7f4a 100644 --- a/pkg/crds/yaml/generated/helm.cattle.io_helmchartconfigs.yaml +++ b/pkg/crds/yaml/generated/helm.cattle.io_helmchartconfigs.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.17.3 + controller-gen.kubebuilder.io/version: v0.19.0 name: helmchartconfigs.helm.cattle.io spec: group: helm.cattle.io diff --git a/pkg/crds/yaml/generated/helm.cattle.io_helmcharts.yaml b/pkg/crds/yaml/generated/helm.cattle.io_helmcharts.yaml index 4c8c4bdc..6f327144 100644 --- a/pkg/crds/yaml/generated/helm.cattle.io_helmcharts.yaml +++ b/pkg/crds/yaml/generated/helm.cattle.io_helmcharts.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.17.3 + controller-gen.kubebuilder.io/version: v0.19.0 name: helmcharts.helm.cattle.io spec: group: helm.cattle.io diff --git a/scripts/validate b/scripts/validate index 4bbe2a7c..5f37533f 100755 --- a/scripts/validate +++ b/scripts/validate @@ -11,7 +11,7 @@ fi echo Running validation echo Running: golangci-lint -golangci-lint run +golangci-lint run --timeout 3m echo Running: go fmt test -z "$(go fmt ${PACKAGES} | tee /dev/stderr)" From 95a152aabda90610e1fac39239d42c40134fa4b1 Mon Sep 17 00:00:00 2001 From: manuelbuil Date: Thu, 6 Nov 2025 10:03:26 +0100 Subject: [PATCH 2/3] Extract the doc generated helmchart.md Signed-off-by: manuelbuil --- Dockerfile | 1 + Makefile | 2 ++ 2 files changed, 3 insertions(+) diff --git a/Dockerfile b/Dockerfile index a57ff08b..8cd67b17 100644 --- a/Dockerfile +++ b/Dockerfile @@ -42,6 +42,7 @@ COPY --from=package /src/dist/artifacts /dist/artifacts FROM scratch AS crds COPY --from=builder /src/pkg/crds/yaml/generated/ / +COPY --from=builder /src/doc/helmchart.md /tmp_doc/ FROM alpine:3.22 AS production COPY bin/helm-controller /usr/bin/ diff --git a/Makefile b/Makefile index e83e119f..b8f3b56f 100644 --- a/Makefile +++ b/Makefile @@ -13,6 +13,8 @@ generate-crd: DOCKER_BUILDKIT=1 docker build \ --target crds \ --output type=local,dest=./pkg/crds/yaml/generated . + mv ./pkg/crds/yaml/generated/tmp_doc/helmchart.md ./doc/ + rm -r ./pkg/crds/yaml/generated/tmp_doc/ validate: docker build --target dev --build-arg ARCH=$(ARCH) -t $(IMAGE_NAME)-dev . From 8e22142df3567a8d322ef56417ccbb9fccf16ae9 Mon Sep 17 00:00:00 2001 From: manuelbuil Date: Thu, 6 Nov 2025 10:11:09 +0100 Subject: [PATCH 3/3] Address Brad comments: remove crd.yaml and change README Signed-off-by: manuelbuil --- README.md | 4 +- manifests/crd.yaml | 796 --------------------------------------------- 2 files changed, 2 insertions(+), 798 deletions(-) delete mode 100644 manifests/crd.yaml diff --git a/README.md b/README.md index fc4c3ed0..568ff233 100644 --- a/README.md +++ b/README.md @@ -20,10 +20,10 @@ Autogenerated API docs for `helm.cattle.io/v1 HelmChart` and `HelmChartConfig` a To remove the Helm Controller run `kubectl delete` and pass the deployment YAML used using to create the Deployment `-f` parameter. ## Developing and Building -The Helm Controller is easy to get running locally, follow the instructions for your needs and requires a running k8s server + CRDs etc. When you have a working k8s cluster, you can use `./manifests/crd.yaml` to create the CRD and `./manifests/example-helmchart.yaml` which runs the `stable/traefik` helm chart. +The Helm Controller is easy to get running locally, follow the instructions for your needs and requires a running k8s server + CRDs etc. When you have a working k8s cluster, you can apply the manifests inside `./pkg/crds/yaml/generated/` to create the CRD and `./manifests/example-helmchart.yaml` which runs the `stable/traefik` helm chart. ### Build -Run `make build` to build the binary and, opitonally, generate new CRDs if the API changed. We recommend execute `make` to additionally run validation and testing. +Run `make build` to build the binary and, optionally, generate new CRDs if the API changed. We recommend just running `make` as the default target will also perform validation and testing. #### Running it locally Building and running natively will start a daemon which will watch a local k8s API. See Manifests section above about how to create the CRD and Objects using the provided manifests. diff --git a/manifests/crd.yaml b/manifests/crd.yaml deleted file mode 100644 index bfdd4a94..00000000 --- a/manifests/crd.yaml +++ /dev/null @@ -1,796 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - name: helmchartconfigs.helm.cattle.io -spec: - group: helm.cattle.io - names: - kind: HelmChartConfig - listKind: HelmChartConfigList - plural: helmchartconfigs - singular: helmchartconfig - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - HelmChartConfig represents additional configuration for the installation of Helm chart release. - This resource is intended for use when additional configuration needs to be passed to a HelmChart - that is managed by an external system. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - HelmChartConfigSpec represents additional user-configurable details of an installed and configured Helm chart release. - These fields are merged with or override the corresponding fields on the related HelmChart resource. - properties: - failurePolicy: - default: reinstall - description: |- - Configures handling of failed chart installation or upgrades. - - `reinstall` will perform a clean uninstall and reinstall of the chart. - - `abort` will take no action and leave the chart in a failed state so that the administrator can manually resolve the error. - enum: - - abort - - reinstall - type: string - valuesContent: - description: |- - Override complex Chart values via inline YAML content. - Helm CLI positional argument/flag: `--values` - type: string - valuesSecrets: - description: |- - Override complex Chart values via references to external Secrets. - Helm CLI positional argument/flag: `--values` - items: - description: SecretSpec describes a key in a secret to load chart - values from. - properties: - ignoreUpdates: - description: |- - Ignore changes to the secret, and mark the secret as optional. - By default, the secret must exist, and changes to the secret will trigger an upgrade of the chart to apply the updated values. - If `ignoreUpdates` is true, the secret is optional, and changes to the secret will not trigger an upgrade of the chart. - type: boolean - keys: - description: Keys to read values content from. If no keys are - specified, the secret is not used. - items: - type: string - type: array - name: - description: Name of the secret. Must be in the same namespace - as the HelmChart resource. - type: string - type: object - type: array - type: object - type: object - served: true - storage: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.19.0 - name: helmcharts.helm.cattle.io -spec: - group: helm.cattle.io - names: - kind: HelmChart - listKind: HelmChartList - plural: helmcharts - singular: helmchart - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.repo - name: Repo - type: string - - jsonPath: .spec.chart - name: Chart - type: string - - jsonPath: .spec.version - name: Version - type: string - - jsonPath: .spec.targetNamespace - name: TargetNamespace - type: string - - jsonPath: .spec.bootstrap - name: Bootstrap - type: boolean - - jsonPath: .status.conditions[?(@.type=='Failed')].status - name: Failed - type: string - - jsonPath: .status.jobName - name: Job - priority: 10 - type: string - name: v1 - schema: - openAPIV3Schema: - description: HelmChart represents configuration and state for the deployment - of a Helm chart. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: HelmChartSpec represents the user-configurable details for - installation and upgrade of a Helm chart release. - properties: - authPassCredentials: - description: |- - Pass Basic auth credentials to all domains. - Helm CLI positional argument/flag: `--pass-credentials` - type: boolean - authSecret: - description: Reference to Secret of type kubernetes.io/basic-auth - holding Basic auth credentials for the Chart repo. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - backOffLimit: - description: Specify the number of retries before considering the - helm job failed. - format: int32 - type: integer - bootstrap: - description: Set to True if this chart is needed to bootstrap the - cluster (Cloud Controller Manager, CNI, etc). - type: boolean - chart: - description: |- - Helm Chart name in repository, or complete HTTPS URL to chart archive (.tgz) - Helm CLI positional argument/flag: `CHART` - type: string - chartContent: - description: |- - Base64-encoded chart archive .tgz; overides `.spec.chart` and `.spec.version`. - Helm CLI positional argument/flag: `CHART` - type: string - createNamespace: - description: |- - Create target namespace if not present. - Helm CLI positional argument/flag: `--create-namespace` - type: boolean - dockerRegistrySecret: - description: Reference to Secret of type kubernetes.io/dockerconfigjson - holding Docker auth credentials for the OCI-based registry acting - as the Chart repo. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - failurePolicy: - default: reinstall - description: |- - Configures handling of failed chart installation or upgrades. - - `reinstall` will perform a clean uninstall and reinstall of the chart. - - `abort` will take no action and leave the chart in a failed state so that the administrator can manually resolve the error. - enum: - - abort - - reinstall - type: string - helmVersion: - description: DEPRECATED. Helm version to use. Only v3 is currently - supported. - type: string - insecureSkipTLSVerify: - description: |- - Skip TLS certificate checks for the chart download. - Helm CLI positional argument/flag: `--insecure-skip-tls-verify` - type: boolean - jobImage: - description: Specify the image to use for tht helm job pod when installing - or upgrading the helm chart. - type: string - plainHTTP: - description: |- - Use insecure HTTP connections for the chart download. - Helm CLI positional argument/flag: `--plain-http` - type: boolean - podSecurityContext: - description: Custom PodSecurityContext for the helm job pod. - properties: - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - fsGroup: - description: |- - A special supplemental group that applies to all containers in a pod. - Some volume types allow the Kubelet to change the ownership of that volume - to be owned by the pod: - - 1. The owning GID will be the FSGroup - 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - 3. The permission bits are OR'd with rw-rw---- - - If unset, the Kubelet will not modify the ownership and permissions of any volume. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - before being exposed inside Pod. This field will only apply to - volume types which support fsGroup based ownership(and permissions). - It will have no effect on ephemeral volume types such as: secret, configmaps - and emptydir. - Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name is windows. - type: string - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxChangePolicy: - description: |- - seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod. - It has no effect on nodes that do not support SELinux or to volumes does not support SELinux. - Valid values are "MountOption" and "Recursive". - - "Recursive" means relabeling of all files on all Pod volumes by the container runtime. - This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node. - - "MountOption" mounts all eligible Pod volumes with `-o context` mount option. - This requires all Pods that share the same volume to use the same SELinux label. - It is not possible to share the same volume among privileged and unprivileged Pods. - Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes - whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their - CSIDriver instance. Other volumes are always re-labelled recursively. - "MountOption" value is allowed only when SELinuxMount feature gate is enabled. - - If not specified and SELinuxMount feature gate is enabled, "MountOption" is used. - If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes - and "Recursive" for all other volumes. - - This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers. - - All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state. - Note that this field cannot be set when spec.os.name is windows. - type: string - seLinuxOptions: - description: |- - The SELinux context to be applied to all containers. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in SecurityContext. If set in - both SecurityContext and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies to - the container. - type: string - role: - description: Role is a SELinux role label that applies to - the container. - type: string - type: - description: Type is a SELinux type label that applies to - the container. - type: string - user: - description: User is a SELinux user label that applies to - the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - supplementalGroups: - description: |- - A list of groups applied to the first process run in each container, in - addition to the container's primary GID and fsGroup (if specified). If - the SupplementalGroupsPolicy feature is enabled, the - supplementalGroupsPolicy field determines whether these are in addition - to or instead of any group memberships defined in the container image. - If unspecified, no additional groups are added, though group memberships - defined in the container image may still be used, depending on the - supplementalGroupsPolicy field. - Note that this field cannot be set when spec.os.name is windows. - items: - format: int64 - type: integer - type: array - x-kubernetes-list-type: atomic - supplementalGroupsPolicy: - description: |- - Defines how supplemental groups of the first container processes are calculated. - Valid values are "Merge" and "Strict". If not specified, "Merge" is used. - (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled - and the container runtime must implement support for this feature. - Note that this field cannot be set when spec.os.name is windows. - type: string - sysctls: - description: |- - Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported - sysctls (by the container runtime) might fail to launch. - Note that this field cannot be set when spec.os.name is windows. - items: - description: Sysctl defines a kernel parameter to be set - properties: - name: - description: Name of a property to set - type: string - value: - description: Value of a property to set - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options within a container's SecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA - credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - repo: - description: |- - Helm Chart repository URL. - Helm CLI positional argument/flag: `--repo` - type: string - repoCA: - description: |- - Verify certificates of HTTPS-enabled servers using this CA bundle. Should be a string containing one or more PEM-encoded CA Certificates. - Helm CLI positional argument/flag: `--ca-file` - type: string - repoCAConfigMap: - description: |- - Reference to a ConfigMap containing CA Certificates to be be trusted by Helm. Can be used along with or instead of `.spec.repoCA` - Helm CLI positional argument/flag: `--ca-file` - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - securityContext: - description: custom SecurityContext for the helm job pod. - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. - type: boolean - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by this container. If set, this profile - overrides the pod's appArmorProfile. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - x-kubernetes-list-type: atomic - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - x-kubernetes-list-type: atomic - type: object - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. - The default value is Default which uses the container runtime defaults for - readonly paths and masked paths. - This requires the ProcMountType feature flag to be enabled. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies to - the container. - type: string - role: - description: Role is a SELinux role label that applies to - the container. - type: string - type: - description: Type is a SELinux type label that applies to - the container. - type: string - user: - description: User is a SELinux user label that applies to - the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by this container. If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA - credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - set: - additionalProperties: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - description: |- - Override simple Chart values. These take precedence over options set via valuesContent. - Helm CLI positional argument/flag: `--set`, `--set-string` - type: object - takeOwnership: - description: |- - Set to True if helm should take ownership of existing resources when installing/upgrading the chart. - Helm CLI positional argument/flag: `--take-ownership` - type: boolean - targetNamespace: - description: |- - Helm Chart target namespace. - Helm CLI positional argument/flag: `--namespace` - type: string - timeout: - description: |- - Timeout for Helm operations. - Helm CLI positional argument/flag: `--timeout` - type: string - valuesContent: - description: |- - Override complex Chart values via inline YAML content. - Helm CLI positional argument/flag: `--values` - type: string - valuesSecrets: - description: |- - Override complex Chart values via references to external Secrets. - Helm CLI positional argument/flag: `--values` - items: - description: SecretSpec describes a key in a secret to load chart - values from. - properties: - ignoreUpdates: - description: |- - Ignore changes to the secret, and mark the secret as optional. - By default, the secret must exist, and changes to the secret will trigger an upgrade of the chart to apply the updated values. - If `ignoreUpdates` is true, the secret is optional, and changes to the secret will not trigger an upgrade of the chart. - type: boolean - keys: - description: Keys to read values content from. If no keys are - specified, the secret is not used. - items: - type: string - type: array - name: - description: Name of the secret. Must be in the same namespace - as the HelmChart resource. - type: string - type: object - type: array - version: - description: |- - Helm Chart version. Only used when installing from repository; ignored when .spec.chart or .spec.chartContent is used to install a specific chart archive. - Helm CLI positional argument/flag: `--version` - type: string - type: object - status: - description: HelmChartStatus represents the resulting state from processing - HelmChart events - properties: - conditions: - description: |- - `JobCreated` indicates that a job has been created to install or upgrade the chart. - `Failed` indicates that the helm job has failed and the failure policy is set to `abort`. - items: - properties: - message: - description: Human readable message indicating details about - last transition. - type: string - reason: - description: (brief) reason for the condition's last transition. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: Type of job condition. - type: string - required: - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - jobName: - description: The name of the job created to install or upgrade the - chart. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {}