Publish static kro manifests on release (#820)

* Publish static kro manifests on release

The industry tends to have different descriptions for
helm and plain k8s manifests with kustomize.

We can notice it in argoCD where they maintain the
[manifests](https://github.com/argoproj/argo-cd/blob/master/manifests/core-install.yaml)
as well as the helm [chart](https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd)
(even in a different repository).

When we first tried to generate static manifests using this technique,
during the review, a concern was raised about the additional cognitive
load and maintenance burden having 2 different deployment methods would introduce.

This commit aims at providing static bundles to benefit from static manifests without
the additional maintenance burden.
It keeps Helm as the source of truth for deployment description and picks a list of well-known
values combination to generate static manifests out of it.

* Add make commands to install static manifests in kind

* Install static manifests in kro-system

chainsaw tests are using kro-system that is a standard
practice for operator namespaces.
Follow this naming convention

* Add make commands to run plain manifests e2e tests

* Add cluster-roles for chainsaw tests

chainsaw tests are run with unrestricted kro.
to tests raw manifests generation, we want to ensure that
it works for least-privilege mode.

in the least-privilege mode (core-install) kro does not have permission
to manage individual resources and hence e2e tests fails.

This commits extends Kro's privileges in end to end tests to
ensure they pass. It reflects how users should use KRO when using
the `rbac.mode=aggregation` in helm

* Update installation docs

* Address review comments

* Run 1 raw manifest in CI

Run the least privileged install in CI to ensure raw manifests works as expected

* Fix remaining failing chainsaw cleanup

* Move raw manifests e2e tests to dedicated script

Author: tjamet

.github/workflows/github-release.yaml

@@ -13,6 +13,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - name: Build static manifests
+        env:
+          TAG: ${{ github.ref_name}}
+        run: |
+          make render-static-manifests RELEASE_VERSION=${TAG}
+
       - uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # 2.4.1
         with:
           generate_release_notes: true
+          files: |
+            ./manifests/rendered/kro-*.yaml

.gitignore

@@ -44,3 +44,4 @@ TODO.*
 node_modules/
 
 tools/lsp/client/out/
+manifests/rendered

Makefile

@@ -44,6 +44,15 @@ LDFLAGS="-buildid= -X sigs.k8s.io/release-utils/version.gitVersion=$(GIT_VERSION
 
 WITH_GOFLAGS = GOFLAGS="$(GOFLAGS)"
 
+HELM_STATIC_MANIFESTS_FLAGS ?= --set metadata.includeHelmChart=false --set metadata.includeManagedBy=false --include-crds --namespace kro-system
+HELM_STATIC_MANIFEST_IMAGE_FLAGS ?= --set image.tag=${RELEASE_VERSION}
+
+ifeq ($(shell uname -s),Darwin)
+	SED_INPLACE_FLAGS ?= -i ''
+else
+	SED_INPLACE_FLAGS ?= -i
+endif
+
 HELM_DIR = ./helm
 WHAT ?= unit
 
@@ -228,17 +237,33 @@ publish-image: ko ## Publish the kro controller images
 		$(KO) publish --bare github.com/kubernetes-sigs/kro/cmd/controller \
 		--tags ${RELEASE_VERSION} --sbom=none
 
+.PHONY: inject-helm-version
+inject-helm-version:
+	sed $(SED_INPLACE_FLAGS) 's/tag: .*/tag: "$(RELEASE_VERSION)"/' helm/values.yaml
+	sed $(SED_INPLACE_FLAGS) 's/version: .*/version: $(RELEASE_VERSION)/' helm/Chart.yaml
+	sed $(SED_INPLACE_FLAGS) 's/appVersion: .*/appVersion: "$(RELEASE_VERSION)"/' helm/Chart.yaml
+
 .PHONY: package-helm
-package-helm: ## Package Helm chart
-	sed -i 's/tag: .*/tag: "$(RELEASE_VERSION)"/' helm/values.yaml
-	sed -i 's/version: .*/version: $(RELEASE_VERSION)/' helm/Chart.yaml
-	sed -i 's/appVersion: .*/appVersion: "$(RELEASE_VERSION)"/' helm/Chart.yaml
+package-helm: inject-helm-version ## Package Helm chart
 	${HELM} package helm
 
 .PHONY: publish-helm
 publish-helm: ## Helm publish
 	${HELM} push ./kro-${RELEASE_VERSION}.tgz oci://${HELM_IMAGE}
 
+.PHONY: render-static-manifests
+render-static-manifests: inject-helm-version
+	mkdir -p manifests/rendered
+	@command -v yq >/dev/null 2>&1 || { echo >&2 "yq is required but not installed. Please install yq v4+"; exit 1; }
+	@variants=$$(yq -r '.variants[].name' manifests/variants.yaml); \
+	for v in $$variants; do \
+		echo "Rendering variant: $$v"; \
+		tmpfile=$$(mktemp); \
+		yq -r ".variants[] | select(.name==\"$${v}\") | .values" manifests/variants.yaml > $$tmpfile; \
+		${HELM} template ${HELM_STATIC_MANIFESTS_FLAGS} ${HELM_STATIC_MANIFEST_IMAGE_FLAGS} -f $$tmpfile kro ./helm > manifests/rendered/$${v}.yaml; \
+		rm -f $$tmpfile; \
+	done
+
 .PHONY:
 release: build-image publish-image package-helm publish-helm
 
@@ -256,19 +281,31 @@ install: manifests ## Install CRDs into the K8s cluster specified in ~/.kube/con
 uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config
 	$(KUBECTL) delete --ignore-not-found=$(ignore-not-found) -f ./helm/crds
 
-.PHONY: deploy-kind
-deploy-kind: export KO_DOCKER_REPO=kind.local
-deploy-kind: ko ## Deploy kro to a kind cluster
-	$(KIND) delete clusters ${KIND_CLUSTER_NAME} || true
+.PHONY: start-kind
+start-kind:
+	$(KIND) delete cluster --name ${KIND_CLUSTER_NAME} || true
 	$(KIND) create cluster --name ${KIND_CLUSTER_NAME}
-	$(KUBECTL) --context kind-$(KIND_CLUSTER_NAME) create namespace kro-system
+	$(KUBECTL) --context kind-${KIND_CLUSTER_NAME} create namespace kro-system
+
+.PHONY: deploy-kind-helm
+deploy-kind-helm: export KO_DOCKER_REPO=kind.local
+deploy-kind-helm: ko start-kind
 	make install
 	# This generates deployment with ko://... used in image.
 	# ko then intercepts it builds image, pushes to kind node, replaces the image in deployment and applies it
 	${HELM} template kro ./helm --namespace kro-system --set image.pullPolicy=Never --set image.ko=true --set config.allowCRDDeletion=true | $(KO) apply -f -
 	kubectl wait --for=condition=ready --timeout=1m pod -n kro-system -l app.kubernetes.io/component=controller
 	$(KUBECTL) --context kind-${KIND_CLUSTER_NAME} get pods -A
 
+.PHONY: deploy-kind-%
+deploy-kind-%: export KO_DOCKER_REPO=kind.local
+deploy-kind-%: export HELM_STATIC_MANIFEST_IMAGE_FLAGS=--set image.pullPolicy=Never --set image.ko=true
+deploy-kind-%: export RELEASE_VERSION=v0.0.0-dev
+deploy-kind-%: ko start-kind render-static-manifests ## Apply the static manifests for the given variant
+	$(KO) apply -f manifests/rendered/kro-$*.yaml
+	kubectl wait --for=condition=ready --timeout=1m pod -n kro-system -l app.kubernetes.io/component=controller
+	$(KUBECTL) --context kind-${KIND_CLUSTER_NAME} get pods -A
+
 .PHONY: ko-apply
 ko-apply: ko
 	${HELM} template kro ./helm --namespace kro-system --set image.pullPolicy=Never --set image.ko=true | $(KO) apply -f -
@@ -286,6 +323,18 @@ cli:
 test-e2e: chainsaw ## Run e2e tests
 	$(CHAINSAW) test ./test/e2e/chainsaw
 
+
+.PHONY: test-e2e-kind-%
+test-e2e-kind-%: deploy-kind-%
+	make test-e2e
+
+
+# Default deployment uses helm deployments
+
+.PHONY: deploy-kind
+deploy-kind: export KO_DOCKER_REPO=kind.local
+deploy-kind: ko deploy-kind-helm ## Deploy kro to a kind cluster
+
+# Default end to end tests uses helm deployments
 .PHONY: test-e2e-kind
-test-e2e-kind: deploy-kind
-	make test-e2e
+test-e2e-kind: deploy-kind-helm

helm/templates/_helpers.tpl

@@ -45,12 +45,16 @@ Create the name of the service account to use
 Common labels
 */}}
 {{- define "kro.labels" -}}
+{{- if .Values.metadata.includeHelmChart }}
 helm.sh/chart: {{ include "kro.chart" . }}
+{{- end }}
 {{ include "kro.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
+{{- if .Values.metadata.includeManagedBy }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
 app.kubernetes.io/component: controller
 app.kubernetes.io/part-of: kro
 {{- if .Values.additionalLabels }}

helm/values.yaml

@@ -7,6 +7,10 @@ fullnameOverride: ""
 additionalLabels: {}
   # app: kro
 
+metadata:
+  includeHelmChart: true
+  includeManagedBy: true
+
 image:
   # The location of the container image repository
   repository: registry.k8s.io/kro/kro

manifests/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+- ./bundled/kro-core-install-manifests.yaml

manifests/variants.yaml

@@ -0,0 +1,14 @@
+variants:
+- name: kro-core-install-manifests
+  values:
+    rbac:
+      mode: aggregation
+- name: kro-core-install-manifests-with-prometheus
+  values:
+    rbac:
+      mode: aggregation
+    metrics:
+      service:
+        create: true
+      serviceMonitor:
+        enabled: true

scripts/ci/presubmits/e2e-raw-manifests-tests

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+REPO_ROOT="$(git rev-parse --show-toplevel)"
+cd ${REPO_ROOT}
+
+# Build
+go build cmd
+
+mkdir -p ./bin
+curl -Lo ./bin/kind https://kind.sigs.k8s.io/dl/v0.30.0/kind-linux-amd64
+chmod +x ./bin/kind
+
+# Raw manifests based end to end tests, with minimal installation and "aggregated" mode
+make test-e2e-kind-core-install-manifests KIND=./bin/kind

scripts/ci/presubmits/e2e-tests

@@ -14,4 +14,5 @@ mkdir -p ./bin
 curl -Lo ./bin/kind https://kind.sigs.k8s.io/dl/v0.30.0/kind-linux-amd64
 chmod +x ./bin/kind
 
+# Helm based end to end tests, with helm defaults
 make test-e2e-kind KIND=./bin/kind

test/e2e/chainsaw/check-arbitary-objects/chainsaw-test.yaml

@@ -9,6 +9,9 @@ spec:
   - name: install-rgd
     try:
     #description: Install the RGD that creates an Instance CRD
+    - apply:
+        file: cluster-role.yaml
+      description: Apply Cluster Role
     - apply:
         file: rgd.yaml
       description: Apply RGD