add helm charts

Signed-off-by: Zhiwei Yin <[email protected]>

Author: zhiweiyin318

Makefile

@@ -21,6 +21,10 @@ OPERATOR_SDK?=$(PERMANENT_TMP_GOPATH)/bin/operator-sdk
 OPERATOR_SDK_VERSION?=v1.32.0
 operatorsdk_gen_dir:=$(dir $(OPERATOR_SDK))
 
+HELM?=$(PERMANENT_TMP_GOPATH)/bin/helm
+HELM_VERSION?=v3.14.0
+helm_gen_dir:=$(dir $(HELM))
+
 # RELEASED_CSV_VERSION is used to generate a released CSV manifests
 RELEASED_CSV_VERSION?=0.14.0
 export RELEASED_CSV_VERSION
@@ -30,12 +34,15 @@ CSV_VERSION?=9.9.9
 export CSV_VERSION
 
 OPERATOR_SDK_ARCHOS:=linux_amd64
+HELM_ARCHOS:=linux-amd64
 ifeq ($(GOHOSTOS),darwin)
 	ifeq ($(GOHOSTARCH),amd64)
 		OPERATOR_SDK_ARCHOS:=darwin_amd64
+		HELM_ARCHOS:=darwin-amd64
 	endif
 	ifeq ($(GOHOSTARCH),arm64)
 		OPERATOR_SDK_ARCHOS:=darwin_arm64
+		HELM_ARCHOS:=darwin-arm64
 	endif
 endif
 
@@ -69,7 +76,9 @@ update: copy-crd update-csv
 
 test-unit: ensure-kubebuilder-tools
 
-update-csv: ensure-operator-sdk
+update-csv: ensure-operator-sdk ensure-operator-helm
+	bash -x hack/update-csv.sh
+
 	# update the replaces to released version in csv
 	$(SED_CMD) -i 's/cluster-manager\.v[0-9]\+\.[0-9]\+\.[0-9]\+/cluster-manager\.v$(RELEASED_CSV_VERSION)/g' deploy/cluster-manager/config/manifests/bases/cluster-manager.clusterserviceversion.yaml
 	$(SED_CMD) -i 's/klusterlet\.v[0-9]\+\.[0-9]\+\.[0-9]\+/klusterlet\.v$(RELEASED_CSV_VERSION)/g' deploy/klusterlet/config/manifests/bases/klusterlet.clusterserviceversion.yaml
@@ -116,3 +125,16 @@ ifeq "" "$(wildcard $(OPERATOR_SDK))"
 else
 	$(info Using existing operator-sdk from "$(OPERATOR_SDK)")
 endif
+
+ensure-operator-helm:
+ifeq "" "$(wildcard $(HELM))"
+	$(info Installing helm into '$(HELM)')
+	mkdir -p '$(helm_gen_dir)'
+	curl -s -f -L https://get.helm.sh/helm-$(HELM_VERSION)-$(HELM_ARCHOS).tar.gz -o '$(helm_gen_dir)$(HELM_VERSION)-$(HELM_ARCHOS).tar.gz'
+	tar -zvxf '$(helm_gen_dir)/$(HELM_VERSION)-$(HELM_ARCHOS).tar.gz' -C $(helm_gen_dir)
+	mv $(helm_gen_dir)/$(HELM_ARCHOS)/helm $(HELM)
+	rm -rf $(helm_gen_dir)/$(HELM_ARCHOS)
+	chmod +x '$(HELM)';
+else
+	$(info Using existing helm from "$(HELM)")
+endif

deploy/cluster-manager/chart/cluster-manager/Chart.yaml

@@ -0,0 +1,17 @@
+apiVersion: v2
+name: cluster-manager
+version: 1.0.0
+
+# appVersion will be replaced with the release version after released, and is the default image tag, for example v0.14.0.
+appVersion: latest
+
+description: |-
+  The Cluster Manager provides the multi-cluster hub, which can manage Kubernetes-based clusters across data centers, 
+  public clouds, and private clouds. This Helm Chart supports the installation and upgrade of ClusterManager.
+type: application
+home: https://open-cluster-management.io/
+sources:
+  - https://github.com/open-cluster-management-io/ocm
+keywords:
+  - open-cluster-management
+  - clusterManager

deploy/cluster-manager/chart/cluster-manager/README.md

@@ -0,0 +1,41 @@
+# cluster-manager
+
+The cluster-manager provides the multicluster hub, which can manage Kubernetes-based clusters across data centers,
+public clouds, and private clouds. This operator supports the installation and upgrade of ClusterManager.
+
+# Get Repo Info
+
+```bash
+helm repo add ocm https://open-cluster-management.io/helm-charts
+helm repo update
+helm search repo ocm
+```
+
+# Install the Chart
+
+For example, install the chart into `open-cluster-management` namespace.
+
+```bash
+$ helm install cluster-manager  --version <version> ocm/cluster-manager --namespace=open-cluster-management --create-namespace
+```
+
+# Uninstall the Chart
+
+## Delete all managedClusters before uninstall the Chart.
+
+```bash
+kubectl get managedcluster | awk '{print $1}' | xargs kubectl delete managedcluster
+```
+
+## And then delete the clusterManager CR.
+
+``` bash
+kubectl delete clustermanagers cluster-manager
+```
+
+## Uninstall the Chart
+
+```bash
+helm uninstall cluster-manager
+```
+

deploy/cluster-manager/chart/cluster-manager/crds/0000_01_operator.open-cluster-management.io_clustermanagers.crd.yaml

@@ -0,0 +1,28 @@
+{{/* Create secret to access docker registry */}}
+{{- define "imagePullSecret" }}
+{{- with .Values.images }}
+{{- if and .imageCredentials.userName .imageCredentials.password }}
+{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .registry (printf "%s:%s" .imageCredentials.userName .imageCredentials.password | b64enc) | b64enc }}
+{{- else }}
+{{- printf "{}" | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+
+{{/* Create random bootstrap token secret. */}}
+{{- define "tokenID" }}
+{{- printf "ocmhub" }}
+{{- end }}
+{{- define "tokenSecret" }}
+{{- printf "%s" (randAlphaNum 6) }}
+{{- end }}
+
+{{/* Define the image tag. */}}
+{{- define "imageTag" }}
+{{- if .Values.images.version }}
+{{- printf "%s" .Values.images.version }}
+{{- else }}
+{{- printf "%s" .Chart.AppVersion }}
+{{- end }}
+{{- end }}

deploy/cluster-manager/chart/cluster-manager/templates/_helpers.tpl

@@ -0,0 +1,37 @@
+{{- if .Values.createBootstrapToken }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:open-cluster-management:bootstrap
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+- apiGroups:
+  - cluster.open-cluster-management.io
+  resources:
+  - managedclusters
+  verbs:
+  - get
+  - create
+  - list
+  - watch
+- apiGroups: 
+  - "cluster.open-cluster-management.io"
+  resources: 
+  - "managedclustersets/join"
+  verbs: 
+  - "create"
+{{- end }}

deploy/cluster-manager/chart/cluster-manager/templates/bootstrap_cluster_role.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.createBootstrapToken }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-bootstrap
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:open-cluster-management:bootstrap
+subjects:
+- kind: Group
+  apiGroup: rbac.authorization.k8s.io
+  name: system:bootstrappers:managedcluster
+{{- end }}

deploy/cluster-manager/chart/cluster-manager/templates/bootstrap_cluster_role_binding.yaml

@@ -0,0 +1,20 @@
+{{- if .Values.createBootstrapToken }}
+apiVersion: v1
+kind: Secret
+metadata:
+  # Name MUST be of form "bootstrap-token-<token id>"
+  name: bootstrap-token-{{ template "tokenID" .}}
+  namespace: kube-system
+  labels:
+    app: cluster-manager
+type: bootstrap.kubernetes.io/token
+stringData:
+  # Token ID and secret. Required.
+  token-id: "{{ template "tokenID" .}}"
+  token-secret: "{{ template "tokenSecret" .}}"
+  # Allowed usages.
+  usage-bootstrap-authentication: "true"
+
+  # Extra groups to authenticate the token as. Must start with "system:bootstrappers:"
+  auth-extra-groups: "system:bootstrappers:managedcluster"
+{{- end }}

deploy/cluster-manager/chart/cluster-manager/templates/bootstrap_token_secret.yaml

@@ -0,0 +1,33 @@
+apiVersion: operator.open-cluster-management.io/v1
+kind: ClusterManager
+metadata:
+  name: cluster-manager
+spec:
+  registrationImagePullSpec: {{ .Values.images.registry }}/registration:{{ template "imageTag" . }}
+  workImagePullSpec: {{ .Values.images.registry }}/work:{{ template "imageTag" . }}
+  placementImagePullSpec: {{ .Values.images.registry }}/placement:{{ template "imageTag" . }}
+  addOnManagerImagePullSpec: {{ .Values.images.registry }}/addon-manager:{{ template "imageTag" . }}
+  deployOption:
+    mode: {{ .Values.clusterManager.mode }}
+  {{- with .Values.clusterManager.resourceRequirement }}
+  resourceRequirement:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  registrationConfiguration:
+    {{- if .Values.createBootstrapToken }}
+    autoApproveUsers:
+      - system:bootstrap:bootstrap-token-{{ template "tokenID" .}}
+      - system:serviceaccount:open-cluster-management:cluster-bootstrap
+    {{- end }}
+    {{- with .Values.clusterManager.registrationConfiguration.featureGates }}
+    featureGates:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+  {{- with .Values.clusterManager.workConfiguration }}
+  workConfiguration:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{if .Values.clusterManager.addOnManagerConfiguration }}
+  addOnManagerConfiguration:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}

deploy/cluster-manager/chart/cluster-manager/templates/cluster_manager.yaml

@@ -0,0 +1,146 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cluster-manager
+rules:
+# Allow the registration-operator to create workload
+- apiGroups: [""]
+  resources: ["configmaps", "namespaces", "serviceaccounts", "services"]
+  verbs: ["create", "get", "list", "update", "watch", "patch", "delete", "deletecollection"]
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get"]
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "list", "watch", "update", "patch", "delete"]
+  resourceNames:
+    - "signer-secret"
+    - "registration-webhook-serving-cert"
+    - "work-webhook-serving-cert"
+    - "registration-controller-sa-kubeconfig"
+    - "registration-webhook-sa-kubeconfig"
+    - "work-webhook-sa-kubeconfig"
+    - "placement-controller-sa-kubeconfig"
+    - "work-controller-sa-kubeconfig"
+    - "addon-manager-controller-sa-kubeconfig"
+    - "external-hub-kubeconfig"
+    - "work-driver-config"
+    - "open-cluster-management-image-pull-credentials"
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create"]
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["authorization.k8s.io"]
+  resources: ["subjectaccessreviews"]
+  verbs: ["create", "get"]
+- apiGroups: ["", "events.k8s.io"]
+  resources: ["events"]
+  verbs: ["get", "list", "watch", "create", "patch", "update", "delete", "deletecollection"]
+- apiGroups: ["apps"]
+  resources: ["deployments"]
+  verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
+- apiGroups: ["apps"]
+  resources: ["replicasets"]
+  verbs: ["get"]  
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources: ["clusterrolebindings", "rolebindings"]
+  verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources: ["clusterroles", "roles"]
+  verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
+# Allow the registration-operator to create crds
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
+# Allow the registration-operator to update crds status
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions/status"]
+  verbs: ["update", "patch"]
+# Allow the registration-operator to create apiservice
+- apiGroups: ["apiregistration.k8s.io"]
+  resources: ["apiservices"]
+  verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
+# Allow the registration-operator to create validatingwebhookconfigurration
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
+  verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
+# Allow the nuclues to manage clustermanager apis.
+- apiGroups: ["operator.open-cluster-management.io"]
+  resources: ["clustermanagers"]
+  verbs: ["get", "list", "watch", "update", "delete", "patch"]
+- apiGroups: ["operator.open-cluster-management.io"]
+  resources: ["clustermanagers/status"]
+  verbs: ["update", "patch"]
+# Allow the registration-operator to create storageversionmigration
+- apiGroups: ["migration.k8s.io"]
+  resources: ["storageversionmigrations"]
+  verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
+# Some rbac needed in cluster-manager
+- apiGroups: ["addon.open-cluster-management.io"]
+  resources: ["managedclusteraddons", "clustermanagementaddons"]
+  verbs: ["create", "update", "patch", "get", "list", "watch", "delete"]
+- apiGroups: ["addon.open-cluster-management.io"]
+  resources: ["managedclusteraddons/status", "clustermanagementaddons/status"]
+  verbs: ["patch", "update"]
+- apiGroups: ["addon.open-cluster-management.io"]
+  resources: [managedclusteraddons/finalizers, "clustermanagementaddons/finalizers"]
+  verbs: ["update"]
+- apiGroups: ["addon.open-cluster-management.io"]
+  resources: [addondeploymentconfigs, "addontemplates"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["authentication.k8s.io"]
+  resources: ["tokenreviews"]
+  verbs: ["create"]
+- apiGroups: ["certificates.k8s.io"]
+  resources: ["certificatesigningrequests"]
+  verbs: ["create", "get", "list", "watch"]
+- apiGroups: ["certificates.k8s.io"]
+  resources: ["certificatesigningrequests/approval", "certificatesigningrequests/status"]
+  verbs: ["update"]
+- apiGroups: ["certificates.k8s.io"]
+  resources: ["signers"]
+  verbs: ["approve", "sign"]
+- apiGroups: ["cluster.open-cluster-management.io"]
+  resources: ["managedclusters"]
+  verbs: ["get", "list", "watch", "update", "patch"]
+- apiGroups: ["cluster.open-cluster-management.io"]
+  resources: ["managedclustersetbindings", "placements", "addonplacementscores"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["cluster.open-cluster-management.io"]
+  resources: ["managedclustersets","placementdecisions"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["cluster.open-cluster-management.io"]
+  resources: ["managedclusters/status","managedclustersetbindings/status", "managedclustersets/status", "placements/status", "placementdecisions/status"]
+  verbs: ["update", "patch"]
+- apiGroups: ["cluster.open-cluster-management.io"]
+  resources: ["placements/finalizers"]
+  verbs: ["update"]
+- apiGroups: ["register.open-cluster-management.io"]
+  resources: ["managedclusters/clientcertificates"]
+  verbs: ["renew"]
+- apiGroups: ["register.open-cluster-management.io"]
+  resources: ["managedclusters/accept"]
+  verbs: ["update"]
+- apiGroups: ["work.open-cluster-management.io"]
+  resources: ["manifestworkreplicasets"]
+  verbs: ["get", "list", "watch", "create", "update", "delete", "deletecollection", "patch"]
+- apiGroups: ["work.open-cluster-management.io"]
+  resources: ["manifestworkreplicasets/finalizers"]
+  verbs: ["update"]
+- apiGroups: ["work.open-cluster-management.io"]
+  resources: ["manifestworks"]
+  verbs: ["get", "list", "watch", "create", "update", "delete", "deletecollection", "patch", "execute-as"]
+- apiGroups: ["work.open-cluster-management.io"]
+  resources: ["manifestworks/status", "manifestworkreplicasets/status"]
+  verbs: ["update", "patch"]
+- apiGroups: ["flowcontrol.apiserver.k8s.io"]
+  resources: ["flowschemas", "prioritylevelconfigurations"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["config.openshift.io"]
+  resources: ["infrastructures"]
+  verbs: ["get"]