Add bash script to sync manifests from Helm chart to Kustomize

Signed-off-by: Yi Chen <github@chenyicn.net>

Author: ChenYi015

Makefile

@@ -25,7 +25,11 @@ IMAGE_REGISTRY ?= $(STAGING_IMAGE_REGISTRY)/jobset
 IMAGE_NAME := jobset
 IMAGE_REPO ?= $(IMAGE_REGISTRY)/$(IMAGE_NAME)
 IMAGE_TAG ?= $(IMAGE_REPO):$(GIT_TAG)
+
+# Helm
 HELM_CHART_REPO := $(STAGING_IMAGE_REGISTRY)/jobset/charts
+RELEASE_NAME ?= jobset
+RELEASE_NAMESPACE ?= jobset-system
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
@@ -203,6 +207,11 @@ undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/confi
 	$(KUSTOMIZE) build config/default | kubectl delete --ignore-not-found=$(ignore-not-found) -f -
 
 ##@ Helm
+
+.PHONY: sync-manifests
+sync-manifests: helm yq ## Sync Kustomize manifests from manifests templated by Helm chart.
+	RELEASE_NAME=$(RELEASE_NAME) RELEASE_NAMESPACE=$(RELEASE_NAMESPACE) HELM=$(HELM) YQ=$(YQ) hack/sync-manifests.sh
+
 .PHONY: helm-unittest
 helm-unittest: helm-unittest-plugin ## Run Helm chart unittests.
 	$(HELM) unittest $(JOBSET_CHART_DIR) --strict --file "tests/**/*_test.yaml"
@@ -219,8 +228,8 @@ helm-docs: helm-docs-plugin ## Generates markdown documentation for helm charts
 helm-chart-push: yq helm
 	EXTRA_TAG="$(EXTRA_TAG)" GIT_TAG="$(GIT_TAG)" IMAGE_REGISTRY="$(IMAGE_REGISTRY)" HELM_CHART_REPO="$(HELM_CHART_REPO)" IMAGE_REPO="$(IMAGE_REPO)" HELM="$(HELM)" YQ="$(YQ)" ./hack/push-chart.sh
 
-
 ##@ Release
+
 .PHONY: artifacts
 artifacts: kustomize helm
 	cd config/components/manager && $(KUSTOMIZE) edit set image controller=${IMAGE_TAG}
@@ -267,16 +276,22 @@ $(LOCALBIN):
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v3.8.7
 CONTROLLER_TOOLS_VERSION ?= v0.17.2
+GINKGO_VERSION ?= v2.1.4
+KIND_VERSION ?= v0.23.0
 HELM_VERSION ?= v3.17.1
 HELM_UNITTEST_VERSION ?= 0.7.2
 HELM_DOCS_VERSION ?= v1.14.2
+YQ_VERSION ?= v4.45.1
 
 ## Tool Binaries
 KUSTOMIZE ?= $(LOCALBIN)/kustomize
 CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen
 ENVTEST ?= $(LOCALBIN)/setup-envtest
-HELM ?= $(ARTIFACTS)/helm
-HELM_DOCS ?= $(ARTIFACTS)/helm-docs
+GINKGO = $(LOCALBIN)/ginkgo
+KIND = $(LOCALBIN)/kind
+HELM ?= $(LOCALBIN)/helm
+HELM_DOCS ?= $(LOCALBIN)/helm-docs
+YQ ?= $(LOCALBIN)/yq
 
 KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"
 .PHONY: kustomize
@@ -317,15 +332,13 @@ envtest: $(ENVTEST) ## Download envtest-setup locally if necessary.
 $(ENVTEST): $(LOCALBIN)
 	test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) $(GO_CMD) install sigs.k8s.io/controller-runtime/tools/setup-envtest@v0.0.0-20240813183042-b901db121e1f
 
-GINKGO = $(shell pwd)/bin/ginkgo
 .PHONY: ginkgo
 ginkgo: ## Download ginkgo locally if necessary.
-	@GOBIN=$(PROJECT_DIR)/bin GO111MODULE=on $(GO_CMD) install github.com/onsi/ginkgo/v2/ginkgo@v2.1.4
+	@GOBIN=$(PROJECT_DIR)/bin GO111MODULE=on $(GO_CMD) install github.com/onsi/ginkgo/v2/ginkgo@$(GINKGO_VERSION)
 
-KIND = $(shell pwd)/bin/kind
 .PHONY: kind
 kind:
-	@GOBIN=$(PROJECT_DIR)/bin GO111MODULE=on $(GO_CMD) install sigs.k8s.io/kind@v0.23.0
+	@GOBIN=$(PROJECT_DIR)/bin GO111MODULE=on $(GO_CMD) install sigs.k8s.io/kind@$(KIND_VERSION)
 
 .PHONY: kind-image-build
 kind-image-build: PLATFORMS=linux/amd64
@@ -345,7 +358,6 @@ test-e2e-kind: manifests kustomize fmt vet envtest ginkgo kind-image-build
 prometheus:
 	kubectl apply --server-side -k config/prometheus
 
-HELM = $(PROJECT_DIR)/bin/helm
 .PHONY: helm
 helm: ## Download helm locally if necessary.
 	GOBIN=$(PROJECT_DIR)/bin GO111MODULE=on $(GO_CMD) install helm.sh/helm/v3/cmd/helm@$(HELM_VERSION)
@@ -362,8 +374,6 @@ helm-docs-plugin: $(HELM_DOCS) ## Download helm-docs plugin locally if necessary
 $(HELM_DOCS): $(LOCALBIN)
 	GOBIN=$(LOCALBIN) $(GO_CMD) install github.com/norwoodj/helm-docs/cmd/helm-docs@$(HELM_DOCS_VERSION)
 
-YQ = $(PROJECT_DIR)/bin/yq
 .PHONY: yq
 yq: ## Download yq locally if necessary.
-	GOBIN=$(PROJECT_DIR)/bin GO111MODULE=on $(GO_CMD) install github.com/mikefarah/yq/v4@v4.45.1
-
+	GOBIN=$(PROJECT_DIR)/bin GO111MODULE=on $(GO_CMD) install github.com/mikefarah/yq/v4@$(YQ_VERSION)

charts/jobset/crds/jobset.x-k8s.io_jobsets.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.2
+    controller-gen.kubebuilder.io/version: v0.17.2
   name: jobsets.jobset.x-k8s.io
 spec:
   group: jobset.x-k8s.io
@@ -237,6 +237,11 @@ spec:
                       x-kubernetes-validations:
                       - message: Value is immutable
                         rule: self == oldSelf
+                    groupName:
+                      default: default
+                      description: GroupName defines the name of the group this ReplicatedJob
+                        belongs to. Defaults to "default"
+                      type: string
                     name:
                       description: |-
                         Name is the name of the entry and will be used as a suffix

charts/jobset/templates/prometheus/service_monitor.yaml

@@ -31,4 +31,9 @@ spec:
       {{- include "jobset.controller.selectorLabels" . | nindent 6 }}
   endpoints:
   - port: metrics
+    path: /metrics
+    scheme: https
+    bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+    tlsConfig:
+      insecureSkipVerify: true
 {{- end }}

config/components/certmanager/certificate.yaml

@@ -1,39 +1,25 @@
-# The following manifests contain a self-signed issuer CR and a certificate CR.
-# More document can be found at https://docs.cert-manager.io
-# WARNING: Targets CertManager v1.0. Check https://cert-manager.io/docs/installation/upgrading/ for breaking changes.
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
-  labels:
-    app.kubernetes.io/name: issuer
-    app.kubernetes.io/instance: selfsigned-issuer
-    app.kubernetes.io/component: certificate
-    app.kubernetes.io/created-by: jobset
-    app.kubernetes.io/part-of: jobset
-    app.kubernetes.io/managed-by: kustomize
-  name: selfsigned-issuer
-  namespace: system
-spec:
-  selfSigned: {}
----
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
+  name: jobset-cert
+  namespace: jobset-system
   labels:
-    app.kubernetes.io/name: certificate
-    app.kubernetes.io/instance: serving-cert
-    app.kubernetes.io/component: certificate
-    app.kubernetes.io/created-by: jobset
-    app.kubernetes.io/part-of: jobset
-    app.kubernetes.io/managed-by: kustomize
-  name: serving-cert  # this name should match the one appeared in kustomizeconfig.yaml
-  namespace: system
+    app.kubernetes.io/managed-by: Kustomize
+    app.kubernetes.io/version: "0.7.3"
+    app.kubernetes.io/name: jobset
+    app.kubernetes.io/instance: jobset
 spec:
-  # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
-  dnsNames:
-  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
-  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
+  secretName: jobset-webhook-server-cert
   issuerRef:
+    group: cert-manager.io/v1
     kind: Issuer
-    name: selfsigned-issuer
-  secretName: webhook-server-cert # this secret will not be prefixed, since it's not managed by kustomize
+    name: jobset-self-signed-issuer
+  commonName: jobset-webhook-service.jobset-system.svc
+  dnsNames:
+    - jobset-webhook-service.jobset-system.svc
+    - jobset-webhook-service.jobset-system.svc.cluster.local
+  duration: 8760h
+  renewBefore: 720h
+  usages:
+    - server auth
+    - client auth

config/components/certmanager/issuer.yaml

@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: jobset-self-signed-issuer
+  namespace: jobset-system
+  labels:
+    app.kubernetes.io/managed-by: Kustomize
+    app.kubernetes.io/version: "0.7.3"
+    app.kubernetes.io/name: jobset
+    app.kubernetes.io/instance: jobset
+spec:
+  selfSigned: {}

config/components/certmanager/kustomization.yaml

@@ -1,5 +1,6 @@
 resources:
 - certificate.yaml
+- issuer.yaml
 
 configurations:
 - kustomizeconfig.yaml

config/components/certmanager/kustomizeconfig.yaml

@@ -6,11 +6,3 @@ nameReference:
   - kind: Certificate
     group: cert-manager.io
     path: spec/issuerRef/name
-
-varReference:
-- kind: Certificate
-  group: cert-manager.io
-  path: spec/commonName
-- kind: Certificate
-  group: cert-manager.io
-  path: spec/dnsNames

config/components/manager/configmap.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: jobset-controller-config
+  namespace: jobset-system
+  labels:
+    app.kubernetes.io/managed-by: Kustomize
+    app.kubernetes.io/version: "0.7.3"
+    app.kubernetes.io/name: jobset
+    app.kubernetes.io/instance: jobset
+    app.kubernetes.io/component: controller
+data:
+  controller_manager_config.yaml: |2
+    apiVersion: config.jobset.x-k8s.io/v1alpha1
+    kind: Configuration
+    leaderElection:
+      leaderElect: true
+    clientConnection:
+      qps: 500
+      burst: 500
+    internalCertManagement:
+      enable: false
+      webhookServiceName: jobset-webhook-service
+      webhookSecretName: jobset-webhook-server-cert

config/components/manager/controller_manager_config.yaml

@@ -0,0 +1,96 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: jobset-controller
+  namespace: jobset-system
+  labels:
+    app.kubernetes.io/managed-by: Kustomize
+    app.kubernetes.io/version: "0.7.3"
+    app.kubernetes.io/name: jobset
+    app.kubernetes.io/instance: jobset
+    app.kubernetes.io/component: controller
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: jobset
+      app.kubernetes.io/instance: jobset
+      app.kubernetes.io/component: controller
+  template:
+    metadata:
+      labels:
+        helm.sh/chart: jobset-0.7.3
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/version: "0.7.3"
+        app.kubernetes.io/name: jobset
+        app.kubernetes.io/instance: jobset
+        app.kubernetes.io/component: controller
+      annotations:
+        jobset.x-k8s.io/config-hash: dce001eda0b7844802217531a27610b3940fc050b7999ee6a3a43956db1f726d
+    spec:
+      containers:
+        - name: controller
+          image: "us-central1-docker.pkg.dev/k8s-staging-images/jobset/jobset:main"
+          imagePullPolicy: Always
+          command:
+            - /manager
+          args:
+            - --zap-log-level=2
+            - --config=/controller_manager_config.yaml
+          volumeMounts:
+            - name: manager-config
+              subPath: controller_manager_config.yaml
+              mountPath: /controller_manager_config.yaml
+            - name: webhook-cert
+              mountPath: /tmp/k8s-webhook-server/serving-certs
+              readOnly: true
+          ports:
+            - name: health-probe
+              containerPort: 8081
+              protocol: TCP
+            - name: webhook
+              containerPort: 9443
+              protocol: TCP
+            - name: metrics
+              containerPort: 8080
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              port: 8081
+              scheme: HTTP
+              path: /healthz
+            initialDelaySeconds: 15
+            periodSeconds: 20
+          readinessProbe:
+            httpGet:
+              port: 8081
+              scheme: HTTP
+              path: /readyz
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources:
+            limits:
+              cpu: 2
+              memory: 4Gi
+            requests:
+              cpu: 500m
+              memory: 128Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+      volumes:
+        - name: manager-config
+          configMap:
+            name: jobset-controller-config
+        - name: webhook-cert
+          secret:
+            secretName: jobset-webhook-server-cert
+            defaultMode: 420
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: jobset-controller