Helm ServiceAccount scaffolding NIL pointers

[klaudworks]

What broke? What's expected?

Problem 1: Helm doesn't short circuit and conditions

Creating a helm chart with kubebuilder edit --plugins=helm/v1-alpha creates a ServiceAccount template:

{{- if .Values.rbac.enable }}
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    {{- include "chart.labels" . | nindent 4 }}
  {{- if and .Values.controllerManager.serviceAccount .Values.controllerManager.serviceAccount.annotations }}
  annotations:
    {{- range $key, $value := .Values.controllerManager.serviceAccount.annotations }}
    {{ $key }}: {{ $value }}
    {{- end }}
  {{- end }}
  name: {{ .Values.controllerManager.serviceAccountName }}
  namespace: {{ .Release.Namespace }}
{{- end -}}

The issue is the following line of code:

  {{- if and .Values.controllerManager.serviceAccount .Values.controllerManager.serviceAccount.annotations }}

This does not work because Values.controllerManager.serviceAccount is not set by default and Helm evaluates all statements in the and condition first. I.e. the following error arises:

Error: template: kimi-operator/templates/rbac/service_account.yaml:7:61: executing "kimi-operator/templates/rbac/service_account.yaml" at <.Values.controllerManager.serviceAccount.annotations>: nil pointer evaluating interface {}.annotations

Same problem exists for pod.labels:

        {{- if and .Values.controllerManager.pod .Values.controllerManager.pod.labels }}
        {{- range $key, $value := .Values.controllerManager.pod.labels }}
        {{ $key }}: {{ $value }}
        {{- end }}
        {{- end }}

Proposed solution:
In both cases we can just use a with statement so that the subkey is not checked if the parent doesn't exist e.g.:

{{- with .Values.controllerManager.pod }}
  {{- if .labels }}
    {{- range $key, $value := .labels }}
      {{ $key }}: {{ $value }}
    {{- end }}
  {{- end }}
{{- end }}

Problem 2: webhook not set by default in values.yaml

The webhook key is not set by default in the values.yaml. However, in multiple places webhook.enabled is checked.

Proposed solution:
An easy consistent solution would be to just set the following in the values.yaml.

webhook:
  enable: false

If I make the above changes Helm can template the chart.
I'm happy to fix this if the proposed solutions are accepted.

Reproducing this issue

No response

KubeBuilder (CLI) Version

4.5.0

PROJECT version

No response

Plugin versions

Other versions

No response

Extra Labels

No response

[camilamacedo86]

Hi @klaudworks

Thank you for raising this one.
I'm not sure if I follow the scenario because we haven't tested it out.

Could you please let me know how I can reproduce it with a scaffold generated by Kuebbuidler?
Could you please provide all the commands and steps so that we can review the scenario?

[camilamacedo86]

Projects can be packaged with HelmChart see: https://book.kubebuilder.io/plugins/available/helm-v1-alpha
So, we need create a basic project and scaffold the HelmChart and analyse the issue scenario reported in this one.
Following the steps to produce the project to test out

Repro steps

1. Init a new project with Helm plugin and owner/license:
   kubebuilder init

2. Create an API and controller:
   kubebuilder create api --group example.com --version v1 --kind App --controller=true --resource=true

3. Opt into Helm plugin editing (generates Helm chart & CI):
   kubebuilder edit --plugins=helm.kubebuilder.io/v1-alpha

[camilamacedo86]

Fixed with #5058
Closing it