docs: rewrite README with Helm as primary install method

mchmarny · mchmarny · commit 2cccf2be1ec9 · 2026-03-01T08:23:23.000-08:00
Restructure around user journey: install, configure, upgrade,
uninstall. Move Helm to top as recommended method. Add full
configuration table. Remove demo/contributor sections to focus
on end users.
diff --git a/README.md b/README.md
@@ -6,107 +6,92 @@ Kubernetes controller that automatically assigns node roles based on a configura
 
 By default, `kubeadm` enables the NodeRestriction admission controller that restricts what labels `kubelet` can self-apply on node registration. The `node-role.kubernetes.io/*` label is restricted and can't be set in cloud init scripts or during other node bootstrap processes.
 
-## Features
-
-- Watches node add/update events via Kubernetes informer
-- Patches nodes with role labels derived from a configurable source label
-- Leader election via Lease for safe multi-replica deployments
-- Exponential backoff with permanent error detection for patch retries
-- Rate-limited Kubernetes API client to prevent API server overload
-- Prometheus metrics for successful and failed patch operations
-- Health (`/healthz`) and readiness (`/readyz`) endpoints
-- Graceful shutdown on SIGINT/SIGTERM with context propagation
-
-## Requirements
-
-- Kubernetes 1.33+
-- RBAC permissions: nodes (list, watch, patch) and leases (get, create, update)
-
-## Usage
-
-Update [patch-configmap.yaml](deployment/overlays/prod/patch-configmap.yaml) to configure the source label and behavior:
-
-```yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: node-role-controller-config
-  namespace: node-labeler
-data:
-  roleLabel: "nodeGroup"  # value of this label becomes the node role
-  roleReplace: "false"    # whether to replace existing node roles
-  logLevel: "info"        # debug, info, warn, error
-```
+## Install
 
-Then apply to the cluster:
+### Helm (recommended)
 
-```sh
-kubectl apply -k deployment/overlays/prod
+```shell
+helm install node-role-controller oci://ghcr.io/mchmarny/node-role-controller \
+  --namespace node-labeler --create-namespace
 ```
 
-This ensures all nodes with `nodeGroup=customer-gpu` get labeled with `node-role.kubernetes.io/customer-gpu`.
-
-> If you change ConfigMap values after deployment, restart to apply: `kubectl -n node-labeler rollout restart deployment node-role-controller`
-
-Alternatively, apply the prebuilt manifest:
+### Manifest
 
 ```shell
 kubectl apply -f https://raw.githubusercontent.com/mchmarny/rolesetter/refs/heads/main/deployment/manifest.yaml
 ```
 
-This creates:
-
-* `Namespace` - Isolates the controller resources
-* `ServiceAccount` - Authenticates the controller
-* `ClusterRole` - Grants node list/watch/patch and lease permissions
-* `ClusterRoleBinding` - Links the role to the ServiceAccount
-* `ConfigMap` - Defines label, replace, and logging configuration
-* `Deployment` - Runs the controller with leader election, health probes, and security hardening
-
-## Helm
-
-Install from the OCI registry:
+### Kustomize
 
 ```shell
-helm install node-role-controller oci://ghcr.io/mchmarny/node-role-controller \
-  --namespace node-labeler --create-namespace
+kubectl apply -k deployment/overlays/prod
 ```
 
-Configure via values:
+## Configuration
+
+The controller is configured via environment variables sourced from a ConfigMap. With Helm, set values directly:
 
 ```shell
 helm install node-role-controller oci://ghcr.io/mchmarny/node-role-controller \
   --namespace node-labeler --create-namespace \
   --set config.roleLabel=nodeGroup \
   --set config.roleReplace=true \
-  --set replicas=2
+  --set config.logLevel=debug
 ```
 
-Uninstall:
+| Parameter | Default | Description |
+|-----------|---------|-------------|
+| `config.roleLabel` | `nodeGroup` | Source label whose value becomes the node role |
+| `config.roleReplace` | `false` | Replace existing `node-role.kubernetes.io/*` labels |
+| `config.logLevel` | `info` | Log level (`debug`, `info`, `warn`, `error`) |
+| `replicas` | `1` | Number of controller replicas (leader election enabled) |
+| `image.tag` | Chart `appVersion` | Override the image tag |
+| `resources.requests.cpu` | `50m` | CPU request |
+| `resources.requests.memory` | `64Mi` | Memory request |
+| `resources.limits.cpu` | `250m` | CPU limit |
+| `resources.limits.memory` | `256Mi` | Memory limit |
+| `tolerations` | `[]` | Pod tolerations |
+| `nodeSelector` | `{}` | Pod node selector |
+
+> After changing configuration, restart to apply: `kubectl -n node-labeler rollout restart deployment node-role-controller`
+
+## Upgrade
+
+```shell
+helm upgrade node-role-controller oci://ghcr.io/mchmarny/node-role-controller \
+  --namespace node-labeler
+```
+
+## Uninstall
 
 ```shell
 helm uninstall node-role-controller -n node-labeler
 ```
 
-## Metrics
+## How It Works
 
-The controller exposes:
+1. Nodes are labeled with a source label (e.g., `nodeGroup=gpu-worker`)
+2. The controller watches node add/update events via a Kubernetes informer
+3. When a node has the source label, the controller patches it with `node-role.kubernetes.io/<value>`
+4. Leader election via Lease ensures only one replica is active
 
-- `node_role_patch_success_total` - Successful node patch operations (labeled by role)
-- `node_role_patch_failure_total` - Failed node patch operations (labeled by role)
+**Example:** A node with `nodeGroup=gpu-worker` gets `node-role.kubernetes.io/gpu-worker`.
 
-Available at the `/metrics` endpoint on port `8080`.
+## Metrics
 
-## Validation
+| Metric | Description |
+|--------|-------------|
+| `node_role_patch_success_total` | Successful patch operations (labeled by role) |
+| `node_role_patch_failure_total` | Failed patch operations (labeled by role) |
 
-The image comes with SLSA attestation verifying it was built in this repo. You can verify using [Sigstore](https://docs.sigstore.dev/about/overview/) CLI or the in-cluster policy controller.
+Available at `/metrics` on port `8080`. Health at `/healthz`, readiness at `/readyz`.
 
-### Manual
+## Image Verification
 
-> Update the image digest to the version you are using.
+Every release includes [SLSA](https://slsa.dev) provenance attestation:
 
 ```shell
-export IMAGE=ghcr.io/mchmarny/node-role-controller:v0.5.1
+export IMAGE=ghcr.io/mchmarny/node-role-controller:v0.6.0
 
 cosign verify-attestation \
     --output json \
@@ -116,85 +101,16 @@ cosign verify-attestation \
     $IMAGE
 ```
 
-### In Cluster
-
-To enforce provenance verification on the `node-labeler` namespace:
+To enforce verification in-cluster with the [Sigstore policy controller](https://docs.sigstore.dev/about/overview/):
 
 ```shell
 kubectl label namespace node-labeler policy.sigstore.dev/include=true
 kubectl apply -f policy/clusterimagepolicy.yaml
 ```
 
-Test admission:
-
-```shell
-kubectl -n node-labeler run test --image=$IMAGE
-```
-
-If you don't already have the [Sigstore](https://docs.sigstore.dev/about/overview/) policy controller:
-
-```shell
-kubectl create namespace cosign-system
-helm repo add sigstore https://sigstore.github.io/helm-charts
-helm repo update
-helm install policy-controller -n cosign-system sigstore/policy-controller
-```
-
-## Demo
+## Contributing
 
-> Requires [Kind](https://kind.sigs.k8s.io/)
-
-Create a Kind cluster with multiple nodes:
-
-```shell
-make up
-```
-
-Check the nodes (workers have no role):
-
-```shell
-kubectl get nodes
-```
-
-```
-NAME                                 STATUS   ROLES           AGE    VERSION
-node-role-controller-control-plane   Ready    control-plane   2m9s   v1.33.1
-node-role-controller-worker          Ready    <none>          114s   v1.33.1
-node-role-controller-worker2         Ready    <none>          114s   v1.33.1
-```
-
-Label the workers and deploy:
-
-```shell
-kubectl get nodes -l '!node-role.kubernetes.io/control-plane' -o name | \
-  xargs -I {} kubectl label {} nodeGroup=worker --overwrite
-kubectl apply -k deployment/overlays/dev
-```
-
-After a few seconds, roles appear:
-
-```shell
-kubectl get nodes
-```
-
-```
-NAME                                 STATUS   ROLES                  AGE     VERSION
-node-role-controller-control-plane   Ready    control-plane          3m12s   v1.33.1
-node-role-controller-worker          Ready    worker                 2m57s   v1.33.1
-node-role-controller-worker2         Ready    worker                 2m57s   v1.33.1
-```
-
-Change a node's label to see the role update:
-
-```shell
-kubectl label node node-role-controller-worker nodeGroup=gpu --overwrite
-```
-
-Clean up:
-
-```shell
-make down
-```
+See [CONTRIBUTING.md](CONTRIBUTING.md). Run `make pre` before submitting PRs.
 
 ## Disclaimer
 
