Merge pull request #75 from spinkube/fix-helm-install

chart changes to fix race condition during helm install

.github/workflows/helm-install-smoketest.yaml

@@ -0,0 +1,81 @@
+name: Helm Install Smoketest
+
+on:
+  pull_request:
+    branches: [main]
+
+jobs:
+  helm-install-smoke-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.22.x"
+
+      - name: Install helm
+        uses: Azure/setup-helm@v3
+        with:
+          version: v3.14.0
+
+      - name: setup k3d
+        uses: engineerd/[email protected]
+        with:
+          name: k3d
+          url: https://github.com/k3d-io/k3d/releases/download/v5.6.0/k3d-linux-amd64
+
+      - name: create spin-operator docker image
+        run: make docker-build IMG=spin-operator:latest
+
+      - name: start k3d cluster
+        run: |
+          k3d cluster create wasm-cluster \
+          --image ghcr.io/deislabs/containerd-wasm-shims/examples/k3d:v0.11.0 \
+          --port  "8081:80@loadbalancer" \
+          --agents 2
+
+      - name: import operator image into k3d cluster
+        run: k3d image import -c wasm-cluster spin-operator:latest
+
+      - name: install crd
+        run: make install
+
+      - name: apply runtime class
+        run: kubectl apply -f spin-runtime-class.yaml
+
+      - name: helm install cert-manager
+        run: |
+          helm repo add jetstack https://charts.jetstack.io
+          helm install cert-manager jetstack/cert-manager \
+            --namespace cert-manager \
+            --create-namespace \
+            --version v1.13.3 \
+            --set installCRDs=true
+
+      - name: helm install spin-operator
+        run: |
+          make helm-install IMG=spin-operator:latest
+
+      - name: debug
+        if: failure()
+        run: |
+          kubectl get pods -A
+          kubectl get pods -n spin-operator
+          kubectl logs -n spin-operator $(kubectl get pods -n spin-operator | grep spin-operator-controller-manager | awk '{print $1}')
+          kubectl describe -n spin-operator pod $(kubectl get pods -n spin-operator | grep spin-operator-controller-manager | awk '{print $1}')
+          kubectl logs -n spin-operator $(kubectl get pods -n spin-operator | grep wait-for-webhook-svc | awk '{print $1}')
+          kubectl describe -n spin-operator pod $(kubectl get pods -n spin-operator | grep wait-for-webhook-svc | awk '{print $1}')
+
+      - name: run spin app
+        run: |
+          kubectl apply -f config/samples/simple.yaml
+          kubectl rollout status deployment simple-spinapp --timeout 90s
+          kubectl get pods -A
+          kubectl port-forward svc/simple-spinapp 8083:80 &
+          timeout 15s bash -c 'until curl -f -vvv http://localhost:8083/hello; do sleep 2; done'
+
+      - name: Verify curl
+        run: curl localhost:8083/hello

Makefile

@@ -146,7 +146,7 @@ CRD_DIR     := ./config/crd/bases
 
 .PHONY: helm-generate
 helm-generate: manifests kustomize helmify ## Create/update the Helm chart based on kustomize manifests. (Note: CRDs not included)
-	$(KUSTOMIZE) build config/default | $(HELMIFY) -crd-dir -cert-manager-as-subchart -cert-manager-version v1.13.3 charts/$(CHART_NAME)
+	$(KUSTOMIZE) build config/default | $(HELMIFY) -crd-dir charts/$(CHART_NAME)
 	rm -rf charts/$(CHART_NAME)/crds
 	@# Copy the containerd-shim-spin SpinAppExecutor yaml from its canonical location into the chart
 	cp config/samples/shim-executor.yaml charts/$(CHART_NAME)/templates/containerd-shim-spin-executor.yaml
@@ -216,6 +216,7 @@ helm-install: helm-generate ## Install the Helm chart onto the K8s cluster speci
 	$(HELM) upgrade --install \
 		-n $(HELM_NAMESPACE) \
 		--create-namespace \
+		--wait \
 		--set controllerManager.manager.image.repository=$(IMG_REPO) \
 		--set controllerManager.manager.image.tag=$(IMG_TAG) \
 		$(HELM_RELEASE) charts/$(CHART_NAME)

charts/spin-operator/Chart.lock

@@ -2,8 +2,5 @@ dependencies:
 - name: kwasm-operator
   repository: http://kwasm.sh/kwasm-operator
   version: 0.2.3
-- name: cert-manager
-  repository: https://charts.jetstack.io
-  version: v1.13.3
-digest: sha256:656e3b0c5aadd5694ec9271cb9d257a619ab0ce6453466f61de060346144dd91
-generated: "2024-01-25T13:44:43.972708-07:00"
+digest: sha256:40d405e4fdf2625d9b164f29f5d777cf6598ed74f155c4cf4259914128318cbd
+generated: "2024-02-20T21:28:07.788307+05:30"

charts/spin-operator/Chart.yaml

@@ -27,8 +27,3 @@ dependencies:
     version: "0.2.3"
     repository: "http://kwasm.sh/kwasm-operator"
 
-  - name: cert-manager
-    repository: https://charts.jetstack.io
-    condition: certmanager.enabled
-    alias: certmanager
-    version: "v1.13.3"

charts/spin-operator/README.md

@@ -26,17 +26,16 @@ Prior to installing the chart, you'll need to ensure the following:
   kubectl apply -f https://github.com/spinkube/spin-operator/releases/download/v0.1.0-rc.1/spin-operator.runtime-class.yaml
   ```
 
+## Chart prerequisites
+
+- [Cert Manager](https://github.com/cert-manager/cert-manager) to automatically provision and manage TLS certificates (used by spin-operator's admission webhook system). Cert Manager must be running and the corresponding CRDs must be present on the cluster before installing the spin-operator chart.
+
 ## Chart dependencies
 
 The spin-operator chart currently includes the following sub-charts:
 
 - [Kwasm Operator](https://github.com/kwasm/kwasm-operator) to install WebAssembly support on Kubernetes nodes
-- [Cert Manager](https://github.com/cert-manager/cert-manager) to automatically provision and manage TLS certificates (used by spin-operator's admission webhook system)
-  - If you'd like to manage Cert Manager completely separate from spin-operator, you can disable installation via:
-    `--set certmanager.enabled=false` on `helm install`.
-  - Or, if you'd like to install Cert Manager separate from its CRDs, you can opt-out of installing the CRDs via:
-    `--set certmanager.installCRDs=false` on `helm install`.
-  - In either case, Cert Manager must be running and the corresponding CRDs must be present on the cluster before installing the spin-operator chart.
+
 
 ## Installing the chart
 

charts/spin-operator/templates/containerd-shim-spin-executor.yaml

@@ -2,6 +2,10 @@ apiVersion: core.spinoperator.dev/v1
 kind: SpinAppExecutor
 metadata:
   name: containerd-shim-spin
+  namespace: default
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-weight": "1"
 spec:
   createDeployment: true
   deploymentConfig:

charts/spin-operator/templates/deployment.yaml

@@ -31,6 +31,7 @@ spec:
           value: {{ quote .Values.kubernetesClusterDomain }}
         image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag
           | default .Chart.AppVersion }}
+        imagePullPolicy: {{ .Values.controllerManager.manager.imagePullPolicy }}
         livenessProbe:
           httpGet:
             path: /healthz

charts/spin-operator/templates/selfsigned-issuer.yaml

@@ -2,9 +2,6 @@ apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
   name: {{ include "spin-operator.fullname" . }}-selfsigned-issuer
-  annotations:
-    "helm.sh/hook": post-install,post-upgrade
-    "helm.sh/hook-weight": "1"
   labels:
   {{- include "spin-operator.labels" . | nindent 4 }}
 spec:

charts/spin-operator/templates/serving-cert.yaml

@@ -2,9 +2,6 @@ apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: {{ include "spin-operator.fullname" . }}-serving-cert
-  annotations:
-    "helm.sh/hook": post-install,post-upgrade
-    "helm.sh/hook-weight": "2"
   labels:
   {{- include "spin-operator.labels" . | nindent 4 }}
 spec:

charts/spin-operator/values.yaml

@@ -1,6 +1,3 @@
-certmanager:
-  enabled: true
-  installCRDs: true
 controllerManager:
   kubeRbacProxy:
     args:
@@ -37,6 +34,7 @@ controllerManager:
     image:
       repository: ghcr.io/spinkube/spin-operator
       tag: latest
+    imagePullPolicy: IfNotPresent
     resources:
       limits:
         cpu: 500m

config/manager/manager.yaml

@@ -73,6 +73,7 @@ spec:
             - --enable-webhooks
           image: ghcr.io/spinkube/spin-operator:latest
           name: manager
+          imagePullPolicy: IfNotPresent
           securityContext:
             allowPrivilegeEscalation: false
             capabilities:

config/samples/shim-executor.yaml

@@ -2,6 +2,10 @@ apiVersion: core.spinoperator.dev/v1
 kind: SpinAppExecutor
 metadata:
   name: containerd-shim-spin
+  namespace: default
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-weight": "1"
 spec:
   createDeployment: true
   deploymentConfig: