feat: Extract CAAPH values templates to files (#896)

This simplifies the Helm templating directives by not requiring
inception-style escaping of templating braces, e.g. `{{ "{{" }}``
which are very hard to read and can introduce bugs.

This PR also removes the duplicate helm values files currently being
used
to generate the CRS configmaps, and instead references the helm values
that are in the charts directory, which ends up with a reduction in LOC
in
the project to maintain.

I feel this is a simpler way to achieve the same goals as #819 but
without
duplicating files and keeping all chart source files in the charts
directory.

Blocked by #895.

Author: jimmidyson

.pre-commit-config.yaml

@@ -70,7 +70,7 @@ repos:
   - id: check-yaml
     args: ["-m", "--unsafe"]
     stages: [commit]
-    exclude: ^charts/.+/templates/
+    exclude: ^charts/.+/(templates|addons)/.+\.ya?ml$
   - id: mixed-line-ending
     args: ["-f", "lf"]
     exclude: \.bat$
@@ -140,7 +140,7 @@ repos:
     name: License headers - YAML and Makefiles
     stages: [commit]
     files: (^Makefile|\.(ya?ml|mk))$
-    exclude: ^(internal/test|pkg/handlers/.+/embedded|examples|charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses)/.+\.ya?ml|docs/static/helm/index\.yaml|charts/cluster-api-runtime-extensions-nutanix/templates/helm-config.yaml$
+    exclude: ^(internal/test|pkg/handlers/.+/embedded|examples|charts/cluster-api-runtime-extensions-nutanix/(defaultclusterclasses|addons))/.+\.ya?ml|docs/static/helm/index\.yaml|charts/cluster-api-runtime-extensions-nutanix/templates/helm-config.yaml$
     args:
       - --license-filepath
       - hack/license-header.txt

charts/cluster-api-runtime-extensions-nutanix/addons/ccm/aws/image-selection.yaml

@@ -0,0 +1,4 @@
+{{ $clusterSemver := semver .Cluster.spec.topology.version }}
+{{ $ccmVersion := get $k8sMinorVersionToCCMVersion ( print $clusterSemver.Major "." $clusterSemver.Minor ) }}
+image:
+  tag: "{{ $ccmVersion }}"

charts/cluster-api-runtime-extensions-nutanix/addons/ccm/aws/map-template.yaml

@@ -0,0 +1,4 @@
+$k8sMinorVersionToCCMVersion := dict
+{{ range $k8sVersion, $ccmVersion := .Values.hooks.ccm.aws.k8sMinorVersionToCCMVersion -}}
+  "{{ $k8sVersion }}" "{{ $ccmVersion }}"
+{{ end -}}

hack/addons/kustomize/aws-ccm/helm-values.yaml renamed to charts/cluster-api-runtime-extensions-nutanix/addons/ccm/aws/values-template.yaml

@@ -1,7 +1,3 @@
-# Copyright 2024 Nutanix. All rights reserved.
-# SPDX-License-Identifier: Apache-2.0
-
----
 # Starting in Kubernetes v1.29 the Kubelet no longer adds temporary addresses to the Node.
 # See https://github.com/kubernetes/kubernetes/pull/121028
 # This causes a deadlock with the AWS CCM and some CNI providers including Calico.
@@ -17,8 +13,8 @@ args:
   - --configure-cloud-routes=false
 
 tolerations:
-- key: node.cloudprovider.kubernetes.io/uninitialized
-  value: "true"
-  effect: NoSchedule
-- key: node-role.kubernetes.io/control-plane
-  effect: NoSchedule
+  - key: node.cloudprovider.kubernetes.io/uninitialized
+    value: "true"
+    effect: NoSchedule
+  - key: node-role.kubernetes.io/control-plane
+    effect: NoSchedule

charts/cluster-api-runtime-extensions-nutanix/addons/ccm/nutanix/values-template.yaml

@@ -0,0 +1,13 @@
+prismCentralEndPoint: {{ .PrismCentralHost }}
+prismCentralPort: {{ .PrismCentralPort }}
+prismCentralInsecure: {{ .PrismCentralInsecure }}
+{{- with .PrismCentralAdditionalTrustBundle }}
+prismCentralAdditionalTrustBundle: "{{ . }}"
+{{- end }}
+{{- with .ControlPlaneEndpointHost }}
+ignoredNodeIPs: [ {{ printf "%q" . }} ]
+ {{- end }}
+
+# The Secret containing the credentials will be created by the handler.
+createSecret: false
+secretName: nutanix-ccm-credentials

hack/addons/kustomize/cluster-autoscaler/helm-values.yaml renamed to charts/cluster-api-runtime-extensions-nutanix/addons/cluster-autoscaler/values-template.yaml

@@ -1,11 +1,4 @@
-# Copyright 2023 Nutanix. All rights reserved.
-# SPDX-License-Identifier: Apache-2.0
-
----
-# This is a hack, but because a single cluster-autoscaler deployment can only monitor a single Kubernetes cluster
-# we expect 'tmpl-clustername-tmpl' and 'tmpl-clusternamespace-tmpl'
-# to be replaced with the Cluster's name and namespace.
-fullnameOverride: cluster-autoscaler-tmpl-clusteruuid-tmpl
+fullnameOverride: "cluster-autoscaler-{{ index .Cluster.Annotations "caren.nutanix.com/cluster-uuid" }}"
 
 cloudProvider: clusterapi
 
@@ -20,18 +13,18 @@ tolerations:
 
 # Limit a single cluster-autoscaler Deployment to a single Cluster.
 autoDiscovery:
-  clusterName: tmpl-clustername-tmpl
+  clusterName: "{{ .Cluster.Name }}"
   # The controller failed with an RBAC error trying to watch CAPI objects at the cluster scope without this.
   labels:
-    - namespace: tmpl-clusternamespace-tmpl
+    - namespace: "{{ .Cluster.Namespace }}"
 
 # For workload clusters it is not possible to use the in-cluster client.
 # To simplify the configuration, use the admin kubeconfig generated by CAPI for all clusters.
 clusterAPIMode: kubeconfig-incluster
 clusterAPIWorkloadKubeconfigPath: /cluster/kubeconfig
 extraVolumeSecrets:
   kubeconfig:
-    name: tmpl-clustername-tmpl-kubeconfig
+    name: "{{ .Cluster.Name }}-kubeconfig"
     mountPath: /cluster
     readOnly: true
     items:

charts/cluster-api-runtime-extensions-nutanix/addons/cni/calico/aws/values-template.yaml

@@ -0,0 +1,13 @@
+installation:
+  cni:
+    type: Calico
+  calicoNetwork:
+    bgp: Enabled
+    ipPools: {{ range $cidr := .Cluster.spec.clusterNetwork.pods.cidrBlocks }}
+    - cidr: "{{ $cidr }}"
+      encapsulation: None
+      natOutgoing: Enabled
+      nodeSelector: all(){{ end }}
+  nodeMetricsPort: 9091
+  typhaMetricsPort: 9093
+  registry: quay.io/

charts/cluster-api-runtime-extensions-nutanix/addons/cni/calico/docker/values-template.yaml

@@ -0,0 +1,12 @@
+installation:
+  cni:
+    type: Calico
+  calicoNetwork:
+    ipPools:{{ range $cidr := .Cluster.spec.clusterNetwork.pods.cidrBlocks }}
+    - cidr: "{{ $cidr }}"
+      encapsulation: None
+      natOutgoing: Enabled
+      nodeSelector: all(){{ end }}
+  nodeMetricsPort: 9091
+  typhaMetricsPort: 9093
+  registry: quay.io/

charts/cluster-api-runtime-extensions-nutanix/addons/cni/calico/nutanix/values-template.yaml

@@ -0,0 +1,13 @@
+installation:
+  cni:
+    type: Calico
+  calicoNetwork:
+    bgp: Enabled
+    ipPools:{{ range $cidr := .Cluster.spec.clusterNetwork.pods.cidrBlocks }}
+    - cidr: "{{ $cidr }}"
+      encapsulation: None
+      natOutgoing: Enabled
+      nodeSelector: all(){{ end }}
+  nodeMetricsPort: 9091
+  typhaMetricsPort: 9093
+  registry: quay.io/

charts/cluster-api-runtime-extensions-nutanix/addons/cni/cilium/values-template.yaml

@@ -0,0 +1,27 @@
+cni:
+  chainingMode: portmap
+  exclusive: false
+hubble:
+  enabled: true
+  tls:
+    auto:
+      enabled: true               # enable automatic TLS certificate generation
+      method: cronJob             # auto generate certificates using cronJob method
+      certValidityDuration: 60    # certificates validity duration in days (default 2 months)
+      schedule: "0 0 1 * *"       # schedule on the 1st day regeneration of each month
+  relay:
+    enabled: true
+    image:
+      useDigest: false
+ipam:
+  mode: kubernetes
+image:
+  useDigest: false
+operator:
+  image:
+    useDigest: false
+certgen:
+  image:
+    useDigest: false
+socketLB:
+  hostNamespaceOnly: true

hack/addons/kustomize/aws-ebs-csi/helm-values.yaml renamed to charts/cluster-api-runtime-extensions-nutanix/addons/csi/aws-ebs/values-template.yaml

@@ -1,7 +1,3 @@
-# Copyright 2024 Nutanix. All rights reserved.
-# SPDX-License-Identifier: Apache-2.0
-
----
 controller:
   affinity:
     nodeAffinity:

hack/addons/kustomize/local-path-provisioner-csi/helm-values.yaml renamed to charts/cluster-api-runtime-extensions-nutanix/addons/csi/local-path/values-template.yaml

@@ -1,7 +1,3 @@
-# Copyright 2024 Nutanix. All rights reserved.
-# SPDX-License-Identifier: Apache-2.0
-
----
 storageClass:
   create: false
   provisionerName: rancher.io/local-path

charts/cluster-api-runtime-extensions-nutanix/addons/csi/nutanix/values-template.yaml

@@ -0,0 +1,15 @@
+# Disable creating the Prism Central credentials Secret, the Secret will be created by the handler.
+createPrismCentralSecret: false
+# Disable creating the Prism Element credentials Secret, it won't be used the CSI driver as configured here.
+createSecret: false
+pcSecretName: nutanix-csi-credentials
+
+tolerations:
+  - key: CriticalAddonsOnly
+    operator: Exists
+  - effect: NoExecute
+    operator: Exists
+    tolerationSeconds: 300
+  - effect: NoSchedule
+    key: node-role.kubernetes.io/control-plane
+    operator: Exists

hack/addons/kustomize/snapshot-controller/helm-values.yaml renamed to charts/cluster-api-runtime-extensions-nutanix/addons/csi/snapshot-controller/values-template.yaml

@@ -1,6 +1,3 @@
-# Copyright 2024 Nutanix. All rights reserved.
-# SPDX-License-Identifier: Apache-2.0
-
 controller:
   priorityClassName: system-cluster-critical
   tolerations:
@@ -9,9 +6,6 @@ controller:
     - effect: NoExecute
       operator: Exists
       tolerationSeconds: 300
-    - effect: NoSchedule
-      key: node-role.kubernetes.io/master
-      operator: Exists
     - effect: NoSchedule
       key: node-role.kubernetes.io/control-plane
       operator: Exists

hack/addons/kustomize/nfd/helm-values.yaml renamed to charts/cluster-api-runtime-extensions-nutanix/addons/nfd/values-template.yaml

@@ -1,12 +1,13 @@
-# Copyright 2023 Nutanix. All rights reserved.
-# SPDX-License-Identifier: Apache-2.0
-
----
 master:
   extraLabelNs:
     - nvidia.com
     - beta.amd.com
     - amd.com
+  tolerations:
+    - key: "node-role.kubernetes.io/control-plane"
+      operator: "Equal"
+      value: ""
+      effect: "NoSchedule"
   affinity:
     nodeAffinity:
       preferredDuringSchedulingIgnoredDuringExecution:
@@ -27,7 +28,6 @@ worker: ### <NFD-WORKER-CONF-START-DO-NOT-REMOVE>
   tolerations:
     - effect: NoSchedule
       key: node-role.kubernetes.io/control-plane
-### <NFD-WORKER-CONF-END-DO-NOT-REMOVE>
 
 gc:
   tolerations:

charts/cluster-api-runtime-extensions-nutanix/addons/serviceloadbalancer/metallb/values-template.yaml

@@ -0,0 +1,20 @@
+controller:
+  tolerations:
+    - key: node-role.kubernetes.io/control-plane
+      effect: NoSchedule
+      operator: Exists
+    - key: CriticalAddonsOnly
+      operator: Exists
+    - effect: NoExecute
+      operator: Exists
+      tolerationSeconds: 300
+speaker:
+  tolerations:
+    - key: node-role.kubernetes.io/control-plane
+      effect: NoSchedule
+      operator: Exists
+    - key: CriticalAddonsOnly
+      operator: Exists
+    - effect: NoExecute
+      operator: Exists
+      tolerationSeconds: 300

charts/cluster-api-runtime-extensions-nutanix/templates/ccm/aws/manifests/helm-addon-installation.yaml

@@ -7,37 +7,13 @@ kind: ConfigMap
 metadata:
   name: '{{ .Values.hooks.ccm.aws.helmAddonStrategy.defaultValueTemplateConfigMap.name }}'
 data:
+  # These values are a combination of a Helm template to create the dict for the k8s version to
+  # CCM version map, and then including the non-templated values from the values-template.yaml.
+  # This simplifies the templating required in the values-template.yaml.
   values.yaml: |-
-    # Starting in Kubernetes v1.29 the Kubelet no longer adds temporary addresses to the Node.
-    # See https://github.com/kubernetes/kubernetes/pull/121028
-    # This causes a deadlock with the AWS CCM and some CNI providers including Calico.
-    # The Calico Pods won't start until some addresses are assigned,
-    # but the AWS CCM that adds the addresses can't start until the Calico Pods are running.
-    # Using hostNetworking allows the AWS CCM to start before the Calico Pods.
-    # The upstream CAPA templates are also already using hostNetworking for the CCM Pods.
-    hostNetworking: true
-
-    args:
-      - --v=2
-      - --cloud-provider=aws
-      - --configure-cloud-routes=false
-
-    {{ "{{" }} $k8sMinorVersionToCCMVersion := dict
-    {{ range $k8sVersion, $ccmVersion := .Values.hooks.ccm.aws.k8sMinorVersionToCCMVersion -}}
-      "{{ $k8sVersion }}" "{{ $ccmVersion }}"
-    {{ end -}}
+    {{ "{{" }}
+    {{- tpl (.Files.Get "addons/ccm/aws/map-template.yaml") . | nindent 4 -}}
     {{ "}}" }}
-    {{ "{{" }}$clusterSemver := semver .Cluster.spec.topology.version {{ "}}" }}
-    {{ "{{" }}$ccmVersion := get $k8sMinorVersionToCCMVersion ( print $clusterSemver.Major "." $clusterSemver.Minor ) {{ "}}" }}
-    image:
-      tag: {{ "{{ " }} $ccmVersion {{ "}}" }}
-
-    tolerations:
-    - key: node.cloudprovider.kubernetes.io/uninitialized
-      value: "true"
-      effect: NoSchedule
-    - key: node-role.kubernetes.io/control-plane
-      effect: NoSchedule
-
-
+    {{- .Files.Get "addons/ccm/aws/image-selection.yaml" | nindent 4 -}}
+    {{- .Files.Get "addons/ccm/aws/values-template.yaml" | nindent 4 -}}
 {{- end -}}

charts/cluster-api-runtime-extensions-nutanix/templates/ccm/nutanix/manifests/helm-addon-installation.yaml

@@ -8,18 +8,5 @@ metadata:
   name: '{{ .Values.hooks.ccm.nutanix.helmAddonStrategy.defaultValueTemplateConfigMap.name }}'
 data:
   values.yaml: |-
-    ---
-    prismCentralEndPoint: {{ `{{ .PrismCentralHost }}` }}
-    prismCentralPort: {{ `{{ .PrismCentralPort }}` }}
-    prismCentralInsecure: {{ `{{ .PrismCentralInsecure }}` }}
-    {{ `{{- with .PrismCentralAdditionalTrustBundle }}` }}
-    prismCentralAdditionalTrustBundle: {{ `{{ printf "%q" . }}` }}
-    {{ `{{- end }}` }}
-    {{ `{{- with .ControlPlaneEndpointHost }}` }}
-    ignoredNodeIPs: [ {{ `{{ printf "%q" . }}` }} ]
-    {{ `{{- end }}` }}
-
-    # The Secret containing the credentials will be created by the handler.
-    createSecret: false
-    secretName: nutanix-ccm-credentials
+    {{- .Files.Get "addons/ccm/nutanix/values-template.yaml" | nindent 4 }}
 {{- end -}}

charts/cluster-api-runtime-extensions-nutanix/templates/cluster-autoscaler/manifests/helm-addon-installation.yaml

@@ -8,40 +8,5 @@ metadata:
   name: '{{ .Values.hooks.clusterAutoscaler.helmAddonStrategy.defaultValueTemplateConfigMap.name }}'
 data:
   values.yaml: |-
-    ---
-    fullnameOverride: "cluster-autoscaler-{{ `{{ index .Cluster.Annotations "caren.nutanix.com/cluster-uuid" }}` }}"
-
-    cloudProvider: clusterapi
-
-    # Always trigger a scale-out if replicas are less than the min.
-    extraArgs:
-      enforce-node-group-min-size: true
-
-    # Enable it to run in a 1 Node cluster.
-    tolerations:
-      - effect: NoSchedule
-        key: node-role.kubernetes.io/control-plane
-
-    # Limit a single cluster-autoscaler Deployment to a single Cluster.
-    autoDiscovery:
-      clusterName: "{{ `{{ .Cluster.Name }}` }}"
-      # The controller failed with an RBAC error trying to watch CAPI objects at the cluster scope without this.
-      labels:
-        - namespace: "{{ `{{ .Cluster.Namespace }}` }}"
-
-    # For workload clusters it is not possible to use the in-cluster client.
-    # To simplify the configuration, use the admin kubeconfig generated by CAPI for all clusters.
-    clusterAPIMode: kubeconfig-incluster
-    clusterAPIWorkloadKubeconfigPath: /cluster/kubeconfig
-    extraVolumeSecrets:
-      kubeconfig:
-        name: "{{ `{{ .Cluster.Name }}` }}-kubeconfig"
-        mountPath: /cluster
-        readOnly: true
-        items:
-          - key: value
-            path: kubeconfig
-    rbac:
-      # Create a Role instead of a ClusterRoles to update cluster-api objects
-      clusterScoped: false
+    {{- .Files.Get "addons/cluster-autoscaler/values-template.yaml" | nindent 4 }}
 {{- end -}}

charts/cluster-api-runtime-extensions-nutanix/templates/cni/calico/manifests/aws/helm-addon-installation.yaml

@@ -8,17 +8,5 @@ metadata:
   name: '{{ .Values.hooks.cni.calico.helmAddonStrategy.defaultValueTemplatesConfigMaps.AWSCluster.name }}'
 data:
   values.yaml: |-
-    installation:
-      cni:
-        type: Calico
-      calicoNetwork:
-        bgp: Enabled
-        ipPools:{{ printf "{{ range $cidr := .Cluster.spec.clusterNetwork.pods.cidrBlocks }}" }}
-        - cidr: {{ printf "{{ $cidr }}" }}
-          encapsulation: None
-          natOutgoing: Enabled
-          nodeSelector: all(){{ printf "{{ end }}" }}
-      nodeMetricsPort: 9091
-      typhaMetricsPort: 9093
-      registry: quay.io/
+    {{- .Files.Get "addons/cni/calico/aws/values-template.yaml" | nindent 4 }}
 {{- end -}}