fix: issues with mindthegap deplotment

.github/workflows/checks.yml

@@ -198,7 +198,7 @@ jobs:
         name: Run chart-testing (lint)
         run: |
           devbox run -- \
-            ct lint --config charts/ct-config.yaml
+            ct lint --namespace=caren-system --config charts/ct-config.yaml
 
       - if: steps.list-changed.outputs.changed == 'true'
         name: Create kind cluster

README.md

@@ -51,6 +51,7 @@ export KUBERNETES_VERSION=v1.28.7
 clusterctl generate cluster ${CLUSTER_NAME} \
   --from ${CLUSTER_FILE} \
   --kubernetes-version ${KUBERNETES_VERSION} \
+  -n caren-system \
   --worker-machine-count 1 | \
   kubectl apply --server-side -f -
 ```

charts/cluster-api-runtime-extensions-nutanix/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: trust-manager
+  repository: https://charts.jetstack.io
+  version: v0.10.0
+digest: sha256:58f4f9fd7f71f972e9344c62c1f61978ab19cc174d8854c9d5de7da83eee2049
+generated: "2024-05-13T12:35:00.623992598-06:00"

charts/cluster-api-runtime-extensions-nutanix/Chart.yaml

@@ -14,6 +14,10 @@ maintainers:
   url: https://eng.d2iq.com
 sources:
 - https://github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix
+dependencies:
+  - name: trust-manager
+    version: v0.10.0
+    repository: https://charts.jetstack.io
 
 appVersion: v0.0.0-dev
 version: v0.0.0-dev

charts/cluster-api-runtime-extensions-nutanix/README.md

@@ -21,6 +21,12 @@ A Helm chart for cluster-api-runtime-extensions-nutanix
 
 * <https://github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix>
 
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| https://charts.jetstack.io | trust-manager | v0.10.0 |
+
 ## Values
 
 | Key | Type | Default | Description |
@@ -84,3 +90,4 @@ A Helm chart for cluster-api-runtime-extensions-nutanix
 | service.port | int | `443` |  |
 | service.type | string | `"ClusterIP"` |  |
 | tolerations | list | `[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Equal"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane","operator":"Equal"}]` | Kubernetes pod tolerations |
+| trust-manager.app.trust.namespace | string | `"caren-system"` |  |

charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/aws-cluster-class.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     cluster.x-k8s.io/provider: aws
   name: aws-quick-start
+  namespace: caren-system
 spec:
   controlPlane:
     machineInfrastructure:
@@ -64,6 +65,7 @@ metadata:
   labels:
     cluster.x-k8s.io/provider: aws
   name: aws-quick-start
+  namespace: caren-system
 spec:
   template:
     spec: {}
@@ -74,6 +76,7 @@ metadata:
   labels:
     cluster.x-k8s.io/provider: aws
   name: aws-quick-start-control-plane
+  namespace: caren-system
 spec:
   template:
     spec:
@@ -102,6 +105,7 @@ metadata:
   labels:
     cluster.x-k8s.io/provider: aws
   name: aws-quick-start-control-plane
+  namespace: caren-system
 spec:
   template:
     spec:
@@ -114,6 +118,7 @@ metadata:
   labels:
     cluster.x-k8s.io/provider: aws
   name: aws-quick-start-worker-machinetemplate
+  namespace: caren-system
 spec:
   template:
     spec:
@@ -126,6 +131,7 @@ metadata:
   labels:
     cluster.x-k8s.io/provider: aws
   name: aws-quick-start-worker-bootstraptemplate
+  namespace: caren-system
 spec:
   template:
     spec:

charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/docker-cluster-class.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     cluster.x-k8s.io/provider: docker
   name: docker-quick-start
+  namespace: caren-system
 spec:
   controlPlane:
     machineInfrastructure:
@@ -50,6 +51,7 @@ metadata:
   labels:
     cluster.x-k8s.io/provider: docker
   name: docker-quick-start-cluster
+  namespace: caren-system
 spec:
   template:
     spec: {}
@@ -60,6 +62,7 @@ metadata:
   labels:
     cluster.x-k8s.io/provider: docker
   name: docker-quick-start-control-plane
+  namespace: caren-system
 spec:
   template:
     spec:
@@ -76,6 +79,7 @@ metadata:
   labels:
     cluster.x-k8s.io/provider: docker
   name: docker-quick-start-control-plane
+  namespace: caren-system
 spec:
   template:
     spec:
@@ -89,6 +93,7 @@ metadata:
   labels:
     cluster.x-k8s.io/provider: docker
   name: docker-quick-start-default-worker-machinetemplate
+  namespace: caren-system
 spec:
   template:
     spec:
@@ -102,6 +107,7 @@ metadata:
   labels:
     cluster.x-k8s.io/provider: docker
   name: docker-quick-start-default-worker-bootstraptemplate
+  namespace: caren-system
 spec:
   template:
     spec:

charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/nutanix-cluster-class.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     cluster.x-k8s.io/provider: nutanix
   name: nutanix-quick-start-kcfg-0
+  namespace: caren-system
 spec:
   template:
     spec:
@@ -26,6 +27,7 @@ metadata:
   labels:
     cluster.x-k8s.io/provider: nutanix
   name: nutanix-quick-start
+  namespace: caren-system
 spec:
   controlPlane:
     machineHealthCheck:
@@ -116,6 +118,7 @@ metadata:
   labels:
     cluster.x-k8s.io/provider: nutanix
   name: nutanix-quick-start-kcpt
+  namespace: caren-system
 spec:
   template:
     spec:
@@ -164,6 +167,7 @@ metadata:
   labels:
     cluster.x-k8s.io/provider: nutanix
   name: nutanix-quick-start-nct
+  namespace: caren-system
 spec:
   template:
     spec:
@@ -185,6 +189,7 @@ metadata:
   labels:
     cluster.x-k8s.io/provider: nutanix
   name: nutanix-quick-start-cp-nmt
+  namespace: caren-system
 spec:
   template:
     spec:
@@ -210,6 +215,7 @@ metadata:
   labels:
     cluster.x-k8s.io/provider: nutanix
   name: nutanix-quick-start-md-nmt
+  namespace: caren-system
 spec:
   template:
     spec:

charts/cluster-api-runtime-extensions-nutanix/templates/bundle.yaml

@@ -0,0 +1,19 @@
+# Copyright 2024 Nutanix. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: trust.cert-manager.io/v1alpha1
+kind: Bundle
+metadata:
+  name: caren-bundle
+spec:
+  sources:
+  - useDefaultCAs: true
+  - secret:
+      key: tls.crt
+      name: mindthegap-tls
+  target:
+    configMap:
+      key: ca-certificates.crt
+    namespaceSelector:
+      matchLabels:
+        clusterctl.cluster.x-k8s.io: ""

charts/cluster-api-runtime-extensions-nutanix/templates/helm-config.yaml

@@ -10,36 +10,37 @@ data:
   cilium: |
     ChartName: cilium
     ChartVersion: 1.15.0
-    RepositoryURL: oci://mindthegap.{{ .Release.Namespace }}.svc
+    RepositoryURL: oci://mindthegap.caren-system.svc/charts
   cluster-autoscaler: |
     ChartName: cluster-autoscaler
     ChartVersion: 9.35.0
-    RepositoryURL: oci://mindthegap.{{ .Release.Namespace }}.svc
+    RepositoryURL: oci://mindthegap.caren-system.svc/charts
   metallb: |
     ChartName: metallb
     ChartVersion: v0.14.5
-    RepositoryURL: oci://mindthegap.{{ .Release.Namespace }}.svc
+    RepositoryURL: oci://mindthegap.caren-system.svc/charts
   nfd: |
     ChartName: node-feature-discovery
-    ChartVersion: v0.15.2
-    RepositoryURL: oci://mindthegap.{{ .Release.Namespace }}.svc
+    ChartVersion: 0.15.2
+    RepositoryURL: oci://mindthegap.caren-system.svc/charts
   nutanix-ccm: |
     ChartName: nutanix-cloud-provider
     ChartVersion: 0.3.3
-    RepositoryURL: oci://mindthegap.{{ .Release.Namespace }}.svc
+    RepositoryURL: oci://mindthegap.caren-system.svc/charts
   nutanix-snapshot-csi: |
     ChartName: nutanix-csi-snapshot
     ChartVersion: 6.3.2
-    RepositoryURL: oci://mindthegap.{{ .Release.Namespace }}.svc
+    RepositoryURL: oci://mindthegap.caren-system.svc/charts
   nutanix-storage-csi: |
     ChartName: nutanix-csi-storage
-    ChartVersion: v3.0.0-beta.1912
-    RepositoryURL: oci://mindthegap.{{ .Release.Namespace }}.svc
+    ChartVersion: 3.0.0-beta.1912
+    RepositoryURL: oci://mindthegap.caren-system.svc/charts
   tigera-operator: |
     ChartName: tigera-operator
     ChartVersion: v3.26.4
-    RepositoryURL: oci://mindthegap.{{ .Release.Namespace }}.svc
+    RepositoryURL: oci://mindthegap.caren-system.svc/charts
 kind: ConfigMap
 metadata:
   creationTimestamp: null
   name: {{ .Values.helmAddonsConfigMap }}
+  namespace: caren-system

charts/cluster-api-runtime-extensions-nutanix/templates/job-role.yaml

@@ -0,0 +1,18 @@
+# Copyright 2024 Nutanix. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: helm-hook-role
+  namespace: caaph-system
+rules:
+  - apiGroups:
+    - apps
+    resources:
+    - deployments
+    verbs:
+    - get
+    - list
+    - patch
+    - update

charts/cluster-api-runtime-extensions-nutanix/templates/job-rolebinding.yaml

@@ -0,0 +1,15 @@
+# Copyright 2024 Nutanix. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: helm-hook-binding
+  namespace: caaph-system
+subjects:
+- kind: ServiceAccount
+  name: helm-hook-sa
+  namespace: caaph-system
+roleRef:
+  kind: Role
+  name: helm-hook-role
+  apiGroup: rbac.authorization.k8s.io

charts/cluster-api-runtime-extensions-nutanix/templates/job-sa.yaml

@@ -0,0 +1,8 @@
+# Copyright 2024 Nutanix. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: helm-hook-sa
+  namespace: caaph-system

charts/cluster-api-runtime-extensions-nutanix/templates/job.yaml

@@ -0,0 +1,66 @@
+# Copyright 2024 Nutanix. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: update-trust-manager-namespace
+  namespace: caaph-system
+spec:
+  template:
+    spec:
+      serviceAccountName: helm-hook-sa
+      containers:
+        - name: kubectl
+          image: bitnami/kubectl:latest
+          command:
+            - /bin/sh
+            - -c
+            - |
+              set -e
+              # Check if volume already exists
+              if kubectl get deployment caaph-controller-manager -n caaph-system -o jsonpath='{.spec.template.spec.volumes[?(@.name=="ca-certificate-only")]}' | grep -q "ca-certificate-only"; then
+                echo "Volume already exists. Skipping addition."
+              else
+                kubectl patch deployment caaph-controller-manager \
+                -n caaph-system \
+                --type=json \
+                -p='[
+                  {
+                    "op": "add",
+                    "path": "/spec/template/spec/volumes/-",
+                    "value": {
+                      "name": "ca-certificate-only",
+                      "configMap": {
+                        "name": "caren-bundle",
+                        "defaultMode": 420,
+                        "optional": false,
+                        "items": [
+                          {
+                            "key": "ca-certificates.crt",
+                            "path": "ca-certificates.crt"
+                          }
+                        ]
+                      }
+                    }
+                  }
+                ]'
+              fi
+              if kubectl get deployment caaph-controller-manager -n caaph-system -o jsonpath='{.spec.template.spec.containers[0].volumeMounts[?(@.mountPath=="/etc/ssl/certs/")]}' | grep -q "ca-certificate-only"; then
+                echo "VolumeMount already exists. Skipping addition."
+              else
+                kubectl patch deployment caaph-controller-manager \
+                -n caaph-system \
+                --type=json \
+                -p='[
+                  {
+                    "op": "add",
+                    "path": "/spec/template/spec/containers/0/volumeMounts/-",
+                    "value": {
+                      "mountPath": "/etc/ssl/certs/",
+                      "name": "ca-certificate-only",
+                      "readOnly": true
+                    }
+                  }
+                ]'
+              fi
+      restartPolicy: Never