Helm: add support for auto upgrading CRDs

.github/workflows/build.yaml

@@ -108,7 +108,7 @@ jobs:
         run: |
           mkdir dist out
           make ci-build
-          zip -r -j out/${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_linux_${{ matrix.arch }}.zip dist/${{ env.GOOS }}/${{ env.GOARCH }}/
+          zip -r -j out/${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_linux_${{ matrix.arch }}.zip dist/${{ env.GOOS }}/${{ env.GOARCH }}/${{ env.PKG_NAME }}
       - name: Upload binaries
         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
@@ -125,9 +125,12 @@ jobs:
     env:
       repo: ${{github.event.repository.name}}
       version: ${{needs.get-product-version.outputs.product-version}}
-
     steps:
       - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - name: Setup scripts directory
+        shell: bash
+        run: |
+          make ci-build-scripts-dir GOARCH="${{ matrix.arch }}"
       - name: Docker Build (Action)
         uses: hashicorp/actions-docker-build@v2
         env:
@@ -163,9 +166,12 @@ jobs:
       repo: ${{github.event.repository.name}}
       version: ${{needs.get-product-version.outputs.product-version}}
       image_tag: ${{needs.get-product-version.outputs.product-version}}-ubi
-
     steps:
       - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - name: Setup scripts directory
+        shell: bash
+        run: |
+          make ci-build-scripts-dir GOARCH="${{ matrix.arch }}"
       - name: Docker Build (Action)
         uses: hashicorp/actions-docker-build@v2
         env:
@@ -203,9 +209,12 @@ jobs:
       repo: ${{github.event.repository.name}}
       version: ${{needs.get-product-version.outputs.product-version}}
       image_tag: ${{needs.get-product-version.outputs.product-version}}-ubi
-
     steps:
       - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - name: Setup scripts directory
+        shell: bash
+        run: |
+          make ci-build-scripts-dir GOARCH="${{ matrix.arch }}"
       - name: Docker Build (Action)
         uses: hashicorp/actions-docker-build@v2
         env:
@@ -230,6 +239,56 @@ jobs:
             exit 1
           fi
 
+  chart-upgrade-tests:
+    runs-on: ubuntu-latest
+    needs:
+      - get-product-version
+      - build-pre-checks
+      - build-docker
+    strategy:
+      fail-fast: false
+      matrix:
+        # Test upgrading from the previous version to the current build.
+        # This list should be updated with each new release.
+        # We probably only want to maintain the last 5-6 versions.
+        start-chart-version:
+        - "0.2.0"
+        - "0.3.1"
+        - "0.4.0"
+        - "0.5.0"
+        - "0.6.0"
+        - "0.7.1"
+    steps:
+      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+        with:
+          name: ${{ github.event.repository.name }}_release-default_linux_amd64_${{ needs.get-product-version.outputs.product-version }}_${{ github.sha }}.docker.tar
+      - name: Load docker image
+        shell: bash
+        run: |
+            docker load --input ${{ github.event.repository.name }}_release-default_linux_amd64_${{ needs.get-product-version.outputs.product-version }}_${{ github.sha }}.docker.tar
+      - name: Install kind
+        uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
+        with:
+          version: "v0.22.0"
+          install_only: true
+      - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+        id: setup-helm
+        with:
+          version: "v3.15.1"
+      - name: Add repo
+        shell: bash
+        run: |
+          helm repo add hashicorp https://helm.releases.hashicorp.com
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - name: Setup go
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        with:
+          go-version-file: .go-version
+      - name: Run tests
+        shell: bash
+        run: |
+          export TEST_START_CHART_VERSION="${{ matrix.start-chart-version }}"
+          make integration-test-chart VERSION="${{ needs.get-product-version.outputs.product-version }}"
   versions:
     runs-on: ubuntu-latest
     steps:

Dockerfile

@@ -31,13 +31,20 @@ ARG LD_FLAGS
 # Build
 RUN CGO_ENABLED=0 GOOS=$GOOS GOARCH=$GOARCH go build -ldflags "$LD_FLAGS" -a -o $BIN_NAME main.go
 
+# setup scripts directory needed for upgrading CRDs.
+RUN mkdir scripts
+COPY chart/crds scripts/crds
+RUN ln -s ../$BIN_NAME scripts/upgrade-crds
+
 # dev image
 # -----------------------------------
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 FROM gcr.io/distroless/static:nonroot as dev
+ENV BIN_NAME=vault-secrets-operator
 WORKDIR /
 COPY --from=dev-builder /workspace/$BIN_NAME /
+COPY --from=dev-builder /workspace/scripts /scripts
 USER 65532:65532
 
 ENTRYPOINT ["/vault-secrets-operator"]
@@ -59,7 +66,8 @@ LABEL revision=$PRODUCT_REVISION
 
 WORKDIR /
 
-COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /
+COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /$BIN_NAME
+COPY dist/$TARGETOS/$TARGETARCH/scripts /scripts
 COPY LICENSE /licenses/copyright.txt
 
 USER 65532:65532
@@ -93,7 +101,8 @@ LABEL name="Vault Secrets Operator" \
 
 WORKDIR /
 
-COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /
+COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /$BIN_NAME
+COPY dist/$TARGETOS/$TARGETARCH/scripts /scripts
 COPY LICENSE /licenses/copyright.txt
 COPY --from=build-ubi /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /etc/pki/ca-trust/extracted/pem/
 

Makefile

@@ -272,9 +272,15 @@ docker-push: ## Push docker image with the manager.
 
 ##@ CI
 
+.PHONY: ci-build-scripts-dir
+ci-build-scripts-dir: ## Build operator binary (without generating assets).
+	rm -rf $(BUILD_DIR)/$(GOOS)/$(GOARCH)/scripts
+	mkdir -p $(BUILD_DIR)/$(GOOS)/$(GOARCH)/scripts
+	cp -a chart/crds $(BUILD_DIR)/$(GOOS)/$(GOARCH)/scripts/.
+	ln -s ../$(BIN_NAME) $(BUILD_DIR)/$(GOOS)/$(GOARCH)/scripts/upgrade-crds
+
 .PHONY: ci-build
-ci-build: ## Build operator binary (without generating assets).
-	mkdir -p $(BUILD_DIR)/$(GOOS)/$(GOARCH)
+ci-build: ci-build-scripts-dir ## Build operator binary (without generating assets).
 	CGO_ENABLED=0 GOOS=$(GOOS) GOARCH=$(GOARCH) go build \
 		-ldflags "${LD_FLAGS} $(shell GOOS=$(GOOS) GOARCH=$(GOARCH) ./scripts/ldflags-version.sh)" \
 		-a \
@@ -332,6 +338,13 @@ integration-test-both: ## Run integration tests against Vault Enterprise and Vau
 	$(MAKE) integration-test VAULT_ENTERPRISE=true ENT_TESTS=$(VAULT_ENTERPRISE)
 	$(MAKE) integration-test
 
+.PHONY: integration-test-chart
+integration-test-chart:
+	IMAGE_TAG_BASE=$(IMAGE_TAG_BASE) \
+	VERSION=$(VERSION) \
+	INTEGRATION_TESTS=true \
+	go test github.com/hashicorp/vault-secrets-operator/test/chart/... $(TESTARGS) -timeout=10m
+
 .PHONY: setup-kind
 setup-kind: ## create a kind cluster for running the acceptance tests locally
 	kind get clusters | grep --silent "^$(KIND_CLUSTER_NAME)$$" || \

chart/templates/cluster-role-binding.yaml

@@ -1,3 +1,8 @@
+{{- /*
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+*/ -}}
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

chart/templates/clusterrole-aggregated-editor.yaml

@@ -1,3 +1,8 @@
+{{- /*
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+*/ -}}
+
 {{- if .Values.controller.rbac.clusterRoleAggregation.editorRoles -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

chart/templates/clusterrole-aggregated-viewer.yaml

@@ -1,3 +1,8 @@
+{{- /*
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+*/ -}}
+
 {{- if .Values.controller.rbac.clusterRoleAggregation.viewerRoles -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

chart/templates/deployment.yaml

@@ -9,6 +9,7 @@ metadata:
   name: {{ include "vso.chart.fullname" . }}-controller-manager
   namespace: {{ .Release.Namespace }}
   labels:
+    app.kubernetes.io/component: controller-manager
   {{- include "vso.chart.labels" . | nindent 4 }}
 {{ include "vso.imagePullSecrets" .}}
 ---
@@ -167,6 +168,7 @@ metadata:
   name: {{ printf "%s-%s" "pdcc" (include "vso.chart.fullname" .) | trunc 63 | trimSuffix "-" }}
   namespace: {{ .Release.Namespace }}
   labels:
+    app.kubernetes.io/component: controller-manager
   {{- include "vso.chart.labels" . | nindent 4 }}
   annotations:
     # This is what defines this resource as a hook. Without this line, the
@@ -177,6 +179,7 @@ metadata:
       {{- toYaml .Values.controller.annotations | nindent 4 }}
     {{- end }}
 spec:
+  backoffLimit: 5
   template:
     metadata:
       # This name is truncated because kubernetes applies labels to the job which contain the job and pod
@@ -195,15 +198,20 @@ spec:
         - --pre-delete-hook-timeout-seconds={{ .Values.controller.preDeleteHookTimeoutSeconds }}
         command:
         - /vault-secrets-operator
-        resources: {{- toYaml .Values.controller.manager.resources | nindent 10 }}
+        {{- with .Values.hooks.resources  }}
+        resources:
+        {{- toYaml . | nindent 10 }}
+        {{- end}}
+        {{- with  .Values.controller.securityContext }}
         securityContext:
-          {{- toYaml .Values.controller.securityContext | nindent 10 }}
+        {{- toYaml .| nindent 10 }}
+        {{- end}}
       restartPolicy: Never
-      {{- if .Values.controller.nodeSelector }}
+      {{- with .Values.controller.nodeSelector }}
       nodeSelector:
-      {{- toYaml .Values.controller.nodeSelector | nindent 8 }}
+      {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- if .Values.controller.tolerations }}
+      {{- with .Values.controller.tolerations }}
       tolerations:
-      {{- toYaml .Values.controller.tolerations | nindent 8 }}
+      {{- toYaml .| nindent 8 }}
       {{- end }}

chart/templates/hook-upgrade-crds.yaml

@@ -0,0 +1,116 @@
+{{- /*
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+*/ -}}
+
+{{- if .Values.hooks.upgradeCRDs.enabled -}}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "vso.chart.fullname" . }}-upgrade-crds
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/component: controller-manager
+{{ include "vso.chart.labels" . | indent 4 }}
+  annotations:
+    helm.sh/hook: pre-upgrade
+    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
+    helm.sh/hook-weight: "1"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "vso.chart.fullname" . }}-upgrade-crds
+  labels:
+    app.kubernetes.io/component: rbac
+{{ include "vso.chart.labels" . | indent 4 }}
+  annotations:
+    helm.sh/hook: pre-upgrade
+    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
+    helm.sh/hook-weight: "2"
+rules:
+  - apiGroups:
+    - apiextensions.k8s.io
+    resources:
+    - customresourcedefinitions
+    verbs:
+    - create
+    - delete
+    - get
+    - list
+    - patch
+    - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "vso.chart.fullname" . }}-upgrade-crds
+  labels:
+    app.kubernetes.io/component: rbac
+{{ include "vso.chart.labels" . | indent 4 }}
+  annotations:
+    helm.sh/hook: pre-upgrade
+    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
+    helm.sh/hook-weight: "2"
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "vso.chart.fullname" . }}-upgrade-crds
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ template "vso.chart.fullname" . }}-upgrade-crds
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" "upgrade-crds" (include "vso.chart.fullname" .) | trunc 63 | trimSuffix "-" }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/component: controller-manager
+  {{- include "vso.chart.labels" . | nindent 4 }}
+  annotations:
+    # This is what defines this resource as a hook. Without this line, the
+    # job is considered part of the release.
+    helm.sh/hook: pre-upgrade
+    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
+    helm.sh/hook-weight: "99"
+    {{- if .Values.controller.annotations }}
+      {{- toYaml .Values.controller.annotations | nindent 4 }}
+    {{- end }}
+spec:
+  backoffLimit: {{ .Values.hooks.upgradeCRDs.backoffLimit | default 5 }}
+  template:
+    metadata:
+      name: {{ printf "%s-%s" "upgrade-crds" (include "vso.chart.fullname" .) | trunc 63 | trimSuffix "-" }}
+    spec:
+      serviceAccountName: {{ template "vso.chart.fullname" . }}-upgrade-crds
+      securityContext:
+        {{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
+      containers:
+      - name: pre-upgrade-crds
+        image: {{ .Values.controller.manager.image.repository }}:{{ .Values.controller.manager.image.tag }}
+        env:
+        - name: VSO_UPGRADE_CRDS_TIMEOUT
+          value: {{ .Values.hooks.upgradeCRDs.executionTimeout }}
+        command:
+        - /scripts/upgrade-crds
+        {{- with .Values.hooks.resources  }}
+        resources:
+        {{- toYaml . | nindent 10 }}
+        {{- end}}
+        {{- with  .Values.controller.securityContext }}
+        securityContext:
+        {{- toYaml .| nindent 10 }}
+        {{- end}}
+      restartPolicy: Never
+      {{- with .Values.controller.nodeSelector }}
+      nodeSelector:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.controller.tolerations }}
+      tolerations:
+      {{- toYaml .| nindent 8 }}
+      {{- end }}
+{{- end -}}

chart/templates/tests/test-runner.yaml

@@ -9,6 +9,7 @@ metadata:
   name: {{ template "vso.chart.fullname" . }}-test
   namespace: {{ .Release.Namespace }}
   labels:
+    app.kubernetes.io/component: controller-manager
     app: {{ template "vso.chart.name" . }}
     chart: {{ template "vso.chart.chart" . }}
     heritage: {{ .Release.Service }}