ci(chart): use curated values.yaml

Signed-off-by: Vaughn Dice <vaughn.dice@fermyon.com>

Makefile

@@ -154,8 +154,8 @@ CRD_DIR     := ./config/crd/bases
 helm-generate: manifests kustomize helmify ## Create/update the Helm chart based on kustomize manifests. (Note: CRDs not included)
 	$(KUSTOMIZE) build config/default | $(HELMIFY) -crd-dir charts/$(CHART_NAME)
 	rm -rf charts/$(CHART_NAME)/crds
-	@# Copy the containerd-shim-spin SpinAppExecutor yaml from its canonical location into the chart
-	cp config/samples/spin-shim-executor.yaml charts/$(CHART_NAME)/templates/containerd-shim-spin-executor.yaml
+	@# Swap in a values.yaml that we curate/control
+	cp config/chart/values.yaml charts/$(CHART_NAME)/values.yaml
 	$(HELM) dep up charts/$(CHART_NAME)
 
 .PHONY: helm-publish

charts/spin-operator/values.yaml

@@ -1,61 +1,107 @@
+## Spin Operator configuration
+
+## controllerManager represents the Spin Operator deployment.
 controllerManager:
-  kubeRbacProxy:
+  ## manager represents the Spin Operator container.
+  manager:
+    ## args are the default arguments to supply to the operator.
+    ## In general, these should be left as-is.
     args:
-    - --secure-listen-address=0.0.0.0:8443
-    - --upstream=http://127.0.0.1:8080/
-    - --logtostderr=true
-    - --v=0
+    - --health-probe-bind-address=:8082
+    - --metrics-bind-address=127.0.0.1:8080
+    - --leader-elect
+    - --enable-webhooks
+    ## containerSecurityContext defines privilege and access control for the
+    ## container.
+    ## See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
     containerSecurityContext:
       allowPrivilegeEscalation: false
       capabilities:
         drop:
         - ALL
+    ## image indicates which repository and tag combination will be used for
+    ## pulling the operator image.
     image:
-      repository: gcr.io/kubebuilder/kube-rbac-proxy
-      tag: v0.15.0
+      repository: ghcr.io/spinkube/spin-operator
+      ## By default, .Chart.AppVersion is used as the tag.
+      ## Updating this value to a version not aligned with the current chart
+      ## version may lead to unexpected or broken behavior.
+      # tag: latest
+    imagePullPolicy: IfNotPresent
+    ## resources represent default cpu/mem limits for the operator container.
     resources:
+      # TODO: update these per https://github.com/spinkube/spin-operator/issues/21
       limits:
         cpu: 500m
         memory: 128Mi
       requests:
-        cpu: 5m
+        cpu: 10m
         memory: 64Mi
-  manager:
+
+  ## kubeRbacProxy handles RBAC authorization with the Kubernetes API server.
+  kubeRbacProxy:
+    ## args are the default arguments to supply to the RBAC proxy.
+    ## In general, these should be left as-is.
     args:
-    - --health-probe-bind-address=:8082
-    - --metrics-bind-address=127.0.0.1:8080
-    - --leader-elect
-    - --enable-webhooks
+    - --secure-listen-address=0.0.0.0:8443
+    - --upstream=http://127.0.0.1:8080/
+    - --logtostderr=true
+    - --v=0
+    ## containerSecurityContext defines privilege and access control for the
+    ## container.
+    ## See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
     containerSecurityContext:
       allowPrivilegeEscalation: false
       capabilities:
         drop:
         - ALL
+    ## image indicates which repository and tag combination will be used for
+    ## pulling the RBAC proxy image.
     image:
-      repository: ghcr.io/spinkube/spin-operator
-      tag: latest
-    imagePullPolicy: IfNotPresent
+      repository: gcr.io/kubebuilder/kube-rbac-proxy
+      tag: v0.15.0
+    ## resources represent default cpu/mem limits for the RBAC proxy container.
     resources:
+      # TODO: update these per https://github.com/spinkube/spin-operator/issues/21
       limits:
         cpu: 500m
         memory: 128Mi
       requests:
-        cpu: 10m
+        cpu: 5m
         memory: 64Mi
+
+  # replicas represent how many pod replicas of the controllerManager to run.
   replicas: 1
+
+  # serviceAccount represents configuration for the controllerManager Service Account.
+  # See https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
   serviceAccount:
     annotations: {}
+
+## kubernetesClusterDomain represents the domain used for service DNS within the cluster.
 kubernetesClusterDomain: cluster.local
+
+## metricsService configuration.
+## This configuration should only be updated in tandem with corresponding
+## controller and RBAC proxy configuration.
 metricsService:
   ports:
   - name: https
     port: 8443
     protocol: TCP
     targetPort: https
   type: ClusterIP
+
+## webhookService configuration.
 webhookService:
   ports:
   - port: 443
     protocol: TCP
     targetPort: 9443
   type: ClusterIP
+
+## Sub-chart(s) configuration
+
+## kwasm-operator configuration overrides can be added below.
+## See https://github.com/KWasm/kwasm-operator/blob/main/charts/kwasm-operator/values.yaml
+# kwasm-operator:

config/chart/README.md

@@ -0,0 +1,10 @@
+This chart directory currently holds files related to the
+[Spin Operator Helm chart](../../charts/spin-operator/) that we inject after
+[helmify](../../README.md#packaging-and-deployment-via-helm) performs chart
+(re-)generation.
+
+As an example, helmify produces an auto-generated
+`values.yaml` but we'd like to provide a more ergonomic and descriptive
+version for users, eg with ample comments.
+
+If we no longer use helmify, this configuration directory can be removed.

config/chart/values.yaml

@@ -0,0 +1,107 @@
+## Spin Operator configuration
+
+## controllerManager represents the Spin Operator deployment.
+controllerManager:
+  ## manager represents the Spin Operator container.
+  manager:
+    ## args are the default arguments to supply to the operator.
+    ## In general, these should be left as-is.
+    args:
+    - --health-probe-bind-address=:8082
+    - --metrics-bind-address=127.0.0.1:8080
+    - --leader-elect
+    - --enable-webhooks
+    ## containerSecurityContext defines privilege and access control for the
+    ## container.
+    ## See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+    containerSecurityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+    ## image indicates which repository and tag combination will be used for
+    ## pulling the operator image.
+    image:
+      repository: ghcr.io/spinkube/spin-operator
+      ## By default, .Chart.AppVersion is used as the tag.
+      ## Updating this value to a version not aligned with the current chart
+      ## version may lead to unexpected or broken behavior.
+      # tag: latest
+    imagePullPolicy: IfNotPresent
+    ## resources represent default cpu/mem limits for the operator container.
+    resources:
+      # TODO: update these per https://github.com/spinkube/spin-operator/issues/21
+      limits:
+        cpu: 500m
+        memory: 128Mi
+      requests:
+        cpu: 10m
+        memory: 64Mi
+
+  ## kubeRbacProxy handles RBAC authorization with the Kubernetes API server.
+  kubeRbacProxy:
+    ## args are the default arguments to supply to the RBAC proxy.
+    ## In general, these should be left as-is.
+    args:
+    - --secure-listen-address=0.0.0.0:8443
+    - --upstream=http://127.0.0.1:8080/
+    - --logtostderr=true
+    - --v=0
+    ## containerSecurityContext defines privilege and access control for the
+    ## container.
+    ## See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+    containerSecurityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+    ## image indicates which repository and tag combination will be used for
+    ## pulling the RBAC proxy image.
+    image:
+      repository: gcr.io/kubebuilder/kube-rbac-proxy
+      tag: v0.15.0
+    ## resources represent default cpu/mem limits for the RBAC proxy container.
+    resources:
+      # TODO: update these per https://github.com/spinkube/spin-operator/issues/21
+      limits:
+        cpu: 500m
+        memory: 128Mi
+      requests:
+        cpu: 5m
+        memory: 64Mi
+
+  # replicas represent how many pod replicas of the controllerManager to run.
+  replicas: 1
+
+  # serviceAccount represents configuration for the controllerManager Service Account.
+  # See https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+  serviceAccount:
+    annotations: {}
+
+## kubernetesClusterDomain represents the domain used for service DNS within the cluster.
+kubernetesClusterDomain: cluster.local
+
+## metricsService configuration.
+## This configuration should only be updated in tandem with corresponding
+## controller and RBAC proxy configuration.
+metricsService:
+  ports:
+  - name: https
+    port: 8443
+    protocol: TCP
+    targetPort: https
+  type: ClusterIP
+
+## webhookService configuration.
+webhookService:
+  ports:
+  - port: 443
+    protocol: TCP
+    targetPort: 9443
+  type: ClusterIP
+
+## Sub-chart(s) configuration
+
+## kwasm-operator configuration overrides can be added below.
+## See https://github.com/KWasm/kwasm-operator/blob/main/charts/kwasm-operator/values.yaml
+# kwasm-operator: