fix: split provider CRs from operator deployment

This commit splits the cluster-api-operator Helm chart into two
separate charts to resolve flaky installations caused by webhook
validation timing issues.

Problem:
- Provider Custom Resources (CoreProvider, BootstrapProvider, etc.)
  were applied at the same time as the operator deployment.
- The webhook service was not yet ready, leading to validation errors:
  "no endpoints available for service 'capi-operator-webhook-service'".

Solution:
- Create two charts:
  1. cluster-api-operator: contains only the operator deployment and
     its resources.
  2. cluster-api-operator-providers: contains all provider Custom
     Resources.
- Installing the operator first allows the webhook to start before
  provider CRs are applied.

Installation now requires:
1. Install operator:
   helm install capi-operator capi-operator/cluster-api-operator \
     --create-namespace -n capi-operator-system --wait --timeout 90s
2. Install providers:
   helm install capi-providers \
     capi-operator/cluster-api-operator-providers \
     -n capi-operator-system \
     --set infrastructure.docker.enabled=true \
     --set cert-manager.enabled=true \
     --set configSecret.name=${CREDENTIALS_SECRET_NAME} \
     --set configSecret.namespace=${CREDENTIALS_SECRET_NAMESPACE}

Fixes: #534
Signed-off-by: kahirokunn <okinakahiro@gmail.com>

Author: kahirokunn

Makefile

@@ -180,6 +180,7 @@ endif
 RELEASE_ALIAS_TAG ?= $(PULL_BASE_REF)
 RELEASE_DIR := $(ROOT)/out
 CHART_DIR := $(RELEASE_DIR)/charts/cluster-api-operator
+CHART_PROVIDERS_DIR := $(RELEASE_DIR)/charts/cluster-api-operator-providers
 CHART_PACKAGE_DIR := $(RELEASE_DIR)/package
 
 # Set --output-base for conversion-gen if we are not within GOPATH
@@ -455,6 +456,9 @@ $(CHART_DIR):
 $(CHART_PACKAGE_DIR):
 	mkdir -p $(CHART_PACKAGE_DIR)
 
+$(CHART_PROVIDERS_DIR):
+	mkdir -p $(CHART_PROVIDERS_DIR)/templates
+
 .PHONY: release
 release: clean-release $(RELEASE_DIR)  ## Builds and push container images using the latest git tag for the commit.
 	@if [ -z "${RELEASE_TAG}" ]; then echo "RELEASE_TAG is not set"; exit 1; fi
@@ -485,11 +489,16 @@ release-manifests: $(KUSTOMIZE) $(RELEASE_DIR) ## Builds the manifests to publis
 	$(KUSTOMIZE) build ./config/default > $(RELEASE_DIR)/operator-components.yaml
 
 .PHONY: release-chart
-release-chart: $(HELM) $(KUSTOMIZE) $(RELEASE_DIR) $(CHART_DIR) $(CHART_PACKAGE_DIR) ## Builds the chart to publish with a release
+release-chart: $(HELM) $(KUSTOMIZE) $(RELEASE_DIR) $(CHART_DIR) $(CHART_PROVIDERS_DIR) $(CHART_PACKAGE_DIR) ## Builds the chart to publish with a release
+	# cluster-api-operator チャートの処理
 	cp -rf $(ROOT)/hack/charts/cluster-api-operator/. $(CHART_DIR)
 	$(KUSTOMIZE) build ./config/chart > $(CHART_DIR)/templates/operator-components.yaml
 	$(HELM) package $(CHART_DIR) --app-version=$(HELM_CHART_TAG) --version=$(HELM_CHART_TAG) --destination=$(CHART_PACKAGE_DIR)
 
+	# cluster-api-operator-providers チャートの処理
+	cp -rf $(ROOT)/hack/charts/cluster-api-operator-providers/. $(CHART_PROVIDERS_DIR)
+	$(HELM) package $(CHART_PROVIDERS_DIR) --app-version=$(HELM_CHART_TAG) --version=$(HELM_CHART_TAG) --destination=$(CHART_PACKAGE_DIR)
+
 .PHONY: release-staging
 release-staging: ## Builds and push container images and manifests to the staging bucket.
 	$(MAKE) docker-build-all

hack/charts/cluster-api-operator-providers/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

hack/charts/cluster-api-operator-providers/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: cluster-api-operator-providers
+description: Cluster API Provider Custom Resources
+type: application
+version: 0.0.0
+appVersion: "0.0.0"

hack/charts/cluster-api-operator-providers/templates/_helpers.tpl

@@ -0,0 +1,24 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "capi-operator.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "capi-operator.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}

hack/charts/cluster-api-operator/templates/addon.yaml renamed to hack/charts/cluster-api-operator-providers/templates/addon.yaml

@@ -0,0 +1,65 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "type": "object",
+  "properties": {
+    "core": {
+      "oneOf": [
+        { "type": "object" },
+        { "type": "null" }
+      ]
+    },
+    "bootstrap": {
+      "type": "object",
+      "oneOf": [
+        { "type": "object" },
+        { "type": "null" }
+      ]
+    },
+    "controlPlane": {
+      "type": "object",
+      "oneOf": [
+        { "type": "object" },
+        { "type": "null" }
+      ]
+    },
+    "infrastructure": {
+      "type": "object",
+      "oneOf": [
+        { "type": "object" },
+        { "type": "null" }
+      ]
+    },
+    "addon": {
+      "type": "object",
+      "oneOf": [
+        { "type": "object" },
+        { "type": "null" }
+      ]
+    },
+    "ipam": {
+      "type": "object",
+      "oneOf": [
+        { "type": "object" },
+        { "type": "null" }
+      ]
+    },
+    "manager": {
+      "type": "object",
+      "properties": {
+        "featureGates": {
+          "type": "object"
+        }
+      }
+    },
+    "fetchConfig": {
+      "type": "object"
+    },
+    "configSecret": {
+      "type": "object"
+    },
+    "enableHelmHook": {
+      "type": "boolean",
+      "default": false
+    }
+  }
+}

hack/charts/cluster-api-operator/templates/bootstrap.yaml renamed to hack/charts/cluster-api-operator-providers/templates/bootstrap.yaml

@@ -0,0 +1,48 @@
+---
+# Cluster API provider options
+core: {}
+# cluster-api: {}         # Name, required
+#   namespace: ""         # Optional
+#   version: ""           # Optional
+#   createNamespace: true # Optional
+bootstrap: {}
+# kubeadm: {}             # Name, required
+#   namespace: ""         # Optional
+#   version: ""           # Optional
+#   createNamespace: true # Optional
+controlPlane: {}
+# kubeadm: {}             # Name, required
+#   namespace: ""         # Optional
+#   version: ""           # Optional
+#   createNamespace: true # Optional
+infrastructure: {}
+# docker: {}              # Name, required
+#   namespace: ""         # Optional
+#   version: ""           # Optional
+#   createNamespace: true # Optional
+addon: {}
+# helm: {}                # Name, required
+#   namespace: ""         # Optional
+#   version: ""           # Optional
+#   createNamespace: true # Optional
+ipam: {}
+# in-cluster: {}          # Name, required
+#   namespace: ""         # Optional
+#   version: ""           # Optional
+#   createNamespace: true # Optional
+manager:
+  featureGates: {}
+# Configuration for enabling feature gates in different providers
+# manager:
+#   featureGates:
+#     proxmox: # Name of the provider
+#       ClusterTopology: true
+#     core:
+#       ClusterTopology: true
+#     kubeadm:
+#       ClusterTopology: true
+fetchConfig: {}
+# ---
+# Common configuration secret options
+configSecret: {}
+enableHelmHook: false  # Provider CRsではHookは不要

hack/charts/cluster-api-operator/templates/control-plane.yaml renamed to hack/charts/cluster-api-operator-providers/templates/control-plane.yaml

@@ -2,46 +2,154 @@
   "$schema": "http://json-schema.org/draft-07/schema#",
   "type": "object",
   "properties": {
-    "core": {
-      "oneOf": [
-        { "type": "object" },
-        { "type": "null" }
-      ]
+    "logLevel": {
+      "type": "integer",
+      "default": 2
     },
-    "bootstrap": {
+    "replicaCount": {
+      "type": "integer",
+      "default": 1
+    },
+    "leaderElection": {
       "type": "object",
-      "oneOf": [
-        { "type": "object" },
-        { "type": "null" }
-      ]
+      "properties": {
+        "enabled": {
+          "type": "boolean",
+          "default": true
+        },
+        "leaseDuration": {
+          "type": "string"
+        },
+        "renewDeadline": {
+          "type": "string"
+        },
+        "retryPeriod": {
+          "type": "string"
+        }
+      }
     },
-    "controlPlane": {
+    "image": {
       "type": "object",
-      "oneOf": [
-        { "type": "object" },
-        { "type": "null" }
-      ]
+      "properties": {
+        "manager": {
+          "type": "object",
+          "properties": {
+            "repository": {
+              "type": "string"
+            },
+            "tag": {
+              "type": "string"
+            },
+            "pullPolicy": {
+              "type": "string",
+              "enum": ["Always", "IfNotPresent", "Never"]
+            },
+            "registry": {
+              "type": "string"
+            },
+            "digest": {
+              "type": "string"
+            }
+          }
+        }
+      }
     },
-    "infrastructure": {
+    "env": {
       "type": "object",
-      "oneOf": [
-        { "type": "object" },
-        { "type": "null" }
-      ]
+      "properties": {
+        "manager": {
+          "type": "array"
+        }
+      }
+    },
+    "diagnosticsAddress": {
+      "type": "string",
+      "default": ":8443"
+    },
+    "healthAddr": {
+      "type": "string",
+      "default": ":9440"
+    },
+    "profilerAddress": {
+      "type": "string",
+      "default": ":6060"
+    },
+    "contentionProfiling": {
+      "type": "boolean",
+      "default": false
+    },
+    "insecureDiagnostics": {
+      "type": "boolean",
+      "default": false
     },
-    "addon": {
+    "watchConfigSecret": {
+      "type": "boolean",
+      "default": false
+    },
+    "imagePullSecrets": {
+      "type": "object"
+    },
+    "resources": {
       "type": "object",
-      "oneOf": [
-        { "type": "object" },
-        { "type": "null" }
-      ]
+      "properties": {
+        "manager": {
+          "type": "object"
+        }
+      }
+    },
+    "containerSecurityContext": {
+      "type": "object"
+    },
+    "affinity": {
+      "type": "object"
+    },
+    "tolerations": {
+      "type": "array"
+    },
+    "volumes": {
+      "type": "array"
     },
-    "ipam": {
+    "volumeMounts": {
       "type": "object",
-      "oneOf": [
-        { "type": "object" },
-        { "type": "null" }
-      ]
+      "properties": {
+        "manager": {
+          "type": "array"
+        }
+      }
+    },
+    "enableHelmHook": {
+      "type": "boolean",
+      "default": true
+    },
+    "deploymentLabels": {
+      "type": "object"
+    },
+    "deploymentAnnotations": {
+      "type": "object"
+    },
+    "podLabels": {
+      "type": "object"
+    },
+    "podAnnotations": {
+      "type": "object"
+    },
+    "securityContext": {
+      "type": "object"
+    },
+    "strategy": {
+      "type": "object"
+    },
+    "nodeSelector": {
+      "type": "object"
+    },
+    "topologySpreadConstraints": {
+      "type": "array"
+    },
+    "podDnsPolicy": {
+      "type": "string"
+    },
+    "podDnsConfig": {
+      "type": "object"
     }
   }
 }