Skip to content

ROX-33114: operator helm chart generation #19055

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
porridge merged 5 commits into from
Feb 18, 2026
Merged

ROX-33114: operator helm chart generation #19055

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
6772b47
feat: operator helm chart generation
porridge Feb 17, 2026
d63f431
Running scripts/fixxxers/operator/40-bundle.sh
rhacs-bot Feb 17, 2026
3bcd23e
delete differently
porridge Feb 17, 2026
71d2a26
use sane yq version
porridge Feb 17, 2026
d15ecc3
:facepalm:
porridge Feb 17, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 13 additions & 1 deletion operator/Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -193,6 +193,7 @@ include $(PROJECT_DIR)/../make/gotools.mk
$(call go-tool, CONTROLLER_GEN, sigs.k8s.io/controller-tools/cmd/controller-gen, tools/controller-gen)
$(call go-tool, ENVTEST, sigs.k8s.io/controller-runtime/tools/setup-envtest, tools/envtest)
$(call go-tool, KUSTOMIZE, sigs.k8s.io/kustomize/kustomize/v5, tools/kustomize)
$(call go-tool, KUBEBUILDER, sigs.k8s.io/kubebuilder/v4, tools/kubebuilder)
$(call go-tool, KUTTL, github.com/kudobuilder/kuttl/cmd/kubectl-kuttl, tools/kuttl)
$(call go-tool, YQ, github.com/mikefarah/yq/v4, tools/yq)

Expand All @@ -208,6 +209,9 @@ OPERATOR_SDK_VERSION = $(shell cd tools/operator-sdk; go list -m -f '{{ .Version
.PHONY: kustomize
kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary.

.PHONY: kubebuilder
kubebuilder: $(KUBEBUILDER) ## Download kubebuilder locally if necessary.

.PHONY: controller-gen
controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary.

Expand All @@ -228,7 +232,7 @@ yq: $(YQ) ## Download yq.

.PHONY: parent-proto-generate
parent-proto-generate: ## Make sure ../generated directory has up-to-date content that this operator (transitively) depends upon.
$(MAKE) -C .. proto-generated-srcs
[[ $${ROX_OPERATOR_SKIP_PROTO_GENERATED_SRCS:-false} = true ]] || $(MAKE) -C .. proto-generated-srcs

.PHONY: manifests
manifests: parent-proto-generate controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
Expand Down Expand Up @@ -315,6 +319,14 @@ build-installer: manifests generate kustomize ## Generate a consolidated YAML wi
mkdir -p dist
$(KUSTOMIZE) build build/dist > dist/install.yaml

.PHONY: chart
chart: kubebuilder manifests ## Generate a helm chart with all necessary resources.
# The dependency above makes sure protos are up to date, so we can skip this time-consuming process below
# by specifying the SKIP env var. Otherwise each target that kubebuilder invokes (and there is a bunch) would regen protos.
ROX_OPERATOR_SKIP_PROTO_GENERATED_SRCS=true $(KUBEBUILDER) edit --plugins=helm/v2-alpha --force
sed -i'.bak' -e 's,0.1.0,$(VERSION),g' dist/chart/Chart.yaml
rm -f dist/chart/Chart.yaml.bak

.PHONY: build
build: manifests generate fmt vet ## Build operator local binary.
../scripts/go-build-file.sh ./cmd/main.go bin/manager
Expand Down
3 changes: 3 additions & 0 deletions operator/PROJECT
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,9 @@ domain: stackrox.io
layout:
- go.kubebuilder.io/v4
plugins:
helm.kubebuilder.io/v2-alpha:
manifests: dist/install.yaml
output: dist
manifests.sdk.operatorframework.io/v2: {}
scorecard.sdk.operatorframework.io/v2: {}
projectName: rhacs-operator
Expand Down
3 changes: 2 additions & 1 deletion operator/bundle/manifests/rhacs-operator.clusterserviceversion.yaml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 2 additions & 1 deletion operator/config/manager/manager.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,8 +55,8 @@ spec:
# type: RuntimeDefault
containers:
- args:
- "--health-probe-bind-address=:8081"
- "--metrics-bind-address=0.0.0.0:8443"
- "--health-probe-bind-address=:8081"
- --leader-elect
env:
- name: RELATED_IMAGE_MAIN
Expand All @@ -75,6 +75,7 @@ spec:
containerName: manager
resource: limits.memory
image: controller:latest
imagePullPolicy: IfNotPresent
name: manager
securityContext:
allowPrivilegeEscalation: false
Expand Down
36 changes: 36 additions & 0 deletions operator/tools/kubebuilder/go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
module github.com/stackrox/rox/operator/tools/kubebuilder

go 1.25.7

require sigs.k8s.io/kubebuilder/v4 v4.12.0

require (
github.com/fxamacker/cbor/v2 v2.9.0 // indirect
github.com/go-logr/logr v1.4.3 // indirect
github.com/gobuffalo/flect v1.0.3 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/kr/pretty v0.3.1 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
github.com/spf13/afero v1.15.0 // indirect
github.com/spf13/cobra v1.10.2 // indirect
github.com/spf13/pflag v1.0.10 // indirect
github.com/x448/float16 v0.8.4 // indirect
go.yaml.in/yaml/v2 v2.4.3 // indirect
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/mod v0.33.0 // indirect
golang.org/x/net v0.50.0 // indirect
golang.org/x/sync v0.19.0 // indirect
golang.org/x/text v0.34.0 // indirect
golang.org/x/tools v0.42.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
k8s.io/apimachinery v0.35.1 // indirect
k8s.io/klog/v2 v2.130.1 // indirect
k8s.io/kube-openapi v0.0.0-20260127142750-a19766b6e2d4 // indirect
k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 // indirect
sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
sigs.k8s.io/randfill v1.0.0 // indirect
sigs.k8s.io/structured-merge-diff/v6 v6.3.2 // indirect
sigs.k8s.io/yaml v1.6.0 // indirect
)
113 changes: 113 additions & 0 deletions operator/tools/kubebuilder/go.sum
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions operator/tools/kubebuilder/noop.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
package main

// See https://github.com/stackrox/stackrox/pull/10125#discussion_r1507387689
8 changes: 8 additions & 0 deletions operator/tools/kubebuilder/tool.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
//go:build tools
// +build tools

package main

import (
_ "sigs.k8s.io/kubebuilder/v4"
)
20 changes: 20 additions & 0 deletions scripts/ci/jobs/check-generated.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -84,11 +84,31 @@ function check-operator-generated-files-up-to-date() {
make -C operator/ manifests
echo 'Checking for diffs after making generate and manifests...'
git diff --exit-code HEAD

make -C operator/ bundle
echo 'Checking for diffs after making bundle...'
echo 'If this fails, check if the invocation of the normalize-metadata.py script in operator/Makefile'
echo 'needs to change due to formatting changes in the generated files.'
git diff --exit-code HEAD

# For as long as the helm chart kubebuilder plugin is alpha, we want to check that kubebuilder bumps do not surprise
# us with unexpected divergence compared to the (more seasoned and predictable) manifest output.
make -C operator/ chart
echo 'Expanding the operator helm chart...'
helm template --namespace rhacs-operator-system rhacs-operator ./operator/dist/chart/ > operator/dist/chart.yaml
echo 'Downloading yq...'
make -C operator/ yq
yq=$(make --no-print-directory --silent -C operator/ which-yq)
echo 'Normalizing the manifests...'
# Reorder resources in the files, strip comments, pretty print, and remove expected differences:
# - "resource-policy: keep" on the CRDs in the chart
# - namespace resource in the manifest
$yq -P ea '[.] | sort_by(.kind, .metadata.name) | del(.[].metadata.annotations.["helm.sh/resource-policy"]) | .[] | splitDoc | ... comments=""' \
operator/dist/chart.yaml > operator/dist/chart-sorted.yaml
$yq -P ea '[.] | sort_by(.kind, .metadata.name) | filter(.kind != "Namespace") | .[] | splitDoc | ... comments=""' \
operator/dist/install.yaml > operator/dist/install-sorted.yaml
echo 'Checking for differences between normalized operator manifest and normalized and expanded operator helm chart...'
diff -U 10 operator/dist/install-sorted.yaml operator/dist/chart-sorted.yaml
}
export -f check-operator-generated-files-up-to-date
bash -c check-operator-generated-files-up-to-date || {
Expand Down