Add lint and dry run checks for the Helm chart

Author: Fawad Khaliq

.gitignore

@@ -6,6 +6,7 @@
 *.so
 *.dylib
 bin
+build
 
 # mkdocs generated live docs
 site

Makefile

@@ -1,4 +1,6 @@
 
+MAKEFILE_PATH = $(dir $(realpath -s $(firstword $(MAKEFILE_LIST))))
+
 # Image URL to use all building/pushing image targets
 IMG ?= amazon/aws-alb-ingress-controller:v2.2.0
 
@@ -14,7 +16,7 @@ endif
 all: controller
 
 # Run tests
-test: generate fmt vet manifests
+test: generate fmt vet manifests helm-lint
 	go test -race ./pkg/... ./webhooks/... -coverprofile cover.out
 
 # Build controller binary
@@ -51,6 +53,9 @@ fmt:
 vet:
 	go vet ./...
 
+helm-lint:
+	${MAKEFILE_PATH}/test/helm/helm-lint.sh
+
 # Generate code
 generate: controller-gen
 	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."

helm/aws-load-balancer-controller/test.yaml

@@ -0,0 +1,181 @@
+# Default values for aws-load-balancer-controller.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 2
+
+image:
+  repository: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller
+  tag: v2.2.0
+  pullPolicy: IfNotPresent
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+# The name of the Kubernetes cluster. A non-empty value is required
+clusterName: test-cluster
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name:
+  # Automount API credentials for a Service Account.
+  automountServiceAccountToken: true
+
+rbac:
+  # Specifies whether rbac resources should be created
+  create: true
+
+podSecurityContext:
+  fsGroup: 65534
+
+securityContext:
+  # capabilities:
+  #   drop:
+  #   - ALL
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  allowPrivilegeEscalation: false
+
+# Time period for the controller pod to do a graceful shutdown
+terminationGracePeriodSeconds: 10
+
+resources:
+  limits:
+    cpu: 100m
+    memory: 128Mi
+  requests:
+    cpu: 100m
+    memory: 128Mi
+
+# priorityClassName specifies the PriorityClass to indicate the importance of controller pods
+# ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+priorityClassName: system-cluster-critical
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+podAnnotations: {}
+
+podLabels: {}
+
+# Enable cert-manager
+enableCertManager: false
+
+# The ingress class this controller will satisfy. If not specified, controller will match all
+# ingresses without ingress class annotation and ingresses of type alb
+ingressClass: alb
+
+# The AWS region for the kubernetes cluster. Set to use KIAM or kube2iam for example.
+region:
+
+# The VPC ID for the Kubernetes cluster. Set this manually when your pods are unable to use the metadata service to determine this automatically
+vpcId:
+
+# Maximum retries for AWS APIs (default 10)
+awsMaxRetries:
+
+# If enabled, targetHealth readiness gate will get injected to the pod spec for the matching endpoint pods (default true)
+enablePodReadinessGateInject:
+
+# Enable Shield addon for ALB (default true)
+enableShield:
+
+# Enable WAF addon for ALB (default true)
+enableWaf:
+
+# Enable WAF V2 addon for ALB (default true)
+enableWafv2:
+
+# Maximum number of concurrently running reconcile loops for ingress (default 3)
+ingressMaxConcurrentReconciles:
+
+# Set the controller log level - info(default), debug (default "info")
+logLevel:
+
+# The address the metric endpoint binds to. (default ":8080")
+metricsBindAddr: ""
+
+# The TCP port the Webhook server binds to. (default 9443)
+webhookBindPort:
+
+# Maximum number of concurrently running reconcile loops for service (default 3)
+serviceMaxConcurrentReconciles:
+
+# Maximum number of concurrently running reconcile loops for targetGroupBinding
+targetgroupbindingMaxConcurrentReconciles:
+
+# Period at which the controller forces the repopulation of its local object stores. (default 1h0m0s)
+syncPeriod:
+
+# Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched.
+watchNamespace:
+
+# disableIngressClassAnnotation disables the usage of kubernetes.io/ingress.class annotation, false by default
+disableIngressClassAnnotation:
+
+# disableIngressGroupNameAnnotation disables the usage of alb.ingress.kubernetes.io/group.name annotation, false by default
+disableIngressGroupNameAnnotation:
+
+# defaultSSLPolicy specifies the default SSL policy to use for TLS/HTTPS listeners
+defaultSSLPolicy:
+
+# Liveness probe configuration for the controller
+livenessProbe:
+  failureThreshold: 2
+  httpGet:
+    path: /healthz
+    port: 61779
+    scheme: HTTP
+  initialDelaySeconds: 30
+  timeoutSeconds: 10
+
+# Environment variables to set for aws-load-balancer-controller pod.
+# We strongly discourage programming access credentials in the controller environment. You should setup IRSA or
+# comparable solutions like kube2iam, kiam etc instead.
+env:
+
+# Specifies if aws-load-balancer-controller should be started in hostNetwork mode.
+#
+# This is required if using a custom CNI where the managed control plane nodes are unable to initiate
+# network connections to the pods, for example using Calico CNI plugin on EKS. This is not required or
+# recommended if using the Amazon VPC CNI plugin.
+hostNetwork: false
+
+# extraVolumeMounts are the additional volume mounts. This enables setting up IRSA on non-EKS Kubernetes cluster
+extraVolumeMounts:
+   - name: aws-iam-token
+     mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
+     readOnly: true
+
+# extraVolumes for the extraVolumeMounts. Useful to mount a projected service account token for example.
+extraVolumes:
+   - name: aws-iam-token
+     projected:
+       defaultMode: 420
+       sources:
+       - serviceAccountToken:
+           audience: sts.amazonaws.com
+           expirationSeconds: 86400
+           path: token
+
+# defaultTags are the tags to apply to all AWS resources managed by this controller
+defaultTags:
+  default_tag1: value1
+  default_tag2: value2
+
+# podDisruptionBudget specifies the disruption budget for the controller pods.
+# Disruption budget will be configured only when the replicaCount is greater than 1
+podDisruptionBudget:
+  maxUnavailable: 1
+
+# externalManagedTags is the list of tag keys on AWS resources that will be managed externally
+externalManagedTags: []

test/helm/helm-lint.sh

@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+set +x
+
+SCRIPTPATH="$( cd "$(dirname "$0")" ; pwd -P )"
+TMP_DIR="$SCRIPTPATH/../../build"
+PLATFORM=$(uname | tr '[:upper:]' '[:lower:]')
+HELM3_VERSION="3.3.1"
+HELM2_VERSION="2.16.10"
+HELM_DIR="${SCRIPTPATH}/../../helm"
+LB_HELM_CHART=${HELM_DIR}/aws-load-balancer-controller
+
+mkdir -p $TMP_DIR
+
+if [ ! -x "$TMP_DIR/helm" ]; then
+    echo " Downloading the \"helm3\" binary"
+    curl -L https://get.helm.sh/helm-v$HELM3_VERSION-$PLATFORM-amd64.tar.gz | tar zxf - -C $TMP_DIR
+    mv $TMP_DIR/$PLATFORM-amd64/helm $TMP_DIR/.
+    chmod +x $TMP_DIR/helm
+    echo " Downloaded the \"helm\" binary"
+fi
+
+if [ ! -x "$TMP_DIR/helm2" ]; then
+    echo " Downloading the \"helm2\" binary"
+    curl -L https://get.helm.sh/helm-v$HELM2_VERSION-$PLATFORM-amd64.tar.gz | tar zxf - -C $TMP_DIR
+    mv $TMP_DIR/$PLATFORM-amd64/helm $TMP_DIR/helm2
+    chmod +x $TMP_DIR/helm2
+    echo " Downloaded the \"helm2\" binary"
+fi
+export PATH=$TMP_DIR:$PATH
+
+echo "=============================================================================="
+echo "                     Linting Helm Chart w/ Helm v3"
+echo "=============================================================================="
+helm lint $LB_HELM_CHART
+
+echo "=============================================================================="
+echo "                     Linting Helm Chart w/ Helm v2"
+echo "=============================================================================="
+helm2 lint $LB_HELM_CHART
+
+echo " Helm Linting for v2 and v3 have successfully completed!"
+
+echo "=============================================================================="
+echo "                   Generate Template w/ Helm v3"
+echo "=============================================================================="
+
+helm template aws-load-balancer-controller "${LB_HELM_CHART}" --debug --namespace=kube-system -f "${LB_HELM_CHART}/test.yaml" > /dev/null
+
+echo "=============================================================================="
+echo "                   Generate Template w/ Helm v2"
+echo "=============================================================================="
+
+helm2 template --name aws-load-balancer-controller "${LB_HELM_CHART}" --debug --namespace=kube-system -f "${LB_HELM_CHART}/test.yaml" > /dev/null
+
+echo " Helm template generation for v2 and v3 have successfully completed!"