Move all global helm values to top-level

 - Global is a historic leftover from when we had subcharts so the
   values in global should be at the top-level instead

[#2650]

Co-authored-by: Matt Royal <mroyal@vmware.com>

INSTALL.EKS.md

@@ -256,14 +256,14 @@ Use the following Helm command to install Korifi:
 ```sh
 helm install korifi https://github.com/cloudfoundry/korifi/releases/download/v<VERSION>/korifi-<VERSION>.tgz \
   --namespace="$KORIFI_NAMESPACE" \
-  --set=global.generateIngressCertificates=true \
-  --set=global.rootNamespace="${ROOT_NAMESPACE}" \
+  --set=generateIngressCertificates=true \
+  --set=rootNamespace="${ROOT_NAMESPACE}" \
   --set=adminUserName="${ADMIN_USERNAME}" \
   --set=api.apiServer.url="api.${BASE_DOMAIN}" \
-  --set=global.defaultAppDomainName="apps.${BASE_DOMAIN}" \
-  --set=global.containerRepositoryPrefix="${ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${CLUSTER_NAME}/" \
-  --set=global.containerRegistrySecrets={} \
-  --set=global.eksContainerRegistryRoleARN="${ECR_ROLE_ARN}" \
+  --set=defaultAppDomainName="apps.${BASE_DOMAIN}" \
+  --set=containerRepositoryPrefix="${ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${CLUSTER_NAME}/" \
+  --set=containerRegistrySecrets={} \
+  --set=eksContainerRegistryRoleARN="${ECR_ROLE_ARN}" \
   --set=kpackImageBuilder.builderRepository="${KPACK_BUILDER_REPO}" \
   --wait
 ```

INSTALL.kind.md

@@ -64,9 +64,9 @@ No changes here, follow the [common instructions](./INSTALL.md#install-korifi).
 If using DockerHub as recommended above, set the following values:
 
 -   `kpackImageBuilder.builderRepository`: `index.docker.io/<username>/kpack-builder`;
--   `global.containerRepositoryPrefix`: `index.docker.io/<username>/`;
+-   `containerRepositoryPrefix`: `index.docker.io/<username>/`;
 
-Remember to set `global.generateIngressCertificates` to `true` if you want to use self-signed TLS certificates.
+Remember to set `generateIngressCertificates` to `true` if you want to use self-signed TLS certificates.
 
 If `$KORIFI_NAMESPACE` doesn't exist yet, you can add the `--create-namespace` flag to the `helm` invocation.
 

INSTALL.md

@@ -123,9 +123,9 @@ Make sure the value of `--docker-server` is a valid [URI authority](https://data
 
 ### TLS certificates
 
-Self-signed TLS certificates are generated automatically by the installation if `global.generateIngressCertificates` has been set to `true`.
+Self-signed TLS certificates are generated automatically by the installation if `generateIngressCertificates` has been set to `true`.
 
-If you want to generate certificates yourself, you should not set the `global.generateIngressCertificates` value, and instead provide your certificates to Korifi by creating two TLS secrets in `$KORIFI_NAMESPACE`:
+If you want to generate certificates yourself, you should not set the `generateIngressCertificates` value, and instead provide your certificates to Korifi by creating two TLS secrets in `$KORIFI_NAMESPACE`:
 
 1. `korifi-api-ingress-cert`;
 1. `korifi-workloads-ingress-cert`.
@@ -139,7 +139,7 @@ kubectl --namespace "$KORIFI_NAMESPACE" create secret generic <registry-ca-secre
     --from-file=ca.crt=</path/to/ca-certificate>
 ```
 
-You can then specify the `<registry-ca-secret-name>` using the `global.containerRegistryCACertSecret`.
+You can then specify the `<registry-ca-secret-name>` using the `containerRegistryCACertSecret`.
 
 > **Warning**
 > Kpack does not support self-signed/internal CA configuration out of the box (see [pivotal/kpack#207](https://github.com/pivotal/kpack/issues/207)).
@@ -156,17 +156,17 @@ For example:
 ```sh
 helm install korifi https://github.com/cloudfoundry/korifi/releases/download/v<VERSION>/korifi-<VERSION>.tgz \
     --namespace="$KORIFI_NAMESPACE" \
-    --set=global.generateIngressCertificates=true \
-    --set=global.rootNamespace="$ROOT_NAMESPACE" \
+    --set=generateIngressCertificates=true \
+    --set=rootNamespace="$ROOT_NAMESPACE" \
     --set=adminUserName="$ADMIN_USERNAME" \
     --set=api.apiServer.url="api.$BASE_DOMAIN" \
-    --set=global.defaultAppDomainName="apps.$BASE_DOMAIN" \
-    --set=global.containerRepositoryPrefix=europe-docker.pkg.dev/my-project/korifi/ \
+    --set=defaultAppDomainName="apps.$BASE_DOMAIN" \
+    --set=containerRepositoryPrefix=europe-docker.pkg.dev/my-project/korifi/ \
     --set=kpackImageBuilder.builderRepository=europe-docker.pkg.dev/my-project/korifi/kpack-builder \
     --wait
 ```
 
-`global.containerRepositoryPrefix` is used to determine the container repository for the package and droplet images produced by Korifi.
+`containerRepositoryPrefix` is used to determine the container repository for the package and droplet images produced by Korifi.
 In particular, the app GUID and image type (`packages` or `droplets`) are appended to form the name of the repository.
 For example:
 
@@ -200,7 +200,7 @@ Make sure your ingress targets a service with name `korifi-api-svc` and port `44
 Create DNS entries for the Korifi API and for the apps running on Korifi. They should match the Helm values used to [deploy Korifi](#deploy-korifi):
 
 -   The Korifi API entry should match the `api.apiServer.url` value. In our example, that would be `api.korifi.example.org`.
--   The apps entry should be a wildcard matching the `global.defaultAppDomainName` value. In our example, `*.apps.korifi.example.org`.
+-   The apps entry should be a wildcard matching the `defaultAppDomainName` value. In our example, `*.apps.korifi.example.org`.
 
 The DNS entries should point to the load balancer endpoint created by Contour when installed. To discover your endpoint, run:
 

README.helm.md

@@ -9,19 +9,6 @@ See [_Customizing the Chart Before Installing_](https://helm.sh/docs/intro/using
 
 Here are all the values that can be set for the chart:
 
-- `global`: Global values that are shared between Korifi and its subcharts.
-  - `containerRegistrySecret` (_String_): Deprecated in favor of containerRegistrySecrets.
-  - `containerRegistrySecrets` (_Array_): List of `Secret` names to use when pushing or pulling from package, droplet and kpack builder repositories. Required if eksContainerRegistryRoleARN not set. Ignored if eksContainerRegistryRoleARN is set.
-  - `containerRepositoryPrefix` (_String_): The prefix of the container repository where package and droplet images will be pushed. This is suffixed with the app GUID and `-packages` or `-droplets`. For example, a value of `index.docker.io/korifi/` will result in `index.docker.io/korifi/<appGUID>-packages` and `index.docker.io/korifi/<appGUID>-droplets` being pushed.
-  - `debug` (_Boolean_): Enables remote debugging with [Delve](https://github.com/go-delve/delve).
-  - `defaultAppDomainName` (_String_): Base domain name for application URLs.
-  - `eksContainerRegistryRoleARN` (_String_): Amazon Resource Name (ARN) of the IAM role to use to access the ECR registry from an EKS deployed Korifi. Required if containerRegistrySecret not set.
-  - `generateIngressCertificates` (_Boolean_): Use `cert-manager` to generate self-signed certificates for the API and app endpoints.
-  - `logLevel` (_String_): Sets level of logging for api and controllers components. Can be 'info' or 'debug'.
-  - `reconcilers`:
-    - `app` (_String_): ID of the workload runner to set on all `AppWorkload` objects. Defaults to `statefulset-runner`.
-    - `build` (_String_): ID of the image builder to set on all `BuildWorkload` objects. Defaults to `kpack-image-builder`.
-  - `rootNamespace` (_String_): Root of the Cloud Foundry namespace hierarchy.
 - `adminUserName` (_String_): Name of the admin user that will be bound to the Cloud Foundry Admin role.
 - `api`:
   - `apiServer`:
@@ -51,6 +38,9 @@ Here are all the values that can be set for the chart:
       - `cpu` (_String_): CPU request.
       - `memory` (_String_): Memory request.
   - `userCertificateExpirationWarningDuration` (_String_): Issue a warning if the user certificate provided for login has a long expiry. See [`time.ParseDuration`](https://pkg.go.dev/time#ParseDuration) for details on the format.
+- `containerRegistrySecret` (_String_): Deprecated in favor of containerRegistrySecrets.
+- `containerRegistrySecrets` (_Array_): List of `Secret` names to use when pushing or pulling from package, droplet and kpack builder repositories. Required if eksContainerRegistryRoleARN not set. Ignored if eksContainerRegistryRoleARN is set.
+- `containerRepositoryPrefix` (_String_): The prefix of the container repository where package and droplet images will be pushed. This is suffixed with the app GUID and `-packages` or `-droplets`. For example, a value of `index.docker.io/korifi/` will result in `index.docker.io/korifi/<appGUID>-packages` and `index.docker.io/korifi/<appGUID>-droplets` being pushed.
 - `contourRouter`:
   - `include` (_Boolean_): Deploy the `contour-router` component.
 - `controllers`:
@@ -72,6 +62,10 @@ Here are all the values that can be set for the chart:
       - `memory` (_String_): Memory request.
   - `taskTTL` (_String_): How long before the `CFTask` object is deleted after the task has completed. See [`time.ParseDuration`](https://pkg.go.dev/time#ParseDuration) for details on the format, an additional `d` suffix for days is supported.
   - `workloadsTLSSecret` (_String_): TLS secret used when setting up an app routes.
+- `debug` (_Boolean_): Enables remote debugging with [Delve](https://github.com/go-delve/delve).
+- `defaultAppDomainName` (_String_): Base domain name for application URLs.
+- `eksContainerRegistryRoleARN` (_String_): Amazon Resource Name (ARN) of the IAM role to use to access the ECR registry from an EKS deployed Korifi. Required if containerRegistrySecret not set.
+- `generateIngressCertificates` (_Boolean_): Use `cert-manager` to generate self-signed certificates for the API and app endpoints.
 - `helm`:
   - `hooksImage` (_String_): Image for the helm hooks containing kubectl
 - `jobTaskRunner`:
@@ -101,6 +95,11 @@ Here are all the values that can be set for the chart:
     - `requests`: Resource requests.
       - `cpu` (_String_): CPU request.
       - `memory` (_String_): Memory request.
+- `logLevel` (_String_): Sets level of logging for api and controllers components. Can be 'info' or 'debug'.
+- `reconcilers`:
+  - `app` (_String_): ID of the workload runner to set on all `AppWorkload` objects. Defaults to `statefulset-runner`.
+  - `build` (_String_): ID of the image builder to set on all `BuildWorkload` objects. Defaults to `kpack-image-builder`.
+- `rootNamespace` (_String_): Root of the Cloud Foundry namespace hierarchy.
 - `stagingRequirements`:
   - `buildCacheMB` (_Integer_): Persistent disk in MB for caching staging artifacts across builds.
   - `diskMB` (_Integer_): Ephemeral Disk request in MB for staging apps.

api/Makefile

@@ -42,7 +42,7 @@ manifests: install-controller-gen install-yq
 		output:rbac:artifacts:config=../helm/korifi/api \
 		rbac:roleName=korifi-api-system-role
 
-	$(YQ) -i 'with(.metadata | select(.namespace == "ROOT_NAMESPACE"); .namespace="{{ .Values.global.rootNamespace }}")' ../helm/korifi/api/role.yaml
+	$(YQ) -i 'with(.metadata | select(.namespace == "ROOT_NAMESPACE"); .namespace="{{ .Values.rootNamespace }}")' ../helm/korifi/api/role.yaml
 
 test: install-ginkgo
 	../scripts/run-tests.sh --skip-package=test

helm/korifi/api/configmap.yaml

@@ -12,35 +12,35 @@ data:
     readTimeout: {{ .Values.api.apiServer.timeouts.read }}
     readHeaderTimeout: {{ .Values.api.apiServer.timeouts.readHeader }}
     writeTimeout: {{ .Values.api.apiServer.timeouts.write }}
-    rootNamespace: {{ .Values.global.rootNamespace }}
-    builderName: {{ .Values.global.reconcilers.build }}
-    runnerName: {{ .Values.global.reconcilers.run }}
+    rootNamespace: {{ .Values.rootNamespace }}
+    builderName: {{ .Values.reconcilers.build }}
+    runnerName: {{ .Values.reconcilers.run }}
     defaultLifecycleConfig:
       type: {{ .Values.api.lifecycle.type }}
       stack: {{ .Values.api.lifecycle.stack }}
       stagingMemoryMB: {{ .Values.stagingRequirements.memoryMB }}
-    containerRepositoryPrefix: {{ .Values.global.containerRepositoryPrefix | quote }}
-    {{- if not .Values.global.eksContainerRegistryRoleARN }}
-    {{- if .Values.global.containerRegistrySecrets }}
+    containerRepositoryPrefix: {{ .Values.containerRepositoryPrefix | quote }}
+    {{- if not .Values.eksContainerRegistryRoleARN }}
+    {{- if .Values.containerRegistrySecrets }}
     packageRegistrySecretNames:
-    {{- range .Values.global.containerRegistrySecrets }}
+    {{- range .Values.containerRegistrySecrets }}
     - {{ . | quote }}
     {{- end }}
-    {{- else if .Values.global.containerRegistrySecret }}
+    {{- else if .Values.containerRegistrySecret }}
     packageRegistrySecretNames:
-    - {{ .Values.global.containerRegistrySecret | quote }}
+    - {{ .Values.containerRegistrySecret | quote }}
     {{- else }}
-    {{ required "global.containerRegistrySecrets is required when global.eksContainerRegistryRoleARN is not set" .Values.global.containerRegistrySecrets }}
+    {{ required "containerRegistrySecrets is required when eksContainerRegistryRoleARN is not set" .Values.containerRegistrySecrets }}
     {{- end }}
     {{- end }}
-    defaultDomainName: {{ .Values.global.defaultAppDomainName }}
+    defaultDomainName: {{ .Values.defaultAppDomainName }}
     userCertificateExpirationWarningDuration: {{ .Values.api.userCertificateExpirationWarningDuration }}
     {{- if .Values.api.authProxy }}
     authProxyHost: {{ .Values.api.authProxy.host | quote }}
     authProxyCACert: {{ .Values.api.authProxy.caCert | quote }}
     {{- end }}
-    logLevel: {{ .Values.global.logLevel }}
-    {{- if .Values.global.eksContainerRegistryRoleARN }}
+    logLevel: {{ .Values.logLevel }}
+    {{- if .Values.eksContainerRegistryRoleARN }}
     containerRegistryType: "ECR"
     {{- end }}
   role_mappings_config.yaml: |

helm/korifi/api/deployment.yaml

@@ -24,7 +24,7 @@ spec:
         - name: TLSCONFIG
           value: /etc/korifi-tls-config
         image: {{ .Values.api.image }}
-{{- if .Values.global.debug }}
+{{- if .Values.debug }}
         command:
         - "/dlv"
         args:
@@ -49,7 +49,7 @@ spec:
         - mountPath: /etc/korifi-tls-config
           name: korifi-tls-config
           readOnly: true
-{{- if .Values.global.containerRegistryCACertSecret }}
+{{- if .Values.containerRegistryCACertSecret }}
         - mountPath: /etc/ssl/certs/registry-ca.crt
           name: korifi-registry-ca-cert
           subPath: ca.crt
@@ -64,8 +64,8 @@ spec:
       - name: korifi-tls-config
         secret:
           secretName: korifi-api-internal-cert
-{{- if .Values.global.containerRegistryCACertSecret }}
+{{- if .Values.containerRegistryCACertSecret }}
       - name: korifi-registry-ca-cert
         secret:
-          secretName: {{ .Values.global.containerRegistryCACertSecret }}
+          secretName: {{ .Values.containerRegistryCACertSecret }}
 {{- end }}

helm/korifi/api/ingress-cert.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.global.generateIngressCertificates }}
+{{- if .Values.generateIngressCertificates }}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:

helm/korifi/api/rbac.yaml

@@ -3,9 +3,9 @@ kind: ServiceAccount
 metadata:
   name: korifi-api-system-serviceaccount
   namespace: {{ .Release.Namespace }}
-  {{- if .Values.global.eksContainerRegistryRoleARN }}
+  {{- if .Values.eksContainerRegistryRoleARN }}
   annotations:
-    eks.amazonaws.com/role-arn: {{ .Values.global.eksContainerRegistryRoleARN }}
+    eks.amazonaws.com/role-arn: {{ .Values.eksContainerRegistryRoleARN }}
   {{- end }}
 
 ---
@@ -27,7 +27,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: korifi-api-system-rolebinding
-  namespace: {{ .Values.global.rootNamespace }}
+  namespace: {{ .Values.rootNamespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role

helm/korifi/api/role.yaml

@@ -52,7 +52,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: korifi-api-system-role
-  namespace: '{{ .Values.global.rootNamespace }}'
+  namespace: '{{ .Values.rootNamespace }}'
 rules:
   - apiGroups:
       - ""

helm/korifi/api/service.yaml

@@ -18,7 +18,7 @@ spec:
   type: ClusterIP
 
 ---
-{{- if .Values.global.debug }}
+{{- if .Values.debug }}
 apiVersion: v1
 kind: Service
 metadata:

helm/korifi/controllers/configmap.yaml

@@ -9,21 +9,21 @@ data:
     includeJobTaskRunner: {{ .Values.jobTaskRunner.include }}
     includeStatefulsetRunner: {{ .Values.statefulsetRunner.include }}
     includeContourRouter: {{ .Values.contourRouter.include }}
-    builderName: {{ .Values.global.reconcilers.build }}
-    runnerName: {{ .Values.global.reconcilers.run }}
+    builderName: {{ .Values.reconcilers.build }}
+    runnerName: {{ .Values.reconcilers.run }}
     cfProcessDefaults:
       memoryMB: {{ .Values.controllers.processDefaults.memoryMB }}
       diskQuotaMB: {{ .Values.controllers.processDefaults.diskQuotaMB }}
-    cfRootNamespace: {{ .Values.global.rootNamespace }}
-    {{- if not .Values.global.eksContainerRegistryRoleARN }}
-    {{- if .Values.global.containerRegistrySecrets }}
+    cfRootNamespace: {{ .Values.rootNamespace }}
+    {{- if not .Values.eksContainerRegistryRoleARN }}
+    {{- if .Values.containerRegistrySecrets }}
     containerRegistrySecretNames:
-    {{- range .Values.global.containerRegistrySecrets }}
+    {{- range .Values.containerRegistrySecrets }}
     - {{ . | quote }}
     {{- end }}
     {{- else }}
     containerRegistrySecretNames:
-    - {{ .Values.global.containerRegistrySecret | quote }}
+    - {{ .Values.containerRegistrySecret | quote }}
     {{- end }}
     {{- end }}
     taskTTL: {{ .Values.controllers.taskTTL }}
@@ -40,17 +40,17 @@ data:
     {{- end }}
     maxRetainedPackagesPerApp: {{ .Values.controllers.maxRetainedPackagesPerApp }}
     maxRetainedBuildsPerApp: {{ .Values.controllers.maxRetainedBuildsPerApp }}
-    logLevel: {{ .Values.global.logLevel }}
+    logLevel: {{ .Values.logLevel }}
     {{- if .Values.kpackImageBuilder.include }}
     clusterBuilderName: {{ .Values.kpackImageBuilder.clusterBuilderName | default "cf-kpack-cluster-builder" }}
     builderReadinessTimeout: {{ required "builderReadinessTimeout is required" .Values.kpackImageBuilder.builderReadinessTimeout }}
-    containerRepositoryPrefix: {{ .Values.global.containerRepositoryPrefix | quote }}
+    containerRepositoryPrefix: {{ .Values.containerRepositoryPrefix | quote }}
     builderServiceAccount: kpack-service-account
     cfStagingResources:
       buildCacheMB: {{ .Values.stagingRequirements.buildCacheMB }}
       diskMB: {{ .Values.stagingRequirements.diskMB }}
       memoryMB: {{ .Values.stagingRequirements.memoryMB }}
-    {{- if .Values.global.eksContainerRegistryRoleARN }}
+    {{- if .Values.eksContainerRegistryRoleARN }}
     containerRegistryType: "ECR"
     {{- end }}
     {{- end }}

helm/korifi/controllers/deployment.yaml

@@ -27,7 +27,7 @@ spec:
         - name: CONTROLLERSCONFIG
           value: /etc/korifi-controllers-config
         image: {{ .Values.controllers.image }}
-{{- if .Values.global.debug }}
+{{- if .Values.debug }}
         command:
         - "/dlv"
         args:

helm/korifi/controllers/ingress-cert.yaml

@@ -1,13 +1,13 @@
-{{- if .Values.global.generateIngressCertificates }}
+{{- if .Values.generateIngressCertificates }}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: korifi-workloads-ingress-cert
   namespace: {{ .Release.Namespace }}
 spec:
-  commonName: \*.{{ .Values.global.defaultAppDomainName }}
+  commonName: \*.{{ .Values.defaultAppDomainName }}
   dnsNames:
-  - \*.{{ .Values.global.defaultAppDomainName }}
+  - \*.{{ .Values.defaultAppDomainName }}
   issuerRef:
     kind: Issuer
     name: selfsigned-issuer

helm/korifi/controllers/post-install-app-domain.yaml

@@ -42,11 +42,11 @@ spec:
         - sh
         - -c
         - |
-          cat <<EOF | kubectl -n {{ .Values.global.rootNamespace }} apply -f -
+          cat <<EOF | kubectl -n {{ .Values.rootNamespace }} apply -f -
           apiVersion: korifi.cloudfoundry.org/v1alpha1
           kind: CFDomain
           metadata:
             name: default-domain
           spec:
-            name: {{ .Values.global.defaultAppDomainName }}
+            name: {{ .Values.defaultAppDomainName }}
           EOF

helm/korifi/controllers/rbac.yaml

@@ -3,9 +3,9 @@ kind: ServiceAccount
 metadata:
   name: korifi-controllers-controller-manager
   namespace: {{ .Release.Namespace }}
-  {{- if .Values.global.eksContainerRegistryRoleARN }}
+  {{- if .Values.eksContainerRegistryRoleARN }}
   annotations:
-    eks.amazonaws.com/role-arn: {{ .Values.global.eksContainerRegistryRoleARN }}
+    eks.amazonaws.com/role-arn: {{ .Values.eksContainerRegistryRoleARN }}
   {{- end }}
 
 ---

helm/korifi/controllers/service.yaml

@@ -10,7 +10,7 @@ spec:
   selector:
     app: korifi-controllers
 
-{{- if .Values.global.debug }}
+{{- if .Values.debug }}
 ---
 apiVersion: v1
 kind: Service