Do not overwrite HMC values passed with the initial installation

Makefile

@@ -265,16 +265,12 @@ dev-push: docker-build helm-push
 dev-templates: templates-generate
 	$(KUBECTL) -n $(NAMESPACE) apply -f templates/hmc-templates/files/templates
 
-.PHONY: dev-management
-dev-management: yq
-	$(YQ) '.spec.core.hmc.config += (load("config/dev/hmc_values.yaml"))' config/dev/management.yaml | $(KUBECTL) -n $(NAMESPACE) apply -f -
-
 .PHONY: dev-aws
 dev-aws: yq
 	@$(YQ) e ".data.credentials = \"${AWS_CREDENTIALS}\"" config/dev/awscredentials.yaml | $(KUBECTL) -n $(NAMESPACE) apply -f -
 
 .PHONY: dev-apply
-dev-apply: kind-deploy registry-deploy dev-push dev-deploy dev-templates dev-management dev-aws
+dev-apply: kind-deploy registry-deploy dev-push dev-deploy dev-templates dev-aws
 
 .PHONY: dev-destroy
 dev-destroy: kind-undeploy registry-undeploy

README.md

@@ -12,6 +12,10 @@ or install using `helm`
 
 Then follow the [Deploy a managed cluster](#deploy-a-managed-cluster) guide to create a managed cluster.
 
+> Note: The HMC installation using Kubernetes manifests does not allow customization of the deployment. To apply a custom HMC configuration, install HMC using the Helm chart.
+> deployment. If the custom HMC configuration should be applied, install HMC using
+> the Helm chart.
+
 ### Development guide
 
 See [Install HMC for development purposes](docs/dev.md#hmc-installation-for-development).

api/v1alpha1/management_types.go

@@ -32,6 +32,15 @@ const (
 	ManagementNamespace = "hmc-system"
 )
 
+var DefaultCoreConfiguration = Core{
+	HMC: Component{
+		Template: DefaultCoreHMCTemplate,
+	},
+	CAPI: Component{
+		Template: DefaultCoreCAPITemplate,
+	},
+}
+
 // ManagementSpec defines the desired state of Management
 type ManagementSpec struct {
 	// Core holds the core Management components that are mandatory.
@@ -68,7 +77,7 @@ func (in *Component) HelmValues() (values map[string]interface{}, err error) {
 	return values, err
 }
 
-func (m *ManagementSpec) SetDefaults() {
+func (m *ManagementSpec) SetProvidersDefaults() {
 	m.Providers = []Component{
 		{
 			Template: "k0smotron",

cmd/main.go

@@ -185,6 +185,7 @@ func main() {
 	}
 	if err = mgr.Add(&controller.Poller{
 		Client:                    mgr.GetClient(),
+		Config:                    mgr.GetConfig(),
 		CreateManagement:          createManagement,
 		CreateTemplates:           createTemplates,
 		DefaultOCIRegistry:        defaultOCIRegistry,

config/dev/hmc_values.yaml

@@ -5,5 +5,4 @@ controllerManager:
     args:
     - --default-oci-registry=oci://hmc-local-registry:5000/charts
     - --insecure-registry=true
-    - --create-management=false
     - --create-templates=false

go.mod

@@ -13,6 +13,7 @@ require (
 	github.com/onsi/ginkgo/v2 v2.19.1
 	github.com/onsi/gomega v1.34.1
 	github.com/opencontainers/go-digest v1.0.1-0.20231025023718-d50d2fec9c98
+	github.com/pkg/errors v0.9.1
 	github.com/segmentio/analytics-go v3.1.0+incompatible
 	helm.sh/helm/v3 v3.15.3
 	k8s.io/api v0.30.3
@@ -111,7 +112,6 @@ require (
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/opencontainers/image-spec v1.1.0-rc6 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/prometheus/client_golang v1.19.0 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.53.0 // indirect

internal/controller/management_controller.go

@@ -21,6 +21,7 @@ import (
 	"fmt"
 
 	"github.com/fluxcd/pkg/apis/meta"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -144,18 +145,21 @@ func wrappedComponents(mgmt *hmc.Management) (components []component) {
 func (r *ManagementReconciler) enableAdmissionWebhook(ctx context.Context, mgmt *hmc.Management) error {
 	l := log.FromContext(ctx)
 
-	mgmtComponent := mgmt.Spec.Core.HMC
-	config := map[string]interface{}{}
-	err := json.Unmarshal(mgmtComponent.Config.Raw, &config)
-	if err != nil {
-		return fmt.Errorf("failed to unmarshal HMC config into map[string]interface{}: %v", err)
+	hmcComponent := &mgmt.Spec.Core.HMC
+	config := make(map[string]interface{})
+
+	if hmcComponent.Config != nil {
+		err := json.Unmarshal(hmcComponent.Config.Raw, &config)
+		if err != nil {
+			return fmt.Errorf("failed to unmarshal HMC config into map[string]interface{}: %v", err)
+		}
 	}
 	admissionWebhookValues := make(map[string]interface{})
 	if config["admissionWebhook"] != nil {
 		admissionWebhookValues = config["admissionWebhook"].(map[string]interface{})
 	}
 
-	err = certmanager.VerifyAPI(ctx, r.Config, r.Scheme, hmc.ManagementNamespace)
+	err := certmanager.VerifyAPI(ctx, r.Config, r.Scheme, hmc.ManagementNamespace)
 	if err != nil {
 		return fmt.Errorf("failed to check in the cert-manager API is installed: %v", err)
 	}
@@ -167,7 +171,9 @@ func (r *ManagementReconciler) enableAdmissionWebhook(ctx context.Context, mgmt
 	if err != nil {
 		return fmt.Errorf("failed to marshal HMC config: %v", err)
 	}
-	mgmtComponent.Config.Raw = updatedConfig
+	hmcComponent.Config = &apiextensionsv1.JSON{
+		Raw: updatedConfig,
+	}
 	return nil
 }
 
@@ -176,15 +182,7 @@ func applyDefaultCoreConfiguration(mgmt *hmc.Management) (changed bool) {
 		// Only apply defaults when there's no configuration provided
 		return false
 	}
-	mgmt.Spec.Core = &hmc.Core{
-		HMC: hmc.Component{
-			Template: hmc.DefaultCoreHMCTemplate,
-		},
-		CAPI: hmc.Component{
-			Template: hmc.DefaultCoreCAPITemplate,
-		},
-	}
-
+	mgmt.Spec.Core = &hmc.DefaultCoreConfiguration
 	return true
 }
 

internal/controller/release_controller.go

@@ -16,6 +16,7 @@ package controller
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"time"
 
@@ -25,8 +26,13 @@ import (
 	hcv2 "github.com/fluxcd/helm-controller/api/v2"
 	"github.com/fluxcd/pkg/apis/meta"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	"github.com/pkg/errors"
+	"helm.sh/helm/v3/pkg/action"
+	"helm.sh/helm/v3/pkg/storage/driver"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/rest"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
@@ -44,6 +50,8 @@ const (
 type Poller struct {
 	client.Client
 
+	Config *rest.Config
+
 	CreateManagement bool
 	CreateTemplates  bool
 
@@ -113,8 +121,34 @@ func (p *Poller) ensureManagement(ctx context.Context) error {
 		if !apierrors.IsNotFound(err) {
 			return fmt.Errorf("failed to get %s/%s Management object", hmc.ManagementNamespace, hmc.ManagementName)
 		}
-		mgmtObj.Spec.SetDefaults()
-		err := p.Create(ctx, mgmtObj)
+		mgmtObj.Spec.SetProvidersDefaults()
+
+		getter := helm.NewMemoryRESTClientGetter(p.Config, p.RESTMapper())
+		actionConfig := new(action.Configuration)
+		err = actionConfig.Init(getter, hmc.TemplatesNamespace, "secret", l.Info)
+		if err != nil {
+			return err
+		}
+		release, err := actionConfig.Releases.Last("hmc")
+		if err != nil {
+			if !errors.Is(err, driver.ErrReleaseNotFound) {
+				return err
+			}
+		} else {
+			if len(release.Config) > 0 {
+				values, err := json.Marshal(release.Config)
+				if err != nil {
+					return err
+				}
+				_ = applyDefaultCoreConfiguration(mgmtObj)
+				mgmtObj.Spec.Core = &hmc.DefaultCoreConfiguration
+				mgmtObj.Spec.Core.HMC.Config = &apiextensionsv1.JSON{
+					Raw: values,
+				}
+			}
+		}
+
+		err = p.Create(ctx, mgmtObj)
 		if err != nil {
 			return fmt.Errorf("failed to create %s/%s Management object", hmc.ManagementNamespace, hmc.ManagementName)
 		}

templates/hmc/templates/rbac/rolebindings.yaml

@@ -0,0 +1,30 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "hmc.fullname" . }}-manager-rolebinding
+  labels:
+  {{- include "hmc.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: '{{ include "hmc.fullname" . }}-manager-role'
+subjects:
+- kind: ServiceAccount
+  name: '{{ include "hmc.fullname" . }}-controller-manager'
+  namespace: '{{ .Release.Namespace }}'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "hmc.fullname" . }}-manager-secrets-reader-rolebinding
+  namespace: {{ .Release.Namespace }}
+  labels:
+  {{- include "hmc.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: '{{ include "hmc.fullname" . }}-manager-secrets-reader-role'
+subjects:
+  - kind: ServiceAccount
+    name: '{{ include "hmc.fullname" . }}-controller-manager'
+    namespace: '{{ .Release.Namespace }}'

templates/hmc/templates/rbac/manager-rbac.yaml → templates/hmc/templates/rbac/roles.yaml

@@ -142,16 +142,17 @@ rules:
   - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: Role
 metadata:
-  name: {{ include "hmc.fullname" . }}-manager-rolebinding
+  name: {{ include "hmc.fullname" . }}-manager-secrets-reader-role
+  namespace: {{ .Release.Namespace }}
   labels:
   {{- include "hmc.labels" . | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: '{{ include "hmc.fullname" . }}-manager-role'
-subjects:
-- kind: ServiceAccount
-  name: '{{ include "hmc.fullname" . }}-controller-manager'
-  namespace: '{{ .Release.Namespace }}'
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list