Merge pull request #2736 from justinsb/propose_version

chore: create a script for updating the version

config/installbundle/releases/scopes/cluster/autopilot-withsecretvolume/kustomization.yaml

@@ -16,5 +16,5 @@ namespace: cnrm-system
 resources:
   - ../withsecretvolume
 patches:
-  - hostnetwork_patch.yaml
+  - path: hostnetwork_patch.yaml
 

config/installbundle/releases/scopes/cluster/autopilot-withworkloadidentity/kustomization.yaml

@@ -16,5 +16,5 @@ namespace: cnrm-system
 resources:
   - ../withworkloadidentity
 patches:
-  - hostnetwork_patch.yaml
+  - path: hostnetwork_patch.yaml
 

config/installbundle/releases/scopes/namespaced/autopilot-shared-components/kustomization.yaml

@@ -16,5 +16,5 @@ namespace: cnrm-system
 resources:
   - ../shared-components
 patches:
-  - hostnetwork_patch.yaml
+  - path: hostnetwork_patch.yaml
 

dev/tasks/build-release-bundle

@@ -44,7 +44,31 @@ echo ${VERSION} > ${BUNDLE_DIR}/version
 # Create temp crds.yaml file
 CRDS_FILE=$(mktemp -t crds.XXXXXXXX.yaml)
 
+# Update container registry for kustomize
+IMAGE_PREFIX=${IMAGE_PREFIX:-"gcr.io/gke-release/cnrm/"}
+IMAGE_TAG=${IMAGE_TAG:-${VERSION}}
+
+RECORDER_IMG=${RECORDER_IMG:-"${IMAGE_PREFIX}recorder:${IMAGE_TAG}"}
+WEBHOOK_IMG=${WEBHOOK_IMG:-"${IMAGE_PREFIX}webhook:${IMAGE_TAG}"}
+UNMANAGEDDETECTOR_IMG=${UNMANAGEDDETECTOR_IMG:-"${IMAGE_PREFIX}unmanageddetector:${IMAGE_TAG}"}
+DELETIONDEFENDER_IMG=${DELETIONDEFENDER_IMG:-"${IMAGE_PREFIX}deletiondefender:${IMAGE_TAG}"}
+MANAGER_IMG=${MANAGER_IMG:-"${IMAGE_PREFIX}controller:${IMAGE_TAG}"}
+
+cd ${REPO_ROOT}
+cat config/installbundle/components/recorder/recorder_image_patch_template.yaml | \
+  sed -e "s@IMAGE_URL@${RECORDER_IMG}@g" > config/installbundle/components/recorder/recorder_image_patch.yaml
+cat config/installbundle/components/webhook/webhook_image_patch_template.yaml | \
+  sed -e "s@IMAGE_URL@${WEBHOOK_IMG}@g" > config/installbundle/components/webhook/webhook_image_patch.yaml
+cat config/installbundle/components/unmanageddetector/unmanageddetector_image_patch_template.yaml | \
+  sed -e "s@IMAGE_URL@${UNMANAGEDDETECTOR_IMG}@g" > config/installbundle/components/unmanageddetector/unmanageddetector_image_patch.yaml
+cat config/installbundle/components/deletiondefender/deletiondefender_image_patch_template.yaml | \
+  sed -e "s@IMAGE_URL@${DELETIONDEFENDER_IMG}@g" > config/installbundle/components/deletiondefender/deletiondefender_image_patch.yaml
+cat config/installbundle/components/manager/base/manager_image_patch_template.yaml | \
+  sed -e "s@IMAGE_URL@${MANAGER_IMG}@g" > config/installbundle/components/manager/base/manager_image_patch.yaml
+
+
 # Combine CRDs into one file and add a license header
+rm -f kustomization.yaml
 kustomize create
 kustomize edit add resource config/crds/resources/*.yaml
 $LICENSING_SCRIPT <(kustomize build .) > $CRDS_FILE
@@ -96,3 +120,6 @@ sed -i "s/0.0.0-dev/${VERSION}/g" ${AUTOPILOT_NAMESPACED_BUNDLE_DIR}/*
 cp -r config/samples/ ${BUNDLE_DIR}/
 
 tar -czvf ${DIST}/release-bundle.tar.gz -C ${BUNDLE_DIR}/ .
+
+# Remove the temporary kustomization.yaml file we wrote
+rm -f ${REPO_ROOT}/kustomization.yaml

dev/tasks/propose-tag

@@ -0,0 +1,107 @@
+#!/usr/bin/env bash
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Update the manifests etc in the repository to reflect a new tagged release.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+REPO_ROOT="$(git rev-parse --show-toplevel)"
+cd ${REPO_ROOT}
+
+BUILD_DIR="${REPO_ROOT}/.build"
+mkdir -p "${BUILD_DIR}"
+
+WORKDIR="${BUILD_DIR}/workdir"
+rm -rf "${WORKDIR}"
+mkdir -p "${WORKDIR}"
+
+
+BIN_DIR="${BUILD_DIR}/bin"
+mkdir -p "${BIN_DIR}"
+
+GOBIN=${BIN_DIR}/ go install sigs.k8s.io/kustomize/kustomize/[email protected]
+export PATH=${BIN_DIR}/:$PATH
+
+if [[ -z "${VERSION:-}" ]]; then
+  echo "VERSION must be set"
+  exit 1
+fi
+
+# Update our version marker file (used for user agent etc)
+cat <<EOF > version/VERSION
+${VERSION}
+EOF
+
+# Update the version label in our kustomization files
+sed -i -e "[email protected]/operator-version:.*@cnrm.cloud.google.com/operator-version: \"${VERSION}\"@g" \
+  operator/config/autopilot/kustomization.yaml \
+  operator/config/default/kustomization.yaml \
+  config/installbundle/release-manifests/standard/kustomization.yaml \
+  config/installbundle/release-manifests/autopilot/kustomization.yaml
+
+# Update the default version in the "default" operator channel
+cat <<EOF > operator/channels/stable
+manifests:
+ - version: ${VERSION}
+EOF
+
+# Update the default version in the "autopilot" operator channel
+cat <<EOF > operator/autopilot-channels/stable
+manifests:
+ - version: ${VERSION}
+EOF
+
+
+# Build the release bundle
+VERSION=${VERSION} dev/tasks/build-release-bundle
+cp dist/release-bundle.tar.gz ${WORKDIR}/
+cd ${WORKDIR}
+tar xzf release-bundle.tar.gz
+
+
+# Update the operator manifests in the channels / autopilot-channels directory
+
+for channeldir in channels autopilot-channels; do
+  mkdir -p ${REPO_ROOT}/operator/config/${channeldir}/release-bundle
+  cd ${REPO_ROOT}/operator/config/${channeldir}/release-bundle
+  tar xzf ${WORKDIR}/release-bundle.tar.gz
+
+  cd ${REPO_ROOT}/operator/config/${channeldir}
+
+  mkdir -p ${REPO_ROOT}/operator/${channeldir}/packages/configconnector/${VERSION}/cluster/gcp-identity
+  kustomize build --load-restrictor=LoadRestrictionsNone cluster-gcp-identity > ${REPO_ROOT}/operator/${channeldir}/packages/configconnector/${VERSION}/cluster/gcp-identity/0-cnrm-system.yaml
+
+  mkdir -p ${REPO_ROOT}/operator/${channeldir}/packages/configconnector/${VERSION}/cluster/workload-identity
+  kustomize build --load-restrictor=LoadRestrictionsNone cluster-workload-identity > ${REPO_ROOT}/operator/${channeldir}/packages/configconnector/${VERSION}/cluster/workload-identity/0-cnrm-system.yaml
+
+  mkdir -p ${REPO_ROOT}/operator/${channeldir}/packages/configconnector/${VERSION}/namespaced
+  kustomize build --load-restrictor=LoadRestrictionsNone namespaced-main > ${REPO_ROOT}/operator/${channeldir}/packages/configconnector/${VERSION}/namespaced/0-cnrm-system.yaml
+  kustomize build --load-restrictor=LoadRestrictionsNone namespaced-per-namespace-components > ${REPO_ROOT}/operator/${channeldir}/packages/configconnector/${VERSION}/namespaced/per-namespace-components.yaml
+
+  kustomize build --load-restrictor=LoadRestrictionsNone  crds > ${REPO_ROOT}/operator/${channeldir}/packages/configconnector/${VERSION}/crds.yaml
+
+  rm -rf ${REPO_ROOT}/operator/config/${channeldir}/release-bundle
+done
+
+# Swap container registry
+# TODO: This is only needed for release bundles that we didn't build with our scripts here (i.e. only needed for release bundles built with the legacy process)
+for channeldir in channels autopilot-channels; do
+  find ${REPO_ROOT}/operator/${channeldir}/packages -type f -name "*.yaml" | xargs sed -i -e "[email protected]/cnrm-eap/@gcr.io/gke-release/cnrm/@g"
+done
+
+# Generate operator/config/gke-addon/image_configmap.yaml
+make -C ${REPO_ROOT}/operator manifests

operator/config/autopilot-channels/cluster-gcp-identity/kustomization.yaml

@@ -0,0 +1,25 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resources:
+- ../release-bundle/install-bundle-autopilot-gcp-identity/0-cnrm-system.yaml
+
+patchesJson6902:
+- target:
+    group: apps
+    version: v1
+    kind: Deployment
+    name: cnrm-resource-stats-recorder
+    namespace: cnrm-system
+  path: recorder_remove_hostport_patch.yaml

operator/config/autopilot-channels/cluster-gcp-identity/recorder_remove_hostport_patch.yaml

@@ -0,0 +1,16 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- op: remove
+  path: /spec/template/spec/containers/0/ports/0/hostPort

operator/config/autopilot-channels/cluster-workload-identity/kustomization.yaml

@@ -0,0 +1,25 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resources:
+- ../release-bundle/install-bundle-autopilot-workload-identity/0-cnrm-system.yaml
+
+patchesJson6902:
+- target:
+    group: apps
+    version: v1
+    kind: Deployment
+    name: cnrm-resource-stats-recorder
+    namespace: cnrm-system
+  path: recorder_remove_hostport_patch.yaml

operator/config/autopilot-channels/cluster-workload-identity/recorder_remove_hostport_patch.yaml

@@ -0,0 +1,16 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- op: remove
+  path: /spec/template/spec/containers/0/ports/0/hostPort

operator/config/autopilot-channels/crds/kustomization.yaml

@@ -0,0 +1,16 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resources:
+- ../release-bundle/install-bundle-namespaced/crds.yaml

operator/config/autopilot-channels/namespaced-main/kustomization.yaml

@@ -0,0 +1,25 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resources:
+- ../release-bundle/install-bundle-autopilot-namespaced/0-cnrm-system.yaml
+
+patchesJson6902:
+- target:
+    group: apps
+    version: v1
+    kind: Deployment
+    name: cnrm-resource-stats-recorder
+    namespace: cnrm-system
+  path: recorder_remove_hostport_patch.yaml

operator/config/autopilot-channels/namespaced-main/recorder_remove_hostport_patch.yaml

@@ -0,0 +1,16 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- op: remove
+  path: /spec/template/spec/containers/0/ports/0/hostPort

operator/config/autopilot-channels/namespaced-per-namespace-components/finalizer_patch.yaml

@@ -0,0 +1,21 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# When a KCC managed namespace is deleted the RoleBindings in the namespace are deleted. As a result the KCC controllers
+# are unable to clean up the KCC resources in the namespace. This finalizer prevents the RoleBinding deletion from
+# occurring. The operator can then wait for the KCC controllers to delete all resources before removing this finalizer.
+- op: add
+  path: /metadata/finalizers
+  value:
+  - configconnector.cnrm.cloud.google.com/finalizer

operator/config/autopilot-channels/namespaced-per-namespace-components/kustomization.yaml

@@ -0,0 +1,35 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../release-bundle/install-bundle-autopilot-namespaced/per-namespace-components.yaml
+
+patchesJson6902:
+- target:
+    group: rbac.authorization.k8s.io
+    version: v1
+    kind: RoleBinding
+    namespace: \$\{NAMESPACE\?\}
+    name: cnrm-admin-binding-\$\{NAMESPACE\?\}
+  path: finalizer_patch.yaml
+- target:
+    group: rbac.authorization.k8s.io
+    version: v1
+    kind: RoleBinding
+    namespace: \$\{NAMESPACE\?\}
+    name: cnrm-manager-ns-binding-\$\{NAMESPACE\?\}
+  path: finalizer_patch.yaml

operator/config/channels/cluster-gcp-identity/kustomization.yaml

@@ -0,0 +1,16 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resources:
+- ../release-bundle/install-bundle-gcp-identity/0-cnrm-system.yaml