From a56e2ecc5e6ec4a3b5e6ac832e83607ccf482bf2 Mon Sep 17 00:00:00 2001
From: Hasan Turken
Date: Fri, 3 Nov 2023 09:08:04 +0300
Subject: [PATCH] Apply upbound patches

Signed-off-by: Hasan Turken
---
 .github/workflows/ci.yml | 24 +---
 .github/workflows/commands.yml | 21 ---
 .github/workflows/promote.yml | 10 +-
 CODEOWNERS | 64 --------
 Makefile | 16 +--
 README.md | 131 ++----------------
 cluster/charts/crossplane/values.yaml | 2 +-
 cluster/local/kind.sh | 2 +-
 cmd/crossplane/core/core.go | 12 ++
 go.mod | 2 +-
 .../controller/pkg/revision/reconciler.go | 4 +
 internal/controller/pkg/revision/runtime.go | 13 ++
 .../revision/uxp_runtime_override_options.go | 32 +++++
 .../pkg/revision/uxp_runtime_test.go | 70 ++++++++++
 internal/features/uxp_features.go | 10 ++
 15 files changed, 163 insertions(+), 250 deletions(-)
 delete mode 100644 CODEOWNERS
 create mode 100644 internal/controller/pkg/revision/uxp_runtime_override_options.go
 create mode 100644 internal/controller/pkg/revision/uxp_runtime_test.go
 create mode 100644 internal/features/uxp_features.go

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d7e9aa86d..abeabfe3d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,11 +14,10 @@ env:
 GOLANGCI_VERSION: 'v1.54.2'
 DOCKER_BUILDX_VERSION: 'v0.10.0'
 
- # Common users. We can't run a step 'if secrets.AWS_USR != ""' but we can run
- # a step 'if env.AWS_USR' != ""', so we copy these to succinctly test whether
+ # Common users. We can't run a step 'if secrets.DOCKER_USR != ""' but we can run
+ # a step 'if env.DOCKER_USR' != ""', so we copy these to succinctly test whether
 # credentials have been provided before trying to run steps that need them.
 DOCKER_USR: ${{ secrets.DOCKER_USR }}
- AWS_USR: ${{ secrets.AWS_USR }}
 UPBOUND_MARKETPLACE_PUSH_ROBOT_USR: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }}
 
 jobs:
@@ -402,26 +401,15 @@ jobs:
 username: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }}
 password: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_PSW }}
 
- - name: Publish Artifacts to S3, Marketplace, DockerHub
+ - name: Publish Artifacts to Marketplace, DockerHub
 run: make -j2 publish BRANCH_NAME=${GITHUB_REF##*/}
- if: env.AWS_USR != '' && env.DOCKER_USR != '' && env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != ''
- env:
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_USR }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_PSW }}
- AWS_DEFAULT_REGION: us-east-1
- GIT_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- DOCS_GIT_USR: ${{ secrets.UPBOUND_BOT_GITHUB_USR }}
- DOCS_GIT_PSW: ${{ secrets.UPBOUND_BOT_GITHUB_PSW }}
-
- - name: Promote Artifacts in S3, DockerHub
- if: github.ref == 'refs/heads/master' && env.AWS_USR != '' && env.DOCKER_USR != '' && env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != ''
+
+ - name: Promote Artifacts in DockerHub
+ if: github.ref == 'refs/heads/master' && env.DOCKER_USR != ''
 run: make -j2 promote
 env:
 BRANCH_NAME: master
 CHANNEL: master
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_USR }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_PSW }}
- AWS_DEFAULT_REGION: us-east-1
 
 fuzz-test:
 runs-on: ubuntu-22.04
diff --git a/.github/workflows/commands.yml b/.github/workflows/commands.yml
index 94503b7f3..9f3feae53 100644
--- a/.github/workflows/commands.yml
+++ b/.github/workflows/commands.yml
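Review bot: The "Publish Artifacts to Marketplace, DockerHub" step loses its `if:` guard entirely: the removed `if: env.AWS_USR != '' && env.DOCKER_USR != '' && env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != ''` line has no replacement, so `make -j2 publish` now runs whenever the job runs, including on forks or branches where the push credentials are unset, unless the job itself is gated above the hunk. Restore the guard without the AWS part: `if: env.DOCKER_USR != '' && env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != ''`. The new "Promote Artifacts in DockerHub" step checks only `env.DOCKER_USR`, whereas the equivalent step in promote.yml in this same patch still checks the marketplace robot user as well and the Makefile's REGISTRY_ORGS now lists xpkg.upbound.io/upbound; if `make promote` pushes there too, the same two-credential condition belongs on this step.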
@@ -31,24 +31,3 @@ jobs:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 github_workspace: ${{ github.workspace }}
 version: v0.0.4
-
- fresh:
- runs-on: ubuntu-22.04
- if: startsWith(github.event.comment.body, '/fresh')
-
- steps:
- - name: Extract Command
- id: command
- uses: xt0rted/slash-command-action@bf51f8f5f4ea3d58abc7eca58f77104182b23e88 # v2
- with:
- repo-token: ${{ secrets.GITHUB_TOKEN }}
- command: fresh
- reaction: "true"
- reaction-type: "eyes"
- allow-edits: "false"
- permission-level: read
- - name: Handle Command
- uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
- labels: stale
diff --git a/.github/workflows/promote.yml b/.github/workflows/promote.yml
index 1faad002c..1d6938a11 100644
--- a/.github/workflows/promote.yml
+++ b/.github/workflows/promote.yml
@@ -27,8 +27,6 @@ env:
 # a step 'if env.AWS_USR' != ""', so we copy these to succinctly test whether
 # credentials have been provided before trying to run steps that need them.
 DOCKER_USR: ${{ secrets.DOCKER_USR }}
- AWS_USR: ${{ secrets.AWS_USR }}
- UPBOUND_MARKETPLACE_PUSH_ROBOT_USR: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }}
 
 jobs:
 promote-artifacts:
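Review bot: The promote.yml `env:` hunk removes `UPBOUND_MARKETPLACE_PUSH_ROBOT_USR` from the workflow-level env, but the next hunk of the same file adds `if: env.DOCKER_USR != '' && env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != ''` on the promote step; with the env entry gone that expression always evaluates empty and the step is silently skipped, unless the variable is redefined at job or step level outside the hunks. Either keep `UPBOUND_MARKETPLACE_PUSH_ROBOT_USR: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }}` in `env:` (only the AWS entry needs to go) or drop it from the condition. The kept comment above the deletions still reads `# a step 'if env.AWS_USR' != ""', so we copy these to succinctly test whether` (its first line is above the hunk) although AWS_USR no longer exists; the ci.yml hunk of this patch rewrote the same comment to say DOCKER_USR, and this copy should match.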
@@ -63,13 +61,9 @@ jobs:
 username: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }}
 password: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_PSW }}
 
- - name: Promote Artifacts in S3, DockerHub, and Upbound Registry
- if: env.AWS_USR != '' && env.DOCKER_USR != '' && env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != ''
+ - name: Promote Artifacts in DockerHub and Upbound Registry
+ if: env.DOCKER_USR != '' && env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != ''
 run: make -j2 promote BRANCH_NAME=${GITHUB_REF##*/}
 env:
 VERSION: ${{ github.event.inputs.version }}
 CHANNEL: ${{ github.event.inputs.channel }}
- PRE_RELEASE: ${{ github.event.inputs.pre-release }}
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_USR }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_PSW }}
- AWS_DEFAULT_REGION: us-east-1
diff --git a/CODEOWNERS b/CODEOWNERS
deleted file mode 100644
index d9993d379..000000000
--- a/CODEOWNERS
+++ /dev/null
@@ -1,64 +0,0 @@
-# This file controls automatic PR reviewer assignment. See the following docs:
-#
-# * https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
-# * https://docs.github.com/en/organizations/organizing-members-into-teams/managing-code-review-settings-for-your-team
-#
-# The goal of this file is for most PRs to automatically and fairly have 1 to 2
-# maintainers set as PR reviewers. All maintainers have permission to approve
-# and merge PRs. PRs only need
-#
-# Most lines in this file will assign one subject matter expert and one random
-# maintainer. PRs only need to be approved by one of these people to be merged.
-#
-# This in part depends on how the groups in this file are configured.
-#
-# @crossplane/steering-committee - Assigns 3 members. Admin perms to this repo.
-# @crossplane/crossplane-maintainers - Assigns 1 member. Maintain perms to this repo.
-#
-# Where possible, prefer explicitly specifying a maintainer who is a subject
-# matter expert for a particular part of the codebase rather than using the
-# @crossplane/crossplane-maintainers group.
-#
-# See also OWNERS.md for governance details
-
-# Fallback owners
-* @crossplane/crossplane-maintainers
-
-# Governance owners - steering committee
-/README.md @crossplane/steering-committee
-/OWNERS.md @crossplane/steering-committee
-/CHARTER.md @crossplane/steering-committee
-/CODE_OF_CONDUCT.md @crossplane/steering-committee
-/GOVERNANCE.md @crossplane/steering-committee
-/ROADMAP.md @crossplane/steering-committee
-/LICENSE @crossplane/steering-committee
-
-# Design documents
-/design/ @crossplane/crossplane-maintainers @negz
-
-# Contributing documentation
-/contributing/ @crossplane/crossplane-maintainers @negz
-
-# Package manager
-/apis/pkg/ @crossplane/crossplane-maintainers @turkenh
-/internal/xpkg/ @crossplane/crossplane-maintainers @turkenh
-/internal/dag/ @crossplane/crossplane-maintainers @turkenh
-/internal/controller/pkg/ @crossplane/crossplane-maintainers @turkenh
-
-# Composition
-/apis/apiextensions/ @crossplane/crossplane-maintainers @negz
-/internal/controller/apiextensions/ @crossplane/crossplane-maintainers @negz
-/internal/xcrd/ @crossplane/crossplane-maintainers @negz
-/internal/xfn/ @crossplane/crossplane-maintainers @negz
-/internal/validation/ @crossplane/crossplane-maintainers @phisco
-
-# RBAC Manager
-/cmd/crossplane/rbac/ @crossplane/crossplane-maintainers @negz
-/internal/controller/rbac/ @crossplane/crossplane-maintainers @negz
-
-# Crossplane CLI
-/cmd/crank/ @crossplane/crossplane-maintainers @phisco
-
-# Misc
-/apis/secrets/ @crossplane/crossplane-maintainers @turkenh
-/internal/features/ @crossplane/crossplane-maintainers @negz
diff --git a/Makefile b/Makefile
index 820e7db31..e20f56c29 100644
--- a/Makefile
+++ b/Makefile
@@ -14,7 +14,6 @@ PLATFORMS ?= linux_amd64 linux_arm64 linux_arm linux_ppc64le darwin_amd64 darwin # ==================================================================================== # Setup Output -S3_BUCKET ?= crossplane.releases -include build/makelib/output.mk # ==================================================================================== @@ -31,7 +30,7 @@ GO_TEST_PARALLEL := $(shell echo $$(( $(NPROCS) / 2 ))) GO_STATIC_PACKAGES = $(GO_PROJECT)/cmd/crossplane $(GO_PROJECT)/cmd/crank GO_TEST_PACKAGES = $(GO_PROJECT)/test/e2e -GO_LDFLAGS += -X $(GO_PROJECT)/internal/version.version=$(VERSION) +GO_LDFLAGS += -X $(GO_PROJECT)/internal/version.version=$(shell echo $(VERSION) | sed 's/[\.,-]up.*//' ) GO_SUBDIRS += cmd internal apis GO111MODULE = on GOLANGCILINT_VERSION = 1.54.2 @@ -47,23 +46,12 @@ HELM3_VERSION = v3.13.1 KIND_VERSION = v0.20.0 -include build/makelib/k8s_tools.mk -# ==================================================================================== -# Setup Helm - -HELM_BASE_URL = https://charts.crossplane.io -HELM_S3_BUCKET = crossplane.charts -HELM_CHARTS = crossplane -HELM_CHART_LINT_ARGS_crossplane = --set nameOverride='',imagePullSecrets='' -HELM_DOCS_ENABLED = true -HELM_VALUES_TEMPLATE_SKIPPED = true --include build/makelib/helm.mk - # ==================================================================================== # Setup Images # Due to the way that the shared build logic works, images should # all be in folders at the same level (no additional levels of nesting). -REGISTRY_ORGS ?= docker.io/crossplane xpkg.upbound.io/crossplane +REGISTRY_ORGS ?= docker.io/upbound xpkg.upbound.io/upbound IMAGES = crossplane -include build/makelib/imagelight.mk diff --git a/README.md b/README.md index a14e1c7f9..65569366b 100644 --- a/README.md +++ b/README.md 
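Review bot: In the new `GO_LDFLAGS` line the bracket expression `[\.,-]` does not do what it looks like: inside a POSIX bracket expression a backslash is an ordinary character, so the class also matches a literal backslash, and `[.,-]` expresses the intent. The trailing `up.*` is unanchored as well, so any later `up` preceded by one of those characters truncates the whole remainder of the version; if the Upbound suffix is always of the form `-up.N`, `sed 's/[.,-]up[.0-9]*$//'` limits the strip to exactly that suffix. Since the stripped value becomes the version the binary reports, a one-line comment above the assignment stating that the embedded version deliberately omits the Upbound suffix would save the next reader from treating it as a bug.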
@@ -1,127 +1,14 @@ -![CI](https://github.com/crossplane/crossplane/workflows/CI/badge.svg) [![GitHub release](https://img.shields.io/github/release/crossplane/crossplane/all.svg)](https://github.com/crossplane/crossplane/releases) [![Docker Pulls](https://img.shields.io/docker/pulls/crossplane/crossplane.svg)](https://hub.docker.com/r/crossplane/crossplane) [![Go Report Card](https://goreportcard.com/badge/github.com/crossplane/crossplane)](https://goreportcard.com/report/github.com/crossplane/crossplane) [![Slack](https://img.shields.io/badge/slack-crossplane-red?logo=slack)](https://slack.crossplane.io) [![Twitter Follow](https://img.shields.io/twitter/follow/crossplane_io?logo=X&label=Follow&style=flat)](https://twitter.com/intent/follow?screen_name=crossplane_io&user_id=788180534543339520) +# Upbound Crossplane -![Crossplane](banner.png) +This is the [Upbound] maintained version of [Crossplane] which is bundled and +shipped as part of the [Universal Crossplane]. - -Crossplane is a framework for building cloud native control planes without -needing to write code. It has a highly extensible backend that enables you to -build a control plane that can orchestrate applications and infrastructure no -matter where they run, and a highly configurable frontend that puts you in -control of the schema of the declarative API it offers. - -Crossplane is a [Cloud Native Computing Foundation][cncf] project. - -## Get Started - -Crossplane's [Get Started Docs] cover install and cloud provider quickstarts. - -## Releases - -Currently maintained releases, as well as the next few upcoming releases are -listed below. For more information take a look at the Crossplane [release cycle -documentation]. 
- -| Release | Release Date | EOL | -|:-------:|:------------:|:--------:| -| v1.11 | Jan 31, 2023 | Oct 2023 | -| v1.12 | Apr 25, 2023 | Jan 2024 | -| v1.13 | Jul 27, 2023 | Apr 2024 | -| v1.14 | Late Oct '23 | Jul 2024 | -| v1.15 | Late Jan '24 | Oct 2024 | -| v1.16 | Late Apr '24 | Jan 2025 | - -You can subscribe to the [community calendar] to track all release dates, and -find the most recent releases on the [releases] page. - -## Roadmap - -The public roadmap for Crossplane is published as a GitHub project board. Issues -added to the roadmap have been triaged and identified as valuable to the -community, and therefore a priority for the project that we expect to invest in. - -Milestones assigned to any issues in the roadmap are intended to give a sense of -overall priority and the expected order of delivery. They should be considered -approximate estimations and are **not** a strict commitment to a specific -delivery timeline. - -[Crossplane Roadmap] - -## Get Involved - -Crossplane is a community driven project; we welcome your contribution. To file -a bug, suggest an improvement, or request a new feature please open an [issue -against Crossplane] or the relevant provider. Refer to our [contributing guide] -for more information on how you can help. - -* Discuss Crossplane on [Slack] or our [developer mailing list]. -* Follow us on [Twitter], or contact us via [Email]. -* Join our regular community meetings. -* Provide feedback on our [roadmap and releases board]. - -The Crossplane community meeting takes place every other [Thursday at 10:00am -Pacific Time][community meeting time]. Anyone who wants to discuss the direction -of the project, design and implementation reviews, or raise general questions -with the broader community is encouraged to join. 
- -* Meeting link: -* [Current agenda and past meeting notes] -* [Past meeting recordings] -* [Community Calendar][community calendar] - -### Special Interest Groups (SIG) -Each SIG collaborates in Slack and some groups have regular meetings, you can -find the meetings in the [Community Calendar][community calendar]. -- [#sig-composition-environments][sig-composition-environments-slack] -- [#sig-composition-functions][sig-composition-functions-slack] -- [#sig-deletion-ordering][sig-deletion-ordering-slack] -- [#sig-devex][sig-devex-slack] -- [#sig-e2e-testing][sig-e2e-testing-slack] -- [#sig-observability][sig-observability-slack] -- [#sig-observe-only][sig-observe-only-slack] -- [#sig-provider-families][sig-provider-families-slack] -- [#sig-secret-stores][sig-secret-stores-slack] -- [#sig-upjet-provider-efficiency][sig-upjet-provider-efficiency-slack] - -## Adopters - -A list of publicly known users of the Crossplane project can be found in [ADOPTERS.md]. We -encourage all users of Crossplane to add themselves to this list - we want to see the community's -growing success! - -## License - -Crossplane is under the Apache 2.0 license. - -[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fcrossplane%2Fcrossplane.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Fcrossplane%2Fcrossplane?ref=badge_large) +Please check the [Universal Crossplane Github Repo] and [documentation] for further +details. 
- +[Upbound]: https://www.upbound.io [Crossplane]: https://crossplane.io -[release cycle documentation]: https://docs.crossplane.io/knowledge-base/guides/release-cycle -[install]: https://crossplane.io/docs/latest -[Slack]: https://slack.crossplane.io -[developer mailing list]: https://groups.google.com/forum/#!forum/crossplane-dev -[Twitter]: https://twitter.com/crossplane_io -[Email]: mailto:info@crossplane.io -[issue against Crossplane]: https://github.com/crossplane/crossplane/issues -[contributing guide]: contributing/README.md -[community meeting time]: https://www.thetimezoneconverter.com/?t=10:00&tz=PT%20%28Pacific%20Time%29 -[Current agenda and past meeting notes]: https://docs.google.com/document/d/1q_sp2jLQsDEOX7Yug6TPOv7Fwrys6EwcF5Itxjkno7Y/edit?usp=sharing -[Past meeting recordings]: https://www.youtube.com/playlist?list=PL510POnNVaaYYYDSICFSNWFqNbx1EMr-M -[roadmap and releases board]: https://github.com/orgs/crossplane/projects/20/views/3?pane=info -[cncf]: https://www.cncf.io/ -[Get Started Docs]: https://docs.crossplane.io/latest/getting-started/ -[community calendar]: https://calendar.google.com/calendar/embed?src=c_2cdn0hs9e2m05rrv1233cjoj1k%40group.calendar.google.com -[releases]: https://github.com/crossplane/crossplane/releases -[ADOPTERS.md]: ADOPTERS.md -[Crossplane Roadmap]: https://github.com/orgs/crossplane/projects/20/views/3?pane=info -[sig-composition-environments-slack]: https://crossplane.slack.com/archives/C05BP6QFLUW -[sig-composition-functions-slack]: https://crossplane.slack.com/archives/C031Y29CSAE -[sig-deletion-ordering-slack]: https://crossplane.slack.com/archives/C05BP8W5ALW -[sig-devex-slack]: https://crossplane.slack.com/archives/C05U1LLM3B2 -[sig-e2e-testing-slack]: https://crossplane.slack.com/archives/C05C8CCTVNV -[sig-observability-slack]: https://crossplane.slack.com/archives/C061GNH3LA0 -[sig-observe-only-slack]: https://crossplane.slack.com/archives/C04D5988QEA -[sig-provider-families-slack]: 
https://crossplane.slack.com/archives/C056YAQRV16 -[sig-secret-stores-slack]: https://crossplane.slack.com/archives/C05BY7DKFV2 -[sig-upjet-provider-efficiency-slack]: https://crossplane.slack.com/archives/C04QLETDJGN +[Universal Crossplane]: https://www.upbound.io/uxp +[Universal Crossplane Github Repo]: https://github.com/upbound/universal-crossplane +[documentation]: https://cloud.upbound.io/docs/uxp
diff --git a/cluster/charts/crossplane/values.yaml b/cluster/charts/crossplane/values.yaml
index 1f2a758bb..693b3b13c 100755
--- a/cluster/charts/crossplane/values.yaml
+++ b/cluster/charts/crossplane/values.yaml
@@ -9,7 +9,7 @@ deploymentStrategy: RollingUpdate
 
 image:
 # -- Repository for the Crossplane pod image.
- repository: xpkg.upbound.io/crossplane/crossplane
+ repository: xpkg.upbound.io/upbound/crossplane
 # -- The Crossplane image tag. Defaults to the value of `appVersion` in `Chart.yaml`.
 tag: ""
 # -- The image pull policy used for Crossplane and RBAC Manager pods.
diff --git a/cluster/local/kind.sh b/cluster/local/kind.sh
index 37721f26d..1ab270076 100755
--- a/cluster/local/kind.sh
+++ b/cluster/local/kind.sh
@@ -43,7 +43,7 @@ function check_context() {
 
 # configure kind
 KIND_NAME=${KIND_NAME:-"kind"}
-IMAGE_REPOSITORY="xpkg.upbound.io/${PROJECT_NAME}/${PROJECT_NAME}"
+IMAGE_REPOSITORY="xpkg.upbound.io/upbound/${PROJECT_NAME}"
 case "${1:-}" in
 up)
 ${KIND} create cluster --name "${KIND_NAME}" --image "${KUBE_IMAGE}" --wait 5m
diff --git a/cmd/crossplane/core/core.go b/cmd/crossplane/core/core.go
index dbeea29c2..8bd9ddd5e 100644
--- a/cmd/crossplane/core/core.go
+++ b/cmd/crossplane/core/core.go
@@ -112,6 +112,13 @@ type startCommand struct {
 EnableExternalSecretStores bool `group:"Alpha Features:" help:"Enable support for External Secret Stores."`
 EnableUsages bool `group:"Alpha Features:" help:"Enable support for deletion ordering and resource protection with Usages."`
 EnableRealtimeCompositions bool `group:"Alpha Features:" help:"Enable support for realtime compositions, i.e. watching composed resources and reconciling compositions immediately when any of the composed resources is updated."`
+ // NOTE(hasheddan): this feature is unlikely to graduate from alpha status
+ // and should be removed when a runtime interface is introduced upstream.
+ // See https://github.com/crossplane/crossplane/issues/2671 for more
+ // information.
+ // TODO(turkenh): Consider removing this feature flag in favor of providing
+ // a default DeploymentRuntimeConfig.
+ EnableProviderIdentity bool `group:"Alpha Features:" help:"Enable support for Provider identity."`
 
 EnableCompositionFunctions bool `group:"Beta Features:" default:"true" help:"Enable support for Composition Functions."`
 EnableCompositionWebhookSchemaValidation bool `group:"Beta Features:" default:"true" help:"Enable support for Composition validation using schemas."`
@@ -218,6 +225,11 @@ func (c *startCommand) Run(s *runtime.Scheme, log logging.Logger) error { //noli
 Features: &feature.Flags{},
 }
 
+ if c.EnableProviderIdentity {
+ o.Features.Enable(features.EnableProviderIdentity)
+ log.Info("Alpha feature enabled", "flag", features.EnableProviderIdentity)
+ }
+
 if !c.EnableCompositionRevisions {
 log.Info("CompositionRevisions feature is GA and cannot be disabled. The --enable-composition-revisions flag will be removed in a future release.")
 }
diff --git a/go.mod b/go.mod
index 52aafea84..9ad8c6fbb 100644
--- a/go.mod
+++ b/go.mod
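Review bot: The help text on the new `EnableProviderIdentity` flag says only "Enable support for Provider identity." and gives an operator no way to tell what the flag does or where it works; the rest of this patch shows it mounts a `proidc.csi.upbound.io` CSI volume into provider deployments, which presumably only functions where that driver is installed, and the new features file already states the feature is Upbound-only. Suggest `help:"Enable support for Provider identity. Requires the Upbound provider identity CSI driver (proidc.csi.upbound.io); only available when running on Upbound."`. The NOTE/TODO comments above the field explain the flag's lifecycle well but not its effect, so the help string is the right place for that. Both the startCommand struct and Run continue outside the hunks.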
@@ -108,7 +108,7 @@ require (
 github.com/aws/aws-sdk-go-v2/service/sso v1.12.10 // indirect
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.10 // indirect
 github.com/aws/aws-sdk-go-v2/service/sts v1.19.0 // indirect
- github.com/aws/smithy-go v1.13.5 // indirect
+ github.com/aws/smithy-go v1.13.5
 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20230510185313-f5e39e5f34c7 // indirect
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/bufbuild/protocompile v0.6.0 // indirect
diff --git a/internal/controller/pkg/revision/reconciler.go b/internal/controller/pkg/revision/reconciler.go
index 492fd9cab..3230519a9 100644
--- a/internal/controller/pkg/revision/reconciler.go
+++ b/internal/controller/pkg/revision/reconciler.go
@@ -907,6 +907,10 @@ func (r *Reconciler) runtimeManifestBuilderOptions(ctx context.Context, pwr v1.P
 opts = append(opts, RuntimeManifestBuilderWithRuntimeConfig(rc))
 }
 
+ if r.features.Enabled(features.EnableProviderIdentity) {
+ opts = append(opts, RuntimeManifestBuilderWithProviderIdentity())
+ }
+
 // Note(turkenh): Until we completely remove the old controller config
 // reference, we support both the old and the new way with DeploymentRuntimeConfig.
 // If both are specified, we will start with DeploymentRuntimeConfig as the
diff --git a/internal/controller/pkg/revision/runtime.go b/internal/controller/pkg/revision/runtime.go
index ef123430d..67e272252 100644
--- a/internal/controller/pkg/revision/runtime.go
+++ b/internal/controller/pkg/revision/runtime.go
@@ -100,6 +100,7 @@ type RuntimeManifestBuilder struct {
 serviceAccountPullSecrets []corev1.LocalObjectReference
 runtimeConfig *v1beta1.DeploymentRuntimeConfig
 controllerConfig *v1alpha1.ControllerConfig
+ providerIdentity bool
 }
 
 // RuntimeManifestBuilderOption is used to configure a RuntimeManifestBuilder.
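Review bot: The guard added in runtimeManifestBuilderOptions keys only on the feature flag, so once the flag is on the identity option is attached to every revision this function builds manifests for; if function revisions also pass through here, as the `pwr v1.PackageRevisionWithRuntime` parameter suggests, their pods would get the proidc CSI volume as well, even though the flag, the help text and the new test all describe provider identity. If that is not intended, check the revision kind before appending, e.g. `if _, ok := pwr.(*v1.ProviderRevision); ok && r.features.Enabled(features.EnableProviderIdentity) {`. The `if b.providerIdentity` branch added to Deployment in the third runtime.go hunk applies the override just as unconditionally, so whichever layer is chosen to scope it, a comment there should state which revision kinds receive the mount. runtimeManifestBuilderOptions starts and ends outside the hunk.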
@@ -129,6 +130,14 @@ func RuntimeManifestBuilderWithServiceAccountPullSecrets(secrets []corev1.LocalO
 }
 }
 
+// RuntimeManifestBuilderWithProviderIdentity sets the provider identity flag
+// to use when building the runtime manifests.
+func RuntimeManifestBuilderWithProviderIdentity() RuntimeManifestBuilderOption {
+ return func(b *RuntimeManifestBuilder) {
+ b.providerIdentity = true
+ }
+}
+
 // NewRuntimeManifestBuilder returns a new RuntimeManifestBuilder.
 func NewRuntimeManifestBuilder(pwr v1.PackageRevisionWithRuntime, namespace string, opts ...RuntimeManifestBuilderOption) *RuntimeManifestBuilder {
 b := &RuntimeManifestBuilder{
@@ -236,6 +245,10 @@ func (b *RuntimeManifestBuilder) Deployment(serviceAccount string, overrides ...
 allOverrides = append(allOverrides, DeploymentRuntimeWithTLSServerSecret(*b.revision.GetTLSServerSecretName()))
 }
 
+ if b.providerIdentity {
+ allOverrides = append(allOverrides, DeploymentWithUpboundProviderIdentity())
+ }
+
 // We append the overrides passed to the function last so that they can
 // override the above ones.
 allOverrides = append(allOverrides, overrides...)
diff --git a/internal/controller/pkg/revision/uxp_runtime_override_options.go b/internal/controller/pkg/revision/uxp_runtime_override_options.go
new file mode 100644
index 000000000..8b988f256
--- /dev/null
+++ b/internal/controller/pkg/revision/uxp_runtime_override_options.go
@@ -0,0 +1,32 @@
+package revision
+
+import (
+ "github.com/aws/smithy-go/ptr"
+ appsv1 "k8s.io/api/apps/v1"
+ corev1 "k8s.io/api/core/v1"
+)
+
+// DeploymentWithUpboundProviderIdentity mounts the Upbound Provider Identity
+// CSI driver as a volume to the runtime container of a Deployment.
+func DeploymentWithUpboundProviderIdentity() DeploymentOverride {
+ proidcVolumeName := "proidc"
+ proidcDriverName := "proidc.csi.upbound.io"
+ proidcMountPath := "/var/run/secrets/upbound.io/provider"
+
+ return func(d *appsv1.Deployment) {
+ d.Spec.Template.Spec.Volumes = append(d.Spec.Template.Spec.Volumes, corev1.Volume{
+ Name: proidcVolumeName,
+ VolumeSource: corev1.VolumeSource{
+ CSI: &corev1.CSIVolumeSource{
+ Driver: proidcDriverName,
+ ReadOnly: ptr.Bool(true),
+ },
+ },
+ })
+ d.Spec.Template.Spec.Containers[0].VolumeMounts = append(d.Spec.Template.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
+ Name: proidcVolumeName,
+ ReadOnly: true,
+ MountPath: proidcMountPath,
+ })
+ }
+}
diff --git a/internal/controller/pkg/revision/uxp_runtime_test.go b/internal/controller/pkg/revision/uxp_runtime_test.go
new file mode 100644
index 000000000..e6da7dad1
--- /dev/null
+++ b/internal/controller/pkg/revision/uxp_runtime_test.go
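Review bot: `d.Spec.Template.Spec.Containers[0]` is indexed without a length check, so an override applied to a deployment whose pod template has no containers yet panics inside the builder; if the other DeploymentOverride helpers rely on the builder always seeding the runtime container first, say so with `// The builder always creates the runtime container at index 0.`, otherwise guard with `if len(d.Spec.Template.Spec.Containers) == 0 { return }`. Importing `github.com/aws/smithy-go/ptr`, and promoting it to a direct dependency in go.mod, only to obtain a `*bool` widens the module's direct supply-chain surface for a one-line helper; a local `func(b bool) *bool` or a pointer helper the module already depends on avoids that. The three string locals describe an external contract (the CSI driver name and the path under which the provider presumably reads its identity credentials), so package-level constants with a doc comment would let the test and later readers refer to them by name instead of repeating literals.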
@@ -0,0 +1,70 @@
+/*
+Copyright 2023 The Crossplane Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package revision
+
+import (
+ "testing"
+
+ "github.com/google/go-cmp/cmp"
+ appsv1 "k8s.io/api/apps/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+ pkgmetav1 "github.com/crossplane/crossplane/apis/pkg/meta/v1"
+)
+
+func TestUXPRuntimeManifestBuilderDeployment(t *testing.T) {
+ type args struct {
+ builder ManifestBuilder
+ overrides []DeploymentOverride
+ serviceAccountName string
+ }
+ type want struct {
+ want *appsv1.Deployment
+ }
+ cases := map[string]struct {
+ reason string
+ args args
+ want want
+ }{
+ "ProviderDeploymentWithProviderIdentity": {
+ reason: "If provider identity is enabled, a proidc volume should be added.",
+ args: args{
+ builder: &RuntimeManifestBuilder{
+ revision: providerRevision,
+ namespace: namespace,
+ providerIdentity: true,
+ },
+ serviceAccountName: providerRevisionName,
+ overrides: providerDeploymentOverrides(&pkgmetav1.Provider{ObjectMeta: metav1.ObjectMeta{Name: providerMetaName}}, providerRevision),
+ },
+ want: want{
+ want: deploymentProvider(providerName, providerRevisionName, providerImage, DeploymentWithSelectors(map[string]string{
+ "pkg.crossplane.io/provider": providerMetaName,
+ "pkg.crossplane.io/revision": providerRevisionName,
+ }), DeploymentWithUpboundProviderIdentity()),
+ },
+ },
+ }
+ for name, tc := range cases {
+ t.Run(name, func(t *testing.T) {
+ got := tc.args.builder.Deployment(tc.args.serviceAccountName, tc.args.overrides...)
+ if diff := cmp.Diff(tc.want.want, got); diff != "" {
+ t.Errorf("\n%s\nDeployment(...): -want, +got:\n%s\n", tc.reason, diff)
+ }
+ })
+ }
+}
diff --git a/internal/features/uxp_features.go b/internal/features/uxp_features.go
new file mode 100644
index 000000000..d3bbf3846
--- /dev/null
+++ b/internal/features/uxp_features.go
@@ -0,0 +1,10 @@
+package features
+
+import "github.com/crossplane/crossplane-runtime/pkg/feature"
+
+// Alpha Feature flags.
+const (
+ // EnableProviderIdentity enables alpha support for Provider identity. This
+ // feature is only available when running on Upbound.
+ EnableProviderIdentity feature.Flag = "EnableProviderIdentity"
+)
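Review bot: TestUXPRuntimeManifestBuilderDeployment only asserts the positive case; nothing shows that a builder with `providerIdentity` left false yields a deployment without the proidc volume, so a regression that mounts it unconditionally would still pass. Unless runtime_test.go already pins that down, add a sibling case built the same way but without the field and without `DeploymentWithUpboundProviderIdentity()` in the expected overrides, as below. A function-revision case would likewise settle whether the option is meant to apply to functions, which the current test leaves open.
```go
		"ProviderDeploymentWithoutProviderIdentity": {
			reason: "If provider identity is not enabled, no proidc volume should be added.",
			args: args{
				builder: &RuntimeManifestBuilder{
					revision:  providerRevision,
					namespace: namespace,
				},
				serviceAccountName: providerRevisionName,
				overrides:          providerDeploymentOverrides(&pkgmetav1.Provider{ObjectMeta: metav1.ObjectMeta{Name: providerMetaName}}, providerRevision),
			},
			want: want{
				want: deploymentProvider(providerName, providerRevisionName, providerImage, DeploymentWithSelectors(map[string]string{
					"pkg.crossplane.io/provider": providerMetaName,
					"pkg.crossplane.io/revision": providerRevisionName,
				})),
			},
		},
		// … unchanged: existing ProviderDeploymentWithProviderIdentity case and the t.Run loop …
```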