Merge pull request #131 from phisco/patch-release-1.16

Apply upbound patches on 1.16

.github/workflows/ci.yml

@@ -14,11 +14,10 @@ env:
   GOLANGCI_VERSION: 'v1.57.2'
   DOCKER_BUILDX_VERSION: 'v0.10.0'
 
-  # Common users. We can't run a step 'if secrets.AWS_USR != ""' but we can run
-  # a step 'if env.AWS_USR' != ""', so we copy these to succinctly test whether
+  # Common users. We can't run a step 'if secrets.DOCKER_USR != ""' but we can run
+  # a step 'if env.DOCKER_USR' != ""', so we copy these to succinctly test whether
   # credentials have been provided before trying to run steps that need them.
   DOCKER_USR: ${{ secrets.DOCKER_USR }}
-  AWS_USR: ${{ secrets.AWS_USR }}
   UPBOUND_MARKETPLACE_PUSH_ROBOT_USR: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }}
 
 jobs:
@@ -402,26 +401,15 @@ jobs:
           username: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }}
           password: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_PSW }}
 
-      - name: Publish Artifacts to S3, Marketplace, DockerHub
+      - name: Publish Artifacts to Marketplace, DockerHub
         run: make -j2 publish BRANCH_NAME=${GITHUB_REF##*/}
-        if: env.AWS_USR != '' && env.DOCKER_USR != '' && env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != ''
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_USR }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_PSW }}
-          AWS_DEFAULT_REGION: us-east-1
-          GIT_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          DOCS_GIT_USR: ${{ secrets.UPBOUND_BOT_GITHUB_USR }}
-          DOCS_GIT_PSW: ${{ secrets.UPBOUND_BOT_GITHUB_PSW }}
-
-      - name: Promote Artifacts in S3, DockerHub
-        if: github.ref == 'refs/heads/master' && env.AWS_USR != '' && env.DOCKER_USR != '' && env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != ''
+
+      - name: Promote Artifacts in DockerHub
+        if: github.ref == 'refs/heads/master' && env.DOCKER_USR != ''
         run: make -j2 promote
         env:
           BRANCH_NAME: master
           CHANNEL: master
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_USR }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_PSW }}
-          AWS_DEFAULT_REGION: us-east-1
 
   fuzz-test:
     runs-on: ubuntu-22.04

.github/workflows/commands.yml

@@ -31,24 +31,3 @@ jobs:
         github_token: ${{ secrets.GITHUB_TOKEN }}
         github_workspace: ${{ github.workspace }}
         version: v0.0.4
-
-  fresh:
-    runs-on: ubuntu-22.04
-    if: startsWith(github.event.comment.body, '/fresh')
-
-    steps:
-    - name: Extract Command
-      id: command
-      uses: xt0rted/slash-command-action@bf51f8f5f4ea3d58abc7eca58f77104182b23e88 # v2
-      with:
-        repo-token: ${{ secrets.GITHUB_TOKEN }}
-        command: fresh
-        reaction: "true"
-        reaction-type: "eyes"
-        allow-edits: "false"
-        permission-level: read
-    - name: Handle Command
-      uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1
-      with:
-        github_token: ${{ secrets.GITHUB_TOKEN }}
-        labels: stale

.github/workflows/promote.yml

@@ -27,8 +27,6 @@ env:
   # a step 'if env.AWS_USR' != ""', so we copy these to succinctly test whether
   # credentials have been provided before trying to run steps that need them.
   DOCKER_USR: ${{ secrets.DOCKER_USR }}
-  AWS_USR: ${{ secrets.AWS_USR }}
-  UPBOUND_MARKETPLACE_PUSH_ROBOT_USR: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }}
 
 jobs:
   promote-artifacts:
@@ -63,13 +61,9 @@ jobs:
           username: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }}
           password: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_PSW }}
 
-      - name: Promote Artifacts in S3, DockerHub, and Upbound Registry
-        if: env.AWS_USR != '' && env.DOCKER_USR != '' && env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != ''
+      - name: Promote Artifacts in DockerHub and Upbound Registry
+        if: env.DOCKER_USR != '' && env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != ''
         run: make -j2 promote BRANCH_NAME=${GITHUB_REF##*/}
         env:
           VERSION: ${{ github.event.inputs.version }}
           CHANNEL: ${{ github.event.inputs.channel }}
-          PRE_RELEASE: ${{ github.event.inputs.pre-release }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_USR }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_PSW }}
-          AWS_DEFAULT_REGION: us-east-1

Makefile

@@ -14,7 +14,6 @@ PLATFORMS ?= linux_amd64 linux_arm64 linux_arm linux_ppc64le darwin_amd64 darwin
 # ====================================================================================
 # Setup Output
 
-S3_BUCKET ?= crossplane.releases
 -include build/makelib/output.mk
 
 # ====================================================================================
@@ -31,7 +30,7 @@ GO_TEST_PARALLEL := $(shell echo $$(( $(NPROCS) / 2 )))
 
 GO_STATIC_PACKAGES = $(GO_PROJECT)/cmd/crossplane $(GO_PROJECT)/cmd/crank
 GO_TEST_PACKAGES = $(GO_PROJECT)/test/e2e
-GO_LDFLAGS += -X $(GO_PROJECT)/internal/version.version=$(VERSION)
+GO_LDFLAGS += -X $(GO_PROJECT)/internal/version.version=$(shell echo $(VERSION) | sed 's/[\.,-]up.*//' )
 GO_SUBDIRS += cmd internal apis
 GO111MODULE = on
 GOLANGCILINT_VERSION = 1.57.2
@@ -47,23 +46,12 @@ HELM3_VERSION = v3.14.4
 KIND_VERSION = v0.21.0
 -include build/makelib/k8s_tools.mk
 
-# ====================================================================================
-# Setup Helm
-
-HELM_BASE_URL = https://charts.crossplane.io
-HELM_S3_BUCKET = crossplane.charts
-HELM_CHARTS = crossplane
-HELM_CHART_LINT_ARGS_crossplane = --set nameOverride='',imagePullSecrets=''
-HELM_DOCS_ENABLED = true
-HELM_VALUES_TEMPLATE_SKIPPED = true
--include build/makelib/helm.mk
-
 # ====================================================================================
 # Setup Images
 # Due to the way that the shared build logic works, images should
 # all be in folders at the same level (no additional levels of nesting).
 
-REGISTRY_ORGS ?= docker.io/crossplane xpkg.upbound.io/crossplane
+REGISTRY_ORGS ?= docker.io/upbound xpkg.upbound.io/upbound
 IMAGES = crossplane
 -include build/makelib/imagelight.mk
 

cluster/charts/crossplane/values.yaml

@@ -9,7 +9,7 @@ deploymentStrategy: RollingUpdate
 
 image:
   # -- Repository for the Crossplane pod image.
-  repository: xpkg.upbound.io/crossplane/crossplane
+  repository: xpkg.upbound.io/upbound/crossplane
   # -- The Crossplane image tag. Defaults to the value of `appVersion` in `Chart.yaml`.
   tag: ""
   # -- The image pull policy used for Crossplane and RBAC Manager pods.

cluster/local/kind.sh

@@ -43,7 +43,7 @@ function check_context() {
 
 # configure kind
 KIND_NAME=${KIND_NAME:-"kind"}
-IMAGE_REPOSITORY="xpkg.upbound.io/${PROJECT_NAME}/${PROJECT_NAME}"
+IMAGE_REPOSITORY="xpkg.upbound.io/upbound/${PROJECT_NAME}"
 case "${1:-}" in
   up)
     ${KIND} create cluster --name "${KIND_NAME}" --image "${KUBE_IMAGE}" --wait 5m

cmd/crossplane/core/core.go

@@ -109,6 +109,13 @@ type startCommand struct {
 	EnableUsages               bool `group:"Alpha Features:" help:"Enable support for deletion ordering and resource protection with Usages."`
 	EnableRealtimeCompositions bool `group:"Alpha Features:" help:"Enable support for realtime compositions, i.e. watching composed resources and reconciling compositions immediately when any of the composed resources is updated."`
 	EnableSSAClaims            bool `group:"Alpha Features:" help:"Enable support for using Kubernetes server-side apply to sync claims with composite resources (XRs)."`
+	// NOTE(hasheddan): this feature is unlikely to graduate from alpha status
+	// and should be removed when a runtime interface is introduced upstream.
+	// See https://github.com/crossplane/crossplane/issues/2671 for more
+	// information.
+	// TODO(turkenh): Consider removing this feature flag in favor of providing
+	//  a default DeploymentRuntimeConfig.
+	EnableProviderIdentity bool `group:"Alpha Features:" help:"Enable support for Provider identity."`
 
 	EnableCompositionFunctions               bool `default:"true" group:"Beta Features:" help:"Enable support for Composition Functions."`
 	EnableCompositionFunctionsExtraResources bool `default:"true" group:"Beta Features:" help:"Enable support for Composition Functions Extra Resources. Only respected if --enable-composition-functions is set to true."`
@@ -190,6 +197,11 @@ func (c *startCommand) Run(s *runtime.Scheme, log logging.Logger) error { //noli
 		Features:                &feature.Flags{},
 	}
 
+	if c.EnableProviderIdentity {
+		o.Features.Enable(features.EnableProviderIdentity)
+		log.Info("Alpha feature enabled", "flag", features.EnableProviderIdentity)
+	}
+
 	if !c.EnableCompositionRevisions {
 		log.Info("CompositionRevisions feature is GA and cannot be disabled. The --enable-composition-revisions flag will be removed in a future release.")
 	}

internal/controller/pkg/revision/reconciler.go

@@ -909,6 +909,10 @@ func (r *Reconciler) runtimeManifestBuilderOptions(ctx context.Context, pwr v1.P
 		opts = append(opts, RuntimeManifestBuilderWithRuntimeConfig(rc))
 	}
 
+	if r.features.Enabled(features.EnableProviderIdentity) {
+		opts = append(opts, RuntimeManifestBuilderWithProviderIdentity())
+	}
+
 	// Note(turkenh): Until we completely remove the old controller config
 	// reference, we support both the old and the new way with DeploymentRuntimeConfig.
 	// If both are specified, we will start with DeploymentRuntimeConfig as the

internal/controller/pkg/revision/runtime.go

@@ -101,6 +101,7 @@ type RuntimeManifestBuilder struct {
 	serviceAccountPullSecrets []corev1.LocalObjectReference
 	runtimeConfig             *v1beta1.DeploymentRuntimeConfig
 	controllerConfig          *v1alpha1.ControllerConfig
+	providerIdentity          bool
 }
 
 // RuntimeManifestBuilderOption is used to configure a RuntimeManifestBuilder.
@@ -130,6 +131,14 @@ func RuntimeManifestBuilderWithServiceAccountPullSecrets(secrets []corev1.LocalO
 	}
 }
 
+// RuntimeManifestBuilderWithProviderIdentity sets the provider identity flag
+// to use when building the runtime manifests.
+func RuntimeManifestBuilderWithProviderIdentity() RuntimeManifestBuilderOption {
+	return func(b *RuntimeManifestBuilder) {
+		b.providerIdentity = true
+	}
+}
+
 // NewRuntimeManifestBuilder returns a new RuntimeManifestBuilder.
 func NewRuntimeManifestBuilder(pwr v1.PackageRevisionWithRuntime, namespace string, opts ...RuntimeManifestBuilderOption) *RuntimeManifestBuilder {
 	b := &RuntimeManifestBuilder{
@@ -237,6 +246,10 @@ func (b *RuntimeManifestBuilder) Deployment(serviceAccount string, overrides ...
 		allOverrides = append(allOverrides, DeploymentRuntimeWithTLSServerSecret(*b.revision.GetTLSServerSecretName()))
 	}
 
+	if b.providerIdentity {
+		allOverrides = append(allOverrides, DeploymentWithUpboundProviderIdentity())
+	}
+
 	// We append the overrides passed to the function last so that they can
 	// override the above ones.
 	allOverrides = append(allOverrides, overrides...)

internal/controller/pkg/revision/uxp_runtime_override_options.go

@@ -0,0 +1,32 @@
+package revision
+
+import (
+	"github.com/aws/smithy-go/ptr"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+)
+
+// DeploymentWithUpboundProviderIdentity mounts the Upbound Provider Identity
+// CSI driver as a volume to the runtime container of a Deployment.
+func DeploymentWithUpboundProviderIdentity() DeploymentOverride {
+	proidcVolumeName := "proidc"
+	proidcDriverName := "proidc.csi.upbound.io"
+	proidcMountPath := "/var/run/secrets/upbound.io/provider"
+
+	return func(d *appsv1.Deployment) {
+		d.Spec.Template.Spec.Volumes = append(d.Spec.Template.Spec.Volumes, corev1.Volume{
+			Name: proidcVolumeName,
+			VolumeSource: corev1.VolumeSource{
+				CSI: &corev1.CSIVolumeSource{
+					Driver:   proidcDriverName,
+					ReadOnly: ptr.Bool(true),
+				},
+			},
+		})
+		d.Spec.Template.Spec.Containers[0].VolumeMounts = append(d.Spec.Template.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
+			Name:      proidcVolumeName,
+			ReadOnly:  true,
+			MountPath: proidcMountPath,
+		})
+	}
+}

internal/controller/pkg/revision/uxp_runtime_test.go

@@ -0,0 +1,70 @@
+/*
+Copyright 2023 The Crossplane Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package revision
+
+import (
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	appsv1 "k8s.io/api/apps/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	pkgmetav1 "github.com/crossplane/crossplane/apis/pkg/meta/v1"
+)
+
+func TestUXPRuntimeManifestBuilderDeployment(t *testing.T) {
+	type args struct {
+		builder            ManifestBuilder
+		overrides          []DeploymentOverride
+		serviceAccountName string
+	}
+	type want struct {
+		want *appsv1.Deployment
+	}
+	cases := map[string]struct {
+		reason string
+		args   args
+		want   want
+	}{
+		"ProviderDeploymentWithProviderIdentity": {
+			reason: "If provider identity is enabled, a proidc volume should be added.",
+			args: args{
+				builder: &RuntimeManifestBuilder{
+					revision:         providerRevision,
+					namespace:        namespace,
+					providerIdentity: true,
+				},
+				serviceAccountName: providerRevisionName,
+				overrides:          providerDeploymentOverrides(&pkgmetav1.Provider{ObjectMeta: metav1.ObjectMeta{Name: providerMetaName}}, providerRevision, providerImage),
+			},
+			want: want{
+				want: deploymentProvider(providerName, providerRevisionName, providerImage, DeploymentWithSelectors(map[string]string{
+					"pkg.crossplane.io/provider": providerMetaName,
+					"pkg.crossplane.io/revision": providerRevisionName,
+				}), DeploymentWithUpboundProviderIdentity()),
+			},
+		},
+	}
+	for name, tc := range cases {
+		t.Run(name, func(t *testing.T) {
+			got := tc.args.builder.Deployment(tc.args.serviceAccountName, tc.args.overrides...)
+			if diff := cmp.Diff(tc.want.want, got); diff != "" {
+				t.Errorf("\n%s\nDeployment(...): -want, +got:\n%s\n", tc.reason, diff)
+			}
+		})
+	}
+}