From e7d2fde55c4f81c5137716fe93e87a178589e1bb Mon Sep 17 00:00:00 2001
From: Philippe Scorsolini
Date: Wed, 29 May 2024 11:58:11 +0100
Subject: [PATCH] Apply upbound patches
Signed-off-by: Philippe Scorsolini
---
.github/workflows/ci.yml | 24 ++-----
.github/workflows/commands.yml | 21 ------
.github/workflows/promote.yml | 10 +--
CODEOWNERS | 67 ------------------
Makefile | 16 +----
cluster/charts/crossplane/values.yaml | 2 +-
cluster/local/kind.sh | 2 +-
cmd/crossplane/core/core.go | 12 ++++
.../controller/pkg/revision/reconciler.go | 4 ++
internal/controller/pkg/revision/runtime.go | 13 ++++
.../revision/uxp_runtime_override_options.go | 32 +++++++++
.../pkg/revision/uxp_runtime_test.go | 70 +++++++++++++++++++
internal/features/uxp_features.go | 10 +++
13 files changed, 153 insertions(+), 130 deletions(-)
delete mode 100644 CODEOWNERS
create mode 100644 internal/controller/pkg/revision/uxp_runtime_override_options.go
create mode 100644 internal/controller/pkg/revision/uxp_runtime_test.go
create mode 100644 internal/features/uxp_features.go
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 07b857bd7..44b5bd031 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,11 +14,10 @@ env:
GOLANGCI_VERSION: 'v1.57.2'
DOCKER_BUILDX_VERSION: 'v0.10.0'
- # Common users. We can't run a step 'if secrets.AWS_USR != ""' but we can run
- # a step 'if env.AWS_USR' != ""', so we copy these to succinctly test whether
+ # Common users. We can't run a step 'if secrets.DOCKER_USR != ""' but we can run
+ # a step 'if env.DOCKER_USR' != ""', so we copy these to succinctly test whether
# credentials have been provided before trying to run steps that need them.
DOCKER_USR: ${{ secrets.DOCKER_USR }}
- AWS_USR: ${{ secrets.AWS_USR }}
UPBOUND_MARKETPLACE_PUSH_ROBOT_USR: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }}
jobs:
@@ -402,26 +401,15 @@ jobs:
username: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }}
password: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_PSW }}
- - name: Publish Artifacts to S3, Marketplace, DockerHub
+ - name: Publish Artifacts to Marketplace, DockerHub
run: make -j2 publish BRANCH_NAME=${GITHUB_REF##*/}
- if: env.AWS_USR != '' && env.DOCKER_USR != '' && env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != ''
- env:
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_USR }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_PSW }}
- AWS_DEFAULT_REGION: us-east-1
- GIT_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- DOCS_GIT_USR: ${{ secrets.UPBOUND_BOT_GITHUB_USR }}
- DOCS_GIT_PSW: ${{ secrets.UPBOUND_BOT_GITHUB_PSW }}
-
- - name: Promote Artifacts in S3, DockerHub
- if: github.ref == 'refs/heads/master' && env.AWS_USR != '' && env.DOCKER_USR != '' && env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != ''
+
+ - name: Promote Artifacts in DockerHub
+ if: github.ref == 'refs/heads/master' && env.DOCKER_USR != ''
run: make -j2 promote
env:
BRANCH_NAME: master
CHANNEL: master
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_USR }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_PSW }}
- AWS_DEFAULT_REGION: us-east-1
fuzz-test:
runs-on: ubuntu-22.04
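Review bot: The renamed `Publish Artifacts to Marketplace, DockerHub` step has lost its `if:` guard entirely — the removed line gated it on the credentials being non-empty and nothing replaces it, so `make -j2 publish` now runs on every CI run, including forks and external PRs where the secrets resolve to empty strings and the push will simply fail the job. Restore a guard that matches the registries still in use, e.g. `if: env.DOCKER_USR != '' && env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != ''`. The new condition on the promote step checks only `env.DOCKER_USR`, yet this job logs into the Upbound marketplace a few lines above and the Makefile hunk in this patch adds `xpkg.upbound.io/upbound` to `REGISTRY_ORGS`, so promote presumably needs the robot credential as well and should carry the same two-part condition.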
diff --git a/.github/workflows/commands.yml b/.github/workflows/commands.yml
index 0232d5760..6ab39cf8c 100644
--- a/.github/workflows/commands.yml
+++ b/.github/workflows/commands.yml
@@ -31,24 +31,3 @@ jobs:
github_token: ${{ secrets.GITHUB_TOKEN }}
github_workspace: ${{ github.workspace }}
version: v0.0.4
-
- fresh:
- runs-on: ubuntu-22.04
- if: startsWith(github.event.comment.body, '/fresh')
-
- steps:
- - name: Extract Command
- id: command
- uses: xt0rted/slash-command-action@bf51f8f5f4ea3d58abc7eca58f77104182b23e88 # v2
- with:
- repo-token: ${{ secrets.GITHUB_TOKEN }}
- command: fresh
- reaction: "true"
- reaction-type: "eyes"
- allow-edits: "false"
- permission-level: read
- - name: Handle Command
- uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
- labels: stale
diff --git a/.github/workflows/promote.yml b/.github/workflows/promote.yml
index 93cf57a60..5b09e4219 100644
--- a/.github/workflows/promote.yml
+++ b/.github/workflows/promote.yml
@@ -27,8 +27,6 @@ env:
# a step 'if env.AWS_USR' != ""', so we copy these to succinctly test whether
# credentials have been provided before trying to run steps that need them.
DOCKER_USR: ${{ secrets.DOCKER_USR }}
- AWS_USR: ${{ secrets.AWS_USR }}
- UPBOUND_MARKETPLACE_PUSH_ROBOT_USR: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }}
jobs:
promote-artifacts:
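Review bot: Removing `UPBOUND_MARKETPLACE_PUSH_ROBOT_USR` from the workflow `env` block breaks the second hunk of this file, whose new step condition is `if: env.DOCKER_USR != '' && env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != ''` — unless that variable is defined somewhere outside this diff, `env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR` now evaluates to an empty string and the promote step never runs. Keep the line `UPBOUND_MARKETPLACE_PUSH_ROBOT_USR: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }}` in `env`, mirroring what ci.yml still does. The surrounding comment that explains the pattern (`# a step 'if env.AWS_USR' != ""'`) also still refers to `AWS_USR`, which this hunk deletes; updating it to `DOCKER_USR` as the ci.yml hunk does would keep the two workflows consistent.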
@@ -63,13 +61,9 @@ jobs:
username: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }}
password: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_PSW }}
- - name: Promote Artifacts in S3, DockerHub, and Upbound Registry
- if: env.AWS_USR != '' && env.DOCKER_USR != '' && env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != ''
+ - name: Promote Artifacts in DockerHub and Upbound Registry
+ if: env.DOCKER_USR != '' && env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != ''
run: make -j2 promote BRANCH_NAME=${GITHUB_REF##*/}
env:
VERSION: ${{ github.event.inputs.version }}
CHANNEL: ${{ github.event.inputs.channel }}
- PRE_RELEASE: ${{ github.event.inputs.pre-release }}
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_USR }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_PSW }}
- AWS_DEFAULT_REGION: us-east-1
diff --git a/CODEOWNERS b/CODEOWNERS
deleted file mode 100644
index 52be8b996..000000000
--- a/CODEOWNERS
+++ /dev/null
@@ -1,67 +0,0 @@
-# This file controls automatic PR reviewer assignment. See the following docs:
-#
-# * https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
-# * https://docs.github.com/en/organizations/organizing-members-into-teams/managing-code-review-settings-for-your-team
-#
-# The goal of this file is for most PRs to automatically and fairly have 1 to 2
-# maintainers set as PR reviewers. All maintainers have permission to approve
-# and merge PRs. PRs only need
-#
-# Most lines in this file will assign one subject matter expert and one random
-# maintainer. PRs only need to be approved by one of these people to be merged.
-#
-# This in part depends on how the groups in this file are configured.
-#
-# @crossplane/steering-committee - Assigns 3 members. Admin perms to this repo.
-# @crossplane/crossplane-maintainers - Assigns 1 member. Maintain perms to this repo.
-#
-# Where possible, prefer explicitly specifying a maintainer who is a subject
-# matter expert for a particular part of the codebase rather than using the
-# @crossplane/crossplane-maintainers group.
-#
-# See also OWNERS.md for governance details
-
-# Fallback owners
-* @crossplane/crossplane-maintainers
-
-# Governance owners - steering committee
-/README.md @crossplane/steering-committee
-/OWNERS.md @crossplane/steering-committee
-/CHARTER.md @crossplane/steering-committee
-/CODE_OF_CONDUCT.md @crossplane/steering-committee
-/GOVERNANCE.md @crossplane/steering-committee
-/ROADMAP.md @crossplane/steering-committee
-/LICENSE @crossplane/steering-committee
-
-# Adopters list - steering committee and maintainers
-/ADOPTERS.md @crossplane/steering-committee @crossplane/crossplane-maintainers
-
-# Design documents
-/design/ @crossplane/crossplane-maintainers @negz
-
-# Contributing documentation
-/contributing/ @crossplane/crossplane-maintainers @negz
-
-# Package manager
-/apis/pkg/ @crossplane/crossplane-maintainers @turkenh
-/internal/xpkg/ @crossplane/crossplane-maintainers @turkenh
-/internal/dag/ @crossplane/crossplane-maintainers @turkenh
-/internal/controller/pkg/ @crossplane/crossplane-maintainers @turkenh
-
-# Composition
-/apis/apiextensions/ @crossplane/crossplane-maintainers @negz
-/internal/controller/apiextensions/ @crossplane/crossplane-maintainers @negz
-/internal/xcrd/ @crossplane/crossplane-maintainers @negz
-/internal/xfn/ @crossplane/crossplane-maintainers @negz
-/internal/validation/ @crossplane/crossplane-maintainers @phisco
-
-# RBAC Manager
-/cmd/crossplane/rbac/ @crossplane/crossplane-maintainers @negz
-/internal/controller/rbac/ @crossplane/crossplane-maintainers @negz
-
-# Crossplane CLI
-/cmd/crank/ @crossplane/crossplane-maintainers @phisco
-
-# Misc
-/apis/secrets/ @crossplane/crossplane-maintainers @turkenh
-/internal/features/ @crossplane/crossplane-maintainers @negz
diff --git a/Makefile b/Makefile
index f852c8a92..d6a3d25e5 100644
--- a/Makefile
+++ b/Makefile
@@ -14,7 +14,6 @@ PLATFORMS ?= linux_amd64 linux_arm64 linux_arm linux_ppc64le darwin_amd64 darwin
# ====================================================================================
# Setup Output
-S3_BUCKET ?= crossplane.releases
-include build/makelib/output.mk
# ====================================================================================
@@ -31,7 +30,7 @@ GO_TEST_PARALLEL := $(shell echo $$(( $(NPROCS) / 2 )))
GO_STATIC_PACKAGES = $(GO_PROJECT)/cmd/crossplane $(GO_PROJECT)/cmd/crank
GO_TEST_PACKAGES = $(GO_PROJECT)/test/e2e
-GO_LDFLAGS += -X $(GO_PROJECT)/internal/version.version=$(VERSION)
+GO_LDFLAGS += -X $(GO_PROJECT)/internal/version.version=$(shell echo $(VERSION) | sed 's/[\.,-]up.*//' )
GO_SUBDIRS += cmd internal apis
GO111MODULE = on
GOLANGCILINT_VERSION = 1.57.2
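Review bot: The new `sed 's/[\.,-]up.*//'` expression deserves a comment stating its intent, since nothing in the Makefile says why the version baked into the binary differs from `$(VERSION)`; something like `# Strip the Upbound-specific suffix (e.g. -up.N) so the binary reports the upstream Crossplane version.` above the line. Inside a bracket expression a backslash does not escape `.`; under POSIX rules `[\.,-]` matches a literal backslash, a dot, a comma or a hyphen, so `[.,-]` is the form that matches what is presumably intended. It may also be worth noting that `.up.*` truncates at the first occurrence of those characters followed by `up`, so any future version string containing that sequence elsewhere would be cut short.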
@@ -47,23 +46,12 @@ HELM3_VERSION = v3.14.4
KIND_VERSION = v0.21.0
-include build/makelib/k8s_tools.mk
-# ====================================================================================
-# Setup Helm
-
-HELM_BASE_URL = https://charts.crossplane.io
-HELM_S3_BUCKET = crossplane.charts
-HELM_CHARTS = crossplane
-HELM_CHART_LINT_ARGS_crossplane = --set nameOverride='',imagePullSecrets=''
-HELM_DOCS_ENABLED = true
-HELM_VALUES_TEMPLATE_SKIPPED = true
--include build/makelib/helm.mk
-
# ====================================================================================
# Setup Images
# Due to the way that the shared build logic works, images should
# all be in folders at the same level (no additional levels of nesting).
-REGISTRY_ORGS ?= docker.io/crossplane xpkg.upbound.io/crossplane
+REGISTRY_ORGS ?= docker.io/upbound xpkg.upbound.io/upbound
IMAGES = crossplane
-include build/makelib/imagelight.mk
diff --git a/cluster/charts/crossplane/values.yaml b/cluster/charts/crossplane/values.yaml
index 4b88ccf60..9c3d6fe9a 100755
--- a/cluster/charts/crossplane/values.yaml
+++ b/cluster/charts/crossplane/values.yaml
@@ -9,7 +9,7 @@ deploymentStrategy: RollingUpdate
image:
# -- Repository for the Crossplane pod image.
- repository: xpkg.upbound.io/crossplane/crossplane
+ repository: xpkg.upbound.io/upbound/crossplane
# -- The Crossplane image tag. Defaults to the value of `appVersion` in `Chart.yaml`.
tag: ""
# -- The image pull policy used for Crossplane and RBAC Manager pods.
diff --git a/cluster/local/kind.sh b/cluster/local/kind.sh
index 37721f26d..1ab270076 100755
--- a/cluster/local/kind.sh
+++ b/cluster/local/kind.sh
@@ -43,7 +43,7 @@ function check_context() {
# configure kind
KIND_NAME=${KIND_NAME:-"kind"}
-IMAGE_REPOSITORY="xpkg.upbound.io/${PROJECT_NAME}/${PROJECT_NAME}"
+IMAGE_REPOSITORY="xpkg.upbound.io/upbound/${PROJECT_NAME}"
case "${1:-}" in
up)
${KIND} create cluster --name "${KIND_NAME}" --image "${KUBE_IMAGE}" --wait 5m
diff --git a/cmd/crossplane/core/core.go b/cmd/crossplane/core/core.go
index d82dd5522..1d3c0ff6a 100644
--- a/cmd/crossplane/core/core.go
+++ b/cmd/crossplane/core/core.go
@@ -109,6 +109,13 @@ type startCommand struct {
EnableUsages bool `group:"Alpha Features:" help:"Enable support for deletion ordering and resource protection with Usages."`
EnableRealtimeCompositions bool `group:"Alpha Features:" help:"Enable support for realtime compositions, i.e. watching composed resources and reconciling compositions immediately when any of the composed resources is updated."`
EnableSSAClaims bool `group:"Alpha Features:" help:"Enable support for using Kubernetes server-side apply to sync claims with composite resources (XRs)."`
+ // NOTE(hasheddan): this feature is unlikely to graduate from alpha status
+ // and should be removed when a runtime interface is introduced upstream.
+ // See https://github.com/crossplane/crossplane/issues/2671 for more
+ // information.
+ // TODO(turkenh): Consider removing this feature flag in favor of providing
+ // a default DeploymentRuntimeConfig.
+ EnableProviderIdentity bool `group:"Alpha Features:" help:"Enable support for Provider identity."`
EnableCompositionFunctions bool `default:"true" group:"Beta Features:" help:"Enable support for Composition Functions."`
EnableCompositionFunctionsExtraResources bool `default:"true" group:"Beta Features:" help:"Enable support for Composition Functions Extra Resources. Only respected if --enable-composition-functions is set to true."`
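Review bot: The help text on the new `EnableProviderIdentity` flag, `"Enable support for Provider identity."`, gives the operator no hint that the feature has an environmental prerequisite — the accompanying `uxp_features.go` says it is only available when running on Upbound, and the override it enables mounts a CSI volume with driver `proidc.csi.upbound.io`, so on a cluster without that driver provider pods would presumably fail to start. Since the `--help` output is the only place most users will see this, consider `help:"Enable support for Provider identity. Requires the Upbound provider identity CSI driver (proidc.csi.upbound.io) to be installed in the cluster."`. The `startCommand` struct this hunk belongs to starts and ends outside the hunk.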
@@ -190,6 +197,11 @@ func (c *startCommand) Run(s *runtime.Scheme, log logging.Logger) error { //noli
Features: &feature.Flags{},
}
+ if c.EnableProviderIdentity {
+ o.Features.Enable(features.EnableProviderIdentity)
+ log.Info("Alpha feature enabled", "flag", features.EnableProviderIdentity)
+ }
+
if !c.EnableCompositionRevisions {
log.Info("CompositionRevisions feature is GA and cannot be disabled. The --enable-composition-revisions flag will be removed in a future release.")
}
diff --git a/internal/controller/pkg/revision/reconciler.go b/internal/controller/pkg/revision/reconciler.go
index 3b59a6584..5a0463164 100644
--- a/internal/controller/pkg/revision/reconciler.go
+++ b/internal/controller/pkg/revision/reconciler.go
@@ -909,6 +909,10 @@ func (r *Reconciler) runtimeManifestBuilderOptions(ctx context.Context, pwr v1.P
opts = append(opts, RuntimeManifestBuilderWithRuntimeConfig(rc))
}
+ if r.features.Enabled(features.EnableProviderIdentity) {
+ opts = append(opts, RuntimeManifestBuilderWithProviderIdentity())
+ }
+
// Note(turkenh): Until we completely remove the old controller config
// reference, we support both the old and the new way with DeploymentRuntimeConfig.
// If both are specified, we will start with DeploymentRuntimeConfig as the
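Review bot: `runtimeManifestBuilderOptions` takes a generic `v1.PackageRevisionWithRuntime`, so the new `RuntimeManifestBuilderWithProviderIdentity()` option is appended for every revision kind that has a runtime, not only providers; if function revisions flow through this path they would also get the identity volume mounted, which widens the set of pods that can read the provider identity credential. If the feature is meant for providers only, as its name and the test in this patch suggest, gate the append on the revision kind in addition to the feature flag, e.g. `if r.features.Enabled(features.EnableProviderIdentity) && isProviderRevision(pwr) {` with whatever kind check this package already uses. If functions are intended to receive it too, a comment saying so would avoid the question. The enclosing function starts and ends outside the hunk.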
diff --git a/internal/controller/pkg/revision/runtime.go b/internal/controller/pkg/revision/runtime.go
index 8b74113fd..4dd9ace7f 100644
--- a/internal/controller/pkg/revision/runtime.go
+++ b/internal/controller/pkg/revision/runtime.go
@@ -101,6 +101,7 @@ type RuntimeManifestBuilder struct {
serviceAccountPullSecrets []corev1.LocalObjectReference
runtimeConfig *v1beta1.DeploymentRuntimeConfig
controllerConfig *v1alpha1.ControllerConfig
+ providerIdentity bool
}
// RuntimeManifestBuilderOption is used to configure a RuntimeManifestBuilder.
@@ -130,6 +131,14 @@ func RuntimeManifestBuilderWithServiceAccountPullSecrets(secrets []corev1.LocalO
}
}
+// RuntimeManifestBuilderWithProviderIdentity sets the provider identity flag
+// to use when building the runtime manifests.
+func RuntimeManifestBuilderWithProviderIdentity() RuntimeManifestBuilderOption {
+ return func(b *RuntimeManifestBuilder) {
+ b.providerIdentity = true
+ }
+}
+
// NewRuntimeManifestBuilder returns a new RuntimeManifestBuilder.
func NewRuntimeManifestBuilder(pwr v1.PackageRevisionWithRuntime, namespace string, opts ...RuntimeManifestBuilderOption) *RuntimeManifestBuilder {
b := &RuntimeManifestBuilder{
@@ -237,6 +246,10 @@ func (b *RuntimeManifestBuilder) Deployment(serviceAccount string, overrides ...
allOverrides = append(allOverrides, DeploymentRuntimeWithTLSServerSecret(*b.revision.GetTLSServerSecretName()))
}
+ if b.providerIdentity {
+ allOverrides = append(allOverrides, DeploymentWithUpboundProviderIdentity())
+ }
+
// We append the overrides passed to the function last so that they can
// override the above ones.
allOverrides = append(allOverrides, overrides...)
diff --git a/internal/controller/pkg/revision/uxp_runtime_override_options.go b/internal/controller/pkg/revision/uxp_runtime_override_options.go
new file mode 100644
index 000000000..8b988f256
--- /dev/null
+++ b/internal/controller/pkg/revision/uxp_runtime_override_options.go
@@ -0,0 +1,32 @@
+package revision
+
+import (
+ "github.com/aws/smithy-go/ptr"
+ appsv1 "k8s.io/api/apps/v1"
+ corev1 "k8s.io/api/core/v1"
+)
+
+// DeploymentWithUpboundProviderIdentity mounts the Upbound Provider Identity
+// CSI driver as a volume to the runtime container of a Deployment.
+func DeploymentWithUpboundProviderIdentity() DeploymentOverride {
+ proidcVolumeName := "proidc"
+ proidcDriverName := "proidc.csi.upbound.io"
+ proidcMountPath := "/var/run/secrets/upbound.io/provider"
+
+ return func(d *appsv1.Deployment) {
+ d.Spec.Template.Spec.Volumes = append(d.Spec.Template.Spec.Volumes, corev1.Volume{
+ Name: proidcVolumeName,
+ VolumeSource: corev1.VolumeSource{
+ CSI: &corev1.CSIVolumeSource{
+ Driver: proidcDriverName,
+ ReadOnly: ptr.Bool(true),
+ },
+ },
+ })
+ d.Spec.Template.Spec.Containers[0].VolumeMounts = append(d.Spec.Template.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
+ Name: proidcVolumeName,
+ ReadOnly: true,
+ MountPath: proidcMountPath,
+ })
+ }
+}
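Review bot: `DeploymentWithUpboundProviderIdentity` pulls `github.com/aws/smithy-go/ptr` into the core Crossplane binary for a single `*bool`; that is an AWS SDK support module with no other relation to this package, and adding a new module dependency to produce `ptr.Bool(true)` is an unnecessary supply-chain surface when `k8s.io/utils/ptr` (`ptr.To(true)`), already reachable through the Kubernetes client libraries, does the same job. `d.Spec.Template.Spec.Containers[0]` is indexed without a length check and will panic on a Deployment with no containers; if the sibling overrides in this package already rely on the builder always producing a runtime container that is consistent, otherwise guard it with `if len(d.Spec.Template.Spec.Containers) == 0 { return }`. The three `proidc*` values are recreated on every call and would read better as package-level constants. This new file also lacks the Apache license header that the other new file in this patch carries.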
diff --git a/internal/controller/pkg/revision/uxp_runtime_test.go b/internal/controller/pkg/revision/uxp_runtime_test.go
new file mode 100644
index 000000000..22075a3db
--- /dev/null
+++ b/internal/controller/pkg/revision/uxp_runtime_test.go
@@ -0,0 +1,70 @@
+/*
+Copyright 2023 The Crossplane Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package revision
+
+import (
+ "testing"
+
+ "github.com/google/go-cmp/cmp"
+ appsv1 "k8s.io/api/apps/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+ pkgmetav1 "github.com/crossplane/crossplane/apis/pkg/meta/v1"
+)
+
+func TestUXPRuntimeManifestBuilderDeployment(t *testing.T) {
+ type args struct {
+ builder ManifestBuilder
+ overrides []DeploymentOverride
+ serviceAccountName string
+ }
+ type want struct {
+ want *appsv1.Deployment
+ }
+ cases := map[string]struct {
+ reason string
+ args args
+ want want
+ }{
+ "ProviderDeploymentWithProviderIdentity": {
+ reason: "If provider identity is enabled, a proidc volume should be added.",
+ args: args{
+ builder: &RuntimeManifestBuilder{
+ revision: providerRevision,
+ namespace: namespace,
+ providerIdentity: true,
+ },
+ serviceAccountName: providerRevisionName,
+ overrides: providerDeploymentOverrides(&pkgmetav1.Provider{ObjectMeta: metav1.ObjectMeta{Name: providerMetaName}}, providerRevision, providerImage),
+ },
+ want: want{
+ want: deploymentProvider(providerName, providerRevisionName, providerImage, DeploymentWithSelectors(map[string]string{
+ "pkg.crossplane.io/provider": providerMetaName,
+ "pkg.crossplane.io/revision": providerRevisionName,
+ }), DeploymentWithUpboundProviderIdentity()),
+ },
+ },
+ }
+ for name, tc := range cases {
+ t.Run(name, func(t *testing.T) {
+ got := tc.args.builder.Deployment(tc.args.serviceAccountName, tc.args.overrides...)
+ if diff := cmp.Diff(tc.want.want, got); diff != "" {
+ t.Errorf("\n%s\nDeployment(...): -want, +got:\n%s\n", tc.reason, diff)
+ }
+ })
+ }
+}
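Review bot: The table has only the enabled case, so nothing asserts that a `RuntimeManifestBuilder` with `providerIdentity` left at its zero value produces a Deployment without the `proidc` volume — the default-off behaviour that most clusters will run is untested, and a regression that mounted the identity volume unconditionally would pass. Add a second case with the same arguments but no `providerIdentity: true` and a `want` that omits `DeploymentWithUpboundProviderIdentity()`. The helpers this test relies on (`providerRevision`, `deploymentProvider`, `providerDeploymentOverrides`, `namespace`) are defined outside this file, presumably in a sibling test, so the case needs nothing new. The copyright line reads 2023 while the commit is dated 2024.
```go
	"ProviderDeploymentWithoutProviderIdentity": {
		reason: "If provider identity is not enabled, no proidc volume should be added.",
		args: args{
			builder: &RuntimeManifestBuilder{
				revision:  providerRevision,
				namespace: namespace,
			},
			serviceAccountName: providerRevisionName,
			overrides:          providerDeploymentOverrides(&pkgmetav1.Provider{ObjectMeta: metav1.ObjectMeta{Name: providerMetaName}}, providerRevision, providerImage),
		},
		want: want{
			want: deploymentProvider(providerName, providerRevisionName, providerImage, DeploymentWithSelectors(map[string]string{
				"pkg.crossplane.io/provider": providerMetaName,
				"pkg.crossplane.io/revision": providerRevisionName,
			})),
		},
	},
	// … unchanged: ProviderDeploymentWithProviderIdentity case and the t.Run loop …
```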
diff --git a/internal/features/uxp_features.go b/internal/features/uxp_features.go
new file mode 100644
index 000000000..d3bbf3846
--- /dev/null
+++ b/internal/features/uxp_features.go
@@ -0,0 +1,10 @@
+package features
+
+import "github.com/crossplane/crossplane-runtime/pkg/feature"
+
+// Alpha Feature flags.
+const (
+ // EnableProviderIdentity enables alpha support for Provider identity. This
+ // feature is only available when running on Upbound.
+ EnableProviderIdentity feature.Flag = "EnableProviderIdentity"
+)
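Review bot: The doc comment on `EnableProviderIdentity` says the feature is "only available when running on Upbound" but not what that means operationally; the override it enables (in `uxp_runtime_override_options.go`) mounts a CSI volume with driver `proidc.csi.upbound.io`, so the real requirement is that driver being installed, and on a cluster without it provider pods would presumably stay stuck waiting for the volume. A more useful comment would be `// EnableProviderIdentity enables alpha support for Provider identity. It mounts the Upbound provider identity CSI volume (proidc.csi.upbound.io) into provider pods and requires that driver to be installed in the cluster.` This new file also lacks the license header the test file in this patch has.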