From e7d2fde55c4f81c5137716fe93e87a178589e1bb Mon Sep 17 00:00:00 2001 From: Philippe Scorsolini Date: Wed, 29 May 2024 11:58:11 +0100 Subject: [PATCH] Apply upbound patches Signed-off-by: Philippe Scorsolini --- .github/workflows/ci.yml | 24 ++----- .github/workflows/commands.yml | 21 ------ .github/workflows/promote.yml | 10 +-- CODEOWNERS | 67 ------------------ Makefile | 16 +---- cluster/charts/crossplane/values.yaml | 2 +- cluster/local/kind.sh | 2 +- cmd/crossplane/core/core.go | 12 ++++ .../controller/pkg/revision/reconciler.go | 4 ++ internal/controller/pkg/revision/runtime.go | 13 ++++ .../revision/uxp_runtime_override_options.go | 32 +++++++++ .../pkg/revision/uxp_runtime_test.go | 70 +++++++++++++++++++ internal/features/uxp_features.go | 10 +++ 13 files changed, 153 insertions(+), 130 deletions(-) delete mode 100644 CODEOWNERS create mode 100644 internal/controller/pkg/revision/uxp_runtime_override_options.go create mode 100644 internal/controller/pkg/revision/uxp_runtime_test.go create mode 100644 internal/features/uxp_features.go diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 07b857bd7..44b5bd031 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,11 +14,10 @@ env: GOLANGCI_VERSION: 'v1.57.2' DOCKER_BUILDX_VERSION: 'v0.10.0' - # Common users. We can't run a step 'if secrets.AWS_USR != ""' but we can run - # a step 'if env.AWS_USR' != ""', so we copy these to succinctly test whether + # Common users. We can't run a step 'if secrets.DOCKER_USR != ""' but we can run + # a step 'if env.DOCKER_USR' != ""', so we copy these to succinctly test whether # credentials have been provided before trying to run steps that need them. DOCKER_USR: ${{ secrets.DOCKER_USR }} - AWS_USR: ${{ secrets.AWS_USR }} UPBOUND_MARKETPLACE_PUSH_ROBOT_USR: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }} jobs: 
@@ -402,26 +401,15 @@ jobs: username: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }} password: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_PSW }} - - name: Publish Artifacts to S3, Marketplace, DockerHub + - name: Publish Artifacts to Marketplace, DockerHub run: make -j2 publish BRANCH_NAME=${GITHUB_REF##*/} - if: env.AWS_USR != '' && env.DOCKER_USR != '' && env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != '' - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_USR }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_PSW }} - AWS_DEFAULT_REGION: us-east-1 - GIT_API_TOKEN: ${{ secrets.GITHUB_TOKEN }} - DOCS_GIT_USR: ${{ secrets.UPBOUND_BOT_GITHUB_USR }} - DOCS_GIT_PSW: ${{ secrets.UPBOUND_BOT_GITHUB_PSW }} - - - name: Promote Artifacts in S3, DockerHub - if: github.ref == 'refs/heads/master' && env.AWS_USR != '' && env.DOCKER_USR != '' && env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != '' + + - name: Promote Artifacts in DockerHub + if: github.ref == 'refs/heads/master' && env.DOCKER_USR != '' run: make -j2 promote env: BRANCH_NAME: master CHANNEL: master - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_USR }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_PSW }} - AWS_DEFAULT_REGION: us-east-1 fuzz-test: runs-on: ubuntu-22.04 diff --git a/.github/workflows/commands.yml b/.github/workflows/commands.yml index 0232d5760..6ab39cf8c 100644 --- a/.github/workflows/commands.yml +++ b/.github/workflows/commands.yml 
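Review bot: The `Publish Artifacts to Marketplace, DockerHub` step has lost its `if:` guard entirely — the old condition line is removed and nothing replaces it — so `make publish` now runs on every event that reaches this job, including runs where `DOCKER_USR` or `UPBOUND_MARKETPLACE_PUSH_ROBOT_USR` are empty (forks, PRs without secrets), where it will either fail or attempt a push with missing credentials. The neighbouring Promote step kept a guard but dropped the marketplace term, even though the step directly above still logs into the marketplace registry with those credentials. Restore `if: env.DOCKER_USR != '' && env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != ''` on the publish step and add the same marketplace term back to the promote step. The job's trigger and `permissions:` are outside the hunk, so which events can reach this step is inferred rather than visible.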
@@ -31,24 +31,3 @@ jobs: github_token: ${{ secrets.GITHUB_TOKEN }} github_workspace: ${{ github.workspace }} version: v0.0.4 - - fresh: - runs-on: ubuntu-22.04 - if: startsWith(github.event.comment.body, '/fresh') - - steps: - - name: Extract Command - id: command - uses: xt0rted/slash-command-action@bf51f8f5f4ea3d58abc7eca58f77104182b23e88 # v2 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - command: fresh - reaction: "true" - reaction-type: "eyes" - allow-edits: "false" - permission-level: read - - name: Handle Command - uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1 - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - labels: stale diff --git a/.github/workflows/promote.yml b/.github/workflows/promote.yml index 93cf57a60..5b09e4219 100644 --- a/.github/workflows/promote.yml +++ b/.github/workflows/promote.yml @@ -27,8 +27,6 @@ env: # a step 'if env.AWS_USR' != ""', so we copy these to succinctly test whether # credentials have been provided before trying to run steps that need them. DOCKER_USR: ${{ secrets.DOCKER_USR }} - AWS_USR: ${{ secrets.AWS_USR }} - UPBOUND_MARKETPLACE_PUSH_ROBOT_USR: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }} jobs: promote-artifacts: 
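Review bot: The explanatory comment left as context two lines above the deleted entries still describes the pattern in terms of `AWS_USR` (`# a step 'if env.AWS_USR' != ""'`), which this hunk removes, so it is now stale; reword it to `DOCKER_USR`, as the equivalent hunk in ci.yml already does. The comment also says "we copy these" for every credential that a step condition tests, so if any condition in this workflow still tests `env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR`, that copy should stay rather than be deleted.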
@@ -63,13 +61,9 @@ jobs: username: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }} password: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_PSW }} - - name: Promote Artifacts in S3, DockerHub, and Upbound Registry - if: env.AWS_USR != '' && env.DOCKER_USR != '' && env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != '' + - name: Promote Artifacts in DockerHub and Upbound Registry + if: env.DOCKER_USR != '' && env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != '' run: make -j2 promote BRANCH_NAME=${GITHUB_REF##*/} env: VERSION: ${{ github.event.inputs.version }} CHANNEL: ${{ github.event.inputs.channel }} - PRE_RELEASE: ${{ github.event.inputs.pre-release }} - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_USR }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_PSW }} - AWS_DEFAULT_REGION: us-east-1 diff --git a/CODEOWNERS b/CODEOWNERS deleted file mode 100644 index 52be8b996..000000000 --- a/CODEOWNERS +++ /dev/null 
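Review bot: The new condition `if: env.DOCKER_USR != '' && env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != ''` still tests an env var that this same patch deletes from the workflow's top-level `env:` block (`UPBOUND_MARKETPLACE_PUSH_ROBOT_USR: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }}` is removed in the earlier promote.yml hunk), so unless the job re-declares it outside the hunk the expression is always false and promotion silently never runs. Keep the env copy, or drop the term and rely on the `docker/login-action` step above failing when the secret is absent. `PRE_RELEASE` is also removed from the step env while `github.event.inputs.pre-release` presumably remains a declared workflow input outside the hunk; if `make promote` still reads `PRE_RELEASE`, pre-release promotions will now be treated as releases, which deserves a line in the commit message.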
@@ -1,67 +0,0 @@ -# This file controls automatic PR reviewer assignment. See the following docs: -# -# * https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners -# * https://docs.github.com/en/organizations/organizing-members-into-teams/managing-code-review-settings-for-your-team -# -# The goal of this file is for most PRs to automatically and fairly have 1 to 2 -# maintainers set as PR reviewers. All maintainers have permission to approve -# and merge PRs. PRs only need -# -# Most lines in this file will assign one subject matter expert and one random -# maintainer. PRs only need to be approved by one of these people to be merged. -# -# This in part depends on how the groups in this file are configured. -# -# @crossplane/steering-committee - Assigns 3 members. Admin perms to this repo. -# @crossplane/crossplane-maintainers - Assigns 1 member. Maintain perms to this repo. -# -# Where possible, prefer explicitly specifying a maintainer who is a subject -# matter expert for a particular part of the codebase rather than using the -# @crossplane/crossplane-maintainers group. 
-# -# See also OWNERS.md for governance details - -# Fallback owners -* @crossplane/crossplane-maintainers - -# Governance owners - steering committee -/README.md @crossplane/steering-committee -/OWNERS.md @crossplane/steering-committee -/CHARTER.md @crossplane/steering-committee -/CODE_OF_CONDUCT.md @crossplane/steering-committee -/GOVERNANCE.md @crossplane/steering-committee -/ROADMAP.md @crossplane/steering-committee -/LICENSE @crossplane/steering-committee - -# Adopters list - steering committee and maintainers -/ADOPTERS.md @crossplane/steering-committee @crossplane/crossplane-maintainers - -# Design documents -/design/ @crossplane/crossplane-maintainers @negz - -# Contributing documentation -/contributing/ @crossplane/crossplane-maintainers @negz - -# Package manager -/apis/pkg/ @crossplane/crossplane-maintainers @turkenh -/internal/xpkg/ @crossplane/crossplane-maintainers @turkenh -/internal/dag/ @crossplane/crossplane-maintainers @turkenh -/internal/controller/pkg/ @crossplane/crossplane-maintainers @turkenh - -# Composition -/apis/apiextensions/ @crossplane/crossplane-maintainers @negz -/internal/controller/apiextensions/ @crossplane/crossplane-maintainers @negz -/internal/xcrd/ @crossplane/crossplane-maintainers @negz -/internal/xfn/ @crossplane/crossplane-maintainers @negz -/internal/validation/ @crossplane/crossplane-maintainers @phisco - -# RBAC Manager -/cmd/crossplane/rbac/ @crossplane/crossplane-maintainers @negz -/internal/controller/rbac/ @crossplane/crossplane-maintainers @negz - -# Crossplane CLI -/cmd/crank/ @crossplane/crossplane-maintainers @phisco - -# Misc -/apis/secrets/ @crossplane/crossplane-maintainers @turkenh -/internal/features/ @crossplane/crossplane-maintainers @negz diff --git a/Makefile b/Makefile index f852c8a92..d6a3d25e5 100644 --- a/Makefile +++ b/Makefile 
@@ -14,7 +14,6 @@ PLATFORMS ?= linux_amd64 linux_arm64 linux_arm linux_ppc64le darwin_amd64 darwin # ==================================================================================== # Setup Output -S3_BUCKET ?= crossplane.releases -include build/makelib/output.mk # ==================================================================================== @@ -31,7 +30,7 @@ GO_TEST_PARALLEL := $(shell echo $$(( $(NPROCS) / 2 ))) GO_STATIC_PACKAGES = $(GO_PROJECT)/cmd/crossplane $(GO_PROJECT)/cmd/crank GO_TEST_PACKAGES = $(GO_PROJECT)/test/e2e -GO_LDFLAGS += -X $(GO_PROJECT)/internal/version.version=$(VERSION) +GO_LDFLAGS += -X $(GO_PROJECT)/internal/version.version=$(shell echo $(VERSION) | sed 's/[\.,-]up.*//' ) GO_SUBDIRS += cmd internal apis GO111MODULE = on GOLANGCILINT_VERSION = 1.57.2 @@ -47,23 +46,12 @@ HELM3_VERSION = v3.14.4 KIND_VERSION = v0.21.0 -include build/makelib/k8s_tools.mk -# ==================================================================================== -# Setup Helm - -HELM_BASE_URL = https://charts.crossplane.io -HELM_S3_BUCKET = crossplane.charts -HELM_CHARTS = crossplane -HELM_CHART_LINT_ARGS_crossplane = --set nameOverride='',imagePullSecrets='' -HELM_DOCS_ENABLED = true -HELM_VALUES_TEMPLATE_SKIPPED = true --include build/makelib/helm.mk - # ==================================================================================== # Setup Images # Due to the way that the shared build logic works, images should # all be in folders at the same level (no additional levels of nesting). -REGISTRY_ORGS ?= docker.io/crossplane xpkg.upbound.io/crossplane +REGISTRY_ORGS ?= docker.io/upbound xpkg.upbound.io/upbound IMAGES = crossplane -include build/makelib/imagelight.mk diff --git a/cluster/charts/crossplane/values.yaml b/cluster/charts/crossplane/values.yaml index 4b88ccf60..9c3d6fe9a 100755 --- a/cluster/charts/crossplane/values.yaml +++ b/cluster/charts/crossplane/values.yaml 
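Review bot: The new `GO_LDFLAGS` line strips everything from the first `-up`/`.up` onward before baking the version into the binary, so `internal/version` (and anything like `crossplane version` that reads it) reports the upstream version and can no longer distinguish a UXP build from the upstream release it patches; that weakens vulnerability triage and SBOM correlation for this fork, so confirm it is intended and, if so, expose the full `$(VERSION)` through a second `-X` symbol. The bracket expression `[\.,-]` in POSIX `sed` also matches a literal backslash and a comma, not only `.` and `-`; `sed 's/[.-]up.*//'` says what is meant. `$(VERSION)` is expanded unquoted inside `$(shell ...)`, which is fine only as long as it comes from the build system's `git describe` and never from an untrusted environment variable.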
@@ -9,7 +9,7 @@ deploymentStrategy: RollingUpdate image: # -- Repository for the Crossplane pod image. - repository: xpkg.upbound.io/crossplane/crossplane + repository: xpkg.upbound.io/upbound/crossplane # -- The Crossplane image tag. Defaults to the value of `appVersion` in `Chart.yaml`. tag: "" # -- The image pull policy used for Crossplane and RBAC Manager pods. diff --git a/cluster/local/kind.sh b/cluster/local/kind.sh index 37721f26d..1ab270076 100755 --- a/cluster/local/kind.sh +++ b/cluster/local/kind.sh @@ -43,7 +43,7 @@ function check_context() { # configure kind KIND_NAME=${KIND_NAME:-"kind"} -IMAGE_REPOSITORY="xpkg.upbound.io/${PROJECT_NAME}/${PROJECT_NAME}" +IMAGE_REPOSITORY="xpkg.upbound.io/upbound/${PROJECT_NAME}" case "${1:-}" in up) ${KIND} create cluster --name "${KIND_NAME}" --image "${KUBE_IMAGE}" --wait 5m diff --git a/cmd/crossplane/core/core.go b/cmd/crossplane/core/core.go index d82dd5522..1d3c0ff6a 100644 --- a/cmd/crossplane/core/core.go +++ b/cmd/crossplane/core/core.go 
@@ -109,6 +109,13 @@ type startCommand struct {
 EnableUsages bool `group:"Alpha Features:" help:"Enable support for deletion ordering and resource protection with Usages."`
 EnableRealtimeCompositions bool `group:"Alpha Features:" help:"Enable support for realtime compositions, i.e. watching composed resources and reconciling compositions immediately when any of the composed resources is updated."`
 EnableSSAClaims bool `group:"Alpha Features:" help:"Enable support for using Kubernetes server-side apply to sync claims with composite resources (XRs)."`
+ // NOTE(hasheddan): this feature is unlikely to graduate from alpha status
+ // and should be removed when a runtime interface is introduced upstream.
+ // See https://github.com/crossplane/crossplane/issues/2671 for more
+ // information.
+ // TODO(turkenh): Consider removing this feature flag in favor of providing
+ // a default DeploymentRuntimeConfig.
+ EnableProviderIdentity bool `group:"Alpha Features:" help:"Enable support for Provider identity."`
 
 EnableCompositionFunctions bool `default:"true" group:"Beta Features:" help:"Enable support for Composition Functions."`
 EnableCompositionFunctionsExtraResources bool `default:"true" group:"Beta Features:" help:"Enable support for Composition Functions Extra Resources. Only respected if --enable-composition-functions is set to true."`
@@ -190,6 +197,11 @@ func (c *startCommand) Run(s *runtime.Scheme, log logging.Logger) error { //noli
 Features: &feature.Flags{},
 }
 
+ if c.EnableProviderIdentity {
+ o.Features.Enable(features.EnableProviderIdentity)
+ log.Info("Alpha feature enabled", "flag", features.EnableProviderIdentity)
+ }
+
 if !c.EnableCompositionRevisions {
 log.Info("CompositionRevisions feature is GA and cannot be disabled. The --enable-composition-revisions flag will be removed in a future release.")
 }
diff --git a/internal/controller/pkg/revision/reconciler.go b/internal/controller/pkg/revision/reconciler.go
index 3b59a6584..5a0463164 100644
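Review bot: The help string on the new `EnableProviderIdentity` flag, `Enable support for Provider identity.`, does not tell an operator what enabling it does or requires: elsewhere in this patch the flag causes a `proidc.csi.upbound.io` CSI volume to be mounted into provider pods, and the feature constant's own comment says it is only available when running on Upbound. A pod referencing a CSI driver that is not installed in the cluster will not start, so that prerequisite belongs on the flag, e.g. `help:"Enable support for Provider identity. Mounts the proidc.csi.upbound.io CSI volume into provider pods; requires that driver to be installed (Upbound only)."`. The `Run` hunk logs the flag as an alpha feature, which is consistent with the other alpha flags; `Run` itself starts and ends outside the hunk.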
--- a/internal/controller/pkg/revision/reconciler.go
+++ b/internal/controller/pkg/revision/reconciler.go
@@ -909,6 +909,10 @@ func (r *Reconciler) runtimeManifestBuilderOptions(ctx context.Context, pwr v1.P
 opts = append(opts, RuntimeManifestBuilderWithRuntimeConfig(rc))
 }
 
+ if r.features.Enabled(features.EnableProviderIdentity) {
+ opts = append(opts, RuntimeManifestBuilderWithProviderIdentity())
+ }
+
 // Note(turkenh): Until we completely remove the old controller config
 // reference, we support both the old and the new way with DeploymentRuntimeConfig.
 // If both are specified, we will start with DeploymentRuntimeConfig as the
diff --git a/internal/controller/pkg/revision/runtime.go b/internal/controller/pkg/revision/runtime.go
index 8b74113fd..4dd9ace7f 100644
--- a/internal/controller/pkg/revision/runtime.go
+++ b/internal/controller/pkg/revision/runtime.go
@@ -101,6 +101,7 @@ type RuntimeManifestBuilder struct {
 serviceAccountPullSecrets []corev1.LocalObjectReference
 runtimeConfig *v1beta1.DeploymentRuntimeConfig
 controllerConfig *v1alpha1.ControllerConfig
+ providerIdentity bool
 }
 
 // RuntimeManifestBuilderOption is used to configure a RuntimeManifestBuilder.
@@ -130,6 +131,14 @@ func RuntimeManifestBuilderWithServiceAccountPullSecrets(secrets []corev1.LocalO
 }
 }
 
+// RuntimeManifestBuilderWithProviderIdentity sets the provider identity flag
+// to use when building the runtime manifests.
+func RuntimeManifestBuilderWithProviderIdentity() RuntimeManifestBuilderOption {
+ return func(b *RuntimeManifestBuilder) {
+ b.providerIdentity = true
+ }
+}
+
 // NewRuntimeManifestBuilder returns a new RuntimeManifestBuilder.
 func NewRuntimeManifestBuilder(pwr v1.PackageRevisionWithRuntime, namespace string, opts ...RuntimeManifestBuilderOption) *RuntimeManifestBuilder {
 b := &RuntimeManifestBuilder{
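Review bot: The new check adds `RuntimeManifestBuilderWithProviderIdentity()` for every revision that reaches `runtimeManifestBuilderOptions`, not only provider revisions, even though the option, the feature flag and the mount path (`/var/run/secrets/upbound.io/provider`) are all provider-specific. The hunk header shows the parameter is the generic `pwr v1.PackageRevisionWithRuntime`, so if function revisions take this path they would receive the identity mount as well, which exposes a workload credential more broadly than the feature name suggests. Consider gating on the concrete type, e.g. `if _, ok := pwr.(*v1.ProviderRevision); ok && r.features.Enabled(features.EnableProviderIdentity) {`, or add a comment stating that functions are intentionally included. The enclosing function starts and ends outside the hunk.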
@@ -237,6 +246,10 @@ func (b *RuntimeManifestBuilder) Deployment(serviceAccount string, overrides ...
 allOverrides = append(allOverrides, DeploymentRuntimeWithTLSServerSecret(*b.revision.GetTLSServerSecretName()))
 }
 
+ if b.providerIdentity {
+ allOverrides = append(allOverrides, DeploymentWithUpboundProviderIdentity())
+ }
+
 // We append the overrides passed to the function last so that they can
 // override the above ones.
 allOverrides = append(allOverrides, overrides...)
diff --git a/internal/controller/pkg/revision/uxp_runtime_override_options.go b/internal/controller/pkg/revision/uxp_runtime_override_options.go
new file mode 100644
index 000000000..8b988f256
--- /dev/null
+++ b/internal/controller/pkg/revision/uxp_runtime_override_options.go
@@ -0,0 +1,32 @@
+package revision
+
+import (
+ "github.com/aws/smithy-go/ptr"
+ appsv1 "k8s.io/api/apps/v1"
+ corev1 "k8s.io/api/core/v1"
+)
+
+// DeploymentWithUpboundProviderIdentity mounts the Upbound Provider Identity
+// CSI driver as a volume to the runtime container of a Deployment.
+func DeploymentWithUpboundProviderIdentity() DeploymentOverride {
+ proidcVolumeName := "proidc"
+ proidcDriverName := "proidc.csi.upbound.io"
+ proidcMountPath := "/var/run/secrets/upbound.io/provider"
+
+ return func(d *appsv1.Deployment) {
+ d.Spec.Template.Spec.Volumes = append(d.Spec.Template.Spec.Volumes, corev1.Volume{
+ Name: proidcVolumeName,
+ VolumeSource: corev1.VolumeSource{
+ CSI: &corev1.CSIVolumeSource{
+ Driver: proidcDriverName,
+ ReadOnly: ptr.Bool(true),
+ },
+ },
+ })
+ d.Spec.Template.Spec.Containers[0].VolumeMounts = append(d.Spec.Template.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{
+ Name: proidcVolumeName,
+ ReadOnly: true,
+ MountPath: proidcMountPath,
+ })
+ }
+}
diff --git a/internal/controller/pkg/revision/uxp_runtime_test.go b/internal/controller/pkg/revision/uxp_runtime_test.go
new file mode 100644
index 000000000..22075a3db
--- /dev/null
+++ b/internal/controller/pkg/revision/uxp_runtime_test.go
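Review bot: `DeploymentWithUpboundProviderIdentity` indexes `d.Spec.Template.Spec.Containers[0]` unconditionally; because `Deployment` applies it after the DeploymentRuntimeConfig/ControllerConfig overrides, a runtime config that leaves the container list empty turns a bad configuration into a panic in the package reconciler, so guard it with `if len(d.Spec.Template.Spec.Containers) == 0 { return }` (or whatever pattern the sibling overrides outside this hunk use). It also appends a volume named `proidc` without checking whether one already exists, so a runtime config that declares that name yields a Deployment the API server rejects for duplicate volume names. The file imports `github.com/aws/smithy-go/ptr` solely for `ptr.Bool(true)`; if that is not already a direct dependency of this module, `k8s.io/utils/ptr` (`ptr.To(true)`) avoids adding an AWS SDK module to the supply chain of the core binary. The new file is also missing the Apache license header that the accompanying test file carries.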
@@ -0,0 +1,70 @@
+/*
+Copyright 2023 The Crossplane Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package revision
+
+import (
+ "testing"
+
+ "github.com/google/go-cmp/cmp"
+ appsv1 "k8s.io/api/apps/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+ pkgmetav1 "github.com/crossplane/crossplane/apis/pkg/meta/v1"
+)
+
+func TestUXPRuntimeManifestBuilderDeployment(t *testing.T) {
+ type args struct {
+ builder ManifestBuilder
+ overrides []DeploymentOverride
+ serviceAccountName string
+ }
+ type want struct {
+ want *appsv1.Deployment
+ }
+ cases := map[string]struct {
+ reason string
+ args args
+ want want
+ }{
+ "ProviderDeploymentWithProviderIdentity": {
+ reason: "If provider identity is enabled, a proidc volume should be added.",
+ args: args{
+ builder: &RuntimeManifestBuilder{
+ revision: providerRevision,
+ namespace: namespace,
+ providerIdentity: true,
+ },
+ serviceAccountName: providerRevisionName,
+ overrides: providerDeploymentOverrides(&pkgmetav1.Provider{ObjectMeta: metav1.ObjectMeta{Name: providerMetaName}}, providerRevision, providerImage),
+ },
+ want: want{
+ want: deploymentProvider(providerName, providerRevisionName, providerImage, DeploymentWithSelectors(map[string]string{
+ "pkg.crossplane.io/provider": providerMetaName,
+ "pkg.crossplane.io/revision": providerRevisionName,
+ }), DeploymentWithUpboundProviderIdentity()),
+ },
+ },
+ }
+ for name, tc := range cases {
+ t.Run(name, func(t *testing.T) {
+ got :=
tc.args.builder.Deployment(tc.args.serviceAccountName, tc.args.overrides...)
+ if diff := cmp.Diff(tc.want.want, got); diff != "" {
+ t.Errorf("\n%s\nDeployment(...): -want, +got:\n%s\n", tc.reason, diff)
+ }
+ })
+ }
+}
diff --git a/internal/features/uxp_features.go b/internal/features/uxp_features.go
new file mode 100644
index 000000000..d3bbf3846
--- /dev/null
+++ b/internal/features/uxp_features.go
@@ -0,0 +1,10 @@
+package features
+
+import "github.com/crossplane/crossplane-runtime/pkg/feature"
+
+// Alpha Feature flags.
+const (
+ // EnableProviderIdentity enables alpha support for Provider identity. This
+ // feature is only available when running on Upbound.
+ EnableProviderIdentity feature.Flag = "EnableProviderIdentity"
+)
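Review bot: The expected Deployment in the only test case is built by applying `DeploymentWithUpboundProviderIdentity()` itself, so the test proves that `Deployment` invokes the override when `providerIdentity` is true but would pass unchanged if the override used the wrong driver name, mount path or `ReadOnly` value. Add a direct check on `got` — find the volume named `proidc` and assert `CSI.Driver == "proidc.csi.upbound.io"` and `*CSI.ReadOnly == true` — and a negative case showing that `providerIdentity: false` adds no such volume, since that is the path every non-Upbound cluster takes. A sketch of the negative case follows; it uses the same helpers as the positive case, minus the identity override.
```go
// … unchanged: existing "ProviderDeploymentWithProviderIdentity" case …
"ProviderDeploymentWithoutProviderIdentity": {
	reason: "If provider identity is disabled, no proidc volume should be added.",
	args: args{
		builder: &RuntimeManifestBuilder{
			revision:  providerRevision,
			namespace: namespace,
		},
		serviceAccountName: providerRevisionName,
		overrides:          providerDeploymentOverrides(&pkgmetav1.Provider{ObjectMeta: metav1.ObjectMeta{Name: providerMetaName}}, providerRevision, providerImage),
	},
	want: want{
		want: deploymentProvider(providerName, providerRevisionName, providerImage, DeploymentWithSelectors(map[string]string{
			"pkg.crossplane.io/provider": providerMetaName,
			"pkg.crossplane.io/revision": providerRevisionName,
		})),
	},
},
```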