diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1b82fb3a3..7c67194a3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,12 +14,10 @@ env: GOLANGCI_VERSION: 'v1.53.3' DOCKER_BUILDX_VERSION: 'v0.10.0' - # Common users. We can't run a step 'if secrets.AWS_USR != ""' but we can run - # a step 'if env.AWS_USR' != ""', so we copy these to succinctly test whether + # Common users. We can't run a step 'if secrets.DOCKER_USR != ""' but we can run + # a step 'if env.DOCKER_USR' != ""', so we copy these to succinctly test whether # credentials have been provided before trying to run steps that need them. DOCKER_USR: ${{ secrets.DOCKER_USR }} - AWS_USR: ${{ secrets.AWS_USR }} - UPBOUND_MARKETPLACE_PUSH_ROBOT_USR: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }} jobs: check-diff: 
@@ -380,34 +378,15 @@ jobs: username: ${{ secrets.DOCKER_USR }} password: ${{ secrets.DOCKER_PSW }} - - name: Login to Upbound - uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2 - if: env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != '' - with: - registry: xpkg.upbound.io - username: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }} - password: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_PSW }} - - - name: Publish Artifacts to S3, Marketplace, DockerHub + - name: Publish Artifacts to DockerHub run: make -j2 publish BRANCH_NAME=${GITHUB_REF##*/} - if: env.AWS_USR != '' && env.DOCKER_USR != '' && env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != '' - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_USR }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_PSW }} - AWS_DEFAULT_REGION: us-east-1 - GIT_API_TOKEN: ${{ secrets.GITHUB_TOKEN }} - DOCS_GIT_USR: ${{ secrets.UPBOUND_BOT_GITHUB_USR }} - DOCS_GIT_PSW: ${{ secrets.UPBOUND_BOT_GITHUB_PSW }} - - - name: Promote Artifacts in S3, DockerHub - if: github.ref == 'refs/heads/master' && env.AWS_USR != '' && env.DOCKER_USR != '' && env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != '' + + - name: Promote Artifacts in DockerHub + if: github.ref == 'refs/heads/master' && env.DOCKER_USR != '' run: make -j2 promote env: BRANCH_NAME: master CHANNEL: master - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_USR }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_PSW }} - AWS_DEFAULT_REGION: us-east-1 fuzz-test: runs-on: ubuntu-22.04 diff --git a/.github/workflows/commands.yml b/.github/workflows/commands.yml index 3c331a68f..19639e0f2 100644 --- a/.github/workflows/commands.yml +++ b/.github/workflows/commands.yml 
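Review bot: The `Publish Artifacts to DockerHub` step no longer has an `if:` guard — the removed `if: env.AWS_USR != '' && env.DOCKER_USR != '' && …` line has no replacement — so `make -j2 publish` now runs on every CI run, including forks and PRs where `DOCKER_USR` is empty and the DockerHub login step (presumably guarded by `env.DOCKER_USR`, which is what the env comment at the top of the file describes) was skipped. That will either fail the job or attempt an unauthenticated push. Add `if: env.DOCKER_USR != ''` under the step name, mirroring the `Promote Artifacts in DockerHub` step in the same hunk. Dropping `GIT_API_TOKEN` and `DOCS_GIT_*` from the step env is only safe if the `publish` target no longer pushes docs; worth confirming against the Makefile.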
@@ -31,24 +31,3 @@ jobs: github_token: ${{ secrets.GITHUB_TOKEN }} github_workspace: ${{ github.workspace }} version: v0.0.4 - - fresh: - runs-on: ubuntu-22.04 - if: startsWith(github.event.comment.body, '/fresh') - - steps: - - name: Extract Command - id: command - uses: xt0rted/slash-command-action@bf51f8f5f4ea3d58abc7eca58f77104182b23e88 # v2 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - command: fresh - reaction: "true" - reaction-type: "eyes" - allow-edits: "false" - permission-level: read - - name: Handle Command - uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1 - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - labels: stale diff --git a/.github/workflows/configurations.yml b/.github/workflows/configurations.yml deleted file mode 100644 index 20ee57f67..000000000 --- a/.github/workflows/configurations.yml +++ /dev/null 
@@ -1,134 +0,0 @@ -name: Configurations - -on: - push: - branches: - - master - - release-* - workflow_dispatch: {} - -env: - DOCKER_USR: ${{ secrets.UPBOUND_XP_ROBOT_USR }} - -jobs: - getting-started-with-aws: - runs-on: ubuntu-22.04 - if: github.repository == 'crossplane/crossplane' - steps: - - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3 - with: - submodules: true - fetch-depth: 0 - # The tagger step uses the same logic in the build submodule to generate package tag - # https://github.com/upbound/build/blob/4f64913157a952dbe77cd9e05457d9abe695a1d4/makelib/common.mk#L193 - - name: Set tag - run: echo "VERSION_TAG=$(git describe --dirty --always --tags | sed 's/-/./2' | sed 's/-/./2' )" >> $GITHUB_OUTPUT - id: tagger - - name: Login to Docker - uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2 - if: env.DOCKER_USR != '' - with: - registry: registry.upbound.io - username: ${{ secrets.UPBOUND_XP_ROBOT_USR }} - password: ${{ secrets.UPBOUND_XP_ROBOT_PSW }} - - name: Build - uses: crossplane-contrib/xpkg-action@1696d9091687aad2895436cb5656faa956628b0f # v0.2.0 - with: - channel: master - version: current - command: build configuration -f cluster/packages/aws --name=getting-started-with-aws.xpkg - - name: Push - uses: crossplane-contrib/xpkg-action@1696d9091687aad2895436cb5656faa956628b0f # v0.2.0 - with: - command: push configuration -f cluster/packages/aws/getting-started-with-aws.xpkg registry.upbound.io/xp/getting-started-with-aws:${{ steps.tagger.outputs.VERSION_TAG }} - - getting-started-with-aws-with-vpc: - runs-on: ubuntu-22.04 - if: github.repository == 'crossplane/crossplane' - steps: - - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3 - with: - submodules: true - fetch-depth: 0 - - name: Set tag - run: echo "VERSION_TAG=$(git describe --dirty --always --tags | sed 's/-/./2' | sed 's/-/./2' )" >> $GITHUB_OUTPUT - id: tagger - - name: Login to Docker - uses: 
docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2 - if: env.DOCKER_USR != '' - with: - registry: registry.upbound.io - username: ${{ secrets.UPBOUND_XP_ROBOT_USR }} - password: ${{ secrets.UPBOUND_XP_ROBOT_PSW }} - - name: Build - uses: crossplane-contrib/xpkg-action@1696d9091687aad2895436cb5656faa956628b0f # v0.2.0 - with: - channel: master - version: current - command: build configuration -f cluster/packages/aws-with-vpc --name=getting-started-with-aws-with-vpc.xpkg - - name: Push - uses: crossplane-contrib/xpkg-action@1696d9091687aad2895436cb5656faa956628b0f # v0.2.0 - with: - command: push configuration -f cluster/packages/aws-with-vpc/getting-started-with-aws-with-vpc.xpkg registry.upbound.io/xp/getting-started-with-aws-with-vpc:${{ steps.tagger.outputs.VERSION_TAG }} - - getting-started-with-gcp: - runs-on: ubuntu-22.04 - if: github.repository == 'crossplane/crossplane' - steps: - - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3 - with: - submodules: true - fetch-depth: 0 - - name: Set tag - run: echo "VERSION_TAG=$(git describe --dirty --always --tags | sed 's/-/./2' | sed 's/-/./2' )" >> $GITHUB_OUTPUT - id: tagger - - name: Login to Docker - uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2 - if: env.DOCKER_USR != '' - with: - registry: registry.upbound.io - username: ${{ secrets.UPBOUND_XP_ROBOT_USR }} - password: ${{ secrets.UPBOUND_XP_ROBOT_PSW }} - - name: Build - uses: crossplane-contrib/xpkg-action@1696d9091687aad2895436cb5656faa956628b0f # v0.2.0 - with: - channel: master - version: current - command: build configuration -f cluster/packages/gcp --name=getting-started-with-gcp.xpkg - - name: Push - uses: crossplane-contrib/xpkg-action@1696d9091687aad2895436cb5656faa956628b0f # v0.2.0 - with: - command: push configuration -f cluster/packages/gcp/getting-started-with-gcp.xpkg registry.upbound.io/xp/getting-started-with-gcp:${{ steps.tagger.outputs.VERSION_TAG }} - - 
getting-started-with-azure: - runs-on: ubuntu-22.04 - if: github.repository == 'crossplane/crossplane' - steps: - - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3 - with: - submodules: true - fetch-depth: 0 - - name: Set tag - run: echo "VERSION_TAG=$(git describe --dirty --always --tags | sed 's/-/./2' | sed 's/-/./2' )" >> $GITHUB_OUTPUT - id: tagger - - name: Login to Docker - uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2 - if: env.DOCKER_USR != '' - with: - registry: registry.upbound.io - username: ${{ secrets.UPBOUND_XP_ROBOT_USR }} - password: ${{ secrets.UPBOUND_XP_ROBOT_PSW }} - - name: Build - uses: crossplane-contrib/xpkg-action@1696d9091687aad2895436cb5656faa956628b0f # v0.2.0 - with: - channel: master - version: current - command: build configuration -f cluster/packages/azure --name=getting-started-with-azure.xpkg - - name: Push - uses: crossplane-contrib/xpkg-action@1696d9091687aad2895436cb5656faa956628b0f # v0.2.0 - with: - command: push configuration -f cluster/packages/azure/getting-started-with-azure.xpkg registry.upbound.io/xp/getting-started-with-azure:${{ steps.tagger.outputs.VERSION_TAG }} diff --git a/.github/workflows/promote.yml b/.github/workflows/promote.yml index b52d7c039..aeefdd7c2 100644 --- a/.github/workflows/promote.yml +++ b/.github/workflows/promote.yml @@ -19,8 +19,6 @@ env: # a step 'if env.AWS_USR' != ""', so we copy these to succinctly test whether # credentials have been provided before trying to run steps that need them. DOCKER_USR: ${{ secrets.DOCKER_USR }} - AWS_USR: ${{ secrets.AWS_USR }} - UPBOUND_MARKETPLACE_PUSH_ROBOT_USR: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }} jobs: promote-artifacts: 
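Review bot: The context comment directly above the `env:` block in promote.yml still says `# a step 'if env.AWS_USR' != ""'` even though this hunk removes `AWS_USR`; the identical comment in ci.yml was updated to `DOCKER_USR` in this same commit, so do the same here: `# Common users. We can't run a step 'if secrets.DOCKER_USR != ""' but we can run` / `# a step 'if env.DOCKER_USR' != ""', so we copy these to succinctly test whether`. Otherwise the next reader goes looking for an AWS credential that no longer exists.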
@@ -47,20 +45,8 @@ jobs: username: ${{ secrets.DOCKER_USR }} password: ${{ secrets.DOCKER_PSW }} - - name: Login to Upbound - uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2 - if: env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != '' - with: - registry: xpkg.upbound.io - username: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }} - password: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_PSW }} - - - name: Promote Artifacts in S3, DockerHub, and Upbound Registry - if: env.AWS_USR != '' && env.DOCKER_USR != '' && env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != '' + - name: Promote Artifacts in DockerHub run: make -j2 promote BRANCH_NAME=${GITHUB_REF##*/} env: VERSION: ${{ github.event.inputs.version }} CHANNEL: ${{ github.event.inputs.channel }} - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_USR }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_PSW }} - AWS_DEFAULT_REGION: us-east-1 diff --git a/CODEOWNERS b/CODEOWNERS deleted file mode 100644 index 6078b36a5..000000000 --- a/CODEOWNERS +++ /dev/null 
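Review bot: `Promote Artifacts in DockerHub` lost its `if:` entirely — the removed `if: env.AWS_USR != '' && env.DOCKER_USR != '' && env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != ''` has no replacement — so `make -j2 promote` runs even when no DockerHub credentials are configured and the login step whose `username`/`password` lines open this hunk was skipped. Restore the guard with the one credential that remains: `if: env.DOCKER_USR != ''`. That keeps it consistent with the `Promote Artifacts in DockerHub` step in ci.yml, which did keep a `DOCKER_USR` condition.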
@@ -1,58 +0,0 @@ -# This file controls automatic PR reviewer assignment. See the following docs: -# -# * https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners -# * https://docs.github.com/en/organizations/organizing-members-into-teams/managing-code-review-settings-for-your-team -# -# The goal of this file is for most PRs to automatically and fairly have one -# maintainer and two reviewers set as PR reviewers. All maintainers have -# permission to approve and merge PRs, but reviewers do not. Most PRs should be -# reviewed by members of the reviewers group before being passed to a maintainer -# for final review. -# -# This in part depends on how the groups in this file are configured. -# -# @crossplane/steering-committee - Assigns 3 members. Admin perms to this repo. -# @crossplane/crossplane-maintainers - Assigns 1 member. Maintain perms to this repo. -# @crossplane/crossplane-reviewers - Assigns 2 members. Write perms to this repo. -# -# Where possible, prefer explicitly specifying a maintainer who is a subject -# matter expert for a particular part of the codebase rather than using the -# @crossplane/crossplane-maintainers group. 
-# -# See also OWNERS.md for governance details - -# Fallback owners -* @crossplane/crossplane-maintainers @crossplane/crossplane-reviewers - -# Governance owners - steering committee -/README.md @crossplane/steering-committee -/OWNERS.md @crossplane/steering-committee -/CHARTER.md @crossplane/steering-committee -/CODE_OF_CONDUCT.md @crossplane/steering-committee -/GOVERNANCE.md @crossplane/steering-committee -/ROADMAP.md @crossplane/steering-committee -/LICENSE @crossplane/steering-committee - -# Design documents -/design/ @crossplane/crossplane-maintainers @negz - -# Package manager -/apis/pkg/ @crossplane/crossplane-reviewers @hasheddan -/internal/xpkg/ @crossplane/crossplane-reviewers @hasheddan -/internal/dag/ @crossplane/crossplane-reviewers @hasheddan -/internal/controller/pkg/ @crossplane/crossplane-reviewers @hasheddan - -# Composition -/apis/apiextensions/ @crossplane/crossplane-reviewers @muvaf -/internal/xcrd/ @crossplane/crossplane-reviewers @muvaf -/internal/controller/apiextensions/ @crossplane/crossplane-reviewers @muvaf - -# RBAC -/cmd/crossplane/rbac/ @crossplane/crossplane-reviewers @negz -/internal/controller/rbac/ @crossplane/crossplane-reviewers @negz - -# Misc -/apis/secrets/ @crossplane/crossplane-reviewers @turkenh -/cmd/crank/ @crossplane/crossplane-reviewers @hasheddan -/internal/initializer/ @crossplane/crossplane-reviewers @muvaf -/internal/features/ @crossplane/crossplane-reviewers @negz diff --git a/Makefile b/Makefile index c8d82acb1..ec5920d70 100644 --- a/Makefile +++ b/Makefile @@ -14,7 +14,6 @@ PLATFORMS ?= linux_amd64 linux_arm64 linux_arm linux_ppc64le darwin_amd64 darwin # ==================================================================================== # Setup Output -S3_BUCKET ?= crossplane.releases -include build/makelib/output.mk # ==================================================================================== 
@@ -31,7 +30,7 @@ GO_TEST_PARALLEL := $(shell echo $$(( $(NPROCS) / 2 ))) GO_STATIC_PACKAGES = $(GO_PROJECT)/cmd/crossplane $(GO_PROJECT)/cmd/crank $(GO_PROJECT)/cmd/xfn GO_TEST_PACKAGES = $(GO_PROJECT)/test/e2e -GO_LDFLAGS += -X $(GO_PROJECT)/internal/version.version=$(VERSION) +GO_LDFLAGS += -X $(GO_PROJECT)/internal/version.version=$(shell echo $(VERSION) | sed 's/[\.,-]up.*//' ) GO_SUBDIRS += cmd internal apis GO111MODULE = on GOLANGCILINT_VERSION = 1.53.3 @@ -45,23 +44,12 @@ HELM3_VERSION = v3.12.2 KIND_VERSION = v0.20.0 -include build/makelib/k8s_tools.mk -# ==================================================================================== -# Setup Helm - -HELM_BASE_URL = https://charts.crossplane.io -HELM_S3_BUCKET = crossplane.charts -HELM_CHARTS = crossplane -HELM_CHART_LINT_ARGS_crossplane = --set nameOverride='',imagePullSecrets='' -HELM_DOCS_ENABLED = true -HELM_VALUES_TEMPLATE_SKIPPED = true --include build/makelib/helm.mk - # ==================================================================================== # Setup Images # Due to the way that the shared build logic works, images should # all be in folders at the same level (no additional levels of nesting). -REGISTRY_ORGS = docker.io/crossplane xpkg.upbound.io/crossplane +REGISTRY_ORGS = docker.io/upbound IMAGES = crossplane xfn -include build/makelib/imagelight.mk diff --git a/README.md b/README.md index e16eed8fc..65569366b 100644 --- a/README.md +++ b/README.md 
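Review bot: The new `GO_LDFLAGS` line embeds `$(shell echo $(VERSION) | sed 's/[\.,-]up.*//' )`, and the bracket expression `[\.,-]` is not what it looks like: inside a POSIX bracket expression a backslash is literal, so the class matches `\`, `.`, `,` or `-` rather than escaping the dot — it works by accident. Write `[.,-]` and quote the value so a `VERSION` containing shell metacharacters is not interpreted: `GO_LDFLAGS += -X $(GO_PROJECT)/internal/version.version=$(shell echo '$(VERSION)' | sed 's/[.,-]up.*//')`. A one-line comment on why the `-up.N` suffix is stripped would also help, presumably so version constraints compare against the upstream Crossplane version, because the binary will now report a version that differs from its image tag.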
@@ -1,98 +1,14 @@ -![CI](https://github.com/crossplane/crossplane/workflows/CI/badge.svg) [![GitHub release](https://img.shields.io/github/release/crossplane/crossplane/all.svg?style=flat-square)](https://github.com/crossplane/crossplane/releases) [![Docker Pulls](https://img.shields.io/docker/pulls/crossplane/crossplane.svg)](https://hub.docker.com/r/crossplane/crossplane) [![Go Report Card](https://goreportcard.com/badge/github.com/crossplane/crossplane)](https://goreportcard.com/report/github.com/crossplane/crossplane) [![Slack](https://slack.crossplane.io/badge.svg)](https://slack.crossplane.io) [![Twitter Follow](https://img.shields.io/twitter/follow/crossplane_io.svg?style=social&label=Follow)](https://twitter.com/intent/follow?screen_name=crossplane_io&user_id=788180534543339520) +# Upbound Crossplane -![Crossplane](banner.png) +This is the [Upbound] maintained version of [Crossplane] which is bundled and +shipped as part of the [Universal Crossplane]. - -Crossplane is a framework for building cloud native control planes without -needing to write code. It has a highly extensible backend that enables you to -build a control plane that can orchestrate applications and infrastructure no -matter where they run, and a highly configurable frontend that puts you in -control of the schema of the declarative API it offers. - -Crossplane is a [Cloud Native Computing Foundation][cncf] project. - -## Releases - -Currently maintained releases, as well as the next few upcoming releases are -listed below. For more information take a look at the Crossplane [release cycle -documentation]. 
- -| Release | Release Date | EOL | -|:-------:|:------------:|:--------:| -| v1.10 | Oct 18, 2022 | Jul 2023 | -| v1.11 | Jan 31, 2023 | Oct 2023 | -| v1.12 | Apr 25, 2023 | Jan 2024 | -| v1.13 | Late Jul '23 | Apr 2024 | -| v1.14 | Late Oct '23 | Jul 2024 | -| v1.15 | Late Jan '24 | Oct 2024 | - -You can subscribe to the [community calendar] to track all release dates, and -find the most recent releases on the [releases] page. - -## Roadmap - -The public roadmap for Crossplane is published as a GitHub project board. Issues -added to the roadmap have been triaged and identified as valuable to the -community, and therefore a priority for the project that we expect to invest in. - -Milestones assigned to any issues in the roadmap are intended to give a sense of -overall priority and the expected order of delivery. They should be considered -approximate estimations and are **not** a strict commitment to a specific -delivery timeline. - -[Crossplane Roadmap] - -## Get Involved - -Crossplane is a community driven project; we welcome your contribution. To file -a bug, suggest an improvement, or request a new feature please open an [issue -against Crossplane] or the relevant provider. Refer to our [contributing guide] -for more information on how you can help. - -* Discuss Crossplane on [Slack] or our [developer mailing list]. -* Follow us on [Twitter], or contact us via [Email]. -* Join our regular community meetings. -* Provide feedback on our [roadmap and releases board]. - -The Crossplane community meeting takes place every other [Thursday at 10:00am -Pacific Time][community meeting time]. Anyone who wants to discuss the direction -of the project, design and implementation reviews, or raise general questions -with the broader community is encouraged to join. 
- -* Meeting link: -* [Current agenda and past meeting notes] -* [Past meeting recordings] -* [Community Calendar][community calendar] - -## Adopters - -A list of publicly known users of the Crossplane project can be found in [ADOPTERS.md]. We -encourage all users of Crossplane to add themselves to this list - we want to see the community's -growing success! - -## License - -Crossplane is under the Apache 2.0 license. - -[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fcrossplane%2Fcrossplane.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Fcrossplane%2Fcrossplane?ref=badge_large) +Please check the [Universal Crossplane Github Repo] and [documentation] for further +details. - +[Upbound]: https://www.upbound.io [Crossplane]: https://crossplane.io -[release cycle documentation]: https://docs.crossplane.io/knowledge-base/guides/release-cycle -[install]: https://crossplane.io/docs/latest -[Slack]: https://slack.crossplane.io -[developer mailing list]: https://groups.google.com/forum/#!forum/crossplane-dev -[Twitter]: https://twitter.com/crossplane_io -[Email]: mailto:info@crossplane.io -[issue against Crossplane]: https://github.com/crossplane/crossplane/issues -[contributing guide]: contributing/README.md -[community meeting time]: https://www.thetimezoneconverter.com/?t=10:00&tz=PT%20%28Pacific%20Time%29 -[Current agenda and past meeting notes]: https://docs.google.com/document/d/1q_sp2jLQsDEOX7Yug6TPOv7Fwrys6EwcF5Itxjkno7Y/edit?usp=sharing -[Past meeting recordings]: https://www.youtube.com/playlist?list=PL510POnNVaaYYYDSICFSNWFqNbx1EMr-M -[roadmap and releases board]: https://github.com/orgs/crossplane/projects/20/views/3?pane=info -[cncf]: https://www.cncf.io/ -[community calendar]: https://calendar.google.com/calendar/embed?src=c_2cdn0hs9e2m05rrv1233cjoj1k%40group.calendar.google.com -[releases]: https://github.com/crossplane/crossplane/releases -[ADOPTERS.md]: ADOPTERS.md -[Crossplane Roadmap]: 
https://github.com/orgs/crossplane/projects/20/views/3?pane=info +[Universal Crossplane]: https://www.upbound.io/uxp +[Universal Crossplane Github Repo]: https://github.com/upbound/universal-crossplane +[documentation]: https://cloud.upbound.io/docs/uxp diff --git a/cluster/charts/crossplane/values.yaml b/cluster/charts/crossplane/values.yaml index 9b8521127..0835b2503 100755 --- a/cluster/charts/crossplane/values.yaml +++ b/cluster/charts/crossplane/values.yaml @@ -9,7 +9,7 @@ deploymentStrategy: RollingUpdate image: # -- Repository for the Crossplane pod image. - repository: crossplane/crossplane + repository: upbound/crossplane # -- The Crossplane image tag. Defaults to the value of `appVersion` in Chart.yaml. tag: "" # -- The image pull policy used for Crossplane and RBAC Manager pods. @@ -171,7 +171,7 @@ xfn: enabled: false image: # -- Composite function runner container image. - repository: crossplane/xfn + repository: upbound/xfn # -- Composite function runner container image tag. Defaults to the value of `appVersion` in Chart.yaml. tag: "" # -- Composite function runner container image pull policy. diff --git a/cmd/crossplane/core/core.go b/cmd/crossplane/core/core.go index 88ada7f27..e930264d1 100644 --- a/cmd/crossplane/core/core.go +++ b/cmd/crossplane/core/core.go @@ -104,6 +104,12 @@ type startCommand struct { // folks who are passing them, but they do nothing. The flags are hidden so // they don't show up in the help output. EnableCompositionRevisions bool `default:"true" hidden:""` + + // NOTE(hasheddan): this feature is unlikely to graduate from alpha status + // and should be removed when a runtime interface is introduced upstream. + // See https://github.com/crossplane/crossplane/issues/2671 for more + // information. + EnableProviderIdentity bool `group:"Alpha Features:" help:"Enable support for Provider identity."` } // Run core Crossplane controllers. 
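Review bot: The help text for the new `EnableProviderIdentity` field says only "Enable support for Provider identity.", while what the flag does elsewhere in this commit is add a CSI volume with driver `proidc.csi.upbound.io` to every provider Deployment; on a cluster without that driver the provider pods would presumably never get their volume and never start. Say so in the help string so operators don't enable it blindly: `help:"Enable support for Provider identity. Requires the proidc.csi.upbound.io CSI driver (Upbound only)."`. The NOTE above the field explains the flag's expected lifetime but not this prerequisite. `startCommand` continues outside the hunk.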
@@ -187,6 +193,11 @@ func (c *startCommand) Run(s *runtime.Scheme, log logging.Logger) error { //noli log.Info("CompositionRevisions feature is GA and cannot be disabled. The --enable-composition-revisions flag will be removed in a future release.") } + if c.EnableProviderIdentity { + feats.Enable(features.EnableProviderIdentity) + log.Info("Alpha feature enabled", "flag", features.EnableProviderIdentity) + } + o := controller.Options{ Logger: log, MaxConcurrentReconciles: c.MaxReconcileRate, diff --git a/internal/controller/pkg/revision/deployment.go b/internal/controller/pkg/revision/deployment.go index 52dcff308..a85f5ba61 100644 --- a/internal/controller/pkg/revision/deployment.go +++ b/internal/controller/pkg/revision/deployment.go @@ -37,6 +37,7 @@ var ( allowPrivilegeEscalation = false privileged = false runAsNonRoot = true + readOnly = true ) // Providers are expected to use port 8080 if they expose Prometheus metrics, @@ -54,10 +55,14 @@ const ( essTLSCertDirEnvVar = "ESS_TLS_CERTS_DIR" essCertsVolumeName = "ess-client-certs" essCertsDir = "/ess/tls" + + proidcVolumeName = "proidc" + proidcDriverName = "proidc.csi.upbound.io" + proidcMountPath = "/var/run/secrets/upbound.io/provider" ) //nolint:gocyclo // TODO(negz): Can this be refactored for less complexity (and fewer arguments?) -func buildProviderDeployment(provider *pkgmetav1.Provider, revision v1.PackageRevision, cc *v1alpha1.ControllerConfig, namespace string, pullSecrets []corev1.LocalObjectReference) (*corev1.ServiceAccount, *appsv1.Deployment, *corev1.Service) { +func buildProviderDeployment(provider *pkgmetav1.Provider, revision v1.PackageRevision, cc *v1alpha1.ControllerConfig, namespace string, pullSecrets []corev1.LocalObjectReference, providerIdentity bool) (*corev1.ServiceAccount, *appsv1.Deployment, *corev1.Service) { s := &corev1.ServiceAccount{ ObjectMeta: metav1.ObjectMeta{ Name: revision.GetName(), 
@@ -293,6 +298,24 @@ func buildProviderDeployment(provider *pkgmetav1.Provider, revision v1.PackageRe append(d.Spec.Template.Spec.Containers[0].VolumeMounts, cc.Spec.VolumeMounts...) } } + + if providerIdentity { + d.Spec.Template.Spec.Volumes = append(d.Spec.Template.Spec.Volumes, corev1.Volume{ + Name: proidcVolumeName, + VolumeSource: corev1.VolumeSource{ + CSI: &corev1.CSIVolumeSource{ + Driver: proidcDriverName, + ReadOnly: &readOnly, + }, + }, + }) + d.Spec.Template.Spec.Containers[0].VolumeMounts = append(d.Spec.Template.Spec.Containers[0].VolumeMounts, corev1.VolumeMount{ + Name: proidcVolumeName, + ReadOnly: readOnly, + MountPath: proidcMountPath, + }) + } + for k, v := range d.Spec.Selector.MatchLabels { // ensure the template matches the selector templateLabels[k] = v } diff --git a/internal/controller/pkg/revision/deployment_test.go b/internal/controller/pkg/revision/deployment_test.go index a2596761c..55d87689f 100644 --- a/internal/controller/pkg/revision/deployment_test.go +++ b/internal/controller/pkg/revision/deployment_test.go @@ -166,9 +166,10 @@ func deployment(provider *pkgmetav1.Provider, revision string, img string, modif func TestBuildProviderDeployment(t *testing.T) { type args struct { - provider *pkgmetav1.Provider - revision *v1.ProviderRevision - cc *v1alpha1.ControllerConfig + provider *pkgmetav1.Provider + revision *v1.ProviderRevision + cc *v1alpha1.ControllerConfig + providerIdentity bool } type want struct { sa *corev1.ServiceAccount 
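Review bot: The `proidc` volume and mount are appended immediately after the ControllerConfig's `cc.Spec.Volumes`/`cc.Spec.VolumeMounts` with no clash check, so a ControllerConfig that already declares a volume or mount named `proidc`, or a mount at `/var/run/secrets/upbound.io/provider`, produces a Deployment that pod validation rejects for a duplicate name or path instead of a clear error from this controller. The identity volume is also attached to every provider whenever the flag is on, regardless of whether the package asked for it; the test's TODO about volume attributes suggests this is known. At minimum document the reservation on the constant block, e.g. `// proidcVolumeName is reserved; a ControllerConfig volume or mount with this name makes the Deployment invalid.`, or skip the append when a volume of that name is already present. `buildProviderDeployment` starts and ends outside this hunk.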
@@ -289,6 +290,35 @@ func TestBuildProviderDeployment(t *testing.T) { svc: service(providerWithoutImage, revisionWithoutCC), }, }, + "NoImgNoCCWithProviderIdentity": { + reason: "If provider identity is enabled, a proidc volume should be added.", + fields: args{ + provider: providerWithoutImage, + revision: revisionWithoutCC, + cc: nil, + providerIdentity: true, + }, + want: want{ + sa: serviceaccount(revisionWithoutCC), + d: deployment(providerWithoutImage, revisionWithCC.GetName(), pkgImg, withAdditionalVolume(corev1.Volume{ + Name: proidcVolumeName, + VolumeSource: corev1.VolumeSource{ + CSI: &corev1.CSIVolumeSource{ + Driver: proidcDriverName, + ReadOnly: &readOnly, + // TODO(hasheddan): set volume attributes based on package + // contents. + }, + }, + }), + withAdditionalVolumeMount(corev1.VolumeMount{ + Name: proidcVolumeName, + ReadOnly: readOnly, + MountPath: proidcMountPath, + })), + svc: service(providerWithoutImage, revisionWithoutCC), + }, + }, "ImgNoCCWithWebhookTLS": { reason: "If the webhook tls secret name is given, then the deployment should be configured to serve behind the given service.", fields: args{ @@ -377,7 +407,7 @@ func TestBuildProviderDeployment(t *testing.T) { for name, tc := range cases { t.Run(name, func(t *testing.T) { - sa, d, svc := buildProviderDeployment(tc.fields.provider, tc.fields.revision, tc.fields.cc, namespace, nil) + sa, d, svc := buildProviderDeployment(tc.fields.provider, tc.fields.revision, tc.fields.cc, namespace, nil, tc.fields.providerIdentity) if diff := cmp.Diff(tc.want.sa, sa, cmpopts.IgnoreTypes([]metav1.OwnerReference{})); diff != "" { t.Errorf("-want, +got:\n%s\n", diff) diff --git a/internal/controller/pkg/revision/hook.go b/internal/controller/pkg/revision/hook.go index feea2a1c6..586774d4d 100644 --- a/internal/controller/pkg/revision/hook.go +++ b/internal/controller/pkg/revision/hook.go 
@@ -59,17 +59,19 @@ type Hooks interface { // ProviderHooks performs operations for a provider package that requires a // controller before and after the revision establishes objects. type ProviderHooks struct { - client resource.ClientApplicator - namespace string - serviceAccount string + client resource.ClientApplicator + namespace string + serviceAccount string + providerIdentity bool } // NewProviderHooks creates a new ProviderHooks. -func NewProviderHooks(client resource.ClientApplicator, namespace, serviceAccount string) *ProviderHooks { +func NewProviderHooks(client resource.ClientApplicator, namespace, serviceAccount string, providerIdentity bool) *ProviderHooks { return &ProviderHooks{ - client: client, - namespace: namespace, - serviceAccount: serviceAccount, + client: client, + namespace: namespace, + serviceAccount: serviceAccount, + providerIdentity: providerIdentity, } } @@ -98,7 +100,7 @@ func (h *ProviderHooks) Pre(ctx context.Context, pkg runtime.Object, pr v1.Packa // NOTE(hasheddan): we avoid fetching pull secrets and controller config as // they aren't needed to delete Deployment, ServiceAccount, and Service. - s, d, svc := buildProviderDeployment(pkgProvider, pr, nil, h.namespace, []corev1.LocalObjectReference{}) + s, d, svc := buildProviderDeployment(pkgProvider, pr, nil, h.namespace, []corev1.LocalObjectReference{}, h.providerIdentity) if err := h.client.Delete(ctx, d); resource.IgnoreNotFound(err) != nil { return errors.Wrap(err, errDeleteProviderDeployment) } @@ -130,7 +132,7 @@ func (h *ProviderHooks) Post(ctx context.Context, pkg runtime.Object, pr v1.Pack if err != nil { return err } - s, d, svc := buildProviderDeployment(pkgProvider, pr, cc, h.namespace, append(pr.GetPackagePullSecrets(), ps...)) + s, d, svc := buildProviderDeployment(pkgProvider, pr, cc, h.namespace, append(pr.GetPackagePullSecrets(), ps...), h.providerIdentity) if err := h.client.Apply(ctx, s); err != nil { return errors.Wrap(err, errApplyProviderSA) } 
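Review bot: `NewProviderHooks` gained a bare `providerIdentity bool` parameter but its doc comment still reads just "creates a new ProviderHooks", and a positional bool at the call site in reconciler.go does not explain itself. Extend the comment to `// NewProviderHooks creates a new ProviderHooks. When providerIdentity is true the provider Deployment gets the proidc CSI identity volume.` so the wiring is readable without opening deployment.go. The same value is also passed in `Pre`, where the Deployment is only built to be deleted, which is worth a one-line note there since it looks redundant at first read.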
diff --git a/internal/controller/pkg/revision/reconciler.go b/internal/controller/pkg/revision/reconciler.go
index a2069a18a..c8bbcece0 100644
--- a/internal/controller/pkg/revision/reconciler.go
+++ b/internal/controller/pkg/revision/reconciler.go
@@ -48,6 +48,7 @@ import (
 	"github.com/crossplane/crossplane/apis/pkg/v1beta1"
 	"github.com/crossplane/crossplane/internal/controller/pkg/controller"
 	"github.com/crossplane/crossplane/internal/dag"
+	"github.com/crossplane/crossplane/internal/features"
 	"github.com/crossplane/crossplane/internal/version"
 	"github.com/crossplane/crossplane/internal/xpkg"
 )
@@ -249,7 +250,7 @@ func SetupProviderRevision(mgr ctrl.Manager, o controller.Options) error {
 		WithHooks(NewProviderHooks(resource.ClientApplicator{
 			Client:     mgr.GetClient(),
 			Applicator: resource.NewAPIPatchingApplicator(mgr.GetClient()),
-		}, o.Namespace, o.ServiceAccount)),
+		}, o.Namespace, o.ServiceAccount, o.Features.Enabled(features.EnableProviderIdentity))),
 		WithEstablisher(NewAPIEstablisher(mgr.GetClient(), o.Namespace)),
 		WithNewPackageRevisionFn(nr),
 		WithParser(parser.New(metaScheme, objScheme)),
diff --git a/internal/features/features.go b/internal/features/features.go
index ed10abd5d..3d9f03a27 100644
--- a/internal/features/features.go
+++ b/internal/features/features.go
@@ -40,4 +40,8 @@ const (
 	// details.
 	// https://github.com/crossplane/crossplane/blob/f32496bed53a393c8239376fd8266ddf2ef84d61/design/design-doc-composition-validating-webhook.md
 	EnableAlphaCompositionWebhookSchemaValidation feature.Flag = "EnableAlphaCompositionWebhookSchemaValidation"
+
+	// EnableProviderIdentity enables alpha support for Provider identity. This
+	// feature is only available when running on Upbound.
+	EnableProviderIdentity feature.Flag = "EnableProviderIdentity"
 )