From 3517d479024ecd3473700bd1cc5516c82295db75 Mon Sep 17 00:00:00 2001
From: Jason Vigil <jasonvigil@google.com>
Date: Mon, 10 Jun 2024 20:49:31 +0000
Subject: [PATCH] fix: Update contributing guide for running locally

This fixes errors returned by the immutable fields validating webhook
encountered when creating resources using a local controller manager:

```
annotation cnrm.cloud.google.com/state-into-spec is immutable
```

In order to pass the validating webhook, the local controller manager
must use the cnrm-controller-manager service account credentials
(instead of local user credentials) when making requests that modify
resource annotations.
---
 CONTRIBUTING.md | 58 +++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 56 insertions(+), 2 deletions(-)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index a2e4f83cb2..6321633fe8 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -281,9 +281,63 @@ kubectl --namespace cnrm-system logs cnrm-controller-manager-0
 If you don't want to deploy the controller manager into your dev cluster, you
 can run it locally on your dev machine with the steps below.
 
-1.  `kubectl edit statefulset cnrm-controller-manager -n cnrm-system` and scale
+1.  Get credentials for the cnrm-controller-manager service account.
+
+    First, you need to create a long-lived API token.
+
+    ```shell
+    kubectl -n cnrm-system apply -f - <<EOF
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: cnrm-controller-manager-secret
+      annotations:
+        kubernetes.io/service-account.name: cnrm-controller-manager
+    type: kubernetes.io/service-account-token
+    EOF
+    ```
+
+    Then, create a kubeconfig using the API token.
+
+    ```shell
+    set -o errexit
+
+    kubectx=$(kubectl config current-context)
+    server=$(kubectl config view -o jsonpath="{.clusters[?(@.name==\"${kubectx}\")].cluster.server}")
+    clusterName='cnrm-dev'
+    namespace='cnrm-system'
+    serviceAccount='cnrm-controller-manager'
+    secretName='cnrm-controller-manager-secret'
+    ca=$(kubectl --namespace="$namespace" get secret/"$secretName" -o=jsonpath='{.data.ca\.crt}')
+    token=$(kubectl --namespace="$namespace" get secret/"$secretName" -o=jsonpath='{.data.token}' | base64 --decode)
+
+    cat << EOF >> ~/.kube/cnrm-dev-controller-manager
+    ---
+    apiVersion: v1
+    kind: Config
+    clusters:
+      - name: ${clusterName}
+        cluster:
+          certificate-authority-data: ${ca}
+          server: ${server}
+    contexts:
+      - name: ${serviceAccount}@${clusterName}
+        context:
+          cluster: ${clusterName}
+          namespace: ${namespace}
+          user: ${serviceAccount}
+    users:
+      - name: ${serviceAccount}
+        user:
+          token: ${token}
+    current-context: ${serviceAccount}@${clusterName}
+    EOF
+    ```
+
+2.  `kubectl edit statefulset cnrm-controller-manager -n cnrm-system` and scale
     down the replica to 0.
-2.  Run `make run` and inspect the output logs.
+
+3.  Run `KUBECONFIG=~/.kube/cnrm-dev-controller-manager make run` and inspect the output logs.
 
 #### Test your changes