Merge pull request #55 from projectsyn/rbac

Change RBAC management policy to Basic by default

.gitignore

@@ -19,3 +19,5 @@
 /_public
 
 # Additional entries
+/.kind
+/.work

Makefile

@@ -12,6 +12,7 @@ SHELL := bash
 .SUFFIXES:
 
 include Makefile.vars.mk
+include kind/kind.mk
 
 .PHONY: help
 help: ## Show this help
@@ -87,6 +88,14 @@ lint_kubent_all: $(test_instances) ## Lint deprecated Kubernetes API versions fo
 $(test_instances):
 	$(MAKE) $(recursive_target) -e instance=$(basename $(@F))
 
+.PHONY: install
+install: export KUBECONFIG = $(KIND_KUBECONFIG)
+install: kind-setup .compile ## Install operator in a local cluster and install Prometheus Operator using the *-bundle.yaml file in the Prometheus Operator GitHub repository
+	kubectl create ns syn-crossplane
+	kubectl create -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/master/bundle.yaml
+	kubectl apply -f kind/prometheus-operator-cluster-role-binding.yaml
+	kubectl apply -R -n syn-crossplane -f compiled/crossplane/crossplane
+
 .PHONY: clean
 clean: ## Clean the project
 	rm -rf .cache compiled dependencies vendor helmcharts jsonnetfile*.json || true

Makefile.vars.mk

@@ -7,6 +7,16 @@
 # The component name is hard-coded from the template
 COMPONENT_NAME ?= crossplane
 
+PROJECT_ROOT_DIR = .
+PROJECT_NAME ?= crossplane
+PROJECT_OWNER ?= projectsyn
+
+## BUILD:go
+BIN_FILENAME ?= $(PROJECT_NAME)
+go_bin ?= $(PWD)/.work/bin
+$(go_bin):
+	@mkdir -p $@
+
 git_dir         ?= $(shell git rev-parse --git-common-dir)
 compiled_path   ?= compiled/$(COMPONENT_NAME)/$(COMPONENT_NAME)
 root_volume     ?= -v "$${PWD}:/$(COMPONENT_NAME)"
@@ -52,9 +62,17 @@ JB_CMD         ?= $(DOCKER_CMD) $(DOCKER_ARGS) --entrypoint /usr/local/bin/jb do
 GOLDEN_FILES    ?= $(shell find tests/golden/$(instance) -type f)
 
 KUBENT_FILES    ?= $(shell echo "$(GOLDEN_FILES)" | sed 's/ /,/g')
-KUBENT_ARGS     ?= -c=false --helm2=false --helm3=false -e
+KUBENT_ARGS     ?= -c=false --helm3=false -e
 KUBENT_IMAGE    ?= ghcr.io/doitintl/kube-no-trouble:latest
 KUBENT_DOCKER   ?= $(DOCKER_CMD) $(DOCKER_ARGS) $(root_volume) --entrypoint=/app/kubent $(KUBENT_IMAGE)
 
 instance ?= defaults
 test_instances = tests/defaults.yml tests/defaults-with-provider.yml tests/openshift4.yml tests/openshift4-with-provider.yml
+
+## KIND setup (local testing)
+
+# https://hub.docker.com/r/kindest/node/tags
+KIND_NODE_VERSION ?= v1.24.0
+KIND_IMAGE ?= docker.io/kindest/node:$(KIND_NODE_VERSION)
+KIND_KUBECONFIG ?= $(kind_dir)/kind-kubeconfig-$(KIND_NODE_VERSION)
+KIND_CLUSTER ?= $(PROJECT_NAME)-$(KIND_NODE_VERSION)

README.md

@@ -17,6 +17,14 @@ Run the `make docs-serve` command in the root of the project, and then browse to
 
 After writing the documentation, please use the `make docs-vale` command and correct any warnings raised by the tool.
 
+## Local installation for testing purposes
+
+`make install` allows you to install the operator in a local (kind) cluster.
+
+The target installs the component Crossplane in a local cluster. This component uses [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator#quickstart).
+
+Note: the namespace in the ClusterRoleBinding needs to be updated as we're deploying in a namespace other than the default namespace, that's why we have `kind/prometheus-operator-cluster-role-binding.yaml`
+
 ## Contributing and license
 
 This library is licensed under [BSD-3-Clause](LICENSE).

class/crossplane.yml

@@ -23,11 +23,6 @@ parameters:
           name: ${_instance}
           namespace: ${crossplane:namespace}
         output_path: crossplane/01_helmchart
-      - input_type: jsonnet
-        input_paths:
-          - crossplane/component/upgrade.jsonnet
-        output_type: yaml
-        output_path: crossplane/02_upgrade
   commodore:
     postprocess:
       filters:

class/defaults.yml

@@ -45,3 +45,5 @@ parameters:
         enabled: ${crossplane:monitoring:enabled}
       webhooks:
         enabled: true
+      rbacManager:
+        managementPolicy: Basic

docs/modules/ROOT/pages/how-tos/upgrade-1.1.1-1.7.x.adoc → docs/modules/ROOT/pages/how-tos/upgrade-1.2.x-and-subsequet.adoc

@@ -1,6 +1,6 @@
-= Upgrade from v1.x to v2.x
+= Upgrading to v1.2.x and Subsequent Versions
 
-This guide describes the steps to perform an upgrade of the component from version v1.x to v2.x
+This guide describes the steps to perform an upgrade of the component from version v1.x to v1.2.x and subsequent versions.
 
 == Step-by-step guide
 
@@ -13,4 +13,6 @@ An automated PreSync Hook during migration will ensure that CRDs aren't deleted.
  All CRDs are expected to use api version _v1_ (stored version) while on component version _1.1.1_ with exception to Locks and ControllerConfig.
  The Lock object is no longer managed by the HelmChart in Crossplane 1.7 therefore it will be ignored during migration by ArgoCD.
  ControllerConfig CRD hasn't received any updates.
- ====
+====
+
+For more information, please refer to https://docs.crossplane.io/v1.10/guides/upgrading-to-v1.x/#upgrading-to-v12x-and-subsequent-versions

docs/modules/ROOT/pages/index.adoc

@@ -1,5 +1,13 @@
 = Crossplane
 
+[discrete]
+== Introduction
+
 crossplane is a Commodore component to manage Crossplane.
 
 See the xref:references/parameters.adoc[parameters] reference for further details.
+
+[discrete]
+== Documentation
+
+How-to guides:: _Problem-oriented_: step-by-step guides to achieve a goal.

docs/modules/ROOT/partials/nav.adoc

@@ -1,2 +1,5 @@
 * xref:index.adoc[Home]
 * xref:references/parameters.adoc[Parameters]
+
+.How To
+* xref:how-tos/upgrade-1.2.x-and-subsequet.adoc[Upgrade version]

kind/config.yaml

@@ -0,0 +1,21 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+  - role: control-plane
+    kubeadmConfigPatches:
+      - |
+        kind: InitConfiguration
+        nodeRegistration:
+          kubeletExtraArgs:
+            node-labels: "ingress-ready=true"
+    extraPortMappings:
+      - containerPort: 80
+        hostPort: 8081
+        protocol: TCP
+      - containerPort: 443
+        hostPort: 8443
+        protocol: TCP
+      # registry can't be sensibly exposed via Ingress under 127.0.0.0.nip.io host with subpath
+      - containerPort: 30500
+        hostPort: 5000
+        protocol: TCP

kind/kind.mk

@@ -0,0 +1,50 @@
+kind_dir ?= $(PWD)/.kind
+kind_bin = $(go_bin)/kind
+
+# Prepare kind binary
+$(kind_bin): export GOOS = $(shell go env GOOS)
+$(kind_bin): export GOARCH = $(shell go env GOARCH)
+$(kind_bin): export GOBIN = $(go_bin)
+$(kind_bin): | $(go_bin)
+	go install sigs.k8s.io/kind@latest
+
+.PHONY: kind
+kind: export KUBECONFIG = $(KIND_KUBECONFIG)
+kind: kind-setup-ingress kind-load-image ## All-in-one kind target
+
+.PHONY: kind-setup
+kind-setup: export KUBECONFIG = $(KIND_KUBECONFIG)
+kind-setup: $(KIND_KUBECONFIG) ## Creates the kind cluster
+
+.PHONY: kind-setup-ingress
+kind-setup-ingress: export KUBECONFIG = $(KIND_KUBECONFIG)
+kind-setup-ingress: kind-setup ## Install NGINX as ingress controller onto kind cluster (localhost:8081)
+	kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
+
+.PHONY: kind-load-image
+# We fix the arch to linux/amd64 since kind runs in amd64 even on Mac/arm.
+kind-load-image: export GOOS = linux
+kind-load-image: export GOARCH = amd64
+kind-load-image: kind-setup build-docker ## Load the container image onto kind cluster
+	@$(kind_bin) load docker-image --name $(KIND_CLUSTER) $(CONTAINER_IMG)
+
+.PHONY: kind-clean
+kind-clean: export KUBECONFIG = $(KIND_KUBECONFIG)
+kind-clean: delete-samples
+kind-clean: ## Removes the kind Cluster
+	@$(kind_bin) delete cluster --name $(KIND_CLUSTER) || true
+	rm -rf $(kind_dir) $(kind_bin)
+
+$(KIND_KUBECONFIG): export KUBECONFIG = $(KIND_KUBECONFIG)
+$(KIND_KUBECONFIG): $(kind_bin)
+	$(kind_bin) create cluster \
+		--name $(KIND_CLUSTER) \
+		--image $(KIND_IMAGE) \
+		--config kind/config.yaml
+	@kubectl version
+	@kubectl cluster-info
+	@kubectl config use-context kind-$(KIND_CLUSTER)
+	@echo =======
+	@echo "Setup finished. To interact with the local dev cluster, set the KUBECONFIG environment variable as follows:"
+	@echo "export KUBECONFIG=$$(realpath "$(KIND_KUBECONFIG)")"
+	@echo =======

kind/prometheus-operator-cluster-role-binding.yaml

@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/name: prometheus-operator
+    app.kubernetes.io/version: 0.62.0
+  name: prometheus-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: prometheus-operator
+subjects:
+  - kind: ServiceAccount
+    name: prometheus-operator
+    namespace: syn-crossplane

tests/golden/defaults-with-provider/crossplane/crossplane/01_helmchart/crossplane/templates/rbac-manager-deployment.yaml

@@ -41,7 +41,7 @@ spec:
         - args:
             - rbac
             - start
-            - --manage=All
+            - --manage=Basic
             - --provider-clusterrole=crossplane:allowed-provider-permissions
           env:
             - name: LEADER_ELECTION