Initial WorkloadIdentityBinding controller

Setting up a pattern for more controllers, and adding a simple one to
help with setting up WorkloadIdentityBinding.

Author: justinsb

porch/controllers/Dockerfile

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM golang:1.18-bullseye as builder
+FROM golang:1.17-bullseye as builder
 
 WORKDIR /workspace
 COPY go.mod go.sum ./
@@ -44,7 +44,7 @@ COPY porch/api/ porch/api/
 COPY porch/controllers/ porch/controllers/
 COPY porch/pkg/ porch/pkg/
 
-WORKDIR /workspace/porch/controllers/remoterootsync/
+WORKDIR /workspace/porch/controllers/
 RUN CGO_ENABLED=0 go build -o /porch-controllers -v .
 
 FROM gcr.io/distroless/static

porch/controllers/Makefile

@@ -25,3 +25,8 @@ push-image:
 .PHONY: build-image
 build-image:
 	cd ../..; docker buildx build --load --tag $(IMAGE_REPO)/$(IMAGE_NAME):$(IMAGE_TAG) -f porch/controllers/Dockerfile .
+
+
+.PHONY: run-local
+run-local:
+	GCP_PROJECT_ID=${GCP_PROJECT_ID} HACK_ENABLE_LOOPBACK=1 go run .

porch/controllers/remoterootsync/config/crd/bases/config.cloud.google.com_remoterootsyncsets.yaml renamed to porch/controllers/config/crd/bases/config.cloud.google.com_remoterootsyncsets.yaml

@@ -1,17 +1,3 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition

porch/controllers/config/crd/bases/porch.kpt.dev_workloadidentitybindings.yaml

@@ -0,0 +1,153 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.8.0
+  creationTimestamp: null
+  name: workloadidentitybindings.porch.kpt.dev
+spec:
+  group: porch.kpt.dev
+  names:
+    kind: WorkloadIdentityBinding
+    listKind: WorkloadIdentityBindingList
+    plural: workloadidentitybindings
+    singular: workloadidentitybinding
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .status.conditions[?(@.type=='Ready')].reason
+      name: Ready
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: WorkloadIdentityBinding
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: WorkloadIdentityBindingSpec defines the desired state of
+              RemoteRootSync
+            properties:
+              resourceRef:
+                properties:
+                  apiVersion:
+                    type: string
+                  external:
+                    type: string
+                  kind:
+                    type: string
+                  name:
+                    type: string
+                  namespace:
+                    type: string
+                type: object
+              serviceAccountRef:
+                properties:
+                  apiVersion:
+                    type: string
+                  kind:
+                    type: string
+                  name:
+                    type: string
+                  namespace:
+                    type: string
+                type: object
+            type: object
+          status:
+            description: WorkloadIdentityBindingStatus defines the observed state
+              of WorkloadIdentityBinding
+            properties:
+              conditions:
+                description: Conditions describes the reconciliation state of the
+                  object.
+                items:
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource. --- This struct is intended for direct
+                    use as an array at the field path .status.conditions.  For example,
+                    type FooStatus struct{ // Represents the observations of a foo's
+                    current state. // Known .status.conditions.type are: \"Available\",
+                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

porch/controllers/remoterootsync/config/rbac/role.yaml renamed to porch/controllers/config/rbac/role.yaml

@@ -1,17 +1,3 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -52,6 +38,32 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - config.cloud.google.com
+  resources:
+  - workloadidentitybindings
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - config.cloud.google.com
+  resources:
+  - workloadidentitybindings/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - config.cloud.google.com
+  resources:
+  - workloadidentitybindings/status
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
   - coordination.k8s.io
   resources:

porch/controllers/remoterootsync/main.go renamed to porch/controllers/main.go

@@ -14,7 +14,9 @@
 
 package main
 
-//go:generate go run sigs.k8s.io/controller-tools/cmd/[email protected] crd rbac:roleName=configmanagement-operator webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+//go:generate go run sigs.k8s.io/controller-tools/cmd/[email protected] rbac:roleName=configmanagement-operator webhook paths="./..."
+
+//go:generate go run sigs.k8s.io/controller-tools/cmd/[email protected] crd paths="./..." output:crd:artifacts:config=config/crd/bases
 
 import (
 	"context"
@@ -35,8 +37,10 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 
+	porchapi "github.com/GoogleContainerTools/kpt/porch/api/porch/v1alpha1"
 	api "github.com/GoogleContainerTools/kpt/porch/controllers/remoterootsync/api/v1alpha1"
 	"github.com/GoogleContainerTools/kpt/porch/controllers/remoterootsync/pkg/controllers/remoterootsyncset"
+	"github.com/GoogleContainerTools/kpt/porch/controllers/workloadidentitybinding/pkg/controllers/workloadidentitybinding"
 	//+kubebuilder:scaffold:imports
 )
 
@@ -52,6 +56,7 @@ var (
 func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 
+	utilruntime.Must(porchapi.AddToScheme(scheme))
 	utilruntime.Must(api.AddToScheme(scheme))
 	//+kubebuilder:scaffold:scheme
 }
@@ -67,27 +72,23 @@ func main() {
 func run(ctx context.Context) error {
 	// var metricsAddr string
 	// var enableLeaderElection bool
-	// var useAutopushEnv bool
 	// var probeAddr string
-	// var reconcilers string
 
 	klog.InitFlags(nil)
 
-	// flag.BoolVar(&useAutopushEnv, "autopush-env", false, "Use autopush environment endpoint.")
 	// flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
 	// flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
 	// flag.BoolVar(&enableLeaderElection, "leader-elect", false,
 	// 	"Enable leader election for controller manager. "+
 	// 		"Enabling this will ensure there is only one active controller manager.")
-	// flag.StringVar(&reconcilers, "reconcilers", "hub", "Reconcilers to enable")
 
 	managerOptions := ctrl.Options{
 		Scheme:                     scheme,
 		MetricsBindAddress:         ":8080",
 		Port:                       9443,
 		HealthProbeBindAddress:     ":8081",
 		LeaderElection:             false,
-		LeaderElectionID:           "configmanagement-operator.config.cloud.google.com",
+		LeaderElectionID:           "porch-operators.config.cloud.google.com",
 		LeaderElectionResourceLock: resourcelock.LeasesResourceLock,
 	}
 
@@ -106,6 +107,11 @@ func run(ctx context.Context) error {
 	}).SetupWithManager(mgr); err != nil {
 		return fmt.Errorf("error creating RemoteRootSyncSetReconciler controller: %w", err)
 	}
+
+	if err = (&workloadidentitybinding.WorkloadIdentityBindingReconciler{}).SetupWithManager(mgr); err != nil {
+		return fmt.Errorf("error creating WorkloadIdentityBindingReconciler controller: %w", err)
+	}
+
 	//+kubebuilder:scaffold:builder
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
 		return fmt.Errorf("error adding health check: %w", err)

porch/controllers/workloadidentitybinding/api/v1alpha1/groupversion_info.go

@@ -0,0 +1,36 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package v1alpha1 contains API Schema definitions for the porch.kpt.dev v1alpha1 API group
+// +kubebuilder:object:generate=true
+// +groupName=porch.kpt.dev
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+//go:generate go run sigs.k8s.io/controller-tools/cmd/[email protected] object object:headerFile="../../../../scripts/boilerplate.go.txt" paths="./..."
+
+var (
+	// GroupVersion is group version used to register these objects
+	GroupVersion = schema.GroupVersion{Group: "porch.kpt.dev", Version: "v1alpha1"}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
+	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+
+	// AddToScheme adds the types in this group-version to the given scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
+)