upgrade dependencies, go version, controller-runtime, controller-gen (#…

…170)

Signed-off-by: Yu Jiang <yu_jiang@intuit.com>
Co-authored-by: Yu Jiang <yu_jiang@intuit.com>

.github/workflows/unit_test.yaml

@@ -14,15 +14,11 @@ jobs:
       - name: Set up Go 1.x
         uses: actions/setup-go@v4
         with:
-          go-version: 1.17
+          go-version: 1.21
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@v4
 
-      - name: Setup kubebuilder
-        run: |
-          make kubebuilder
-
       - name: Build
         run: |
           make docker-build

.gitignore

@@ -21,3 +21,6 @@ kubebuilder*
 .idea/
 bin/
 .tool-versions
+.DS_Store
+
+manager

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.17 as builder
+FROM golang:1.21 as builder
 
 WORKDIR /workspace
 # Copy the Go Modules manifests
@@ -10,13 +10,12 @@ COPY go.sum go.sum
 RUN go mod download
 
 # Copy the go source
-COPY main.go main.go
+COPY cmd/ cmd/
 COPY api/ api/
-COPY controllers/ controllers/
-COPY pkg pkg/
-COPY internal internal/
+COPY pkg/ pkg/
+COPY internal/ internal/
 # Build
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -v -a -o manager main.go
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -v -a -o manager cmd/main.go
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details

Makefile

@@ -3,8 +3,12 @@ IMG         ?= keikoproj/iam-manager:latest
 
 # Tools required to run the full suite of tests properly
 OSNAME           ?= $(shell uname -s | tr A-Z a-z)
-KUBEBUILDER_VER  ?= 2.2.0
 KUBEBUILDER_ARCH ?= amd64
+ENVTEST_K8S_VERSION = 1.28.0
+
+LOCALBIN ?= $(shell pwd)/bin
+$(LOCALBIN):
+	mkdir -p $(LOCALBIN)
 
 # Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
 CRD_OPTIONS ?= "crd:trivialVersions=true"
@@ -22,6 +26,8 @@ CLUSTER_NAME                ?= k8s_test_keiko
 CLUSTER_OIDC_ISSUER_URL     ?= https://google.com/OIDC
 DEFAULT_TRUST_POLICY        ?= '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow","Principal": {"Federated": "arn:aws:iam::AWS_ACCOUNT_ID:oidc-provider/OIDC_PROVIDER"},"Action": "sts:AssumeRoleWithWebIdentity","Condition": {"StringEquals": {"OIDC_PROVIDER:sub": "system:serviceaccount:{{.NamespaceName}}:SERVICE_ACCOUNT_NAME"}}}, {"Effect": "Allow","Principal": {"AWS": ["arn:aws:iam::{{.AccountID}}:role/trust_role"]},"Action": "sts:AssumeRole"}]}'
 
+ENVTEST ?= $(LOCALBIN)/setup-envtest
+
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
 	GOBIN := $(shell go env GOPATH)/bin
@@ -31,23 +37,15 @@ endif
 
 all: manager
 
-.PHONY: kubebuilder
-kubebuilder:
-	@echo "Downloading and installing Kubebuilder - this requires sudo privileges"
-	curl -fsSL -O "https://github.com/kubernetes-sigs/kubebuilder/releases/download/v$(KUBEBUILDER_VER)/kubebuilder_$(KUBEBUILDER_VER)_$(OSNAME)_$(KUBEBUILDER_ARCH).tar.gz"
-	rm -rf kubebuilder && mkdir -p kubebuilder
-	tar -zxvf kubebuilder_$(KUBEBUILDER_VER)_$(OSNAME)_$(KUBEBUILDER_ARCH).tar.gz --strip-components 1 -C kubebuilder
-	sudo cp -rf kubebuilder /usr/local
-
 mock:
-	go get -u github.com/golang/mock/mockgen
+	go install github.com/golang/mock/mockgen@v1.6.0
 	@echo "mockgen is in progess"
 	@for pkg in $(shell go list ./...) ; do \
 		go generate ./... ;\
 	done
 
 # Run tests
-test: mock generate fmt manifests
+test: mock generate fmt manifests envtest
 	KUBECONFIG=$(KUBECONFIG) \
 	LOCAL=$(LOCAL) \
 	ALLOWED_POLICY_ACTION=$(ALLOWED_POLICY_ACTION) \
@@ -60,15 +58,15 @@ test: mock generate fmt manifests
 	CLUSTER_NAME=$(CLUSTER_NAME) \
 	CLUSTER_OIDC_ISSUER_URL="$(CLUSTER_OIDC_ISSUER_URL)" \
 	DEFAULT_TRUST_POLICY=$(DEFAULT_TRUST_POLICY) \
-	go test ./... -coverprofile cover.out
+	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test ./... -coverprofile cover.out
 
 # Build manager binary
 manager: generate fmt vet update
-	go build -o bin/manager main.go
+	go build -o bin/manager cmd/main.go
 
 # Run against the configured Kubernetes cluster in ~/.kube/config
 run: generate fmt vet manifests
-	go run ./main.go
+	go run ./cmd/main.go
 
 # Install CRDs into a cluster
 install: manifests
@@ -96,8 +94,8 @@ update: manifests
 
 # Generate manifests e.g. CRD, RBAC etc.
 manifests: controller-gen
-	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
-	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd_no_webhook/bases
+	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd_no_webhook/bases
 
 
 # Run go fmt against code
@@ -124,8 +122,13 @@ docker-push:
 # download controller-gen if necessary
 controller-gen:
 ifeq (, $(shell which controller-gen))
-	go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.2.5
+	go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.13.0
 CONTROLLER_GEN=$(GOBIN)/controller-gen
 else
 CONTROLLER_GEN=$(shell which controller-gen)
 endif
+
+.PHONY: envtest
+envtest: $(ENVTEST) ## Download envtest-setup locally if necessary.
+$(ENVTEST): $(LOCALBIN)
+	test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest

PROJECT

@@ -1,4 +1,4 @@
-version: "2"
+version: "3"
 domain: keikoproj.io
 repo: github.com/keikoproj/iam-manager
 resources:

api/v1alpha1/iamrole_webhook.go

@@ -27,6 +27,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	"github.com/keikoproj/iam-manager/internal/config"
 	"github.com/keikoproj/iam-manager/pkg/k8s"
@@ -58,7 +59,7 @@ func (r *Iamrole) SetupWebhookWithManager(mgr ctrl.Manager) error {
 
 // EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
 
-// +kubebuilder:webhook:path=/mutate-iammanager-keikoproj-io-v1alpha1-iamrole,mutating=true,failurePolicy=fail,groups=iammanager.keikoproj.io,resources=iamroles,verbs=create;update,versions=v1alpha1,name=miamrole.kb.io
+// +kubebuilder:webhook:path=/mutate-iammanager-keikoproj-io-v1alpha1-iamrole,mutating=true,failurePolicy=fail,groups=iammanager.keikoproj.io,resources=iamroles,verbs=create;update,versions=v1alpha1,name=miamrole.kb.io,sideEffects=none,admissionReviewVersions=v1
 
 var _ webhook.Defaulter = &Iamrole{}
 
@@ -74,33 +75,33 @@ func (r *Iamrole) Default() {
 }
 
 // TODO(user): change verbs to "verbs=create;update;delete" if you want to enable deletion validation.
-// +kubebuilder:webhook:verbs=create;update,path=/validate-iammanager-keikoproj-io-v1alpha1-iamrole,mutating=false,failurePolicy=fail,groups=iammanager.keikoproj.io,resources=iamroles,versions=v1alpha1,name=viamrole.kb.io
+// +kubebuilder:webhook:verbs=create;update,path=/validate-iammanager-keikoproj-io-v1alpha1-iamrole,mutating=false,failurePolicy=fail,groups=iammanager.keikoproj.io,resources=iamroles,versions=v1alpha1,name=viamrole.kb.io,sideEffects=none,admissionReviewVersions=v1
 
 var _ webhook.Validator = &Iamrole{}
 
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type
-func (r *Iamrole) ValidateCreate() error {
+func (r *Iamrole) ValidateCreate() (admission.Warnings, error) {
 	log := logging.Logger(context.Background(), "v1alpha1", "ValidateCreate")
 	log.Info("validating create request", "name", r.Name)
 
-	return r.validateIAMPolicy(false)
+	return []string{}, r.validateIAMPolicy(false)
 }
 
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
-func (r *Iamrole) ValidateUpdate(old runtime.Object) error {
+func (r *Iamrole) ValidateUpdate(old runtime.Object) (admission.Warnings, error) {
 	log := logging.Logger(context.Background(), "v1alpha1", "ValidateCreate")
 	log.Info("validate update", "name", r.Name)
 
-	return r.validateIAMPolicy(true)
+	return []string{}, r.validateIAMPolicy(true)
 }
 
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type
-func (r *Iamrole) ValidateDelete() error {
+func (r *Iamrole) ValidateDelete() (admission.Warnings, error) {
 	log := logging.Logger(context.Background(), "v1alpha1", "ValidateDelete")
 	log.Info("validate delete", "name", r.Name)
 
 	// TODO(user): fill in your validation logic upon object deletion.
-	return nil
+	return []string{}, nil
 }
 
 func (r *Iamrole) validateIAMPolicy(isItUpdate bool) error {

main.go → cmd/main.go

@@ -27,11 +27,14 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 
+	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+
 	// +kubebuilder:scaffold:imports
 
 	iammanagerv1alpha1 "github.com/keikoproj/iam-manager/api/v1alpha1"
-	"github.com/keikoproj/iam-manager/controllers"
 	"github.com/keikoproj/iam-manager/internal/config"
+	"github.com/keikoproj/iam-manager/internal/controllers"
 	"github.com/keikoproj/iam-manager/internal/utils"
 	"github.com/keikoproj/iam-manager/pkg/awsapi"
 	"github.com/keikoproj/iam-manager/pkg/k8s"
@@ -65,11 +68,11 @@ func main() {
 	go config.RunConfigMapInformer(context.Background())
 
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
-		Scheme:             scheme,
-		MetricsBindAddress: metricsAddr,
-		LeaderElection:     enableLeaderElection,
-		Port:               9443,
-		LeaderElectionID:   "controller-leader-election-helper",
+		Scheme:           scheme,
+		Metrics:          metricsserver.Options{BindAddress: metricsAddr},
+		LeaderElection:   enableLeaderElection,
+		WebhookServer:    webhook.NewServer(webhook.Options{Port: 9443}),
+		LeaderElectionID: "controller-leader-election-helper",
 	})
 
 	if err != nil {