bazel: Move CRD and RBAC generation into bazel

* Add annotations to controllers as required
* New controller_gen build rule for generating CRD and RBAC

Signed-off-by: Naadir Jeewa <[email protected]>

Makefile

@@ -164,6 +164,12 @@ manifests: cmd/clusterctl/examples/aws/out/credentials ## Generate manifests for
 manifests-dev: dep-ensure dep-install binaries-dev ## Builds development manifests
 	MANAGER_IMAGE=$(DEV_MANAGER_IMAGE) MANAGER_IMAGE_PULL_POLICY="Always" $(MAKE) manifests
 
+.PHONY: crds
+crds:
+	bazel build //config
+	cp -R bazel-genfiles/config/crds/* config/crds/
+	cp -R bazel-genfiles/config/rbac/* config/rbac/
+
 # TODO(vincepri): This should move to rebuild Bazel binaries once every
 # make target uses Bazel bins to run operations.
 .PHONY: binaries-dev

build/controller_gen.bzl

@@ -0,0 +1,76 @@
+# Copyright 2019 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# TODO: Move this to Kubebuilder repository
+
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+load("@io_kubernetes_build//defs:go.bzl", "go_genrule")
+
+CONTROLLER_GEN = "//vendor/sigs.k8s.io/controller-tools/cmd/controller-gen"
+
+def _qualified_genfile(label):
+  return "$$GO_GENRULE_EXECROOT/$(location %s)" % label
+
+# controller_gen generates CRD and RBAC manifests for Kubernetes
+# controllers based on controller runtime
+# (https://github.com/kubernetes-sigs/controller-runtime) given
+# Kubebuilder annotations in the Go source code.
+# controller_gen will output manifests to config/crds and config/rbac
+# within the projects genfiles.
+def controller_gen(name, importpath, api, visibility, deps = []):
+    outs = [
+      "rbac/rbac_role.yaml",
+      "rbac/rbac_role_binding.yaml",
+    ]
+
+    real_deps = [
+        "//pkg/apis:go_default_library",
+        "//pkg/cloud/aws/actuators/cluster:go_default_library",
+        "//pkg/cloud/aws/actuators/machine:go_default_library",
+    ] + deps
+
+    for g in api:
+      group = g["group"]
+      version = g["version"].lower()
+      types = g["types"]
+      prefix = group.split(".")[0].lower()
+      real_deps += [ "//pkg/apis/%s:go_default_library" % prefix]
+      for t in types:
+        basename = t.lower()
+        out = "crds/%s_%s_%s.yaml" % (prefix, version, basename)
+        outs += [out]
+
+    cmd = """mkdir -p {source_package} && \\
+             cd {source_package} && \\
+             cp -f {project} {source_package} && \\
+             GENDIR=$$(dirname {gendir})/../.. && \\
+            {controller_gen} all && \\
+            cp -fR config $$GENDIR
+          """.format(
+      controller_gen = _qualified_genfile(CONTROLLER_GEN),
+      project = _qualified_genfile("//:PROJECT"),
+      gendir = _qualified_genfile(outs[0]),
+      source_package =  "$$GOPATH/src/%s" % importpath
+    )
+
+    go_genrule(
+        name = name,
+        outs = outs,
+        srcs = ["//:PROJECT"],
+        cmd = cmd,
+        go_deps = real_deps,
+        visibility = visibility,
+        tools = [CONTROLLER_GEN],
+        tags = [ "generated" ],
+    )

cmd/clusterctl/examples/aws/BUILD

@@ -1,10 +1,9 @@
 genrule(
     name = "example-out",
-    srcs = glob(["*.yaml.template"]) +
-           [
-               "addons.yaml",
-               "//cmd/manager:manager-amd64.digest",
-           ],
+    srcs = glob(["*.yaml.template"]) + [
+        "addons.yaml",
+        "//cmd/manager:manager-amd64.digest",
+    ],
     outs = [
         "out/addons.yaml",
         "out/cluster.yaml",
@@ -27,3 +26,11 @@ genrule(
     ],
     visibility = ["//visibility:public"],
 )
+
+# TODO(EKF/liztio/randomvariable): Extracted from config/build, needs real creds
+genrule(
+    name = "test-credentials",
+    outs = ["out/credentials"],
+    cmd = "mkdir -p out && touch $@",
+    visibility = ["//visibility:public"],
+)

config/BUILD.bazel

@@ -0,0 +1,57 @@
+# Copyright 2019 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+load("//build:controller_gen.bzl", "controller_gen")
+
+controller_gen(
+    name = "config",
+    api = [
+        {
+            "group": "awsprovider.k8s.io",
+            "version": "v1alpha1",
+            "types": [
+                "AWSClusterProviderSpec",
+                "AWSClusterProviderStatus",
+                "AWSMachineProviderSpec",
+                "AWSMachineProviderStatus",
+            ],
+        },
+    ],
+    importpath = "sigs.k8s.io/cluster-api-provider-aws",
+    visibility = ["//visibility:public"],
+)
+
+genrule(
+    name = "aws-provider-yaml",
+    srcs = [
+        "//config/default:kustomization.yaml",
+        "//config/default:rbac_role_binding_patch.yaml",
+        "//config/manager:manager.yaml",
+        "//cmd/clusterctl/examples/aws:out/aws_manager_image_patch.yaml",
+        "//cmd/clusterctl/examples/aws:test-credentials",
+        "config",
+        "//:WORKSPACE",
+    ],
+    outs = ["aws_provider.yaml"],
+    cmd = """CONFIG_SRCDIR={root_dir}/config && \\
+             cp -R $$CONFIG_SRCDIR/default $(@D)/default && \\
+             cp -R $$CONFIG_SRCDIR/manager $(@D)/manager && \\
+             {kustomize} build $(@D)/default > $@
+    """.format(
+        kustomize = "$(location @io_k8s_sigs_kustomize//:kustomize)",
+        root_dir = "$$(dirname $(location //:WORKSPACE))",
+    ),
+    tools = ["@io_k8s_sigs_kustomize//:kustomize"],
+    visibility = ["//visibility:public"],
+)

config/default/BUILD.bazel

@@ -0,0 +1,21 @@
+# Copyright 2019 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+exports_files(
+    [
+        "kustomization.yaml",
+        "rbac_role_binding_patch.yaml",
+    ],
+    visibility = ["//visibility:public"],
+)

config/default/kustomization.yaml

@@ -1,3 +1,17 @@
+# Copyright 2019 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 namespace: aws-provider-system
 namePrefix: aws-provider-
 
@@ -12,6 +26,7 @@ resources:
 
 patches:
   - ../../cmd/clusterctl/examples/aws/out/aws_manager_image_patch.yaml
+  - rbac_role_binding_patch.yaml
 
 secretGenerator:
   - name: manager-bootstrap-credentials

config/default/rbac_role_binding_patch.yaml

@@ -0,0 +1,22 @@
+# Copyright 2019 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: manager-rolebinding
+subjects:
+  - kind: ServiceAccount
+    name: default
+    namespace: aws-provider-system

config/manager/BUILD.bazel

@@ -0,0 +1,20 @@
+# Copyright 2019 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+exports_files(
+    [
+        "manager.yaml",
+    ],
+    visibility = ["//visibility:public"],
+)

config/rbac/rbac_role.yaml

@@ -1,15 +1,14 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  creationTimestamp: null
   name: manager-role
 rules:
 - apiGroups:
   - awsprovider.k8s.io
   resources:
   - awsclusterproviderconfigs
   - awsclusterproviderstatuses
-  - awsmachineproviderconfigs
-  - awsmachineproviderstatuses
   verbs:
   - get
   - list
@@ -23,6 +22,30 @@ rules:
   resources:
   - clusters
   - clusters/status
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - awsprovider.k8s.io
+  resources:
+  - awsmachineproviderconfigs
+  - awsmachineproviderstatuses
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - cluster.k8s.io
+  resources:
   - machines
   - machines/status
   - machinedeployments
@@ -37,6 +60,15 @@ rules:
   - update
   - patch
   - delete
+- apiGroups:
+  - cluster.k8s.io
+  resources:
+  - clusters
+  - clusters/status
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - ""
   resources:
@@ -49,4 +81,4 @@ rules:
   - create
   - update
   - patch
-  - delete
+  - delete

config/rbac/rbac_role_binding.yaml

@@ -10,4 +10,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: default
-  namespace: aws-provider-system
+  namespace: system

pkg/cloud/aws/actuators/cluster/actuator.go

@@ -29,6 +29,9 @@ import (
 	controllerError "sigs.k8s.io/cluster-api/pkg/controller/error"
 )
 
+//+kubebuilder:rbac:groups=awsprovider.k8s.io,resources=awsclusterproviderconfigs;awsclusterproviderstatuses,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=cluster.k8s.io,resources=clusters;clusters/status,verbs=get;list;watch;create;update;patch;delete
+
 // Actuator is responsible for performing cluster reconciliation
 type Actuator struct {
 	*deployer.Deployer

pkg/cloud/aws/actuators/machine/actuator.go

@@ -41,6 +41,11 @@ import (
 	controllerError "sigs.k8s.io/cluster-api/pkg/controller/error"
 )
 
+//+kubebuilder:rbac:groups=awsprovider.k8s.io,resources=awsmachineproviderconfigs;awsmachineproviderstatuses,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=cluster.k8s.io,resources=machines;machines/status;machinedeployments;machinedeployments/status;machinesets;machinesets/status,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=cluster.k8s.io,resources=clusters;clusters/status,verbs=get;list;watch
+//+kubebuilder:rbac:groups="",resources=nodes;events,verbs=get;list;watch;create;update;patch;delete
+
 // Actuator is responsible for performing machine reconciliation.
 type Actuator struct {
 	*deployer.Deployer