Merge remote-tracking branch 'upstream/master' into sync-upstream-master

.github/workflows/ci.yml

@@ -10,7 +10,7 @@ on:
 
 env:
   # Common versions
-  GO_VERSION: '1.21.6'
+  GO_VERSION: '1.22.0'
   GOLANGCI_VERSION: 'v1.55.2'
   DOCKER_BUILDX_VERSION: 'v0.10.0'
 

.github/workflows/promote.yml

@@ -21,7 +21,7 @@ on:
 
 env:
   # Common versions
-  GO_VERSION: '1.21.6'
+  GO_VERSION: '1.22.0'
 
   # Common users. We can't run a step 'if secrets.AWS_USR != ""' but we can run
   # a step 'if env.AWS_USR' != ""', so we copy these to succinctly test whether

ADOPTERS.md

@@ -51,7 +51,7 @@ This list is sorted in the order that organizations were added to it.
 | [PITS Global Data Recovery Services](https://www.pitsdatarecovery.net/) | @pheianox | Declarative configuration and integration with CI/CD pipelines |
 | [NASA Science Cloud](https://smce.nasa.gov/) | [ramon.e.ramirez-linan@nasa.gov](mailto:ramon.e.ramirez-linan@nasa.gov) ([@rezuma](https://github.com/rezuma)) | [NASA Science Cloud](https://smce.nasa.gov) has created compositions to deploy the Open Science Studio, a jupyterhub based platform that connects to HPC in the cloud and foster NASA Open Science Initiative. Navteca ([@navteca](https://github.com/Navteca)) has been helping NASA with this initiative |
 | [Navteca](https://navteca.com/) | [rlinan@navteca.com](mailto:rlinan@navteca.com) ([@navteca](https://github.com/Navteca)) | [Navteca](https://www.navteca.com) is adopting Crossplane to deploy [Voice Atlas](https://www.voiceatlas.com) a cloud based product that let customer connect corporate knowledge with any Large Language Model and offered to be consumed by users through any channel (slack, MS Teams, Website, etc) |
-| [SAP](https://sap.com/) | [d.small@sap.com](mailto:d.small@sap.com)| [SAP](https://sap.com) uses Crossplane as part of a solution that gives teams owning micro-services the ability to provision hyper-scaler hosted backing services such as Redis on demand. |
+| [SAP](https://sap.com/) | [opensource@sap.com](mailto:opensource@sap.com)<br />[@dee0sap](https://github.com/dee0sap)| [SAP](https://sap.com)'s internal Crossplane community is continuously growing and extending the use of Crossplane within SAP in different products. Our teams developed Crossplane providers for internal use and continue contributing new providers to the Crossplane ecosystem. We also contributed a framework that supports end-to-end tests for Crossplane providers to the project. <br /> [SAP Open Source Report 2023](https://dam.sap.com/mac/app/e/pdf/preview/embed/NG3Cg8G?ltr=a&rc=10&includeRelatedAssets=true) <br /> As of February 2024, SAP is ramping up the use of Crossplane with currently 100+ KRM based control planes with Crossplane and other technologies and 1000s of Managed Resources in different qualification grades.
 | [Airnity](https://airnity.com/) | [hello@airnity.com](mailto:hello@airnity.com) | [Airnity](https://airnity.com/) uses Crossplane to deploy a worldwide cellular connectivity platform for the automotive industry. |
 | [Intility](https://intility.com/) | @daniwk @JonasKs | We orchestrate our metacloud's infrastructure in production using Crossplane. |
 | [codecentric](https://www.codecentric.de/) | @jonashackt | Software engineering & Infrastructure automation/GitOps consulting, where the Kubernetes ecosystem is continuously evaluated for best suited tooling for our clients - and Crossplane is a definitive shooting star, which will for sure kick off a broad adoption soon. Currently we're in the process of evaluating and showcasing crossplane to our customers. |

cluster/charts/crossplane/templates/rbac-manager-managed-clusterroles.yaml

@@ -187,74 +187,5 @@ rules:
   - apiextensions.crossplane.io
   resources: ["*"]
   verbs: [get, list, watch]
-{{- if .Values.rbacManager.managementPolicy }}
----
-# The below ClusterRoles are aggregated to the namespaced RBAC roles created by
-# the Crossplane RBAC manager when it is running in --manage=All mode.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ template "crossplane.name" . }}:aggregate-to-ns-admin
-  labels:
-    rbac.crossplane.io/aggregate-to-ns-admin: "true"
-    rbac.crossplane.io/base-of-ns-admin: "true"
-    app: {{ template "crossplane.name" . }}
-    {{- include "crossplane.labels" . | indent 4 }}
-rules:
-# Crossplane namespace admins have access to view events.
-- apiGroups: [""]
-  resources: [events]
-  verbs: [get, list, watch]
-# Crossplane namespace admins may need to read or otherwise interact with
-# resource claim connection secrets.
-- apiGroups: [""]
-  resources: [secrets]
-  verbs: ["*"]
-# Crossplane namespace admins have access to view the roles that they may be
-# able to grant to other subjects.
-- apiGroups: [rbac.authorization.k8s.io]
-  resources: [roles]
-  verbs: [get, list, watch]
-# Crossplane namespace admins have access to grant the access they have to other
-# subjects.
-- apiGroups: [rbac.authorization.k8s.io]
-  resources: [rolebindings]
-  verbs: ["*"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ template "crossplane.name" . }}:aggregate-to-ns-edit
-  labels:
-    rbac.crossplane.io/aggregate-to-ns-edit: "true"
-    rbac.crossplane.io/base-of-ns-edit: "true"
-    app: {{ template "crossplane.name" . }}
-    {{- include "crossplane.labels" . | indent 4 }}
-rules:
-# Crossplane namespace editors have access to view events.
-- apiGroups: [""]
-  resources: [events]
-  verbs: [get, list, watch]
-# Crossplane namespace editors may need to read or otherwise interact with
-# resource claim connection secrets.
-- apiGroups: [""]
-  resources: [secrets]
-  verbs: ["*"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ template "crossplane.name" . }}:aggregate-to-ns-view
-  labels:
-    rbac.crossplane.io/aggregate-to-ns-view: "true"
-    rbac.crossplane.io/base-of-ns-view: "true"
-    app: {{ template "crossplane.name" . }}
-    {{- include "crossplane.labels" . | indent 4 }}
-rules:
-# Crossplane namespace viewers have access to view events.
-- apiGroups: [""]
-  resources: [events]
-  verbs: [get, list, watch]
-{{- end }}
 {{- end }}
 {{- end }}

cmd/crank/xpkg/push.go

@@ -36,6 +36,7 @@ import (
 	"github.com/crossplane/crossplane-runtime/pkg/logging"
 
 	"github.com/crossplane/crossplane/internal/xpkg"
+	"github.com/crossplane/crossplane/internal/xpkg/upbound"
 	"github.com/crossplane/crossplane/internal/xpkg/upbound/credhelper"
 )
 
@@ -62,6 +63,9 @@ type pushCmd struct {
 	// Flags. Keep sorted alphabetically.
 	PackageFiles []string `short:"f" type:"existingfile" placeholder:"PATH" help:"A comma-separated list of xpkg files to push."`
 
+	// Common Upbound API configuration.
+	upbound.Flags `embed:""`
+
 	// Internal state. These aren't part of the user-exposed CLI structure.
 	fs afero.Fs
 }
@@ -91,6 +95,11 @@ func (c *pushCmd) AfterApply() error {
 
 // Run runs the push cmd.
 func (c *pushCmd) Run(logger logging.Logger) error { //nolint:gocyclo // This feels easier to read as-is.
+	upCtx, err := upbound.NewFromFlags(c.Flags, upbound.AllowMissingProfile())
+	if err != nil {
+		return err
+	}
+
 	tag, err := name.NewTag(c.Package, name.WithDefaultRegistry(xpkg.DefaultRegistry))
 	if err != nil {
 		return errors.Wrapf(err, errFmtNewTag, c.Package)
@@ -112,7 +121,11 @@ func (c *pushCmd) Run(logger logging.Logger) error { //nolint:gocyclo // This fe
 	}
 
 	kc := authn.NewMultiKeychain(
-		authn.NewKeychainFromHelper(credhelper.New()),
+		authn.NewKeychainFromHelper(credhelper.New(
+			credhelper.WithLogger(logger),
+			credhelper.WithProfile(upCtx.ProfileName),
+			credhelper.WithDomain(upCtx.Domain.Hostname()),
+		)),
 		authn.DefaultKeychain,
 	)
 

internal/controller/apiextensions/composite/composition_render.go

@@ -32,8 +32,8 @@ const (
 	errMarshalProtoStruct = "cannot marshal protobuf Struct to JSON"
 	errSetControllerRef   = "cannot set controller reference"
 
-	errFmtKindChanged     = "cannot change the kind of a composed resource from %s to %s (possible composed resource template mismatch)"
-	errFmtNamePrefixLabel = "cannot find top-level composite resource name label %q in composite resource metadata"
+	errFmtKindOrGroupChanged = "cannot change the kind or group of a composed resource from %s to %s (possible composed resource template mismatch)"
+	errFmtNamePrefixLabel    = "cannot find top-level composite resource name label %q in composite resource metadata"
 
 	// TODO(negz): Include more detail such as field paths if they exist.
 	// Perhaps require each patch type to have a String() method to help
@@ -61,13 +61,16 @@ func RenderFromJSON(o resource.Object, data []byte) error {
 	o.SetName(name)
 	o.SetNamespace(namespace)
 
-	// This resource already had a GVK (probably because it already exists), but
+	// This resource already had a GK (probably because it already exists), but
 	// when we rendered its template it changed. This shouldn't happen. Either
-	// someone changed the kind in the template or we're trying to use the wrong
-	// template (e.g. because the order of an array of anonymous templates
+	// someone changed the kind or group in the template, or we're trying to use the
+	// wrong template (e.g. because the order of an array of anonymous templates
 	// changed).
-	if !gvk.Empty() && o.GetObjectKind().GroupVersionKind() != gvk {
-		return errors.Errorf(errFmtKindChanged, gvk, o.GetObjectKind().GroupVersionKind())
+	// Please note, we don't check for version changes, as versions can change. For example,
+	// if a composed resource was created with a template that has a version of "v1alpha1",
+	// and then the template is updated to "v1beta1", the composed resource will still be valid.
+	if !gvk.Empty() && o.GetObjectKind().GroupVersionKind().GroupKind() != gvk.GroupKind() {
+		return errors.Errorf(errFmtKindOrGroupChanged, gvk, o.GetObjectKind().GroupVersionKind())
 	}
 
 	return nil

internal/controller/apiextensions/composite/composition_render_test.go

@@ -62,8 +62,25 @@ func TestRenderFromJSON(t *testing.T) {
 				err: errors.Wrap(errInvalidChar, errUnmarshalJSON),
 			},
 		},
-		"ExistingGVKChanged": {
-			reason: "We should return an error if unmarshalling the base template changed the composed resource's group, version, or kind",
+		"ExistingGroupChanged": {
+			reason: "We should return an error if unmarshalling the base template changed the composed resource's group.",
+			args: args{
+				o: composed.New(composed.FromReference(corev1.ObjectReference{
+					APIVersion: "example.org/v1",
+					Kind:       "Potato",
+				})),
+				data: []byte(`{"apiVersion": "foo.io/v1", "kind": "Potato"}`),
+			},
+			want: want{
+				o: composed.New(composed.FromReference(corev1.ObjectReference{
+					APIVersion: "foo.io/v1",
+					Kind:       "Potato",
+				})),
+				err: errors.Errorf(errFmtKindOrGroupChanged, "example.org/v1, Kind=Potato", "foo.io/v1, Kind=Potato"),
+			},
+		},
+		"ExistingKindChanged": {
+			reason: "We should return an error if unmarshalling the base template changed the composed resource's kind.",
 			args: args{
 				o: composed.New(composed.FromReference(corev1.ObjectReference{
 					APIVersion: "example.org/v1",
@@ -76,7 +93,23 @@ func TestRenderFromJSON(t *testing.T) {
 					APIVersion: "example.org/v1",
 					Kind:       "Different",
 				})),
-				err: errors.Errorf(errFmtKindChanged, "example.org/v1, Kind=Potato", "example.org/v1, Kind=Different"),
+				err: errors.Errorf(errFmtKindOrGroupChanged, "example.org/v1, Kind=Potato", "example.org/v1, Kind=Different"),
+			},
+		},
+		"VersionCanChange": {
+			reason: "We should accept version changes in the base template.",
+			args: args{
+				o: composed.New(composed.FromReference(corev1.ObjectReference{
+					APIVersion: "example.org/v1alpha1",
+					Kind:       "Potato",
+				})),
+				data: []byte(`{"apiVersion": "example.org/v1beta1", "kind": "Potato"}`),
+			},
+			want: want{
+				o: composed.New(composed.FromReference(corev1.ObjectReference{
+					APIVersion: "example.org/v1beta1",
+					Kind:       "Potato",
+				})),
 			},
 		},
 		"NewComposedResource": {

internal/xpkg/upbound/credhelper/credhelper.go

@@ -113,8 +113,10 @@ func (h *Helper) List() (map[string]string, error) {
 // Get gets credentials for the supplied server.
 func (h *Helper) Get(serverURL string) (string, string, error) {
 	if !strings.Contains(serverURL, h.domain) {
+		h.log.Debug("Supplied server URL is not supported by this credentials helper", "serverURL", serverURL, "domain", h.domain)
 		return "", "", errors.New(errUnsupportedDomain)
 	}
+	h.log.Debug("Getting credentials for server", "serverURL", serverURL)
 	if err := h.src.Initialize(); err != nil {
 		return "", "", errors.Wrap(err, errInitializeSource)
 	}
@@ -124,11 +126,13 @@ func (h *Helper) Get(serverURL string) (string, string, error) {
 	}
 	var p config.Profile
 	if h.profile == "" {
+		h.log.Debug("No profile specified, using default profile")
 		_, p, err = conf.GetDefaultUpboundProfile()
 		if err != nil {
 			return "", "", errors.Wrap(err, errGetDefaultProfile)
 		}
 	} else {
+		h.log.Debug("Using specified profile", "profile", h.profile)
 		p, err = conf.GetUpboundProfile(h.profile)
 		if err != nil {
 			return "", "", errors.Wrap(err, errGetProfile)

test/e2e/manifests/apiextensions/composition/bind-existing-xr/setup/provider.yaml

@@ -3,5 +3,5 @@ kind: Provider
 metadata:
   name: provider-nop
 spec:
-  package: xpkg.upbound.io/crossplane-contrib/provider-nop:v0.2.0
+  package: xpkg.upbound.io/crossplane-contrib/provider-nop:v0.2.1
   ignoreCrossplaneConstraints: true

test/e2e/manifests/apiextensions/composition/composition-selection/setup/provider.yaml

@@ -3,5 +3,5 @@ kind: Provider
 metadata:
   name: provider-nop
 spec:
-  package: xpkg.upbound.io/crossplane-contrib/provider-nop:v0.2.0
+  package: xpkg.upbound.io/crossplane-contrib/provider-nop:v0.2.1
   ignoreCrossplaneConstraints: true

test/e2e/manifests/apiextensions/composition/functions/setup/provider.yaml

@@ -3,5 +3,5 @@ kind: Provider
 metadata:
   name: provider-nop
 spec:
-  package: xpkg.upbound.io/crossplane-contrib/provider-nop:v0.2.0
+  package: xpkg.upbound.io/crossplane-contrib/provider-nop:v0.2.1
   ignoreCrossplaneConstraints: true

test/e2e/manifests/apiextensions/composition/minimal/setup/provider.yaml

@@ -3,5 +3,5 @@ kind: Provider
 metadata:
   name: provider-nop
 spec:
-  package: xpkg.upbound.io/crossplane-contrib/provider-nop:v0.2.0
+  package: xpkg.upbound.io/crossplane-contrib/provider-nop:v0.2.1
   ignoreCrossplaneConstraints: true

test/e2e/manifests/apiextensions/composition/patch-and-transform/setup/provider.yaml

@@ -3,5 +3,5 @@ kind: Provider
 metadata:
   name: provider-nop
 spec:
-  package: xpkg.upbound.io/crossplane-contrib/provider-nop:v0.2.0
+  package: xpkg.upbound.io/crossplane-contrib/provider-nop:v0.2.1
   ignoreCrossplaneConstraints: true

test/e2e/manifests/apiextensions/composition/propagate-field-removals/setup/provider.yaml

@@ -3,5 +3,5 @@ kind: Provider
 metadata:
   name: provider-nop
 spec:
-  package: xpkg.upbound.io/crossplane-contrib/provider-nop:v0.2.0
+  package: xpkg.upbound.io/crossplane-contrib/provider-nop:v0.2.1
   ignoreCrossplaneConstraints: true

test/e2e/manifests/apiextensions/composition/realtime-compositions/setup/provider.yaml

@@ -3,5 +3,5 @@ kind: Provider
 metadata:
   name: provider-nop
 spec:
-  package: xpkg.upbound.io/crossplane-contrib/provider-nop:v0.2.0
+  package: xpkg.upbound.io/crossplane-contrib/provider-nop:v0.2.1
   ignoreCrossplaneConstraints: true

test/e2e/manifests/apiextensions/composition/realtime-revision-selection/setup/provider.yaml

@@ -3,5 +3,5 @@ kind: Provider
 metadata:
   name: provider-nop
 spec:
-  package: xpkg.upbound.io/crossplane-contrib/provider-nop:v0.2.0
+  package: xpkg.upbound.io/crossplane-contrib/provider-nop:v0.2.1
   ignoreCrossplaneConstraints: true

test/e2e/manifests/apiextensions/composition/validation/setup/provider.yaml

@@ -3,5 +3,5 @@ kind: Provider
 metadata:
   name: provider-nop
 spec:
-  package: xpkg.upbound.io/crossplane-contrib/provider-nop:v0.2.0
+  package: xpkg.upbound.io/crossplane-contrib/provider-nop:v0.2.1
   ignoreCrossplaneConstraints: true

test/e2e/manifests/apiextensions/environment/setup/provider.yaml

@@ -3,5 +3,5 @@ kind: Provider
 metadata:
   name: provider-nop
 spec:
-  package: xpkg.upbound.io/crossplane-contrib/provider-nop:v0.2.0
+  package: xpkg.upbound.io/crossplane-contrib/provider-nop:v0.2.1
   ignoreCrossplaneConstraints: true

test/e2e/manifests/lifecycle/upgrade/setup/provider.yaml

@@ -3,5 +3,5 @@ kind: Provider
 metadata:
   name: provider-nop
 spec:
-  package: xpkg.upbound.io/crossplane-contrib/provider-nop:v0.2.0
+  package: xpkg.upbound.io/crossplane-contrib/provider-nop:v0.2.1
   ignoreCrossplaneConstraints: true

test/e2e/manifests/pkg/deployment-runtime-config/setup/provider.yaml

@@ -3,5 +3,5 @@ kind: Provider
 metadata:
   name: provider-nop
 spec:
-  package: xpkg.upbound.io/crossplane-contrib/provider-nop:v0.2.0
+  package: xpkg.upbound.io/crossplane-contrib/provider-nop:v0.2.1
   ignoreCrossplaneConstraints: true

test/e2e/manifests/pkg/externally-managed-service-account/setup/provider.yaml

@@ -3,7 +3,7 @@ kind: Provider
 metadata:
   name: provider-nop
 spec:
-  package: xpkg.upbound.io/crossplane-contrib/provider-nop:v0.2.0
+  package: xpkg.upbound.io/crossplane-contrib/provider-nop:v0.2.1
   ignoreCrossplaneConstraints: true
   runtimeConfigRef:
     name: provider-external-sa