WIP: Do not submit

experiments/compositions/composition/Makefile

@@ -173,7 +173,7 @@ release-test-kind-manifests: common-test-manifests
 .PHONY: deploy-kind
 deploy-kind: release-test-kind-manifests docker-build docker-build-inline docker-build-expander-jinja2 docker-build-expander-getter 
 	kind delete clusters ${KIND_CLUSTER} || true
-	kind create cluster --name ${KIND_CLUSTER}
+	kind create cluster --name ${KIND_CLUSTER} --config release/kind-config.yaml
 	kind load docker-image ${IMG} --name ${KIND_CLUSTER}
 	kind load docker-image ${INLINE_IMG} --name ${KIND_CLUSTER}
 	kind load docker-image ${JINJA_IMG} --name ${KIND_CLUSTER}

experiments/compositions/composition/config/rbac/role.yaml

@@ -57,6 +57,11 @@ rules:
   - composition.google.com
   resources:
   - compositions
+  - contexts
+  - expanderversions
+  - facades
+  - getterconfigurations
+  - plans
   verbs:
   - create
   - delete
@@ -209,6 +214,25 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - facade.compositions.google.com
+  resources:
+  - '*'
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - facade.compositions.google.com
+  resources:
+  - '*/status'
+  verbs:
+  - get
+  - update
 - apiGroups:
   - facade.facade
   resources:

experiments/compositions/composition/internal/controller/composition_controller.go

@@ -56,7 +56,8 @@ type CompositionReconciler struct {
 	handoffChannels map[schema.GroupVersionKind]chan event.GenericEvent
 }
 
-//+kubebuilder:rbac:groups=composition.google.com,resources=compositions,verbs=get;list;watch;create;update;patch;delete
+// TODO: audit2rbac only listed get, list, watch for these, so this can maybe be split up and reduced?
+//+kubebuilder:rbac:groups=composition.google.com,resources=compositions;contexts;expanderversions;facades;getterconfigurations;plans,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=composition.google.com,resources=compositions/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=composition.google.com,resources=compositions/finalizers,verbs=update
 //+kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;list;watch
@@ -66,6 +67,8 @@ type CompositionReconciler struct {
 //+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=get;list;create;patch;delete
 //+kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=create;get;patch;list;delete
 //+kubebuilder:rbac:groups="batch",resources=jobs,verbs=create;get;patch;list;delete
+//+kubebuilder:rbac:groups=facade.compositions.google.com,resources=*,verbs=get;list;patch;update;watch;create;delete
+//+kubebuilder:rbac:groups=facade.compositions.google.com,resources=*/status,verbs=get;update
 
 // /
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
@@ -361,7 +364,7 @@ func (r *CompositionReconciler) processComposition(
 		InputGVR:                  gvk.GroupVersion().WithResource(crd.Spec.Names.Plural),
 		RESTMapper:                r.mgr.GetRESTMapper(),
 		Config:                    r.mgr.GetConfig(),
-		ComopsitionChangedWatcher: r.handoffChannels[gvk],
+		CompositionChangedWatcher: r.handoffChannels[gvk],
 	}
 
 	if err := expanderController.SetupWithManager(r.mgr, cr); err != nil {

experiments/compositions/composition/internal/controller/expander_reconciler.go

@@ -62,7 +62,7 @@ type ExpanderReconciler struct {
 	InputGVK                  schema.GroupVersionKind
 	InputGVR                  schema.GroupVersionResource
 	Composition               types.NamespacedName
-	ComopsitionChangedWatcher chan event.GenericEvent
+	CompositionChangedWatcher chan event.GenericEvent
 }
 
 type EvaluateWaitError struct {
@@ -628,7 +628,7 @@ func (r *ExpanderReconciler) SetupWithManager(mgr ctrl.Manager, cr *unstructured
 
 	return ctrl.NewControllerManagedBy(mgr).
 		For(cr).
-		WatchesRawSource(&source.Channel{Source: r.ComopsitionChangedWatcher}, handler.EnqueueRequestsFromMapFunc(r.enqueueAllFromGVK)).
+		WatchesRawSource(&source.Channel{Source: r.CompositionChangedWatcher}, handler.EnqueueRequestsFromMapFunc(r.enqueueAllFromGVK)).
 		WithOptions(controller.Options{RateLimiter: ratelimiter}).
 		Complete(r)
 }

experiments/compositions/composition/release/audit-policy.yaml

@@ -0,0 +1,18 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: audit.k8s.io/v1
+kind: Policy
+rules:
+- level: RequestResponse

experiments/compositions/composition/release/crds.yaml

@@ -184,6 +184,21 @@ spec:
                   - type
                   type: object
                 type: array
+              generation:
+                format: int64
+                type: integer
+              stages:
+                additionalProperties:
+                  description: StageStatus captures the status of a stage
+                  properties:
+                    message:
+                      type: string
+                    reason:
+                      type: string
+                    validationStatus:
+                      type: string
+                  type: object
+                type: object
             type: object
         type: object
     served: true
@@ -755,6 +770,13 @@ spec:
           status:
             description: PlanStatus defines the observed state of Plan
             properties:
+              compositionGeneration:
+                description: Composition generation last succesfully reconciled
+                format: int64
+                type: integer
+              compositionUID:
+                description: Composition UID
+                type: string
               conditions:
                 items:
                   description: "Condition contains details for one aspect of the current
@@ -829,19 +851,68 @@ spec:
                 format: int64
                 type: integer
               inputGeneration:
-                description: Facade's generation last we successfully reconciled
+                description: Facade's generation last succesfully reconciled
                 format: int64
                 type: integer
+              lastPruned:
+                items:
+                  properties:
+                    group:
+                      type: string
+                    health:
+                      type: string
+                    kind:
+                      type: string
+                    name:
+                      type: string
+                    namespace:
+                      type: string
+                    status:
+                      type: string
+                    version:
+                      type: string
+                  required:
+                  - health
+                  - kind
+                  type: object
+                type: array
               stages:
                 additionalProperties:
                   description: StageStatus captures the status of a stage
                   properties:
+                    appliedCount:
+                      type: integer
+                    lastApplied:
+                      items:
+                        properties:
+                          group:
+                            type: string
+                          health:
+                            type: string
+                          kind:
+                            type: string
+                          name:
+                            type: string
+                          namespace:
+                            type: string
+                          status:
+                            type: string
+                          version:
+                            type: string
+                        required:
+                        - health
+                        - kind
+                        type: object
+                      type: array
                     resourceCount:
                       type: integer
                   required:
                   - resourceCount
                   type: object
                 type: object
+            required:
+            - compositionGeneration
+            - inputGeneration
             type: object
         type: object
     served: true

experiments/compositions/composition/release/kind-config.yaml

@@ -0,0 +1,43 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+- role: control-plane
+  kubeadmConfigPatches:
+  - |
+    kind: ClusterConfiguration
+    apiServer:
+        # enable auditing flags on the API server
+        extraArgs:
+          audit-log-path: /var/log/kubernetes/kube-apiserver-audit.log
+          audit-policy-file: /etc/kubernetes/policies/audit-policy.yaml
+        # mount new files / directories on the control plane
+        extraVolumes:
+          - name: audit-policies
+            hostPath: /etc/kubernetes/policies
+            mountPath: /etc/kubernetes/policies
+            readOnly: true
+            pathType: "DirectoryOrCreate"
+          - name: "audit-logs"
+            hostPath: "/var/log/kubernetes"
+            mountPath: "/var/log/kubernetes"
+            readOnly: false
+            pathType: DirectoryOrCreate
+  # mount the local file on the control plane
+  extraMounts:
+  - hostPath: release/audit-policy.yaml
+    containerPath: /etc/kubernetes/policies/audit-policy.yaml
+    readOnly: true