Merge pull request #123529 from thockin/go-workspaces

 Go workspaces for k/k and k/staging/*

.gitignore

@@ -1,7 +1,3 @@
-# gopls gets indigestion without go.work, CI gets indigestion WITH go.work
-/go.work
-/go.work.sum
-
 # OSX leaves these everywhere on SMB shares
 ._*
 

README.md

@@ -43,8 +43,6 @@ If you want to build Kubernetes right away there are two options:
 ##### You have a working [Go environment].
 
 ```
-mkdir -p $GOPATH/src/k8s.io
-cd $GOPATH/src/k8s.io
 git clone https://github.com/kubernetes/kubernetes
 cd kubernetes
 make

api/openapi-spec/v3/apis__internal.apiserver.k8s.io__v1alpha1_openapi.json

@@ -124,7 +124,8 @@
         "required": [
           "type",
           "status",
-          "reason"
+          "reason",
+          "message"
         ],
         "type": "object"
       },

api/openapi-spec/v3/apis__networking.k8s.io__v1alpha1_openapi.json

@@ -97,6 +97,9 @@
             "description": "ParentRef references the resource that an IPAddress is attached to. An IPAddress must reference a parent object."
           }
         },
+        "required": [
+          "parentRef"
+        ],
         "type": "object"
       },
       "io.k8s.api.networking.v1alpha1.ParentReference": {
@@ -119,6 +122,10 @@
             "type": "string"
           }
         },
+        "required": [
+          "resource",
+          "name"
+        ],
         "type": "object"
       },
       "io.k8s.api.networking.v1alpha1.ServiceCIDR": {

build/common.sh

@@ -81,6 +81,7 @@ readonly LOCAL_OUTPUT_IMAGE_STAGING="${LOCAL_OUTPUT_ROOT}/images"
 # This is a symlink to binaries for "this platform" (e.g. build tools).
 readonly THIS_PLATFORM_BIN="${LOCAL_OUTPUT_ROOT}/bin"
 
+readonly KUBE_GO_PACKAGE=k8s.io/kubernetes
 readonly REMOTE_ROOT="/go/src/${KUBE_GO_PACKAGE}"
 readonly REMOTE_OUTPUT_ROOT="${REMOTE_ROOT}/_output"
 readonly REMOTE_OUTPUT_SUBPATH="${REMOTE_OUTPUT_ROOT}/dockerized"

build/root/Makefile

@@ -48,7 +48,6 @@ MAKEFLAGS += --warn-undefined-variables
 .EXPORT_ALL_VARIABLES:
 OUT_DIR ?= _output
 BIN_DIR := $(OUT_DIR)/bin
-PRJ_SRC_PATH := k8s.io/kubernetes
 
 ifdef KUBE_GOFLAGS
 $(info KUBE_GOFLAGS is now deprecated. Please use GOFLAGS instead.)
@@ -67,9 +66,9 @@ define ALL_HELP_INFO
 # Build code.
 #
 # Args:
-#   WHAT: Directory names to build.  If any of these directories has a 'main'
-#     package, the build will produce executable files under $(OUT_DIR)/bin.
-#     If not specified, "everything" will be built.
+#   WHAT: Directory or Go package names to build.  If any of these directories
+#   has a 'main' package, the build will produce executable files under
+#   $(OUT_DIR)/bin.  If not specified, "everything" will be built.
 #     "vendor/<module>/<path>" is accepted as alias for "<module>/<path>".
 #     "ginkgo" is an alias for the ginkgo CLI.
 #   GOFLAGS: Extra flags to pass to 'go' when building.
@@ -83,9 +82,9 @@ define ALL_HELP_INFO
 #   make all
 #   make all WHAT=cmd/kubelet GOFLAGS=-v
 #   make all DBG=1
-#     Note: Specify DBG=1 for building unstripped binaries, which allows you to use code debugging
-#           tools like delve. When DBG is unspecified, it defaults to "-s -w" which strips debug
-#           information.
+#     Note: Specify DBG=1 for building unstripped binaries, which allows you to
+#     use code debugging tools like delve. When DBG is unspecified, it defaults
+#     to "-s -w" which strips debug information.
 endef
 .PHONY: all
 ifeq ($(PRINT_HELP),y)

build/tools.go

@@ -23,12 +23,10 @@ package tools
 import (
 	// build script dependencies
 	_ "github.com/onsi/ginkgo/v2/ginkgo"
+	_ "k8s.io/code-generator/cmd/deepcopy-gen"
+	_ "k8s.io/code-generator/cmd/defaulter-gen"
 	_ "k8s.io/code-generator/cmd/go-to-protobuf"
 	_ "k8s.io/code-generator/cmd/go-to-protobuf/protoc-gen-gogo"
-	_ "k8s.io/gengo/examples/deepcopy-gen/generators"
-	_ "k8s.io/gengo/examples/defaulter-gen/generators"
-	_ "k8s.io/gengo/examples/import-boss/generators"
-	_ "k8s.io/gengo/examples/set-gen/generators"
 	_ "k8s.io/kube-openapi/cmd/openapi-gen"
 
 	// submodule test dependencies

cmd/import-boss/README.md

@@ -0,0 +1,104 @@
+## Purpose
+
+`import-boss` enforces optional import restrictions between packages.  This is
+useful to manage the dependency graph within a large repository, such as
+[kubernetes](https://github.com/kubernetes/kubernetes).
+
+## How does it work?
+
+When a package is verified, `import-boss` looks for a file called
+`.import-restrictions` in the same directory and all parent directories, up to
+the module root (defined by the presence of a go.mod file).  These files
+contain rules which are evaluated against each dependency of the package in
+question.
+
+Evaluation starts with the rules file closest to the package.  If that file
+makes a determination to allow or forbid the import, evaluation is done.  If
+the import does not match any rule, the next-closest rules file is consulted,
+and so forth.  If the rules files are exhausted and no determination has been
+made, the import will be flagged as an error.
+
+### What are rules files?
+
+A rules file is a JSON or YAML document with two top-level keys, both optional:
+* `Rules`
+* `InverseRules`
+
+### What are Rules?
+
+A `rule` defines a policy to be enforced on packages which are depended on by
+the package in question.  It consists of three parts:
+  - A `SelectorRegexp`, to select the import paths that the rule applies to.
+  - A list of `AllowedPrefixes`
+  - A list of `ForbiddenPrefixes`
+
+An import is allowed if it matches at least one allowed prefix and does not
+match any forbidden prefixes.
+
+Rules also have a boolean `Transitive` option. When this option is true, the
+rule is applied to transitive imports.
+
+Example:
+
+```json
+{
+  "Rules": [
+    {
+      "SelectorRegexp": "example[.]com",
+      "AllowedPrefixes": [
+        "example.com/project/package",
+        "example.com/other/package"
+      ],
+      "ForbiddenPrefixes": [
+        "example.com/legacy/package"
+      ]
+    },
+    {
+      "SelectorRegexp": "^unsafe$",
+      "AllowedPrefixes": [],
+      "ForbiddenPrefixes": [ "" ],
+      "Transitive": true
+    }
+  ]
+}
+```
+
+The `SelectorRegexp` specifies that this rule applies only to imports which
+match that regex.
+
+Note: an empty list (`[]`) matches nothing, and an empty string (`""`) is a
+prefix of everything.
+
+### What are InverseRules?
+
+In contrast to rules, which are defined in terms of "things this package
+depends on", inverse rules are defined in terms of "things which import this
+package".  This allows for fine-grained import restrictions for "semi-private
+packages" which are more sophisticated than Go's `internal` convention.
+
+If inverse rules are found, then all known imports of the package are checked
+against each such rule, in the same fashion as regular rules.  Note that this
+can only handle known imports, which is defined as any package which is also
+being considered by this `import-boss` run.  For most repositories, `./...` will
+suffice.
+
+Example:
+
+```yaml
+inverseRules:
+  - selectorRegexp: example[.]com
+    allowedPrefixes:
+      - example.com/this-same-repo
+      - example.com/close-friend/legacy
+    forbiddenPrefixes:
+      - example.com/other-project
+  - selectorRegexp: example[.]com
+    transitive: true
+    forbiddenPrefixes:
+      - example.com/other-team
+```
+
+## How do I run import-boss?
+
+For most scenarios, simply running `import-boss ./...` will work.  For projects
+which use Go workspaces, this can even span multiple modules.