[WIP] remove sensitive data from MR and resolve references just before use to not leak secrets data in to MR after resolved.

.github/workflows/ci.yml

@@ -10,7 +10,7 @@ on:
 
 env:
   # Common versions
-  GO_VERSION: '1.20.12'
+  GO_VERSION: '1.21.7'
   GOLANGCI_VERSION: 'v1.55.2'
   DOCKER_BUILDX_VERSION: 'v0.8.2'
 

Makefile

@@ -35,8 +35,8 @@ GOLANGCILINT_VERSION = 1.55.2
 
 # ====================================================================================
 # Setup Kubernetes tools
-KIND_VERSION = v0.18.0
-UP_VERSION = v0.21.0
+KIND_VERSION = v0.22.0
+UP_VERSION = v0.28.0
 UPTEST_VERSION = v0.9.0
 UP_CHANNEL = stable
 USE_HELM3 = true
@@ -89,7 +89,7 @@ CROSSPLANE_NAMESPACE = crossplane-system
 -include build/makelib/local.xpkg.mk
 -include build/makelib/controlplane.mk
 
-UPTEST_EXAMPLE_LIST ?= "examples/object/object.yaml"
+UPTEST_EXAMPLE_LIST ?= "examples/object/object.yaml,examples/object/object-watching.yaml"
 uptest: $(UPTEST) $(KUBECTL) $(KUTTL)
 	@$(INFO) running automated tests
 	@KUBECTL=$(KUBECTL) KUTTL=$(KUTTL) CROSSPLANE_NAMESPACE=${CROSSPLANE_NAMESPACE} $(UPTEST) e2e "$(UPTEST_EXAMPLE_LIST)" --setup-script=cluster/test/setup.sh || $(FAIL)

README.md

@@ -14,7 +14,7 @@ so using the Crossplane CLI in a Kubernetes cluster where Crossplane is
 installed:
 
 ```console
-kubectl crossplane install provider crossplanecontrib/provider-kubernetes:main
+crossplane xpkg install provider xpkg.upbound.io/crossplane-contrib/provider-kubernetes:v0.13.0
 ```
 
 You may also manually install `provider-kubernetes` by creating a `Provider` directly:
@@ -25,7 +25,7 @@ kind: Provider
 metadata:
   name: provider-kubernetes
 spec:
-  package: "crossplanecontrib/provider-kubernetes:main"
+  package: xpkg.upbound.io/crossplane-contrib/provider-kubernetes:v0.13.0
 ```
 
 ## Developing locally

apis/kubernetes.go

@@ -22,6 +22,7 @@ import (
 
 	objectv1alpha1 "github.com/crossplane-contrib/provider-kubernetes/apis/object/v1alpha1"
 	objectv1alhpa2 "github.com/crossplane-contrib/provider-kubernetes/apis/object/v1alpha2"
+	observedobjectcollectionv1alpha1 "github.com/crossplane-contrib/provider-kubernetes/apis/observedobjectcollection/v1alpha1"
 	templatev1alpha1 "github.com/crossplane-contrib/provider-kubernetes/apis/v1alpha1"
 )
 
@@ -31,6 +32,7 @@ func init() {
 		templatev1alpha1.SchemeBuilder.AddToScheme,
 		objectv1alpha1.SchemeBuilder.AddToScheme,
 		objectv1alhpa2.SchemeBuilder.AddToScheme,
+		observedobjectcollectionv1alpha1.SchemeBuilder.AddToScheme,
 	)
 }
 

apis/object/v1alpha1/conversion.go

@@ -43,7 +43,8 @@ func (src *Object) ConvertTo(dstRaw conversion.Hub) error { // nolint:golint //
 	connectionDetails := []v1alpha2.ConnectionDetail{}
 	for _, cd := range src.Spec.ConnectionDetails {
 		connectionDetails = append(connectionDetails, v1alpha2.ConnectionDetail{
-			ObjectReference: cd.ObjectReference,
+			ObjectReference:       cd.ObjectReference,
+			ToConnectionSecretKey: cd.ToConnectionSecretKey,
 		})
 	}
 
@@ -123,7 +124,8 @@ func (dst *Object) ConvertFrom(srcRaw conversion.Hub) error { // nolint:golint,
 	connectionDetails := []ConnectionDetail{}
 	for _, cd := range src.Spec.ConnectionDetails {
 		connectionDetails = append(connectionDetails, ConnectionDetail{
-			ObjectReference: cd.ObjectReference,
+			ObjectReference:       cd.ObjectReference,
+			ToConnectionSecretKey: cd.ToConnectionSecretKey,
 		})
 	}
 

apis/object/v1alpha1/conversion_test.go

@@ -24,7 +24,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"
 
 	v1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 	"github.com/crossplane/crossplane-runtime/pkg/test"
@@ -64,7 +64,9 @@ func TestConvertTo(t *testing.T) {
 									APIVersion: "v1",
 									Kind:       "Secret",
 									Name:       "topsecret",
+									FieldPath:  "data.token",
 								},
+								ToConnectionSecretKey: "token",
 							},
 						},
 						ForProvider: v1alpha1.ObjectParameters{
@@ -86,9 +88,9 @@ func TestConvertTo(t *testing.T) {
 										Name:       "topsecret",
 										Namespace:  "coolns",
 									},
-									FieldPath: pointer.String("data.password"),
+									FieldPath: ptr.To("data.password"),
 								},
-								ToFieldPath: pointer.String("data"),
+								ToFieldPath: ptr.To("data"),
 							},
 						},
 						Readiness: v1alpha1.Readiness{Policy: v1alpha1.ReadinessPolicySuccessfulCreate},
@@ -111,7 +113,9 @@ func TestConvertTo(t *testing.T) {
 									APIVersion: "v1",
 									Kind:       "Secret",
 									Name:       "topsecret",
+									FieldPath:  "data.token",
 								},
+								ToConnectionSecretKey: "token",
 							},
 						},
 						ForProvider: v1alpha2.ObjectParameters{
@@ -132,9 +136,9 @@ func TestConvertTo(t *testing.T) {
 										Name:       "topsecret",
 										Namespace:  "coolns",
 									},
-									FieldPath: pointer.String("data.password"),
+									FieldPath: ptr.To("data.password"),
 								},
-								ToFieldPath: pointer.String("data"),
+								ToFieldPath: ptr.To("data"),
 							},
 						},
 						Readiness: v1alpha2.Readiness{Policy: v1alpha2.ReadinessPolicySuccessfulCreate},
@@ -196,7 +200,9 @@ func TestConvertTo(t *testing.T) {
 									APIVersion: "v1",
 									Kind:       "Secret",
 									Name:       "topsecret",
+									FieldPath:  "data.token",
 								},
+								ToConnectionSecretKey: "token",
 							},
 						},
 						ForProvider: v1alpha1.ObjectParameters{
@@ -229,7 +235,9 @@ func TestConvertTo(t *testing.T) {
 									APIVersion: "v1",
 									Kind:       "Secret",
 									Name:       "topsecret",
+									FieldPath:  "data.token",
 								},
+								ToConnectionSecretKey: "token",
 							},
 						},
 						ForProvider: v1alpha2.ObjectParameters{
@@ -312,7 +320,9 @@ func TestConvertFrom(t *testing.T) {
 									APIVersion: "v1",
 									Kind:       "Secret",
 									Name:       "topsecret",
+									FieldPath:  "data.token",
 								},
+								ToConnectionSecretKey: "token",
 							},
 						},
 						ForProvider: v1alpha2.ObjectParameters{
@@ -333,9 +343,9 @@ func TestConvertFrom(t *testing.T) {
 										Name:       "topsecret",
 										Namespace:  "coolns",
 									},
-									FieldPath: pointer.String("data.password"),
+									FieldPath: ptr.To("data.password"),
 								},
-								ToFieldPath: pointer.String("data"),
+								ToFieldPath: ptr.To("data"),
 							},
 						},
 						Readiness: v1alpha2.Readiness{Policy: v1alpha2.ReadinessPolicySuccessfulCreate},
@@ -357,7 +367,9 @@ func TestConvertFrom(t *testing.T) {
 									APIVersion: "v1",
 									Kind:       "Secret",
 									Name:       "topsecret",
+									FieldPath:  "data.token",
 								},
+								ToConnectionSecretKey: "token",
 							},
 						},
 						ForProvider: v1alpha1.ObjectParameters{
@@ -379,9 +391,9 @@ func TestConvertFrom(t *testing.T) {
 										Name:       "topsecret",
 										Namespace:  "coolns",
 									},
-									FieldPath: pointer.String("data.password"),
+									FieldPath: ptr.To("data.password"),
 								},
-								ToFieldPath: pointer.String("data"),
+								ToFieldPath: ptr.To("data"),
 							},
 						},
 						Readiness: v1alpha1.Readiness{Policy: v1alpha1.ReadinessPolicySuccessfulCreate},
@@ -407,7 +419,9 @@ func TestConvertFrom(t *testing.T) {
 									APIVersion: "v1",
 									Kind:       "Secret",
 									Name:       "topsecret",
+									FieldPath:  "data.token",
 								},
+								ToConnectionSecretKey: "token",
 							},
 						},
 						ForProvider: v1alpha2.ObjectParameters{
@@ -438,7 +452,9 @@ func TestConvertFrom(t *testing.T) {
 									APIVersion: "v1",
 									Kind:       "Secret",
 									Name:       "topsecret",
+									FieldPath:  "data.token",
 								},
+								ToConnectionSecretKey: "token",
 							},
 						},
 						ForProvider: v1alpha1.ObjectParameters{

apis/object/v1alpha1/types.go

@@ -124,6 +124,14 @@ type ObjectSpec struct {
 	ManagementPolicy `json:"managementPolicy,omitempty"`
 	References       []Reference `json:"references,omitempty"`
 	Readiness        Readiness   `json:"readiness,omitempty"`
+	// Watch enables watching the referenced or managed kubernetes resources.
+	//
+	// THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored
+	// unless "watches" feature gate is enabled, and may be changed or removed
+	// without notice.
+	// +optional
+	// +kubebuilder:default=false
+	Watch bool `json:"watch,omitempty"`
 }
 
 // ReadinessPolicy defines how the Object's readiness condition should be computed.

apis/object/v1alpha2/types.go

@@ -97,6 +97,14 @@ type ObjectSpec struct {
 	ForProvider       ObjectParameters   `json:"forProvider"`
 	References        []Reference        `json:"references,omitempty"`
 	Readiness         Readiness          `json:"readiness,omitempty"`
+	// Watch enables watching the referenced or managed kubernetes resources.
+	//
+	// THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored
+	// unless "watches" feature gate is enabled, and may be changed or removed
+	// without notice.
+	// +optional
+	// +kubebuilder:default=false
+	Watch bool `json:"watch,omitempty"`
 }
 
 // ReadinessPolicy defines how the Object's readiness condition should be computed.

apis/observedobjectcollection/v1alpha1/doc.go

@@ -0,0 +1,22 @@
+/*
+Copyright 2024 The Crossplane Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1alpha1 contains the v1alpha1 group ObservedObjectCollection resources of the Kubernetes provider.
+// +kubebuilder:ac:generate=true
+// +kubebuilder:object:generate=true
+// +groupName=kubernetes.crossplane.io
+// +versionName=v1alpha1
+package v1alpha1

apis/observedobjectcollection/v1alpha1/register.go

@@ -0,0 +1,50 @@
+/*
+Copyright 2024 The Crossplane Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"reflect"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+// Package type metadata.
+const (
+	Group   = "kubernetes.crossplane.io"
+	Version = "v1alpha1"
+)
+
+var (
+	// SchemeGroupVersion is group version used to register these objects
+	SchemeGroupVersion = schema.GroupVersion{Group: Group, Version: Version}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
+	SchemeBuilder = &scheme.Builder{GroupVersion: SchemeGroupVersion}
+)
+
+// ProviderConfig type metadata.
+var (
+	ObservedObjectCollectionKind             = reflect.TypeOf(ObservedObjectCollection{}).Name()
+	ObservedObjectCollectionGroupKind        = schema.GroupKind{Group: Group, Kind: ObservedObjectCollectionKind}.String()
+	ObservedObjectCollectionAPIVersion       = ObservedObjectCollectionKind + "." + SchemeGroupVersion.String()
+	ObservedObjectCollectionGroupVersionKind = SchemeGroupVersion.WithKind(ObservedObjectCollectionKind)
+)
+
+func init() {
+	SchemeBuilder.Register(&ObservedObjectCollection{}, &ObservedObjectCollectionList{})
+}