Implement partial cleanups (#25)

Author: liam-mackie

.dockerignore

@@ -1,3 +1,11 @@
 # More info: https://docs.docker.com/engine/reference/builder/#dockerignore-file
-# Ignore build and test binaries.
-bin/
+# Ignore everything by default and re-include only needed files
+**
+
+# Re-include Go source files (but not *_test.go)
+!**/*.go
+**/*_test.go
+
+# Re-include Go module files
+!go.mod
+!go.sum

.github/workflows/lint.yml

@@ -20,4 +20,4 @@ jobs:
       - name: Run linter
         uses: golangci/golangci-lint-action@v8
         with:
-          version: v2.1.6
+          version: v2.4.0

Dockerfile

@@ -1,23 +1,31 @@
-# Build
-FROM --platform=$BUILDPLATFORM golang:1.24-alpine AS build
-WORKDIR /build
+# Build the manager binary
+FROM golang:1.25 AS builder
+ARG TARGETOS
+ARG TARGETARCH
 
-# Dependency installation
-COPY go.mod go.sum ./
-RUN --mount=type=cache,target=/go/pkg/mod go mod download
+WORKDIR /workspace
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
 
-# Build the app from source
+# Copy the Go source (relies on .dockerignore to filter)
 COPY . .
-ARG TARGETOS TARGETARCH
-RUN --mount=type=cache,target=/root/.cache/go-build \
-    --mount=type=cache,target=/go/pkg \
-    CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o manager cmd/main.go
 
-# Runtime image
-FROM gcr.io/distroless/static:nonroot
+# Build
+# the GOARCH has no default value to allow the binary to be built according to the host where the command
+# was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
+# the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
+# by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager cmd/main.go
 
-# Copy only the binary from the build stage to the final image
-COPY --from=build /build/manager /
+# Use distroless as minimal base image to package the manager binary
+# Refer to https://github.com/GoogleContainerTools/distroless for more details
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /
+COPY --from=builder /workspace/manager .
+USER 65532:65532
 
-# Set the entry point for the container
 ENTRYPOINT ["/manager"]

Makefile

@@ -83,7 +83,7 @@ setup-test-e2e: ## Set up a Kind cluster for e2e tests if it does not exist
 
 .PHONY: test-e2e
 test-e2e: setup-test-e2e manifests generate fmt vet ## Run the e2e tests. Expected an isolated environment using Kind.
-	KIND_CLUSTER=$(KIND_CLUSTER) go test ./test/e2e/ -v -ginkgo.v
+	KIND=$(KIND) KIND_CLUSTER=$(KIND_CLUSTER) go test -tags=e2e ./test/e2e/ -v -ginkgo.v
 	$(MAKE) cleanup-test-e2e
 
 .PHONY: install-cert-manager
@@ -179,11 +179,13 @@ endif
 
 .PHONY: install
 install: manifests kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config.
-	$(KUSTOMIZE) build config/crd | $(KUBECTL) apply -f -
+	@out="$$( $(KUSTOMIZE) build config/crd 2>/dev/null || true )"; \
+	if [ -n "$$out" ]; then echo "$$out" | $(KUBECTL) apply -f -; else echo "No CRDs to install; skipping."; fi
 
 .PHONY: uninstall
 uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
-	$(KUSTOMIZE) build config/crd | $(KUBECTL) delete --ignore-not-found=$(ignore-not-found) -f -
+	@out="$$( $(KUSTOMIZE) build config/crd 2>/dev/null || true )"; \
+	if [ -n "$$out" ]; then echo "$$out" | $(KUBECTL) delete --ignore-not-found=$(ignore-not-found) -f -; else echo "No CRDs to delete; skipping."; fi
 
 .PHONY: deploy
 deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
@@ -214,13 +216,13 @@ ENVTEST ?= $(LOCALBIN)/setup-envtest
 GOLANGCI_LINT = $(LOCALBIN)/golangci-lint
 
 ## Tool Versions
-KUSTOMIZE_VERSION ?= v5.6.0
-CONTROLLER_TOOLS_VERSION ?= v0.18.0
+KUSTOMIZE_VERSION ?= v5.7.1
+CONTROLLER_TOOLS_VERSION ?= v0.19.0
 #ENVTEST_VERSION is the version of controller-runtime release branch to fetch the envtest setup script (i.e. release-0.20)
 ENVTEST_VERSION ?= $(shell go list -m -f "{{ .Version }}" sigs.k8s.io/controller-runtime | awk -F'[v.]' '{printf "release-%d.%d", $$2, $$3}')
 #ENVTEST_K8S_VERSION is the version of Kubernetes to use for setting up ENVTEST binaries (i.e. 1.31)
 ENVTEST_K8S_VERSION ?= $(shell go list -m -f "{{ .Version }}" k8s.io/api | awk -F'[v.]' '{printf "1.%d", $$3}')
-GOLANGCI_LINT_VERSION ?= v2.1.6
+GOLANGCI_LINT_VERSION ?= v2.4.0
 
 .PHONY: kustomize
 kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary.
@@ -255,13 +257,13 @@ $(GOLANGCI_LINT): $(LOCALBIN)
 # $2 - package url which can be installed
 # $3 - specific version of package
 define go-install-tool
-@[ -f "$(1)-$(3)" ] || { \
+@[ -f "$(1)-$(3)" ] && [ "$$(readlink -- "$(1)" 2>/dev/null)" = "$(1)-$(3)" ] || { \
 set -e; \
 package=$(2)@$(3) ;\
 echo "Downloading $${package}" ;\
-rm -f $(1) || true ;\
+rm -f $(1) ;\
 GOBIN=$(LOCALBIN) go install $${package} ;\
 mv $(1) $(1)-$(3) ;\
 } ;\
-ln -sf $(1)-$(3) $(1)
+ln -sf $$(realpath $(1)-$(3)) $(1)
 endef

PROJECT

@@ -2,7 +2,7 @@
 # This file is used to track the info used to scaffold your project
 # and allow the plugins properly work.
 # More info: https://book.kubebuilder.io/reference/project-config.html
-cliVersion: 4.7.1
+cliVersion: 4.9.0
 domain: agent.octopus.com
 layout:
 - go.kubebuilder.io/v4

api/v1beta1/clusterworkloadserviceaccount_types.go

@@ -99,6 +99,10 @@ type ClusterWorkloadServiceAccountList struct {
 	Items           []ClusterWorkloadServiceAccount `json:"items"`
 }
 
+func (cwsa *ClusterWorkloadServiceAccount) GetConditions() *[]metav1.Condition {
+	return &cwsa.Status.Conditions
+}
+
 func init() {
 	SchemeBuilder.Register(&ClusterWorkloadServiceAccount{}, &ClusterWorkloadServiceAccountList{})
 }

api/v1beta1/workloadserviceaccount_types.go

@@ -113,6 +113,10 @@ type WorkloadServiceAccountList struct {
 	Items           []WorkloadServiceAccount `json:"items"`
 }
 
+func (wsa *WorkloadServiceAccount) GetConditions() *[]metav1.Condition {
+	return &wsa.Status.Conditions
+}
+
 func init() {
 	SchemeBuilder.Register(&WorkloadServiceAccount{}, &WorkloadServiceAccountList{})
 }

cmd/main.go

@@ -17,6 +17,7 @@ limitations under the License.
 package main
 
 import (
+	"context"
 	"crypto/tls"
 	"flag"
 	"os"
@@ -50,6 +51,24 @@ import (
 	// +kubebuilder:scaffold:imports
 )
 
+type StartupReconciler struct {
+	engine *rules.InMemoryEngine
+}
+
+func (s *StartupReconciler) Start(ctx context.Context) error {
+	setupLog.Info("Running initial full reconciliation")
+	if err := s.engine.Reconcile(ctx); err != nil {
+		setupLog.Error(err, "failed to run initial reconciliation")
+		return err
+	}
+	setupLog.Info("Initial reconciliation completed successfully")
+	return nil
+}
+
+func (s *StartupReconciler) NeedLeaderElection() bool {
+	return true
+}
+
 var (
 	scheme                = runtime.NewScheme()
 	setupLog              = ctrl.Log.WithName("setup")
@@ -144,7 +163,7 @@ func main() {
 
 	// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
 	// More info:
-	// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.21.0/pkg/metrics/server
+	// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.22.1/pkg/metrics/server
 	// - https://book.kubebuilder.io/reference/metrics.html
 	metricsServerOptions := metricsserver.Options{
 		BindAddress:   metricsAddr,
@@ -156,7 +175,7 @@ func main() {
 		// FilterProvider is used to protect the metrics endpoint with authn/authz.
 		// These configurations ensure that only authorized users and service accounts
 		// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info:
-		// https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.21.0/pkg/metrics/filters#WithAuthenticationAndAuthorization
+		// https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.22.1/pkg/metrics/filters#WithAuthenticationAndAuthorization
 		metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
 	}
 
@@ -232,12 +251,16 @@ func main() {
 
 	var engine rules.InMemoryEngine
 	if len(targetNamespaces) > 0 {
-		engine = rules.NewInMemoryEngineWithNamespaces(mgr.GetClient(), targetNamespaces)
+		engine = rules.NewInMemoryEngineWithNamespaces(mgr.GetClient(), mgr.GetScheme(), targetNamespaces)
 	} else {
-		engine = rules.NewInMemoryEngine(mgr.GetClient(), targetNamespaceRegex)
+		engine = rules.NewInMemoryEngine(mgr.GetClient(), mgr.GetScheme(), targetNamespaceRegex)
 	}
 
-	// Create the rules engine instance
+	// Add startup runnable to perform initial full reconciliation
+	if err := mgr.Add(&StartupReconciler{engine: &engine}); err != nil {
+		setupLog.Error(err, "unable to add startup reconciler")
+		os.Exit(1)
+	}
 
 	// Create new prometheus metrics collector instance
 	octopusMetricsCollector := metrics.NewOctopusMetricsCollector(mgr.GetClient(), &engine)

config/certificates-only/kustomization.yaml

@@ -5,6 +5,7 @@ resources:
 - ./namespace.yaml
 - ../webhook
 - ../certmanager
+- ../local-debug
 
 replacements:
  - source: # Uncomment the following block if you have any webhook

config/crd/bases/agent.octopus.com_clusterworkloadserviceaccounts.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.18.0
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: clusterworkloadserviceaccounts.agent.octopus.com
 spec:
   group: agent.octopus.com