klippy: a controller that auto-instantiates packages

porch/controllers/klippy/README.md

@@ -0,0 +1,44 @@
+# Overview
+
+klippy is a controller that proposes creating packages as a child of a
+parent package, where all the bindings can be satisfied.
+
+The idea is that packages in this "proposed by robot" state can
+provide a guided authoring experience, and we can communicate these
+paths through the existing API.
+
+The controller and the idea of package proposals should be considered
+exploration / experimental.
+
+# Bindings
+
+The idea of bindings is that a blueprint author can include some
+objects that are specially marked with the
+`config.kubernetes.io/local-config` = `binding` annotation.  Those are
+binding objects.
+
+Because those binding objects are `local-config`, they will not be
+applied to the cluster as part of the package.  Instead, those objects
+normally come from a parent package.
+
+The value of a binding object comes when we replace the placeholder
+values with the actual values from the parent.  We do a semantically
+aware rename, so - for example - if a binding objects is a namespace,
+all the objects in the binding placeholder namespace would be changed
+to be in the newly bound namespace.
+
+If the object is something like a ConfigMap, we would update all the
+references to that ConfigMap, for example in pod volumes.
+
+# klippy: auto-binding
+
+The idea of the klippy controller therefore is to eagerly look for
+places where we can instantiate a child package under a parent
+package, where all the bindings can be satisfied.
+
+We match bindings based on the Group/Version/Kind.  Additionally, if
+the binding object has labels, we'll look for those labels on the
+parent package object (this was needed because otherwise we were
+over-proposing on common objects like Namespaces, in practice we need
+some sort of "intent" label on Namespaces or GCP Projects/Folders,
+that indicates what we expect them to contain)

porch/controllers/klippy/config/rbac/role.yaml

@@ -0,0 +1,61 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: porch-controllers-klippy
+rules:
+- apiGroups:
+  - porch.kpt.dev
+  resources:
+  - packagerevisionresources
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - porch.kpt.dev
+  resources:
+  - packagerevisionresources/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - porch.kpt.dev
+  resources:
+  - packagerevisions
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - porch.kpt.dev
+  resources:
+  - packagerevisions/status
+  verbs:
+  - get
+  - patch
+  - update

porch/controllers/klippy/config/rbac/rolebinding.yaml

@@ -0,0 +1,26 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: porch-system:porch-controllers-klippy
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: porch-controllers-klippy
+subjects:
+- kind: ServiceAccount
+  name: porch-controllers
+  namespace: porch-system

porch/controllers/klippy/doc.go

@@ -0,0 +1,17 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package klippy
+
+//go:generate go run sigs.k8s.io/controller-tools/cmd/controller-gen@v0.8.0 rbac:roleName=porch-controllers-klippy webhook paths="./..." output:rbac:artifacts:config=config/rbac