cncf
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎.gitignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.golangci.yml‎
Lines changed: 3 additions & 0 deletions b/‎.golangci.yml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎Makefile‎
Lines changed: 125 additions & 22 deletions b/‎Makefile‎
Lines changed: 125 additions & 22 deletions
diff --git a/‎apis/maintainers/v1alpha1/groupversion_info.go‎
Lines changed: 0 additions & 6 deletions b/‎apis/maintainers/v1alpha1/groupversion_info.go‎
Lines changed: 0 additions & 6 deletions
@@ -9,4 +9,5 @@ demo.db
 .dirlocals.el
 ./db/db
 .gocache/
+.modcache/
 coverage.out
@@ -2,6 +2,9 @@ version: "2"
 run:
   modules-download-mode: readonly
   tests: true
+  skip-dirs:
+    - .modcache
+    - .gocache
 linters:
   enable:
     - bodyclose
 
@@ -1,23 +1,52 @@
 TOPDIR=$(PWD)
-GH_ORG_LC="robertkielty"
+GH_ORG_LC=robertkielty
 REGISTRY ?= ghcr.io
 IMAGE ?= $(REGISTRY)/$(GH_ORG_LC)/maintainerd:latest
+SYNC_IMAGE ?= $(REGISTRY)/$(GH_ORG_LC)/maintainerd-sync:latest
 WHOAMI=$(shell whoami)
 
 # Helpful context string for logs
 CTX_STR := $(if $(KUBECONTEXT),$(KUBECONTEXT),$(shell kubectl config current-context 2>/dev/null || echo current))
 
+# kcp release download settings
+KCP_VERSION ?= 0.28.3
+KCP_TAG ?= v$(KCP_VERSION)
+KCP_OS ?= $(shell uname | tr '[:upper:]' '[:lower:]')
+KCP_ARCH ?= $(shell uname -m | sed -e 's/x86_64/amd64/' -e 's/aarch64/arm64/')
+KCP_TAR ?= kcp_$(KCP_VERSION)_$(KCP_OS)_$(KCP_ARCH).tar.gz
+APIGEN_TAR ?= apigen_$(KCP_VERSION)_$(KCP_OS)_$(KCP_ARCH).tar.gz
+KCP_CHECKSUMS ?= kcp_$(KCP_VERSION)_checksums.txt
+KCP_RELEASE_URL ?= https://github.com/kcp-dev/kcp/releases/download/$(KCP_TAG)
+BIN_DIR ?= $(TOPDIR)/bin
+KCP_BIN := $(BIN_DIR)/kcp
+APIGEN_BIN := $(BIN_DIR)/apigen
+CONTROLLER_GEN ?= $(BIN_DIR)/controller-gen
+APIGEN ?= $(APIGEN_BIN)
+GOCACHE_DIR ?= $(TOPDIR)/.gocache
+KCP_CRD_DIR ?= $(TOPDIR)/config/crd/bases
+KCP_SCHEMA_DIR ?= $(TOPDIR)/config/kcp
+KCP_RESOURCES := $(shell ls $(KCP_CRD_DIR)/maintainer-d.cncf.io_*.yaml 2>/dev/null | sed -E 's@.*/maintainer-d\.cncf\.io_([^.]*)\.yaml@\1@')
+GOFMT_PATHS ?= $(shell go list -f '{{.Dir}}' ./...)
+
 # GHCR auth (optional for push). If set, we will docker login before push.
 GHCR_USER  ?= $(DOCKER_REGISTRY_USERNAME)
 GHCR_TOKEN ?= $(GITHUB_GHCR_TOKEN)
 
 
 
 # ---- Image ----
-.PHONY: image
-image:
+.PHONY: image-build
+image-build:
 	@echo "Building container image: $(IMAGE)"
 	@docker buildx build -t $(IMAGE) -f Dockerfile .
+
+.PHONY: sync-image-build
+sync-image-build:
+	@echo "Building sync image: $(SYNC_IMAGE)"
+	@docker buildx build -t $(SYNC_IMAGE) -f deploy/sync/Dockerfile .
+
+.PHONY: image-push
+image-push: image-build
 	@echo "Ensuring docker is logged in to $(REGISTRY) (uses GHCR_TOKEN if set)"
 	@if [ -n "$(GHCR_TOKEN)" ]; then \
 		echo "Logging into $(REGISTRY) as $(GHCR_USER) using token from GHCR_TOKEN"; \
@@ -27,6 +56,9 @@ image:
 	fi
 	@echo "Pushing image: $(IMAGE)"
 	@docker push $(IMAGE)
+
+.PHONY: image-deploy
+image-deploy: image-push
 	@echo "Image pushed. Attempting rollout on context $(CTX_STR)."
 	@CTX_FLAG="$(if $(KUBECONTEXT),--context $(KUBECONTEXT))" ; \
 	if kubectl $$CTX_FLAG config current-context >/dev/null 2>&1; then \
@@ -40,8 +72,41 @@ image:
 		echo "kubectl context $(CTX_STR) unavailable; skipping rollout"; \
 	fi
 
-.PHONY: image-push
-image-push: image
+.PHONY: sync-image-push
+sync-image-push: sync-image-build
+	@echo "Ensuring docker is logged in to $(REGISTRY) (uses GHCR_TOKEN if set)"
+	@if [ -n "$(GHCR_TOKEN)" ]; then \
+		echo "Logging into $(REGISTRY) as $(GHCR_USER) using token from GHCR_TOKEN"; \
+		echo "$(GHCR_TOKEN)" | docker login $(REGISTRY) -u "$(GHCR_USER)" --password-stdin; \
+	else \
+		echo "GHCR_TOKEN not set; attempting push with existing docker auth"; \
+	fi
+	@echo "Pushing image: $(SYNC_IMAGE)"
+	@docker push $(SYNC_IMAGE)
+
+.PHONY: sync-image-deploy
+sync-image-deploy: sync-image-push
+	@echo "Image pushed. Updating CronJob/maintainer-sync in $(NAMESPACE) [ctx=$(CTX_STR)]"
+	@CTX_FLAG="$(if $(KUBECONTEXT),--context $(KUBECONTEXT))" ; \
+	if ! kubectl $$CTX_FLAG config current-context >/dev/null 2>&1; then \
+		echo "kubectl context $(CTX_STR) unavailable; skipping rollout"; exit 0; \
+	fi ; \
+	if ! kubectl -n $(NAMESPACE) $$CTX_FLAG get cronjob/maintainer-sync >/dev/null 2>&1; then \
+		echo "CronJob/maintainer-sync not found in namespace $(NAMESPACE)."; \
+		echo "Hint: apply deploy/manifests/sync.yaml or run 'make sync-apply' (or 'make manifests-apply')."; \
+		exit 1; \
+	fi ; \
+	kubectl -n $(NAMESPACE) $$CTX_FLAG set image cronjob/maintainer-sync '*=$(SYNC_IMAGE)'; \
+	kubectl -n $(NAMESPACE) $$CTX_FLAG delete job -l job-name=maintainer-sync --ignore-not-found; \
+	echo "Next scheduled run will pull $(SYNC_IMAGE)."
+
+.PHONY: sync-apply
+sync-apply:
+	@echo "Applying sync resources in namespace $(NAMESPACE) [ctx=$(CTX_STR)]"
+	@kubectl -n $(NAMESPACE) $(if $(KUBECONTEXT),--context $(KUBECONTEXT)) apply -f deploy/manifests/sync.yaml
+
+.PHONY: image
+image: image-build
 	@true
 
 .PHONY: image-run
@@ -52,7 +117,7 @@ image-run: image
 NAMESPACE ?= maintainerd
 ENVSRC    ?= .envrc
 ENVOUT    ?= bootstrap.env
-KUBECONTEXT ?=context-cdv2c4jfn5q
+KUBECONTEXT ?=
 
 
 # Secret names (keep these stable across clusters)
@@ -87,8 +152,9 @@ help:
 	@echo "make apply-creds     -> create/update $(CREDS_SECRET_NAME) from $(CREDS_FILE)"
 	@echo "make clean-env       -> remove $(ENVOUT)"
 	@echo "make print           -> show which keys would be loaded (without values)"
-	@echo "make image           -> build+push $(IMAGE), then restart Deployment in $(NAMESPACE)"
-	@echo "                      (uses GHCR_TOKEN/GITHUB_GHCR_TOKEN + GHCR_USER/DOCKER_REGISTRY_USERNAME for ghcr login)"
+	@echo "make image-build     -> build container image $(IMAGE) locally"
+	@echo "make image-push      -> build and push $(IMAGE) (uses GHCR_TOKEN/GITHUB_GHCR_TOKEN + GHCR_USER/DOCKER_REGISTRY_USERNAME for ghcr login)"
+	@echo "make image-deploy    -> build, push, and restart Deployment in $(NAMESPACE)"
 	@echo "make ensure-ns       -> ensure namespace $(NAMESPACE) exists"
 	@echo "make apply-ghcr-secret -> create/update docker-registry Secret 'ghcr-secret'"
 	@echo "make manifests-apply -> kubectl apply -f deploy/manifests (prod-only)"
@@ -99,6 +165,7 @@ help:
 	@echo "make maintainerd-drain   -> scale Deployment/maintainerd to 0 and wait for pods to exit"
 	@echo "make maintainerd-port-forward -> forward :2525 -> svc/maintainerd:2525"
 	@echo "make cluster-down    -> delete manifests applied via deploy/manifests"
+	@echo "make kcp-install     -> download kcp $(KCP_VERSION) binaries into $(BIN_DIR)"
 
 # Convert .envrc (export FOO=bar) to KEY=VALUE lines
 # - drops comments/blank lines
@@ -208,6 +275,47 @@ maintainerd-port-forward:
 	@echo "Port-forwarding localhost:2525 -> service/maintainerd:2525 [ctx=$(CTX_STR)]"
 	@kubectl -n $(NAMESPACE) $(if $(KUBECONTEXT),--context $(KUBECONTEXT)) port-forward svc/maintainerd 2525:2525
 
+.PHONY: kcp-install
+kcp-install:
+	@mkdir -p $(BIN_DIR)
+	@echo "Fetching kcp $(KCP_VERSION) for $(KCP_OS)/$(KCP_ARCH)"
+	@TMP_DIR=$$(mktemp -d); \
+	set -euo pipefail; \
+	echo "+ curl -sSL $(KCP_RELEASE_URL)/$(KCP_CHECKSUMS)"; \
+	curl -sSL -o $$TMP_DIR/$(KCP_CHECKSUMS) $(KCP_RELEASE_URL)/$(KCP_CHECKSUMS); \
+	for tarball in $(KCP_TAR) $(APIGEN_TAR); do \
+		echo "+ curl -sSL $(KCP_RELEASE_URL)/$$tarball -o $$TMP_DIR/$$tarball"; \
+		curl -sSL -o $$TMP_DIR/$$tarball $(KCP_RELEASE_URL)/$$tarball; \
+		grep " $$tarball$$" $$TMP_DIR/$(KCP_CHECKSUMS) > $$TMP_DIR/$$tarball.sha256; \
+		SUM=$$(cut -d' ' -f1 $$TMP_DIR/$$tarball.sha256); \
+		( cd $$TMP_DIR && sha256sum --check $$tarball.sha256 ); \
+		echo "Verified $$tarball (sha256=$$SUM)"; \
+	done; \
+	tar -xzf $$TMP_DIR/$(KCP_TAR) -C $(BIN_DIR) --strip-components=1 bin/kcp; \
+	tar -xzf $$TMP_DIR/$(APIGEN_TAR) -C $(BIN_DIR) --strip-components=1 bin/apigen; \
+	chmod +x $(KCP_BIN) $(APIGEN_BIN); \
+	rm -rf $$TMP_DIR; \
+	echo "Installed kcp and apigen into $(BIN_DIR)"
+
+.PHONY: kcp-generate
+kcp-generate:
+	@[ -x "$(CONTROLLER_GEN)" ] || { echo "Missing controller-gen binary at $(CONTROLLER_GEN). Install it or set CONTROLLER_GEN to the binary path."; exit 1; }
+	@[ -x "$(APIGEN)" ] || { echo "Missing apigen binary at $(APIGEN). Run 'make kcp-install' or download it manually."; exit 1; }
+	@mkdir -p $(GOCACHE_DIR) $(KCP_CRD_DIR) $(KCP_SCHEMA_DIR)
+	@echo "Generating CustomResourceDefinitions in $(KCP_CRD_DIR)"
+	@GOCACHE=$(GOCACHE_DIR) $(CONTROLLER_GEN) crd paths=./apis/... output:crd:dir=$(KCP_CRD_DIR)
+	@rm -f $(KCP_CRD_DIR)/_.yaml
+	@TMP_DIR=$$(mktemp -d); \
+		set -euo pipefail; \
+		echo "Rendering APIResourceSchemas with apigen"; \
+		$(APIGEN) --input-dir $(KCP_CRD_DIR) --output-dir $$TMP_DIR; \
+		for resource in $(KCP_RESOURCES); do \
+			cp $$TMP_DIR/apiresourceschema-$$resource.maintainer-d.cncf.io.yaml $(KCP_SCHEMA_DIR)/schema-$$resource.yaml; \
+		done; \
+		cp $$TMP_DIR/apiexport-maintainer-d.cncf.io.yaml $(KCP_SCHEMA_DIR)/api-export.yaml; \
+		rm -rf $$TMP_DIR; \
+		echo "Updated APIExport and APIResourceSchemas in $(KCP_SCHEMA_DIR)"
+
 # ---- Testing and CI ----
 .PHONY: test
 test:
@@ -247,25 +355,20 @@ ci-local:
 	@echo "→ Verifying dependencies..."
 	@go mod verify
 	@echo "→ Running go fmt..."
-	@if [ "$$(gofmt -s -l . | wc -l)" -gt 0 ]; then \
-		echo "❌ Code needs formatting. Run: go fmt ./..."; \
-		gofmt -s -l .; \
+	@GOFILES="$$(find . -path './.modcache' -prune -o -path './.gocache' -prune -o -path './.git' -prune -o -name '*.go' -print)"; \
+	if [ "$$(gofmt -s -l $$GOFILES | wc -l)" -gt 0 ]; then \
+		echo "❌ Code needs formatting. Run: gofmt -w $$(echo $$GOFILES)"; \
+		gofmt -s -l $$GOFILES; \
 		exit 1; \
 	fi
 	@echo "→ Running go vet..."
-	@go vet ./...
+	@go vet # ./...
 	@echo "→ Running staticcheck..."
-	@if command -v staticcheck >/dev/null 2>&1; then \
-		staticcheck ./...; \
-	else \
-		echo "⚠️  staticcheck not installed. Run: go install honnef.co/go/tools/cmd/staticcheck@latest"; \
-	fi
+	@command -v staticcheck >/dev/null 2>&1 || { echo "staticcheck not installed. Run: go install honnef.co/go/tools/cmd/staticcheck@latest"; exit 1; }
+	@staticcheck # ./...
 	@echo "→ Running golangci-lint..."
-	@if command -v golangci-lint >/dev/null 2>&1; then \
-		golangci-lint run ./...; \
-	else \
-		echo "⚠️  golangci-lint not installed. Run: go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest"; \
-	fi
+	@command -v golangci-lint >/dev/null 2>&1 || { echo "golangci-lint not installed. Run: go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest"; exit 1; }
+	@golangci-lint run ./...
 	@echo "→ Running tests with race detector..."
 	@go test -race -coverprofile=coverage.out -covermode=atomic ./...
 	@echo "→ Coverage report:"
 
@@ -24,12 +24,6 @@ var SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
 // AddToScheme adds the types in this group-version to the given scheme.
 var AddToScheme = SchemeBuilder.AddToScheme
 
-// addKnownTypes adds the set of types defined in this package to the supplied scheme.
-func addKnownTypes(scheme *runtime.Scheme) error {
-	scheme.AddKnownTypes(SchemeGroupVersion)
-	return nil
-}
-
 // Resource takes an unqualified resource and returns a Group qualified GroupResource.
 func Resource(resource string) schema.GroupResource {
 	return SchemeGroupVersion.WithResource(resource).GroupResource()