make test-extension config compliant with the clusterctl contract

Author: fabriziopandini

Makefile

@@ -612,8 +612,8 @@ docker-capd-build-all: $(addprefix docker-capd-build-,$(ALL_ARCH)) ## Build capd
 .PHONY: docker-build-test-extension
 docker-build-test-extension: ## Build the docker image for core controller manager
 	DOCKER_BUILDKIT=1 docker build --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$(ARCH) --build-arg ldflags="$(LDFLAGS)" . -t $(TEST_EXTENSION_IMG)-$(ARCH):$(TAG) --file ./test/extension/Dockerfile
-	$(MAKE) set-manifest-image MANIFEST_IMG=$(TEST_EXTENSION_IMG)-$(ARCH) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./test/extension/config/default/extension_image_patch.yaml"
-	$(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./test/extension/config/default/extension_pull_policy.yaml"
+	$(MAKE) set-manifest-image MANIFEST_IMG=$(TEST_EXTENSION_IMG)-$(ARCH) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./test/extension/config/default/manager_image_patch.yaml"
+	$(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./test/extension/config/default/manager_pull_policy.yaml"
 
 .PHONY: e2e-framework
 e2e-framework: ## Builds the CAPI e2e framework
@@ -710,6 +710,7 @@ tilt-up: kind-cluster ## Start tilt and build kind cluster if needed.
 docker-build-e2e: ## Rebuild all Cluster API provider images to be used in the e2e tests
 	$(MAKE) docker-build REGISTRY=gcr.io/k8s-staging-cluster-api PULL_POLICY=IfNotPresent
 	$(MAKE) docker-capd-build REGISTRY=gcr.io/k8s-staging-cluster-api PULL_POLICY=IfNotPresent
+	$(MAKE) docker-build-test-extension REGISTRY=gcr.io/k8s-staging-cluster-api PULL_POLICY=IfNotPresent
 
 ## --------------------------------------
 ## Release

docs/book/src/clusterctl/provider-contract.md

@@ -160,6 +160,8 @@ It is strongly recommended that:
 * Infrastructure providers release a file called `infrastructure-components.yaml`
 * Bootstrap providers release a file called ` bootstrap-components.yaml`
 * Control plane providers release a file called `control-plane-components.yaml`
+* IPAM providers release a file called `ipam-components.yaml`
+* Runtime extensions providers release a file called `runtime-extension-components.yaml`
 
 #### Target namespace
 
@@ -183,15 +185,17 @@ the provider installation.
 
 #### Controllers & Watching namespace
 
-Each provider is expected to deploy controllers using a Deployment.
+Each provider is expected to deploy controllers/runtime extension server using a Deployment.
 
-While defining the Deployment Spec, the container that executes the controller binary MUST be called `manager`.
+While defining the Deployment Spec, the container that executes the controller/runtime extension server binary MUST be called `manager`.
 
-The manager MUST support a `--namespace` flag for specifying the namespace where the controller
+For controllers only, the manager MUST support a `--namespace` flag for specifying the namespace where the controller
 will look for objects to reconcile; however, clusterctl will always install providers watching for all namespaces
 (`--namespace=""`); for more details see [support for multiple instances](../developer/architecture/controllers/support-multiple-instances.md)
 for more context.
 
+While defining Pods for Deployments, canonical names should be used for images.
+
 #### Variables
 
 The components YAML can contain environment variables matching the format ${VAR}; it is highly

test/extension/Dockerfile

@@ -63,12 +63,12 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg/mod \
     CGO_ENABLED=0 GOOS=linux GOARCH=${ARCH} \
     go build -trimpath -ldflags "${ldflags} -extldflags '-static'" \
-    -o /workspace/extension ${package}
+    -o /workspace/manager ${package}
 
 # Production image
 FROM gcr.io/distroless/static:nonroot-${ARCH}
 WORKDIR /
-COPY --from=builder /workspace/extension .
+COPY --from=builder /workspace/manager .
 # Use uid of nonroot user (65532) because kubernetes expects numeric user when applying pod security policies
 USER 65532
-ENTRYPOINT ["/extension"]
+ENTRYPOINT ["/manager"]

test/extension/config/certmanager/certificate.yaml

@@ -12,11 +12,10 @@ kind: Certificate
 metadata:
   name: serving-cert  # this name should match the one appeared in kustomizeconfig.yaml
 spec:
-  # $(TEST_EXTENSION_SERVICE_NAMESPACE) will be substituted by kustomize
-  # $(TEST_EXTENSION_SERVICE_NAMESPACE) will be substituted on deployment
+  # $(SERVICE_NAMESPACE) will be substituted by kustomize
   dnsNames:
-  - $(SERVICE_NAME).${TEST_EXTENSION_SERVICE_NAMESPACE}.svc
-  - $(SERVICE_NAME).${TEST_EXTENSION_SERVICE_NAMESPACE}.svc.cluster.local
+  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
+  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
   # for local testing.
   - localhost
   issuerRef:

test/extension/config/default/kustomization.yaml

@@ -1,23 +1,38 @@
+namespace: test-extension-system
+
+namePrefix: test-extension-
+
 commonLabels:
+  # Label to identify all the providers objects; As per the clusterctl contract the value should be unique.
+  cluster.x-k8s.io/provider: "runtime-extension-test"
 
 resources:
-- extension.yaml
+- namespace.yaml
+- manager.yaml
 - service.yaml
+- service_account.yaml
+# Note: resources specific of the CAPI test-extension, other Runtime extensions provider might want to drop this
 - role.yaml
 - rolebinding.yaml
-- service_account.yaml
 
 bases:
 - ../certmanager
 
 patchesStrategicMerge:
+# Enable webhook with corresponding certificate mount.
+- manager_webhook_patch.yaml
 # Provide customizable hook for make targets.
-- extension_image_patch.yaml
-- extension_pull_policy.yaml
-# Enable webhook.
-- extension_webhook_patch.yaml
+- manager_image_patch.yaml
+- manager_pull_policy.yaml
 
 vars:
+  - name: SERVICE_NAMESPACE
+    objref:
+      kind: Service
+      version: v1
+      name: webhook-service
+    fieldref:
+      fieldpath: metadata.namespace
   - name: SERVICE_NAME
     objref:
       kind: Service

test/extension/config/default/extension.yaml renamed to test/extension/config/default/manager.yaml

@@ -2,24 +2,24 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: test-extension
+  name: manager
 spec:
   selector:
     matchLabels:
-      app: test-extension
+      app: test-extension-manager
   replicas: 1
   template:
     metadata:
       labels:
-        app: test-extension
+        app: test-extension-manager
     spec:
       containers:
       - command:
-        - /extension
+        - /manager
         image: controller:latest
-        name: extension
+        name: manager
       terminationGracePeriodSeconds: 10
-      serviceAccountName: test-extension
+      serviceAccountName: manager
       tolerations:
         - effect: NoSchedule
           key: node-role.kubernetes.io/master

test/extension/config/default/extension_image_patch.yaml renamed to test/extension/config/default/manager_image_patch.yaml

@@ -1,10 +1,10 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: test-extension
+  name: manager
 spec:
   template:
     spec:
       containers:
       - image: gcr.io/k8s-staging-cluster-api/test-extension:main
-        name: extension
+        name: manager

test/extension/config/default/extension_pull_policy.yaml renamed to test/extension/config/default/manager_pull_policy.yaml

@@ -1,10 +1,10 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: test-extension
+  name: manager
 spec:
   template:
     spec:
       containers:
-      - name: extension
+      - name: manager
         imagePullPolicy: Always

test/extension/config/default/extension_webhook_patch.yaml renamed to test/extension/config/default/manager_webhook_patch.yaml

@@ -1,12 +1,12 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: test-extension
+  name: manager
 spec:
   template:
     spec:
       containers:
-      - name: extension
+      - name: manager
         ports:
         - containerPort: 9443
           name: webhook-server

test/extension/config/default/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: system