Merge branch 'main' into renovate/sigs.k8s.io-controller-runtime-0.x

Author: reshnm

.github/workflows/ci.yaml

@@ -1,4 +1,5 @@
-name: ci
+name: CI
+
 on:
   push:
     tags:
@@ -8,33 +9,10 @@ on:
       - main
   pull_request:
 
-jobs:
-  build:
-    runs-on: ubuntu-24.04
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          submodules: recursive
-
-      - name: Set up Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
-        with:
-          go-version-file: go.mod
+permissions:
+  contents: read
 
-      - name: Install Task
-        uses: arduino/setup-task@v2
-        with:
-          version: 3.42.1
-
-      - name: task generate
-        run: |
-          task generate --verbose
-          git diff --exit-code
-
-      - name: task validate
-        run: task validate --verbose
-
-      - name: task test
-        run: task test --verbose
+jobs:
+  build_validate_test:
+    uses: openmcp-project/build/.github/workflows/ci.lib.yaml@main
+    secrets: inherit

.github/workflows/release.yaml

@@ -4,124 +4,12 @@ on:
   push:
     branches:
       - main
-      
+
 permissions:
   contents: write # we need this to be able to push tags
+  pull-requests: read
 
 jobs:
   release_tag:
-    name: Release version
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          ssh-key: ${{ secrets.PUSH_KEY }}
-          fetch-tags: true
-          fetch-depth: 0
-          submodules: recursive
-
-      - name: Install Task
-        uses: arduino/setup-task@v2
-        with:
-          version: 3.42.1
-
-      - name: Read and validate VERSION
-        id: version
-        run: |
-          VERSION=$(task version)
-          if [[ ! "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-dev(-[0-9a-f]*)?)?$ ]]; then
-            echo "Invalid version format: $VERSION"
-            exit 1
-          fi
-          echo "New version: $VERSION"
-          echo "version=$VERSION" >> $GITHUB_ENV
-
-      - name: Skip release if version is a dev version
-        if: contains(env.version, '-dev')
-        run: |
-          echo "Skipping development version release: ${{ env.version }}"
-          echo "SKIP=true" >> $GITHUB_ENV
-          exit 0
-    
-      - name: Check if VERSION is already tagged
-        id: check_tag
-        run: |
-          if git rev-parse "refs/tags/${{ env.version }}" >/dev/null 2>&1; then
-            echo "Tag ${{ env.version }} already exists. Skipping release."
-            echo "SKIP=true" >> $GITHUB_ENV
-            exit 0
-          fi
-          echo "Tag ${{ env.version }} doesn't exists. Proceeding with release."
-
-      - name: Create Git tag
-        if: ${{ env.SKIP != 'true' }}
-        run: |
-          AUTHOR_NAME=$(git log -1 --pretty=format:'%an')
-          AUTHOR_EMAIL=$(git log -1 --pretty=format:'%ae')
-          echo "Tagging as $AUTHOR_NAME <$AUTHOR_EMAIL>"
-
-          echo "AUTHOR_NAME=$AUTHOR_NAME" >> $GITHUB_ENV
-          echo "AUTHOR_EMAIL=$AUTHOR_EMAIL" >> $GITHUB_ENV
-
-          git config user.name "$AUTHOR_NAME"
-          git config user.email "$AUTHOR_EMAIL"
-
-          git tag -a "${{ env.version }}" -m "Release ${{ env.version }}"
-          git push origin "${{ env.version }}"
-
-      - name: Build Changelog
-        id: github_release
-        uses: mikepenz/release-changelog-builder-action@e92187bd633e680ebfdd15961a7c30b2d097e7ad # v5
-        with:
-          mode: "PR"
-          configurationJson: |
-            {
-              "template": "#{{CHANGELOG}}",
-              "pr_template": "- #{{TITLE}}: ##{{NUMBER}}",
-              "categories": [
-                {
-                    "title": "## Feature",
-                    "labels": ["feat", "feature"]
-                },
-                {
-                    "title": "## Fix",
-                    "labels": ["fix", "bug"]
-                },
-                {
-                    "title": "## Other",
-                    "labels": []
-                }
-              ],
-              "label_extractor": [
-                {
-                  "pattern": "^(build|chore|ci|docs|feat|fix|perf|refactor|revert|style|test){1}(\\([\\w\\-\\.]+\\))?(!)?: ([\\w ])+([\\s\\S]*)",
-                  "on_property": "title",
-                  "target": "$1"
-                }
-              ]
-            }
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Create GitHub release
-        if: ${{ env.SKIP != 'true' }}
-        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2
-        with:
-          tag_name: ${{ env.version }}
-          name: Release ${{ env.version }}
-          body: "Automated release for version ${{ env.version }}"
-          draft: false
-          prerelease: false
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Push dev VERSION
-        if: ${{ env.SKIP != 'true' }}
-        run: |
-          task release:set-version --verbose -- "${{ env.version }}-dev"
-          git config user.name "${{ env.AUTHOR_NAME }}"
-          git config user.email "${{ env.AUTHOR_EMAIL }}"
-          git add VERSION
-          git commit -m "Update VERSION to ${{ env.version }}-dev"
-          git push origin main
+    uses: openmcp-project/build/.github/workflows/release.lib.yaml@main
+    secrets: inherit

.github/workflows/reuse.yaml

@@ -2,10 +2,10 @@ name: REUSE Compliance Check
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps: 
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-    - name: REUSE Compliance Check
-      uses: fsfe/reuse-action@bb774aa972c2a89ff34781233d275075cbddf542 # v5
+  run_reuse:
+    uses: openmcp-project/build/.github/workflows/reuse.lib.yaml@main
+    secrets: inherit

.github/workflows/validate-pr-content.yaml

@@ -0,0 +1,15 @@
+name: Validate Pull Request Content
+
+on:
+  pull_request:
+    types:
+      - opened
+      - edited
+
+permissions:
+  contents: read
+
+jobs:
+  validate_pr_content:
+    uses: openmcp-project/build/.github/workflows/validate-pr-content.lib.yaml@main
+    secrets: inherit

VERSION

@@ -1 +1 @@
-v0.9.0-dev
+v0.10.0

pkg/clusteraccess/access.go

@@ -5,6 +5,8 @@ import (
 	"fmt"
 	"time"
 
+	"sigs.k8s.io/yaml"
+
 	authenticationv1 "k8s.io/api/authentication/v1"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
@@ -341,3 +343,138 @@ func ComputeTokenRenewalTimeWithRatio(creationTime, expirationTime time.Time, ra
 	renewalAt := creationTime.Add(renewalAfter)
 	return renewalAt
 }
+
+// oidcTrustConfig represents the configuration for an OIDC trust relationship.
+// It includes the host of the Kubernetes API server, CA data for TLS verification,
+// and the audience for the OIDC tokens.
+type oidcTrustConfig struct {
+	// Host is the URL of the Kubernetes API server.
+	Host string `json:"host,omitempty"`
+	// CAData is the base64-encoded CA certificate data used to verify the server's TLS certificate.
+	CAData []byte `json:"caData,omitempty"`
+}
+
+// WriteOIDCConfigFromRESTConfig converts a RESTConfig to an OIDC trust configuration format.
+// When creating a Kubernetes deployment, this configuration is used to set up the trust relationship to
+// the target cluster.
+// Example:
+//
+// spec:
+//
+//	template:
+//	  spec:
+//	    volumes:
+//	    - name: oidc-trust-config
+//	      projected:
+//	        sources:
+//	        - secret:
+//	          name: oidc-trust-config
+//	          items:
+//	          - key: host
+//	            path: cluster/host
+//	          - key: caData
+//	            path: cluster/ca.crt
+//	        - serviceAccountToken:
+//	            audience: target-cluster
+//	            path: cluster/token
+//	            expirationSeconds: 3600
+//
+//	    volumeMounts:
+//	    - name: oidc-trust-config
+//	      mountPath: /var/run/secrets/oidc-trust-config
+//	      readOnly: true
+func WriteOIDCConfigFromRESTConfig(restConfig *rest.Config) ([]byte, error) {
+	oidcConfig := &oidcTrustConfig{
+		Host:   restConfig.Host,
+		CAData: restConfig.CAData,
+	}
+
+	configMarshaled, err := yaml.Marshal(oidcConfig)
+	if err != nil {
+		return nil, fmt.Errorf("failed to write OIDC trust config: %w", err)
+	}
+
+	return configMarshaled, nil
+}
+
+// WriteKubeconfigFromRESTConfig converts the RESTConfig to a kubeconfig format.
+// Supported authentication methods are Bearer Token, Username/Password and Client Certificate.
+func WriteKubeconfigFromRESTConfig(restConfig *rest.Config) ([]byte, error) {
+	var authInfo *clientcmdapi.AuthInfo
+
+	id := "cluster"
+
+	type authType string
+	const (
+		authTypeBearerToken authType = "BearerToken"
+		authTypeBasicAuth   authType = "BasicAuth"
+		authTypeClientCert  authType = "ClientCert"
+	)
+	availableAuthTypes := make(map[authType]interface{})
+	if restConfig.BearerToken != "" {
+		availableAuthTypes[authTypeBearerToken] = nil
+	}
+
+	if restConfig.Username != "" && restConfig.Password != "" {
+		availableAuthTypes[authTypeBasicAuth] = nil
+	}
+
+	if restConfig.CertData != nil && restConfig.KeyData != nil {
+		availableAuthTypes[authTypeClientCert] = nil
+	}
+
+	if len(availableAuthTypes) == 0 {
+		return nil, fmt.Errorf("cannot write to kubeconfig when RESTConfig does not contain any supported authentication information")
+	}
+
+	if _, ok := availableAuthTypes[authTypeBearerToken]; ok {
+		authInfo = &clientcmdapi.AuthInfo{
+			Token: restConfig.BearerToken,
+		}
+	}
+
+	if _, ok := availableAuthTypes[authTypeBasicAuth]; ok {
+		authInfo = &clientcmdapi.AuthInfo{
+			Username: restConfig.Username,
+			Password: restConfig.Password,
+		}
+	}
+
+	if _, ok := availableAuthTypes[authTypeClientCert]; ok {
+		authInfo = &clientcmdapi.AuthInfo{
+			ClientCertificateData: restConfig.CertData,
+			ClientKeyData:         restConfig.KeyData,
+		}
+	}
+
+	server := restConfig.Host
+	if restConfig.APIPath != "" {
+		server = fmt.Sprint(server, "/", restConfig.APIPath)
+	}
+
+	kubeConfig := clientcmdapi.Config{
+		CurrentContext: id,
+		Contexts: map[string]*clientcmdapi.Context{
+			id: {
+				AuthInfo: id,
+				Cluster:  id,
+			},
+		},
+		Clusters: map[string]*clientcmdapi.Cluster{
+			id: {
+				Server:                   server,
+				CertificateAuthorityData: restConfig.CAData,
+			},
+		},
+		AuthInfos: map[string]*clientcmdapi.AuthInfo{
+			id: authInfo,
+		},
+	}
+
+	configMarshaled, err := clientcmd.Write(kubeConfig)
+	if err != nil {
+		return nil, fmt.Errorf("failed to write RESTConfig to kubeconfig: %w", err)
+	}
+
+	return configMarshaled, nil
+}