Closed
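--- a/.github/workflows/unit-runtime.yaml
+++ b/.github/workflows/unit-runtime.yaml
@@ -0,0 +1,40 @@
+jobs:
+unit:
+runs-on: [ubuntu-latest]
+timeout-minutes: 8
+steps:
+- name: Set up Go 1.x
+uses: actions/setup-go@v2
+with:
+# If you thinking to upgrade - don't. https://github.com/creack/pty/pull/109
+# We would lose windows ssh support :/ windows agent stops building on windows
+go-version: v1.23.4
+id: go
+- name: Check out code
+uses: actions/checkout@v2
+
+- name: Unit tests RUNTIME
+id: coverage
+shell: bash
+env:
+ACTIONS_ALLOW_UNSECURE_COMMANDS: 'true'
+run: |
+make test-runtime
+COVERAGE=$(go tool cover -func profile.cov | grep total: | awk '{print $3}')
+echo "\n\nCoverage will be $COVERAGE"
+echo "::set-env name=COVERAGE::$COVERAGE"
+- run: |
+echo "${{env.COVERAGE}}"
+echo $COVERAGE
+- name: 'Comment PR'
+if: ${{ github.ref != 'refs/heads/main' }}
+uses: actions/github-script@v5
+with:
+github-token: ${{ secrets.GITHUB_TOKEN }}
+script: |
+github.rest.issues.createComment({
+issue_number: context.issue.number,
+owner: context.repo.owner,
+repo: context.repo.repo,
+body: `${{env.COVERAGE}}`
+})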
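Review bot: The `Unit tests RUNTIME` step sets `ACTIONS_ALLOW_UNSECURE_COMMANDS: 'true'` to keep using the `::set-env` workflow command, which GitHub disabled because any text printed to the step log, including test output from `make test-runtime`, can then set environment variables for later steps. Export the value through the environment file instead, `echo "COVERAGE=$COVERAGE" >> "$GITHUB_ENV"`, and remove the override. In `Comment PR`, the `${{env.COVERAGE}}` expression inside the `body:` template literal is substituted into the script source before it runs; pass the value through the step's `env:` and read `process.env.COVERAGE` so it is never parsed as JavaScript. As rendered, the new file starts at `jobs:` with no `on:` trigger or `permissions:` block, and the actions are referenced by mutable tags (`@v2`, `@v5`) rather than commit SHAs.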
4 changes: 4 additions & 0 deletions .ko.yaml
@@ -10,3 +10,7 @@ builds:
dir: ./cmd/example-backend
ldflags:
- "{{ .Env.LDFLAGS }}"
- id: example-backend-kcp
dir: ./contrib/example-backend-kcp/cmd/backend
ldflags:
- "{{ .Env.LDFLAGS }}"
4 changes: 3 additions & 1 deletion Makefile
@@ -19,6 +19,7 @@ GO_INSTALL = ./hack/go-install.sh

ROOT_DIR=$(abspath .)
TOOLS_DIR=hack/tools
ROOT_DIR=$(abspath .)
TOOLS_GOBIN_DIR := $(abspath $(TOOLS_DIR))
GOBIN_DIR=$(abspath ./bin )
PATH := $(GOBIN_DIR):$(TOOLS_GOBIN_DIR):$(PATH)
@@ -124,7 +125,7 @@ require-%:

build: WHAT ?= ./cmd/... ./cli/cmd/...
build: require-jq require-go require-git verify-go-versions ## Build the project
mkdir -p $(GOBIN_DIR)
mkdir -p $(GOBIN_DIR)$(MAKE) imports
set -x; for W in $(WHAT); do \
pushd . && cd $${W%..}; \
GOOS=$(OS) GOARCH=$(ARCH) CGO_ENABLED=0 go build $(BUILDFLAGS) -ldflags="$(LDFLAGS)" -o $(GOBIN_DIR) ./...; \
@@ -134,6 +135,7 @@ build: require-jq require-go require-git verify-go-versions ## Build the project

.PHONY: build-all
build-all:
mkdir -p bin
GOOS=$(OS) GOARCH=$(ARCH) $(MAKE) build WHAT=./cmd/...

install: WHAT ?= ./cmd/... ./cli/cmd/...
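Review bot: The `ROOT_DIR=$(abspath .)` line added after `TOOLS_DIR=hack/tools` in the first hunk repeats the assignment two lines above it and should be dropped. In `build-all`, the new `mkdir -p bin` hard-codes the directory while `build` creates `$(GOBIN_DIR)`; `mkdir -p $(GOBIN_DIR)` keeps the two targets consistent if the variable is overridden. The rendered `build` hunk shows `mkdir -p $(GOBIN_DIR)` fused with `$(MAKE) imports`, so it is worth confirming that the changed recipe line really is two separate tab-indented commands; the rule bodies continue outside the hunks.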
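--- a/contrib/example-backend-kcp/.gitignore
+++ b/contrib/example-backend-kcp/.gitignore
@@ -0,0 +1,4 @@
+/kube-bind
+/kcp
+/bin
+/hack/tools/bin/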
Binary file added contrib/example-backend-kcp/127.0.0.1.crt
Binary file not shown.
Binary file added contrib/example-backend-kcp/127.0.0.1.key
Binary file not shown.
47 changes: 47 additions & 0 deletions contrib/example-backend-kcp/127.0.0.1.pem
@@ -0,0 +1,47 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
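Review bot: This section commits a private key (`-----BEGIN PRIVATE KEY-----` in `127.0.0.1.pem`, next to the binary `127.0.0.1.key`) to the repository, where it stays in history and is available to everyone who clones it. Even for a localhost development certificate, the pair is better generated during setup by a make target or script, with `*.pem`, `*.key` and `*.crt` added to the new `.gitignore`. The `run-dev` target in this PR reads `${KCP_REPO_DIR}/127.0.0.1.pem`, which suggests these copies may not be needed at all; that should be confirmed before merging.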
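--- a/contrib/example-backend-kcp/Makefile
+++ b/contrib/example-backend-kcp/Makefile
@@ -0,0 +1,130 @@
+# Copyright 2025 The Kube Bind Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+TOOLS_DIR=hack/tools
+TOOLS_BIN_DIR := $(abspath $(TOOLS_DIR))/bin
+export TOOLS_BIN_DIR # so hack scripts can use it
+
+GO_INSTALL = ./hack/go-install.sh
+
+KCP_VERSION ?= 0.23.0
+CONTROLLER_GEN := $(TOOLS_BIN_DIR)/controller-gen
+export CONTROLLER_GEN # so hack scripts can use it
+
+CODE_GENERATOR_VER := v2.1.0
+CODE_GENERATOR_BIN := code-generator
+CODE_GENERATOR := $(TOOLS_BIN_DIR)/$(CODE_GENERATOR_BIN)-$(CODE_GENERATOR_VER)
+export CODE_GENERATOR # so hack scripts can use itßß
+
+KCP_APIGEN_VER := v0.26.0
+KCP_APIGEN_BIN := apigen
+KCP_APIGEN_GEN := $(TOOLS_BIN_DIR)/$(KCP_APIGEN_BIN)-$(KCP_APIGEN_VER)
+export KCP_APIGEN_GEN # so hack scripts can use it
+
+OPENSHIFT_GOIMPORTS_VER := c72f1dc2e3aacfa00aece3391d938c9bc734e791
+OPENSHIFT_GOIMPORTS_BIN := openshift-goimports
+OPENSHIFT_GOIMPORTS := $(TOOLS_BIN_DIR)/$(OPENSHIFT_GOIMPORTS_BIN)-$(OPENSHIFT_GOIMPORTS_VER)
+export OPENSHIFT_GOIMPORTS # so hack scripts can use it
+
+export KCP_REPO_DIR=${GOPATH}/src/github.com/kcp-dev/kcp/
+export KCP_KUBECONFIG=${KCP_REPO_DIR}.kcp/admin.kubeconfig
+
+$(KCP_APIGEN_GEN):
+GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) github.com/kcp-dev/kcp/sdk/cmd/apigen $(KCP_APIGEN_BIN) $(KCP_APIGEN_VER)
+
+$(CONTROLLER_GEN): # Build controller-gen from tools folder.
+cd $(TOOLS_BIN_DIR) && go build -tags=tools -o bin/controller-gen sigs.k8s.io/controller-tools/cmd/controller-gen
+
+$(CODE_GENERATOR):
+GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) github.com/kcp-dev/code-generator/v2 $(CODE_GENERATOR_BIN) $(CODE_GENERATOR_VER)
+
+$(OPENSHIFT_GOIMPORTS):
+GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) github.com/openshift-eng/openshift-goimports $(OPENSHIFT_GOIMPORTS_BIN) $(OPENSHIFT_GOIMPORTS_VER)
+
+
+tools: $(CONTROLLER_GEN) $(KCP_APIGEN_GEN) $ $(CODE_GENERATOR $(OPENSHIFT_GOIMPORTS)) ## Install tools
+.PHONY: tools
+
+
+KUBE_MAJOR_VERSION := 1
+KUBE_MINOR_VERSION := $(shell go mod edit -json | jq '.Require[] | select(.Path == "k8s.io/client-go") | .Version' --raw-output | sed "s/v[0-9]*\.\([0-9]*\).*/\1/")
+GIT_COMMIT := $(shell git rev-parse --short HEAD || echo 'local')
+GIT_DIRTY := $(shell git diff --quiet && echo 'clean' || echo 'dirty')
+GIT_VERSION := $(shell go mod edit -json | jq '.Require[] | select(.Path == "k8s.io/client-go") | .Version' --raw-output | sed 's/v0/v1/')+kube-bind-$(shell git describe --tags --match='v*' --abbrev=14 "$(GIT_COMMIT)^{commit}" 2>/dev/null || echo v0.0.0-$(GIT_COMMIT))
+
+BUILD_DATE := $(shell date -u +'%Y-%m-%dT%H:%M:%SZ')
+LDFLAGS := \
+-X k8s.io/client-go/pkg/version.gitCommit=${GIT_COMMIT} \
+-X k8s.io/client-go/pkg/version.gitTreeState=${GIT_DIRTY} \
+-X k8s.io/client-go/pkg/version.gitVersion=${GIT_VERSION} \
+-X k8s.io/client-go/pkg/version.gitMajor=${KUBE_MAJOR_VERSION} \
+-X k8s.io/client-go/pkg/version.gitMinor=${KUBE_MINOR_VERSION} \
+-X k8s.io/client-go/pkg/version.buildDate=${BUILD_DATE} \
+\
+-X k8s.io/component-base/version.gitCommit=${GIT_COMMIT} \
+-X k8s.io/component-base/version.gitTreeState=${GIT_DIRTY} \
+-X k8s.io/component-base/version.gitVersion=${GIT_VERSION} \
+-X k8s.io/component-base/version.gitMajor=${KUBE_MAJOR_VERSION} \
+-X k8s.io/component-base/version.gitMinor=${KUBE_MINOR_VERSION} \
+-X k8s.io/component-base/version.buildDate=${BUILD_DATE}
+build: WHAT ?= ./cmd/...
+build: clean
+GOOS=$(OS) GOARCH=$(ARCH) go build $(BUILDFLAGS) -ldflags="$(LDFLAGS)" -o bin/ $(WHAT)
+.PHONY: build
+
+clean:
+rm -rf bin/*
+
+run-dev-init: build
+bin/bootstrap init --kcp-kubeconfig=${KCP_KUBECONFIG}
+
+run-dev: build
+bin/backend start \
+-v 4 \
+--tls-cert-file=${KCP_REPO_DIR}/127.0.0.1.pem \
+--tls-key-file=${KCP_REPO_DIR}/127.0.0.1.pem \
+--listen-address=127.0.0.1:6443 \
+--oidc-issuer-client-secret=Z2Fyc2lha2FsYmlzdmFuZGVuekWplCg== \
+--oidc-issuer-client-id=kcp-dev \
+--oidc-issuer-url=https://127.0.0.1:5556/dex \
+--oidc-callback-url=https://127.0.0.1:6443/callback \
+--oidc-authorize-url=https://127.0.0.1:6443/authorize \
+--oidc-ca-file=${KCP_REPO_DIR}/127.0.0.1.pem \
+--pretty-name="CorpAAA.com" \
+--namespace-prefix="kube-bind-" \
+--cookie-signing-key=bGMHz7SR9XcI9JdDB68VmjQErrjbrAR9JdVqjAOKHzE= \
+--cookie-encryption-key=wadqi4u+w0bqnSrVFtM38Pz2ykYVIeeadhzT34XlC1Y= \
+--workspace-path="root:kube-bind" \
+--apiexport-name="kube-bind.io" \
+--kubeconfig=${KCP_KUBECONFIG} \
+--dev-mode=true
+
+crds: $(CONTROLLER_GEN) ## Generate crds
+./hack/update-codegen-crds.sh
+.PHONY: crds
+
+codegen: crds
+$(MAKE) imports
+.PHONY: codegen
+
+.PHONY: imports
+imports: $(OPENSHIFT_GOIMPORTS)
+$(OPENSHIFT_GOIMPORTS) -m github.com/kube-bind/kube-bind/contrib/example-backend-kcp
+
+run-docker-compose:
+docker-compose -f ./hack/docker-compose/docker-compose.yaml up --build
+
+rm-docker-compose:
+docker-compose -f ./hack/docker-compose/docker-compose.yaml down -v
+docker volume rm docker-compose_kcp_config docker-compose_kube_bind_data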
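Review bot: The `run-dev` recipe hard-codes the values of `--oidc-issuer-client-secret`, `--cookie-signing-key` and `--cookie-encryption-key`, so every checkout that runs this target shares the same OIDC client secret and session-cookie keys, and the values are also visible in the process list. Take them from overridable variables or the environment (for example `--cookie-signing-key=$(COOKIE_SIGNING_KEY)`, a constructed name, with a value generated per checkout) and add a comment that the target is for local development with `--dev-mode=true` only. Separately, the `tools` prerequisite list reads `$ $(CODE_GENERATOR $(OPENSHIFT_GOIMPORTS))`, where the parentheses are misplaced, so neither tool ends up as a prerequisite; it should be `$(CODE_GENERATOR) $(OPENSHIFT_GOIMPORTS)`. The `$(CONTROLLER_GEN)` rule also writes `bin/controller-gen` below `$(TOOLS_BIN_DIR)` rather than to `$@`, and `clean`, `run-dev`, `run-dev-init` and the two docker-compose targets have no `.PHONY` declaration.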
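--- a/contrib/example-backend-kcp/README.md
+++ b/contrib/example-backend-kcp/README.md
@@ -0,0 +1,95 @@
+# Kube-Bind for KCP
+
+This is example backend for KCP that uses [kube-bind](https://github.com/kube-bind/kube-bind) to bind api-exports.
+
+Values here should match the values used to start kcp with so that the oidc tokens are valid.
+We use kcp from [kcp-dev/kcp/contrib/kcp-dex](https://github.com/kcp-dev/kcp/tree/main/contrib/kcp-dex) as an example.
+
+
+## Quickstart
+
+1. Start kcp instance with dex IDP provider:
+
+Follow [README](https://github.com/kcp-dev/kcp/blob/main/contrib/kcp-dex/README.md) in kcp repository to have kcp with IDP running.
+Just use `docs/dex-config.yaml` instead of one in kcp repistory. kube-bind version contains required callback urls for kube-bind to work.
+
+Once this is done you should have `dex` running with custom configuration in one terminal, and kcp using this dex as IDP in another.
+
+2. Start kube-bind backend.
+
+```bash
+make build
+
+# bootstrap kcp instance with required workspaces and exports:
+# `make run-dev-init` is make target for command below.
+export KCP_REPO_DIR=${GOPATH}/src/github.com/kcp-dev/kcp/
+export KCP_KUBECONFIG=${KCP_REPO_DIR}/.kcp/admin.kubeconfig
+bin/bootstrap init --kcp-kubeconfig=$KCP_KUBECONFIG
+
+# once it boostrap, start kube-bind backend. Make sure `oidc-issuer-client-secret` matches one, used in dex.
+# `make run-dev` is make target for command below.
+
+bin/backend start \
+-v 4 \
+--tls-cert-file=${KCP_REPO_DIR}127.0.0.1.pem \
+--tls-key-file=../../127.0.0.1.pem \
+--listen-address=127.0.0.1:6443 \
+--oidc-issuer-client-secret=Z2Fyc2lha2FsYmlzdmFuZGVuekWplCg== \
+--oidc-issuer-client-id=kcp-dev \
+--oidc-issuer-url=https://127.0.0.1:5556/dex \
+--oidc-callback-url=https://127.0.0.1:6443/callback \
+--oidc-authorize-url=https://127.0.0.1:6443/authorize \
+--oidc-ca-file=../../127.0.0.1.pem \
+--pretty-name="CorpAAA.com" \
+--namespace-prefix="kube-bind-" \
+--cookie-signing-key=bGMHz7SR9XcI9JdDB68VmjQErrjbrAR9JdVqjAOKHzE= \
+--cookie-encryption-key=wadqi4u+w0bqnSrVFtM38Pz2ykYVIeeadhzT34XlC1Y= \
+--workspace-path="root:kube-bind" \
+--apiexport-name="kube-bind.io" \
+--kubeconfig=${KCP_KUBECONFIG} \
+--dev-mode=true
+```
+
+3. Try example `mangodb` as consumer.
+
+Exec init `kube-bind` backend:
+
+```
+docker exec -it docker-compose-kube-bind-1 sh
+
+kubectl ws create mangodb --enter
+kubectl kcp bind apiexport root:kube-bind:kube-bind.io --name kube-bind.io
+```
+
+Create crd for mangodb:
+```
+kubectl create -f https://raw.githubusercontent.com/kube-bind/kube-bind/refs/heads/main/deploy/examples/crd-mangodb.yaml
+```
+
+At this point you will need to restart kube-bind backend to get it running.
+TODO(mjudeikis): Fix this.
+
+From outside create separete kind cluster to be consumer
+
+```
+kubectl bind --insecure-skip-tls-verify https://0.0.0.0:6444/export
+```
+
+
+
+
+
+
+
+# Raodmap & limitations
+
+Current implementation works same way as existing `example-backend`. It allows export `crds` from worksapce to
+external Kubernetes clusters. In a way this example now makes `kube-bind` to be usable as kcp enabled service.
+This should change with roadmap being implemented.
+
+1. Add e2e tests for kcp backend to test basic behaviour.
+2. Extend `kcp` and `kube-bind` to be able to export `APIBinding` resources. After this is done, you should be able to
+export native `kcp` bindings via `kube-bind`. This will allow more native `kcp` to `k8s` integration.
+3. Extend `kcp` APIBindings/PermissionsClaims to be more extendable for `kube-bind` use.
+4. Implement kcp native `konnector` agent. After this is done, you will be able to do `kcp` to `kcp` bindings. Currently this is
+not possible due to need to run connector agents on the consumer end.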