This guide provides instructions for developers who want to contribute to the iam-manager project.
IAM Manager is built using Kubebuilder, a framework for building Kubernetes APIs using custom resource definitions (CRDs). Kubebuilder provides scaffolding tools to quickly create new APIs, controllers, and webhook components. Understanding Kubebuilder will greatly help in comprehending the iam-manager codebase structure and development workflow.
- Go 1.19+ (check the current version in go.mod)
- Kubernetes cluster for testing (minikube, kind, or a remote cluster)
- Docker for building images
- kubectl CLI
- kustomize
- controller-gen
- AWS account with IAM permissions for testing
git clone https://github.com/keikoproj/iam-manager.git
cd iam-managerThe Makefile can help install required development tools:
# Install controller-gen
make controller-gen
# Install kustomize
make kustomize
# Install mockgen (for tests)
make mockgenNote for ARM64 users: There are known issues with some versions of controller-gen on ARM64 architecture. If you encounter issues, try specifying a compatible version in the Makefile:
# Try version v0.13.0 or v0.17.0 for ARM64
controller-gen:
$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.13.0)# Build the manager binary
make
# Run the manager locally (outside the cluster)
make runFor local development, you'll need to set up the necessary AWS resources:
# Set environment variables
export AWS_ACCOUNT_ID=123456789012
export AWS_REGION=us-west-2
export CLUSTER_NAME=my-cluster
# Create the AWS resources using CloudFormation
aws cloudformation create-stack \
--stack-name iam-manager-dev-resources \
--template-body file://hack/iam-manager-cfn.yaml \
--capabilities CAPABILITY_NAMED_IAM \
--parameters ParameterKey=ClusterName,ParameterValue=$CLUSTER_NAME# Run unit tests
make testFor integration tests, you need a Kubernetes cluster and AWS access:
# Set up environment variables for integration tests
export KUBECONFIG=~/.kube/config
export AWS_REGION=us-west-2
export AWS_PROFILE=your-aws-profile
# Run integration tests
make integration-testTo build a custom Docker image:
# Build the controller image
make docker-build IMG=your-registry/iam-manager:your-tag
# Push the image to your registry
make docker-push IMG=your-registry/iam-manager:your-tagDeploy your custom build to a cluster:
# Deploy with your custom image
make deploy IMG=your-registry/iam-manager:your-tagHere's an overview of the project structure:
.
├── api/ # API definitions (CRDs)
│ └── v1alpha1/ # API version
├── cmd/ # Entry points
├── config/ # Kubernetes YAML manifests
├── controllers/ # Reconciliation logic
│ └── iamrole_controller.go # Main controller logic
├── pkg/ # Shared packages
│ ├── awsapi/ # AWS API client wrapper
│ └── k8s/ # Kubernetes helpers
└── hack/ # Development scripts
- api/v1alpha1: Contains the CRD definitions, including the Iamrole type.
- controllers: Contains the controller that reconciles the Iamrole custom resources.
- pkg/awsapi: Implements the AWS API client for IAM operations.
- Create a new branch:
git checkout -b feature/your-feature-name - Make your changes
- Add tests for your changes
- Run tests:
make test - Build and verify:
make - Commit changes with DCO signature:
git commit -s -m "Your commit message" - Push changes:
git push origin feature/your-feature-name - Create a pull request
To add new fields to the Iamrole CRD:
- Modify the
api/v1alpha1/iamrole_types.gofile - Run code generation:
make generate - Update CRDs:
make manifests - Update the controller reconciliation logic to handle the new fields
For easier debugging, you can run the controller outside the cluster:
# Run the controller locally
make runYou can use Delve for remote debugging:
# Install Delve if you don't have it
go install github.com/go-delve/delve/cmd/dlv@latest
# Run with Delve
dlv debug ./cmd/manager/main.go -- --kubeconfig=$HOME/.kube/configTo enable debug logs:
# When running locally
make run ARGS="--zap-log-level=debug"
# In a deployed controller
kubectl edit deployment iam-manager-controller-manager -n iam-manager-system
# Add environment variable LOG_LEVEL=debugiam-manager uses kubebuilder and controller-gen for code generation.
IAM Manager follows the Kubebuilder project structure and conventions. The project was initially scaffolded using Kubebuilder, which set up:
- API types in
api/v1alpha1/ - Controller logic in
controllers/ - Configuration files in
config/ - Main entry point in
cmd/manager/main.go
When you make changes to the API types, you need to regenerate various files:
# Generate CRDs
make manifests
# Generate code (deepcopy methods, etc.)
make generateTo add a new Custom Resource Definition:
# Use kubebuilder to scaffold a new API
kubebuilder create api --group iammanager --version v1alpha1 --kind YourNewResource
# This will create:
# - api/v1alpha1/yournewresource_types.go
# - controllers/yournewresource_controller.go
# - And update main.go to include the new controllerAfter scaffolding, you'll need to:
- Define your API schema in the
_types.gofile - Implement the reconciliation logic in the controller
- Regenerate the manifests and code as described above
iam-manager uses validating webhooks to enforce security policies. To modify webhook logic:
- Edit the validation logic in
api/v1alpha1/iamrole_webhook.go - Regenerate manifests:
make manifests - Deploy the changes:
make deploy
The project uses GitHub Actions for CI. When you submit a PR, the CI will:
- Run unit tests
- Build the controller image
- Verify code generation is up-to-date
- Check code style
Make sure all CI checks pass before requesting a review.
To create a new release:
- Update version tags in all relevant files
- Run tests and ensure they pass
- Create a git tag:
git tag -a v0.x.y -m "Release v0.x.y" - Push the tag:
git push origin v0.x.y - Create a release on GitHub with release notes