add v2 apis

[erhancagirici]

Description of your changes

New V2 apis and removals to facilitate namespaced MRs.

v2 ManagedResourceSpec API:

• writeConnectionSecretToRef drops namespace field and accepts local secret references.
• providerConfigRef becomes typed and requires kind. apiGroup is intentionally left out, it is expected to be inferred by the provider code. Namespaced
• deletionPolicy is removed. New resources should rely on managementPolicies to control external resource deletion.

External Secret Store support is removed
publishConnectionDetailsTo is removed from both cluster-scoped (legacy) and namespace-scoped (modern) MR specs.
ConnectionDetailsPublisherTo interface is removed.

Cross-namespace cross-resource references:
Introduced NamespacedResolutionRequest, NamespacedResolutionResponse, NamespacedMultiResolutionRequest, NamespacedMultiResolutionResponse types along with APINamespacedResolver . In the new types, references and selectors in the resolution requests can include optional namespace parameter. Otherwise, they will default to MR namespaces.

I have:

• Read and followed Crossplane's contribution process.
• Run earthly +reviewable to ensure this PR is ready for review.
• Added or updated unit tests.
• Linked a PR or a docs tracking issue to document this change.
• Added backport release-x.y labels to auto-backport this PR.

Need help with this checklist? See the cheat sheet.

[negz]

This looks great overall - I like the direction. Thanks @erhancagirici!

[negz]

Is there a way to avoid having the v2 package depend on v1 types?

[erhancagirici]

Technically yes, but I see two ways, both having its own drawback:
most of apis/common/v1 actually has many shared constructs not particularly "v1", like ManagementPolicies, Conditions, Selector, Reference types etc.

• If we duplicate them, we end up with same but different structs, which needs superfluous handling in various places.
• One option can be to refactor common stuff mentioned above to its own package, but that also kind of breaks existing imports in the ecosystem.
  Open to ideas here

[negz]

Maybe we could:

• Move the shared stuff to apis/common/common.go
• Have both common/v1 and common/v2 import common
• Add type aliases in the v1 package to avoid breaking folks

I think I prefer that approach. I agree that v1 is a bit of a misnomer in the first place.

The other options I considered are:

• Duplicate the types in both places. I like that this decouples the two APIs, but it forces us to have two implementations of any function that uses these types, which I think is a non-starter.
• Duplicate the types in both places, also add internal versions, update our functions to work on the internal versions, and generate code to translate between v1/v2 and internal. This seems like the best approach in theory, but it's a ton of work for these little utility types.

[turkenh]

We just had an offline sync with @erhancagirici on this and the above proposal sounds good in general. We discussed some details like linter complaining about common as a package name and whether we should put a deprecation notice on v1 aliased types/consts/funcs.

At the end, we feel good about suppressing linter on package name and going with common as suggested. apis/common is there since the begining and we're fine for it as a package name. Regarding the deprecation notice, we believe it would be good not to force consumers to immediately switch to the new place to minimize the required changes for now. So, if linter complains and forces consumers to migrate, then we should better not do it now (and track with an issue to do it later). This is something @erhancagirici will check and see.

[erhancagirici]

I have pushed the changes with the type aliasing approach.
One side note: I had to bump the controller-tools to 0.18.0 to consume following fixes about type aliases.

kubernetes-sigs/controller-tools#1061
kubernetes-sigs/controller-tools#1122
This bump transitively upgraded google.golang.org/protobuf to v1.36.5 which had some minor changes in the generated protobuf files (backward-compatible).

I haven't added the depreciation notices to aliased types in apis/common/v1 yet, as they cause large amount of linter warnings. I'll create a follow-up issue for this.

[negz]

iirc this'll always be a no-op now that external secret stores are gone.

No strong feelings about removing it now though - we could follow up later.

[erhancagirici]

let's have this as a follow-up

[negz]

Do we still need this with external secret stores gone? I think we'll always publish to one secret.

(Again not urgent to remove it though.)

[erhancagirici]

Agreed, this was needed for the WithLocalConnectionPublishers(p ...ConnectionPublisher) reconciler option, which is already irrelevant.

A question is, the original(legacy) one of becomes irrelevant too. Should we remove this one to make our intention clear? or keep it for the sake of not causing a code changes in the (native) providers for existing legacy resources?

crossplane-runtime/pkg/reconciler/managed/reconciler.go

Lines 702 to 706 in f5f608c

	func WithConnectionPublishers(p ...ConnectionPublisher) ReconcilerOption {
	return func(r *Reconciler) {
	r.managed.ConnectionPublisher = PublisherChain(p)
	}
	}

Maybe make it no-op with deprecated comment?

[negz]

I'd lean toward just removing it. Either way it's going to be work for upstream provider authors. If it's gone, it's more obvious they need to do that work.

I don't feel strongly though.

[erhancagirici]

I'll remove this and PublisherChain and keep an unexported version for unit testing purposes for cases we need to mock.

[erhancagirici]

done

[negz]

Great work @erhancagirici! This is a smaller diff overall than I expected, which is good. None of my comments are blocking.

[negz]

Nit: Some of these long var names are a bit redundant. Not blocking though, and I can see it matches the existing implementation.

[negz]

I'd lean toward just removing it. Either way it's going to be work for upstream provider authors. If it's gone, it's more obvious they need to do that work.

I don't feel strongly though.

[negz]

I do wonder whether there's diminishing returns in completely duplicating the test file. I imagine a lot of these subtest scenarios use the same code regardless of whether it's a legacy or a modern MR, right?

It seems like having two test files could be a bit of a pain - we'll need to add and update them both whenever we update the tests. On the other hand it does seem like the most defensive/conservative approach to make sure both legacy and modern MRs work with all parts of the reconciler.

[erhancagirici]

As you mentioned, this was mostly for being defensive. I tried to pinpoint the "common" tests ( relying only on the "base" managed functional), though ended up duplicating most already to cover some unvisited codepaths.
We might consider following up later with a refactored test setup, that runs the tests as a matrix for legacy vs modern maybe?

[negz]

Officially deferring my reviewer powers to @turkenh if there's any other questions or concerns while I'm out on vacation. 😉

[turkenh]

Could we add a //nolint directive instead? https://github.com/crossplane/crossplane/tree/main/contributing#explain-nolint-directives

[erhancagirici]

opted for this, because had to repeat this for all the new files, and nolint directives were appearing at the very top and potentially in godoc. not strongly opinionated though

[turkenh]

Looks good to me, thanks @erhancagirici 🙌

[turkenh]

Should this use ns instead of req.Namespace ?

[erhancagirici]

good catch, fixed