Add Notification Contacts CRDs and admission webhooks (#294)

## Overview
This pull-request introduces the first set of **Notification Contacts**
building blocks.
It adds CustomResourceDefinitions (CRDs) and admission webhooks that
allow the platform to manage e-mail contacts and their grouping in a
safe and extensible way.

### What’s included
1. **CRDs**
* `Contact` – stores the personal data and preferred e-mail of a subject
* `ContactGroup` – logical grouping of contacts (e.g. _Admins_,
_Owners_)
   * `ContactGroupMembership` – joins a `Contact` to a `ContactGroup`
* `ContactGroupMembershipRemoval` – request object used to remove a
membership through approval flow
2. **Admission Webhooks**
* **Validation** webhooks for *create* / *update* ensuring schema
coherence, referential integrity and immutability guarantees
* **Mutation** webhooks adding defaults and calculated
labels/annotations (e.g. `spec.displayName` fallback, owner references)
3. **ProtectedResource Manifests**
* Added `ProtectedResource` objects for each new kind to wire them into
IAM RBAC

Author: JoseSzycho

cmd/milo/controller-manager/controllermanager.go

@@ -432,6 +432,22 @@ func Run(ctx context.Context, c *config.CompletedConfig, opts *Options) error {
 				logger.Error(err, "Error setting up user invitation webhook")
 				klog.FlushAndExit(klog.ExitFlushTimeout, 1)
 			}
+			if err := notificationv1alpha1webhook.SetupContactWebhooksWithManager(ctrl); err != nil {
+				logger.Error(err, "Error setting up contact webhook")
+				klog.FlushAndExit(klog.ExitFlushTimeout, 1)
+			}
+			if err := notificationv1alpha1webhook.SetupContactGroupWebhooksWithManager(ctrl); err != nil {
+				logger.Error(err, "Error setting up contactgroup webhook")
+				klog.FlushAndExit(klog.ExitFlushTimeout, 1)
+			}
+			if err := notificationv1alpha1webhook.SetupContactGroupMembershipWebhooksWithManager(ctrl); err != nil {
+				logger.Error(err, "Error setting up contactgroupmembership webhook")
+				klog.FlushAndExit(klog.ExitFlushTimeout, 1)
+			}
+			if err := notificationv1alpha1webhook.SetupContactGroupMembershipRemovalWebhooksWithManager(ctrl); err != nil {
+				logger.Error(err, "Error setting up contactgroupmembershipremoval webhook")
+				klog.FlushAndExit(klog.ExitFlushTimeout, 1)
+			}
 
 			projectCtrl := resourcemanagercontroller.ProjectController{
 				ControlPlaneClient: ctrl.GetClient(),

config/crd/bases/notification/kustomization.yaml

@@ -1,4 +1,8 @@
 resources:
 - notification.miloapis.com_emails.yaml
 - notification.miloapis.com_emailtemplates.yaml
+- notification.miloapis.com_contacts.yaml
+- notification.miloapis.com_contactgroups.yaml
+- notification.miloapis.com_contactgroupmemberships.yaml
+- notification.miloapis.com_contactgroupmembershipremovals.yaml
 

config/crd/bases/notification/notification.miloapis.com_contactgroupmembershipremovals.yaml

@@ -0,0 +1,164 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.18.0
+  name: contactgroupmembershipremovals.notification.miloapis.com
+spec:
+  group: notification.miloapis.com
+  names:
+    kind: ContactGroupMembershipRemoval
+    listKind: ContactGroupMembershipRemovalList
+    plural: contactgroupmembershipremovals
+    singular: contactgroupmembershipremoval
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.contactRef.name
+      name: Contact
+      type: string
+    - jsonPath: .spec.contactGroupRef.name
+      name: ContactGroup
+      type: string
+    - jsonPath: .status.conditions[?(@.type=='Ready')].status
+      name: Ready
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          ContactGroupMembershipRemoval is the Schema for the contactgroupmembershipremovals API.
+          It represents a removal of a Contact from a ContactGroup, it also prevents the Contact from being added to the ContactGroup.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              contactGroupRef:
+                description: ContactGroupRef is a reference to the ContactGroup that
+                  the Contact does not want to be a member of.
+                properties:
+                  name:
+                    description: Name is the name of the ContactGroup being referenced.
+                    type: string
+                  namespace:
+                    description: Namespace is the namespace of the ContactGroup being
+                      referenced.
+                    type: string
+                required:
+                - name
+                - namespace
+                type: object
+              contactRef:
+                description: ContactRef is a reference to the Contact that prevents
+                  the Contact from being part of the ContactGroup.
+                properties:
+                  name:
+                    description: Name is the name of the Contact being referenced.
+                    type: string
+                  namespace:
+                    description: Namespace is the namespace of the Contact being referenced.
+                    type: string
+                required:
+                - name
+                - namespace
+                type: object
+            required:
+            - contactGroupRef
+            - contactRef
+            type: object
+            x-kubernetes-validations:
+            - message: spec is immutable
+              rule: self == oldSelf
+          status:
+            properties:
+              conditions:
+                default:
+                - lastTransitionTime: "1970-01-01T00:00:00Z"
+                  message: Waiting for contact group membership removal to be created
+                  reason: CreatePending
+                  status: Unknown
+                  type: Ready
+                description: |-
+                  Conditions represent the latest available observations of an object's current state.
+                  Standard condition is "Ready" which tracks contact group membership removal creation status.
+                items:
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

config/crd/bases/notification/notification.miloapis.com_contactgroupmemberships.yaml

@@ -0,0 +1,171 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.18.0
+  name: contactgroupmemberships.notification.miloapis.com
+spec:
+  group: notification.miloapis.com
+  names:
+    kind: ContactGroupMembership
+    listKind: ContactGroupMembershipList
+    plural: contactgroupmemberships
+    singular: contactgroupmembership
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.contactRef.name
+      name: Contact
+      type: string
+    - jsonPath: .spec.contactGroupRef.name
+      name: ContactGroup
+      type: string
+    - jsonPath: .status.conditions[?(@.type=='Ready')].status
+      name: Ready
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          ContactGroupMembership is the Schema for the contactgroupmemberships API.
+          It represents a membership of a Contact in a ContactGroup.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ContactGroupMembershipSpec defines the desired state of ContactGroupMembership.
+            properties:
+              contactGroupRef:
+                description: ContactGroupRef is a reference to the ContactGroup that
+                  the Contact is a member of.
+                properties:
+                  name:
+                    description: Name is the name of the ContactGroup being referenced.
+                    type: string
+                  namespace:
+                    description: Namespace is the namespace of the ContactGroup being
+                      referenced.
+                    type: string
+                required:
+                - name
+                - namespace
+                type: object
+              contactRef:
+                description: ContactRef is a reference to the Contact that is a member
+                  of the ContactGroup.
+                properties:
+                  name:
+                    description: Name is the name of the Contact being referenced.
+                    type: string
+                  namespace:
+                    description: Namespace is the namespace of the Contact being referenced.
+                    type: string
+                required:
+                - name
+                - namespace
+                type: object
+            required:
+            - contactGroupRef
+            - contactRef
+            type: object
+            x-kubernetes-validations:
+            - message: spec is immutable
+              rule: self == oldSelf
+          status:
+            properties:
+              conditions:
+                default:
+                - lastTransitionTime: "1970-01-01T00:00:00Z"
+                  message: Waiting for contact group membership to be created
+                  reason: CreatePending
+                  status: Unknown
+                  type: Ready
+                description: |-
+                  Conditions represent the latest available observations of an object's current state.
+                  Standard condition is "Ready" which tracks contact group membership creation status and sync to the contact group membership provider.
+                items:
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+              providerID:
+                description: |-
+                  ProviderID is the identifier returned by the underlying contact provider
+                  (e.g. Resend) when the membership is created in the associated audience. It is usually
+                  used to track the contact-group membership creation status (e.g. provider webhooks).
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}