feat: graduate Notes API to dedicated notes.miloapis.com group (#488)

- Create new notes.miloapis.com API group with Note (namespaced) and
ClusterNote (cluster-scoped)
- Implement controllers with PolicyBinding support for both resource
types
- Add validation and mutation webhooks for Note and ClusterNote
- Generate CRDs for notes.miloapis.com/v1alpha1
- Configure ProtectedResources for IAM integration
- Add domain note examples demonstrating all use cases
- Remove Notes from crm.miloapis.com (graduated to dedicated group)
- Clean up CRM API group structure for future CRM-specific resources
- Update all kustomizations and configurations

This allows Notes to be attached to any resource (including
networking.datumapis.com/Domain) while keeping CRM API group available
for future CRM-specific resources like Leads, Opportunities, and
Accounts.

Needed for datum-cloud/enhancements#501

Author: OscarLlamas6

cmd/milo/controller-manager/controllermanager.go

@@ -78,21 +78,22 @@ import (
 	_ "k8s.io/component-base/logs/json/register"
 
 	controlplane "go.miloapis.com/milo/internal/control-plane"
-	crmcontroller "go.miloapis.com/milo/internal/controllers/crm"
 	iamcontroller "go.miloapis.com/milo/internal/controllers/iam"
+	notescontroller "go.miloapis.com/milo/internal/controllers/notes"
 	remoteapiservicecontroller "go.miloapis.com/milo/internal/controllers/remoteapiservice"
 	resourcemanagercontroller "go.miloapis.com/milo/internal/controllers/resourcemanager"
 	infracluster "go.miloapis.com/milo/internal/infra-cluster"
 	quotacontroller "go.miloapis.com/milo/internal/quota/controllers"
-	crmv1alpha1webhook "go.miloapis.com/milo/internal/webhooks/crm/v1alpha1"
 	iamv1alpha1webhook "go.miloapis.com/milo/internal/webhooks/iam/v1alpha1"
 	identityv1alpha1webhook "go.miloapis.com/milo/internal/webhooks/identity/v1alpha1"
+	notesv1alpha1webhook "go.miloapis.com/milo/internal/webhooks/notes/v1alpha1"
 	notificationv1alpha1webhook "go.miloapis.com/milo/internal/webhooks/notification/v1alpha1"
 	resourcemanagerv1alpha1webhook "go.miloapis.com/milo/internal/webhooks/resourcemanager/v1alpha1"
 	crmv1alpha1 "go.miloapis.com/milo/pkg/apis/crm/v1alpha1"
 	iamv1alpha1 "go.miloapis.com/milo/pkg/apis/iam/v1alpha1"
 	identityv1alpha1 "go.miloapis.com/milo/pkg/apis/identity/v1alpha1"
 	infrastructurev1alpha1 "go.miloapis.com/milo/pkg/apis/infrastructure/v1alpha1"
+	notesv1alpha1 "go.miloapis.com/milo/pkg/apis/notes/v1alpha1"
 	notificationv1alpha1 "go.miloapis.com/milo/pkg/apis/notification/v1alpha1"
 	quotav1alpha1 "go.miloapis.com/milo/pkg/apis/quota/v1alpha1"
 	resourcemanagerv1alpha1 "go.miloapis.com/milo/pkg/apis/resourcemanager/v1alpha1"
@@ -176,6 +177,7 @@ func init() {
 	utilruntime.Must(infrastructurev1alpha1.AddToScheme(Scheme))
 	utilruntime.Must(iamv1alpha1.AddToScheme(Scheme))
 	utilruntime.Must(identityv1alpha1.AddToScheme(Scheme))
+	utilruntime.Must(notesv1alpha1.AddToScheme(Scheme))
 	utilruntime.Must(notificationv1alpha1.AddToScheme(Scheme))
 	utilruntime.Must(crmv1alpha1.AddToScheme(Scheme))
 	utilruntime.Must(quotav1alpha1.AddToScheme(Scheme))
@@ -297,7 +299,7 @@ func NewCommand() *cobra.Command {
 	fs.StringVar(&PlatformInvitationEmailVariableActionUrl, "platform-invitation-email-variable-action-url", "https://cloud.datum.net", "The action url for the platform invitation email.")
 	fs.StringVar(&OrganizationMembershipSelfDeleteRoleName, "organization-membership-self-delete-role-name", "organizationmembership-self-delete", "The name of the role that will be used to grant organization membership self delete actions.")
 	fs.StringVar(&OrganizationMembershipSelfDeleteRoleNamespace, "organization-membership-self-delete-role-namespace", "milo-system", "The namespace where the organization membership self delete role is located. Defaults to system-namespace if not specified.")
-	fs.StringVar(&NoteCreatorEditorRoleName, "note-creator-editor-role-name", "crm-note-creator-editor", "The name of the role that will be used to grant note creator edit permissions.")
+	fs.StringVar(&NoteCreatorEditorRoleName, "note-creator-editor-role-name", "notes-creator-editor", "The name of the role that will be used to grant note creator edit permissions.")
 
 	fs.IntVar(&s.ControllerRuntimeWebhookPort, "controller-runtime-webhook-port", 9443, "The port to use for the controller-runtime webhook server.")
 
@@ -546,10 +548,14 @@ func Run(ctx context.Context, c *config.CompletedConfig, opts *Options) error {
 				logger.Error(err, "Error setting up platform access rejection webhook")
 				klog.FlushAndExit(klog.ExitFlushTimeout, 1)
 			}
-			if err := crmv1alpha1webhook.SetupNoteWebhooksWithManager(ctrl); err != nil {
+			if err := notesv1alpha1webhook.SetupNoteWebhooksWithManager(ctrl); err != nil {
 				logger.Error(err, "Error setting up note webhook")
 				klog.FlushAndExit(klog.ExitFlushTimeout, 1)
 			}
+			if err := notesv1alpha1webhook.SetupClusterNoteWebhooksWithManager(ctrl); err != nil {
+				logger.Error(err, "Error setting up clusternote webhook")
+				klog.FlushAndExit(klog.ExitFlushTimeout, 1)
+			}
 
 			projectCtrl := resourcemanagercontroller.ProjectController{
 				ControlPlaneClient: ctrl.GetClient(),
@@ -734,7 +740,7 @@ func Run(ctx context.Context, c *config.CompletedConfig, opts *Options) error {
 				klog.FlushAndExit(klog.ExitFlushTimeout, 1)
 			}
 
-			noteCtrl := crmcontroller.NoteController{
+			noteCtrl := notescontroller.NoteController{
 				Client:                     ctrl.GetClient(),
 				CreatorEditorRoleName:      NoteCreatorEditorRoleName,
 				CreatorEditorRoleNamespace: SystemNamespace,
@@ -744,6 +750,16 @@ func Run(ctx context.Context, c *config.CompletedConfig, opts *Options) error {
 				klog.FlushAndExit(klog.ExitFlushTimeout, 1)
 			}
 
+			clusterNoteCtrl := notescontroller.ClusterNoteController{
+				Client:                     ctrl.GetClient(),
+				CreatorEditorRoleName:      NoteCreatorEditorRoleName,
+				CreatorEditorRoleNamespace: SystemNamespace,
+			}
+			if err := clusterNoteCtrl.SetupWithManager(ctrl); err != nil {
+				logger.Error(err, "Error setting up clusternote controller")
+				klog.FlushAndExit(klog.ExitFlushTimeout, 1)
+			}
+
 			reconciler := &remoteapiservicecontroller.RemoteAPIServiceAvailabilityReconciler{
 				Client:      ctrl.GetClient(),
 				Reason:      "Remote",

config/controller-manager/overlays/core-control-plane/rbac/role.yaml

@@ -45,25 +45,6 @@ rules:
   - subjectaccessreviews
   verbs:
   - create
-- apiGroups:
-  - crm.miloapis.com
-  resources:
-  - notes
-  verbs:
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - crm.miloapis.com
-  resources:
-  - notes/status
-  verbs:
-  - get
-  - patch
-  - update
 - apiGroups:
   - dns.networking.miloapis.com
   resources:
@@ -212,6 +193,27 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - notes.miloapis.com
+  resources:
+  - clusternotes
+  - notes
+  verbs:
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - notes.miloapis.com
+  resources:
+  - clusternotes/status
+  - notes/status
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
   - notification.miloapis.com
   resources:

config/crd/bases/crm/kustomization.yaml

@@ -1,2 +1 @@
-resources:
-- crm.miloapis.com_notes.yaml
+resources: []

config/crd/bases/notes/notes.miloapis.com_clusternotes.yaml

@@ -0,0 +1,207 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.18.0
+  name: clusternotes.notes.miloapis.com
+spec:
+  group: notes.miloapis.com
+  names:
+    kind: ClusterNote
+    listKind: ClusterNoteList
+    plural: clusternotes
+    singular: clusternote
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.subjectRef.kind
+      name: Subject Kind
+      type: string
+    - jsonPath: .spec.subjectRef.name
+      name: Subject Name
+      type: string
+    - jsonPath: .spec.creatorRef.name
+      name: Creator
+      type: string
+    - jsonPath: .status.conditions[?(@.type=='Ready')].status
+      name: Ready
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          ClusterNote is the Schema for the cluster-scoped notes API.
+          It represents a note attached to a cluster-scoped subject resource.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: NoteSpec defines the desired state of Note.
+            properties:
+              content:
+                description: Content is the text content of the note.
+                maxLength: 1000
+                type: string
+              creatorRef:
+                description: |-
+                  CreatorRef is a reference to the user that created the note.
+                  Defaults to the user that created the note.
+                properties:
+                  name:
+                    description: Name is the name of the User being referenced.
+                    type: string
+                required:
+                - name
+                type: object
+                x-kubernetes-validations:
+                - message: creatorRef type is immutable
+                  rule: type(oldSelf) == null_type || self == oldSelf
+              followUp:
+                default: false
+                description: |-
+                  FollowUp indicates whether this note requires follow-up.
+                  When true, the note is being actively tracked for further action.
+                type: boolean
+              interactionTime:
+                description: InteractionTime is the timestamp of the interaction with
+                  the subject.
+                format: date-time
+                type: string
+              nextAction:
+                description: NextAction is an optional follow-up action.
+                type: string
+              nextActionTime:
+                description: NextActionTime is the timestamp for the follow-up action.
+                format: date-time
+                type: string
+              subjectRef:
+                description: Subject is a reference to the subject of the note.
+                properties:
+                  apiGroup:
+                    description: APIGroup is the group for the resource being referenced.
+                    type: string
+                  kind:
+                    description: Kind is the type of resource being referenced.
+                    type: string
+                  name:
+                    description: Name is the name of resource being referenced.
+                    type: string
+                  namespace:
+                    description: |-
+                      Namespace is the namespace of resource being referenced.
+                      Required for namespace-scoped resources. Omitted for cluster-scoped resources.
+                    type: string
+                required:
+                - apiGroup
+                - kind
+                - name
+                type: object
+                x-kubernetes-validations:
+                - message: subject type is immutable
+                  rule: type(oldSelf) == null_type || self == oldSelf
+            required:
+            - content
+            - subjectRef
+            type: object
+          status:
+            description: NoteStatus defines the observed state of Note
+            properties:
+              conditions:
+                default:
+                - lastTransitionTime: "1970-01-01T00:00:00Z"
+                  message: Waiting for control plane to reconcile
+                  reason: Unknown
+                  status: Unknown
+                  type: Ready
+                description: Conditions provide conditions that represent the current
+                  status of the Note.
+                items:
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+              createdBy:
+                description: CreatedBy is the email of the user that created the note.
+                type: string
+            type: object
+        type: object
+    selectableFields:
+    - jsonPath: .spec.creatorRef.name
+    - jsonPath: .spec.subjectRef.name
+    - jsonPath: .spec.subjectRef.kind
+    - jsonPath: .spec.nextActionTime
+    - jsonPath: .spec.followUp
+    - jsonPath: .status.createdBy
+    served: true
+    storage: true
+    subresources:
+      status: {}

…rd/bases/crm/crm.miloapis.com_notes.yaml …ases/notes/notes.miloapis.com_notes.yamlconfig/crd/bases/crm/crm.miloapis.com_notes.yaml renamed to config/crd/bases/notes/notes.miloapis.com_notes.yaml config/crd/bases/crm/crm.miloapis.com_notes.yaml renamed to config/crd/bases/notes/notes.miloapis.com_notes.yaml

@@ -4,15 +4,15 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.18.0
-  name: notes.crm.miloapis.com
+  name: notes.notes.miloapis.com
 spec:
-  group: crm.miloapis.com
+  group: notes.miloapis.com
   names:
     kind: Note
     listKind: NoteList
     plural: notes
     singular: note
-  scope: Cluster
+  scope: Namespaced
   versions:
   - additionalPrinterColumns:
     - jsonPath: .spec.subjectRef.kind
@@ -35,7 +35,7 @@ spec:
       openAPIV3Schema:
         description: |-
           Note is the Schema for the notes API.
-          It represents a note attached to a subject (e.g. Contact or User).
+          It represents a namespaced note attached to a subject resource.
         properties:
           apiVersion:
             description: |-
@@ -98,15 +98,9 @@ spec:
                 properties:
                   apiGroup:
                     description: APIGroup is the group for the resource being referenced.
-                    enum:
-                    - iam.miloapis.com
-                    - notification.miloapis.com
                     type: string
                   kind:
                     description: Kind is the type of resource being referenced.
-                    enum:
-                    - User
-                    - Contact
                     type: string
                   name:
                     description: Name is the name of resource being referenced.