cert-manager
diff --git a/‎.dockerignore
+5 b/‎.dockerignore
+5
diff --git a/‎.gitignore
+2 b/‎.gitignore
+2
diff --git a/‎Dockerfile
+9-2 b/‎Dockerfile
+9-2
diff --git a/‎Makefile
+156-94 b/‎Makefile
+156-94
diff --git a/‎PROJECT
+8 b/‎PROJECT
+8
diff --git a/‎README.md
+2-6 b/‎README.md
+2-6
@@ -0,0 +1,5 @@
+# More info: https://docs.docker.com/engine/reference/builder/#dockerignore-file
+# Ignore build and test binaries.
+bin/
+testbin/
+build/
@@ -6,6 +6,8 @@
 *.so
 *.dylib
 bin
+testbin/*
+Dockerfile.cross
 
 # Test binary, build with `go test -c`
 *.test
 
@@ -1,5 +1,7 @@
 # Build the manager binary
 FROM golang:1.20 as builder
+ARG TARGETOS
+ARG TARGETARCH
 
 WORKDIR /workspace
 # Copy the Go Modules manifests
@@ -14,9 +16,13 @@ COPY main.go main.go
 COPY api/ api/
 COPY internal/ internal/
 
+# the GOARCH has not a default value to allow the binary be built according to the host where the command
+# was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
+# the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
+# by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
 ENV CGO_ENABLED=0
-ENV GOOS=linux
-ENV GOARCH=amd64
+ENV GOOS=${TARGETOS:-linux}
+ENV GOARCH=${TARGETARCH}
 ENV GO111MODULE=on
 
 # Do an initial compilation before setting the version so that there is less to
@@ -36,5 +42,6 @@ RUN go build \
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /
 COPY --from=builder /workspace/manager .
+USER 65532:65532
 
 ENTRYPOINT ["/manager"]
@@ -14,133 +14,79 @@ DOCKER_IMAGE_NAME ?= cert-manager/sample-external-issuer/controller
 # Image URL to use all building/pushing image targets
 IMG ?= ${DOCKER_REGISTRY}/${DOCKER_IMAGE_NAME}:${VERSION}
 
-# BIN is the directory where tools will be installed
-export BIN ?= ${CURDIR}/bin
-
-OS := $(shell go env GOOS)
-ARCH := $(shell go env GOARCH)
-
-# Kind
-KIND_VERSION := 0.18.0
-KIND := ${BIN}/kind-${KIND_VERSION}
-K8S_CLUSTER_NAME := sample-external-issuer-e2e
 
 # cert-manager
 CERT_MANAGER_VERSION ?= 1.11.1
 
-# Controller tools
-CONTROLLER_GEN_VERSION := 0.11.3
-CONTROLLER_GEN := ${BIN}/controller-gen
 
 INSTALL_YAML ?= build/install.yaml
 
 .PHONY: all
-all: manager
+all: build
 
-# Run tests
-.PHONY: test
-test: generate fmt vet manifests
-	go test ./... -coverprofile cover.out
+##@ General
 
-# Build manager binary
-.PHONY: manager
-manager: generate fmt vet
-	go build -o bin/manager main.go
+# The help target prints out all targets with their descriptions organized
+# beneath their categories. The categories are represented by '##@' and the
+# target descriptions by '##'. The awk commands is responsible for reading the
+# entire set of makefiles included in this invocation, looking for lines of the
+# file as xyz: ## something, and then pretty-format the target and help. Then,
+# if there's a line with ##@ something, that gets pretty-printed as a category.
+# More info on the usage of ANSI control characters for terminal formatting:
+# https://en.wikipedia.org/wiki/ANSI_escape_code#SGR_parameters
+# More info on the awk command:
+# http://linuxcommand.org/lc3_adv_awk.php
 
-# Run against the configured Kubernetes cluster in ~/.kube/config
-.PHONY: run
-run: generate fmt vet manifests
-	go run ./main.go
-
-# Install CRDs into a cluster
-.PHONY: install
-install: manifests
-	kustomize build config/crd | kubectl apply -f -
-
-# Uninstall CRDs from a cluster
-.PHONY: uninstall
-uninstall: manifests
-	kustomize build config/crd | kubectl delete -f -
-
-# TODO(wallrj): .PHONY ensures that the install file is always regenerated,
-# because I this really depends on the checksum of the Docker image and all the
-# base Kustomize files.
-.PHONY: ${INSTALL_YAML}
-${INSTALL_YAML}:
-	mkdir -p $(dir $@)
-	rm -rf build/kustomize
-	mkdir -p build/kustomize
-	cd build/kustomize
-	kustomize create --resources ../../config/default
-	kustomize edit set image controller=${IMG}
-	cd ${CURDIR}
-	kustomize build build/kustomize > $@
+.PHONY: help
+help: ## Display this help.
+	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
 
-# Deploy controller in the configured Kubernetes cluster in ~/.kube/config
-.PHONY: deploy
-deploy: ${INSTALL_YAML}
-	 kubectl apply -f ${INSTALL_YAML}
+##@ Development
 
-# Generate manifests e.g. CRD, RBAC etc.
 .PHONY: manifests
-manifests: ${CONTROLLER_GEN}
-	$(CONTROLLER_GEN) rbac:roleName=manager-role webhook crd paths="./..." output:crd:artifacts:config=config/crd/bases
+manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
+	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+
+.PHONY: generate
+generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
+	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."
 
-# Run go fmt against code
 .PHONY: fmt
-fmt:
+fmt: ## Run go fmt against code.
 	go fmt ./...
 
-# Run go vet against code
 .PHONY: vet
-vet:
+vet: ## Run go vet against code.
 	go vet ./...
 
-# Generate code
-generate: ${CONTROLLER_GEN}
-	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."
-
-# Build the docker image
-.PHONY: docker-build
-docker-build:
-	docker build \
-		--build-arg VERSION=$(VERSION) \
-		--tag ${IMG} \
-		--file Dockerfile \
-		${CURDIR}
+.PHONY: test
+test: manifests generate fmt vet ## Run tests
+	go test ./... -coverprofile cover.out
 
-# Push the docker image
-.PHONY: docker-push
-docker-push:
-	docker push ${IMG}
+##@ E2E testing
 
-${CONTROLLER_GEN}: | ${BIN}
-	GOBIN=${BIN} go install sigs.k8s.io/controller-tools/cmd/controller-gen@v${CONTROLLER_GEN_VERSION}
+K8S_CLUSTER_NAME := sample-external-issuer-e2e
 
-# ==================================
-# E2E testing
-# ==================================
 .PHONY: kind-cluster
 kind-cluster: ## Use Kind to create a Kubernetes cluster for E2E tests
-kind-cluster: ${KIND}
+kind-cluster: kind
 	 ${KIND} get clusters | grep ${K8S_CLUSTER_NAME} || ${KIND} create cluster --name ${K8S_CLUSTER_NAME}
 
 .PHONY: kind-load
-kind-load: ## Load all the Docker images into Kind
+kind-load: kind ## Load all the Docker images into Kind
 	${KIND} load docker-image --name ${K8S_CLUSTER_NAME} ${IMG}
 
 .PHONY: kind-export-logs
-kind-export-logs:
+kind-export-logs: kind ## Export Kind logs
 	${KIND} export logs --name ${K8S_CLUSTER_NAME} ${E2E_ARTIFACTS_DIRECTORY}
 
-
 .PHONY: deploy-cert-manager
 deploy-cert-manager: ## Deploy cert-manager in the configured Kubernetes cluster in ~/.kube/config
 	kubectl apply --filename=https://github.com/cert-manager/cert-manager/releases/download/v${CERT_MANAGER_VERSION}/cert-manager.yaml
 	kubectl wait --for=condition=Available --timeout=300s apiservice v1.cert-manager.io
 
 .PHONY: e2e
-e2e:
+e2e: ## Run E2E tests
 	kubectl apply --filename config/samples
 
 	kubectl wait --for=condition=Ready --timeout=5s issuers.sample-issuer.example.com issuer-sample
@@ -153,12 +99,128 @@ e2e:
 
 	kubectl delete --filename config/samples
 
-# ==================================
-# Download: tools in ${BIN}
-# ==================================
-${BIN}:
-	mkdir -p ${BIN}
+##@ Build
+
+.PHONY: build
+build: manifests generate fmt vet ## Build manager binary
+	go build -o bin/manager main.go
+
+.PHONY: run
+run: manifests generate fmt vet ## Run a controller from your host.
+	go run ./main.go
+
+# If you wish built the manager image targeting other platforms you can use the --platform flag.
+# (i.e. docker build --platform linux/arm64 ). However, you must enable docker buildKit for it.
+# More info: https://docs.docker.com/develop/develop-images/build_enhancements/
+.PHONY: docker-build
+docker-build:  ## Build docker image with the manager.
+	docker build \
+		--build-arg VERSION=$(VERSION) \
+		--tag ${IMG} \
+		--file Dockerfile \
+		${CURDIR}
+
+# Push the docker image
+.PHONY: docker-push
+docker-push: ## Push docker image with the manager.
+	docker push ${IMG}
+
+# PLATFORMS defines the target platforms for  the manager image be build to provide support to multiple
+# architectures. (i.e. make docker-buildx IMG=myregistry/mypoperator:0.0.1). To use this option you need to:
+# - able to use docker buildx . More info: https://docs.docker.com/build/buildx/
+# - have enable BuildKit, More info: https://docs.docker.com/develop/develop-images/build_enhancements/
+# - be able to push the image for your registry (i.e. if you do not inform a valid value via IMG=<myregistry/image:<tag>> then the export will fail)
+# To properly provided solutions that supports more than one platform you should use this option.
+PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
+.PHONY: docker-buildx
+docker-buildx: test ## Build and push docker image for the manager for cross-platform support
+	# copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile
+	sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross
+	- docker buildx create --name project-v3-builder
+	docker buildx use project-v3-builder
+	- docker buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile.cross .
+	- docker buildx rm project-v3-builder
+	rm Dockerfile.cross
+
+##@ Deployment
+
+ifndef ignore-not-found
+  ignore-not-found = false
+endif
+
+.PHONY: install
+install: manifests kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config.
+	$(KUSTOMIZE) build config/crd | kubectl apply -f -
+
+.PHONY: uninstall
+uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
+	$(KUSTOMIZE) build config/crd | kubectl delete --ignore-not-found=$(ignore-not-found) -f -
+
+# TODO(wallrj): .PHONY ensures that the install file is always regenerated,
+# because I this really depends on the checksum of the Docker image and all the
+# base Kustomize files.
+.PHONY: ${INSTALL_YAML}
+${INSTALL_YAML}: manifests kustomize
+	mkdir -p $(dir $@)
+	rm -rf build/kustomize
+	mkdir -p build/kustomize
+	cd build/kustomize
+	$(KUSTOMIZE) create --resources ../../config/default
+	$(KUSTOMIZE) edit set image controller=${IMG}
+	cd ${CURDIR}
+	$(KUSTOMIZE) build build/kustomize > $@
+
+.PHONY: deploy
+deploy: ${INSTALL_YAML}  ## Deploy controller to the K8s cluster specified in ~/.kube/config.
+	 kubectl apply -f ${INSTALL_YAML}
+
+.PHONY: undeploy
+undeploy: ${INSTALL_YAML} ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
+	 kubectl delete -f ${INSTALL_YAML}  --ignore-not-found=$(ignore-not-found)
+
+##@ Build Dependencies
+
+LOCAL_OS := $(shell go env GOOS)
+LOCAL_ARCH := $(shell go env GOARCH)
+
+## Location to install dependencies to
+LOCALBIN ?= $(shell pwd)/bin
+$(LOCALBIN):
+	mkdir -p $(LOCALBIN)
+
+## Tool Binaries
+KUSTOMIZE ?= $(LOCALBIN)/kustomize
+CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen
+ENVTEST ?= $(LOCALBIN)/setup-envtest
+KIND ?= $(LOCALBIN)/kind
+
+## Tool Versions
+KUSTOMIZE_VERSION ?= v3.8.7
+CONTROLLER_TOOLS_VERSION ?= v0.11.3
+KIND_VERSION := 0.18.0
 
-${KIND}: ${BIN}
-	curl -fsSL -o ${KIND} https://github.com/kubernetes-sigs/kind/releases/download/v${KIND_VERSION}/kind-${OS}-${ARCH}
+KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"
+.PHONY: kustomize
+kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. If wrong version is installed, it will be removed before downloading.
+$(KUSTOMIZE): $(LOCALBIN)
+	@if test -x $(LOCALBIN)/kustomize && ! $(LOCALBIN)/kustomize version | grep -q $(KUSTOMIZE_VERSION); then \
+		echo "$(LOCALBIN)/kustomize version is not expected $(KUSTOMIZE_VERSION). Removing it before installing."; \
+		rm -rf $(LOCALBIN)/kustomize; \
+	fi
+	test -s $(LOCALBIN)/kustomize || { curl -Ss $(KUSTOMIZE_INSTALL_SCRIPT) | bash -s -- $(subst v,,$(KUSTOMIZE_VERSION)) $(LOCALBIN); }
+
+.PHONY: controller-gen
+controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary. If wrong version is installed, it will be overwritten.
+$(CONTROLLER_GEN): $(LOCALBIN)
+	test -s $(LOCALBIN)/controller-gen && $(LOCALBIN)/controller-gen --version | grep -q $(CONTROLLER_TOOLS_VERSION) || \
+	GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_TOOLS_VERSION)
+
+.PHONY: envtest
+envtest: $(ENVTEST) ## Download envtest-setup locally if necessary.
+$(ENVTEST): $(LOCALBIN)
+	test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
+
+.PHONY: kind
+kind: $(LOCALBIN) ## Download Kind locally if necessary.
+	curl -fsSL -o ${KIND} https://github.com/kubernetes-sigs/kind/releases/download/v${KIND_VERSION}/kind-${LOCAL_OS}-${LOCAL_ARCH}
 	chmod +x ${KIND}
@@ -1,4 +1,11 @@
+# Code generated by tool. DO NOT EDIT.
+# This file is used to track the info used to scaffold your project
+# and allow the plugins properly work.
+# More info: https://book.kubebuilder.io/reference/project-config.html
 domain: example.com
+layout:
+- go.kubebuilder.io/v3
+projectName: sample-external-issuer
 repo: github.com/cert-manager/sample-external-issuer
 resources:
 - group: sample-issuer
@@ -8,3 +15,4 @@ resources:
   kind: ClusterIssuer
   version: v1alpha1
 version: "2"
+version: "3"
@@ -37,7 +37,7 @@ You will need the following command line tools installed on your PATH:
 * [Docker v17.03+](https://docs.docker.com/install/)
 * [Kind v0.18.0+](https://kind.sigs.k8s.io/docs/user/quick-start/)
 * [Kubectl v1.26.3+](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
-* [Kubebuilder v2.3.1+](https://book.kubebuilder.io/quick-start.html#installation)
+* [Kubebuilder v3.9.1+](https://book.kubebuilder.io/quick-start.html#installation)
 * [Kustomize v3.8.1+](https://kustomize.io/)
 
 You may also want to read: the [Kubebuilder Book] and the [cert-manager Concepts Documentation] for further background
@@ -126,10 +126,6 @@ The values we pass to these commands specify the GVK (group, version, kind):
 These commands will have created some boilerplate files and directories: `api/` and `controllers/`,
 which we now need to edit as follows:
 
-* `api/v1alpha1/{cluster}issuer_types.go`:
-   Add [Kubebuilder CRD Markers](https://book.kubebuilder.io/reference/markers/crd.html) to allow modification of IssuerStatus
-   as a [Status Subresource](https://book-v1.book.kubebuilder.io/basics/status_subresource.html): `// +kubebuilder:subresource:status`
-
 * `api/v1alpha1/clusterissuer_types.go`:
    Remove the `ClusterIssuerSpec` and `ClusterIssuerStatus` and replace them with `IssuerSpec` and `IssuerStatus`.
    This is because both types of issuers share the same configuration and status reporting.
@@ -181,7 +177,7 @@ You will also need to add the cert-manager API types to the `Scheme`:
 ```go
 func init() {
 ...
-    _ = cmapi.AddToScheme(scheme)
+	utilruntime.Must(cmapi.AddToScheme(scheme))
 ...
 }
 ```