Migrate remaining files from the old version of the repo

- Migrate `CHANGELOG.md`, `.VERSION`, `LICENSE`, GitHub pipelines, release script, GitHub issue templates.
- Add in Makefile the commands to prepare release and make the release tag.

.VERSION

@@ -0,0 +1 @@
+1.5.0

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,36 @@
+---
+name: Bug report
+about: Report bugs and errors found while using the Operator.
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+### Your environment
+
+<!-- Version of the Operator when the error occurred -->
+Operator Version:
+
+<!-- What version of the Connect server are you running?
+You can get this information from the Integrations section in 1Password
+https://start.1password.com/integrations/active
+-->
+Connect Server Version:
+
+<!-- What version of Kubernetes have you deployed the operator to? -->
+Kubernetes Version:
+
+## What happened?
+<!-- Describe the bug or error -->
+
+## What did you expect to happen?
+<!-- Describe what should have happened -->
+
+## Steps to reproduce
+1. <!-- Describe Steps to reproduce the issue -->
+
+
+## Notes & Logs
+<!-- Paste any logs here that may help with debugging.
+Remember to remove any sensitive information before sharing! -->

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,9 @@
+# docs: https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/configuring-issue-templates-for-your-repository#configuring-the-template-chooser
+blank_issues_enabled: true
+contact_links:
+  - name: 1Password Community
+    url: https://1password.community/categories/secrets-automation
+    about: Please ask general Secrets Automation questions here.
+  - name: 1Password Security Bug Bounty
+    url: https://bugcrowd.com/agilebits
+    about: Please report security vulnerabilities here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,32 @@
+---
+name: Feature request
+about: Suggest an idea for the Operator
+title: ''
+labels: feature-request
+assignees: ''
+
+---
+
+### Summary
+<!-- Briefly describe the feature in one or two sentences. You can include more details later. -->
+
+### Use cases
+<!-- Describe the use cases that make this feature useful to others.
+The description should help the reader understand why the feature is necessary.
+The better we understand your use case, the better we can help create an appropriate solution. -->
+
+### Proposed solution
+<!-- If you already have an idea for how the feature should work, use this space to describe it.
+We'll work with you to find a workable approach, and any implementation details are appreciated.
+-->
+
+### Is there a workaround to accomplish this today?
+<!-- If there's a way to accomplish this feature request without changes to the codebase, we'd like to hear it.
+-->
+
+### References & Prior Work
+<!-- If a similar feature was implemented in another project or tool, add a link so we can better understand your request.
+Links to relevant documentation or RFCs are also appreciated. -->
+
+* <!-- Reference 1 -->
+* <!-- Reference 2, etc -->

.github/workflows/build.yml

@@ -0,0 +1,21 @@
+name: Build and Test
+on: [push, pull_request]
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+    - name: Set up Go 1.x
+      uses: actions/setup-go@v2
+      with:
+        go-version: ^1.18
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v2
+
+    - name: Build
+      run: go build -v ./...
+
+    - name: Test
+      run: make test

.github/workflows/release-pr.yml

@@ -0,0 +1,85 @@
+on:
+  create:
+    branches:
+
+name: Open Release PR for review
+
+jobs:
+  # This job is necessary because GitHub does not (yet) support
+  # filtering `create` triggers by branch name.
+  # See: https://github.community/t/trigger-job-on-branch-created/16878/5
+  should_create_pr:
+    name: Check if PR for branch already exists
+    runs-on: ubuntu-latest
+    outputs:
+      result: ${{ steps.is_release_branch_without_pr.outputs.result }}
+    steps:
+      - id: is_release_branch_without_pr
+        name: Find matching PR
+        uses: actions/github-script@v3
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            // Search for an existing PR with head & base
+            //  that match the created branch
+
+            const [releaseBranchName] = context.ref.match("release/v[0-9]+\.[0-9]+\.[0-9]+") || []
+
+            if(!releaseBranchName) { return false }
+
+            const {data: prs} = await github.pulls.list({
+                ...context.repo,
+                state: 'open',
+                head: `1Password:${releaseBranchName}`,
+                base: context.payload.master_branch
+            })
+
+            return prs.length === 0
+
+  create_pr:
+    needs: should_create_pr
+    if: needs.should_create_pr.outputs.result == 'true'
+    name: Create Release Pull Request
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Parse release version
+        id: get_version
+        run: echo "::set-output name=version::$(echo $GITHUB_REF | sed 's|^refs/heads/release/v?*||g')"
+
+      - name: Prepare Pull Request
+        id: prep_pr
+        run: |
+          CHANGELOG_PATH=$(printf "%s/CHANGELOG.md" "${GITHUB_WORKSPACE}")
+
+          LOG_ENTRY=$(awk '/START\/v[0-9]+\.[0-9]+\.[0-9]+*/{f=1; next} /---/{if (f == 1) exit} f' "${CHANGELOG_PATH}")
+          export PR_BODY=$(cat <<EOF
+          This is an automated PR for a new release.
+
+          Please check the following before approving:
+          - [ ] Changelog is accurate. The documented changes for this release are printed below.
+          - [ ] Any files referencing a version number. Confirm it matches the version number in the branch name.
+          ---
+          ## Release Changelog Preview
+          ${LOG_ENTRY}
+          EOF
+          )
+
+          # Sanitizes multiline strings for action outputs (https://medium.com/agorapulse-stories/23f56447d209)
+          PR_BODY="${PR_BODY//'%'/'%25'}"
+          PR_BODY="${PR_BODY//$'\n'/'%0A'}"
+          PR_BODY="${PR_BODY//$'\r'/'%0D'}"
+          echo "::set-output name=pr_body::$(echo "$PR_BODY")"
+
+      - name: Create Pull Request via API
+        id: post_pr
+        uses: octokit/request-action@v2.x
+        with:
+          route: POST /repos/${{ github.repository }}/pulls
+          title: ${{ format('Prepare Release - v{0}', steps.get_version.outputs.version) }}
+          head: ${{ github.ref }}
+          base: ${{ github.event.master_branch }}
+          body: ${{ toJson(steps.prep_pr.outputs.pr_body) }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yml

@@ -0,0 +1,57 @@
+name: release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  release-docker:
+    runs-on: ubuntu-latest
+    env:
+      DOCKER_CLI_EXPERIMENTAL: "enabled"
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      -
+        name: Docker meta
+        id: meta
+        uses: crazy-max/ghaction-docker-meta@v2
+        with:
+          images: |
+            1password/onepassword-operator
+          # Publish image for x.y.z and x.y
+          # The latest tag is automatically added for semver tags
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+      - name: Get the version from tag
+        id: get_version
+        run: echo ::set-output name=VERSION::${GITHUB_REF#refs/tags/v}
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      -
+        name: Docker Login
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      -
+        name: Build and push
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          file: Dockerfile
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            operator_version=${{ steps.get_version.outputs.VERSION }}

CHANGELOG.md

@@ -0,0 +1,147 @@
+[//]: # (START/LATEST)
+# Latest
+
+## Features
+  * A user-friendly description of a new feature. {issue-number}
+
+## Fixes
+ * A user-friendly description of a fix. {issue-number}
+
+## Security
+ * A user-friendly description of a security fix. {issue-number}
+
+---
+
+[//]: # (START/v1.5.0)
+# v1.5.0
+
+## Features
+ * `OnePasswordItem` now contains a `status` which contains the status of creating the kubernetes secret for a OnePasswordItem. {#52}
+
+## Fixes
+ * The operator no longer logs an error about changing the secret type if the secret type is not actually being changed.
+ * Annotations on a deployment are no longer removed when the operator triggers a restart. {#112}
+
+---
+
+[//]: # "START/v1.4.1"
+
+# v1.4.1
+
+## Fixes
+
+- OwnerReferences on secrets are now persisted after an item is updated. {#101}
+- Annotations from a Deployment or OnePasswordItem are no longer applied to Secrets that are created for it. {#102}
+
+---
+
+[//]: # "START/v1.4.0"
+
+# v1.4.0
+
+## Features
+
+- The operator now declares the an OwnerReference for the secrets it manages. This should stop secrets from getting pruned by tools like Argo CD. {#51,#84,#96}
+
+---
+
+[//]: # "START/v1.3.0"
+
+# v1.3.0
+
+## Features
+
+- Added support for loading secrets from files stored in 1Password. {#47}
+
+---
+
+[//]: # "START/v1.2.0"
+
+# v1.2.0
+
+## Features
+
+- Support secrets provisioned through FromEnv. {#74}
+- Support configuration of Kubernetes Secret type. {#87}
+- Improved logging. (#72)
+
+---
+
+[//]: # "START/v1.1.0"
+
+# v1.1.0
+
+## Fixes
+
+- Fix normalization for keys in a Secret's `data` section to allow upper- and lower-case alphanumeric characters. {#66}
+
+---
+
+[//]: # "START/v1.0.2"
+
+# v1.0.2
+
+## Fixes
+
+- Name normalizer added to handle non-conforming item names.
+
+---
+
+[//]: # "START/v1.0.1"
+
+# v1.0.1
+
+## Features
+
+- This release also contains an arm64 Docker image. {#20}
+- Docker images are also pushed to the :latest and :<major>.<minor> tags.
+
+---
+
+[//]: # "START/v1.0.0"
+
+# v1.0.0
+
+## Features:
+
+- Option to automatically deploy 1Password Connect via the operator
+- Ignore restart annotation when looking for 1Password annotations
+- Release Automation
+- Upgrading apiextensions.k8s.io/v1beta apiversion from the operator custom resource
+- Adding configuration for auto rolling restart on deployments
+- Configure Auto Restarts for a OnePasswordItem Custom Resource
+- Update Connect Dependencies to latest
+- Add Github action for building and testing operator
+
+## Fixes:
+
+- Fix spec field example for OnePasswordItem in readme
+- Casing of annotations are now consistent
+
+---
+
+[//]: # "START/v0.0.2"
+
+# v0.0.2
+
+## Features:
+
+- Items can now be accessed by either `vaults/<vault_id>/items/<item_id>` or `vaults/<vault_title>/items/<item_title>`
+
+---
+
+[//]: # "START/v0.0.1"
+
+# v0.0.1
+
+Initial 1Password Operator release
+
+## Features
+
+- watches for deployment creations with `onepassword` annotations and creates an associated kubernetes secret
+- watches for `onepasswordsecret` crd creations and creates an associated kubernetes secrets
+- watches for changes to 1Password secrets associated with kubernetes secrets and updates the kubernetes secret with changes
+- restart pods when secret has been updated
+- cleanup of kubernetes secrets when deployment or `onepasswordsecret` is deleted
+
+---

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 1Password
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Makefile

@@ -233,3 +233,31 @@ catalog-build: opm ## Build a catalog image.
 .PHONY: catalog-push
 catalog-push: ## Push a catalog image.
 	$(MAKE) docker-push IMG=$(CATALOG_IMG)
+
+## Release functions =====================
+
+release/prepare: .check_git_clean	## Updates changelog and creates release branch (call with 'release/prepare version=<new_version_number>')
+
+	@test $(version) || (echo "[ERROR] version argument not set."; exit 1)
+	@git fetch --quiet origin $(MAIN_BRANCH)
+
+	@echo $(version) | tr -d '\n' | tee $(versionFile) &>/dev/null
+
+	@NEW_VERSION=$(version) $(SCRIPTS_DIR)/prepare-release.sh
+
+release/tag: .check_git_clean	## Creates git tag
+	@git pull --ff-only
+	@echo "Applying tag 'v$(curVersion)' to HEAD..."
+	@git tag --sign "v$(curVersion)" -m "Release v$(curVersion)"
+	@echo "[OK] Success!"
+	@echo "Remember to call 'git push --tags' to persist the tag."
+
+## Helper functions =====================
+
+.check_git_clean:
+ifneq ($(GIT_BRANCH), $(MAIN_BRANCH))
+	@echo "[ERROR] Please checkout default branch '$(MAIN_BRANCH)' and re-run this command."; exit 1;
+endif
+ifneq ($(WORKTREE_CLEAN), 0)
+	@echo "[ERROR] Uncommitted changes found in worktree. Address them and try again."; exit 1;
+endif

scripts/prepare-release.sh

@@ -0,0 +1,104 @@
+#!/usr/bin/env bash
+#
+# prepare-release.sh
+# (Note: This should be called by `make release/prepare` because it depends
+#   on several variables set by the Makefile)
+#
+# Performs release preparation tasks:
+#   - Creates a release branch
+#   - Renames "LATEST" section to the new version number
+#   - Adds new "LATEST" entry to the changelog
+#
+##############################################
+set -Eeuo pipefail
+
+if [[ -z "${NEW_VERSION:-}" ]]; then
+    echo "[ERROR] NEW_VERSION environment variable not defined." >&2
+    exit 1
+fi
+
+# Script called from within a git repo?
+if [[ $(git rev-parse --is-inside-work-tree &>/dev/null) -ne 0 ]]; then
+    echo "[ERROR] Current directory (${SRCDIR}) is not a git repository" >&2
+    exit 1
+fi
+
+REPO_ROOT=$(git rev-parse --show-toplevel)
+CHANGELOG_FILENAME=${CHANGELOG:-"CHANGELOG.md"}
+
+# normalize version by removing `v` prefix
+VERSION_NUM=${NEW_VERSION/#v/}
+RELEASE_BRANCH=$(printf "release/v%s" "${VERSION_NUM}")
+
+function updateChangelog() {
+    local tmpfile
+
+    trap '[ -e "${tmpfile}" ] && rm "${tmpfile}"' RETURN
+
+    local changelogFile
+    changelogFile=$(printf "%s/%s" "${REPO_ROOT}" "${CHANGELOG_FILENAME}")
+
+    # create Changelog file if not exists
+    if ! [[ -f "${REPO_ROOT}/${CHANGELOG_FILENAME}" ]]; then
+        touch "${REPO_ROOT}/${CHANGELOG_FILENAME}" && \
+        git add "${REPO_ROOT}/${CHANGELOG_FILENAME}"
+    fi
+
+    tmpfile=$(mktemp)
+
+    # Replace "Latest" in the top-most changelog block with new version
+    # Then push a new "latest" block to top of the changelog
+    awk 'NR==1, /---/{ sub(/START\/LATEST/, "START/v'${VERSION_NUM}'"); sub(/# Latest/, "# v'${VERSION_NUM}'") } {print}' \
+     "${changelogFile}" > "${tmpfile}"
+
+    # Inserts "Latest" changelog HEREDOC at the top of the file
+    cat - "${tmpfile}" << EOF > "${REPO_ROOT}/${CHANGELOG_FILENAME}"
+[//]: # (START/LATEST)
+# Latest
+
+## Features
+  * A user-friendly description of a new feature. {issue-number}
+
+## Fixes
+ * A user-friendly description of a fix. {issue-number}
+
+## Security
+ * A user-friendly description of a security fix. {issue-number}
+
+---
+
+EOF
+}
+
+function _main() {
+
+    # Stash version changes
+    git stash push &>/dev/null
+
+    if ! git checkout -b "${RELEASE_BRANCH}" origin/"${MAIN_BRANCH:-main}"; then
+        echo "[ERROR] Could not check out release branch." >&2
+        git stash pop &>/dev/null
+        exit 1
+    fi
+
+    # Add the version changes to release branch
+    git stash pop &>/dev/null
+
+    updateChangelog
+
+    cat << EOF
+
+[SUCCESS] Changelog updated & release branch created:
+    New Version:    ${NEW_VERSION}
+    Release Branch: ${RELEASE_BRANCH}
+
+Next steps:
+    1. Edit the changelog notes in ${CHANGELOG_FILENAME}
+    2. Commit changes to the release branch
+    3. Push changes to remote => git push origin ${RELEASE_BRANCH}
+
+EOF
+    exit 0
+}
+
+_main