Merge pull request #59 from open-component-model/target-ctrl

Adding a target reconciler

Makefile

@@ -4,6 +4,9 @@ IMG ?= open-component-model/mpas-product-controller:latest
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
 ENVTEST_K8S_VERSION = 1.26.0
 
+# Allows for defining additional Go test args, e.g. '-tags integration'.
+GO_TEST_ARGS ?= -race
+
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
 GOBIN=$(shell go env GOPATH)/bin
@@ -56,7 +59,7 @@ vet: ## Run go vet against code.
 
 .PHONY: test
 test: manifests generate fmt vet envtest ## Run tests.
-	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test ./... -coverprofile cover.out
+	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test ./... $(GO_TEST_ARGS) -coverprofile cover.out
 
 ##@ Build
 

api/v1alpha1/condition_types.go

@@ -61,6 +61,18 @@ const (
 
 	// GitRepositoryCleanUpFailedReason is used when we couldn't delete the GitRepository.
 	GitRepositoryCleanUpFailedReason = "GitRepositoryCleanUpFailed"
+
+	// NamespaceCreateOrUpdateFailedReason indicates that the project namespace could not be reconciled.
+	NamespaceCreateOrUpdateFailedReason string = "NamespaceCreateOrUpdateFailed"
+
+	// SecretRetrievalFailedReason indicates that the project namespace could not be retrieved from the namespace.
+	SecretRetrievalFailedReason = "SecretRetrievalFailed"
+
+	// ServiceAccountCreateOrUpdateFailedReason indicates that the project service account could not be reconciled.
+	ServiceAccountCreateOrUpdateFailedReason string = "ServiceAccountCreateOrUpdateFailed"
+
+	// AccessInvalidReason indicates that the access credentials or target are invalid.
+	AccessInvalidReason = "AccessInvalid"
 )
 
 const (

api/v1alpha1/target_types.go

@@ -5,6 +5,8 @@
 package v1alpha1
 
 import (
+	"time"
+
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -25,12 +27,52 @@ var (
 type TargetSpec struct {
 	// +required
 	Type TargetType `json:"type"`
+
 	// +optional
 	Access *apiextensionsv1.JSON `json:"access,omitempty"`
+
+	// Interval is the reconciliation interval, i.e. at what interval shall a reconciliation happen.
+	// This is used to requeue objects for reconciliation in case the related subscription hasn't been finished yet.
+	// +required
+	Interval metav1.Duration `json:"interval"`
+
+	// ServiceAccountName is the name of the ServiceAccount to be created in the target namespace.
+	// +optional
+	ServiceAccountName string `json:"serviceAccountName"`
+
+	// selector is a label query over secrets that should be used for target access.
+	// If found, the secrets will added to the target ServiceAccount as image pull secrets.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	// +optional
+	SecretsSelector *metav1.LabelSelector `json:"selector,omitempty"`
 }
 
 // TargetStatus defines the observed state of Target
 type TargetStatus struct {
+	// ObservedGeneration is the last reconciled generation.
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+
+	// +optional
+	// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""
+	// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description=""
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// GetConditions returns the conditions of the ComponentVersion.
+func (in *Target) GetConditions() []metav1.Condition {
+	return in.Status.Conditions
+}
+
+// SetConditions sets the conditions of the ComponentVersion.
+func (in *Target) SetConditions(conditions []metav1.Condition) {
+	in.Status.Conditions = conditions
+}
+
+// GetRequeueAfter returns the duration after which the ComponentVersion must be
+// reconciled again.
+func (in Target) GetRequeueAfter() time.Duration {
+	return in.Spec.Interval.Duration
 }
 
 //+kubebuilder:object:root=true

config/crd/bases/mpas.ocm.software_targets.yaml

@@ -37,14 +37,145 @@ spec:
             properties:
               access:
                 x-kubernetes-preserve-unknown-fields: true
+              interval:
+                description: Interval is the reconciliation interval, i.e. at what
+                  interval shall a reconciliation happen. This is used to requeue
+                  objects for reconciliation in case the related subscription hasn't
+                  been finished yet.
+                type: string
+              selector:
+                description: 'selector is a label query over secrets that should be
+                  used for target access. If found, the secrets will added to the
+                  target ServiceAccount as image pull secrets. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors'
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: A label selector requirement is a selector that
+                        contains values, a key, and an operator that relates the key
+                        and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: operator represents a key's relationship to
+                            a set of values. Valid operators are In, NotIn, Exists
+                            and DoesNotExist.
+                          type: string
+                        values:
+                          description: values is an array of string values. If the
+                            operator is In or NotIn, the values array must be non-empty.
+                            If the operator is Exists or DoesNotExist, the values
+                            array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: matchLabels is a map of {key,value} pairs. A single
+                      {key,value} in the matchLabels map is equivalent to an element
+                      of matchExpressions, whose key field is "key", the operator
+                      is "In", and the values array contains only "value". The requirements
+                      are ANDed.
+                    type: object
+                type: object
+                x-kubernetes-map-type: atomic
+              serviceAccountName:
+                description: ServiceAccountName is the name of the ServiceAccount
+                  to be created in the target namespace.
+                type: string
               type:
                 description: TargetType defines valid types for Targets.
                 type: string
             required:
+            - interval
             - type
             type: object
           status:
             description: TargetStatus defines the observed state of Target
+            properties:
+              conditions:
+                items:
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource. --- This struct is intended for direct
+                    use as an array at the field path .status.conditions.  For example,
+                    \n type FooStatus struct{ // Represents the observations of a
+                    foo's current state. // Known .status.conditions.type are: \"Available\",
+                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+              observedGeneration:
+                description: ObservedGeneration is the last reconciled generation.
+                format: int64
+                type: integer
             type: object
         type: object
     served: true

config/manager/kustomization.yaml

@@ -1,14 +1,14 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - manager.yaml
+- manager.yaml
 images:
-  - name: controller
-    newName: controller
-    newTag: latest
-  - name: open-component-model/mpas-product-controller
-    newName: ghcr.io/open-component-model/mpas-product-controller
-    newTag: latest
+- name: controller
+  newName: open-component-model/mpas-product-controller
+  newTag: latest
+- name: open-component-model/mpas-product-controller
+  newName: ghcr.io/open-component-model/mpas-product-controller
+  newTag: latest
 
 # Uncomment to enable HTTPS for the registry
 patches:

config/manager/manager.yaml

@@ -46,6 +46,7 @@ spec:
         - --leader-elect
         - --oci-registry-addr=registry.ocm-system.svc.cluster.local:5000
         image: open-component-model/mpas-product-controller:latest
+        imagePullPolicy: IfNotPresent
         name: manager
         securityContext:
           allowPrivilegeEscalation: false

config/rbac/role.yaml

@@ -5,6 +5,13 @@ metadata:
   creationTimestamp: null
   name: mpas-product-controller-role
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
 - apiGroups:
   - ""
   resources:
@@ -19,6 +26,27 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  - serviceaccounts
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - delivery.ocm.software
   resources:
@@ -229,6 +257,20 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - mpas.ocm.software
+  resources:
+  - targets/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - mpas.ocm.software
+  resources:
+  - targets/status
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
   - mpas.ocm.software
   resources:

config/samples/mpas_v1alpha1_target.yaml

@@ -11,5 +11,6 @@ metadata:
 spec:
   type: Kubernetes
   access:
-    secretRef:
-      name: kube-config
+    targetNamespace: target-sample
+  serviceAccountName: target-sample
+  interval: 10s