GoogleContainerTools
diff --git a/‎cmd/reconciler-manager/main.go
Lines changed: 15 additions & 9 deletions b/‎cmd/reconciler-manager/main.go
Lines changed: 15 additions & 9 deletions
diff --git a/‎manifests/base/kustomization.yaml
Lines changed: 1 addition & 0 deletions b/‎manifests/base/kustomization.yaml
Lines changed: 1 addition & 0 deletions
diff --git a/‎manifests/ns-reconciler-cluster-scope-cluster-role.yaml
Lines changed: 27 additions & 0 deletions b/‎manifests/ns-reconciler-cluster-scope-cluster-role.yaml
Lines changed: 27 additions & 0 deletions
diff --git a/‎manifests/root-reconciler-base-cluster-role.yaml
Lines changed: 3 additions & 0 deletions b/‎manifests/root-reconciler-base-cluster-role.yaml
Lines changed: 3 additions & 0 deletions
diff --git a/‎pkg/reconciler/reconciler.go
Lines changed: 36 additions & 29 deletions b/‎pkg/reconciler/reconciler.go
Lines changed: 36 additions & 29 deletions
diff --git a/‎pkg/reconcilermanager/controllers/build_names.go
Lines changed: 12 additions & 2 deletions b/‎pkg/reconcilermanager/controllers/build_names.go
Lines changed: 12 additions & 2 deletions
diff --git a/‎pkg/reconcilermanager/controllers/crd_controller.go
Lines changed: 66 additions & 55 deletions b/‎pkg/reconcilermanager/controllers/crd_controller.go
Lines changed: 66 additions & 55 deletions
@@ -95,7 +95,7 @@ func main() {
 	}
 	watchFleetMembership := fleetMembershipCRDExists(dynamicClient, mgr.GetRESTMapper(), &setupLog)
 
-	crdController := controllers.NewCRDReconciler(
+	crdController := controllers.NewCRDController(mgr.GetCache(),
 		textlogger.NewLogger(textlogger.NewConfig()).WithName("controllers").WithName("CRD"))
 	if err := crdController.Register(mgr); err != nil {
 		setupLog.Error(err, "failed to register controller", "controller", "CRD")
@@ -108,11 +108,14 @@ func main() {
 		mgr.GetClient(), watcher, dynamicClient,
 		textlogger.NewLogger(textlogger.NewConfig()).WithName("controllers").WithName(configsync.RepoSyncKind),
 		mgr.GetScheme())
-	crdController.SetCRDHandler(configsync.RepoSyncCRDName, func() error {
-		if err := repoSyncController.Register(mgr, watchFleetMembership); err != nil {
-			return fmt.Errorf("registering %s controller: %w", configsync.RepoSyncKind, err)
+	crdController.SetCRDHandler(configsync.RepoSyncCRDName, func(_ context.Context, established bool) error {
+		if established {
+			if err := repoSyncController.Register(mgr, watchFleetMembership); err != nil {
+				return fmt.Errorf("registering %s controller: %w", configsync.RepoSyncKind, err)
+			}
+			setupLog.Info("RepoSync controller registration successful")
 		}
-		setupLog.Info("RepoSync controller registration successful")
+		// TODO: unregister RepoSync controller if CRD is deleted?
 		return nil
 	})
 	setupLog.Info("RepoSync controller registration scheduled")
@@ -122,11 +125,14 @@ func main() {
 		mgr.GetClient(), watcher, dynamicClient,
 		textlogger.NewLogger(textlogger.NewConfig()).WithName("controllers").WithName(configsync.RootSyncKind),
 		mgr.GetScheme())
-	crdController.SetCRDHandler(configsync.RootSyncCRDName, func() error {
-		if err := rootSyncController.Register(mgr, watchFleetMembership); err != nil {
-			return fmt.Errorf("registering %s controller: %w", configsync.RootSyncKind, err)
+	crdController.SetCRDHandler(configsync.RootSyncCRDName, func(_ context.Context, established bool) error {
+		if established {
+			if err := rootSyncController.Register(mgr, watchFleetMembership); err != nil {
+				return fmt.Errorf("registering %s controller: %w", configsync.RootSyncKind, err)
+			}
+			setupLog.Info("RootSync controller registration successful")
 		}
-		setupLog.Info("RootSync controller registration successful")
+		// TODO: unregister RootSync controller if CRD is deleted?
 		return nil
 	})
 	setupLog.Info("RootSync controller registration scheduled")
 
@@ -19,6 +19,7 @@ resources:
 # Applying hierarchyconfig-crd.yaml allows client-side validation of the HierarchyConfig resources.
 - ../hierarchyconfig-crd.yaml
 - ../namespace-selector-crd.yaml
+- ../ns-reconciler-cluster-scope-cluster-role.yaml
 - ../ns-reconciler-base-cluster-role.yaml
 - ../root-reconciler-base-cluster-role.yaml
 - ../otel-agent-cm.yaml
 
@@ -0,0 +1,27 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This ClusterRole is used by both root-reconcilers and ns-reconcilers.
+# It includes read access for cluster-scope resources.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: configsync.gke.io:ns-reconciler:cluster-scope
+  labels:
+    configmanagement.gke.io/system: "true"
+    configmanagement.gke.io/arch: "csmr"
+rules:
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["get","list","watch"]
@@ -32,3 +32,6 @@ rules:
 - apiGroups: ["kpt.dev"]
   resources: ["resourcegroups/status"]
   verbs: ["*"]
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["get","list","watch"]
@@ -37,6 +37,7 @@ import (
 	"kpt.dev/configsync/pkg/parse/events"
 	"kpt.dev/configsync/pkg/reconciler/finalizer"
 	"kpt.dev/configsync/pkg/reconciler/namespacecontroller"
+	"kpt.dev/configsync/pkg/reconcilermanager/controllers"
 	"kpt.dev/configsync/pkg/remediator"
 	"kpt.dev/configsync/pkg/remediator/conflict"
 	"kpt.dev/configsync/pkg/remediator/watch"
@@ -219,10 +220,44 @@ func Run(opts Options) {
 		klog.Fatalf("Error creating rest config for the remediator: %v", err)
 	}
 
+	// Start listening to signals
+	signalCtx := signals.SetupSignalHandler()
+
+	// Create the ControllerManager
+	ctrl.SetLogger(textlogger.NewLogger(textlogger.NewConfig()))
+	mgrOptions := ctrl.Options{
+		Scheme: core.Scheme,
+		MapperProvider: func(_ *rest.Config, _ *http.Client) (meta.RESTMapper, error) {
+			return mapper, nil
+		},
+		BaseContext: func() context.Context {
+			return signalCtx
+		},
+	}
+	// For Namespaced Reconcilers, set the default namespace to watch.
+	// Otherwise, all namespaced informers will watch at the cluster-scope.
+	// This prevents Namespaced Reconcilers from needing cluster-scoped read
+	// permissions.
+	if opts.ReconcilerScope != declared.RootScope {
+		mgrOptions.Cache.DefaultNamespaces = map[string]cache.Config{
+			string(opts.ReconcilerScope): {},
+		}
+	}
+	mgr, err := ctrl.NewManager(cfgForWatch, mgrOptions)
+	if err != nil {
+		klog.Fatalf("Instantiating Controller Manager: %v", err)
+	}
+
+	crdController := controllers.NewCRDController(mgr.GetCache(),
+		textlogger.NewLogger(textlogger.NewConfig()).WithName("controllers").WithName("CRD"))
+	if err := crdController.Register(mgr); err != nil {
+		klog.Fatalf("Instantiating CRD Controller: %v", err)
+	}
+
 	conflictHandler := conflict.NewHandler()
 	fightHandler := fight.NewHandler()
 
-	rem, err := remediator.New(opts.ReconcilerScope, opts.SyncName, cfgForWatch, baseApplier, conflictHandler, fightHandler, decls, opts.NumWorkers)
+	rem, err := remediator.New(opts.ReconcilerScope, opts.SyncName, cfgForWatch, baseApplier, conflictHandler, fightHandler, crdController, decls, opts.NumWorkers)
 	if err != nil {
 		klog.Fatalf("Instantiating Remediator: %v", err)
 	}
@@ -303,34 +338,6 @@ func Run(opts Options) {
 		parser = parse.NewNamespaceRunner(parseOpts)
 	}
 
-	// Start listening to signals
-	signalCtx := signals.SetupSignalHandler()
-
-	// Create the ControllerManager
-	ctrl.SetLogger(textlogger.NewLogger(textlogger.NewConfig()))
-	mgrOptions := ctrl.Options{
-		Scheme: core.Scheme,
-		MapperProvider: func(_ *rest.Config, _ *http.Client) (meta.RESTMapper, error) {
-			return mapper, nil
-		},
-		BaseContext: func() context.Context {
-			return signalCtx
-		},
-	}
-	// For Namespaced Reconcilers, set the default namespace to watch.
-	// Otherwise, all namespaced informers will watch at the cluster-scope.
-	// This prevents Namespaced Reconcilers from needing cluster-scoped read
-	// permissions.
-	if opts.ReconcilerScope != declared.RootScope {
-		mgrOptions.Cache.DefaultNamespaces = map[string]cache.Config{
-			string(opts.ReconcilerScope): {},
-		}
-	}
-	mgr, err := ctrl.NewManager(cfgForWatch, mgrOptions)
-	if err != nil {
-		klog.Fatalf("Instantiating Controller Manager: %v", err)
-	}
-
 	// This cancelFunc will be used by the Finalizer to stop all the other
 	// controllers (Parser & Remediator).
 	ctx, stopControllers := context.WithCancel(signalCtx)
 
@@ -22,15 +22,25 @@ import (
 )
 
 const (
+	// RepoSyncClusterScopeClusterRoleName is the name of the ClusterRole with
+	// cluster-scoped read permissions for the namespace reconciler.
+	// e.g. configsync.gke.io:ns-reconciler:cluster-scope
+	RepoSyncClusterScopeClusterRoleName = configsync.GroupName + ":" + core.NsReconcilerPrefix + ":cluster-scope"
 	// RepoSyncBaseClusterRoleName is the namespace reconciler permissions name.
 	// e.g. configsync.gke.io:ns-reconciler
 	RepoSyncBaseClusterRoleName = configsync.GroupName + ":" + core.NsReconcilerPrefix
 	// RootSyncBaseClusterRoleName is the root reconciler base ClusterRole name.
 	// e.g. configsync.gke.io:root-reconciler
 	RootSyncBaseClusterRoleName = configsync.GroupName + ":" + core.RootReconcilerPrefix
+	// RepoSyncClusterScopeClusterRoleBindingName is the name of the default
+	// ClusterRoleBinding created for RepoSync objects. This contains basic
+	// cluster-scoped permissions for RepoSync reconcilers
+	// (e.g. CustomResourceDefinition watch).
+	RepoSyncClusterScopeClusterRoleBindingName = RepoSyncClusterScopeClusterRoleName
 	// RepoSyncBaseRoleBindingName is the name of the default RoleBinding created
-	// for RepoSync objects. This contains basic permissions for RepoSync reconcilers
-	//(e.g. RepoSync status update).
+	// for RepoSync objects. This contains basic namespace-scoped permissions
+	// for RepoSync reconcilers
+	// (e.g. RepoSync status update).
 	RepoSyncBaseRoleBindingName = RepoSyncBaseClusterRoleName
 	// RootSyncLegacyClusterRoleBindingName is the name of the legacy ClusterRoleBinding created
 	// for RootSync objects. It is always bound to cluster-admin.
 
@@ -22,57 +22,90 @@ import (
 	"github.com/go-logr/logr"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	v1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	controllerruntime "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/builder"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/event"
-	"sigs.k8s.io/controller-runtime/pkg/predicate"
+	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 )
 
 // CRDHandler is called by the CRDReconciler to handle establishment of a CRD.
-type CRDHandler func() error
+type CRDHandler func(ctx context.Context, established bool) error
 
-var _ reconcile.Reconciler = &CRDReconciler{}
+// CRDWatcher allows callers to add CRDHandlers for specific CRDs by name.
+type CRDWatcher interface {
+	SetCRDHandler(crdName string, handler CRDHandler)
+	RemoveCRDHandler(crdName string)
+}
+
+var _ reconcile.Reconciler = &CRDController{}
+var _ CRDWatcher = &CRDController{}
 
-// CRDReconciler watches CRDs and calls handlers once they are established.
-type CRDReconciler struct {
+// CRDController watches CRDs and calls handlers once they are established.
+type CRDController struct {
 	loggingController
+	cache cache.Cache
 
-	registerLock sync.Mutex
-	handlers     map[string]CRDHandler
-	handledCRDs  map[string]struct{}
+	registerLock    sync.Mutex
+	handlers        map[string]CRDHandler
+	handledCRDState map[string]bool
 }
 
-// NewCRDReconciler constructs a new CRDReconciler.
-func NewCRDReconciler(log logr.Logger) *CRDReconciler {
-	return &CRDReconciler{
+// NewCRDController constructs a new CRDReconciler.
+func NewCRDController(cache cache.Cache, log logr.Logger) *CRDController {
+	return &CRDController{
 		loggingController: loggingController{
 			log: log,
 		},
-		handlers:    make(map[string]CRDHandler),
-		handledCRDs: make(map[string]struct{}),
+		cache:           cache,
+		handlers:        make(map[string]CRDHandler),
+		handledCRDState: make(map[string]bool),
 	}
 }
 
 // SetCRDHandler adds an handler for the specified CRD.
 // The handler will be called when the CRD becomes established.
 // If the handler errors, it will be retried with backoff until success.
-// One the handler succeeds, it will not be called again, unless SetCRDHandler
-// is called again.
-func (r *CRDReconciler) SetCRDHandler(crdName string, crdHandler CRDHandler) {
+// One the handler succeeds as established, it will not be called again, unless
+// SetCRDHandler is called again or the CRD becomes unestablished or is deleted.
+func (r *CRDController) SetCRDHandler(crdName string, crdHandler CRDHandler) {
 	r.registerLock.Lock()
 	defer r.registerLock.Unlock()
 
 	r.handlers[crdName] = crdHandler
-	delete(r.handledCRDs, crdName)
+	delete(r.handledCRDState, crdName)
+}
+
+// RemoveCRDHandler removes the handler for the specified CRD.
+func (r *CRDController) RemoveCRDHandler(crdName string) {
+	r.registerLock.Lock()
+	defer r.registerLock.Unlock()
+
+	delete(r.handlers, crdName)
+	delete(r.handledCRDState, crdName)
 }
 
 // Reconcile the otel ConfigMap and update the Deployment annotation.
-func (r *CRDReconciler) Reconcile(ctx context.Context, req reconcile.Request) (reconcile.Result, error) {
+func (r *CRDController) Reconcile(ctx context.Context, req reconcile.Request) (reconcile.Result, error) {
 	crdName := req.Name
 	ctx = r.setLoggerValues(ctx, "crd", crdName)
 
+	// Established if CRD exists and .status.conditions[type="Established"].status = "True"
+	var established bool
+	crdObj := &apiextensionsv1.CustomResourceDefinition{}
+	if err := r.cache.Get(ctx, req.NamespacedName, crdObj); err != nil {
+		switch {
+		// Should never run into NoMatchFound, since CRD is a built-in resource.
+		case apierrors.IsNotFound(err):
+			established = false
+		default:
+			// Retry with backoff
+			return reconcile.Result{},
+				fmt.Errorf("getting CRD from cache: %s: %w", crdName, err)
+		}
+	} else {
+		established = crdIsEstablished(crdObj)
+	}
+
 	r.registerLock.Lock()
 	defer r.registerLock.Unlock()
 
@@ -81,57 +114,35 @@ func (r *CRDReconciler) Reconcile(ctx context.Context, req reconcile.Request) (r
 		// No handler for this CRD
 		return reconcile.Result{}, nil
 	}
-	if _, handled := r.handledCRDs[crdName]; handled {
-		// Already handled
-		return reconcile.Result{}, nil
+	if lastHandledState, found := r.handledCRDState[crdName]; found {
+		if lastHandledState == established {
+			// Already handled latest state
+			return reconcile.Result{}, nil
+		}
 	}
 
-	r.logger(ctx).V(3).Info("reconciling CRD", "crd", crdName)
+	r.logger(ctx).V(3).Info("reconciling CRD", "crd", crdName, "established", established)
 
-	if err := handler(); err != nil {
+	if err := handler(ctx, established); err != nil {
 		// Retry with backoff
 		return reconcile.Result{},
 			fmt.Errorf("reconciling CRD %s: %w", crdName, err)
 	}
-	// Mark CRD as handled
-	r.handledCRDs[crdName] = struct{}{}
+	// Record latest handled CRD state
+	r.handledCRDState[crdName] = established
 
-	r.logger(ctx).V(3).Info("reconciling CRD successful", "crd", crdName)
+	r.logger(ctx).V(3).Info("reconciling CRD successful", "crd", crdName, "established", established)
 
 	return controllerruntime.Result{}, nil
 }
 
 // Register the CRD controller with reconciler-manager.
-func (r *CRDReconciler) Register(mgr controllerruntime.Manager) error {
+func (r *CRDController) Register(mgr controllerruntime.Manager) error {
 	return controllerruntime.NewControllerManagedBy(mgr).
-		For(&apiextensionsv1.CustomResourceDefinition{},
-			builder.WithPredicates(
-				ignoreDeletesPredicate(),
-				crdIsEstablishedPredicate())).
+		For(&apiextensionsv1.CustomResourceDefinition{}).
 		Complete(r)
 }
 
-// ignoreDeletesPredicate returns a predicate that handles CREATE, UPDATE, and
-// GENERIC events, but not DELETE events.
-func ignoreDeletesPredicate() predicate.Predicate {
-	return predicate.Funcs{
-		DeleteFunc: func(_ event.DeleteEvent) bool {
-			return false
-		},
-	}
-}
-
-// crdIsEstablishedPredicate returns a predicate that only processes events for
-// established CRDs.
-func crdIsEstablishedPredicate() predicate.Predicate {
-	return predicate.NewPredicateFuncs(func(obj client.Object) bool {
-		if crd, ok := obj.(*apiextensionsv1.CustomResourceDefinition); ok {
-			return crdIsEstablished(crd)
-		}
-		return false
-	})
-}
-
 // crdIsEstablished returns true if the given CRD is established on the cluster,
 // which indicates if discovery knows about it yet. For more info see
 // https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/#create-a-customresourcedefinition