merge

Author: cbarbian-sap

.github/workflows/build.yaml

@@ -24,7 +24,7 @@ defaults:
 jobs:
   test:
     name: Run tests
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
 
     steps:
     - name: Checkout repository
@@ -74,7 +74,7 @@ jobs:
 
   build-docker:
     name: Build Docker image
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: test
     permissions:
       contents: read
@@ -128,7 +128,7 @@ jobs:
 
   test-helm:
     name: Run Helm chart tests
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: build-docker
 
     steps:

.github/workflows/publish.yaml

@@ -19,7 +19,7 @@ defaults:
 jobs:
   publish-go-module:
     name: Publish go module
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
 
     steps:
     - name: Trigger registration on sum.golang.org
@@ -34,7 +34,7 @@ jobs:
 
   validate:
     name: Run validations
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
 
     steps:
     - name: Checkout repository
@@ -55,7 +55,7 @@ jobs:
 
   publish-docker:
     name: Publish Docker image
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: validate
     permissions:
       contents: read
@@ -106,7 +106,7 @@ jobs:
 
   publish-crds:
     name: Publish CRD image
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: validate
     permissions:
       contents: read
@@ -140,7 +140,7 @@ jobs:
 
   publish-chart:
     name: Publish chart to github packages
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: validate
     permissions:
       contents: read

.github/workflows/release.yaml

@@ -37,7 +37,7 @@ defaults:
 jobs:
   release:
     name: Trigger release
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       contents: write
 

Dockerfile

@@ -25,7 +25,7 @@ RUN make envtest \
  && CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager main.go
 
 # Create final image
-FROM alpine:3.20
+FROM alpine:3.21
 WORKDIR /
 ENV GNUPGHOME=/tmp
 ENTRYPOINT ["/usr/local/bin/manager"]

README.md

@@ -12,7 +12,7 @@ Here, components are understood as sets of Kubernetes resources (such as deploym
 
 Thus, components are similar to flux kustomizations, but have some important advantages:
 - They use the [component-operator-runtime](https://github.com/sap/component-operator-runtime) framework to render and deploy dependent objects; therefore the manifest source can be any input that is understood by component-operator-runtime's [KustomizeGenerator](https://sap.github.io/component-operator-runtime/docs/generators/kustomize/) or [HelmGenerator](https://sap.github.io/component-operator-runtime/docs/generators/helm/). In particular, go-templatized kustomizations are allowed; check the [component-operator-runtime documentation](https://sap.github.io/component-operator-runtime/docs) for details.
-- It is possible to pin components to a specific source revision through the `spec.revision` field.
+- It is possible to pin components to a specific source revision or digest through the `spec.revision` and `spec.digest` fields, respectively.
 - Dependencies (as specified in `spec.dependencies`) are not only honored at creation/update, but also on deletion.
 
 A sample component could look like this:
@@ -111,12 +111,12 @@ sourceRef:
 
 Cross-namespace references are allowed; if namespace is not provided, the source will be assumed to exist in the component's namespace.
 
-### Source revision
+### Source revision and digest
 
-It is possible to pin a `Component` resource to a specific revision of the source artifact by setting `spec.revision`.
-Pinning means that the component will remain in a `Pending` state, until the used source object's revision matches the the value
-specified in `spec.revision`. More precisely, in case of flux source resources, the field refers to `status.artifact.revision` of the flux object.
-It should be noted that a revision mismatch in the above sense never blocks the deletion of the component.
+It is possible to pin a `Component` resource to a specific revision or digest of the source artifact by setting `spec.revision` and `spec.digest`, respectively.
+Pinning means that the component will remain in a `Pending` state, until the used source object's revision or digest matches the the value
+specified in `spec.revision` or `spec.digest`. In case of flux sources, revision and digest refer to `status.artifact.revision` and `status.artifact.digest` of the according flux object.
+It should be noted that a revision or digest mismatch in the above sense never blocks the deletion of the component.
 
 ### Source path
 
@@ -154,6 +154,33 @@ The replacements may be defined either inline in `spec.postBuild.substitute` as
 the keys of the secrets will be interpreted as variable names (and therefore have to be valid bash variable names). If multiple secrets, and
 maybe inline substitutions are provided, they will be merged in the usual order (secrets in order of appearance, and then inline content). 
 
+### Adoption policy
+
+It can happen that a dependent object exists in the cluster already, but is not managed by the component object being reconciled (the ownership is determined through the label `component-operator.cs.sap.com/owner-id`). The behaviour of component-operator in that situation can be configured by setting `spec.adoptionPolicy`. The following values are possible:
+- `IfUnowned` (which is also the default behaviour if the adoption policy attribute is unset): adopt existing objects, unless they have the above label set, but with a value pointing to a different owning component; in that case, a failure will occur
+- `Never`:  always fail if an object already exists (not owned by the current component of course)
+- `Always`: always adopt existing objects.
+
+The adoption policy can be overridden on a per-object level by setting annotation `component-operator.cs.sap.com/adoption-policy`.
+
+### Update policy
+
+It is possible to tweak how component-operator performs updates of dependent objects by setting `spec.updatePolicy`. The following values are supported:
+- `Replace`: use a PUT request to update the object; this corresponds to `kubectl replace`
+- `Recreate`: delete and recreate objects which are to be updated
+- `SsaMerge`: use a server-side-apply PATCH request to update the object; this corresponds to `kubectl apply --server-side --force-conflicts`
+- `SsaOverride` (which is the default behaviour if the update policy is not specified): same as `SsaMerge` and, in addition, claim all existing fields that have a field owner starting with prefix `kubectl` or `helm`; this reverts changes done by these field managers, respectively drops affected fields if not specified by the submitted intent and not owned by somebody else.
+
+The update policy can be overridden on a per-object level by setting annotation `component-operator.cs.sap.com/update-policy`.
+
+### Delete policy
+
+It is possible to tweak what happens with dependents objects when the owning component is deleted. By default objects are deleted.
+By setting `spec.deletePolicy` to `Orphan`, dependent objects will not be deleted in that case, but just left around in the cluster.
+Note that this affects only the case when the component is deleted. If a depdendent object becomes obsolete because a new revision
+of the component manifests does no longer contain it, it will still be removed from the cluster.
+The delete policy can be overridden on a per-object level by setting annotation `component-operator.cs.sap.com/delete-policy`.
+
 ### Dependencies
 
 As with flux kustomizations, it is possible to declare dependencies between `Component` objects, that means, to list other components,

api/v1alpha1/types.go

@@ -24,8 +24,10 @@ type ComponentSpec struct {
 	component.RequeueSpec   `json:",inline"`
 	component.RetrySpec     `json:",inline"`
 	component.TimeoutSpec   `json:",inline"`
+	component.PolicySpec    `json:",inline"`
 	// +required
 	SourceRef    SourceReference                `json:"sourceRef"`
+	Digest       string                         `json:"digest,omitempty"`
 	Revision     string                         `json:"revision,omitempty"`
 	Path         string                         `json:"path,omitempty"`
 	Values       *apiextensionsv1.JSON          `json:"values,omitempty"`
@@ -36,26 +38,29 @@ type ComponentSpec struct {
 }
 
 // SourceReference models the source of the templates used to render the dependent resources.
-// Exactly one of the options must be provided. Before accessing the Url() or Revision() methods,
-// a SourceReference must be loaded by calling LoadSourceReference().
+// Exactly one of the options must be provided. Before accessing the Url(), Digest() or Revision() methods,
+// a SourceReference must be loaded by calling Init().
 type SourceReference struct {
+	HttpRepository    *HttpRepository    `json:"httpRepository,omitempty"`
 	FluxGitRepository *FluxGitRepository `json:"fluxGitRepository,omitempty"`
 	FluxOciRepository *FluxOciRepository `json:"fluxOciRepository,omitempty"`
 	FluxBucket        *FluxBucket        `json:"fluxBucket,omitempty"`
 	FluxHelmChart     *FluxHelmChart     `json:"fluxHelmChart,omitempty"`
 	url               string             `json:"-"`
+	digest            string             `json:"-"`
 	revision          string             `json:"-"`
 	loaded            bool               `json:"-"`
 }
 
 // Initialize source reference. This is meant to be called by the reconciler.
 // Other consumers should probably not (need to) call this.
-func (r *SourceReference) Init(url string, revision string) {
+func (r *SourceReference) Init(url string, digest string, revision string) {
 	if r.loaded {
 		// note: this panic indicates a programmatic error on the consumer side
 		panic("reference already initialized")
 	}
 	r.url = url
+	r.digest = digest
 	r.revision = revision
 	r.loaded = true
 }
@@ -71,8 +76,18 @@ func (r *SourceReference) Url() string {
 	return r.url
 }
 
+// Get the digest of a loaded source reference. Calling Digest() on a not-loaded source reference will panic.
+// The returned digest uniquely identifies the content of the referenced archive.
+func (r *SourceReference) Digest() string {
+	if !r.loaded {
+		// note: this panic indicates a programmatic error on the consumer side
+		panic("access to unloaded reference")
+	}
+	return r.digest
+}
+
 // Get the revision of a loaded source reference. Calling Revision() on a not-loaded source reference will panic.
-// The returned revision is unique for the referenced archive (usually a Git SHA or hash or digest).
+// The returned revision is often but not always unique for the referenced archive (usually a Git SHA or hash or digest).
 func (r *SourceReference) Revision() string {
 	if !r.loaded {
 		// note: this panic indicates a programmatic error on the consumer side
@@ -83,12 +98,27 @@ func (r *SourceReference) Revision() string {
 
 // Check if source reference equals other given source reference.
 func (r *SourceReference) Equals(s *SourceReference) bool {
-	return equal(r.FluxGitRepository, s.FluxGitRepository) &&
+	return equal(r.HttpRepository, s.HttpRepository) &&
+		equal(r.FluxGitRepository, s.FluxGitRepository) &&
 		equal(r.FluxOciRepository, s.FluxOciRepository) &&
 		equal(r.FluxBucket, s.FluxBucket) &&
 		equal(r.FluxHelmChart, s.FluxHelmChart)
 }
 
+// Reference to a generic http repository.
+type HttpRepository struct {
+	// URL of the source. Authentication is currently not supported. The operator will make HEAD requests to retrieve the digest/revision
+	// and a potentially redirected actual location of the source artifact. Redirects will be followed as long as the response does not
+	// contain the specified digest header.
+	Url string `json:"url,omitempty"`
+	// Name of the header containing the digest of the source artifact. The returned header value can be any format, but must uniquely identify the
+	// content of the source artifact. Defaults to the ETag header.
+	DigestHeader string `json:"digestHeader,omitempty"`
+	// Name of the header containing the revision of the source artifact. The returned header value can be any format.
+	// Defaults to the header specified in DigestHeader.
+	RevisionHeader string `json:"revisionHeader,omitempty"`
+}
+
 // Reference to a flux GitRepository.
 type FluxGitRepository struct {
 	NamespacedName `json:",inline"`
@@ -163,7 +193,9 @@ func (n NamespacedName) String() string {
 // ComponentStatus defines the observed state of Component.
 type ComponentStatus struct {
 	component.Status      `json:",inline"`
+	LastAttemptedDigest   string `json:"lastAttemptedDigest,omitempty"`
 	LastAttemptedRevision string `json:"lastAttemptedRevision,omitempty"`
+	LastAppliedDigest     string `json:"lastAppliedDigest,omitempty"`
 	LastAppliedRevision   string `json:"lastAppliedRevision,omitempty"`
 }
 
@@ -195,7 +227,7 @@ func (c *Component) NamespacedName() apitypes.NamespacedName {
 
 // Reports the readiness of the component.
 func (c *Component) IsReady() bool {
-	return c.Status.IsReady()
+	return c.Status.ObservedGeneration == c.Generation && c.Status.IsReady()
 }
 
 // +kubebuilder:object:root=true

api/v1alpha1/zz_generated.deepcopy.go

@@ -2,5 +2,5 @@ apiVersion: v2
 name: component-operator
 description: A Helm chart for https://github.com/sap/component-operator
 type: application
-version: 0.1.8
-appVersion: v0.1.8
+version: 0.1.13
+appVersion: v0.1.13

chart/Chart.yaml

@@ -1,6 +1,6 @@
 # component-operator
 
-![Version: 0.1.8](https://img.shields.io/badge/Version-0.1.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.1.8](https://img.shields.io/badge/AppVersion-v0.1.8-informational?style=flat-square)
+![Version: 0.1.13](https://img.shields.io/badge/Version-0.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.1.13](https://img.shields.io/badge/AppVersion-v0.1.13-informational?style=flat-square)
 
 A Helm chart for https://github.com/sap/component-operator