Bootstrap root workspace with pre-defined identities

Adds a new --root-identities-file kcp cmd flag to read
the APIExport-identity pairs from a file.

On-behalf-of: @SAP [email protected]
Signed-off-by: Robert Vasek <[email protected]>

Author: gman0

config/root-identities/bootstrap.go

@@ -0,0 +1,71 @@
+/*
+Copyright 2025 The KCP Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rootidentities
+
+import (
+	"context"
+	"embed"
+	"fmt"
+
+	"sigs.k8s.io/yaml"
+
+	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/kubernetes"
+
+	confighelpers "github.com/kcp-dev/kcp/config/helpers"
+)
+
+//go:embed *.yaml
+var fs embed.FS
+
+// bootstrapIdentities is the structure we expect to receive
+// from --root-identities-file in YAML format.
+type bootstrapIdentities struct {
+	Identities []struct {
+		Export   string `json:"export"`
+		Identity string `json:"identity"`
+	} `json:"identities"`
+}
+
+// Bootstrap creates resources in this package by continuously retrying the list.
+// This is blocking, i.e. it only returns (with error) when the context is closed or with nil when
+// the bootstrapping is successfully completed.
+func Bootstrap(
+	ctx context.Context,
+	rootDiscoveryClient discovery.DiscoveryInterface,
+	rootDynamicClient dynamic.Interface,
+	kubeClient kubernetes.Interface,
+	bootstrapIdentitiesBytes []byte,
+) error {
+	var identities bootstrapIdentities
+	if err := yaml.UnmarshalStrict(bootstrapIdentitiesBytes, &identities); err != nil {
+		return fmt.Errorf("failed to parse bootstrap identities: %v", err)
+	}
+
+	for _, identity := range identities.Identities {
+		err := confighelpers.Bootstrap(ctx, kubeClient.Discovery(), rootDynamicClient, nil, fs, confighelpers.ReplaceOption(
+			"IDENTITY_APIEXPORT", identity.Export,
+			"IDENTITY_KEY", identity.Identity,
+		))
+		if err != nil {
+			return fmt.Errorf("failed to bootstrap identity secret for %s: %v", identity.Export, err)
+		}
+	}
+
+	return nil
+}

config/root-identities/namespace/bootstrap.go

@@ -0,0 +1,43 @@
+/*
+Copyright 2025 The KCP Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package namespace
+
+import (
+	"context"
+	"embed"
+
+	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/kubernetes"
+
+	confighelpers "github.com/kcp-dev/kcp/config/helpers"
+)
+
+//go:embed *.yaml
+var fs embed.FS
+
+// Bootstrap creates resources in this package by continuously retrying the list.
+// This is blocking, i.e. it only returns (with error) when the context is closed or with nil when
+// the bootstrapping is successfully completed.
+func Bootstrap(
+	ctx context.Context,
+	rootDiscoveryClient discovery.DiscoveryInterface,
+	rootDynamicClient dynamic.Interface,
+	kubeClient kubernetes.Interface,
+) error {
+	return confighelpers.Bootstrap(ctx, kubeClient.Discovery(), rootDynamicClient, nil, fs)
+}

config/root-identities/namespace/namespace-kcp-system.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kcp-system
+  annotations:
+    bootstrap.kcp.io/create-only: "true"
+    kcp.io/cluster: root

config/root-identities/secret-identity.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: IDENTITY_APIEXPORT
+  namespace: kcp-system
+  annotations:
+    bootstrap.kcp.io/create-only: "true"
+stringData:
+  key: IDENTITY_KEY

pkg/server/options/options.go

@@ -67,6 +67,7 @@ type ExtraOptions struct {
 	LogicalClusterAdminKubeconfig         string
 	ExternalLogicalClusterAdminKubeconfig string
 	ConversionCELTransformationTimeout    time.Duration
+	RootIdentitiesFile                    string
 	BatteriesIncluded                     []string
 	// DEVELOPMENT ONLY. AdditionalMappingsFile is the path to a file that contains additional mappings
 	// for the mini-front-proxy to use. The file should be in the format of the
@@ -166,6 +167,7 @@ func (o *Options) AddFlags(fss *cliflag.NamedFlagSets) {
 	fs.StringVar(&o.Extra.ShardClientKeyFile, "shard-client-key-file", o.Extra.ShardClientKeyFile, "Path to a client certificate key file the shard uses to communicate with other system components.")
 	fs.StringVar(&o.Extra.LogicalClusterAdminKubeconfig, "logical-cluster-admin-kubeconfig", o.Extra.LogicalClusterAdminKubeconfig, "Kubeconfig holding system:kcp:logical-cluster-admin credentials for connecting to other shards. Defaults to the loopback client")
 	fs.StringVar(&o.Extra.ExternalLogicalClusterAdminKubeconfig, "external-logical-cluster-admin-kubeconfig", o.Extra.ExternalLogicalClusterAdminKubeconfig, "Kubeconfig holding system:kcp:external-logical-cluster-admin credentials for connecting to the external address (e.g. the front-proxy). Defaults to the loopback client")
+	fs.StringVar(&o.Extra.RootIdentitiesFile, "root-identities-file", "", "Path to a YAML file used to bootstrap APIExport identities inside the root workspace. The YAML file must be structured as {\"identities\": [ {\"export\": \"<APIExport name>\", \"identity\": \"<APIExport identity>\"}, ... ]}. If a secret with matching APIExport name already exists inside kcp-system namespace, it will be left unchanged. Defaults to empty, i.e. no identities are bootstrapped.")
 
 	fs.BoolVar(&o.Extra.ExperimentalBindFreePort, "experimental-bind-free-port", o.Extra.ExperimentalBindFreePort, "Bind to a free port. --secure-port must be 0. Use the admin.kubeconfig to extract the chosen port.")
 	fs.MarkHidden("experimental-bind-free-port") //nolint:errcheck

pkg/server/server.go

@@ -47,6 +47,8 @@ import (
 	"github.com/kcp-dev/logicalcluster/v3"
 
 	configroot "github.com/kcp-dev/kcp/config/root"
+	configrootidentities "github.com/kcp-dev/kcp/config/root-identities"
+	configrootidentitiesns "github.com/kcp-dev/kcp/config/root-identities/namespace"
 	configrootphase0 "github.com/kcp-dev/kcp/config/root-phase0"
 	configshard "github.com/kcp-dev/kcp/config/shard"
 	systemcrds "github.com/kcp-dev/kcp/config/system-crds"
@@ -434,6 +436,36 @@ func (s *Server) Run(ctx context.Context) error {
 			logger.Info("bootstrapping root workspace phase 0")
 			s.RootShardKcpClusterClient = s.KcpClusterClient
 
+			if s.Options.Extra.RootIdentitiesFile != "" {
+				logger.Info("bootstrapping identities into root workspace", "file", s.Options.Extra.RootIdentitiesFile)
+				logger.Info("creating system namespace in root workspace")
+				if err := configrootidentitiesns.Bootstrap(hookCtx,
+					s.BootstrapApiExtensionsClusterClient.Cluster(core.RootCluster.Path()).Discovery(),
+					s.DynamicClusterClient.Cluster(core.RootCluster.Path()),
+					s.KubeClusterClient.Cluster(core.RootCluster.Path()),
+				); err != nil {
+					logger.Error(err, "failed to bootstrap identity secrets namespace")
+					return nil // don't klog.Fatal. This only happens when context is cancelled.
+				}
+				logger.Info("created system namespace in root workspace")
+				logger.Info("bootstrapping root workspace with identities", "file", s.Options.Extra.RootIdentitiesFile)
+				identitiesBytes, err := os.ReadFile(s.Options.Extra.RootIdentitiesFile)
+				if err != nil {
+					logger.Error(err, "failed to read root identities file")
+					return nil // don't klog.Fatal. This only happens when context is cancelled.
+				}
+				if err := configrootidentities.Bootstrap(hookCtx,
+					s.BootstrapApiExtensionsClusterClient.Cluster(core.RootCluster.Path()).Discovery(),
+					s.DynamicClusterClient.Cluster(core.RootCluster.Path()),
+					s.KubeClusterClient.Cluster(core.RootCluster.Path()),
+					identitiesBytes,
+				); err != nil {
+					logger.Error(err, "failed to bootstrap root workspace with identities")
+					return nil // don't klog.Fatal. This only happens when context is cancelled.
+				}
+				logger.Info("bootstrapped root workspace with identities", "file", s.Options.Extra.RootIdentitiesFile)
+			}
+
 			// bootstrap root workspace phase 0 only if we are on the root shard, no APIBinding resources yet
 			if err := configrootphase0.Bootstrap(hookCtx,
 				s.KcpClusterClient.Cluster(core.RootCluster.Path()),