✨ implement addon create and delete reconcile on the hub (#28)

* refactor: standardize API conventions (#31)

* refactor: use pointers only for optional fields, use +optional in conjunction with all omitemptys, tidy code

Signed-off-by: Tyler Gillson <[email protected]>

* chore: clarify webhook for hosted mode

Signed-off-by: Tyler Gillson <[email protected]>

* fix: force specification of either clusterManager or singleton

Signed-off-by: Tyler Gillson <[email protected]>

* chore: make reviewable

Signed-off-by: Tyler Gillson <[email protected]>

---------

Signed-off-by: Tyler Gillson <[email protected]>

* feat: implement addon create and delete reconcile on the hub

Signed-off-by: Artur Shad Nik <[email protected]>

* chore: address review comments

Signed-off-by: Artur Shad Nik <[email protected]>

* refactor: do all CMA purging at the end

Signed-off-by: Artur Shad Nik <[email protected]>

* chore: clarify comment

Signed-off-by: Artur Shad Nik <[email protected]>

* fix: update manager rbac

Signed-off-by: Artur Shad Nik <[email protected]>

* feat: use separate CM for each addon's manifests

Signed-off-by: Artur Shad Nik <[email protected]>

* chore: error wording

Signed-off-by: Artur Shad Nik <[email protected]>

* chore: try to delete all addons before returning errors

Signed-off-by: Artur Shad Nik <[email protected]>

* fix: move err return to prevent orphaning addon CRs

Signed-off-by: Artur Shad Nik <[email protected]>

* chore: parse URLs using lib; use different keys depending on manifest source

Signed-off-by: Artur Shad Nik <[email protected]>

* chore: make reviewable

Signed-off-by: Artur Shad Nik <[email protected]>

* chore: make reviewable

Signed-off-by: Artur Shad Nik <[email protected]>

* chore: add annotations and labels to CMs

Signed-off-by: Artur Shad Nik <[email protected]>

* feat: add addon manifest validation to fcc webhook

Signed-off-by: Artur Shad Nik <[email protected]>

* chore: readibility

Signed-off-by: Artur Shad Nik <[email protected]>

* fix: dont generate deepcopy methods for custom validator

Signed-off-by: Artur Shad Nik <[email protected]>

* fix: dont use pointer for addonconfig

Signed-off-by: Artur Shad Nik <[email protected]>

---------

Signed-off-by: Tyler Gillson <[email protected]>
Signed-off-by: Artur Shad Nik <[email protected]>
Co-authored-by: Tyler Gillson <[email protected]>

Author: arturshadnik

fleetconfig-controller/api/v1alpha1/constants.go

@@ -62,3 +62,18 @@ const (
 	// AWSIRSARegistrationDriver is the AWS IAM Role for Service Accounts (IRSA) registration driver.
 	AWSIRSARegistrationDriver = "awsirsa"
 )
+
+// Addon ConfigMap constants
+const (
+	// AddonConfigMapNamePrefix is the common name prefix for all configmaps containing addon configurations.
+	AddonConfigMapNamePrefix = "fleet-addon"
+
+	// AddonConfigMapManifestRawKey is the data key containing raw manifests.
+	AddonConfigMapManifestRawKey = "manifestsRaw"
+
+	// AddonConfigMapManifestRawKey is the data key containing a URL to download manifests.
+	AddonConfigMapManifestURLKey = "manifestsURL"
+)
+
+// AllowedAddonURLSchemes are the URL schemes which can be used to provide manifests for configuring addons.
+var AllowedAddonURLSchemes = []string{"http", "https"}

fleetconfig-controller/api/v1alpha1/fleetconfig_webhook.go

@@ -25,6 +25,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	operatorv1 "open-cluster-management.io/api/operator/v1"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
@@ -37,7 +38,7 @@ var log = logf.Log.WithName("fleetconfig-resource")
 func SetupFleetConfigWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).For(&FleetConfig{}).
 		WithDefaulter(&FleetConfigCustomDefaulter{}).
-		WithValidator(&FleetConfigCustomValidator{}).
+		WithValidator(&FleetConfigCustomValidator{client: mgr.GetClient()}).
 		Complete()
 }
 
@@ -69,20 +70,21 @@ func (d *FleetConfigCustomDefaulter) Default(_ context.Context, obj runtime.Obje
 // NOTE: The 'path' attribute must follow a specific pattern and should not be modified directly here.
 // Modifying the path for an invalid path can cause API server errors; failing to locate the webhook.
 // +kubebuilder:webhook:path=/validate-fleetconfig-open-cluster-management-io-v1alpha1-fleetconfig,mutating=false,failurePolicy=fail,sideEffects=None,groups=fleetconfig.open-cluster-management.io,resources=fleetconfigs,verbs=create;update;delete,versions=v1alpha1,name=vfleetconfig-v1alpha1.open-cluster-management.io,admissionReviewVersions=v1
+// +kubebuilder:object:generate=false
 
 // FleetConfigCustomValidator struct is responsible for validating the FleetConfig resource
 // when it is created, updated, or deleted.
 //
 // NOTE: The +kubebuilder:object:generate=false marker prevents controller-gen from generating DeepCopy methods,
 // as this struct is used only for temporary operations and does not need to be deeply copied.
 type FleetConfigCustomValidator struct {
-	// TODO(user): Add more fields as needed for validation
+	client client.Client
 }
 
 var _ webhook.CustomValidator = &FleetConfigCustomValidator{}
 
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type
-func (v *FleetConfigCustomValidator) ValidateCreate(_ context.Context, obj runtime.Object) (admission.Warnings, error) {
+func (v *FleetConfigCustomValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
 	fc, ok := obj.(*FleetConfig)
 	if !ok {
 		return nil, fmt.Errorf("expected a FleetConfig object but got %T", obj)
@@ -128,6 +130,8 @@ func (v *FleetConfigCustomValidator) ValidateCreate(_ context.Context, obj runti
 		}
 	}
 
+	allErrs = append(allErrs, validateAddonConfigs(ctx, v.client, fc)...)
+
 	if len(allErrs) > 0 {
 		return warnings, errors.NewInvalid(GroupKind, fc.Name, allErrs)
 	}
@@ -146,7 +150,7 @@ func isKubeconfigValid(kubeconfig Kubeconfig) (bool, string) {
 }
 
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
-func (v *FleetConfigCustomValidator) ValidateUpdate(_ context.Context, oldObj, newObj runtime.Object) (admission.Warnings, error) {
+func (v *FleetConfigCustomValidator) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) (admission.Warnings, error) {
 	fc, ok := newObj.(*FleetConfig)
 	if !ok {
 		return nil, fmt.Errorf("expected a FleetConfig object for the newObj but got %T", newObj)
@@ -162,6 +166,11 @@ func (v *FleetConfigCustomValidator) ValidateUpdate(_ context.Context, oldObj, n
 		return nil, err
 	}
 
+	errs := validateAddonConfigs(ctx, v.client, fc)
+	if len(errs) > 0 {
+		return nil, errors.NewInvalid(GroupKind, fc.Name, errs)
+	}
+
 	log.Info("validation for FleetConfig update allowed", "name", fc.GetName())
 	return nil, nil
 }

fleetconfig-controller/api/v1alpha1/validation.go

@@ -1,16 +1,26 @@
 package v1alpha1
 
 import (
+	"context"
 	"errors"
 	"fmt"
+	"net/url"
 	"reflect"
+	"slices"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 // allowFleetConfigUpdate validates the FleetConfig update object to determine if the update action is valid.
 // Only the following updates are allowed:
+//   - spec.addOnConfig
 //   - spec.registrationAuth.*
 //   - spec.hub.clusterManager.source.*
 //   - spec.spokes[*].klusterlet.source.*
+//   - spec.spokes[*].addOns
 func allowFleetConfigUpdate(newObject *FleetConfig, oldObject *FleetConfig) error {
 
 	// Hub check
@@ -55,3 +65,40 @@ func allowFleetConfigUpdate(newObject *FleetConfig, oldObject *FleetConfig) erro
 
 	return nil
 }
+
+func validateAddonConfigs(ctx context.Context, client client.Client, newObject *FleetConfig) field.ErrorList {
+	errs := field.ErrorList{}
+	for i, a := range newObject.Spec.AddOnConfigs {
+		cm := corev1.ConfigMap{}
+		cmName := fmt.Sprintf("%s-%s-%s", AddonConfigMapNamePrefix, a.Name, a.Version)
+		err := client.Get(ctx, types.NamespacedName{Name: cmName, Namespace: newObject.Namespace}, &cm)
+		if err != nil {
+			errs = append(errs, field.InternalError(field.NewPath("addOnConfigs").Index(i), err))
+		}
+		// Extract manifest configuration from ConfigMap
+		_, hasRaw := cm.Data[AddonConfigMapManifestRawKey]
+		manifestsURL, hasURL := cm.Data[AddonConfigMapManifestURLKey]
+
+		// Validate manifest configuration
+		if !hasRaw && !hasURL {
+			// return fmt.Errorf("no inline manifests or URL found for addon %s version %s", a.Name, a.Version)
+			errs = append(errs, field.Invalid(field.NewPath("addOnConfigs").Index(i), a.Name, fmt.Sprintf("no inline manifests or URL found for addon %s version %s", a.Name, a.Version)))
+		}
+		if hasRaw && hasURL {
+			errs = append(errs, field.Invalid(field.NewPath("addOnConfigs").Index(i), a.Name, fmt.Sprintf("only 1 of inline manifests or URL can be set for addon %s version %s", a.Name, a.Version)))
+		}
+
+		if hasURL {
+			url, err := url.Parse(manifestsURL)
+			if err != nil {
+				errs = append(errs, field.Invalid(field.NewPath("addOnConfigs").Index(i), a.Name, fmt.Sprintf("invalid URL '%s' for addon %s version %s. %v", manifestsURL, a.Name, a.Version, err.Error())))
+				continue
+			}
+			if !slices.Contains(AllowedAddonURLSchemes, url.Scheme) {
+				errs = append(errs, field.Invalid(field.NewPath("addOnConfigs").Index(i), a.Name, fmt.Sprintf("unsupported URL scheme %s for addon %s version %s. Must be one of %v", manifestsURL, a.Name, a.Version, AllowedAddonURLSchemes)))
+			}
+		}
+	}
+
+	return errs
+}

fleetconfig-controller/api/v1alpha1/zz_generated.deepcopy.go

@@ -1,17 +1,24 @@
-{{- if .Values.fleetConfig.addOns }}
-{{ $addOns := .Values.fleetConfig.addOns }}
+{{- if .Values.fleetConfig.addOnConfigs }}
+{{- $namespace := .Release.Namespace }}
+{{- range .Values.fleetConfig.addOnConfigs }}
+{{ $versionedName := printf "%s-%s" .name .version }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: fleet-add-ons
-  namespace: {{ .Release.Namespace }}
+  name: fleet-addon-{{ $versionedName }}
+  namespace: {{ $namespace }}
+  annotations:
+    {{- include "chart.annotations" . | nindent 4 }}
+    helm.sh/hook: pre-install,pre-upgrade
+  labels:
+  {{- include "chart.labels" . | nindent 4 }}
 data:
-  {{- range $addOns }}
-  {{- if or (hasPrefix "http://" .manifests) (hasPrefix "https://" .manifests) (hasPrefix "oci://" .manifests) }}
-  {{ .name }}: {{ .manifests }}
+  {{- if or (hasPrefix "http://" .manifests) (hasPrefix "https://" .manifests) }}
+  manifestsURL: {{ .manifests }}
   {{- else }}
-  {{ .name }}: |-
+  manifestsRaw: |-
     {{- .manifests | nindent 4 }}
   {{- end }}
-  {{- end }}
+---
+{{- end }}
 {{- end }}

fleetconfig-controller/charts/fleetconfig-controller/templates/ocm/add-ons.yaml

@@ -88,7 +88,7 @@ rules:
   resources:
   - "addondeploymentconfigs"
   - "addontemplates"
-  verbs: ["get", "list", "watch"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 - apiGroups: ["addon.open-cluster-management.io"]
   resources:
   - "clustermanagementaddons"

fleetconfig-controller/charts/fleetconfig-controller/templates/rbac/manager-rbac.yaml

@@ -9,6 +9,7 @@ require (
 	github.com/onsi/gomega v1.37.0
 	github.com/openshift/build-machinery-go v0.0.0-20250602125535-1b6d00b8c37c
 	github.com/openshift/imagebuilder v1.2.16
+	github.com/pkg/errors v0.9.1
 	k8s.io/api v0.33.1
 	k8s.io/apimachinery v0.33.1
 	k8s.io/client-go v0.33.1
@@ -76,7 +77,6 @@ require (
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/opencontainers/runtime-spec v1.2.0 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_golang v1.22.0 // indirect