
Epic: ManagedControlPlaneTemplate PlatformService #265

@n3rdc4ptn

Description


Understand the Epic

Implement a robust Kubernetes backend where a specialized ManagedControlPlaneTemplate PlatformService dynamically creates new, "flavor-specific" Custom Resource Definitions (CRDs) based on ManagedControlPlaneTemplate resources.
These templates can be defined by Platform Administrators for global use or by Platform Users for use within their specific namespaces. This enables both administrators and users to define and consume highly customized Managed Control Planes (MCPs), complete with IAM, Crossplane, and other essential Service Providers, through a governed, API-driven templating mechanism.

User Stories or tasks

  • As a Platform Administrator, I want to define a cluster-scoped ManagedControlPlaneTemplate CR specifying global policies for naming, IAM, Crossplane versions/providers, and other Service Providers.
  • As a Platform User, I want to define a namespace-scoped ManagedControlPlaneTemplate CR within my project namespace, specifying policies relevant to my team's MCP provisioning needs.
  • The ManagedControlPlaneTemplate PlatformService must:
    • Monitor for both cluster-scoped and namespace-scoped ManagedControlPlaneTemplate CRs.
    • Dynamically generate and register a new, dedicated Custom Resource Definition (CRD) in Kubernetes for each approved template (either cluster-scoped or namespace-scoped, matching the template's scope). This new CRD will define the API for creating instances of that specific template.
    • Act as the controller for instances of these dynamically generated CRDs, reconciling them into actual ManagedControlPlane resources, configuring IAM, and installing specified Service Providers according to the template's policies and scope.
  • As a Customer (or via the UI), once a template is active, I want to create an instance of its corresponding dynamically generated CR (e.g., a DevSandboxManagedControlPlane resource) in the appropriate namespace, providing only the necessary instance-specific details, and have the PlatformService provision a fully configured MCP according to the template's rules.

What is required to accept the Epic as finished:

  • MCPTemplate PlatformService is created
  • Operator & User Documentation for interacting with the MCPTemplates exists

Scope:

  • ManagedControlPlaneTemplate CRD Definition: Define the primary CRD that captures the comprehensive policy configuration. This CRD must support being deployed as either:
    • Cluster-scoped resource: For templates defined by Platform Administrators for global consumption.
    • Namespace-scoped resource: For templates defined by Platform Users for use within their specific namespace.
    The CRD will include fields for:
    • metadata: name (of the template), namespace, templateVersion, templateEngineVersion, descriptionText.
    • spec.namingPolicy: Defines prefix and suffix for generated MCP instance names.
    • spec.chargingTarget: Defines type (optional/enforced) and value.
    • spec.userPolicies:
      • defaultUsers: List of users (email, kind, namespace, role) with a removable boolean flag.
      • allowAdditionalUsers: Boolean to permit instance creators to add more users.
    • spec.serviceProviderConfig:
      • crossplane: enforcedVersion, allowedVersions, deniedVersions for Crossplane itself, and providers (forced, allowed, denied with removable and versionChangeable flags).
      • additionalServiceProviders: Lists forced, allowed, denied other Service Providers with removable and versionChangeable flags.
  • ClusterManagedControlPlaneTemplate CRD Definition: Another CRD with the same fields as the normal ManagedControlPlaneTemplate, but cluster-scoped. When such a template is created, the resulting resource can be created anywhere in the cluster.
  • PlatformService (Operator) Core Logic: Develop the Kubernetes operator that implements the following backend functions:
    • Template Reconciliation & Dynamic CRD Generation: The operator will monitor for ManagedControlPlaneTemplate CRs (both cluster-scoped and namespace-scoped). Upon creation or update, the operator will:
      • Validate the template definition.
      • Dynamically generate and register a new Custom Resource Definition (CRD) in the Kubernetes API server.
        • If the source ManagedControlPlaneTemplate is cluster-scoped, the generated CRD will also be cluster-scoped.
        • If the source ManagedControlPlaneTemplate is namespace-scoped, the generated CRD will be namespace-scoped (and its instances can only be created in the same namespace as the template).
      • The kind of this generated CRD will be derived from the ManagedControlPlaneTemplate's name (e.g., MyDevTemplateManagedControlPlane).
      • The schema of this generated CRD will expose parameters controllable by the end-user, while implicitly enforcing template-defined policies and defaults.
    • Instance Reconciliation (for generated CRDs): The operator will act as the controller for instances of these dynamically generated CRDs. For each instance, the operator will:
      • Validate user-provided inputs against the generated CRD's schema and the original ManagedControlPlaneTemplate's policies.
      • Orchestrate the creation of the underlying ManagedControlPlane resource (applying name prefixes/suffixes).
      • Apply IAM configurations (default users, and any allowed additional users).
      • Install and configure specified Service Providers (including versioning).
    • RBAC for Templates and Instances: Implement Kubernetes Role-Based Access Control (RBAC) to ensure:
      • Platform Administrators can create/manage cluster-scoped ManagedControlPlaneTemplates.
      • Platform Users can create/manage namespace-scoped ManagedControlPlaneTemplates in their authorized namespaces.
      • Users can create instances of generated CRDs in namespaces appropriate to the template's scope.
    • Status Reporting: The operator will provide comprehensive status updates on the generated CRD instances (e.g., provisioning progress, errors, deployed versions) via their .status fields.
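The template policies and the instance checks described in the scope above, as an added Go example that is not part of this epic or of the project's code. It models the template fields as plain structs rather than generated CRD types, derives the generated kind from the template name by an assumed rule (separator-delimited words capitalised, then ManagedControlPlane appended), leaves out the provider-level removable and versionChangeable flags, and applies the scope, default-user, Crossplane-version and provider checks a reconciler or validating webhook would run before creating the underlying ManagedControlPlane. The template and the two instances are constructed sample data.

```go
package main

import (
	"fmt"
	"slices"
	"strings"
)

// ProviderPolicy is a simplified spec.serviceProviderConfig.crossplane.providers (removable/versionChangeable flags omitted).
type ProviderPolicy struct{ Forced, Allowed, Denied []string }

// Template is the subset of a ManagedControlPlaneTemplate spec this example needs (plain structs, not the real CRD types).
type Template struct {
	Name, Namespace                     string
	Namespaced                          bool            // false means a cluster-scoped template
	NamePrefix, NameSuffix              string          // spec.namingPolicy
	DefaultUsers                        map[string]bool // spec.userPolicies.defaultUsers: email -> removable
	AllowAdditionalUsers                bool
	CrossplaneEnforced                  string   // crossplane.enforcedVersion ("" = not enforced)
	CrossplaneAllowed, CrossplaneDenied []string // crossplane.allowedVersions / deniedVersions
	Providers                           ProviderPolicy
}

// Instance is what an end user submits through the generated CRD.
type Instance struct {
	Name, Namespace               string
	RemovedUsers, AdditionalUsers []string
	CrossplaneVersion             string
	Providers                     []string
}

// GeneratedKind derives the generated CRD's kind from the template name, e.g. "dev-sandbox" -> "DevSandboxManagedControlPlane" (assumed rule, ASCII names).
func GeneratedKind(templateName string) string {
	kind := ""
	for _, part := range strings.FieldsFunc(templateName, func(r rune) bool { return r == '-' || r == '.' }) {
		kind += strings.ToUpper(part[:1]) + part[1:]
	}
	return kind + "ManagedControlPlane"
}

// MCPName applies spec.namingPolicy (prefix and suffix) to the instance name.
func MCPName(t Template, instanceName string) string { return t.NamePrefix + instanceName + t.NameSuffix }

// Validate checks an instance against the template's scope and policies; one message per violation, empty means admissible.
func Validate(t Template, in Instance) []string {
	var errs []string
	if t.Namespaced && in.Namespace != t.Namespace {
		errs = append(errs, "instance must be created in template namespace "+t.Namespace)
	}
	for _, e := range in.RemovedUsers { // only removable default users may be dropped
		if removable, ok := t.DefaultUsers[e]; !ok || !removable {
			errs = append(errs, "default user cannot be removed: "+e)
		}
	}
	if !t.AllowAdditionalUsers {
		for _, e := range in.AdditionalUsers {
			errs = append(errs, "template does not allow additional users: "+e)
		}
	}
	v := in.CrossplaneVersion // enforcedVersion wins, then deniedVersions, then allowedVersions
	switch {
	case t.CrossplaneEnforced != "" && v != "" && v != t.CrossplaneEnforced:
		errs = append(errs, "crossplane version is enforced to "+t.CrossplaneEnforced)
	case slices.Contains(t.CrossplaneDenied, v):
		errs = append(errs, "crossplane version denied: "+v)
	case v != "" && len(t.CrossplaneAllowed) > 0 && !slices.Contains(t.CrossplaneAllowed, v):
		errs = append(errs, "crossplane version not in allowedVersions: "+v)
	}
	for _, p := range t.Providers.Forced {
		if !slices.Contains(in.Providers, p) {
			errs = append(errs, "forced provider missing: "+p)
		}
	}
	for _, p := range in.Providers {
		if slices.Contains(t.Providers.Denied, p) {
			errs = append(errs, "provider denied: "+p)
		} else if len(t.Providers.Allowed) > 0 && !slices.Contains(t.Providers.Allowed, p) && !slices.Contains(t.Providers.Forced, p) {
			errs = append(errs, "provider not allowed: "+p)
		}
	}
	return errs
}

// SampleTemplate, GoodInstance and BadInstance are constructed test data, not project resources.
func SampleTemplate() Template {
	return Template{Name: "dev-sandbox", Namespace: "team-a", Namespaced: true, NamePrefix: "dev-", NameSuffix: "-mcp",
		DefaultUsers:      map[string]bool{"alice@example.com": false, "bob@example.com": true},
		CrossplaneAllowed: []string{"1.15", "1.16"}, CrossplaneDenied: []string{"1.14"},
		Providers:         ProviderPolicy{Forced: []string{"provider-kubernetes"}, Allowed: []string{"provider-helm"}, Denied: []string{"provider-aws"}}}
}
func GoodInstance() Instance {
	return Instance{Name: "sandbox1", Namespace: "team-a", RemovedUsers: []string{"bob@example.com"},
		CrossplaneVersion: "1.16", Providers: []string{"provider-kubernetes", "provider-helm"}}
}
func BadInstance() Instance { // breaks each policy once
	return Instance{Name: "sandbox2", Namespace: "team-b", RemovedUsers: []string{"alice@example.com"},
		AdditionalUsers: []string{"carol@example.com"}, CrossplaneVersion: "1.14", Providers: []string{"provider-aws"}}
}

func main() {
	fmt.Println(GeneratedKind("dev-sandbox"), MCPName(SampleTemplate(), "sandbox1"), Validate(SampleTemplate(), BadInstance()))
}
```

Run with `go run`: the good instance passes cleanly, while the bad instance produces six violations, one per policy, which is the kind of message a rejection from a validating webhook or a `.status` condition on the generated CRD instance would carry. Keeping every check in one function that returns all violations at once, rather than failing on the first, matters for the status-reporting requirement: the user sees everything to fix in a single reconcile.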

Out of Scope (for this Epic):

  • User Interface (UI) for Template Management & Instance Creation: This Epic strictly focuses on the Kubernetes backend implementation. The UI for defining ManagedControlPlaneTemplate resources, browsing available dynamically generated CRDs, and creating instances of these generated CRDs (e.g., a "New MCP" wizard with template selection, prefilling, validation, etc.) is tracked separately in:
  • Advanced UI-specific template functionalities like validationRegex or validationMessage for names/display names, authentication system definitions (unless explicitly decided as backend responsibility later), or granular allow/disallow by prefix/suffix for users/components – these are assumed to be handled at the API schema definition level within the backend scope.
  • Complex, arbitrary scripting or advanced conditional logic within templates beyond the defined policy types.
  • Automatic remediation of existing MCPs that fall out of compliance with a template after it has been updated.

Dependencies of this Epic

  • Stable and well-defined ManagedControlPlane CRD and its controller.
  • Existing Service Providers, their CRDs.
  • Robust IAM integration for user/group/permission management.
  • Kubernetes API server availability, including dynamic admission controllers (Mutating/Validating Webhooks) for CRD validation.
  • Controller-runtime or similar operator framework for building the PlatformService.

Assumptions:

  • Platform Administrators will define cluster-scoped ManagedControlPlaneTemplate resources via YAML manifests or a basic CLI.
  • Platform Users will define namespace-scoped ManagedControlPlaneTemplate resources via YAML manifests or a basic CLI.
  • Customers (or the UI, which leverages this backend) will interact with the dynamically generated Custom Resources (e.g., MyDevTemplateManagedControlPlane instances) via YAML manifests or a basic CLI for this backend Epic's scope.
  • The underlying infrastructure for creating ManagedControlPlane and installing various Service Providers is reliable and can handle version constraints.

Labels

  • area/mcp-ui: All ManagedControlPlane UI related issues
  • area/open-mcp: All ManagedControlPlane related issues
  • kind/epic: Epic covers multiple issues/tasks
  • needs/validation: Verify Issue and Prio with PO