feat: add deploy-eso command, read eso resources from ocm root component, deploy OCIRepositories for image and chart, deploy HelmRelease, add tests.

On-behalf-of: Radek Schekalla (SAP) <[email protected]>
Signed-off-by: Radek Schekalla (SAP) <[email protected]>

Author: rdksap

cmd/deploy_eso.go

@@ -0,0 +1,49 @@
+package cmd
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+
+	cfg "github.com/openmcp-project/bootstrapper/internal/config"
+
+	esodeployer "github.com/openmcp-project/bootstrapper/internal/eso-deployer"
+	logging "github.com/openmcp-project/bootstrapper/internal/log"
+	"github.com/openmcp-project/bootstrapper/internal/scheme"
+	"github.com/openmcp-project/bootstrapper/internal/util"
+)
+
+// deployEsoCmd represents the deploy-eso command
+var deployEsoCmd = &cobra.Command{
+	Use:   "deploy-eso",
+	Short: "Deploys External Secrets Operator controllers on the target cluster",
+	Long:  "Deploys External Secrets Operator controllers on the target cluster",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		configFilePath := args[0]
+		config := &cfg.BootstrapperConfig{}
+		err := config.ReadFromFile(configFilePath)
+		if err != nil {
+			return fmt.Errorf("failed to read config file: %w", err)
+		}
+		log := logging.GetLogger()
+		log.Info("Starting deployment of external secrets operator controllers.")
+
+		targetCluster, err := util.GetCluster(cmd.Flag(FlagKubeConfig).Value.String(), "target-cluster", scheme.NewFluxScheme())
+		if err != nil {
+			return fmt.Errorf("failed to get platform cluster: %w", err)
+		}
+
+		if err = esodeployer.NewEsoDeployer(config, cmd.Flag(FlagOcmConfig).Value.String(), targetCluster, log).Deploy(cmd.Context()); err != nil {
+			return fmt.Errorf("failed deploying eso: %w", err)
+		}
+
+		return nil
+	},
+}
+
+func init() {
+	RootCmd.AddCommand(deployEsoCmd)
+	deployEsoCmd.Flags().SortFlags = false
+	deployEsoCmd.Flags().String(FlagOcmConfig, "", "OCM configuration file")
+	deployEsoCmd.Flags().String(FlagKubeConfig, "", "Kubernetes configuration file")
+}

go.mod

@@ -1,10 +1,12 @@
 module github.com/openmcp-project/bootstrapper
 
-go 1.25.3
+go 1.25.1
 
 require (
 	github.com/Masterminds/sprig/v3 v3.3.0
+	github.com/fluxcd/helm-controller/api v1.4.2
 	github.com/fluxcd/kustomize-controller/api v1.7.1
+	github.com/fluxcd/source-controller/api v1.7.2
 	github.com/go-git/go-billy/v5 v5.6.2
 	github.com/go-git/go-git/v5 v5.16.3
 	github.com/go-logr/logr v1.4.3
@@ -13,6 +15,7 @@ require (
 	github.com/spf13/cobra v1.10.1
 	github.com/stretchr/testify v1.11.1
 	k8s.io/api v0.34.1
+	k8s.io/apiextensions-apiserver v0.34.1
 	k8s.io/apimachinery v0.34.1
 	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
 	sigs.k8s.io/controller-runtime v0.22.3
@@ -36,6 +39,7 @@ require (
 	github.com/emicklei/go-restful/v3 v3.13.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
+	github.com/fluxcd/pkg/apis/acl v0.9.0 // indirect
 	github.com/fluxcd/pkg/apis/kustomize v1.13.0 // indirect
 	github.com/fluxcd/pkg/apis/meta v1.22.0 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
@@ -94,7 +98,6 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.34.1 // indirect
 	k8s.io/client-go v0.34.1 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20250814151709-d7b6acb124c3 // indirect

go.sum

@@ -40,12 +40,18 @@ github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH
 github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU=
 github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM=
+github.com/fluxcd/helm-controller/api v1.4.2 h1:2+D3kX3UJhYlr+1rzOkQ/YbIQ96R/olmdfjaYS+okNg=
+github.com/fluxcd/helm-controller/api v1.4.2/go.mod h1:0XrBhKEaqvxyDj/FziG1Q8Fmx2UATdaqLgYqmZh6wW4=
 github.com/fluxcd/kustomize-controller/api v1.7.1 h1:wFevRoziJcQEcJtNL2/NrQfAA1lrrOnFSmFIZrBBfBc=
 github.com/fluxcd/kustomize-controller/api v1.7.1/go.mod h1:77OSly9kxQli7Nmcln0OqZDjVpRMc6eLKED0CiJHYz8=
+github.com/fluxcd/pkg/apis/acl v0.9.0 h1:wBpgsKT+jcyZEcM//OmZr9RiF8klL3ebrDp2u2ThsnA=
+github.com/fluxcd/pkg/apis/acl v0.9.0/go.mod h1:TttNS+gocsGLwnvmgVi3/Yscwqrjc17+vhgYfqkfrV4=
 github.com/fluxcd/pkg/apis/kustomize v1.13.0 h1:GGf0UBVRIku+gebY944icVeEIhyg1P/KE3IrhOyJJnE=
 github.com/fluxcd/pkg/apis/kustomize v1.13.0/go.mod h1:TLKVqbtnzkhDuhWnAsN35977HvRfIjs+lgMuNro/LEc=
 github.com/fluxcd/pkg/apis/meta v1.22.0 h1:EHWQH5ZWml7i8eZ/AMjm1jxid3j/PQ31p+hIwCt6crM=
 github.com/fluxcd/pkg/apis/meta v1.22.0/go.mod h1:Kc1+bWe5p0doROzuV9XiTfV/oL3ddsemYXt8ZYWdVVg=
+github.com/fluxcd/source-controller/api v1.7.2 h1:/lg/xoyRjxwdhHKqjTxQS2o1cp+DMKJ8W4rpm+ZLemQ=
+github.com/fluxcd/source-controller/api v1.7.2/go.mod h1:2JtCeUVpl0aqKImS19jUz9EEnMdzgqNWHkllrIhV004=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=

internal/flux_deployer/component_manager.go renamed to internal/component/component_manager.go

@@ -1,4 +1,4 @@
-package flux_deployer
+package component
 
 import (
 	"context"
@@ -9,7 +9,7 @@ import (
 
 // ComponentManager bundles the OCM logic required by the FluxDeployer.
 type ComponentManager interface {
-	GetComponentWithImageResources(ctx context.Context) (*ocm_cli.ComponentVersion, error)
+	GetComponentWithImageResources(ctx context.Context, resourceName string) (*ocm_cli.ComponentVersion, error)
 	DownloadTemplatesResource(ctx context.Context, downloadDir string) error
 }
 
@@ -35,8 +35,8 @@ func NewComponentManager(ctx context.Context, config *cfg.BootstrapperConfig, oc
 	return m, nil
 }
 
-func (m *ComponentManagerImpl) GetComponentWithImageResources(ctx context.Context) (*ocm_cli.ComponentVersion, error) {
-	return m.ComponentGetter.GetComponentVersionForResourceRecursive(ctx, m.ComponentGetter.RootComponentVersion(), FluxCDSourceControllerResourceName)
+func (m *ComponentManagerImpl) GetComponentWithImageResources(ctx context.Context, resourceName string) (*ocm_cli.ComponentVersion, error) {
+	return m.ComponentGetter.GetComponentVersionForResourceRecursive(ctx, m.ComponentGetter.RootComponentVersion(), resourceName)
 }
 
 func (m *ComponentManagerImpl) DownloadTemplatesResource(ctx context.Context, downloadDir string) error {

internal/flux_deployer/component_manager_test.go renamed to internal/component/component_manager_mock.go

@@ -1,4 +1,4 @@
-package flux_deployer_test
+package component
 
 import (
 	"context"
@@ -7,7 +7,6 @@ import (
 
 	"sigs.k8s.io/yaml"
 
-	"github.com/openmcp-project/bootstrapper/internal/flux_deployer"
 	ocmcli "github.com/openmcp-project/bootstrapper/internal/ocm-cli"
 	"github.com/openmcp-project/bootstrapper/internal/util"
 )
@@ -18,13 +17,13 @@ type MockComponentManager struct {
 	TemplatesPath string
 }
 
-var _ flux_deployer.ComponentManager = (*MockComponentManager)(nil)
+var _ ComponentManager = (*MockComponentManager)(nil)
 
-func (m MockComponentManager) GetComponentWithImageResources(_ context.Context) (*ocmcli.ComponentVersion, error) {
+func (m MockComponentManager) GetComponentWithImageResources(_ context.Context, _ string) (*ocmcli.ComponentVersion, error) {
 	return loadComponentVersion(m.ComponentPath)
 }
 
-func (m MockComponentManager) DownloadTemplatesResource(ctx context.Context, downloadDir string) error {
+func (m MockComponentManager) DownloadTemplatesResource(_ context.Context, downloadDir string) error {
 	return util.CopyDir(m.TemplatesPath, downloadDir)
 }
 

internal/deployment-repo/deploymentRepoManager.go

@@ -599,7 +599,7 @@ func (m *DeploymentRepoManager) RunKustomizeAndApply(ctx context.Context) error
 	for _, manifest := range manifests {
 		if manifest.GetKind() == "Kustomization" && strings.Contains(manifest.GetAPIVersion(), "kustomize.toolkit.fluxcd.io") {
 			logger.Infof("Applying Kustomization manifest: %s/%s", manifest.GetNamespace(), manifest.GetName())
-			err = util.ApplyUnstructuredObject(ctx, m.TargetCluster, manifest)
+			err = util.CreateOrUpdate(ctx, m.TargetCluster, manifest)
 			if err != nil {
 				return fmt.Errorf("failed to apply Kustomization manifest %s/%s: %w", manifest.GetNamespace(), manifest.GetName(), err)
 			}

internal/eso-deployer/constants.go

@@ -0,0 +1,8 @@
+package eso_deployer
+
+const (
+	esoNamespace       = "external-secrets-system"
+	esoImageRepoName   = "external-secrets-image"
+	esoChartRepoName   = "external-secrets-chart"
+	esoHelmReleaseName = "external-secrets-operator"
+)

internal/eso-deployer/deployer.go

@@ -0,0 +1,146 @@
+package eso_deployer
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"time"
+
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	"github.com/openmcp-project/controller-utils/pkg/clusters"
+	"github.com/sirupsen/logrus"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	ocmcli "github.com/openmcp-project/bootstrapper/internal/ocm-cli"
+
+	"github.com/openmcp-project/bootstrapper/internal/component"
+	cfg "github.com/openmcp-project/bootstrapper/internal/config"
+
+	"github.com/openmcp-project/bootstrapper/internal/flux_deployer"
+	"github.com/openmcp-project/bootstrapper/internal/util"
+
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+)
+
+type EsoDeployer struct {
+	Config *cfg.BootstrapperConfig
+
+	// OcmConfigPath is the path to the OCM configuration file
+	OcmConfigPath string
+
+	platformCluster *clusters.Cluster
+	log             *logrus.Logger
+}
+
+func NewEsoDeployer(config *cfg.BootstrapperConfig, ocmConfigPath string, platformCluster *clusters.Cluster, log *logrus.Logger) *EsoDeployer {
+	return &EsoDeployer{
+		Config:          config,
+		OcmConfigPath:   ocmConfigPath,
+		platformCluster: platformCluster,
+		log:             log,
+	}
+}
+
+func (d *EsoDeployer) Deploy(ctx context.Context) error {
+	componentManager, err := component.NewComponentManager(ctx, d.Config, d.OcmConfigPath)
+	if err != nil {
+		return fmt.Errorf("error creating component manager: %w", err)
+	}
+
+	return d.DeployWithComponentManager(ctx, componentManager)
+}
+
+func (d *EsoDeployer) DeployWithComponentManager(ctx context.Context, componentManager component.ComponentManager) error {
+	d.log.Info("Getting OCM component containing ESO resources.")
+	esoComponent, err := componentManager.GetComponentWithImageResources(ctx, "external-secrets-operator-image")
+	if err != nil {
+		return fmt.Errorf("failed to get external-secrets-operator-image component: %w", err)
+	}
+
+	esoChartRes, err := esoComponent.GetResource("external-secrets-operator-chart")
+	if err != nil {
+		return fmt.Errorf("failed to get external-secrets-operator-chart resource: %w", err)
+	}
+	d.log.Info("Deploying OCIRepo for ESO chart.")
+	if err = deployRepo(ctx, d, esoChartRes, esoChartRepoName); err != nil {
+		return fmt.Errorf("failed to create helm chart repo: %w", err)
+	}
+
+	esoImageRes, err := esoComponent.GetResource("external-secrets-operator-image")
+	if err != nil {
+		return fmt.Errorf("failed to get external-secrets-operator-image resource: %w", err)
+	}
+	d.log.Info("Deploying OCIRepo for ESO image.")
+	if err = deployRepo(ctx, d, esoImageRes, esoImageRepoName); err != nil {
+		return fmt.Errorf("failed to create helm image repo: %w", err)
+	}
+
+	d.log.Info("Deploying HelmRelease for ESO.")
+	if err = deployHelmRelease(ctx, d, esoImageRes); err != nil {
+		return fmt.Errorf("failed to deploy helm release: %w", err)
+	}
+
+	d.log.Info("Done.")
+	return nil
+}
+
+func deployHelmRelease(ctx context.Context, d *EsoDeployer, res *ocmcli.Resource) error {
+	name, _, _, err := util.ParseImageVersionAndTag(*res.Access.ImageReference)
+	if err != nil {
+		return fmt.Errorf("failed to parse image resource: %w", err)
+	}
+
+	values := map[string]any{
+		"image": map[string]any{"repository": name},
+	}
+	encoded, err := json.Marshal(values)
+	if err != nil {
+		return fmt.Errorf("failed to marshal ESO Helm values: %w", err)
+	}
+	jsonVals := &apiextensionsv1.JSON{Raw: encoded}
+
+	helmRelease := &helmv2.HelmRelease{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      esoHelmReleaseName,
+			Namespace: flux_deployer.FluxSystemNamespace,
+		},
+		Spec: helmv2.HelmReleaseSpec{
+			ChartRef: &helmv2.CrossNamespaceSourceReference{
+				Kind:      "OCIRepository",
+				Name:      esoChartRepoName,
+				Namespace: flux_deployer.FluxSystemNamespace,
+			},
+			ReleaseName:     "eso",
+			TargetNamespace: esoNamespace,
+			Install: &helmv2.Install{
+				CreateNamespace: true,
+			},
+			Values: jsonVals,
+		},
+	}
+	return util.CreateOrUpdate(ctx, d.platformCluster, helmRelease)
+}
+
+func deployRepo(ctx context.Context, d *EsoDeployer, res *ocmcli.Resource, repoName string) error {
+	imageName, tag, digest, err := util.ParseImageVersionAndTag(*res.Access.ImageReference)
+	if err != nil {
+		return err
+	}
+
+	ociRepo := &sourcev1.OCIRepository{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      repoName,
+			Namespace: flux_deployer.FluxSystemNamespace,
+		},
+		Spec: sourcev1.OCIRepositorySpec{
+			URL: fmt.Sprintf("oci://%s", imageName),
+			Reference: &sourcev1.OCIRepositoryRef{
+				Tag:    tag,
+				Digest: digest,
+			},
+			Timeout: &metav1.Duration{Duration: 1 * time.Minute},
+		},
+	}
+	return util.CreateOrUpdate(ctx, d.platformCluster, ociRepo)
+}