feat: improve controller logic (#51)

* fix: update `PROJECT` file

* chore: remove kubebuilder markers

* feat: check if `Cluster` has profile `kind` configured

* fix: update sample files

* feat(controller): add logic to accessrequest controller

* fix(accessrequest): error handling

* chore(accessrequest): update sample file

* fix(accessrequest): improve error message

* feat(accessrequest): enhance create/update/delete logic

* chore: add TODO

* fix(feedback): introduce shared function to check if cluster-provider-kind is responsible to reconcile `Cluster` resource

* feat: release v0.0.7

Author: maximiliantech

PROJECT

@@ -10,10 +10,10 @@ repo: github.com/openmcp-project/cluster-provider-kind
 resources:
 - api:
     crdVersion: v1
-    namespaced: true
-  controller: true
+    namespaced: false
+  controller: false
   domain: kind.clusters.openmcp.cloud
-  kind: Cluster
+  kind: ProviderConfig
   path: github.com/openmcp-project/cluster-provider-kind/api/v1alpha1
   version: v1alpha1
 version: "3"

VERSION

@@ -1 +1 @@
-v0.0.6-dev
+v0.0.7

config/samples/v1alpha1_accessrequest.yaml

@@ -5,4 +5,5 @@ metadata:
 spec:
   clusterRef:
     name: one
-  rules: []
+    namespace: default
+  permissions: []

config/samples/v1alpha1_cluster.yaml

@@ -1,18 +1,24 @@
-apiVersion: kind.clusters.openmcp.cloud/v1alpha1
+apiVersion: clusters.openmcp.cloud/v1alpha1
 kind: Cluster
 metadata:
   name: one
-spec: {}
+spec:
+  profile: kind
+  tenancy: Exclusive
 ---
-apiVersion: kind.clusters.openmcp.cloud/v1alpha1
+apiVersion: clusters.openmcp.cloud/v1alpha1
 kind: Cluster
 metadata:
   name: two
-spec: {}
+spec:
+  profile: kind
+  tenancy: Exclusive
 ---
-apiVersion: kind.clusters.openmcp.cloud/v1alpha1
+apiVersion: clusters.openmcp.cloud/v1alpha1
 kind: Cluster
 metadata:
   name: three
   namespace: kube-system
-spec: {}
+spec:
+  profile: kind
+  tenancy: Exclusive

internal/controller/accessrequest_controller.go

@@ -19,6 +19,7 @@ package controller
 import (
 	"context"
 	"errors"
+	"fmt"
 
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -31,6 +32,7 @@ import (
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 
 	clustersv1alpha1 "github.com/openmcp-project/openmcp-operator/api/clusters/v1alpha1"
+	commonapi "github.com/openmcp-project/openmcp-operator/api/common"
 
 	"github.com/openmcp-project/cluster-provider-kind/pkg/kind"
 )
@@ -46,14 +48,12 @@ type AccessRequestReconciler struct {
 	Provider kind.Provider
 }
 
-// +kubebuilder:rbac:groups=kind.clusters.openmcp.cloud,resources=accessrequests,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=kind.clusters.openmcp.cloud,resources=accessrequests/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=kind.clusters.openmcp.cloud,resources=accessrequests/finalizers,verbs=update
-
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
 func (r *AccessRequestReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
-	_ = logf.FromContext(ctx)
+	log := logf.FromContext(ctx)
+	log.Info("Reconcile")
+	defer log.Info("Done")
 
 	ar := &clustersv1alpha1.AccessRequest{}
 	if err := r.Get(ctx, req.NamespacedName, ar); err != nil {
@@ -63,22 +63,47 @@ func (r *AccessRequestReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 		return ctrl.Result{}, err
 	}
 
+	ar.Status.Phase = clustersv1alpha1.AccessRequestPending
+
+	defer r.Status().Update(ctx, ar) //nolint:errcheck
+
 	clusterRef := types.NamespacedName{Name: ar.Spec.ClusterRef.Name, Namespace: ar.Namespace}
 	cluster := &clustersv1alpha1.Cluster{}
 	if err := r.Get(ctx, clusterRef, cluster); err != nil {
+		// TODO: report event or status condition?
 		return ctrl.Result{}, errors.Join(err, errFailedToGetReferencedCluster)
 	}
 
+	if !isClusterProviderResponsible(cluster) {
+		return ctrl.Result{}, fmt.Errorf("profile '%s' is not supported by kind controller", cluster.Spec.Profile)
+	}
+
+	// handle deletion
+	if !ar.DeletionTimestamp.IsZero() {
+		return r.handleDelete(ctx, ar)
+	}
+
+	return r.handleCreateOrUpdate(ctx, ar, cluster)
+}
+
+func (r *AccessRequestReconciler) handleCreateOrUpdate(ctx context.Context, ar *clustersv1alpha1.AccessRequest, cluster *clustersv1alpha1.Cluster) (ctrl.Result, error) {
+	if controllerutil.AddFinalizer(ar, Finalizer) {
+		if err := r.Update(ctx, ar); err != nil {
+			return ctrl.Result{}, err
+		}
+	}
+
 	name := kindName(cluster)
 	kubeconfigStr, err := r.Provider.KubeConfig(name)
 	if err != nil {
 		return ctrl.Result{}, err
 	}
 
+	s := getSecretNamespacedName(ar)
 	secret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      ar.Name + ".kubeconfig",
-			Namespace: ar.Namespace,
+			Name:      s.Name,
+			Namespace: s.Namespace,
 		},
 	}
 	_, err = controllerutil.CreateOrUpdate(ctx, r.Client, secret, func() error {
@@ -89,11 +114,35 @@ func (r *AccessRequestReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 		}
 		secret.Data["kubeconfig"] = []byte(kubeconfigStr)
 		return controllerutil.SetOwnerReference(ar, secret, r.Scheme)
-
-		// TODO: write kubeconfig to secret and reference secret in status of AccessRequest resource
-		// ignore clusterrequest ref
 	})
-	return ctrl.Result{}, err
+
+	if err != nil {
+		return ctrl.Result{}, fmt.Errorf("failed to create or update secret for access request %q/%q: %w", ar.Namespace, ar.Name, err)
+	}
+
+	ar.Status.Phase = clustersv1alpha1.AccessRequestGranted
+	ar.Status.SecretRef = &commonapi.ObjectReference{
+		Name:      secret.Name,
+		Namespace: secret.Namespace,
+	}
+
+	return ctrl.Result{}, nil
+}
+
+func (r *AccessRequestReconciler) handleDelete(ctx context.Context, ar *clustersv1alpha1.AccessRequest) (ctrl.Result, error) {
+	// remove finalizer - Secret will automatically get deleted because of OwnerReference
+	controllerutil.RemoveFinalizer(ar, Finalizer)
+	if err := r.Update(ctx, ar); err != nil {
+		return ctrl.Result{}, err
+	}
+	return ctrl.Result{}, nil
+}
+
+func getSecretNamespacedName(ar *clustersv1alpha1.AccessRequest) types.NamespacedName {
+	return types.NamespacedName{
+		Name:      ar.Name + ".kubeconfig",
+		Namespace: ar.Namespace,
+	}
 }
 
 // SetupWithManager sets up the controller with the Manager.

internal/controller/cluster_controller.go

@@ -43,6 +43,10 @@ var (
 	Finalizer = clustersv1alpha1.GroupVersion.Group + "/finalizer"
 )
 
+const (
+	profileKind = "kind"
+)
+
 // ClusterReconciler reconciles a Cluster object
 type ClusterReconciler struct {
 	client.Client
@@ -51,10 +55,6 @@ type ClusterReconciler struct {
 	Provider     kind.Provider
 }
 
-// +kubebuilder:rbac:groups=kind.clusters.openmcp.cloud,resources=clusters,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=kind.clusters.openmcp.cloud,resources=clusters/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=kind.clusters.openmcp.cloud,resources=clusters/finalizers,verbs=update
-
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
 func (r *ClusterReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
@@ -71,9 +71,12 @@ func (r *ClusterReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ct
 	}
 
 	// Always try to update the status
-	// FIXME: error handling at the end?
 	defer r.Status().Update(ctx, cluster) //nolint:errcheck
 
+	if !isClusterProviderResponsible(cluster) {
+		return ctrl.Result{}, fmt.Errorf("profile '%s' is not supported by kind controller", cluster.Spec.Profile)
+	}
+
 	ctx = smartrequeue.NewContext(ctx, r.RequeueStore.For(cluster))
 
 	if !cluster.DeletionTimestamp.IsZero() {
@@ -231,3 +234,7 @@ func namespaceOrDefault(namespace string) string {
 	}
 	return namespace
 }
+
+func isClusterProviderResponsible(cluster *clustersv1alpha1.Cluster) bool {
+	return cluster.Spec.Profile == profileKind
+}