feat: add Landscaper v2 bridge (#115)

* implement landscaper v2 bridge

* add tests for landscaper v2 bridge logic

* fix bug

* fix missing scheme

* add landscaper architecture config to helm chart

* improve debuggability

* fix docs and apiserver key

* fix rbac

Author: Diaphteiros

api/constants/conditions.go

@@ -9,4 +9,7 @@ const (
 	ConditionAccessRequestGranted  = "AccessRequestGranted"
 	ConditionAccessRequestDeleted  = "AccessRequestDeleted"
 	ConditionClusterRequestDeleted = "ClusterRequestDeleted"
+
+	ConditionLandscaperV2ResourceCreatedOrUpdated = "LandscaperV2ResourceCreatedOrUpdated"
+	ConditionLandscaperV2ResourceDeleted          = "LandscaperV2ResourceDeleted"
 )

charts/mcp-operator/templates/configmap-mcp-operator-config.yaml

@@ -14,7 +14,11 @@ data:
       {{- .Values.architecture.immutability | toYaml | nindent 8 }}
       {{- end }}
       {{- if and .Values.apiserver .Values.apiserver.architecture }}
-      apiserver:
+      apiServer:
         version: {{ .Values.apiserver.architecture.version | default "v1" }}
         allowOverride: {{ .Values.apiserver.architecture.allowOverride | default false }}
       {{- end }}
+      landscaper:
+        version: {{ .Values.landscaper.architecture.version | default "v1" }}
+        allowOverride: {{ .Values.landscaper.architecture.allowOverride | default false }}
+      {{- end }}

charts/mcp-operator/templates/rbac.yaml

@@ -116,6 +116,43 @@ roleRef:
   name: {{ include "mcp-operator.landscaper.clusterrole" . }}
   apiGroup: rbac.authorization.k8s.io
 ---
+apiVersion: {{ include "rbacversion" . }}
+kind: ClusterRole
+metadata:
+  name: {{ include "mcp-operator.v2bridge.clusterrole" . }}
+  labels:
+    {{- include "mcp-operator.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - clusters.openmcp.cloud
+  resources:
+  - "*"
+  verbs:
+  - "*"
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+---
+kind: ClusterRoleBinding
+apiVersion: {{ include "rbacversion" . }}
+metadata:
+  name: {{ include "mcp-operator.v2bridge.clusterrole" . }}
+  labels:
+    {{- include "mcp-operator.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+  name: mcp-operator
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "mcp-operator.v2bridge.clusterrole" . }}
+  apiGroup: rbac.authorization.k8s.io
+---
 {{- end }}
 {{- end }}
 {{- if has "cloudorchestrator" ( include "mcp-operator.activeControllers" .Values | fromYamlArray ) }}
@@ -181,32 +218,3 @@ subjects:
   namespace: {{ .Release.Namespace }}
 ---
 {{- end }}
-apiVersion: {{ include "rbacversion" . }}
-kind: ClusterRole
-metadata:
-  name: {{ include "mcp-operator.v2bridge.clusterrole" . }}
-  labels:
-    {{- include "mcp-operator.labels" . | nindent 4 }}
-rules:
-- apiGroups:
-  - clusters.openmcp.cloud
-  resources:
-  - "*"
-  verbs:
-  - "*"
----
-kind: ClusterRoleBinding
-apiVersion: {{ include "rbacversion" . }}
-metadata:
-  name: {{ include "mcp-operator.v2bridge.clusterrole" . }}
-  labels:
-    {{- include "mcp-operator.labels" . | nindent 4 }}
-subjects:
-- kind: ServiceAccount
-  name: mcp-operator
-  namespace: {{ .Release.Namespace }}
-roleRef:
-  kind: ClusterRole
-  name: {{ include "mcp-operator.v2bridge.clusterrole" . }}
-  apiGroup: rbac.authorization.k8s.io
----

charts/mcp-operator/values.yaml

@@ -109,6 +109,9 @@ apiserver:
 
 landscaper:
   disabled: false
+  # architecture:
+  #   version: v1
+  #   allowOverride: false
   clusters:
     # core:
     #   # specify either kubeconfig or host, audience, and one of caData or caConfigMapName.

cmd/mcp-operator/app/app.go

@@ -22,6 +22,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/cluster"
 
 	v2install "github.com/openmcp-project/openmcp-operator/api/install"
+	lsv2install "github.com/openmcp-project/service-provider-landscaper/api/install"
 
 	laasinstall "github.com/gardener/landscaper-service/pkg/apis/core/install"
 	cocorev1beta1 "github.com/openmcp-project/control-plane-operator/api/v1beta1"
@@ -290,6 +291,7 @@ func (o *Options) run(ctx context.Context) error {
 	sc := runtime.NewScheme()
 	openmcpinstall.Install(sc)
 	utilruntime.Must(clientgoscheme.AddToScheme(sc))
+	lsv2install.InstallProviderAPIs(sc)
 	mgr, err := ctrl.NewManager(o.CrateClusterConfig, ctrl.Options{
 		Scheme: sc,
 		Metrics: server.Options{

docs/architecture-v2/bridge.md

@@ -4,6 +4,7 @@ In order to migrate an existing MCP landscape to the new v2 architecture step by
 
 The bridge is currently implemented for the following components:
 - `APIServer`
+- `Landscaper`
 
 ## Architecture Configuration
 
@@ -12,7 +13,10 @@ To configure for which components the bridge is enabled, set the architecture co
 immutability:
   policyName: mcp-architecture-immutability
   disabled: false
-apiServer:
+apiserver:
+  version: v1
+  allowOverride: false
+landscaper:
   version: v1
   allowOverride: false
 # more components are to follow

go.mod

@@ -17,8 +17,9 @@ require (
 	github.com/openmcp-project/control-plane-operator v0.1.10
 	github.com/openmcp-project/controller-utils v0.13.1
 	github.com/openmcp-project/mcp-operator/api v0.33.1
-	github.com/openmcp-project/openmcp-operator/api v0.7.0
-	github.com/openmcp-project/openmcp-operator/lib v0.8.3
+	github.com/openmcp-project/openmcp-operator/api v0.9.0
+	github.com/openmcp-project/openmcp-operator/lib v0.9.0
+	github.com/openmcp-project/service-provider-landscaper v0.4.0
 	github.com/spf13/cobra v1.9.1
 	github.com/spf13/pflag v1.0.7
 	github.com/stretchr/testify v1.10.0
@@ -85,7 +86,7 @@ require (
 	go.uber.org/zap v1.27.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.3 // indirect
-	golang.org/x/exp v0.0.0-20250711185948-6ae5c78190dc // indirect
+	golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 // indirect
 	golang.org/x/mod v0.26.0 // indirect
 	golang.org/x/net v0.42.0 // indirect
 	golang.org/x/oauth2 v0.29.0 // indirect

go.sum

@@ -115,10 +115,12 @@ github.com/openmcp-project/control-plane-operator v0.1.10 h1:5ticEP3llBmIHQkBzkZ
 github.com/openmcp-project/control-plane-operator v0.1.10/go.mod h1:GNu9LBTPWoE3dKsBo2kS+SeKSLU2qLtu3VjpaznsB2o=
 github.com/openmcp-project/controller-utils v0.13.1 h1:+06c0bs1BIO+hBsTcuiEK5y8vpDFoZPml59WNm8fagM=
 github.com/openmcp-project/controller-utils v0.13.1/go.mod h1:Z1ytVshYcgJq3VQVGqkuZsjO/BCr4UYAaVpHl6JSIMI=
-github.com/openmcp-project/openmcp-operator/api v0.7.0 h1:DvaMS3xtAvahGOQm9sI26aotupa8XkwZP52HfOhZ9K0=
-github.com/openmcp-project/openmcp-operator/api v0.7.0/go.mod h1:TuAq8Fbrzuykxw/h589M8+QfHotwero5MPWVzdFAqkw=
-github.com/openmcp-project/openmcp-operator/lib v0.8.3 h1:2bb1zbP6Si7/fUfXT9M5B0xQnd7O4zGJXaUoe9pDmcA=
-github.com/openmcp-project/openmcp-operator/lib v0.8.3/go.mod h1:oydIXRZoNDxtI4DI/JBUB08UPzvfdaKLqHvC4S4HXHQ=
+github.com/openmcp-project/openmcp-operator/api v0.9.0 h1:Ss2XTHci3QDwtVQ9QCpAez68WPJNHpabpwMTpFYn0NE=
+github.com/openmcp-project/openmcp-operator/api v0.9.0/go.mod h1:cqSmw3+8QJ2Va15aeCmISKIqcWnTpPSb8kch6eyfa6U=
+github.com/openmcp-project/openmcp-operator/lib v0.9.0 h1:jbuuZ2HlR0T1wO+Ty8AEaswNeoUK7eGUIw+8zEaicJo=
+github.com/openmcp-project/openmcp-operator/lib v0.9.0/go.mod h1:ILD0kCivVMZM5G38GJXflN1AXuQZX4wfH1FgNAcrXo0=
+github.com/openmcp-project/service-provider-landscaper v0.4.0 h1:H55q5whlcb1fyhY7/dkeigcp9UPXZQj+WDI57XVY4vY=
+github.com/openmcp-project/service-provider-landscaper v0.4.0/go.mod h1:5VU8eJ5nA2Kz0Kc4qbmw6ocMNCgLKzDu5mX6w5hOHa8=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -181,8 +183,8 @@ go.yaml.in/yaml/v3 v3.0.3/go.mod h1:tBHosrYAkRZjRAOREWbDnBXUf08JOwYq++0QNwQiWzI=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/exp v0.0.0-20250711185948-6ae5c78190dc h1:TS73t7x3KarrNd5qAipmspBDS1rkMcgVG/fS1aRb4Rc=
-golang.org/x/exp v0.0.0-20250711185948-6ae5c78190dc/go.mod h1:A+z0yzpGtvnG90cToK5n2tu8UJVP2XUATh+r+sfOOOc=
+golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 h1:R9PFI6EUdfVKgwKjZef7QIwGcBKu86OEFpJ9nUEP2l4=
+golang.org/x/exp v0.0.0-20250718183923-645b1fa84792/go.mod h1:A+z0yzpGtvnG90cToK5n2tu8UJVP2XUATh+r+sfOOOc=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.26.0 h1:EGMPT//Ezu+ylkCijjPc+f4Aih7sZvaAr+O3EHBxvZg=

internal/controller/core/apiserver/controller_test.go

@@ -27,6 +27,7 @@ import (
 
 	"github.com/openmcp-project/controller-utils/pkg/testing"
 	clustersv1alpha1 "github.com/openmcp-project/openmcp-operator/api/clusters/v1alpha1"
+	commonapi "github.com/openmcp-project/openmcp-operator/api/common"
 	openmcpclusterutils "github.com/openmcp-project/openmcp-operator/lib/utils"
 
 	gardenv1beta1 "github.com/openmcp-project/mcp-operator/api/external/gardener/pkg/apis/core/v1beta1"
@@ -383,10 +384,8 @@ var _ = Describe("CO-1153 APIServer Controller", func() {
 			Expect(env.Client(testutils.LaaSCoreCluster).Create(env.Ctx, cluster)).To(Succeed())
 
 			cr.Status.Phase = clustersv1alpha1.REQUEST_GRANTED
-			cr.Status.Cluster = &clustersv1alpha1.NamespacedObjectReference{
-				ObjectReference: clustersv1alpha1.ObjectReference{
-					Name: cluster.Name,
-				},
+			cr.Status.Cluster = &commonapi.ObjectReference{
+				Name:      cluster.Name,
 				Namespace: cluster.Namespace,
 			}
 			Expect(env.Client(testutils.LaaSCoreCluster).Status().Update(env.Ctx, cr)).To(Succeed())
@@ -426,11 +425,11 @@ var _ = Describe("CO-1153 APIServer Controller", func() {
 			dummyShootJson, err := json.Marshal(dummyShoot)
 			Expect(err).NotTo(HaveOccurred())
 			cluster.Status = clustersv1alpha1.ClusterStatus{
-				Phase: clustersv1alpha1.CLUSTER_PHASE_READY,
 				ProviderStatus: &runtime.RawExtension{
 					Raw: dummyShootJson,
 				},
 			}
+			cluster.Status.Phase = clustersv1alpha1.CLUSTER_PHASE_READY
 			Expect(env.Client(testutils.LaaSCoreCluster).Status().Update(env.Ctx, cluster)).To(Succeed())
 
 			// reconcile again, should now get further
@@ -472,10 +471,8 @@ var _ = Describe("CO-1153 APIServer Controller", func() {
 			Expect(env.Client(testutils.LaaSCoreCluster).Create(env.Ctx, access)).To(Succeed())
 
 			ar.Status.Phase = clustersv1alpha1.REQUEST_GRANTED
-			ar.Status.SecretRef = &clustersv1alpha1.NamespacedObjectReference{
-				ObjectReference: clustersv1alpha1.ObjectReference{
-					Name: access.Name,
-				},
+			ar.Status.SecretRef = &commonapi.ObjectReference{
+				Name:      access.Name,
 				Namespace: access.Namespace,
 			}
 			Expect(env.Client(testutils.LaaSCoreCluster).Status().Update(env.Ctx, ar)).To(Succeed())

internal/controller/core/apiserver/v2.go

@@ -4,8 +4,10 @@ import (
 	"context"
 	"fmt"
 	"strconv"
+	"strings"
 	"time"
 
+	"github.com/openmcp-project/controller-utils/pkg/collections"
 	"github.com/openmcp-project/controller-utils/pkg/logging"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
@@ -22,6 +24,7 @@ import (
 	gcpv1alpha1 "github.com/openmcp-project/cluster-provider-gardener/api/core/v1alpha1"
 	clustersv1alpha1 "github.com/openmcp-project/openmcp-operator/api/clusters/v1alpha1"
 	clustersconst "github.com/openmcp-project/openmcp-operator/api/clusters/v1alpha1/constants"
+	commonapi "github.com/openmcp-project/openmcp-operator/api/common"
 	openmcpclusterutils "github.com/openmcp-project/openmcp-operator/lib/utils"
 
 	gardenv1beta1 "github.com/openmcp-project/mcp-operator/api/external/gardener/pkg/apis/core/v1beta1"
@@ -107,7 +110,9 @@ func v2HandleCreateOrUpdate(ctx context.Context, as *openmcpv1alpha1.APIServer,
 		clusterReadyCon.Status = openmcpv1alpha1.ComponentConditionStatusFromBool(cluster.Status.Phase == clustersv1alpha1.CLUSTER_PHASE_READY)
 		if clusterReadyCon.Status != openmcpv1alpha1.ComponentConditionStatusTrue {
 			clusterReadyCon.Reason = cconst.ReasonClusterNotReady
-			clusterReadyCon.Message = cluster.Status.Message
+			clusterReadyCon.Message = strings.Join(collections.ProjectSlice(cluster.Status.Conditions, func(con metav1.Condition) string {
+				return fmt.Sprintf("[%s] %s", con.Reason, con.Message)
+			}), "\n")
 			if clusterReadyCon.Message == "" {
 				clusterReadyCon.Message = "Cluster is not ready yet, no further information available"
 			}
@@ -160,11 +165,10 @@ func v2HandleCreateOrUpdate(ctx context.Context, as *openmcpv1alpha1.APIServer,
 	} else {
 		clusterRequestGrantedCon.Status = openmcpv1alpha1.ComponentConditionStatusFalse
 		clusterRequestGrantedCon.Reason = cconst.ReasonClusterRequestNotGranted
-		crReason := cr.Status.Reason
-		crMessage := cr.Status.Message
-		if crReason == "" {
-			crReason = "<NoReason>"
-		}
+		crReason := cconst.ReasonClusterRequestNotGranted
+		crMessage := strings.Join(collections.ProjectSlice(cr.Status.Conditions, func(con metav1.Condition) string {
+			return fmt.Sprintf("[%s] %s", con.Reason, con.Message)
+		}), "\n")
 		if crMessage == "" {
 			crMessage = "<NoMessage>"
 		}
@@ -228,11 +232,10 @@ func v2HandleCreateOrUpdate(ctx context.Context, as *openmcpv1alpha1.APIServer,
 		if ar.Status.Phase != clustersv1alpha1.REQUEST_GRANTED && ar.Status.SecretRef == nil {
 			accessRequestGrantedCon.Status = openmcpv1alpha1.ComponentConditionStatusFalse
 			accessRequestGrantedCon.Reason = cconst.ReasonAccessRequestNotGranted
-			arReason := cr.Status.Reason
-			arMessage := cr.Status.Message
-			if arReason == "" {
-				arReason = "<NoReason>"
-			}
+			arReason := cconst.ReasonAccessRequestNotGranted
+			arMessage := strings.Join(collections.ProjectSlice(ar.Status.Conditions, func(con metav1.Condition) string {
+				return fmt.Sprintf("[%s] %s", con.Reason, con.Message)
+			}), "\n")
 			if arMessage == "" {
 				arMessage = "<NoMessage>"
 			}
@@ -472,11 +475,11 @@ func (m *AccessRequestMutator) MetadataMutator() resources.MetadataMutator {
 // Mutate implements resources.Mutator.
 func (m *AccessRequestMutator) Mutate(r *clustersv1alpha1.AccessRequest) error {
 	if m.isClusterRef && r.Spec.ClusterRef == nil {
-		r.Spec.ClusterRef = &clustersv1alpha1.NamespacedObjectReference{}
+		r.Spec.ClusterRef = &commonapi.ObjectReference{}
 		r.Spec.ClusterRef.Name = m.refName
 		r.Spec.ClusterRef.Namespace = m.refNamespace
 	} else if !m.isClusterRef && r.Spec.RequestRef == nil {
-		r.Spec.RequestRef = &clustersv1alpha1.NamespacedObjectReference{}
+		r.Spec.RequestRef = &commonapi.ObjectReference{}
 		r.Spec.RequestRef.Name = m.refName
 		r.Spec.RequestRef.Namespace = m.refNamespace
 	}