implement accessrequest controller

Author: Diaphteiros

api/clusters/v1alpha1/clusterrequest_types.go

@@ -11,7 +11,7 @@ type ClusterRequestSpec struct {
 	Purpose string `json:"purpose"`
 }
 
-// +kubebuilder:validation:XValidation:rule="!has(oldSelf.clusterRef) || has(self.clusterRef)", message="clusterRef may not be removed once set"
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.cluster) || has(self.cluster)", message="cluster may not be removed once set"
 type ClusterRequestStatus struct {
 	CommonStatus `json:",inline"`
 
@@ -23,8 +23,8 @@ type ClusterRequestStatus struct {
 	// Cluster is the reference to the Cluster that was returned as a result of a granted request.
 	// Note that this information needs to be recoverable in case this status is lost, e.g. by adding a back reference in form of a finalizer to the Cluster resource.
 	// +optional
-	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="clusterRef is immutable"
-	Cluster *NamespacedObjectReference `json:"clusterRef,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="cluster is immutable"
+	Cluster *NamespacedObjectReference `json:"cluster,omitempty"`
 }
 
 type RequestPhase string
@@ -49,6 +49,8 @@ func (p RequestPhase) IsPending() bool {
 // +kubebuilder:selectablefield:JSONPath=".status.phase"
 // +kubebuilder:printcolumn:JSONPath=".spec.purpose",name="Purpose",type=string
 // +kubebuilder:printcolumn:JSONPath=".status.phase",name="Phase",type=string
+// +kubebuilder:printcolumn:JSONPath=".status.cluster.name",name="Cluster",type=string
+// +kubebuilder:printcolumn:JSONPath=".status.cluster.namespace",name="Cluster-NS",type=string
 
 // ClusterRequest is the Schema for the clusters API
 type ClusterRequest struct {

api/clusters/v1alpha1/constants.go

@@ -57,28 +57,30 @@ const (
 
 const (
 	// ClusterLabel can be used on CRDs to indicate onto which cluster they should be deployed.
-	ClusterLabel = "openmcp.cloud/cluster"
+	ClusterLabel = ParentGroupName + "/cluster"
 	// OperationAnnotation is used to trigger specific operations on resources.
-	OperationAnnotation = "openmcp.cloud/operation"
+	OperationAnnotation = ParentGroupName + "/operation"
 	// OperationAnnotationValueIgnore is used to ignore the resource.
 	OperationAnnotationValueIgnore = "ignore"
 	// OperationAnnotationValueReconcile is used to trigger a reconcile on the resource.
 	OperationAnnotationValueReconcile = "reconcile"
 
 	// K8sVersionAnnotation can be used to display the k8s version of the cluster.
-	K8sVersionAnnotation = "clusters.openmcp.cloud/k8sversion"
+	K8sVersionAnnotation = GroupName + "/k8sversion"
 	// ProviderInfoAnnotation can be used to display provider-specific information about the cluster.
-	ProviderInfoAnnotation = "clusters.openmcp.cloud/providerinfo"
+	ProviderInfoAnnotation = GroupName + "/providerinfo"
 	// ProfileNameAnnotation can be used to display the actual name (not the hash) of the cluster profile.
-	ProfileNameAnnotation = "clusters.openmcp.cloud/profile"
+	ProfileNameAnnotation = GroupName + "/profile"
 	// EnvironmentAnnotation can be used to display the environment of the cluster.
-	EnvironmentAnnotation = "clusters.openmcp.cloud/environment"
+	EnvironmentAnnotation = GroupName + "/environment"
 	// ProviderAnnotation can be used to display the provider of the cluster.
-	ProviderAnnotation = "clusters.openmcp.cloud/provider"
+	ProviderAnnotation = GroupName + "/provider"
 
 	// DeleteWithoutRequestsLabel marks that the corresponding cluster can be deleted if the scheduler removes the last request pointing to it.
 	// Its value must be "true" for the label to take effect.
-	DeleteWithoutRequestsLabel = "clusters.openmcp.cloud/delete-without-requests"
+	DeleteWithoutRequestsLabel = GroupName + "/delete-without-requests"
+	// ProviderLabel is used to indicate the provider that is responsible for an AccessRequest.
+	ProviderLabel = "provider." + GroupName
 )
 
 const (

api/clusters/v1alpha1/constants/reasons.go

@@ -5,6 +5,8 @@ const (
 	ReasonOnboardingClusterInteractionProblem = "OnboardingClusterInteractionProblem"
 	// ReasonPlatformClusterInteractionProblem is used when the platform cluster cannot be reached.
 	ReasonPlatformClusterInteractionProblem = "PlatformClusterInteractionProblem"
+	// ReasonInvalidReference means that a reference points to a non-existing or otherwise invalid object.
+	ReasonInvalidReference = "InvalidReference"
 	// ReasonConfigurationProblem indicates that something is configured incorrectly.
 	ReasonConfigurationProblem = "ConfigurationProblem"
 	// ReasonInternalError indicates that something went wrong internally.

api/clusters/v1alpha1/groupversion_info.go

@@ -7,7 +7,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/scheme"
 )
 
-const GroupName = "clusters.openmcp.cloud"
+const ParentGroupName = "openmcp.cloud"
+const GroupName = "clusters." + ParentGroupName
 
 var (
 	// GroupVersion is group version used to register these objects

api/crds/manifests/clusters.openmcp.cloud_clusterrequests.yaml

@@ -26,6 +26,12 @@ spec:
     - jsonPath: .status.phase
       name: Phase
       type: string
+    - jsonPath: .status.cluster.name
+      name: Cluster
+      type: string
+    - jsonPath: .status.cluster.namespace
+      name: Cluster-NS
+      type: string
     name: v1alpha1
     schema:
       openAPIV3Schema:
@@ -62,7 +68,7 @@ spec:
               rule: self == oldSelf
           status:
             properties:
-              clusterRef:
+              cluster:
                 description: |-
                   Cluster is the reference to the Cluster that was returned as a result of a granted request.
                   Note that this information needs to be recoverable in case this status is lost, e.g. by adding a back reference in form of a finalizer to the Cluster resource.
@@ -79,7 +85,7 @@ spec:
                 - namespace
                 type: object
                 x-kubernetes-validations:
-                - message: clusterRef is immutable
+                - message: cluster is immutable
                   rule: self == oldSelf
               conditions:
                 description: Conditions contains the conditions.
@@ -147,8 +153,8 @@ spec:
             - phase
             type: object
             x-kubernetes-validations:
-            - message: clusterRef may not be removed once set
-              rule: '!has(oldSelf.clusterRef) || has(self.clusterRef)'
+            - message: cluster may not be removed once set
+              rule: '!has(oldSelf.cluster) || has(self.cluster)'
         type: object
     selectableFields:
     - jsonPath: .spec.purpose

cmd/openmcp-operator/app/init.go

@@ -80,7 +80,7 @@ func (o *InitOptions) Run(ctx context.Context) error {
 	crdManager.AddCRDLabelToClusterMapping(clustersv1alpha1.PURPOSE_ONBOARDING, o.Clusters.Onboarding)
 	crdManager.AddCRDLabelToClusterMapping(clustersv1alpha1.PURPOSE_PLATFORM, o.Clusters.Platform)
 
-	if err := crdManager.CreateOrUpdateCRDs(ctx, nil); err != nil {
+	if err := crdManager.CreateOrUpdateCRDs(ctx, &log); err != nil {
 		return fmt.Errorf("error creating/updating CRDs: %w", err)
 	}
 

cmd/openmcp-operator/app/run.go

@@ -25,6 +25,7 @@ import (
 
 	"github.com/openmcp-project/openmcp-operator/api/install"
 	"github.com/openmcp-project/openmcp-operator/api/provider/v1alpha1"
+	"github.com/openmcp-project/openmcp-operator/internal/controllers/accessrequest"
 	"github.com/openmcp-project/openmcp-operator/internal/controllers/provider"
 	"github.com/openmcp-project/openmcp-operator/internal/controllers/scheduler"
 )
@@ -33,6 +34,7 @@ var setupLog logging.Logger
 var allControllers = []string{
 	strings.ToLower(scheduler.ControllerName),
 	strings.ToLower(provider.ControllerName),
+	strings.ToLower(accessrequest.ControllerName),
 }
 
 func NewRunCommand(so *SharedOptions) *cobra.Command {
@@ -299,6 +301,13 @@ func (o *RunOptions) Run(ctx context.Context) error {
 		}
 	}
 
+	// setup accessrequest controller
+	if slices.Contains(o.Controllers, strings.ToLower(accessrequest.ControllerName)) {
+		if err := accessrequest.NewAccessRequestReconciler(o.Clusters.Platform, o.Config.AccessRequest).SetupWithManager(mgr); err != nil {
+			return fmt.Errorf("unable to setup accessrequest controller: %w", err)
+		}
+	}
+
 	// setup deployment controller
 	if slices.Contains(o.Controllers, strings.ToLower(provider.ControllerName)) {
 		utilruntime.Must(clientgoscheme.AddToScheme(mgr.GetScheme()))

docs/controller/accessrequest.md

@@ -0,0 +1,25 @@
+# AccessRequest Controller
+
+The _AccessRequest Controller_ is responsible for labelling `AccessRequest` resources with the name of the ClusterProvider that is responsible for them.
+
+This is needed because the information, which ClusterProvider is responsible for answering the `AccessRequest` is contained in the referenced `ClusterProfile`. Depending on `AccessRequest`'s spec, a `Cluster` and potentially also a `ClusterRequest` must be fetched before the `ClusterProfile` is known, which then has to be fetched too. If multiple ClusterProviders are running in the cluster, all of them would need to fetch these resources, only for all but one of them to notice that they are not responsible and don't have to do anything.
+
+To increase performance and simplify reconciliation logic in the individual ClusterProviders, this central AccessRequest controller takes over the task of figuring out the responsible ClusterProvider and adds a `provider.clusters.openmcp.cloud` label with its name to the `AccessRequest` resource. It reacts only on resources which do not yet have this label, so it should reconcile each `AccessRequest` only once (excluding repeated reconciliations due to errors).
+
+ClusterProviders should only reconcile `AccessRequest` resources where the value of the `provider.clusters.openmcp.cloud` label matches their own provider name and ignore resources with other values or if the label is missing completely.
+
+## Configuration
+
+The AccessRequest controller is run as long as `accessrequest` is included in the `--controllers` flag. It is included by default.
+
+The entire configuration for the AccessRequest controller is optional.
+```yaml
+accessRequest:              # optional
+  selector:                 # optional
+    matchLabels: <...>      # optional
+    matchExpressions: <...> # optional
+```
+
+The following fields can be specified inside the `accessRequest` node:
+- `selector` _(optional)_
+  - A standard k8s label selector, as it is also used in Deployments, for example. If specified, only `AccessRequest` resources matching the selector are reconciled by the controller. This can be used to distribute resources between multiple instances of the AccessRequest controller watching the same cluster.

internal/config/config.go

@@ -26,6 +26,9 @@ type Config struct {
 
 	// Scheduler is the configuration for the cluster scheduler.
 	Scheduler *SchedulerConfig `json:"scheduler,omitempty"`
+
+	// AccessRequest is the configuration for the access request controller.
+	AccessRequest *AccessRequestConfig `json:"accessRequest,omitempty"`
 }
 
 // Dump is used for logging and debugging purposes.

internal/config/config_accessrequest.go

@@ -0,0 +1,24 @@
+package config
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+type AccessRequestConfig struct {
+	// If set, only AccessRequests that match the selector will be reconciled.
+	Selector *Selector `json:"selector,omitempty"`
+}
+
+func (c *AccessRequestConfig) Validate(fldPath *field.Path) error {
+	return c.Selector.Validate(fldPath.Child("selector"))
+}
+
+func (c *AccessRequestConfig) Complete(fldPath *field.Path) error {
+	if err := c.Selector.Complete(fldPath.Child("selector")); err != nil {
+		return fmt.Errorf("error completing selector: %w", err)
+	}
+
+	return nil
+}