fix: bug fixes and secret copying (#21)

* fix helm values type

* fix storage namespace

* extend secrety copying mechanism

* fix secret copy target requirement

* check for namespace creation

* fix access creation

* add platformservice task

* fix oci source use-case

* add config examples to docs

* feat: release v0.0.2

Author: Diaphteiros

Taskfile.yaml

@@ -16,3 +16,25 @@ includes:
       CHART_COMPONENTS: "[]"
       CRDS_COMPONENTS: platform-service-dns
       CRDS_PATH: '{{.ROOT_DIR}}/api/crds/manifests'
+
+tasks:
+  platformservice:
+    desc: "  Generates a PlatformService manifest for the current version. Set the VERBOSITY env var to overwrite the default verbosity level (INFO)."
+    requires:
+      vars:
+      - VERSION
+    vars:
+      VERBOSITY:
+        sh: echo "${VERBOSITY:-INFO}"
+    cmds:
+    - cmd: |
+        cat << EOF
+        apiVersion: openmcp.cloud/v1alpha1
+        kind: PlatformService
+        metadata:
+          name: dns
+        spec:
+          image: ghcr.io/openmcp-project/images/platform-service-dns:{{.VERSION}}
+          verbosity: {{.VERBOSITY}}
+        EOF
+      silent: true

VERSION

@@ -1 +1 @@
-v0.0.1-dev
+v0.0.2

api/crds/manifests/dns.openmcp.cloud_dnsserviceconfigs.yaml

@@ -67,7 +67,8 @@ spec:
                         - <environment> will be replaced with the environment name of the operator.
                         - <cluster.name> will be replaced with the name of the reconciled Cluster.
                         - <cluster.namespace> will be replaced with the namespace of the reconciled Cluster.
-                      type: string
+                      type: object
+                      x-kubernetes-preserve-unknown-fields: true
                     name:
                       description: |-
                         Name is an optional name.
@@ -102,9 +103,9 @@ spec:
                   chartName:
                     description: |-
                       ChartName specifies the name of the external-dns chart.
-                      Depending on the source, this can also be a relative path within the repository.
-                      When using a source that needs a version (helm or oci), append the version to the chart name using '@', e.g. '[email protected]' or omit for latest version.
-                    minLength: 1
+                      Can be omitted for oci sources, required for git and helm sources.
+                      For git sources, this is the path within the git repository to the chart.
+                      For helm sources, append the version to the chart name using '@', e.g. '[email protected]' or omit for latest version.
                     type: string
                   git:
                     description: |-
@@ -638,10 +639,11 @@ spec:
                     - interval
                     - url
                     type: object
-                required:
-                - chartName
                 type: object
                 x-kubernetes-validations:
+                - message: chartName must be set if git is used as source
+                  rule: '(has(self.git) || has(self.helm)) ? (has(self.chartName)
+                    && size(self.chartName) > 0) : true'
                 - message: exactly one of the fields in [helm git oci] must be set
                   rule: '[has(self.helm),has(self.git),has(self.oci)].filter(x,x==true).size()
                     == 1'
@@ -653,48 +655,100 @@ spec:
                 type: string
               secretsToCopy:
                 description: |-
-                  SecretsToCopy specifies an optional list of secrets which will be copied from the provider namespace into the namespaces of the reconciled Clusters.
-                  This can, for example, be used to distribute credentials for the registry holding the external-dns helm chart.
-                items:
-                  description: |-
-                    SecretCopy defines the name of the secret to copy and the name of the copied secret.
-                    If target is nil or target.name is empty, the secret will be copied with the same name as the source secret.
-                  properties:
-                    source:
-                      description: LocalObjectReference is a reference to an object
-                        in the same namespace as the resource referencing it.
+                  SecretsToCopy specifies secrets that should be copied to either the cluster's namespace on the platform cluster,
+                  or the namespace on the target cluster where the helm chart will be installed into.
+                properties:
+                  toPlatformCluster:
+                    description: |-
+                      ToPlatformCluster lists secrets from the provider namespace that should be copied into the cluster's namespace on the platform cluster.
+                      This is useful e.g. for pull secrets for the helm chart registry.
+                    items:
+                      description: |-
+                        SecretCopy defines the name of the secret to copy and the name of the copied secret.
+                        If target is nil or target.name is empty, the secret will be copied with the same name as the source secret.
                       properties:
-                        name:
-                          default: ""
+                        source:
                           description: |-
-                            Name of the referent.
-                            This field is effectively required, but due to backwards compatibility is
-                            allowed to be empty. Instances of this type with an empty value here are
-                            almost certainly wrong.
-                            More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                          type: string
+                            Source references the source secret to copy.
+                            It has to be in the namespace the provider pod is running in.
+                          properties:
+                            name:
+                              default: ""
+                              description: |-
+                                Name of the referent.
+                                This field is effectively required, but due to backwards compatibility is
+                                allowed to be empty. Instances of this type with an empty value here are
+                                almost certainly wrong.
+                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                              type: string
+                          type: object
+                          x-kubernetes-map-type: atomic
+                        target:
+                          description: |-
+                            Target is the name of the copied secret.
+                            If not set, the secret will be copied with the same name as the source secret.
+                          properties:
+                            name:
+                              default: ""
+                              description: |-
+                                Name of the referent.
+                                This field is effectively required, but due to backwards compatibility is
+                                allowed to be empty. Instances of this type with an empty value here are
+                                almost certainly wrong.
+                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                              type: string
+                          type: object
+                          x-kubernetes-map-type: atomic
+                      required:
+                      - source
                       type: object
-                      x-kubernetes-map-type: atomic
-                    target:
-                      description: LocalObjectReference is a reference to an object
-                        in the same namespace as the resource referencing it.
+                    type: array
+                  toTargetCluster:
+                    description: |-
+                      ToTargetCluster lists secrets from the provider namespace that should be copied into the cluster's namespace on the target cluster.
+                      This allows propagating secrets that are required by the helm chart to the target cluster.
+                    items:
+                      description: |-
+                        SecretCopy defines the name of the secret to copy and the name of the copied secret.
+                        If target is nil or target.name is empty, the secret will be copied with the same name as the source secret.
                       properties:
-                        name:
-                          default: ""
+                        source:
                           description: |-
-                            Name of the referent.
-                            This field is effectively required, but due to backwards compatibility is
-                            allowed to be empty. Instances of this type with an empty value here are
-                            almost certainly wrong.
-                            More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                          type: string
+                            Source references the source secret to copy.
+                            It has to be in the namespace the provider pod is running in.
+                          properties:
+                            name:
+                              default: ""
+                              description: |-
+                                Name of the referent.
+                                This field is effectively required, but due to backwards compatibility is
+                                allowed to be empty. Instances of this type with an empty value here are
+                                almost certainly wrong.
+                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                              type: string
+                          type: object
+                          x-kubernetes-map-type: atomic
+                        target:
+                          description: |-
+                            Target is the name of the copied secret.
+                            If not set, the secret will be copied with the same name as the source secret.
+                          properties:
+                            name:
+                              default: ""
+                              description: |-
+                                Name of the referent.
+                                This field is effectively required, but due to backwards compatibility is
+                                allowed to be empty. Instances of this type with an empty value here are
+                                almost certainly wrong.
+                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                              type: string
+                          type: object
+                          x-kubernetes-map-type: atomic
+                      required:
+                      - source
                       type: object
-                      x-kubernetes-map-type: atomic
-                  required:
-                  - source
-                  - target
-                  type: object
-                type: array
+                    type: array
+                type: object
             required:
             - externalDNSSource
             type: object

api/dns/v1alpha1/config_types.go

@@ -16,10 +16,10 @@ type DNSServiceConfigSpec struct {
 	// ExternalDNSSource is the source of the external-dns helm chart.
 	ExternalDNSSource ExternalDNSSource `json:"externalDNSSource"`
 
-	// SecretsToCopy specifies an optional list of secrets which will be copied from the provider namespace into the namespaces of the reconciled Clusters.
-	// This can, for example, be used to distribute credentials for the registry holding the external-dns helm chart.
+	// SecretsToCopy specifies secrets that should be copied to either the cluster's namespace on the platform cluster,
+	// or the namespace on the target cluster where the helm chart will be installed into.
 	// +optional
-	SecretsToCopy []SecretCopy `json:"secretsToCopy,omitempty"`
+	SecretsToCopy *SecretsToCopy `json:"secretsToCopy,omitempty"`
 
 	// HelmReleaseReconciliationInterval is the interval at which the HelmRelease for external-dns is reconciled.
 	// The value can be overwritten for specific purposes using ExternalDNSForPurposes.
@@ -34,15 +34,28 @@ type DNSServiceConfigSpec struct {
 	ExternalDNSForPurposes []ExternalDNSPurposeConfig `json:"externalDNSForPurposes,omitempty"`
 }
 
+type SecretsToCopy struct {
+	// ToPlatformCluster lists secrets from the provider namespace that should be copied into the cluster's namespace on the platform cluster.
+	// This is useful e.g. for pull secrets for the helm chart registry.
+	// +optional
+	ToPlatformCluster []SecretCopy `json:"toPlatformCluster,omitempty"`
+	// ToTargetCluster lists secrets from the provider namespace that should be copied into the cluster's namespace on the target cluster.
+	// This allows propagating secrets that are required by the helm chart to the target cluster.
+	// +optional
+	ToTargetCluster []SecretCopy `json:"toTargetCluster,omitempty"`
+}
+
 // ExternalDNSSource defines the source of the external-dns helm chart in form of a Flux source.
 // Exactly one of 'HelmRepository', 'GitRepository' or 'OCIRepository' must be set.
 // If 'copyAuthSecret' is set, the referenced source secret is copied into the namespace where the Flux resources are created with the specified target name.
 // +kubebuilder:validation:ExactlyOneOf=helm;git;oci
+// +kubebuilder:validation:XValidation:rule="(has(self.git) || has(self.helm)) ? (has(self.chartName) && size(self.chartName) > 0) : true", message="chartName must be set if git is used as source"
 type ExternalDNSSource struct {
 	// ChartName specifies the name of the external-dns chart.
-	// Depending on the source, this can also be a relative path within the repository.
-	// When using a source that needs a version (helm or oci), append the version to the chart name using '@', e.g. '[email protected]' or omit for latest version.
-	// +kubebuilder:validation:MinLength=1
+	// Can be omitted for oci sources, required for git and helm sources.
+	// For git sources, this is the path within the git repository to the chart.
+	// For helm sources, append the version to the chart name using '@', e.g. '[email protected]' or omit for latest version.
+	// +optional
 	ChartName string                     `json:"chartName"`
 	Helm      *fluxv1.HelmRepositorySpec `json:"helm,omitempty"`
 	Git       *fluxv1.GitRepositorySpec  `json:"git,omitempty"`
@@ -52,7 +65,12 @@ type ExternalDNSSource struct {
 // SecretCopy defines the name of the secret to copy and the name of the copied secret.
 // If target is nil or target.name is empty, the secret will be copied with the same name as the source secret.
 type SecretCopy struct {
-	Source commonapi.LocalObjectReference  `json:"source"`
+	// Source references the source secret to copy.
+	// It has to be in the namespace the provider pod is running in.
+	Source commonapi.LocalObjectReference `json:"source"`
+	// Target is the name of the copied secret.
+	// If not set, the secret will be copied with the same name as the source secret.
+	// +optional
 	Target *commonapi.LocalObjectReference `json:"target"`
 }
 
@@ -80,8 +98,9 @@ type ExternalDNSPurposeConfig struct {
 	// - <environment> will be replaced with the environment name of the operator.
 	// - <cluster.name> will be replaced with the name of the reconciled Cluster.
 	// - <cluster.namespace> will be replaced with the namespace of the reconciled Cluster.
-	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Type=object
 	// +kubebuilder:validation:Schemaless
+	// +kubebuilder:pruning:PreserveUnknownFields
 	HelmValues *apiextensionsv1.JSON `json:"helmValues"`
 }
 

api/dns/v1alpha1/constants.go

@@ -8,4 +8,6 @@ const (
 	OperationAnnotation = "dns." + openmcpconst.OperationAnnotation
 
 	ExternalDNSFinalizerOnCluster = "platformservice." + openmcpconst.OpenMCPGroupName + "/dns"
+
+	ReasonTargetClusterInteractionProblem = "TargetClusterInteractionProblem"
 )