22 changes: 22 additions & 0 deletions Taskfile.yaml
Expand Up @@ -16,3 +16,25 @@ includes:
CHART_COMPONENTS: "[]"
CRDS_COMPONENTS: platform-service-dns
CRDS_PATH: '{{.ROOT_DIR}}/api/crds/manifests'

tasks:
platformservice:
desc: " Generates a PlatformService manifest for the current version. Set the VERBOSITY env var to overwrite the default verbosity level (INFO)."
requires:
vars:
- VERSION
vars:
VERBOSITY:
sh: echo "${VERBOSITY:-INFO}"
cmds:
- cmd: |
cat << EOF
apiVersion: openmcp.cloud/v1alpha1
kind: PlatformService
metadata:
name: dns
spec:
image: ghcr.io/openmcp-project/images/platform-service-dns:{{.VERSION}}
verbosity: {{.VERBOSITY}}
EOF
silent: true
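Review bot: The heredoc opened by `cat << EOF` is unquoted, so once `{{.VERSION}}` and `{{.VERBOSITY}}` have been substituted the shell still performs `$` and backtick expansion on the body, and VERBOSITY is taken straight from the environment. Quoting the delimiter, `cat << 'EOF'`, keeps both values literal; this assumes Task renders its templates before the shell sees the command, which is worth confirming. The values are also written into the manifest unquoted, so a value containing a colon or a newline would change the structure of the emitted YAML. Checking VERBOSITY against an allow-list of levels before printing would close that off as well.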
2 changes: 1 addition & 1 deletion VERSION
@@ -1 +1 @@
v0.0.1-dev
v0.0.2
138 changes: 96 additions & 42 deletions api/crds/manifests/dns.openmcp.cloud_dnsserviceconfigs.yaml
Expand Up @@ -67,7 +67,8 @@ spec:
- <environment> will be replaced with the environment name of the operator.
- <cluster.name> will be replaced with the name of the reconciled Cluster.
- <cluster.namespace> will be replaced with the namespace of the reconciled Cluster.
type: string
type: object
x-kubernetes-preserve-unknown-fields: true
name:
description: |-
Name is an optional name.
Expand Down Expand Up @@ -102,9 +103,9 @@ spec:
chartName:
description: |-
ChartName specifies the name of the external-dns chart.
Depending on the source, this can also be a relative path within the repository.
When using a source that needs a version (helm or oci), append the version to the chart name using '@', e.g. '[email protected]' or omit for latest version.
minLength: 1
Can be omitted for oci sources, required for git and helm sources.
For git sources, this is the path within the git repository to the chart.
For helm sources, append the version to the chart name using '@', e.g. '[email protected]' or omit for latest version.
type: string
git:
description: |-
Expand Down Expand Up @@ -638,10 +639,11 @@ spec:
- interval
- url
type: object
required:
- chartName
type: object
x-kubernetes-validations:
- message: chartName must be set if git is used as source
rule: '(has(self.git) || has(self.helm)) ? (has(self.chartName)
&& size(self.chartName) > 0) : true'
- message: exactly one of the fields in [helm git oci] must be set
rule: '[has(self.helm),has(self.git),has(self.oci)].filter(x,x==true).size()
== 1'
Expand All @@ -653,48 +655,100 @@ spec:
type: string
secretsToCopy:
description: |-
SecretsToCopy specifies an optional list of secrets which will be copied from the provider namespace into the namespaces of the reconciled Clusters.
This can, for example, be used to distribute credentials for the registry holding the external-dns helm chart.
items:
description: |-
SecretCopy defines the name of the secret to copy and the name of the copied secret.
If target is nil or target.name is empty, the secret will be copied with the same name as the source secret.
properties:
source:
description: LocalObjectReference is a reference to an object
in the same namespace as the resource referencing it.
SecretsToCopy specifies secrets that should be copied to either the cluster's namespace on the platform cluster,
or the namespace on the target cluster where the helm chart will be installed into.
properties:
toPlatformCluster:
description: |-
ToPlatformCluster lists secrets from the provider namespace that should be copied into the cluster's namespace on the platform cluster.
This is useful e.g. for pull secrets for the helm chart registry.
items:
description: |-
SecretCopy defines the name of the secret to copy and the name of the copied secret.
If target is nil or target.name is empty, the secret will be copied with the same name as the source secret.
properties:
name:
default: ""
source:
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
Source references the source secret to copy.
It has to be in the namespace the provider pod is running in.
properties:
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
type: object
x-kubernetes-map-type: atomic
target:
description: |-
Target is the name of the copied secret.
If not set, the secret will be copied with the same name as the source secret.
properties:
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
type: object
x-kubernetes-map-type: atomic
required:
- source
type: object
x-kubernetes-map-type: atomic
target:
description: LocalObjectReference is a reference to an object
in the same namespace as the resource referencing it.
type: array
toTargetCluster:
description: |-
ToTargetCluster lists secrets from the provider namespace that should be copied into the cluster's namespace on the target cluster.
This allows propagating secrets that are required by the helm chart to the target cluster.
items:
description: |-
SecretCopy defines the name of the secret to copy and the name of the copied secret.
If target is nil or target.name is empty, the secret will be copied with the same name as the source secret.
properties:
name:
default: ""
source:
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
Source references the source secret to copy.
It has to be in the namespace the provider pod is running in.
properties:
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
type: object
x-kubernetes-map-type: atomic
target:
description: |-
Target is the name of the copied secret.
If not set, the secret will be copied with the same name as the source secret.
properties:
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
type: object
x-kubernetes-map-type: atomic
required:
- source
type: object
x-kubernetes-map-type: atomic
required:
- source
- target
type: object
type: array
type: array
type: object
required:
- externalDNSSource
type: object
35 changes: 27 additions & 8 deletions api/dns/v1alpha1/config_types.go
Expand Up @@ -16,10 +16,10 @@ type DNSServiceConfigSpec struct {
// ExternalDNSSource is the source of the external-dns helm chart.
ExternalDNSSource ExternalDNSSource `json:"externalDNSSource"`

// SecretsToCopy specifies an optional list of secrets which will be copied from the provider namespace into the namespaces of the reconciled Clusters.
// This can, for example, be used to distribute credentials for the registry holding the external-dns helm chart.
// SecretsToCopy specifies secrets that should be copied to either the cluster's namespace on the platform cluster,
// or the namespace on the target cluster where the helm chart will be installed into.
// +optional
SecretsToCopy []SecretCopy `json:"secretsToCopy,omitempty"`
SecretsToCopy *SecretsToCopy `json:"secretsToCopy,omitempty"`

// HelmReleaseReconciliationInterval is the interval at which the HelmRelease for external-dns is reconciled.
// The value can be overwritten for specific purposes using ExternalDNSForPurposes.
Expand All @@ -34,15 +34,28 @@ type DNSServiceConfigSpec struct {
ExternalDNSForPurposes []ExternalDNSPurposeConfig `json:"externalDNSForPurposes,omitempty"`
}

type SecretsToCopy struct {
// ToPlatformCluster lists secrets from the provider namespace that should be copied into the cluster's namespace on the platform cluster.
// This is useful e.g. for pull secrets for the helm chart registry.
// +optional
ToPlatformCluster []SecretCopy `json:"toPlatformCluster,omitempty"`
// ToTargetCluster lists secrets from the provider namespace that should be copied into the cluster's namespace on the target cluster.
// This allows propagating secrets that are required by the helm chart to the target cluster.
// +optional
ToTargetCluster []SecretCopy `json:"toTargetCluster,omitempty"`
}

// ExternalDNSSource defines the source of the external-dns helm chart in form of a Flux source.
// Exactly one of 'HelmRepository', 'GitRepository' or 'OCIRepository' must be set.
// If 'copyAuthSecret' is set, the referenced source secret is copied into the namespace where the Flux resources are created with the specified target name.
// +kubebuilder:validation:ExactlyOneOf=helm;git;oci
// +kubebuilder:validation:XValidation:rule="(has(self.git) || has(self.helm)) ? (has(self.chartName) && size(self.chartName) > 0) : true", message="chartName must be set if git is used as source"
type ExternalDNSSource struct {
// ChartName specifies the name of the external-dns chart.
// Depending on the source, this can also be a relative path within the repository.
// When using a source that needs a version (helm or oci), append the version to the chart name using '@', e.g. '[email protected]' or omit for latest version.
// +kubebuilder:validation:MinLength=1
// Can be omitted for oci sources, required for git and helm sources.
// For git sources, this is the path within the git repository to the chart.
// For helm sources, append the version to the chart name using '@', e.g. '[email protected]' or omit for latest version.
// +optional
ChartName string `json:"chartName"`
Helm *fluxv1.HelmRepositorySpec `json:"helm,omitempty"`
Git *fluxv1.GitRepositorySpec `json:"git,omitempty"`
Expand All @@ -52,7 +65,12 @@ type ExternalDNSSource struct {
// SecretCopy defines the name of the secret to copy and the name of the copied secret.
// If target is nil or target.name is empty, the secret will be copied with the same name as the source secret.
type SecretCopy struct {
Source commonapi.LocalObjectReference `json:"source"`
// Source references the source secret to copy.
// It has to be in the namespace the provider pod is running in.
Source commonapi.LocalObjectReference `json:"source"`
// Target is the name of the copied secret.
// If not set, the secret will be copied with the same name as the source secret.
// +optional
Target *commonapi.LocalObjectReference `json:"target"`
}

Expand Down Expand Up @@ -80,8 +98,9 @@ type ExternalDNSPurposeConfig struct {
// - <environment> will be replaced with the environment name of the operator.
// - <cluster.name> will be replaced with the name of the reconciled Cluster.
// - <cluster.namespace> will be replaced with the namespace of the reconciled Cluster.
// +kubebuilder:validation:Type=string
// +kubebuilder:validation:Type=object
// +kubebuilder:validation:Schemaless
// +kubebuilder:pruning:PreserveUnknownFields
HelmValues *apiextensionsv1.JSON `json:"helmValues"`
}
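Review bot: `ToTargetCluster` lets a DNSServiceConfig name any secret in the provider namespace and have it copied onto a target cluster, and nothing in these type definitions limits which secrets qualify. If target clusters are less trusted than the platform cluster, write access to this config amounts to read access to every secret in the provider namespace. The field comment should say so, and unless the controller (not visible in this section) already restricts it, the copy should be limited, for example to secrets carrying an opt-in label. The new exported `SecretsToCopy` type also has no doc comment; something like `// SecretsToCopy groups the secrets to copy by destination cluster.` would do. Separately, the XValidation message reads `chartName must be set if git is used as source` although the rule also applies to helm; `chartName must be set if git or helm is used as source` would match the rule.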

2 changes: 2 additions & 0 deletions api/dns/v1alpha1/constants.go
Expand Up @@ -8,4 +8,6 @@ const (
OperationAnnotation = "dns." + openmcpconst.OperationAnnotation

ExternalDNSFinalizerOnCluster = "platformservice." + openmcpconst.OpenMCPGroupName + "/dns"

ReasonTargetClusterInteractionProblem = "TargetClusterInteractionProblem"
)
35 changes: 31 additions & 4 deletions api/dns/v1alpha1/zz_generated.deepcopy.go
