✨ Add FrontProxy controller

README.md

@@ -29,3 +29,46 @@ $ kubectl apply -f ./config/samples/v1alpha1_rootshard.yaml
 ```
 
 kcp-operator will create the necessary resources to start a `Deployment` of a kcp root shard.
+
+## Architecture
+
+### Certificate Management
+
+The placeholders `$rootshard` and `$frontproxy` in the chart are used to denote the name of the corresponding operator resource.
+
+```mermaid
+graph TB
+    A([kcp-pki-bootstrap]):::issuer --> B(kcp-pki-ca):::ca
+    B --> C([$rootshard-ca]):::issuer
+
+    C --> D(kcp-etcd-client-ca):::ca
+    C --> E(kcp-etcd-peer-ca):::ca
+    C --> F($rootshard-fp-client-ca):::ca
+    C --> G($rootshard-server-ca):::ca
+    C --> H($rootshard-requestheaer-client-ca):::ca
+    C --> I($rootshard-client-ca):::ca
+    C --> J(kcp-service-account-ca):::ca
+
+    D --> K([kcp-etcd-client-issuer]):::issuer
+    E --> L([kcp-etcd-peer-issuer]):::issuer
+    F --> M([$rootshard-fp-client-ca]):::issuer
+    G --> N([$rootshard-server-ca]):::issuer
+    H --> O([$rootshard-requestheader-client-ca]):::issuer
+    I --> P([$rootshard-client-ca]):::issuer
+    J --> Q([kcp-service-account-issuer]):::issuer
+
+    K --- K1(kcp-etcd):::cert --> K2(kcp-etcd-client):::cert
+    L --> L1(kcp-etcd-peer):::cert
+    M --> M1($rootshard-$frontproxy-admin-kubeconfig):::cert
+    N --- N1(kcp):::cert --- N2($rootshard-$frontproxy-server):::cert --> N3(kcp-virtual-workspaces):::cert
+    O --- O1($rootshard-$frontproxy-requestheader):::cert --> O2("(kcp-front-proxy-vw-client)"):::cert
+    P --- P1($rootshard-$frontproxy-kubeconfig):::cert --> P2(kcp-internal-admin-kubeconfig):::cert
+    Q --> Q1(kcp-service-account):::cert
+
+    B --> R([$rootshard2-ca]):::issuer
+    R --> S(...):::ca
+
+    classDef issuer color:#77F
+    classDef ca color:#F77
+    classDef cert color:orange
+```

config/crd/bases/operator.kcp.io_frontproxies.yaml

@@ -14,7 +14,17 @@ spec:
     singular: frontproxy
   scope: Namespaced
   versions:
-  - name: v1alpha1
+  - additionalPrinterColumns:
+    - jsonPath: .spec.rootShard.ref.name
+      name: RootShard
+      type: string
+    - jsonPath: .status.phase
+      name: Phase
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
     schema:
       openAPIV3Schema:
         description: FrontProxy is the Schema for the frontproxies API
@@ -39,12 +49,36 @@ spec:
           spec:
             description: FrontProxySpec defines the desired state of FrontProxy.
             properties:
+              additionalPathMappings:
+                description: 'Optional: AdditionalPathMappings configures // TODO
+                  ?'
+                items:
+                  description: so we have to copy the struct type
+                  properties:
+                    backend:
+                      type: string
+                    backend_server_ca:
+                      type: string
+                    path:
+                      type: string
+                    proxy_client_cert:
+                      type: string
+                    proxy_client_key:
+                      type: string
+                  required:
+                  - backend
+                  - backend_server_ca
+                  - path
+                  - proxy_client_cert
+                  - proxy_client_key
+                  type: object
+                type: array
               auth:
                 description: 'Optional: Auth configures various aspects of Authentication
                   and Authorization for this front-proxy instance.'
                 properties:
                   oidc:
-                    description: 'Optional: OIDC configures OpenID Connect Authentication'
+                    description: 'Optional: OIDC configures OpenID Connect Authentication.'
                     properties:
                       clientID:
                         description: ClientID is the OIDC client ID configured on
@@ -86,6 +120,45 @@ spec:
                     - issuerURL
                     type: object
                 type: object
+              externalHostname:
+                description: 'Optional: ExternalHostname under which the FrontProxy
+                  can be reached. If empty, the RootShard''s external hostname will
+                  be used only.'
+                type: string
+              image:
+                description: 'Optional: Image defines the image to use. Defaults to
+                  the latest versioned image during the release of kcp-operator.'
+                properties:
+                  imagePullSecrets:
+                    description: 'Optional: ImagePullSecrets is a list of secret references
+                      that should be used as image pull secrets (e.g. when a private
+                      registry is used).'
+                    items:
+                      description: |-
+                        LocalObjectReference contains enough information to let you locate the
+                        referenced object inside the same namespace.
+                      properties:
+                        name:
+                          default: ""
+                          description: |-
+                            Name of the referent.
+                            This field is effectively required, but due to backwards compatibility is
+                            allowed to be empty. Instances of this type with an empty value here are
+                            almost certainly wrong.
+                            More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                          type: string
+                      type: object
+                      x-kubernetes-map-type: atomic
+                    type: array
+                  repository:
+                    description: Repository is the container image repository to use
+                      for KCP containers. Defaults to `ghcr.io/kcp-dev/kcp`.
+                    type: string
+                  tag:
+                    description: Tag is the container image tag to use for KCP containers.
+                      Defaults to the latest kcp release that the operator supports.
+                    type: string
+                type: object
               replicas:
                 description: 'Optional: Replicas configures the replica count for
                   the front-proxy Deployment.'
@@ -110,11 +183,82 @@ spec:
                     type: object
                     x-kubernetes-map-type: atomic
                 type: object
+              service:
+                description: 'Optional: Service configures the Kubernetes Service
+                  created for this front-proxy instance.'
+                properties:
+                  type:
+                    description: Service Type string describes ingress methods for
+                      a service
+                    type: string
+                type: object
             required:
             - rootShard
             type: object
           status:
             description: FrontProxyStatus defines the observed state of FrontProxy
+            properties:
+              conditions:
+                items:
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+              phase:
+                type: string
             type: object
         type: object
     served: true

config/manager/kustomization.yaml

@@ -1,2 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
 resources:
 - manager.yaml
+images:
+- name: controller
+  newName: ghcr.io/kcp-dev/kcp-operator

config/rbac/role.yaml

@@ -32,6 +32,7 @@ rules:
 - apiGroups:
   - ""
   resources:
+  - configmaps
   - secrets
   - services
   verbs:

config/samples/v1alpha1_frontproxy.yaml

@@ -6,4 +6,7 @@ metadata:
     app.kubernetes.io/managed-by: kustomize
   name: frontproxy-sample
 spec:
-  # TODO(user): Add fields here
+  rootShard:
+    ref:
+      name: shard-sample
+  externalHostname: kcp.example.com

config/samples/v1alpha1_kubeconfig.yaml

@@ -6,13 +6,14 @@ metadata:
     app.kubernetes.io/managed-by: kustomize
   name: kubeconfig-sample
 spec:
-  username: logical-cluster-admin
+  username: [email protected]
   groups:
-    - system:kcp:logical-cluster-admin
-    - system:masters
+    - kcp-users
   validity: 8766h
   secretRef:
     name: sample-kubeconfig
   target:
-    rootShardRef:
-      name: shard-sample
+    frontProxyRef:
+      name: frontproxy-sample
+    # rootShardRef:
+    #   name: shard-sample

go.mod

@@ -23,6 +23,7 @@ require (
 	sigs.k8s.io/controller-runtime v0.19.0
 	sigs.k8s.io/controller-tools v0.16.1
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1
+	sigs.k8s.io/yaml v1.4.0
 )
 
 require (
@@ -114,5 +115,4 @@ require (
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 // indirect
 	sigs.k8s.io/gateway-api v1.1.0 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
-	sigs.k8s.io/yaml v1.4.0 // indirect
 )