feat: implement ConfigurationPlan CRD and Reconciler #16

Open
Vaishnav88sk wants to merge 1 commit into reshaprio:main from Vaishnav88sk:feat/issue-13-configuration-plan

@Vaishnav88sk

Contributor

Description

This PR implements the ConfigurationPlan Custom Resource Definition and its Reconciler, addressing the GitOps tenant lifecycle management requirements outlined in #13.

Key Changes:

  • API Models (reshapr-kube-api): Introduced ConfigurationPlan, ConfigurationPlanSpec, ConfigurationPlanStatus, and OAuth2Spec following the GitOps framework.
  • Reconciler (reshapr-kube-operator): Implemented ConfigurationPlanReconciler which extends BaseReshaprReconciler to manage synchronization with the Reshapr control plane.
  • Control Plane Sync:
    • Resolves target Services via pagination.
    • Dynamically provisions remote Secret resources (Type: ENDPOINT) when oauth2 credentials are provided in the CRD.
    • Generates the ConfigurationPlan on the remote platform, tracking the backendSecretId and generating API keys natively.

Verification Logs

Verified locally using Quarkus dev mode. The operator successfully parses the CRD, registers the Reconciler, intercepts the new resource, and initiates the authentication flow:

Operator Initialization:

[INFO] Generating 'configurationplans.reshapr.io' version 'v1alpha1' with io.reshapr.kubernetes.api.configurationplan.v1alpha1.ConfigurationPlan...
[INFO] [io.quarkiverse.operatorsdk.deployment.QuarkusControllerConfigurationBuildStep] Processed 'io.reshapr.kubernetes.operator.ConfigurationPlanReconciler' reconciler named 'configurationplanreconciler' for 'configurationplans.reshapr.io' resource (version 'reshapr.io/v1alpha1')
2026-06-25 23:35:50,659 INFO  [io.reshapr.kubernetes.operator.auth.ReshaprApiClientFactory] (ReconcilerExecutor-configurationplanreconciler-102) Creating authenticated API client for instance=reshapr-ctrl.reshapr-system, organization=acme-corp
2026-06-25 23:35:50,660 DEBUG [io.reshapr.kubernetes.operator.auth.ServiceAccountTokenProvider] (ReconcilerExecutor-configurationplanreconciler-102) Reading projected SA token from '/var/run/secrets/reshapr/serviceaccount/token'
2026-06-25 23:35:50,661 ERROR [io.reshapr.kubernetes.operator.BaseReshaprReconciler] (ReconcilerExecutor-configurationplanreconciler-102) Authentication failed for resource default/github-graphql-plan targeting instance=reshapr-ctrl.reshapr-system, organization=acme-corp

(Note: Authentication failure is expected during local execution outside the cluster since the projected service account token volume is absent).

Note to Maintainers (@lbroudoux):

  • In the OpenAPI specification for ConfigurationPlan, the backendEndpoint property is marked as @Nonnull, but it was omitted in the Issue #13 design draft. I have added backendEndpoint to the CRD Spec to prevent null reference errors during serialization.
  • OAuth2Spec currently maps to OAuth2ClientConfiguration. Required fields like authorizationEndpoint and tokenEndpoint have been defaulted to empty strings during creation if not explicitly provided.

Fixes #13

Signed-off-by: Vaishnav88sk <vaishnavsk8804@gmail.com>
Vaishnav88sk requested a review from lbroudoux as a code owner June 25, 2026 18:11

@lbroudoux

Member

That's pretty fast! Have you been able to test it out from end to end? Because I haven't published any documentation yet on how to deploy it, how to configure the Reshapr control plane to allow Kubernetes service account authentication and so on ...

@Vaishnav88sk

Contributor Author

> That's pretty fast! Have you been able to test it out from end to end? Because I haven't published any documentation yet on how to deploy it, how to configure the Reshapr control plane to allow Kubernetes service account authentication and so on ...

Haha! Actually started coding when we discussed earlier..

I haven't been able to test the full end-to-end flow against a secured Reshapr control plane yet.

I've only tested the operator-side logic locally using Quarkus dev mode. I applied a dummy CRD to verify that the Operator SDK correctly parses the new ConfigurationPlan models, triggers the Reconciler, and initiates the API client factory logic.

The reason I couldn't test the full flow is twofold:

  1. Missing SA Tokens Locally: Because I was running the operator locally (and not deployed inside a real Kubernetes Pod), the projected service account token volume (/var/run/secrets/reshapr/serviceaccount/token) isn't present, so the ReshaprApiClientFactory intentionally fails authentication.
  2. Missing Control Plane Setup: As you mentioned, without documentation on how to configure the Reshapr control plane to trust a local Kubernetes OIDC issuer, I wasn't able to spin up a local control plane to authenticate against.
  3. My system constraints 🥲

Because I can't do end-to-end testing locally, this isn't a finalized PR. I think you might be much better equipped to test it with your system setup! And regarding the deployment docs, I just set it up following the normal standard processes.
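
The projected service account token volume discussed in the comment above, as an added example (not part of the thread and not the project's own manifest): a Deployment fragment that mounts a short-lived, audience-bound token at the path the operator reads. The Deployment name, labels, container name and `audience` value are assumptions; the namespace, service account, image reference and mount path come from the thread.

```yaml
# Added example: not the manifest linked in this thread.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: reshapr-operator              # assumed name
  namespace: reshapr-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: reshapr-operator           # assumed label
  template:
    metadata:
      labels:
        app: reshapr-operator         # assumed label
    spec:
      # Identity the control plane has to be configured to trust.
      serviceAccountName: reshapr-operator
      containers:
        - name: operator              # assumed container name
          image: quay.io/lbroudoux/reshapr-operator:nightly
          volumeMounts:
            - name: reshapr-sa-token
              # Directory holding the 'token' file seen in the operator logs.
              mountPath: /var/run/secrets/reshapr/serviceaccount
              readOnly: true
      volumes:
        - name: reshapr-sa-token
          projected:
            sources:
              - serviceAccountToken:
                  path: token
                  # Binds the token to one relying party, so it is not
                  # accepted as a Kubernetes API credential elsewhere.
                  audience: reshapr-control-plane   # assumed value
                  # Short lifetime; the kubelet refreshes the file in place.
                  expirationSeconds: 3600
```

Because the kubelet rotates the projected token before it expires, a client should re-read the file when it authenticates rather than cache the value for the life of the process.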

@lbroudoux

lbroudoux commented Jun 26, 2026

Member

Here is, for information, how I am testing things locally:

  • Running on Minikube with Ingress controller and ingress support
  • Installing a Reshapr control plane with the dedicated Helm chart on reshapr-system
  • Enabling the reshapr-system/reshapr-operator service account using this script after having adapted url and token
  • Installing the operator using this Yaml to reshapr-system after having adapted the image reference to one I own
  • Building everything locally and then running docker build -f src/main/docker/Dockerfile.jvm -t quay.io/lbroudoux/reshapr-operator:nightly . && docker push quay.io/lbroudoux/reshapr-operator:nightly
  • Starting/scaling the operator
  • Pushing or deleting sample CR like this one

@Vaishnav88sk

Contributor Author

Ahhh, thanks for it. I actually did it by a simple process. But I'll validate this with the given flow. This is how I'm learning deeper things 😉. Will need some time for this and then I'll update here.
