Feat: add new providers for config wf definitions

[roguepikachu]

Description

Add config management workflow step definitions (create-config, read-config, list-config, delete-config) to the standalone workflow controller, synced from the KubeVela repository. These definitions previously referenced the vela/op provider but had no backing Go implementation — they were broken stubs.

What this PR adds

1. New-style config provider (vela/config) — registered as a separate CUE internal package with $params/$returns dispatch pattern. Helm chart definitions use this style.

2. Legacy config provider (vela/op) — registered under the shared op namespace for backward compatibility with legacy-style definitions using op.#CreateConfig, op.#ReadConfig, etc.

3. ConfigFactory interface (pkg/config/types.go) — abstraction for config CRUD operations with nil-guard in WithRuntimeParams to preserve upstream-injected factories (used by KubeVela integration).

4. K8sFactory implementation (pkg/config/k8s_factory.go) — Kubernetes-backed factory storing configs as Secrets with config.oam.dev/catalog: velacore-config labels. Supports CUE template rendering, 3-way merge patch for updates, and output object lifecycle management.

5. Legacy provider key collision fix — renamed legacy config provider keys from read/list/delete to read-config/list-config/delete-config to avoid silent overwrite by kube provider in the flat op namespace.

---

Checklist

• Read and followed KubeVela's contribution guidelines
• Updated kubevela.io documentation (if applicable)
• Run make reviewable to ensure this PR is ready for review
• Added backport release-x.y labels to auto-backport this PR if necessary

---

How has this code been tested

Detailed documentation and testing results can be found here - Config Sync Implementation: KubeVela to Workflow

End-to-end tested on a k3d cluster (k3s v1.31.5, darwin/arm64) with custom-built controller image.

Environment setup:

k3d cluster create config-test --wait
docker buildx build --platform linux/arm64 -t vela-workflow:config-test --load .
k3d image import vela-workflow:config-test -c config-test
helm upgrade --install vela-workflow ./charts/vela-workflow -n vela-system \
  --create-namespace \
  --set image.repository=vela-workflow \
  --set image.tag=config-test \
  --set image.pullPolicy=Never \
  --wait

Test Suite A — New-style definitions (vela/config provider)

Test	Result
create-config → verify Secret created with correct labels + data	✅
read-config → succeeds on existing config	✅
list-config → returns empty list for unmatched template filter	✅
delete-config → succeeds, Secret removed from cluster	✅
Full CRUD pipeline (create → read → delete in single WorkflowRun)	✅

Test Suite B — Legacy-style definitions (vela/op provider)

Test	Result
create-config → verify Secret created with correct data	✅
read-config → succeeds (was nil-pointer panic before collision fix)	✅
list-config → succeeds	✅
delete-config → succeeds, Secret removed	✅
Full CRUD pipeline (create → read → delete in single WorkflowRun)	✅

Test Suite C — Edge cases

Test	Result
Read/delete non-existent config → appropriate errors	✅
Create with empty config {} → succeeds	✅
Update existing config → v2 data replaces v1	✅
Special characters (URLs, passwords, JSON, newlines) → preserved	✅
Namespace defaulting → uses context.namespace	✅
Kube read-object → unaffected by key rename	✅
Controller logs → zero panics	✅

19/19 tests passed.

---

Special notes for reviewer

1. Legacy provider key collision (bug fix)

The legacy config and kube providers both registered read, list, delete in the flat op namespace. Since kube was registered last in pkg/providers/legacy/legacy.go, it silently overwrote config's functions — causing op.#ReadConfig to dispatch to kube.Read and panic.

Fix: Renamed config's keys to create-config, read-config, list-config, delete-config.

KubeVela has the same collision but it doesn't surface because KubeVela uses the new-style vela/config provider exclusively.

2. Nil-guard in WithRuntimeParams

The if params.ConfigFactory != nil check at pkg/providers/types/types.go:176 preserves any ConfigFactory already in context (set by KubeVela's generator.go). In standalone mode, the controller sets it via context.WithValue.

3. K8sFactory scope

K8sFactory is a simplified standalone implementation. KubeVela's full kubeConfigFactory has additional features (Nacos sync, config distribution, Terraform integration) not needed here. KubeVela will inject its own factory via a thin adapter when using this library.

---

Summary by cubic

Adds a new config management provider (vela/config) with CRUD, CUE template rendering, and a Kubernetes Secret–backed factory. Charts switch to the new provider, the controller injects the factory, legacy key collisions are fixed, and example workflows are added for both new and legacy styles.

• New Features

  • Registered vela/config as an internal CUE package with $params/$returns; charts now import it, add a Config Management category, and default namespace to context.namespace.
  • Added K8sFactory that stores configs as Secrets with catalog/type/scope labels, enforces sensitivity, preserves alias/description, supports template refs as "ns/name" (default ns: vela-system), and performs 3‑way merge updates; the controller injects the factory.
  • Enabled CUE templates from ConfigMaps with validation via template.validation.$returns and template.outputs; output objects are applied and cleaned up.
  • Implemented provider functions (create/read/list/delete) with tests for new and legacy paths.
  • Added example WorkflowRuns for both new (examples/workflow-run/config/new-config-crud.yaml) and legacy (examples/workflow-run/config/legacy-config-crud.yaml) CRUD flows.

• Bug Fixes

  • Renamed legacy op keys to create-config/read-config/list-config/delete-config to avoid collisions with kube ops.
  • Fixed CI by renaming ConfigItem to Item and updating tests for the new keys.

^{Written for commit 48b5818. Summary will update on new commits.}

[codecov]

Codecov Report

❌ Patch coverage is 39.84962% with 240 lines in your changes missing coverage. Please review.
✅ Project coverage is 67.60%. Comparing base (d7db9c4) to head (48b5818).
⚠️ Report is 10 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/config/k8s_factory.go	19.75%	180 Missing and 15 partials ⚠️
pkg/providers/legacy/config/config.go	55.71%	27 Missing and 4 partials ⚠️
pkg/providers/config/config.go	84.61%	6 Missing and 6 partials ⚠️
pkg/providers/types/types.go	50.00%	1 Missing and 1 partial ⚠️

❌ Your patch status has failed because the patch coverage (39.84%) is below the target coverage (70.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #225      +/-   ##
==========================================
+ Coverage   62.49%   67.60%   +5.11%     
==========================================
  Files          62       65       +3     
  Lines        4415     5408     +993     
==========================================
+ Hits         2759     3656     +897     
- Misses       1324     1366      +42     
- Partials      332      386      +54     

Flag	Coverage Δ
e2etests	21.34% <24.81%> (?)
unit-test	61.61% <28.82%> (-0.88%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[cubic-dev-ai]

1 issue found across 16 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="pkg/config/k8s_factory.go">

<violation number="1" location="pkg/config/k8s_factory.go:353">
P2: CreateOrUpdateConfig updates the Secret and applies new output objects but never deletes output objects removed from the previous Secret’s objects-reference list, leaving orphaned resources after config updates.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}