Providers bootstrap APIs#612
Open
gman0 wants to merge 6 commits intoplatform-mesh:mainfrom
Open
Conversation
…s.platform-mesh.io default binding
* Implements first iteration of ManagedProvider and Provider APIs. * Adds a new Providers operator * Adds feature-enable-provider-manager On-behalf-of: @SAP robert.vasek@sap.com Signed-off-by: Robert Vasek <robert.vasek@clyso.com>
gman0
moved this from In Progress
to In-Review
in Platform Mesh & Kube Projects - Backlog
gman0
commented
May 7, 2026
Comment on lines
+112
to
+122
| // Ensure Role. | ||
| role := &rbacv1.Role{ObjectMeta: metav1.ObjectMeta{Name: roleName, Namespace: providerSANamespace}} | ||
| if _, err := controllerutil.CreateOrUpdate(ctx, cl, role, func() error { | ||
| role.Rules = []rbacv1.PolicyRule{ | ||
| // TODO: define exact permission claims required by the provider. ManagedProvider.Spec.PermissionClaims? | ||
| { // Until we figure this out. 🤩 | ||
| APIGroups: []string{"*"}, | ||
| Resources: []string{"*"}, | ||
| Verbs: []string{"*"}, | ||
| }, | ||
| } |
Author
There was a problem hiding this comment.
Probably needs API change? We need to decide what exactly will that look like, and then follow up with more PRs.
gman0
commented
May 7, 2026
Comment on lines
+138
to
+149
| // Ensure a static long-lived SA token Secret. | ||
| tokenSecret := &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: tokenSecretName, Namespace: providerSANamespace}} | ||
| if _, err := controllerutil.CreateOrUpdate(ctx, cl, tokenSecret, func() error { | ||
| tokenSecret.Type = corev1.SecretTypeServiceAccountToken | ||
| if tokenSecret.Annotations == nil { | ||
| tokenSecret.Annotations = map[string]string{} | ||
| } | ||
| tokenSecret.Annotations[corev1.ServiceAccountNameKey] = saName | ||
| return nil | ||
| }); err != nil { | ||
| return subroutines.OK(), gcerrors.Wrap(err, "create or update token Secret %s", tokenSecretName) | ||
| } |
Author
There was a problem hiding this comment.
We aim for OIDC, as per RFC. Will follow up in future PRs.
gman0
commented
May 7, 2026
Comment on lines
+136
to
+149
| - cmd: | | ||
| # Prepare manifests for apigen. | ||
| mkdir -p {{.CRD_DIRECTORY}}/apigen/{crd,out} | ||
| cp {{.CRD_DIRECTORY}}/providers.platform-mesh.io_providers.yaml {{.CRD_DIRECTORY}}/apigen/crd | ||
| # Run apigen and move the output files to their respective dirs. | ||
| {{.LOCAL_BIN}}/apigen --input-dir {{.CRD_DIRECTORY}}/apigen/crd --output-dir {{.CRD_DIRECTORY}}/apigen/out | ||
| mv {{.CRD_DIRECTORY}}/apigen/out/apiexport-providers.platform-mesh.io.yaml ./manifests/features/feature-enable-provider-manager/01-platform-mesh-system | ||
| mv {{.CRD_DIRECTORY}}/apigen/out/apiresourceschema-providers.providers.platform-mesh.io.yaml ./manifests/features/feature-enable-provider-manager/01-platform-mesh-system | ||
| # Merge permission claims into the generated Providers APIExport. | ||
| yq -i '. *= load("./manifests/features/feature-enable-provider-manager/permission-claims-patch.yamlpatch")' \ | ||
| ./manifests/features/feature-enable-provider-manager/01-platform-mesh-system/apiexport-providers.platform-mesh.io.yaml | ||
| # Cleanup. | ||
| [ -d {{.CRD_DIRECTORY}} ] && rm -rf {{.CRD_DIRECTORY}}/apigen || exit 1 | ||
| ignore_error: false |
Author
There was a problem hiding this comment.
Poor man's way to generate the APIExport + perm claims. Is there some established pattern across PM org to do this? Should apigen support that?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR is a first iteration for https://github.com/platform-mesh/architecture/blob/main/rfc/006_provider-bootstrap-operator.md
It ensures the ManagedProvider Reconciliation Flow (see RFC) with caveats -- i.e. TODOs:
*RBACs for provider's SAThese (and more) will be amended in follow ups.