kube-bind v2: slim-core konnector#561
Closed
mjudeikis wants to merge 18 commits into
Conversation
Contributor
Author
I get this is a HUGE PR. Plan is to ease this in, so make sure to review the APIs; everything else we can swap later if we think it's wrong.
Contributor
Pull request overview
This PR introduces the kube-bind v2 “slim core” proof-of-concept: a new core.kube-bind.io/v1alpha1 API (Connection/ClusterBinding/Binding) plus a consumer-side “konnector” sync engine (with CRD delivery, binding-driven sync, related-resource sync, OpenAPI synthesis support, and a Helm chart + CI wiring).
Changes:
- Adds new v2 Go modules (v2/sdk, v2/konnector) with the slim-core API types, generated CRDs, and the konnector engine/binary.
- Implements core behaviors (Connection discovery/schema policy, binding reconciliation + cleanup, sync engine, OpenAPI-based CRD synthesis, related Secrets/ConfigMaps).
- Adds deployment packaging (Dockerfile + Helm chart) and CI/release workflows for v2 (tests + image build/release).
Reviewed changes
Copilot reviewed 64 out of 66 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| v2/sdk/go.mod | Introduces the v2 SDK module dependencies. |
| v2/sdk/config/crd/core.kube-bind.io_connections.yaml | Adds generated CRD manifest for Connection. |
| v2/sdk/config/crd/core.kube-bind.io_clusterbindings.yaml | Adds generated CRD manifest for ClusterBinding. |
| v2/sdk/config/crd/core.kube-bind.io_bindings.yaml | Adds generated CRD manifest for Binding. |
| v2/sdk/apis/core/v1alpha1/zz_generated.deepcopy.go | Adds controller-gen deep-copy implementations for v2 core types. |
| v2/sdk/apis/core/v1alpha1/shared_types.go | Adds shared type definitions (refs, policies, related resource selectors). |
| v2/sdk/apis/core/v1alpha1/labels.go | Defines v2 labels/annotations/finalizers used by the konnector. |
| v2/sdk/apis/core/v1alpha1/helpers.go | Adds helpers (BindingAccessor, ConnectionStatus.ExportsAPI). |
| v2/sdk/apis/core/v1alpha1/groupversion_info.go | Registers v2 core types into a scheme. |
| v2/sdk/apis/core/v1alpha1/doc.go | Package docs + kubebuilder markers for the v2 core API group. |
| v2/sdk/apis/core/v1alpha1/connection_types.go | Defines the Connection API, schema policy, and status fields. |
| v2/sdk/apis/core/v1alpha1/conditions.go | Defines v2 condition types/reasons shared across core kinds. |
| v2/sdk/apis/core/v1alpha1/clusterbinding_types.go | Defines ClusterBinding type and shared BindingStatus. |
| v2/sdk/apis/core/v1alpha1/binding_types.go | Defines namespaced Binding type. |
| v2/README.md | Documents v2 layout, behaviors, build/deploy/test/demo usage. |
| v2/Makefile | Adds v2 build/codegen/test/image/demo targets. |
| v2/konnector/test/e2e/schema_source_test.go | E2E coverage for OpenAPI schema source + kcp-like identity path. |
| v2/konnector/test/e2e/related_resources_test.go | E2E coverage for related Secret/ConfigMap syncing + GC. |
| v2/konnector/test/e2e/policies_test.go | E2E coverage for policy knobs (orphan, updatePolicy, autoBind, pullPolicy, RBAC denial). |
| v2/konnector/test/e2e/disengage_test.go | E2E coverage for stop-on-disengage and re-engage lifecycle. |
| v2/konnector/go.mod | Introduces the v2 konnector module dependencies + local replace to sdk. |
| v2/konnector/engine/sync/resolve.go | Adds binding→API resolution helper used by the syncer gate. |
| v2/konnector/engine/remote/remote.go | Resolves provider kubeconfig + cluster identity (kcp LogicalCluster vs kube-system). |
| v2/konnector/engine/remote/remote_test.go | Unit tests for provider identity selection behavior. |
| v2/konnector/engine/provider/connection_provider.go | Implements multicluster-runtime provider: engage/disengage per ready Connection. |
| v2/konnector/engine/openapi/openapi.go | Synthesizes CRDs from discovery + OpenAPI v3 for CRD-less providers. |
| v2/konnector/engine/mapper/mapper.go | Adds Mapper extension seam and Identity implementation. |
| v2/konnector/engine/mapper/mapper_test.go | Unit tests for mapper round-trip contract. |
| v2/konnector/engine/crdpull/crdpull.go | Implements CRD pull/install/update + schema hash stamping. |
| v2/konnector/engine/crdpull/crdpull_test.go | Unit tests for CRD pull policies and update behavior. |
| v2/konnector/engine/binding/related.go | Implements related Secret/ConfigMap syncing + GC. |
| v2/konnector/engine/binding/reconciler.go | Binding reconcilers (ClusterBinding/Binding) + CRD pull + conflict counting + related sync. |
| v2/konnector/engine/binding/cleanup.go | Binding cleanup (finalizers, provider copy deletion, CRD removal, related cleanup). |
| v2/konnector/Dockerfile | Distroless multi-stage image build for v2 konnector. |
| v2/konnector/deploy/charts/konnector/values.yaml | Helm values for v2 konnector chart (RBAC, HA, ports, etc). |
| v2/konnector/deploy/charts/konnector/templates/serviceaccount.yaml | Helm ServiceAccount template. |
| v2/konnector/deploy/charts/konnector/templates/rolebinding.yaml | Helm RoleBinding template for leader election. |
| v2/konnector/deploy/charts/konnector/templates/role.yaml | Helm Role template for leader election + events. |
| v2/konnector/deploy/charts/konnector/templates/NOTES.txt | Helm post-install notes and HA warning. |
| v2/konnector/deploy/charts/konnector/templates/deployment.yaml | Helm Deployment template for konnector. |
| v2/konnector/deploy/charts/konnector/templates/crds.yaml | Helm CRD installation wiring from bundled CRDs. |
| v2/konnector/deploy/charts/konnector/templates/clusterrolebinding.yaml | Helm ClusterRoleBinding template. |
| v2/konnector/deploy/charts/konnector/templates/clusterrole.yaml | Helm ClusterRole template (core CRDs, CRDs, secrets, events, bound API groups). |
| v2/konnector/deploy/charts/konnector/templates/_helpers.tpl | Helm helper templates (names/labels/leaderElect logic). |
| v2/konnector/deploy/charts/konnector/files/crds/core.kube-bind.io_connections.yaml | Bundled CRD for Connection in the Helm chart. |
| v2/konnector/deploy/charts/konnector/files/crds/core.kube-bind.io_clusterbindings.yaml | Bundled CRD for ClusterBinding in the Helm chart. |
| v2/konnector/deploy/charts/konnector/files/crds/core.kube-bind.io_bindings.yaml | Bundled CRD for Binding in the Helm chart. |
| v2/konnector/deploy/charts/konnector/Chart.yaml | Helm chart metadata for v2 konnector. |
| v2/konnector/deploy/charts/konnector/.helmignore | Helm packaging ignore patterns. |
| v2/konnector/config/samples/widget.yaml | Sample consumer instance manifest. |
| v2/konnector/config/samples/provider-widget-crd.yaml | Sample provider-exported CRD manifest. |
| v2/konnector/config/samples/binding.yaml | Sample one-apply bundle (Connection + ClusterBinding). |
| v2/konnector/cmd/konnector/main.go | v2 konnector main: manager + reconcilers + health/metrics + leader election. |
| v2/hack/demo.sh | Kind-based demo wiring for provider+consumer and sample bundle. |
| docs/proposals/v2-extended.md | Adds proposal doc for optional extended v2 backend/CLI/UI layer. |
| .github/workflows/image-konnector-v2.yaml | Adds tag-triggered v2 konnector image publish workflow. |
| .github/workflows/ci.yaml | Adds v2 test job + v2 multi-arch image build verification job. |
| .github/workflows/ci-docs-only.yaml | Adds v2-test no-op entry for docs-only CI. |
Comment on lines +130 to +145
| // ConnectionStatus is the observed state of a Connection. | ||
| type ConnectionStatus struct { | ||
| // remoteClusterUID is the identity of the provider cluster, pinned on first | ||
| // connect and immutable thereafter. A Secret later pointing at a different | ||
| // cluster is rejected rather than silently re-homing synced objects. | ||
| // | ||
| // +optional | ||
| // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="remoteClusterUID is immutable" | ||
| RemoteClusterUID string `json:"remoteClusterUID,omitempty"` | ||
|
|
||
| // localClusterUID is the identity of the consumer cluster, pinned on first | ||
| // connect and immutable thereafter. | ||
| // | ||
| // +optional | ||
| // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="localClusterUID is immutable" | ||
| LocalClusterUID string `json:"localClusterUID,omitempty"` |
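Review bot: the `self == oldSelf` transition rule on `RemoteClusterUID` (and on `LocalClusterUID`) does not by itself make the pin immutable, because both fields are optional with `omitempty`: the API server only evaluates a transition rule when the field is present in both the old and the new object, so a status update that omits `remoteClusterUID` clears it and the next update may set a different UID, which is exactly the silent re-homing the comment says is rejected. Suggest adding a struct-level rule on `ConnectionStatus` next to these, e.g. `+kubebuilder:validation:XValidation:rule="!has(oldSelf.remoteClusterUID) || has(self.remoteClusterUID)",message="remoteClusterUID cannot be unset"` (and the same for `localClusterUID`), and covering the clear-then-reset sequence in an envtest case.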
Comment on lines +114 to +121
| crd := &apiextensionsv1.CustomResourceDefinition{} | ||
| if err := b.client.Get(ctx, client.ObjectKey{Name: api.Name}, crd); err != nil { | ||
| if apierrors.IsNotFound(err) { | ||
| notExported = append(notExported, api.Name) | ||
| continue | ||
| } | ||
| return fmt.Errorf("getting synthesized CRD %q: %w", api.Name, err) | ||
| } |
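Review bot: `b.client.Get` looks the CRD up by `api.Name` alone, so any CRD with that name is accepted as the synthesized one, including one a cluster admin or another tool installed under the same group/resource before the konnector ran. Since the crdpull package stamps a schema hash on CRDs it installs, check for that marker (or the konnector's own label) here before treating the CRD as exported, and surface a mismatch instead of silently reusing a foreign schema. The `IsNotFound` branch into `notExported` reads fine; consider also distinguishing `apierrors.IsForbidden`, because an RBAC denial currently comes back as the generic "getting synthesized CRD" error and the policies e2e in this PR exercises the RBAC-denial path.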
Comment on lines +48 to +75
| func ResolveConnection(ctx context.Context, c client.Client, crdName, namespace string) (Resolution, error) { | ||
| var cbs corev1alpha1.ClusterBindingList | ||
| if err := c.List(ctx, &cbs); err != nil { | ||
| return Resolution{}, err | ||
| } | ||
| for i := range cbs.Items { | ||
| cb := &cbs.Items[i] | ||
| // A binding being deleted is no longer a valid sync source — this gates | ||
| // the syncer off during unbind so it doesn't re-add finalizers or | ||
| // re-create provider copies while cleanup runs. | ||
| if cb.DeletionTimestamp != nil { | ||
| continue | ||
| } | ||
| if listsAPI(cb.Spec.APIs, crdName) { | ||
| return Resolution{ | ||
| Found: true, | ||
| Ready: apimeta.IsStatusConditionTrue(cb.Status.Conditions, corev1alpha1.ConditionReady), | ||
| ConnectionName: cb.Spec.ConnectionRef.Name, | ||
| ConflictPolicy: cb.Spec.ConflictPolicy, | ||
| }, nil | ||
| } | ||
| } | ||
|
|
||
| if namespace != "" { | ||
| var bs corev1alpha1.BindingList | ||
| if err := c.List(ctx, &bs, client.InNamespace(namespace)); err != nil { | ||
| return Resolution{}, err | ||
| } |
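Review bot: the ClusterBinding loop returns on the first item whose `Spec.APIs` lists `crdName`, so when two ClusterBindings claim the same CRD the winner is whichever the List yields first (name order) and they may reference different Connections; since `ConnectionName` decides which provider receives the consumer's spec, suggest collecting all matches and reporting ambiguity (an error, or a condition on the bindings) rather than picking one silently. Also, the `DeletionTimestamp` gate is only visible in the ClusterBinding loop; make sure the namespaced `Binding` loop that starts at `client.InNamespace(namespace)` applies the same check, otherwise the unbind race the comment describes comes back for namespaced bindings.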
| * Status: **DRAFT — for iteration** | ||
| * Authors: @mjudeikis | ||
| * Date: 2026-06-10 | ||
| * Builds on: [v2-slim-core.md](v2-slim-core.md) (Proposed)) |
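Review bot: unbalanced parenthesis in `[v2-slim-core.md](v2-slim-core.md) (Proposed))`; drop the extra `)` so it reads `(Proposed)`.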
Summary
There is a lot. I would recommend reviewing the API more than the actual code. Everything else we can change, improve, or update.
/kind feature
/kind api-change
Core
One-apply, order-independent binding (Secret + Connection + bindings); level-triggered, kubectl delete -f order-don't-care via finalizers
Identity sync — spec consumer→provider (SSA), status provider→consumer; event-driven via engaged-cluster cache watch
Schema delivery: source: CRD | OpenAPI | Auto (+ pullPolicy/updatePolicy); OpenAPI synthesis supports CRD-less/kcp providers
First-class conflicts (conflictPolicy: Fail|Adopt, ownership markers, Event + conflictCount)
Related-resource sync (Secrets/ConfigMaps), Lease heartbeat, kcp-aware cluster identity
Lifecycle: stop-on-disengage (tear down syncers when a Connection loses readiness; rebuild on re-engage)
Mapper extension seam (Identity in-tree; out-of-tree key mapping via WithMapper)
Productionization
Leader election + health probes; distroless multi-arch Dockerfile; Helm chart (RBAC/HA/CRDs)
CI / release
v2-test job (build/vet/unit + envtest e2e) and v2-image-build job (multi-arch build, no push); lint/verify already cover v2 via GOMODS
Separate v2 release workflow on konnector/v2* tags → publishes ghcr.io//konnector: (no latest); v1 infra untouched
Out of scope (documented): conversion-webhook CRDs not yet refused; provider-namespace cleanup on unbind; OpenAPI fidelity best-effort; relatedResources not Mapper-routed.
What Type of PR Is This?
Related Issue(s)
Fixes #
Release Notes
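The conflict handling the PR description summarises (conflictPolicy: Fail|Adopt, ownership markers, conflictCount), as an added stand-alone Go example that is not the kube-bind konnector's code: it models the decision a reconciler has to make when the provider-side copy of a consumer object already exists. The marker annotation keys, the `Owner`/`ProviderObject` types and the `Decide` function are assumptions for illustration only; the konnector's real labels and annotations are defined in v2/sdk/apis/core/v1alpha1/labels.go.

```go
package main

import (
	"errors"
	"fmt"
)

// ConflictPolicy mirrors the two policies named in the PR description.
type ConflictPolicy string

const (
	ConflictFail  ConflictPolicy = "Fail"
	ConflictAdopt ConflictPolicy = "Adopt"
)

// Ownership marker keys are hypothetical stand-ins for this example; the
// konnector's real labels/annotations live in v2/sdk/apis/core/v1alpha1/labels.go.
const (
	OwnerClusterKey = "example.kube-bind.io/owner-cluster-uid"
	OwnerObjectKey  = "example.kube-bind.io/owner-object"
)

// Action is what the reconciler should do with the provider-side copy.
type Action string

const (
	ActionCreate Action = "Create" // no provider copy yet
	ActionUpdate Action = "Update" // provider copy carries our markers
	ActionAdopt  Action = "Adopt"  // foreign or unmarked copy taken over (Adopt policy)
	ActionFail   Action = "Fail"   // foreign or unmarked copy left alone (Fail policy)
)

// Owner identifies the consumer object that claims a provider copy.
type Owner struct {
	ClusterUID string // consumer cluster identity (the pinned localClusterUID)
	ObjectKey  string // namespace/name on the consumer side
}

// ProviderObject is a minimal model of the provider-side object.
type ProviderObject struct {
	Exists      bool
	Annotations map[string]string
}

// Decision is the reconciler outcome plus the updated conflict counter.
type Decision struct {
	Action        Action
	ConflictCount int
	Reason        string
}

// Markers returns the ownership annotations to stamp on a provider copy.
func Markers(o Owner) map[string]string {
	return map[string]string{OwnerClusterKey: o.ClusterUID, OwnerObjectKey: o.ObjectKey}
}

// ownedBy reports whether the provider copy carries exactly our markers.
// A nil annotation map yields "" for both keys, so an unmarked object is foreign.
func ownedBy(p ProviderObject, o Owner) bool {
	return p.Annotations[OwnerClusterKey] == o.ClusterUID && p.Annotations[OwnerObjectKey] == o.ObjectKey
}

// Decide applies the conflict policy. A provider copy that is missing markers
// or carries someone else's is a conflict: conflictCount is incremented (a real
// reconciler would also emit an Event) and the policy selects Adopt or Fail.
func Decide(p ProviderObject, o Owner, policy ConflictPolicy, conflictCount int) (Decision, error) {
	if !p.Exists {
		return Decision{Action: ActionCreate, ConflictCount: conflictCount}, nil
	}
	if ownedBy(p, o) {
		return Decision{Action: ActionUpdate, ConflictCount: conflictCount}, nil
	}
	reason := fmt.Sprintf("provider copy owned by cluster %q object %q, not %q/%q",
		p.Annotations[OwnerClusterKey], p.Annotations[OwnerObjectKey], o.ClusterUID, o.ObjectKey)
	switch policy {
	case ConflictAdopt:
		return Decision{Action: ActionAdopt, ConflictCount: conflictCount + 1, Reason: reason}, nil
	case ConflictFail:
		return Decision{Action: ActionFail, ConflictCount: conflictCount + 1, Reason: reason}, nil
	default:
		return Decision{}, errors.New("unknown conflictPolicy " + string(policy))
	}
}

func main() {
	// Constructed sample: our consumer object meets a copy stamped by another consumer cluster.
	me := Owner{ClusterUID: "consumer-aaa", ObjectKey: "team-a/widget-1"}
	foreign := ProviderObject{Exists: true, Annotations: Markers(Owner{ClusterUID: "consumer-bbb", ObjectKey: "team-b/widget-1"})}
	for _, pol := range []ConflictPolicy{ConflictFail, ConflictAdopt} {
		d, err := Decide(foreign, me, pol, 0)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s -> %s (conflictCount=%d): %s\n", pol, d.Action, d.ConflictCount, d.Reason)
	}
}
```

The point worth keeping from the model: an unmarked object is treated the same as one marked by a different consumer, so Adopt is the only policy that ever overwrites an object the konnector did not create, and every such takeover is counted.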