krateoplatformops/composition-dynamic-controller

Composition Dynamic Controller

The composition-dynamic-controller is an operator that is instantiated by the core-provider to manage the Custom Resources whose Custom Resource Definition is generated by the core-provider.

Summary

Architecture

composition-dynamic-controller architecture

Workflow

composition-dynamic-controller State Diagram

Composition Dynamic Controller (CDC) & Chart Inspector: Secure Helm Lifecycle Management

The Composition Dynamic Controller (CDC) is a specialized Kubernetes operator that orchestrates the end-to-end lifecycle of Krateo compositions. Acting as the reconciliation engine for Composition custom resources, it bridges declarative application definitions with Helm’s packaging system through intelligent automation. The Chart Inspector serves as its "safety advisor," enabling proactive decision-making via dry-run analysis.

Core CDC Workflow (with Chart Inspector Integration)

  1. Reconciliation Trigger

    • Watches for changes to Composition CRs or Helm chart versions.
    • Invokes the Chart Inspector to simulate installations/upgrades before execution.
  2. Dry-Run Analysis Phase (Chart Inspector)

    helm install --dry-run=server <chart> --version <ver>  # Returns:
    • Resource Manifest List: All Kubernetes objects (Deployments, CRDs, etc.) the chart would create along with filename to .
    • Dependency Graph: Order of operations (e.g., CRDs before custom resources).
  3. RBAC Auto-Provisioning (CDC)

    • Dynamically generates least-privilege Roles/ClusterRoles based on the Inspector’s output.
    • Ensures the CDC’s service account has exactly the permissions needed—no more, no less.
  4. Atomic Execution (CDC)

    • Proceeds with helm install/upgrade only after successful dry-run and RBAC setup.

Key Capabilities Enabled by This Collaboration

| Feature | CDC’s Role | Chart Inspector’s Contribution |
|---|---|---|
| Version-Sensitive Reconciliation | Detects chart version drift; rolls forward/back. | Identifies version-specific resource changes during dry-run. |
| Atomic Upgrades | Ensures all-or-nothing upgrades. | Pre-flights resource compatibility (e.g., CRD schema changes). |
| Self-Healing | Corrects configuration drift. | Provides baseline "desired state" for comparison. |
| Declarative Enforcement | Continuously reconciles actual vs. desired state. | Supplies the desired state before cluster changes. |
| Secure RBAC | Generates minimal required permissions. | Audits chart manifests for required API operations. |

Why This Architecture Matters

  1. Safety Net

    • The Chart Inspector’s dry-run prevents "helm surprises" (e.g., undeclared CRD creations or namespace pollution).
    • Example: Blocks a chart upgrade if the new version requires a ClusterRole the CDC isn’t authorized to manage.
  2. GitOps Compliance

    • The CDC enforces declarative intent by reconciling against the dry-run’s output, not just Helm’s last-applied state.
    • Self-healing kicks in if manual changes violate the composition’s definition.
  3. Multi-Tenancy Ready

    • RBAC is scoped per-composition, isolating teams/projects.
    • The Inspector’s resource listing ensures no cross-tenant leakage (e.g., a composition can’t create resources in forbidden namespaces).

Real-World Example: Handling a Breaking Chart Change

  1. Scenario: A Helm chart v1.2.0 introduces a new CustomResourceDefinition (CRD).
  2. CDC+Inspector Flow:
    • Dry-run detects the new CRD and its required API group permissions.
    • CDC creates a ClusterRole granting create/get/list for the CRD.
    • Upgrade proceeds only after the CRD and RBAC are confirmed active.
  3. Result: Zero downtime; no "helm upgrade failed: CRD missing" errors.
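
The RBAC auto-provisioning step and the per-composition namespace scoping described above, sketched in Go as an added example (not the CDC's or the Chart Inspector's own code): it turns a dry-run resource list into one rule set per namespace plus one cluster-scoped set, and rejects a chart that renders into a namespace outside an allow-list. The `Object` and `Rule` types, `DeriveRules`, the allow-list and the `team-a` namespace are assumptions made for illustration; the verbs passed in `main` are the create/get/list from the CRD example.

```go
package main

import (
	"fmt"
	"sort"
)

// Object is one dry-run list entry (assumed shape, not the Inspector's real format).
type Object struct{ Group, Resource, Namespace string } // Namespace "" = cluster-scoped

// Rule carries the fields of an RBAC PolicyRule that matter here.
type Rule struct {
	Group     string
	Resources []string
	Verbs     []string
}

// DeriveRules returns one rule set per scope: key "" is for a ClusterRole, any other
// key for a Role in that namespace. Namespaces outside the allow-list fail closed.
func DeriveRules(objs []Object, allowed map[string]bool, verbs []string) (map[string][]Rule, error) {
	grouped := map[[2]string][]string{} // {scope, API group} -> resources
	seen := map[Object]bool{}
	for _, o := range objs {
		if o.Namespace != "" && !allowed[o.Namespace] {
			return nil, fmt.Errorf("%s/%s targets forbidden namespace %q", o.Group, o.Resource, o.Namespace)
		}
		if seen[o] {
			continue // several objects of one kind need only one grant
		}
		seen[o] = true
		k := [2]string{o.Namespace, o.Group}
		grouped[k] = append(grouped[k], o.Resource)
	}
	out := map[string][]Rule{}
	for k, res := range grouped {
		sort.Strings(res)
		out[k[0]] = append(out[k[0]], Rule{Group: k[1], Resources: res, Verbs: verbs})
	}
	for _, rules := range out {
		sort.Slice(rules, func(i, j int) bool { return rules[i].Group < rules[j].Group })
	}
	return out, nil
}

func main() { // constructed sample: what a dry-run of a small chart might list
	objs := []Object{{"apps", "deployments", "team-a"}, {"", "services", "team-a"},
		{"apiextensions.k8s.io", "customresourcedefinitions", ""}}
	fmt.Println(DeriveRules(objs, map[string]bool{"team-a": true}, []string{"create", "get", "list"}))
}
```

Nothing is granted for API groups or namespaces the dry-run did not list, so a chart version that starts rendering a new kind shows up as a new rule before the upgrade runs.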

Configuration

Operator Env Vars

These environment variables can be changed in the Deployment of the composition-dynamic-controller that we need to tweak.

| Name | Description | Default Value | Notes |
|---|---|---|---|
| COMPOSITION_CONTROLLER_DEBUG | dump verbose output | false | |
| COMPOSITION_CONTROLLER_WORKERS | number of workers | 1 | |
| COMPOSITION_CONTROLLER_RESYNC_INTERVAL | resync interval | 3m | |
| COMPOSITION_CONTROLLER_GROUP | resource api group | | populated by core-provider |
| COMPOSITION_CONTROLLER_VERSION | resource api version | | populated by core-provider |
| COMPOSITION_CONTROLLER_RESOURCE | resource plural name | | populated by core-provider |
| COMPOSITION_CONTROLLER_SA_NAME | cdc deployment ServiceAccount name | | populated by core-provider |
| COMPOSITION_CONTROLLER_SA_NAMESPACE | cdc deployment ServiceAccount namespace | | populated by core-provider |
| URL_PLURALS | url to krateo pluraliser service | http://snowplow.krateo-system.svc.cluster.local:8081/api-info/names | |
| URL_CHART_INSPECTOR | url to chart inspector | http://chart-inspector.krateo-system.svc.cluster.local:8081/ | |
| KRATEO_NAMESPACE | namespace where krateo is installed | krateo-system | |
| HELM_REGISTRY_CONFIG_PATH | default helm config path | /tmp | |
| HELM_MAX_HISTORY | Max Helm History | 10 | |
| COMPOSITION_MAX_ERROR_RETRY_INTERVAL | The maximum interval between retries when an error occurs. This should be less than half of the poll interval. | 0m | |
| COMPOSITION_MIN_ERROR_RETRY_INTERVAL | The minimum interval between retries when an error occurs. This should be less than max-error-retry-interval. | 1m | |
