feat: remote portal

Signed-off-by: David Sabatie <david.sabatie@notrenet.com>

Author: golgoth31

CLAUDE.md

@@ -185,15 +185,32 @@ type PortalSpec struct {
     Title   string `json:"title"`              // Display title
     Main    bool   `json:"main,omitempty"`     // Default portal flag
     SubPath string `json:"subPath,omitempty"`  // URL subpath (defaults to name)
+    URL     string `json:"url,omitempty"`      // Remote portal URL (cannot be set if Main=true)
 }
 
 // Status
 type PortalStatus struct {
     Ready      bool
     Conditions []metav1.Condition
+    RemoteSync *RemoteSyncStatus  // Only populated when URL is set
+}
+
+// RemoteSyncStatus contains status for remote portal synchronization
+type RemoteSyncStatus struct {
+    LastSyncTime  *metav1.Time  // Last successful sync timestamp
+    LastSyncError string        // Error from last failed sync (empty if success)
+    RemoteTitle   string        // Title fetched from remote portal
+    FQDNCount     int           // Number of FQDNs fetched from remote
 }
 ```
 
+**Remote Portal Feature:**
+- When `spec.url` is set, the Portal fetches DNS data from a remote SRE Portal instance
+- The main portal (`spec.main=true`) cannot have a URL (validated by webhook)
+- Remote portals are excluded from local source collection (SourceController)
+- PortalReconciler periodically syncs with remote portals (every 5 minutes)
+- Remote portal status includes sync time, error state, and FQDN count
+
 ## Controller Pattern: Chain of Responsibility
 
 All controllers use a generic Chain-of-Responsibility framework defined in `internal/reconciler/handler.go`:

Makefile

@@ -138,6 +138,10 @@ generate-all: manifests generate proto ## Generate all code (CRDs, DeepCopy, pro
 run: manifests generate fmt vet generate-certs ## Run a controller from your host.
 	go run ./cmd/main.go -zap-devel --webhook-cert-path=$(CERTSDIR) --config=./config/samples/test_config.yaml
 
+.PHONY: run2
+run2: manifests generate fmt vet generate-certs2 ## Run a controller from your host.
+	go run ./cmd/main.go -zap-devel --web-bind-address=:8082 --health-probe-bind-address=:9091 --webhook-port=9444 --webhook-cert-path=$(CERTSDIR) --config=./config/samples/test_config.yaml
+
 # If you wish to build the manager image targeting other platforms you can use the --platform flag.
 # (i.e. docker build --platform linux/arm64). However, you must enable docker buildKit for it.
 # More info: https://docs.docker.com/develop/develop-images/build_enhancements/
@@ -304,3 +308,10 @@ generate-certs: ## Generates the certs required to run webhooks locally
 	cd $(CERTSDIR) && \
 		openssl genrsa 2048 > tls.key && \
 		openssl req -new -x509 -nodes -sha256 -days 365 -key tls.key -out tls.crt -subj "/C=XX"
+
+.PHONY: generate-certs2
+generate-certs2: ## Generates the certs required to run webhooks locally
+	mkdir -p $(CERTSDIR)
+	cd $(CERTSDIR) && \
+		openssl genrsa 2048 > tls.key2 && \
+		openssl req -new -x509 -nodes -sha256 -days 365 -key tls.key2 -out tls.crt2 -subj "/C=XX"

api/v1alpha1/dns_types.go

@@ -86,8 +86,8 @@ type FQDNGroupStatus struct {
 	// +optional
 	Description string `json:"description,omitempty"`
 
-	// source indicates where this group came from (manual or external-dns)
-	// +kubebuilder:validation:Enum=manual;external-dns
+	// source indicates where this group came from (manual, external-dns, or remote)
+	// +kubebuilder:validation:Enum=manual;external-dns;remote
 	Source string `json:"source"`
 
 	// fqdns is the list of FQDNs in this group

api/v1alpha1/portal_types.go

@@ -34,6 +34,26 @@ type PortalSpec struct {
 	// subPath is the URL subpath for this portal (defaults to metadata.name)
 	// +optional
 	SubPath string `json:"subPath,omitempty"`
+
+	// remote configures this portal to fetch data from a remote SRE Portal instance.
+	// When set, the operator will fetch DNS information from the remote portal
+	// instead of collecting data from the local cluster.
+	// This field cannot be set when main is true.
+	// +optional
+	Remote *RemotePortalSpec `json:"remote,omitempty"`
+}
+
+// RemotePortalSpec defines the configuration for fetching data from a remote portal.
+type RemotePortalSpec struct {
+	// url is the base URL of the remote SRE Portal instance.
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Pattern=`^https?://.*`
+	URL string `json:"url"`
+
+	// portal is the name of the portal to target on the remote instance.
+	// If not set, the main portal of the remote instance will be used.
+	// +optional
+	Portal string `json:"portal,omitempty"`
 }
 
 // PortalStatus defines the observed state of Portal.
@@ -47,13 +67,39 @@ type PortalStatus struct {
 	// +listMapKey=type
 	// +optional
 	Conditions []metav1.Condition `json:"conditions,omitempty"`
+
+	// remoteSync contains the status of synchronization with a remote portal.
+	// This is only populated when spec.remote is set.
+	// +optional
+	RemoteSync *RemoteSyncStatus `json:"remoteSync,omitempty"`
+}
+
+// RemoteSyncStatus contains status information about remote portal synchronization.
+type RemoteSyncStatus struct {
+	// lastSyncTime is the timestamp of the last successful synchronization.
+	// +optional
+	LastSyncTime *metav1.Time `json:"lastSyncTime,omitempty"`
+
+	// lastSyncError contains the error message from the last failed synchronization attempt.
+	// Empty if the last sync was successful.
+	// +optional
+	LastSyncError string `json:"lastSyncError,omitempty"`
+
+	// remoteTitle is the title of the remote portal as fetched from the remote server.
+	// +optional
+	RemoteTitle string `json:"remoteTitle,omitempty"`
+
+	// fqdnCount is the number of FQDNs fetched from the remote portal.
+	// +optional
+	FQDNCount int `json:"fqdnCount,omitempty"`
 }
 
 // +kubebuilder:object:root=true
 // +kubebuilder:subresource:status
 // +kubebuilder:resource:path=portals,scope=Namespaced
 // +kubebuilder:printcolumn:name="Title",type=string,JSONPath=`.spec.title`
 // +kubebuilder:printcolumn:name="Main",type=boolean,JSONPath=`.spec.main`
+// +kubebuilder:printcolumn:name="Remote URL",type=string,JSONPath=`.spec.remote.url`,priority=1
 // +kubebuilder:printcolumn:name="Ready",type=boolean,JSONPath=`.status.ready`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 

api/v1alpha1/zz_generated.deepcopy.go

@@ -85,12 +85,14 @@ func main() {
 		"Path to the operator configuration file.")
 	flag.StringVar(&portalNamespace, "portal-namespace", "sreportal-system",
 		"The namespace where the main portal will be auto-created.")
-	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
+	flag.StringVar(&probeAddr, "health-probe-bind-address", ":9090", "The address the probe endpoint binds to.")
 	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
 		"Enable leader election for controller manager. "+
 			"Enabling this will ensure there is only one active controller manager.")
 	flag.BoolVar(&secureMetrics, "metrics-secure", true,
 		"If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
+	var webhookPort int
+	flag.IntVar(&webhookPort, "webhook-port", 9443, "The port the webhook server binds to.")
 	flag.StringVar(&webhookCertPath, "webhook-cert-path", "", "The directory that contains the webhook certificate.")
 	flag.StringVar(&webhookCertName, "webhook-cert-name", "tls.crt", "The name of the webhook certificate file.")
 	flag.StringVar(&webhookCertKey, "webhook-cert-key", "tls.key", "The name of the webhook key file.")
@@ -135,6 +137,7 @@ func main() {
 	webhookTLSOpts := tlsOpts
 	webhookServerOptions := webhook.Options{
 		TLSOpts: webhookTLSOpts,
+		Port:    webhookPort,
 	}
 
 	if len(webhookCertPath) > 0 {
@@ -277,6 +280,10 @@ func main() {
 			setupLog.Error(err, "unable to create webhook", "webhook", "DNS")
 			os.Exit(1)
 		}
+		if err := webhookv1alpha1.SetupPortalWebhookWithManager(mgr); err != nil {
+			setupLog.Error(err, "unable to create webhook", "webhook", "Portal")
+			os.Exit(1)
+		}
 	}
 	if err := controller.NewPortalReconciler(
 		mgr.GetClient(),
@@ -289,6 +296,7 @@ func main() {
 	// Add runnable to ensure main portal exists at startup
 	if err := mgr.Add(portalctrl.NewEnsureMainPortalRunnable(
 		mgr.GetClient(),
+		mgr.GetCache(),
 		portalNamespace,
 	)); err != nil {
 		setupLog.Error(err, "unable to add main portal ensure runnable")

cmd/main.go

@@ -191,11 +191,12 @@ spec:
                       description: name is the group name
                       type: string
                     source:
-                      description: source indicates where this group came from (manual
-                        or external-dns)
+                      description: source indicates where this group came from (manual,
+                        external-dns, or remote)
                       enum:
                       - manual
                       - external-dns
+                      - remote
                       type: string
                   required:
                   - name

config/crd/bases/sreportal.my.domain_dns.yaml

@@ -21,6 +21,10 @@ spec:
     - jsonPath: .spec.main
       name: Main
       type: boolean
+    - jsonPath: .spec.remote.url
+      name: Remote URL
+      priority: 1
+      type: string
     - jsonPath: .status.ready
       name: Ready
       type: boolean
@@ -56,6 +60,25 @@ spec:
                 description: main marks this portal as the default portal for unmatched
                   FQDNs
                 type: boolean
+              remote:
+                description: |-
+                  remote configures this portal to fetch data from a remote SRE Portal instance.
+                  When set, the operator will fetch DNS information from the remote portal
+                  instead of collecting data from the local cluster.
+                  This field cannot be set when main is true.
+                properties:
+                  portal:
+                    description: |-
+                      portal is the name of the portal to target on the remote instance.
+                      If not set, the main portal of the remote instance will be used.
+                    type: string
+                  url:
+                    description: url is the base URL of the remote SRE Portal instance.
+                    pattern: ^https?://.*
+                    type: string
+                required:
+                - url
+                type: object
               subPath:
                 description: subPath is the URL subpath for this portal (defaults
                   to metadata.name)
@@ -134,6 +157,30 @@ spec:
               ready:
                 description: ready indicates if the portal is fully configured
                 type: boolean
+              remoteSync:
+                description: |-
+                  remoteSync contains the status of synchronization with a remote portal.
+                  This is only populated when spec.remote is set.
+                properties:
+                  fqdnCount:
+                    description: fqdnCount is the number of FQDNs fetched from the
+                      remote portal.
+                    type: integer
+                  lastSyncError:
+                    description: |-
+                      lastSyncError contains the error message from the last failed synchronization attempt.
+                      Empty if the last sync was successful.
+                    type: string
+                  lastSyncTime:
+                    description: lastSyncTime is the timestamp of the last successful
+                      synchronization.
+                    format: date-time
+                    type: string
+                  remoteTitle:
+                    description: remoteTitle is the title of the remote portal as
+                      fetched from the remote server.
+                    type: string
+                type: object
             type: object
         required:
         - spec