Service provider Kyverno manages the lifecycle of Kyverno instances in a managed ControlPlane.
- Create a new repository based on this template.
- Execute the template to create a new
ServiceProvider. - Test your
ServiceProvider.
The template includes a basic code generation command that lets you create a ServiceProvider for your Go module, API kind and group.
You can also choose to add sample code to get a fully functional ServiceProvider.
For a complete usage overview with the default settings, run:
go run ./cmd/template -hThen execute the template, for example:
go run ./cmd/template -module github.com/yourorg/yourrepo -kind YourKind -group yourgroupRunning End-to-End tests:
task test-e2eThe template generator (cmd/template) supports the following flags:
-module: Go module path (default:github.com/openmcp-project/service-provider-template)-kind: GVK kind name (default:FooService)-group: GVK group prefix, will be suffixed withservices.openmcp.cloud(default:foo)-v: Generate with sample code (default:false)-w: Generate a service provider that reconciles itsDomainServiceAPIon the WorkloadCluster (default:false)
The generated service provider supports the following runtime flags:
--verbosity: Logging verbosity level (see controller-runtime logging)--environment: Name of the environment (required for operation)--provider-name: Name of the provider resource (required for operation)--metrics-bind-address: Address for the metrics endpoint (default:0, use:8443for HTTPS or:8080for HTTP)--health-probe-bind-address: Address for health probe endpoint (default::8081)--leader-elect: Enable leader election for controller manager (default:false)--metrics-secure: Serve metrics endpoint securely via HTTPS (default:true)--enable-http2: Enable HTTP/2 for metrics and webhook servers (default:false)
For a complete list of available flags, run the generated binary with -h or --help.
| Criterion | Status | Notes |
|---|---|---|
| Deletion behaviour | ❌ | The delete case is still work-in-progress. A finalizer ensures the Service Provider managed resources like Flux' OCIRepository and HelmRelease are cleaned-up. But there is no behaviour that ensures deletion is blocked if custom resources (e.g. Kyverno' ClusterPolicy objects) in a ControlPlane still exist. |
| Status reporting & error messages | ✅ | |
| Operation annotations | openmcp.cloud/operation: ignore is processed by opencontrolplane-runtime. openmcp.cloud/operation: reconcile is not processed. |
|
| API stability policy | ✅ | |
| Custom CA support | ❌ | Custom CA bundle propagation to Kyverno components is not implemented. |
| Release artifacts (image + OCM) | ✅ | |
| Testing | ✅ | |
| Ownership and maintenance docs | ✅ |
See the OpenControlPlane Quality Criteria for definitions.
This project is open to feature requests/suggestions, bug reports etc. via GitHub issues. Contribution and feedback are encouraged and always welcome. For more information about how to contribute, the project structure, as well as additional contribution information, see our Contribution Guidelines.
If you find any bug that may be a security problem, please follow our instructions at in our security policy on how to report it. Please do not create GitHub issues for security-related doubts or problems.
We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone. By participating in this project, you agree to abide by its Code of Conduct at all times.
Copyright OpenControlPlane contributors. Please see our LICENSE for copyright and license information. Detailed information including third-party components and their licensing/copyright information is available via the REUSE tool.
OpenControlPlane is part of ApeiroRA, an EU Important Project of Common European Interest (IPCEI-CIS).
Copyright Linux Foundation Europe. For web site terms of use, trademark policy and other project policies please see https://linuxfoundation.eu/en/policies.