NVIDIA-472: csr approval

Author: linoyaslan

api/v1alpha1/dpfhcpprovisioner_types.go

@@ -178,6 +178,9 @@ const (
 	// HostedClusterCleanup indicates the status of HostedCluster deletion during finalizer cleanup.
 	HostedClusterCleanup string = "HostedClusterCleanup"
 
+	// CSRAutoApprovalActive indicates whether CSR auto-approval is active and watching for CSRs
+	CSRAutoApprovalActive string = "CSRAutoApprovalActive"
+
 	// Validation conditions.
 
 	// SecretsValid indicates whether required secrets (pull secret, SSH key) are valid.
@@ -224,6 +227,19 @@ const (
 	ReasonKubeConfigInjectionFailed string = "InjectionFailed"
 )
 
+// Condition reasons for DPFHCPProvisioner CSRAutoApprovalActive status.
+// These are used as the Reason field in the CSRAutoApprovalActive condition.
+const (
+	// ReasonCSRApprovalActive indicates CSR auto-approval is actively processing CSRs
+	ReasonCSRApprovalActive string = "Active"
+
+	// ReasonKubeconfigNotAvailable indicates the kubeconfig is not available
+	ReasonKubeconfigNotAvailable string = "KubeconfigNotAvailable"
+
+	// ReasonHostedClusterNotReachable indicates the hosted cluster is not reachable
+	ReasonHostedClusterNotReachable string = "HostedClusterNotReachable"
+)
+
 // DPFHCPProvisionerStatus defines the observed state of DPFHCPProvisioner
 type DPFHCPProvisionerStatus struct {
 	// Phase represents the current lifecycle phase

cmd/main.go

@@ -42,6 +42,7 @@ import (
 	provisioningv1alpha1 "github.com/rh-ecosystem-edge/dpf-hcp-provisioner-operator/api/v1alpha1"
 	"github.com/rh-ecosystem-edge/dpf-hcp-provisioner-operator/internal/controller"
 	"github.com/rh-ecosystem-edge/dpf-hcp-provisioner-operator/internal/controller/bluefield"
+	"github.com/rh-ecosystem-edge/dpf-hcp-provisioner-operator/internal/controller/csrapproval"
 	"github.com/rh-ecosystem-edge/dpf-hcp-provisioner-operator/internal/controller/dpucluster"
 	"github.com/rh-ecosystem-edge/dpf-hcp-provisioner-operator/internal/controller/finalizer"
 	"github.com/rh-ecosystem-edge/dpf-hcp-provisioner-operator/internal/controller/hostedcluster"
@@ -233,6 +234,9 @@ func main() {
 	// Initialize Kubeconfig Injector
 	kubeconfigInjector := kubeconfiginjection.NewKubeconfigInjector(mgr.GetClient(), mgr.GetEventRecorderFor("dpfhcpprovisioner-controller"))
 
+	// Initialize CSR Approver
+	csrApprover := csrapproval.NewCSRApprover(mgr.GetClient(), mgr.GetEventRecorderFor("dpfhcpprovisioner-controller"))
+
 	// Initialize Finalizer Manager with pluggable cleanup handlers
 	// Handlers are executed in registration order
 	finalizerManager := finalizer.NewManager(mgr.GetClient(), mgr.GetEventRecorderFor("dpfhcpprovisioner-controller"))
@@ -259,6 +263,7 @@ func main() {
 		FinalizerManager:     finalizerManager,
 		StatusSyncer:         statusSyncer,
 		KubeconfigInjector:   kubeconfigInjector,
+		CSRApprover:          csrApprover,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "DPFHCPProvisioner")
 		os.Exit(1)

config/rbac/role.yaml

@@ -109,3 +109,11 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - provisioning.dpu.nvidia.com
+  resources:
+  - dpus
+  verbs:
+  - get
+  - list
+  - watch

helm/dpf-hcp-provisioner-operator/templates/clusterrole.yaml

@@ -113,6 +113,16 @@ rules:
   - update
   - watch
 
+# DPU permissions (for CSR validation against DPU objects)
+- apiGroups:
+  - provisioning.dpu.nvidia.com
+  resources:
+  - dpus
+  verbs:
+  - get
+  - list
+  - watch
+
 # HyperShift HostedCluster and NodePool permissions
 - apiGroups:
   - hypershift.openshift.io

internal/controller/csrapproval/client.go

@@ -0,0 +1,138 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package csrapproval
+
+import (
+	"context"
+	"fmt"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/clientcmd"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+// ClientManager manages hosted cluster client lifecycle
+type ClientManager struct {
+	mgmtClient client.Client
+	// hcClients caches Kubernetes clientsets for hosted clusters to avoid recreating them on every reconciliation.
+	// Each DPFHCPProvisioner creates a hosted cluster with its own API server. This map stores one clientset
+	// per hosted cluster (keyed by "namespace/name") to reuse connections and avoid expensive client creation
+	// (parsing kubeconfig, establishing TCP connections) every 30 seconds during CSR polling.
+	// Without this cache, we would create 120+ clients per hour per hosted cluster.
+	hcClients map[string]*kubernetes.Clientset
+}
+
+// NewClientManager creates a new client manager
+func NewClientManager(mgmtClient client.Client) *ClientManager {
+	return &ClientManager{
+		mgmtClient: mgmtClient,
+		hcClients:  make(map[string]*kubernetes.Clientset),
+	}
+}
+
+// GetHostedClusterClient retrieves or creates a client for the hosted cluster
+func (cm *ClientManager) GetHostedClusterClient(ctx context.Context, namespace, name string) (*kubernetes.Clientset, error) {
+	key := namespace + "/" + name
+
+	// Return cached client if it exists
+	if clientset, ok := cm.hcClients[key]; ok {
+		return clientset, nil
+	}
+
+	// Create new client
+	clientset, err := cm.createHostedClusterClient(ctx, namespace, name)
+	if err != nil {
+		return nil, err
+	}
+
+	// Cache the client
+	cm.hcClients[key] = clientset
+
+	return clientset, nil
+}
+
+// InvalidateClient removes a cached client (useful when kubeconfig rotates)
+func (cm *ClientManager) InvalidateClient(namespace, name string) {
+	key := namespace + "/" + name
+	delete(cm.hcClients, key)
+}
+
+// createHostedClusterClient creates a Kubernetes client for the hosted cluster
+func (cm *ClientManager) createHostedClusterClient(ctx context.Context, namespace, name string) (*kubernetes.Clientset, error) {
+	// Fetch kubeconfig secret
+	kubeconfigData, err := cm.getKubeconfigData(ctx, namespace, name)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get kubeconfig: %w", err)
+	}
+
+	// Create REST config from kubeconfig
+	config, err := clientcmd.RESTConfigFromKubeConfig(kubeconfigData)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create rest config from kubeconfig: %w", err)
+	}
+
+	// Set reasonable timeouts
+	config.Timeout = 0 // No timeout for long-lived connections (watches)
+	config.QPS = 5
+	config.Burst = 10
+
+	// Create clientset
+	clientset, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create clientset: %w", err)
+	}
+
+	return clientset, nil
+}
+
+// getKubeconfigData retrieves the kubeconfig data from the admin secret
+func (cm *ClientManager) getKubeconfigData(ctx context.Context, namespace, name string) ([]byte, error) {
+	// The kubeconfig secret name follows HyperShift convention: <hostedcluster-name>-admin-kubeconfig
+	secretName := name + "-admin-kubeconfig"
+
+	secret := &corev1.Secret{}
+	secretKey := types.NamespacedName{
+		Namespace: namespace,
+		Name:      secretName,
+	}
+
+	if err := cm.mgmtClient.Get(ctx, secretKey, secret); err != nil {
+		return nil, fmt.Errorf("failed to get kubeconfig secret %s: %w", secretKey, err)
+	}
+
+	kubeconfigData, ok := secret.Data["kubeconfig"]
+	if !ok {
+		return nil, fmt.Errorf("kubeconfig key not found in secret %s", secretKey)
+	}
+
+	if len(kubeconfigData) == 0 {
+		return nil, fmt.Errorf("kubeconfig data is empty in secret %s", secretKey)
+	}
+
+	return kubeconfigData, nil
+}
+
+// TestConnection verifies the hosted cluster client can connect to the API server
+func TestConnection(ctx context.Context, clientset *kubernetes.Clientset) error {
+	_, err := clientset.Discovery().ServerVersion()
+	if err != nil {
+		return fmt.Errorf("failed to connect to hosted cluster API server: %w", err)
+	}
+	return nil
+}