rewrite CRD discovery to use openapi instead

On-behalf-of: @SAP [email protected]

Author: xrstf

cmd/crd-puller/main.go

@@ -0,0 +1,81 @@
+/*
+Copyright 2025 The KCP Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"log"
+
+	"github.com/spf13/pflag"
+
+	"github.com/kcp-dev/api-syncagent/internal/discovery"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/tools/clientcmd"
+	"sigs.k8s.io/yaml"
+)
+
+var (
+	kubeconfigPath string
+)
+
+func main() {
+	ctx := context.Background()
+
+	pflag.StringVar(&kubeconfigPath, "kubeconfig", "", "Path to the kubeconfig file to use (defaults to $KUBECONFIG)")
+	pflag.Parse()
+
+	if pflag.NArg() == 0 {
+		log.Fatal("No argument given. Please specify a GVK in the form 'Kind.version.apigroup.com' to pull.")
+	}
+
+	gvk, _ := schema.ParseKindArg(pflag.Arg(0))
+	if gvk == nil {
+		log.Fatal("Invalid GVK, please use the format 'Kind.version.apigroup.com'.")
+	}
+
+	loadingRules := clientcmd.NewDefaultClientConfigLoadingRules()
+	loadingRules.ExplicitPath = kubeconfigPath
+
+	startingConfig, err := loadingRules.GetStartingConfig()
+	if err != nil {
+		log.Fatalf("Failed to load Kubernetes configuration: %v.", err)
+	}
+
+	config, err := clientcmd.NewDefaultClientConfig(*startingConfig, nil).ClientConfig()
+	if err != nil {
+		log.Fatalf("Failed to load Kubernetes configuration: %v.", err)
+	}
+
+	discoveryClient, err := discovery.NewClient(config)
+	if err != nil {
+		log.Fatalf("Failed to create discovery client: %v.", err)
+	}
+
+	crd, err := discoveryClient.RetrieveCRD(ctx, *gvk)
+	if err != nil {
+		log.Fatalf("Failed to pull CRD: %v.", err)
+	}
+
+	enc, err := yaml.Marshal(crd)
+	if err != nil {
+		log.Fatalf("Failed to encode CRD as YAML: %v.", err)
+	}
+
+	fmt.Println(string(enc))
+}

internal/controller/apiresourceschema/controller.go

@@ -23,7 +23,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"reflect"
-	"slices"
 	"strings"
 
 	"github.com/kcp-dev/logicalcluster/v3"
@@ -41,6 +40,7 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/record"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
 	ctrlruntimeclient "sigs.k8s.io/controller-runtime/pkg/client"
@@ -58,6 +58,7 @@ const (
 type Reconciler struct {
 	localClient   ctrlruntimeclient.Client
 	kcpClient     ctrlruntimeclient.Client
+	restConfig    *rest.Config
 	log           *zap.SugaredLogger
 	recorder      record.EventRecorder
 	lcName        logicalcluster.Name
@@ -79,6 +80,7 @@ func Add(
 	reconciler := &Reconciler{
 		localClient:   mgr.GetClient(),
 		kcpClient:     kcpCluster.GetClient(),
+		restConfig:    mgr.GetConfig(),
 		lcName:        lcName,
 		log:           log.Named(ControllerName),
 		recorder:      mgr.GetEventRecorderFor(ControllerName),
@@ -127,7 +129,12 @@ func (r *Reconciler) reconcile(ctx context.Context, log *zap.SugaredLogger, pubR
 	// find the resource that the PublishedResource is referring to
 	localGVK := projection.PublishedResourceSourceGVK(pubResource)
 
-	crd, err := discovery.NewClient(r.localClient).DiscoverResourceType(ctx, localGVK.GroupKind())
+	client, err := discovery.NewClient(r.restConfig)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create discovery client: %w", err)
+	}
+
+	crd, err := client.RetrieveCRD(ctx, localGVK)
 	if err != nil {
 		return nil, fmt.Errorf("failed to discover resource defined in PublishedResource: %w", err)
 	}
@@ -203,21 +210,9 @@ func (r *Reconciler) applyProjection(apiGroup string, crd *apiextensionsv1.Custo
 	result := crd.DeepCopy()
 	result.Spec.Group = apiGroup
 
-	// At this moment we ignore every non-selected version in the CRD, as we have not fully
-	// decided on how to support the API version lifecycle yet. Having multiple versions in
-	// the CRD will make kcp require a `conversion` to also be configured. Since we cannot
-	// enforce that and want to instead work with existing CRDs as best as we can, we chose
-	// this option (instead of error'ing out if a conversion is missing).
-	result.Spec.Conversion = nil
-	result.Spec.Versions = slices.DeleteFunc(result.Spec.Versions, func(v apiextensionsv1.CustomResourceDefinitionVersion) bool {
-		return v.Name != pr.Spec.Resource.Version
-	})
-
-	if len(result.Spec.Versions) != 1 {
-		// This should never happen because of checks earlier in the reconciler.
-		return nil, fmt.Errorf("invalid CRD: cannot find selected version %q", pr.Spec.Resource.Version)
-	}
-
+	// Currently CRDs generated by our discovery mechanism already set these to true, but that's just
+	// because it doesn't care to set them correctly; we keep this code here because from here on,
+	// in kcp, we definitely want them to be true.
 	result.Spec.Versions[0].Served = true
 	result.Spec.Versions[0].Storage = true
 

internal/controller/sync/controller.go

@@ -90,7 +90,7 @@ func Create(
 	remoteDummy.SetGroupVersionKind(remoteGVK)
 
 	// find the local CRD so we know the actual local object scope
-	localCRD, err := discoveryClient.DiscoverResourceType(ctx, localGVK.GroupKind())
+	localCRD, err := discoveryClient.RetrieveCRD(ctx, localGVK)
 	if err != nil {
 		return nil, fmt.Errorf("failed to find local CRD: %w", err)
 	}

internal/controller/syncmanager/controller.go

@@ -98,6 +98,11 @@ func Add(
 	stateNamespace string,
 	agentName string,
 ) error {
+	discoveryClient, err := discovery.NewClient(localManager.GetConfig())
+	if err != nil {
+		return fmt.Errorf("failed to create discovery client: %w", err)
+	}
+
 	reconciler := &Reconciler{
 		ctx:             ctx,
 		localManager:    localManager,
@@ -107,13 +112,13 @@ func Add(
 		log:             log,
 		recorder:        localManager.GetEventRecorderFor(ControllerName),
 		syncWorkers:     map[string]lifecycle.Controller{},
-		discoveryClient: discovery.NewClient(localManager.GetClient()),
+		discoveryClient: discoveryClient,
 		prFilter:        prFilter,
 		stateNamespace:  stateNamespace,
 		agentName:       agentName,
 	}
 
-	_, err := builder.ControllerManagedBy(localManager).
+	_, err = builder.ControllerManagedBy(localManager).
 		Named(ControllerName).
 		WithOptions(controller.Options{
 			// this controller is meant to control others, so we only want 1 thread

internal/discovery/client.go

@@ -19,39 +19,154 @@ package discovery
 import (
 	"context"
 	"fmt"
+	"strings"
 
+	"github.com/kcp-dev/kcp/pkg/crdpuller"
+
+	"k8s.io/apiextensions-apiserver/pkg/apihelpers"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
-	ctrlruntimeclient "sigs.k8s.io/controller-runtime/pkg/client"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apiserver/pkg/endpoints/openapi"
+	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/rest"
+	"k8s.io/kube-openapi/pkg/util/proto"
 )
 
 type Client struct {
-	kubeClient ctrlruntimeclient.Reader
+	discoveryClient discovery.DiscoveryInterface
 }
 
-func NewClient(kubeClient ctrlruntimeclient.Client) *Client {
-	return &Client{
-		kubeClient: kubeClient,
+func NewClient(config *rest.Config) (*Client, error) {
+	discoveryClient, err := discovery.NewDiscoveryClientForConfig(config)
+	if err != nil {
+		return nil, err
 	}
+
+	return &Client{
+		discoveryClient: discoveryClient,
+	}, nil
 }
 
-func (c *Client) DiscoverResourceType(ctx context.Context, gk schema.GroupKind) (*apiextensionsv1.CustomResourceDefinition, error) {
-	crds := &apiextensionsv1.CustomResourceDefinitionList{}
-	if err := c.kubeClient.List(ctx, crds); err != nil {
-		return nil, fmt.Errorf("failed to list CRDs: %w", err)
+func (c *Client) RetrieveCRD(ctx context.Context, gvk schema.GroupVersionKind) (*apiextensionsv1.CustomResourceDefinition, error) {
+	openapiSchema, err := c.discoveryClient.OpenAPISchema()
+	if err != nil {
+		return nil, err
+	}
+
+	// Most of this code follows the logic in kcp's crd-puller, but is slimmed down
+	// to a) only support openapi and b) extract a specific version, not necessarily
+	// the preferred version.
+
+	models, err := proto.NewOpenAPIData(openapiSchema)
+	if err != nil {
+		return nil, err
+	}
+	modelsByGKV, err := openapi.GetModelsByGKV(models)
+	if err != nil {
+		return nil, err
 	}
 
-	for _, crd := range crds.Items {
-		if crd.Spec.Group != gk.Group {
-			continue
+	protoSchema := modelsByGKV[gvk]
+	if protoSchema == nil {
+		return nil, fmt.Errorf("no models for %v", gvk)
+	}
+
+	var schemaProps apiextensionsv1.JSONSchemaProps
+	errs := crdpuller.Convert(protoSchema, &schemaProps)
+	if len(errs) > 0 {
+		return nil, utilerrors.NewAggregate(errs)
+	}
+
+	_, resourceLists, err := c.discoveryClient.ServerGroupsAndResources()
+	if err != nil {
+		return nil, err
+	}
+
+	var resource *metav1.APIResource
+	allResourceNames := sets.New[string]()
+	for _, resList := range resourceLists {
+		for _, res := range resList.APIResources {
+			allResourceNames.Insert(res.Name)
+
+			// find the requested resource based on the Kind, but ensure that subresources
+			// are not misinterpreted as the main resource by checking for "/"
+			if resList.GroupVersion == gvk.GroupVersion().String() && res.Kind == gvk.Kind && !strings.Contains(res.Name, "/") {
+				resource = &res
+			}
 		}
+	}
+
+	if resource == nil {
+		return nil, fmt.Errorf("could not find %v in APIs", gvk)
+	}
+
+	hasSubResource := func(subResource string) bool {
+		return allResourceNames.Has(resource.Name + "/" + subResource)
+	}
+
+	var statusSubResource *apiextensionsv1.CustomResourceSubresourceStatus
+	if hasSubResource("status") {
+		statusSubResource = &apiextensionsv1.CustomResourceSubresourceStatus{}
+	}
 
-		if crd.Spec.Names.Kind != gk.Kind {
-			continue
+	var scaleSubResource *apiextensionsv1.CustomResourceSubresourceScale
+	if hasSubResource("scale") {
+		scaleSubResource = &apiextensionsv1.CustomResourceSubresourceScale{
+			SpecReplicasPath:   ".spec.replicas",
+			StatusReplicasPath: ".status.replicas",
 		}
+	}
+
+	scope := apiextensionsv1.ClusterScoped
+	if resource.Namespaced {
+		scope = apiextensionsv1.NamespaceScoped
+	}
 
-		return &crd, nil
+	crd := &apiextensionsv1.CustomResourceDefinition{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "CustomResourceDefinition",
+			APIVersion: "apiextensions.k8s.io/v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: fmt.Sprintf("%s.%s", resource.Name, gvk.Group),
+		},
+		Spec: apiextensionsv1.CustomResourceDefinitionSpec{
+			Group: gvk.Group,
+			Versions: []apiextensionsv1.CustomResourceDefinitionVersion{
+				{
+					Name: gvk.Version,
+					Schema: &apiextensionsv1.CustomResourceValidation{
+						OpenAPIV3Schema: &schemaProps,
+					},
+					Subresources: &apiextensionsv1.CustomResourceSubresources{
+						Status: statusSubResource,
+						Scale:  scaleSubResource,
+					},
+					Served:  true,
+					Storage: true,
+				},
+			},
+			Scope: scope,
+			Names: apiextensionsv1.CustomResourceDefinitionNames{
+				Plural:     resource.Name,
+				Kind:       resource.Kind,
+				Categories: resource.Categories,
+				ShortNames: resource.ShortNames,
+				Singular:   resource.SingularName,
+			},
+		},
+	}
+
+	apiextensionsv1.SetDefaults_CustomResourceDefinition(crd)
+
+	if apihelpers.IsProtectedCommunityGroup(gvk.Group) {
+		crd.Annotations = map[string]string{
+			apiextensionsv1.KubeAPIApprovedAnnotation: "https://github.com/kcp-dev/kubernetes/pull/4",
+		}
 	}
 
-	return nil, fmt.Errorf("CustomResourceDefinition for %s/%s does not exist", gk.Group, gk.Kind)
+	return crd, nil
 }