Configure e2e test in non converged mode

config/controller/cluster-role.yaml

@@ -59,7 +59,6 @@ rules:
   verbs:
   - get
   - list
-  - watch
 - apiGroups:
   - syn.tools
   resources:

pkg/apiserver/common.go

@@ -3,6 +3,7 @@ package apiserver
 import (
 	"context"
 	"errors"
+	crossplane_v1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 	"sync"
 
 	"github.com/vshn/appcat/v4/pkg"
@@ -123,7 +124,12 @@ func (k *KubeClient) GetKubeClient(ctx context.Context, instance client.Object)
 		return k.WithWatch, nil
 	}
 
-	kubeconfig, err := k.getKubeConfig(ctx, instance)
+	providerConfig, err := k.fetchProvider(ctx, instance.GetLabels()[appcatruntime.ProviderConfigLabel])
+	if err != nil {
+		return nil, err
+	}
+
+	kubeconfig, err := k.getKubeConfig(ctx, providerConfig)
 	if err != nil {
 		return nil, err
 	}
@@ -146,13 +152,23 @@ func (k *KubeClient) GetKubeClient(ctx context.Context, instance client.Object)
 // It will check where the instance is running on and will return either the client
 // for the remote cluster (non-converged) or the local cluster (converged)
 func (k *KubeClient) GetDynKubeClient(ctx context.Context, instance client.Object) (*dynClient.DynamicClient, error) {
-	providerConfig := instance.GetLabels()[appcatruntime.ProviderConfigLabel]
-	if providerConfig == "" || providerConfig == "local" {
+	providerConfigLabelValue := instance.GetLabels()[appcatruntime.ProviderConfigLabel]
+	if providerConfigLabelValue == "" || providerConfigLabelValue == "local" {
 		// For converged clusters, create a dynamic client using the loopback config
 		return dynClient.NewForConfig(loopback.GetLoopbackMasterClientConfig())
 	}
 
-	kubeconfig, err := k.getKubeConfig(ctx, instance)
+	providerConfig, err := k.fetchProvider(ctx, instance.GetLabels()[appcatruntime.ProviderConfigLabel])
+	if err != nil {
+		return nil, err
+	}
+
+	// In case credentials source is InjectedIdentity then use the same in-cluster connection.
+	if providerConfig.Spec.Credentials.Source == crossplane_v1.CredentialsSourceInjectedIdentity {
+		return dynClient.NewForConfig(loopback.GetLoopbackMasterClientConfig())
+	}
+
+	kubeconfig, err := k.getKubeConfig(ctx, providerConfig)
 	if err != nil {
 		return nil, err
 	}
@@ -168,19 +184,20 @@ func (k *KubeClient) GetDynKubeClient(ctx context.Context, instance client.Objec
 	return client, nil
 }
 
-// GetKubeConfig will return a `Kubeconfig` for the provided instance and kubeclient
-func (k *KubeClient) getKubeConfig(ctx context.Context, instance client.Object) ([]byte, error) {
-	providerConfigName := instance.GetLabels()[appcatruntime.ProviderConfigLabel]
-
-	providerConfig := xkube.ProviderConfig{}
-	err := k.Get(ctx, client.ObjectKey{Name: providerConfigName}, &providerConfig)
+func (k *KubeClient) fetchProvider(ctx context.Context, providerConfigName string) (*xkube.ProviderConfig, error) {
+	providerConfig := &xkube.ProviderConfig{}
+	err := k.Get(ctx, client.ObjectKey{Name: providerConfigName}, providerConfig)
 	if err != nil {
-		return []byte{}, err
+		return nil, err
 	}
+	return providerConfig, err
+}
 
+// GetKubeConfig will return a `Kubeconfig` for the provided instance and kubeclient
+func (k *KubeClient) getKubeConfig(ctx context.Context, providerConfig *xkube.ProviderConfig) ([]byte, error) {
 	secretRef := providerConfig.Spec.Credentials.SecretRef
 	secret := v1.Secret{}
-	err = k.Get(ctx, client.ObjectKey{Name: secretRef.Name, Namespace: secretRef.Namespace}, &secret)
+	err := k.Get(ctx, client.ObjectKey{Name: secretRef.Name, Namespace: secretRef.Namespace}, &secret)
 	if err != nil {
 		return []byte{}, err
 	}

pkg/comp-functions/runtime/function_mgr.go

@@ -1505,8 +1505,11 @@ func (s *ServiceRuntime) CopyKubeResource(ctx context.Context, obj client.Object
 	observerObj := obj.DeepCopyObject().(client.Object)
 	observerObj.SetName(name)
 	observerObj.SetNamespace(fromNS)
+	objectExtraLabels := map[string]string{
+		ProviderConfigIgnoreLabel: "true",
+	}
 
-	if err := s.SetDesiredKubeObject(observerObj, observerName, KubeOptionObserve); err != nil {
+	if err := s.SetDesiredKubeObject(observerObj, observerName, KubeOptionObserve, KubeOptionAddLabels(objectExtraLabels)); err != nil {
 		return nil, err
 	}
 

pkg/controller/webhooks/default_handler.go

@@ -391,7 +391,17 @@ func (r *DefaultWebhookHandler) validateProviderConfigSecret(ctx context.Context
 		}
 	}
 
-	secretRef, found, err := unstructured.NestedMap(credentials, "secretRef")
+	_, foundSource, err := unstructured.NestedString(credentials, "source")
+	if err != nil {
+		return &field.Error{
+			Field:    labelPath.String(),
+			Detail:   fmt.Sprintf("failed to parse %s ProviderConfig %q source: %v", providerType, providerConfigName, err),
+			BadValue: providerConfigName,
+			Type:     field.ErrorTypeInternal,
+		}
+	}
+
+	secretRef, foundSecret, err := unstructured.NestedMap(credentials, "secretRef")
 	if err != nil {
 		return &field.Error{
 			Field:    labelPath.String(),
@@ -401,7 +411,19 @@ func (r *DefaultWebhookHandler) validateProviderConfigSecret(ctx context.Context
 		}
 	}
 
-	if !found {
+	if foundSource == false && foundSecret == false {
+		return &field.Error{
+			Field:    labelPath.String(),
+			Detail:   fmt.Sprintf("%s ProviderConfig %q has no secretRef or source configured", providerType, providerConfigName),
+			BadValue: providerConfigName,
+			Type:     field.ErrorTypeInvalid,
+		}
+	}
+	if foundSource == true {
+		return nil
+	}
+
+	if !foundSecret {
 		return &field.Error{
 			Field:    labelPath.String(),
 			Detail:   fmt.Sprintf("%s ProviderConfig %q has no secretRef configured", providerType, providerConfigName),

pkg/controller/webhooks/minio.go

@@ -11,6 +11,7 @@ import (
 
 //+kubebuilder:rbac:groups=vshn.appcat.vshn.io,resources=xvshnminios,verbs=get;list;watch;patch;update
 //+kubebuilder:rbac:groups=vshn.appcat.vshn.io,resources=xvshnminios/status,verbs=get;list;watch;patch;update
+//+kubebuilder:rbac:groups=minio.crossplane.io,resources=providerconfigs,verbs=get;list;watch;
 
 var (
 	minioGK = schema.GroupKind{Group: "vshn.appcat.vshn.io", Kind: "VSHNMinio"}

pkg/controller/webhooks/object.go

@@ -12,6 +12,7 @@ import (
 //+kubebuilder:rbac:groups=syn.tools,resources=compositeredisinstances/status,verbs=get;list;watch;patch;update
 //+kubebuilder:rbac:groups=syn.tools,resources=compositemariadbinstances,verbs=get;list;watch;patch;update
 //+kubebuilder:rbac:groups=syn.tools,resources=compositemariadbinstances/status,verbs=get;list;watch;patch;update
+//+kubebuilder:rbac:groups=kubernetes.crossplane.io,resources=providerconfigs,verbs=get;list;watch;
 
 // SetupObjectDeletionProtectionHandlerWithManager registers the validation webhook with the manager.
 func SetupObjectDeletionProtectionHandlerWithManager(mgr ctrl.Manager) error {

pkg/controller/webhooks/objectbuckets.go

@@ -17,6 +17,8 @@ import (
 )
 
 //+kubebuilder:webhook:verbs=delete;update,path=/validate-appcat-vshn-io-v1-objectbucket,mutating=false,failurePolicy=fail,groups=appcat.vshn.io,resources=objectbuckets,versions=v1,name=objectbuckets.vshn.appcat.vshn.io,sideEffects=None,admissionReviewVersions=v1
+//+kubebuilder:rbac:groups=cloudscale.crossplane.io,resources=providerconfigs,verbs=get;list;watch;
+//+kubebuilder:rbac:groups=exoscale.crossplane.io,resources=providerconfigs,verbs=get;list;watch;
 
 var _ webhook.CustomValidator = &ObjectbucketDeletionProtectionHandler{}
 

pkg/controller/webhooks/postgresql.go

@@ -30,6 +30,8 @@ import (
 //+kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch;patch;update;delete
 //+kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;patch;update;delete
 
+//+kubebuilder:rbac:groups=postgresql.sql.crossplane.io,resources=providerconfigs,verbs=get;list;watch;
+
 const (
 	maxResourceNameLength = 30
 )

pkg/controller/webhooks/release.go

@@ -11,6 +11,7 @@ import (
 //+kubebuilder:rbac:groups=syn.tools,resources=compositeredisinstances/status,verbs=get;list;watch;patch;update
 //+kubebuilder:rbac:groups=syn.tools,resources=compositemariadbinstances,verbs=get;list;watch;patch;update
 //+kubebuilder:rbac:groups=syn.tools,resources=compositemariadbinstances/status,verbs=get;list;watch;patch;update
+//+kubebuilder:rbac:groups=helm.crossplane.io,resources=providerconfigs,verbs=get;list;watch;
 
 // SetupReleaseDeletionProtectionHandlerWithManager registers the validation webhook with the manager.
 func SetupReleaseDeletionProtectionHandlerWithManager(mgr ctrl.Manager) error {