Skip to content

packs: prep for namespace provisioner — simulate, reconciler, e2e, chart, beginner examples#191

Merged
iAlexeze merged 7 commits into
mainfrom
packs/prep-for-namespace-provisioner
Jun 27, 2026
Merged

packs: prep for namespace provisioner — simulate, reconciler, e2e, chart, beginner examples#191
iAlexeze merged 7 commits into
mainfrom
packs/prep-for-namespace-provisioner

Conversation

@iAlexeze

@iAlexeze iAlexeze commented Jun 27, 2026

Copy link
Copy Markdown
Collaborator

Summary

Fixes and improvements discovered while building the namespace-provisioner
example. No new user-facing resource types — this is correctness, tooling,
and experience work.

Simulate smarter

  • Cross-namespace copy resources (fromNamespace/toNamespaces) are
    automatically skipped before the fake reconciler runs. A note is printed
    for each skipped resource. Previously they errored and blocked the cycle.

Reconciler fixes

  • Namespace deletion: three layered bugs fixed — inverted finalizer guard,
    wrong field reference (r.crd.OperatorBoxr.operatorBox), and missing
    unconditional cleanup path in handleDeletion for katalogs without onDelete
  • labels.NsCleanupFinalizer auto-injected at construction time
  • ClusterRole / ClusterRoleBinding: reflect.DeepEqual guard before update

E2E structural improvements

  • setup.apply entries: flat string or {path, wait} struct — both forms supported
  • setup.helm entries: per-entry wait: list blocks inline after each install
  • New lifecycle event after: setup-complete for infrastructure assertions
    before any CR is applied. Defaults when after: is omitted
  • spec.crd and spec.cr optional when spec.custom.target is set
  • HelmInstall local chart path detection — skips repo add/update for ./

ork validate UX

  • Simulate and Motif output now use the same header + structured fields
    format as Katalog and E2E
  • after: in E2E output shows effective default (setup-complete) when omitted
  • katalog/crd/cr fields only shown when non-empty

Beginner examples

  • 03-secret-copy and 03b-configmap-copy open with ork simulate as step 1
  • READMEs reordered: simulate → ork run → verify (moved after run because
    the source object is created by ork run, not before it)
  • Root examples/beginner/simulate.yaml aggregator imports both new files

Chart dogfooding

  • charts/orkestra/e2e.yamlcustom.target: kubernetes spec that installs
    the chart via setup.helm and asserts all infrastructure with setup-complete
  • charts/orkestra/fixtures/ — katalog, CRD, CR, pre-generated bundle
  • Gateway PodDisruptionBudget added (enabled by default, minAvailable: 1)
  • fixture-chart CI job via orkspace/orkestra-action

Docs

  • e2e-universal restructured from flat file to folder (index + 3 pages)
  • 05-custom-target.md updated: two patterns, per-entry waits, lifecycle table

Test plan

  • make ork && make test-unit ./...
  • ork simulate on 03-secret-copy and 03b-configmap-copy — skip notice printed
  • ork validate -f charts/orkestra/e2e.yaml — 7 expectations valid
  • Delete a CR that owns a namespace — namespace removed, finalizer stripped

iAlexeze added 7 commits June 26, 2026 16:35
Resources with fromNamespace / toNamespaces require a live API server to read
the source object. Previously they errored during simulation and blocked all
subsequent resources in the same reconcile cycle.

Introduces CrossNamespaceChecker — a generic interface implemented by Secret,
ConfigMap, NetworkPolicy, ResourceQuota, and LimitRange template sources.
FilterSimulatable strips these resources from hook templates before the fake
reconciler runs and returns a skip notice for each one.

The simulate harness applies FilterSimulatable to onCreate / onReconcile /
onDelete before building the reconciler; notices surface in the result.Notes
field and are printed before the first cycle so users know exactly what was
omitted and why.
…rkPolicy update loop

Namespace cleanup was silently skipped due to three layered bugs:
- ensureFinalizers had an inverted condition that prevented finalizers from
  ever being added; removed the guard
- ensureFinalizers and removeFinalizers read r.crd.OperatorBox.Finalizers
  instead of r.operatorBox.Finalizers, so the auto-injected system finalizer
  was invisible
- deleteOwnedNamespaces was only reachable inside runTemplateOnDelete (requires
  OnDelete != nil); added an unconditional call in handleDeletion for katalogs
  without an explicit onDelete hook

Auto-injects labels.NsCleanupFinalizer at construction time whenever the
OperatorBox declares namespace sources.

ClusterRole and ClusterRoleBinding Update paths now guard with reflect.DeepEqual
before writing to avoid spurious updates.
…ete lifecycle, local chart support

setup.apply entries now support an inline wait: list that blocks after each
manifest is applied before moving to the next. Entries accept either a flat
string path or a {path, wait} struct — both forms unmarshal transparently.

setup.helm entries gain the same wait: list, blocking after each chart install
before the next helm entry runs.

Introduces E2EAfter typed string with three constants: setup-complete,
cr-applied, cr-deleted. after: defaults to setup-complete when omitted, making
it the natural choice for infrastructure assertions in non-operator tests.

HelmInstall now detects local chart paths (./, /, .) and skips repo add/update,
passing the path directly to helm upgrade --install.

isPureAggregator now returns false for kubernetesTarget specs so custom-target
e2e files with no katalog or cr are not silently skipped.
…og/E2E style

Simulate previously printed raw field: lines. Motif printed only the file
path and "valid". Both now use the same ● name / description / structured
fields / summary-line format as Katalog and E2E validation.

Motif output includes version, input count, and a compact resource-type
summary. Simulate output includes katalog path, cr path, cycle count, and
op rule count.

after: in E2E expect blocks now defaults to setup-complete when omitted;
validator and display both show the effective value. spec.cr and spec.crd
are no longer required when spec.custom.target is set.

katalog/crd/cr fields in E2E validate output are only shown when non-empty.
…ap-copy

Both examples now open with ork simulate as step 1 so users see the
cross-namespace skip notice before running the operator.

README steps reordered: simulate → ork run (second terminal) → verify CR
and source → verify copies → verify owner refs → test sync → test cleanup.
The verify step moved after ork run because the source object is created by
ork run applying setup.yaml, not before it.

Root examples/beginner/simulate.yaml aggregator updated to import both new
simulate files alongside the existing 02-with-serviceaccount entry.
Adds charts/orkestra/e2e.yaml — a custom.target: kubernetes e2e spec that
installs the chart itself via setup.helm and asserts infrastructure without
needing an Orkestra operator. Uses the new per-entry wait and setup-complete
lifecycle added in this branch.

charts/orkestra/fixtures/ contains the fixture katalog, CRD, CR, and
pre-generated orkestra-bundle.yaml used as setup.apply entries.

Gateway PodDisruptionBudget added (enabled by default, minAvailable: 1)
alongside the existing runtime and control-center PDBs.

CI: fixture-chart job in validate-pr.yml runs the chart e2e via
orkspace/orkestra-action on pull requests that touch charts/.
…ference

e2e-universal restructured from a single flat file into a folder with four
pages: index, 01-how-it-works, 02-use-cases, 03-ci. The use-cases page now
covers the Helm chart pattern (no crd/cr, setup.apply + setup.helm with
per-entry waits, after: setup-complete) and links to charts/orkestra/e2e.yaml
as a real working example.

custom-target reference updated to document the two patterns (pure Helm chart
test vs operator with CR), per-entry waits, and the lifecycle event table
(setup-complete / cr-applied / cr-deleted).

documentation/guides/index.md updated to point to the new folder.
@iAlexeze iAlexeze merged commit 59a54b4 into main Jun 27, 2026
5 of 7 checks passed
@iAlexeze iAlexeze deleted the packs/prep-for-namespace-provisioner branch June 27, 2026 22:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant