open-cluster-management-io
diff --git a/Diff for: ‎addon/v1alpha1/0000_01_addon.open-cluster-management.io_managedclusteraddons.crd.yaml
+59 b/Diff for: ‎addon/v1alpha1/0000_01_addon.open-cluster-management.io_managedclusteraddons.crd.yaml
+59
diff --git a/Diff for: ‎addon/v1alpha1/types_managedclusteraddon.go
+63-1 b/Diff for: ‎addon/v1alpha1/types_managedclusteraddon.go
+63-1
diff --git a/Diff for: ‎addon/v1alpha1/zz_generated.deepcopy.go
+50 b/Diff for: ‎addon/v1alpha1/zz_generated.deepcopy.go
+50
diff --git a/Diff for: ‎addon/v1alpha1/zz_generated.swagger_doc_generated.go
+24-1 b/Diff for: ‎addon/v1alpha1/zz_generated.swagger_doc_generated.go
+24-1
@@ -48,6 +48,14 @@ spec:
           spec:
             description: spec holds configuration that could apply to any operator.
             type: object
+            properties:
+              installNamespace:
+                description: installNamespace is the namespace on the managed cluster
+                  to install the addon agent. If it is not set, open-cluster-management-agent-addon
+                  namespace is used to install the addon agent.
+                type: string
+                maxLength: 63
+                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
           status:
             description: status holds the information about the state of an operator.  It
               is consistent with status information across the Kubernetes ecosystem.
@@ -156,6 +164,57 @@ spec:
                       type: string
                       maxLength: 316
                       pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+              registrations:
+                description: registrations is the conifigurations for the addon agent
+                  to register to hub. It should be set by each addon controller on
+                  hub to define how the addon agent on managedcluster is registered.
+                  With the registration defined, The addon agent can access to kube
+                  apiserver with kube style API or other endpoints on hub cluster
+                  with client certificate authentication. A csr will be created per
+                  registration configuration. If more than one registrationConfig
+                  is defined, a csr will be created for each registration configuration.
+                  It is not allowed that multiple registrationConfigs have the same
+                  signer name. After the csr is approved on the hub cluster, the klusterlet
+                  agent will create a secret in the installNamespace for the registrationConfig.
+                  If the signerName is "kubernetes.io/kube-apiserver-client", the
+                  secret name will be "{addon name}-hub-kubeconfig" whose contents
+                  includes key/cert and kubeconfig. Otherwise, the secret name will
+                  be "{addon name}-{signer name}-client-cert" whose contents includes
+                  key/cert.
+                type: array
+                items:
+                  description: RegistrationConfig defines the configuration of the
+                    addon agent to register to hub. The Klusterlet agent will create
+                    a csr for the addon agent with the registrationConfig.
+                  type: object
+                  properties:
+                    signerName:
+                      description: signerName is the name of signer that addon agent
+                        will use to create csr.
+                      type: string
+                      maxLength: 571
+                      minLength: 5
+                    subject:
+                      description: "subject is the user subject of the addon agent
+                        to be registered to the hub. If it is not set, the addon agent
+                        will have the default subject \"subject\": { \t\"user\": \"system:open-cluster-management:addon:{addonName}:{clusterName}:{agentName}\",
+                        \t\"groups: [\"system:open-cluster-management:addon\", \"system:open-cluster-management:addon:{addonName}\",
+                        \"system:authenticated\"] }"
+                      type: object
+                      properties:
+                        groups:
+                          description: groups is the user group of the addon agent.
+                          type: array
+                          items:
+                            type: string
+                        organizationUnit:
+                          description: organizationUnit is the ou of the addon agent
+                          type: array
+                          items:
+                            type: string
+                        user:
+                          description: user is the user name of the addon agent.
+                          type: string
               relatedObjects:
                 description: 'relatedObjects is a list of objects that are "interesting"
                   or related to this operator. Common uses are: 1. the detailed resource
 
@@ -29,8 +29,49 @@ type ManagedClusterAddOn struct {
 	Status ManagedClusterAddOnStatus `json:"status"`
 }
 
-// ManagedClusterAddOnSpec is empty for now.
+// ManagedClusterAddOnSpec defines the install configuration of
+// an addon agent on managed cluster.
 type ManagedClusterAddOnSpec struct {
+	// installNamespace is the namespace on the managed cluster to install the addon agent.
+	// If it is not set, open-cluster-management-agent-addon namespace is used to install the addon agent.
+	// +optional
+	// +kubebuilder:validation:MaxLength=63
+	// +kubebuilder:validation:Pattern=^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+	InstallNamespace string `json:"installNamespace,omitempty"`
+}
+
+// RegistrationConfig defines the configuration of the addon agent to register to hub. The Klusterlet agent will
+// create a csr for the addon agent with the registrationConfig.
+type RegistrationConfig struct {
+	// signerName is the name of signer that addon agent will use to create csr.
+	// +required
+	// +kubebuilder:validation:MaxLength=571
+	// +kubebuilder:validation:MinLength=5
+	SignerName string `json:"signerName"`
+
+	// subject is the user subject of the addon agent to be registered to the hub.
+	// If it is not set, the addon agent will have the default subject
+	// "subject": {
+	//	"user": "system:open-cluster-management:addon:{addonName}:{clusterName}:{agentName}",
+	//	"groups: ["system:open-cluster-management:addon", "system:open-cluster-management:addon:{addonName}", "system:authenticated"]
+	// }
+	//
+	// +optional
+	Subject Subject `json:"subject,omitempty"`
+}
+
+// Subject is the user subject of the addon agent to be registered to the hub.
+type Subject struct {
+	// user is the user name of the addon agent.
+	User string `json:"user"`
+
+	// groups is the user group of the addon agent.
+	// +optional
+	Groups []string `json:"groups,omitempty"`
+
+	// organizationUnit is the ou of the addon agent
+	// +optional
+	OrganizationUnits []string `json:"organizationUnit,omitempty"`
 }
 
 // ManagedClusterAddOnStatus provides information about the status of the operator.
@@ -59,8 +100,29 @@ type ManagedClusterAddOnStatus struct {
 	// This resource is use to locate the configuration resource for the add-on.
 	// +optional
 	AddOnConfiguration ConfigCoordinates `json:"addOnConfiguration"`
+
+	// registrations is the conifigurations for the addon agent to register to hub. It should be set by each addon controller
+	// on hub to define how the addon agent on managedcluster is registered. With the registration defined,
+	// The addon agent can access to kube apiserver with kube style API or other endpoints on hub cluster with client
+	// certificate authentication. A csr will be created per registration configuration. If more than one
+	// registrationConfig is defined, a csr will be created for each registration configuration. It is not allowed that
+	// multiple registrationConfigs have the same signer name. After the csr is approved on the hub cluster, the klusterlet
+	// agent will create a secret in the installNamespace for the registrationConfig. If the signerName is
+	// "kubernetes.io/kube-apiserver-client", the secret name will be "{addon name}-hub-kubeconfig" whose contents includes
+	// key/cert and kubeconfig. Otherwise, the secret name will be "{addon name}-{signer name}-client-cert" whose contents includes key/cert.
+	// +optional
+	Registrations []RegistrationConfig `json:"registrations,omitempty"`
 }
 
+const (
+	// ManagedClusterAddOnConditionAvailable represents that the addon agent is running on the managed cluster
+	ManagedClusterAddOnConditionAvailable string = "Available"
+
+	// ManagedClusterAddOnConditionDegraded represents that the addon agent is providing degraded service on
+	// the managed cluster.
+	ManagedClusterAddOnConditionDegraded string = "Degraded"
+)
+
 // ObjectReference contains enough information to let you inspect or modify the referred object.
 type ObjectReference struct {
 	// group of the referent.