kubernetes-sigs
diff --git a/‎internal/controller/phase_fetch.go‎
Lines changed: 193 additions & 0 deletions b/‎internal/controller/phase_fetch.go‎
Lines changed: 193 additions & 0 deletions
diff --git a/‎internal/controller/phase_initialize.go‎
Lines changed: 190 additions & 0 deletions b/‎internal/controller/phase_initialize.go‎
Lines changed: 190 additions & 0 deletions
@@ -0,0 +1,193 @@
+/*
+Copyright 2026 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controller
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	apijson "k8s.io/apimachinery/pkg/util/json"
+	"k8s.io/client-go/kubernetes/scheme"
+	operatorv1 "sigs.k8s.io/cluster-api-operator/api/v1alpha2"
+	"sigs.k8s.io/cluster-api/cmd/clusterctl/client/repository"
+	"sigs.k8s.io/cluster-api/cmd/clusterctl/client/yamlprocessor"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+// Fetch fetches the provider components from the repository and processes all yaml manifests.
+func (p *PhaseReconciler) Fetch(ctx context.Context) (*Result, error) {
+	log := ctrl.LoggerFrom(ctx)
+	log.Info("Fetching provider")
+
+	// Fetch the provider components yaml file from the provided repository GitHub/GitLab/ConfigMap.
+	componentsFile, err := p.repo.GetFile(ctx, p.options.Version, p.repo.ComponentsPath())
+	if err != nil {
+		err = fmt.Errorf("failed to read %q from provider's repository %q: %w", p.repo.ComponentsPath(), p.providerConfig.ManifestLabel(), err)
+
+		return &Result{}, wrapPhaseError(err, operatorv1.ComponentsFetchErrorReason, operatorv1.ProviderInstalledCondition)
+	}
+
+	// Check if components exceed the resource size.
+	p.needsCompression = needToCompress(componentsFile)
+
+	// Generate a set of new objects using the clusterctl library. NewComponents() will do the yaml processing,
+	// like ensure all the provider components are in proper namespace, replace variables, etc. See the clusterctl
+	// documentation for more details.
+	p.components, err = repository.NewComponents(repository.ComponentsInput{
+		Provider:     p.providerConfig,
+		ConfigClient: p.configClient,
+		Processor:    yamlprocessor.NewSimpleProcessor(),
+		RawYaml:      componentsFile,
+		Options:      p.options,
+	})
+	if err != nil {
+		return &Result{}, wrapPhaseError(err, operatorv1.ComponentsFetchErrorReason, operatorv1.ProviderInstalledCondition)
+	}
+
+	// ProviderSpec provides fields for customizing the provider deployment options.
+	// We can use clusterctl library to apply this customizations.
+	if err := repository.AlterComponents(p.components, customizeObjectsFn(p.provider)); err != nil {
+		return &Result{}, wrapPhaseError(err, operatorv1.ComponentsCustomizationErrorReason, operatorv1.ProviderInstalledCondition)
+	}
+
+	// Apply patches to the provider components if specified.
+	if err := repository.AlterComponents(p.components, applyPatches(ctx, p.provider)); err != nil {
+		return &Result{}, wrapPhaseError(err, operatorv1.ComponentsPatchErrorReason, operatorv1.ProviderInstalledCondition)
+	}
+
+	// Apply image overrides to the provider manifests.
+	if err := repository.AlterComponents(p.components, imageOverrides(p.components.ManifestLabel(), p.overridesClient)); err != nil {
+		return &Result{}, wrapPhaseError(err, operatorv1.ComponentsImageOverrideErrorReason, operatorv1.ProviderInstalledCondition)
+	}
+
+	for _, fn := range p.customAlterComponentsFuncs {
+		if err := repository.AlterComponents(p.components, fn); err != nil {
+			return &Result{}, wrapPhaseError(err, operatorv1.ComponentsCustomizationErrorReason, operatorv1.ProviderInstalledCondition)
+		}
+	}
+
+	return &Result{}, nil
+}
+
+// Store stores the provider components in the cache.
+func (p *PhaseReconciler) Store(ctx context.Context) (*Result, error) {
+	log := ctrl.LoggerFrom(ctx)
+	log.Info("Storing provider in cache")
+
+	kinds, _, err := scheme.Scheme.ObjectKinds(&corev1.Secret{})
+	if err != nil || len(kinds) == 0 {
+		log.Error(err, "cannot fetch kind of the Secret resource")
+		err = fmt.Errorf("cannot fetch kind of the Secret resource: %w", err)
+
+		return &Result{}, wrapPhaseError(err, operatorv1.ComponentsCustomizationErrorReason, operatorv1.ProviderInstalledCondition)
+	}
+
+	secret := &corev1.Secret{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       kinds[0].Kind,
+			APIVersion: kinds[0].GroupVersion().String(),
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        ProviderCacheName(p.provider),
+			Namespace:   p.provider.GetNamespace(),
+			Annotations: map[string]string{},
+		},
+		StringData: map[string]string{},
+		Data:       map[string][]byte{},
+	}
+
+	gvk := p.provider.GetObjectKind().GroupVersionKind()
+
+	secret.SetOwnerReferences([]metav1.OwnerReference{
+		{
+			APIVersion: gvk.GroupVersion().String(),
+			Kind:       gvk.Kind,
+			Name:       p.provider.GetName(),
+			UID:        p.provider.GetUID(),
+		},
+	})
+
+	if p.needsCompression {
+		secret.Annotations[operatorv1.CompressedAnnotation] = "true"
+	}
+
+	manifests, err := apijson.Marshal(addNamespaceIfMissing(p.components.Objs(), p.provider.GetNamespace()))
+	if err != nil {
+		return &Result{}, wrapPhaseError(err, operatorv1.ComponentsCustomizationErrorReason, operatorv1.ProviderInstalledCondition)
+	}
+
+	if p.needsCompression {
+		var buf bytes.Buffer
+		if err := compressData(&buf, manifests); err != nil {
+			return &Result{}, wrapPhaseError(err, operatorv1.ComponentsCustomizationErrorReason, operatorv1.ProviderInstalledCondition)
+		}
+
+		secret.Data["cache"] = buf.Bytes()
+	} else {
+		secret.StringData["cache"] = string(manifests)
+	}
+
+	if err := p.ctrlClient.Patch(ctx, secret, client.Apply, client.ForceOwnership, client.FieldOwner(cacheOwner)); err != nil {
+		log.Error(err, "failed to apply cache config map")
+
+		return &Result{}, wrapPhaseError(err, operatorv1.ComponentsCustomizationErrorReason, operatorv1.ProviderInstalledCondition)
+	}
+
+	return &Result{}, nil
+}
+
+// addNamespaceIfMissing adda a Namespace object if missing (this ensure the targetNamespace will be created).
+func addNamespaceIfMissing(objs []unstructured.Unstructured, targetNamespace string) []unstructured.Unstructured {
+	namespaceObjectFound := false
+
+	for _, o := range objs {
+		// if the object has Kind Namespace, fix the namespace name
+		if o.GetKind() == namespaceKind {
+			namespaceObjectFound = true
+		}
+	}
+
+	// if there isn't an object with Kind Namespace, add it
+	if !namespaceObjectFound {
+		objs = append(objs, unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"apiVersion": "v1",
+				"kind":       namespaceKind,
+				"metadata": map[string]interface{}{
+					"name": targetNamespace,
+				},
+			},
+		})
+	}
+
+	return objs
+}
+
+func (p *PhaseReconciler) ReportStatus(_ context.Context) (*Result, error) {
+	status := p.provider.GetStatus()
+	status.Contract = &p.contract
+	installedVersion := p.components.Version()
+	status.InstalledVersion = &installedVersion
+	p.provider.SetStatus(status)
+
+	return &Result{}, nil
+}
@@ -0,0 +1,190 @@
+/*
+Copyright 2026 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controller
+
+import (
+	"cmp"
+	"context"
+	"fmt"
+	"os"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+	operatorv1 "sigs.k8s.io/cluster-api-operator/api/v1alpha2"
+	"sigs.k8s.io/cluster-api-operator/internal/controller/genericprovider"
+	clusterctlv1 "sigs.k8s.io/cluster-api/cmd/clusterctl/api/v1alpha3"
+	configclient "sigs.k8s.io/cluster-api/cmd/clusterctl/client/config"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+// initReaderVariables initializes the given reader with configuration variables from the provider's
+// Spec.ConfigSecret if it is set.
+func initReaderVariables(ctx context.Context, cl client.Client, reader configclient.Reader, provider genericprovider.GenericProvider) error {
+	log := log.FromContext(ctx)
+
+	// Fetch configuration variables from the secret. See API field docs for more info.
+	if provider.GetSpec().ConfigSecret == nil {
+		log.Info("No configuration secret was specified")
+
+		return nil
+	}
+
+	secret := &corev1.Secret{}
+	key := types.NamespacedName{Namespace: provider.GetSpec().ConfigSecret.Namespace, Name: provider.GetSpec().ConfigSecret.Name}
+
+	if err := cl.Get(ctx, key, secret); err != nil {
+		log.Error(err, "failed to get referenced secret")
+
+		return err
+	}
+
+	for k, v := range secret.Data {
+		reader.Set(k, string(v))
+	}
+
+	return nil
+}
+
+// InitializePhaseReconciler initializes phase reconciler.
+func (p *PhaseReconciler) InitializePhaseReconciler(ctx context.Context) (*Result, error) {
+	path := configPath
+	if _, err := os.Stat(configPath); os.IsNotExist(err) {
+		path = ""
+	} else if err != nil {
+		return &Result{}, err
+	}
+
+	// Initialize a client for interacting with the clusterctl configuration.
+	initConfig, err := configclient.New(ctx, path)
+	if err != nil {
+		return &Result{}, err
+	} else if path != "" {
+		// Set the image and providers override client
+		p.overridesClient = initConfig
+	}
+
+	overrideProviders := []configclient.Provider{}
+
+	if p.overridesClient != nil {
+		providers, err := p.overridesClient.Providers().List()
+		if err != nil {
+			return &Result{}, err
+		}
+
+		overrideProviders = providers
+	}
+
+	reader, err := p.secretReader(ctx, overrideProviders...)
+	if err != nil {
+		return &Result{}, err
+	}
+
+	// retrieves all custom providers using `FetchConfig` that aren't the current provider and adds them into MemoryReader.
+	if err := p.providerLister(ctx, &clusterctlv1.ProviderList{}, loadCustomProvider(reader, p.provider, p.providerTypeMapper)); err != nil {
+		return &Result{}, err
+	}
+
+	// Load provider's secret and config url.
+	p.configClient, err = configclient.New(ctx, "", configclient.InjectReader(reader))
+	if err != nil {
+		return &Result{}, wrapPhaseError(err, "failed to load the secret reader", operatorv1.ProviderInstalledCondition)
+	}
+
+	// Get returns the configuration for the provider with a given name/type.
+	// This is done using clusterctl internal API types.
+	p.providerConfig, err = p.configClient.Providers().Get(p.provider.ProviderName(), p.providerTypeMapper(p.provider))
+	if err != nil {
+		return &Result{}, wrapPhaseError(err, operatorv1.UnknownProviderReason, operatorv1.ProviderInstalledCondition)
+	}
+
+	return &Result{}, nil
+}
+
+// secretReader use clusterctl MemoryReader structure to store the configuration variables
+// that are obtained from a secret and try to set fetch url config.
+func (p *PhaseReconciler) secretReader(ctx context.Context, providers ...configclient.Provider) (configclient.Reader, error) {
+	log := ctrl.LoggerFrom(ctx)
+
+	mr := configclient.NewMemoryReader()
+
+	if err := mr.Init(ctx, ""); err != nil {
+		return nil, err
+	}
+
+	// Fetch configuration variables from the secret. See API field docs for more info.
+	if err := initReaderVariables(ctx, p.ctrlClient, mr, p.provider); err != nil {
+		return nil, err
+	}
+
+	isCustom := true
+
+	for _, provider := range providers {
+		if _, err := mr.AddProvider(provider.Name(), provider.Type(), provider.URL()); err != nil {
+			return nil, err
+		}
+
+		if provider.Type() == clusterctlv1.ProviderType(p.provider.GetType()) && provider.Name() == p.provider.ProviderName() {
+			isCustom = false
+		}
+	}
+
+	// If provided store fetch config url in memory reader.
+	if p.provider.GetSpec().FetchConfig != nil {
+		if p.provider.GetSpec().FetchConfig.URL != "" {
+			log.Info("Custom fetch configuration url was provided")
+			return mr.AddProvider(p.provider.ProviderName(), p.providerTypeMapper(p.provider), p.provider.GetSpec().FetchConfig.URL)
+		}
+
+		if p.provider.GetSpec().FetchConfig.Selector != nil {
+			log.Info("Custom fetch configuration config map was provided")
+
+			// To register a new provider from the config map, we need to specify a URL with a valid
+			// format. However, since we're using data from a local config map, URLs are not needed.
+			// As a workaround, we add a fake but well-formatted URL.
+			return mr.AddProvider(p.provider.ProviderName(), p.providerTypeMapper(p.provider), fakeURL)
+		}
+
+		if isCustom && p.provider.GetSpec().FetchConfig.OCI != "" {
+			return mr.AddProvider(p.provider.ProviderName(), p.providerTypeMapper(p.provider), fakeURL)
+		}
+	}
+
+	return mr, nil
+}
+
+// loadCustomProvider loads the passed provider into the clusterctl configuration via the MemoryReader.
+func loadCustomProvider(reader configclient.Reader, current operatorv1.GenericProvider, mapper ProviderTypeMapper) ProviderOperation {
+	mr, ok := reader.(*configclient.MemoryReader)
+	currProviderName := current.GetName()
+	currProviderType := current.GetType()
+
+	return func(provider operatorv1.GenericProvider) error {
+		if !ok {
+			return fmt.Errorf("unable to load custom provider, invalid reader passed")
+		}
+
+		if provider.GetName() == currProviderName && provider.GetType() == currProviderType || provider.GetSpec().FetchConfig == nil {
+			return nil
+		}
+
+		_, err := mr.AddProvider(provider.ProviderName(), mapper(provider), cmp.Or(provider.GetSpec().FetchConfig.URL, fakeURL))
+
+		return err
+	}
+}