Add controller-runtime client example and rename credentialProviders to accessProviders

cmd/secretreader-plugin/README.md

@@ -57,7 +57,7 @@ Use the following provider config to exec the secret-reader plugin.
 }
 ```
 
-### Note: `ClusterProfile.status.credentialProviders[].cluster.extensions`
+### Note: `ClusterProfile.status.accessProviders[].cluster.extensions`
 
 - Required: set `extensions[].name` to `client.authentication.k8s.io/exec`.
 - The library reads only the `extension` field of that entry and passes it through to `ExecCredential.Spec.Cluster.Config`.
@@ -67,7 +67,7 @@ Example:
 
 ```yaml
 status:
-  credentialProviders:
+  accessProviders:
   - name: secretreader
     cluster:
       server: https://<spoke-server>

examples/controller-example/README.md

@@ -5,7 +5,7 @@ This example automatically sets up the following, stores the spoke cluster token
 - Create a hub cluster and a spoke cluster with kind
 - On the spoke, create a ServiceAccount and ClusterRole/Binding that can list Pods and issue a token
 - On the hub, create a Secret with the token in `data.token`
-- On the hub, create a `ClusterProfile` with spoke information (set `secretreader` in `status.credentialProviders`)
+- On the hub, create a `ClusterProfile` with spoke information (set `secretreader` in `status.accessProviders`)
 
 ## Prerequisites
 
@@ -43,15 +43,15 @@ KUBECONFIG=./examples/controller-example/hub.kubeconfig ./examples/controller-ex
 
 ## Note: ClusterProfile extensions
 
-- Required: set `status.credentialProviders[].cluster.extensions[].name` to `client.authentication.k8s.io/exec`.
+- Required: set `status.accessProviders[].cluster.extensions[].name` to `client.authentication.k8s.io/exec`.
 - The library reads only the `extension` field of that entry (arbitrary JSON). Other `extensions` entries are ignored.
 - That `extension` is passed through to `ExecCredential.Spec.Cluster.Config`. The `secretreader` plugin uses `clusterName` in that object.
 
 Example (to be merged into `ClusterProfile.status`):
 
 ```yaml
 status:
-  credentialProviders:
+  accessProviders:
   - name: secretreader
     cluster:
       server: https://<spoke-server>

examples/controller-example/main.go

@@ -5,16 +5,20 @@ import (
 	"flag"
 	"log"
 
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
 	k8sclient "k8s.io/client-go/kubernetes"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/client-go/tools/clientcmd"
 	ciaclient "sigs.k8s.io/cluster-inventory-api/client/clientset/versioned"
 	"sigs.k8s.io/cluster-inventory-api/pkg/credentials"
+	crclient "sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 func main() {
 	// Flags
-	credentialsProviders := credentials.SetupProviderFileFlag()
+	accessProviders := credentials.SetupProviderFileFlag()
 	namespace := flag.String("namespace", "default", "Namespace of the ClusterProfile on the hub cluster")
 	clusterProfileName := flag.String("clusterprofile", "", "Name of the ClusterProfile to target (required)")
 	flag.Parse()
@@ -24,7 +28,7 @@ func main() {
 	}
 
 	// Load providers file
-	cpCreds, err := credentials.NewFromFile(*credentialsProviders)
+	cpCreds, err := credentials.NewFromFile(*accessProviders)
 	if err != nil {
 		log.Fatalf("Got error reading credentials providers: %v", err)
 	}
@@ -52,7 +56,7 @@ func main() {
 		log.Fatalf("Got error generating spoke rest.Config: %v", err)
 	}
 
-	// Create a Kubernetes client for the spoke cluster and list pods
+	// Example using client-go: Create a Kubernetes client for the spoke cluster and list pods
 	mclient, err := k8sclient.NewForConfig(spokeConfig)
 	if err != nil {
 		log.Fatalf("failed to create spoke client: %v", err)
@@ -61,8 +65,26 @@ func main() {
 	if err != nil {
 		log.Fatalf("failed to list pods on spoke: %v", err)
 	}
-	log.Printf("Listed %d pods on spoke cluster", len(plist.Items))
+	log.Printf("[client-go] Listed %d pods on spoke cluster", len(plist.Items))
 	for _, p := range plist.Items {
-		log.Printf("pod: %s/%s", p.Namespace, p.Name)
+		log.Printf("[client-go] pod: %s/%s", p.Namespace, p.Name)
+	}
+
+	// Example using controller-runtime client
+	scheme := runtime.NewScheme()
+	if err := clientgoscheme.AddToScheme(scheme); err != nil {
+		log.Fatalf("failed to add core scheme: %v", err)
+	}
+	crc, err := crclient.New(spokeConfig, crclient.Options{Scheme: scheme})
+	if err != nil {
+		log.Fatalf("failed to create controller-runtime client: %v", err)
+	}
+	var crPodList corev1.PodList
+	if err := crc.List(context.Background(), &crPodList); err != nil {
+		log.Fatalf("failed to list pods with controller-runtime: %v", err)
+	}
+	log.Printf("[controller-runtime] Listed %d pods on spoke cluster", len(crPodList.Items))
+	for _, p := range crPodList.Items {
+		log.Printf("[controller-runtime] pod: %s/%s", p.Namespace, p.Name)
 	}
 }

examples/controller-example/setup-kind-demo.sh

@@ -125,7 +125,7 @@ EOF
 STATUS_PATCH=$(cat <<EOF
 {
   "status": {
-    "credentialProviders": [
+    "accessProviders": [
       {
         "name": "secretreader",
         "cluster": {