feat: Deco CRD and BuildReconciler for cfworkers (#5)

* feat: add DecoBuild CRD and BuildReconciler for cfworkers builds

- DecoBuild CRD: represents a cfworkers build request; operator creates K8s Jobs
- BuildReconciler: watches DecoBuild, generates S3 presigned URLs, creates Job
- build/job.go: Job spec builder (cfworkers-builder image, env vars, TTL 24h)
- build/s3presign.go: generates presigned URLs for logs/cache using aws-sdk-go-v2
- RBAC: batch/jobs + deco.sites/decobuilds permissions
- Chart bumped to v0.3.0; cfworkers env vars injected from ExternalSecret

* chore: go mod tidy — add aws-sdk-go-v2 go.sum entries

* fix: gofmt formatting in build/job.go constants

* fix: wire DecoBuild CRD and cfworkers env vars into Helm generator

- Add deco.sites_decobuilds.yaml to config/crd/kustomization.yaml so helm-generator picks it up
- Add cfworkers env vars block to helm-generator addEnvVarsToDeployment
- Regenerate chart templates via make manifests helm

* feat: replace DecoBuild CRD with Deco CR for cfworkers builds and previews

Replaces the per-build DecoBuild CRD with a site-scoped Deco CR that owns
both production and preview builds. The operator reconciles spec.build.source
for production deploys and spec.previews.active[] for concurrent PR previews,
fixing the concurrent PR overwrite bug.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: also set WORKER_NAME env var for backwards compat with existing builder images

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* revert: remove WORKER_NAME backwards compat, use DECO_SITE_NAME only

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: remove DecoBuild CRD — using Deco CR directly for cfworkers builds

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* refactor(operator): decouple reconciler from cfworkers via JobFactory

The DecoReconciler no longer holds cfworkers-specific credentials
(CfApiToken, CfAccountId, S3Config). A JobFactory function type is
injected at startup, keeping the reconciler platform-agnostic. Future
serving types just need a new factory wired in main.go.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* refactor(operator): move platform-specific constants into JobFactory

BuilderImage, TTLSeconds, LogsBucket and CacheBucket are now fields on
JobOpts/S3Config instead of hardcoded constants. The cfworkers factory in
main.go owns these values. spec.build.builder in the CR still takes
precedence over the platform default for BuilderImage.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* refactor(operator): support multiple serving types via factory registry

Replace single JobFactory field with Factories map[string]JobFactory keyed
by spec.serving.type. createJob looks up the factory by type and returns an
error for unknown types. A new platform just registers its factory in main.go.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* rename: JobOpts → CfWorkersJobOpts, NewJob → NewCfWorkersJob

Makes the cfworkers-specific types explicit in the build package so future
platforms can add their own types alongside without ambiguity.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* refactor(operator): introduce build.Registry for platform dispatch

Move serving-type dispatch out of the controller into build.Registry.
The controller now holds a *build.Registry and calls registry.NewJob()
without knowing about platforms. New platforms register via registry.Register()
in main.go.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* rename: build/job.go → build/cfworkers.go

Clarifies that this file is cfworkers-specific. Generic build helpers
(registry, s3presign) stay at the package level; platform-specific
implementations get their own file.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: bump version to 0.2.7

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: revert version to 0.2.6

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: move s3Region from values to secret

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat: add cfworkers build duration and count metrics

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: address CI lint failures and move S3_REGION to secretKeyRef

- Fix goconst: extract Succeeded/Failed as constants
- Fix prealloc: pre-allocate newStatuses slice
- Fix lll: break long factory func signature in cmd/main.go
- Fix helm-generator to emit S3_REGION as secretKeyRef (key: s3-region)
- Regenerate CRD template (alphabetical field ordering from controller-gen)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: pin CRD plural to 'decos' via +kubebuilder:resource:path=decos

Without this annotation controller-gen auto-pluralises 'Deco' as 'decoes',
creating a second deco.sites_decoes.yaml alongside the committed
deco.sites_decos.yaml. envtest loads every yaml in config/crd/bases/ so
both CRDs were registered, causing the BeforeSuite context deadline timeout.

Also regenerates deco.sites_decos.yaml from current types (updated schema,
alphabetical field ordering, adds previews/branchRef fields).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: regenerate helm chart CRD template from updated deco.sites_decos.yaml

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* refactor(build): replace Factory func type with Builder interface

* feat(build): add CfWorkersConfig, cfWorkersBuilder, NewCloudflareFactory

* refactor(controller): hold build.Builder interface; update default bucket names

* refactor(main): remove CF/S3 specifics — wire via build.NewCloudflareFactory

* refactor(build): unexport internal types NewCfWorkersJob, CfWorkersJobOpts, PresignedURLs, GeneratePresignedURLs

* refactor(build): remove defaults test — buckets are env-configurable

* chore: remove cfworkers_test.go — follow-up PR

* refactor(build): remove hardcoded default bucket/image names — repo is public

* feat(helm): move S3_REGION to values; add builderImage, s3LogsBucket, s3CacheBucket as plain values

* refactor(helm): split S3 into dedicated s3.existingSecret — shared across build platforms

* refactor(build): rename Registry to BuilderRegistry for clarity

* fix(build): update compile-time check to BuilderRegistry after rename

* feat(crd): add envs and secrets fields to DecoSpecBuild for custom Job env injection

* refactor(build): read envs/secrets directly from Deco spec in newCfWorkersJob

* fix(build): prealloc envFrom, make TTLSecondsAfterFinished configurable via CRD (default 10m)

* fix(build): fix prealloc lint — use make+index instead of make+append for envFrom

* refactor(s3): rename cacheBucket to artifactsBucket — build artifacts not just npm cache

* chore: remove values-local.yaml from .gitignore

* refactor: move artifactsBucket from s3 to cfworkers in chart values

artifactsBucket is platform-specific (Cloudflare Workers), not shared S3
infrastructure, so it belongs under the cfworkers section.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: use Status().Patch() to avoid optimistic concurrency conflicts on status update

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: resolve helm-verify and lint CI failures

- Regenerate CRDs with controller-gen v0.18.0 to match Makefile pin
- Fix gofmt: remove extra alignment spaces in cfworkers.go
- Add phaseRunning constant; replace all "Running" literals in deco_controller
- Add condTypePodsNotified constant in decofile_controller
- Add metricsNamespace/metricsSubsystemValkey constants in metrics.go
- Add valkeyReservedDefault constant in namespace_controller
- Exclude test files from goconst in .golangci.yml

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: igoramf

.golangci.yml

@@ -22,6 +22,8 @@ linters:
     - unparam
     - unused
   settings:
+    goconst:
+      min-occurrences: 3
     revive:
       rules:
         - name: comment-spacings
@@ -36,6 +38,9 @@ linters:
           - dupl
           - lll
         path: internal/*
+      - linters:
+          - goconst
+        path: _test\.go$
     paths:
       - third_party$
       - builtin$

api/v1alpha1/deco_types.go

@@ -0,0 +1,225 @@
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// DecoSpec defines the desired state of a Deco workload.
+type DecoSpec struct {
+	// Type is the workload type. site | server | admin | preview
+	// +optional
+	Type string `json:"type,omitempty"`
+
+	// Site is the site/repository name.
+	// +kubebuilder:validation:Required
+	Site string `json:"site"`
+
+	// Org is the GitHub organization or owner.
+	// +kubebuilder:validation:Required
+	Org string `json:"org"`
+
+	// Framework is the site framework. deno | tanstack | next | remix | static
+	// +optional
+	Framework string `json:"framework,omitempty"`
+
+	// Build describes the production build pipeline.
+	// +optional
+	Build *DecoSpecBuild `json:"build,omitempty"`
+
+	// Serving describes the runtime serving configuration.
+	// +optional
+	Serving *DecoSpecServing `json:"serving,omitempty"`
+
+	// Previews configures preview builds for this site.
+	// Admin adds entries to Previews.Active on PR open and removes on PR close.
+	// +optional
+	Previews *DecoPreviewPolicy `json:"previews,omitempty"`
+}
+
+// DecoEnvVar is a plain environment variable injected into the build Job.
+type DecoEnvVar struct {
+	// Name is the environment variable name.
+	// +kubebuilder:validation:Required
+	Name string `json:"name"`
+	// Value is the literal value.
+	// +optional
+	Value string `json:"value,omitempty"`
+}
+
+// DecoSecretRef mounts all keys of a K8s Secret as environment variables in the build Job.
+type DecoSecretRef struct {
+	// Name is the name of the K8s Secret in the same namespace as the Job.
+	// +kubebuilder:validation:Required
+	Name string `json:"name"`
+	// Optional specifies whether the Secret must exist. Defaults to false.
+	// +optional
+	Optional *bool `json:"optional,omitempty"`
+}
+
+// DecoSpecBuild describes the build pipeline for a workload.
+type DecoSpecBuild struct {
+	// Type is the build mechanism. Currently only k8s-job is supported.
+	// +optional
+	Type string `json:"type,omitempty"`
+
+	// Source identifies the code revision to build.
+	// Repository and owner come from spec.site and spec.org.
+	Source DecoSpecBuildSource `json:"source"`
+
+	// Builder overrides the builder image (repository:tag).
+	// +optional
+	Builder string `json:"builder,omitempty"`
+
+	// Envs are additional plain environment variables injected into the build Job.
+	// +optional
+	Envs []DecoEnvVar `json:"envs,omitempty"`
+
+	// Secrets are K8s Secrets whose keys are mounted as environment variables in the build Job.
+	// The secrets must exist in the same namespace as the Job (the site namespace).
+	// +optional
+	Secrets []DecoSecretRef `json:"secrets,omitempty"`
+
+	// TTLSecondsAfterFinished controls how long the Job is kept after completion.
+	// Defaults to 600 (10 minutes) when not set.
+	// +optional
+	// +kubebuilder:validation:Minimum=0
+	TTLSecondsAfterFinished *int32 `json:"ttlSecondsAfterFinished,omitempty"`
+}
+
+// DecoSpecBuildSource identifies the code revision to build.
+type DecoSpecBuildSource struct {
+	// CommitSha is the git commit SHA to build.
+	// Updating this field triggers a new build.
+	// +kubebuilder:validation:Required
+	CommitSha string `json:"commitSha"`
+
+	// Production indicates whether this is a production deploy.
+	// +optional
+	Production bool `json:"production,omitempty"`
+
+	// BranchRef is the branch name for preview aliases (non-production only).
+	// +optional
+	BranchRef string `json:"branchRef,omitempty"`
+}
+
+// DecoSpecServing describes the runtime serving configuration.
+type DecoSpecServing struct {
+	// Type is the serving runtime. Drives both serving and build job selection.
+	// Supported: cloudflare-worker | knative | deployment
+	// +kubebuilder:validation:Required
+	Type string `json:"type"`
+}
+
+// DecoPreviewPolicy configures the preview system for this site.
+type DecoPreviewPolicy struct {
+	// Type is the preview runtime. cloudflare-preview | statefulset | sandbox
+	// +kubebuilder:validation:Required
+	Type string `json:"type"`
+
+	// MaxActive is the maximum number of concurrent previews the operator will build.
+	// Operator processes only the most recent MaxActive entries in Active.
+	// +optional
+	MaxActive int32 `json:"maxActive,omitempty"`
+
+	// TTL is the duration after which completed previews are eligible for cleanup (e.g. "48h").
+	// +optional
+	TTL string `json:"ttl,omitempty"`
+
+	// Active is the list of preview builds currently requested.
+	// Admin adds entries on PR open, removes on PR close.
+	// +optional
+	Active []DecoPreviewRequest `json:"active,omitempty"`
+}
+
+// DecoPreviewRequest identifies a single preview build request.
+type DecoPreviewRequest struct {
+	// CommitSha is the git commit SHA to build.
+	// +kubebuilder:validation:Required
+	CommitSha string `json:"commitSha"`
+
+	// BranchRef is the branch or PR ref (used as the wrangler preview alias).
+	// +kubebuilder:validation:Required
+	BranchRef string `json:"branchRef"`
+
+	// PrId is the pull request ID, for tracking.
+	// +optional
+	PrId string `json:"prId,omitempty"`
+}
+
+// DecoStatus defines the observed state of a Deco workload.
+type DecoStatus struct {
+	// Build tracks the current production build lifecycle.
+	// +optional
+	Build *DecoStatusBuild `json:"build,omitempty"`
+
+	// Previews tracks the build status of each active preview.
+	// +optional
+	Previews []DecoPreviewStatus `json:"previews,omitempty"`
+}
+
+// DecoStatusBuild tracks the production build lifecycle.
+type DecoStatusBuild struct {
+	// Phase is the current build phase: Running | Succeeded | Failed
+	// +optional
+	Phase string `json:"phase,omitempty"`
+
+	// CommitSha is the commit currently being built (or last attempted).
+	// +optional
+	CommitSha string `json:"commitSha,omitempty"`
+
+	// LastBuiltCommit is the commit SHA of the last successful build.
+	// +optional
+	LastBuiltCommit string `json:"lastBuiltCommit,omitempty"`
+
+	// JobName is the K8s Job name for the current build.
+	// +optional
+	JobName string `json:"jobName,omitempty"`
+
+	// StartTime is when the current build started.
+	// +optional
+	StartTime *metav1.Time `json:"startTime,omitempty"`
+
+	// CompletionTime is when the current build finished.
+	// +optional
+	CompletionTime *metav1.Time `json:"completionTime,omitempty"`
+}
+
+// DecoPreviewStatus tracks the build status of a single preview.
+type DecoPreviewStatus struct {
+	CommitSha      string       `json:"commitSha"`
+	BranchRef      string       `json:"branchRef"`
+	PrId           string       `json:"prId,omitempty"`
+	JobName        string       `json:"jobName,omitempty"`
+	Phase          string       `json:"phase"`
+	StartTime      *metav1.Time `json:"startTime,omitempty"`
+	CompletionTime *metav1.Time `json:"completionTime,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:path=decos
+// +kubebuilder:printcolumn:name="Site",type=string,JSONPath=`.spec.site`
+// +kubebuilder:printcolumn:name="Serving",type=string,JSONPath=`.spec.serving.type`
+// +kubebuilder:printcolumn:name="Commit",type=string,JSONPath=`.spec.build.source.commitSha`
+// +kubebuilder:printcolumn:name="Phase",type=string,JSONPath=`.status.build.phase`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+
+// Deco is the Schema for the decos API.
+type Deco struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   DecoSpec   `json:"spec,omitempty"`
+	Status DecoStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// DecoList contains a list of Deco.
+type DecoList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Deco `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&Deco{}, &DecoList{})
+}