knative
diff --git a/‎cmd/operator/main.go‎
Lines changed: 15 additions & 0 deletions b/‎cmd/operator/main.go‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎config/charts/knative-operator/templates/crds/knativeeventings.yaml‎
Lines changed: 27 additions & 1 deletion b/‎config/charts/knative-operator/templates/crds/knativeeventings.yaml‎
Lines changed: 27 additions & 1 deletion
diff --git a/‎config/charts/knative-operator/templates/crds/knativeservings.yaml‎
Lines changed: 27 additions & 1 deletion b/‎config/charts/knative-operator/templates/crds/knativeservings.yaml‎
Lines changed: 27 additions & 1 deletion
diff --git a/‎config/charts/knative-operator/templates/credential-providers-config.yaml‎
Lines changed: 44 additions & 0 deletions b/‎config/charts/knative-operator/templates/credential-providers-config.yaml‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎config/charts/knative-operator/templates/operator.yaml‎
Lines changed: 25 additions & 0 deletions b/‎config/charts/knative-operator/templates/operator.yaml‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎config/charts/knative-operator/templates/rbac/eventing-operator-role.yaml‎
Lines changed: 9 additions & 0 deletions b/‎config/charts/knative-operator/templates/rbac/eventing-operator-role.yaml‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎config/charts/knative-operator/templates/rbac/serving-operator-role.yaml‎
Lines changed: 9 additions & 0 deletions b/‎config/charts/knative-operator/templates/rbac/serving-operator-role.yaml‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎config/charts/knative-operator/values.yaml‎
Lines changed: 20 additions & 0 deletions b/‎config/charts/knative-operator/values.yaml‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎config/crd/bases/operator.knative.dev_knativeeventings.yaml‎
Lines changed: 30 additions & 1 deletion b/‎config/crd/bases/operator.knative.dev_knativeeventings.yaml‎
Lines changed: 30 additions & 1 deletion
diff --git a/‎config/crd/bases/operator.knative.dev_knativeservings.yaml‎
Lines changed: 30 additions & 1 deletion b/‎config/crd/bases/operator.knative.dev_knativeservings.yaml‎
Lines changed: 30 additions & 1 deletion
@@ -17,6 +17,12 @@ limitations under the License.
 package main
 
 import (
+	"flag"
+	"log"
+	"os"
+
+	// Register --clusterprofile-provider-file before sharedmain parses flags.
+	"knative.dev/operator/pkg/reconciler/common"
 	"knative.dev/operator/pkg/reconciler/knativeeventing"
 	"knative.dev/operator/pkg/reconciler/knativeserving"
 	kubefilteredfactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"
@@ -25,6 +31,15 @@ import (
 )
 
 func main() {
+	// Parse flags early so we can validate --clusterprofile-provider-file
+	// before sharedmain starts the controllers. sharedmain.MainWithContext
+	// tolerates a second flag.Parse() call, so we can safely do this here.
+	flag.Parse()
+	if err := common.ValidateClusterProfileProviderFile(); err != nil {
+		log.Printf("invalid multi-cluster configuration: %v", err)
+		os.Exit(2)
+	}
+
 	ctx := signals.NewContext()
 	ctx = kubefilteredfactory.WithSelectors(ctx,
 		knativeserving.Selector,
 
@@ -32,7 +32,11 @@ spec:
     singular: knativeeventing
   scope: Namespaced
   versions:
-  - name: v1beta1
+  - additionalPrinterColumns:
+    - jsonPath: .spec.clusterProfileRef.name
+      name: Target Cluster
+      type: string
+    name: v1beta1
     schema:
       openAPIV3Schema:
         description: KnativeEventing is the Schema for the eventings API
@@ -69,6 +73,25 @@ spec:
                   - URL
                   type: object
                 type: array
+              clusterProfileRef:
+                description: |-
+                  ClusterProfileRef is an optional reference to a ClusterProfile resource
+                  (multicluster.x-k8s.io/v1alpha1). When set, the operator reconciles
+                  the component on the remote cluster described by the referenced
+                  ClusterProfile instead of the local cluster.
+                properties:
+                  name:
+                    description: Name is the name of the ClusterProfile resource.
+                    minLength: 1
+                    type: string
+                  namespace:
+                    description: Namespace is the namespace of the ClusterProfile resource.
+                    minLength: 1
+                    type: string
+                required:
+                - name
+                - namespace
+                type: object
               config:
                 additionalProperties:
                   additionalProperties:
@@ -3363,6 +3386,9 @@ spec:
                   type: object
                 type: array
             type: object
+            x-kubernetes-validations:
+            - message: spec.clusterProfileRef is immutable
+              rule: (!has(self.clusterProfileRef) && !has(oldSelf.clusterProfileRef)) || (has(self.clusterProfileRef) && has(oldSelf.clusterProfileRef) && self.clusterProfileRef == oldSelf.clusterProfileRef)
           status:
             description: KnativeEventingStatus defines the observed state of KnativeEventing
             properties:
 
@@ -32,7 +32,11 @@ spec:
     singular: knativeserving
   scope: Namespaced
   versions:
-  - name: v1beta1
+  - additionalPrinterColumns:
+    - jsonPath: .spec.clusterProfileRef.name
+      name: Target Cluster
+      type: string
+    name: v1beta1
     schema:
       openAPIV3Schema:
         description: KnativeServing is the Schema for the knativeservings API
@@ -69,6 +73,25 @@ spec:
                   - URL
                   type: object
                 type: array
+              clusterProfileRef:
+                description: |-
+                  ClusterProfileRef is an optional reference to a ClusterProfile resource
+                  (multicluster.x-k8s.io/v1alpha1). When set, the operator reconciles
+                  the component on the remote cluster described by the referenced
+                  ClusterProfile instead of the local cluster.
+                properties:
+                  name:
+                    description: Name is the name of the ClusterProfile resource.
+                    minLength: 1
+                    type: string
+                  namespace:
+                    description: Namespace is the namespace of the ClusterProfile resource.
+                    minLength: 1
+                    type: string
+                required:
+                - name
+                - namespace
+                type: object
               config:
                 additionalProperties:
                   additionalProperties:
@@ -3796,6 +3819,9 @@ spec:
                   type: object
                 type: array
             type: object
+            x-kubernetes-validations:
+            - message: spec.clusterProfileRef is immutable
+              rule: (!has(self.clusterProfileRef) && !has(oldSelf.clusterProfileRef)) || (has(self.clusterProfileRef) && has(oldSelf.clusterProfileRef) && self.clusterProfileRef == oldSelf.clusterProfileRef)
           status:
             description: KnativeServingStatus defines the observed state of KnativeServing
             properties:
 
@@ -0,0 +1,44 @@
+# Copyright 2025 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- $mc := .Values.knative_operator.multicluster | default dict }}
+{{- if $mc.enabled }}
+{{- if not $mc.accessProvidersConfig }}
+{{-   fail "knative_operator.multicluster.enabled is true but knative_operator.multicluster.accessProvidersConfig is empty — either provide an access-providers config or disable multi-cluster support" }}
+{{- end }}
+{{- $mountPaths := list }}
+{{- range ($mc.plugins | default (list)) }}
+{{-   $mountPaths = append $mountPaths .mountPath }}
+{{- end }}
+{{- $cfg := $mc.accessProvidersConfig | default dict }}
+{{- range ($cfg.providers | default (list)) }}
+{{-   $cmd := (.execConfig | default dict).command | default "" }}
+{{-   if $cmd }}
+{{-     $cmdDir := dir $cmd }}
+{{-     if not (has $cmdDir $mountPaths) }}
+{{-       fail (printf "multicluster validation error: provider %q command %q has parent dir %q which does not match any plugins[].mountPath (have %v); execConfig.command parent directory must equal a plugin mountPath" .name $cmd $cmdDir $mountPaths) }}
+{{-     end }}
+{{-   end }}
+{{- end }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: clusterprofile-provider-file
+  namespace: "{{ .Release.Namespace }}"
+  labels:
+    app.kubernetes.io/name: knative-operator
+    app.kubernetes.io/version: "{{ .Chart.Version }}"
+data:
+  config.json: {{ $mc.accessProvidersConfig | default dict | mustToJson | quote }}
+{{- end }}
@@ -855,5 +855,30 @@ spec:
           ports:
             - name: metrics
               containerPort: 9090
+{{- $mc := .Values.knative_operator.multicluster | default dict }}
+{{- if $mc.enabled }}
+          args:
+            - --clusterprofile-provider-file=/etc/cluster-inventory/config.json
+          volumeMounts:
+            - name: cred-config
+              mountPath: /etc/cluster-inventory
+              readOnly: true
+{{- range ($mc.plugins | default list) }}
+            - name: {{ .name }}
+              mountPath: {{ .mountPath }}
+              readOnly: true
+{{- end }}
+{{- end }}
+{{- if $mc.enabled }}
+      volumes:
+        - name: cred-config
+          configMap:
+            name: clusterprofile-provider-file
+{{- range ($mc.plugins | default list) }}
+        - name: {{ .name }}
+          image:
+            reference: {{ .image }}
+{{- end }}
+{{- end }}
 
 ---
@@ -401,3 +401,12 @@ rules:
       - list
       - get
       - watch
+  # for multicluster support
+  - apiGroups:
+      - multicluster.x-k8s.io
+    resources:
+      - clusterprofiles
+    verbs:
+      - get
+      - list
+      - watch
@@ -252,6 +252,15 @@ rules:
       - pods
     verbs:
       - get
+  # for multicluster support
+  - apiGroups:
+      - multicluster.x-k8s.io
+    resources:
+      - clusterprofiles
+    verbs:
+      - get
+      - list
+      - watch
 # Copyright 2020 The Knative Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 
@@ -1,4 +1,24 @@
 knative_operator:
+  # Multi-cluster (Cluster Inventory API): when enabled, the chart mounts
+  # access provider config and optional plugin images, and sets
+  # --clusterprofile-provider-file on the operator. ClusterProfile.status
+  # accessProviders are not managed by this chart.
+  multicluster:
+    enabled: false
+    accessProvidersConfig: {}
+    # plugins[] uses the Kubernetes "image" volume type
+    plugins: []
+    # accessProvidersConfig:
+    #   providers:
+    #     - name: token-secretreader
+    #       execConfig:
+    #         apiVersion: client.authentication.k8s.io/v1
+    #         command: /credential-plugins/token-secretreader/kubeconfig-secretreader-plugin
+    #         provideClusterInfo: true
+    # plugins:
+    #   - name: token-secretreader
+    #     image: ghcr.io/example/plugin:v1.0.0
+    #     mountPath: /credential-plugins/token-secretreader
   knative_operator:
     image: gcr.io/knative-releases/knative.dev/operator/cmd/operator
     tag: {{ tag }}
 
@@ -28,7 +28,11 @@ spec:
     singular: knativeeventing
   scope: Namespaced
   versions:
-  - name: v1beta1
+  - additionalPrinterColumns:
+    - jsonPath: .spec.clusterProfileRef.name
+      name: Target Cluster
+      type: string
+    name: v1beta1
     schema:
       openAPIV3Schema:
         description: KnativeEventing is the Schema for the eventings API
@@ -66,6 +70,26 @@ spec:
                   - URL
                   type: object
                 type: array
+              clusterProfileRef:
+                description: |-
+                  ClusterProfileRef is an optional reference to a ClusterProfile resource
+                  (multicluster.x-k8s.io/v1alpha1). When set, the operator reconciles
+                  the component on the remote cluster described by the referenced
+                  ClusterProfile instead of the local cluster.
+                properties:
+                  name:
+                    description: Name is the name of the ClusterProfile resource.
+                    minLength: 1
+                    type: string
+                  namespace:
+                    description: Namespace is the namespace of the ClusterProfile
+                      resource.
+                    minLength: 1
+                    type: string
+                required:
+                - name
+                - namespace
+                type: object
               config:
                 additionalProperties:
                   additionalProperties:
@@ -3524,6 +3548,11 @@ spec:
                   type: object
                 type: array
             type: object
+            x-kubernetes-validations:
+            - message: spec.clusterProfileRef is immutable
+              rule: (!has(self.clusterProfileRef) && !has(oldSelf.clusterProfileRef))
+                || (has(self.clusterProfileRef) && has(oldSelf.clusterProfileRef)
+                && self.clusterProfileRef == oldSelf.clusterProfileRef)
           status:
             description: KnativeEventingStatus defines the observed state of KnativeEventing
             properties:
 
@@ -28,7 +28,11 @@ spec:
     singular: knativeserving
   scope: Namespaced
   versions:
-  - name: v1beta1
+  - additionalPrinterColumns:
+    - jsonPath: .spec.clusterProfileRef.name
+      name: Target Cluster
+      type: string
+    name: v1beta1
     schema:
       openAPIV3Schema:
         description: KnativeServing is the Schema for the knativeservings API
@@ -66,6 +70,26 @@ spec:
                   - URL
                   type: object
                 type: array
+              clusterProfileRef:
+                description: |-
+                  ClusterProfileRef is an optional reference to a ClusterProfile resource
+                  (multicluster.x-k8s.io/v1alpha1). When set, the operator reconciles
+                  the component on the remote cluster described by the referenced
+                  ClusterProfile instead of the local cluster.
+                properties:
+                  name:
+                    description: Name is the name of the ClusterProfile resource.
+                    minLength: 1
+                    type: string
+                  namespace:
+                    description: Namespace is the namespace of the ClusterProfile
+                      resource.
+                    minLength: 1
+                    type: string
+                required:
+                - name
+                - namespace
+                type: object
               config:
                 additionalProperties:
                   additionalProperties:
@@ -4043,6 +4067,11 @@ spec:
                   type: object
                 type: array
             type: object
+            x-kubernetes-validations:
+            - message: spec.clusterProfileRef is immutable
+              rule: (!has(self.clusterProfileRef) && !has(oldSelf.clusterProfileRef))
+                || (has(self.clusterProfileRef) && has(oldSelf.clusterProfileRef)
+                && self.clusterProfileRef == oldSelf.clusterProfileRef)
           status:
             description: KnativeServingStatus defines the observed state of KnativeServing
             properties: