cyborg: Implement Cyborg top-level controller reconcile loop

Add full reconcile logic for the Cyborg CR:
- Manage RBAC resources (ServiceAccount, Role, RoleBinding)
- Validate input password secret and RabbitMQ TransportURL secret
- Create MariaDB database and run DB sync job via a batch Job
- Register Cyborg service in Keystone
- Create a sub-level secret aggregating DB credentials, transport URL
  and service password to be consumed by CyborgAPI and CyborgConductor
- Track readiness via structured conditions on CyborgStatus
- Add functional tests covering the full reconcile flow

Assisted-By: Claude
Signed-off-by: Alfredo Moralejo <amoralej@redhat.com>

Author: amoralej

Makefile

@@ -114,13 +114,13 @@ docker-buildx: ## Build and push docker image for the manager for cross-platform
 
 .PHONY: manifests
 manifests: gowork controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
-	$(CONTROLLER_GEN) crd webhook paths="./api/nova/..." paths="./api/placement/..." paths="./internal/webhook/nova/..." paths="./internal/webhook/placement/..." output:crd:artifacts:config=config/crd/bases output:webhook:artifacts:config=config/webhook && \
+	$(CONTROLLER_GEN) crd webhook paths="./api/nova/..." paths="./api/placement/..." paths="./api/cyborg/..." paths="./internal/webhook/nova/..." paths="./internal/webhook/placement/..." paths="./internal/webhook/cyborg/..." output:crd:artifacts:config=config/crd/bases output:webhook:artifacts:config=config/webhook && \
 	$(CONTROLLER_GEN) rbac:roleName=manager-role paths="./..." output:dir=config/rbac && \
 	rm -f api/bases/* && cp -a config/crd/bases api/
 
 .PHONY: generate
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
-	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./api/nova/..." paths="./api/placement/..."
+	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./api/nova/..." paths="./api/placement/..." paths="./api/cyborg/..."
 
 .PHONY: fmt
 fmt: ## Run go fmt against code.

api/bases/cyborg.openstack.org_cyborgs.yaml

@@ -524,6 +524,7 @@ spec:
                   e.g. to check logs
                 type: boolean
               secret:
+                default: osp-secret
                 description: |-
                   Secret is the name of the Secret instance containing password
                   information for cyborg like the keystone service password and DB passwords
@@ -554,7 +555,6 @@ spec:
             - agentContainerImageURL
             - apiContainerImageURL
             - conductorContainerImageURL
-            - secret
             type: object
           status:
             description: CyborgStatus defines the observed state of Cyborg.
@@ -564,6 +564,13 @@ spec:
                   from cyborg-api
                 format: int32
                 type: integer
+              applicationCredentialSecret:
+                description: |-
+                  ApplicationCredentialSecret - the AC secret cyborg is currently
+                  consuming and protecting with the openstack.org/cyborg-ac-consumer
+                  finalizer. Tracked so the controller can remove its finalizer from the
+                  old secret when the openstack-operator rotates the reference.
+                type: string
               conditions:
                 description: Conditions
                 items:
@@ -611,12 +618,22 @@ spec:
                   ready from cyborg-conductor
                 format: int32
                 type: integer
+              hash:
+                additionalProperties:
+                  type: string
+                description: Hash - Map of hashes to track e.g. job status
+                type: object
               observedGeneration:
-                description: ObservedGeneration - the most recent generation observed
-                  for this service. If the observed generation is less than the spec
-                  generation, then the controller has not processed the latest changes.
+                description: |-
+                  ObservedGeneration - the most recent generation observed for this
+                  service. If the observed generation is less than the spec generation,
+                  then the controller has not processed the latest changes.
                 format: int64
                 type: integer
+              serviceID:
+                description: ServiceID - The ID of the cyborg service registered in
+                  keystone
+                type: string
             type: object
         type: object
     served: true

api/cyborg/v1beta1/conditions.go

@@ -0,0 +1,55 @@
+/*
+Copyright 2026.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
+
+const (
+	// DbSyncHash hash
+	DbSyncHash = "dbsync"
+)
+
+const (
+	// CyborgRabbitMQTransportURLReadyCondition indicates whether the Cyborg RabbitMQ TransportURL is ready
+	CyborgRabbitMQTransportURLReadyCondition condition.Type = "CyborgRabbitMQTransportURLReady"
+
+	// CyborgAPIReadyCondition indicates whether the CyborgAPI is ready
+	CyborgAPIReadyCondition condition.Type = "CyborgAPIReady"
+
+	// CyborgConductorReadyCondition indicates whether the CyborgConductor is ready
+	CyborgConductorReadyCondition condition.Type = "CyborgConductorReady"
+)
+
+const (
+	// CyborgRabbitMQTransportURLReadyRunningMessage -
+	CyborgRabbitMQTransportURLReadyRunningMessage = "CyborgRabbitMQTransportURL creation in progress"
+
+	// CyborgRabbitMQTransportURLReadyMessage -
+	CyborgRabbitMQTransportURLReadyMessage = "CyborgRabbitMQTransportURL successfully created"
+
+	// CyborgRabbitMQTransportURLReadyErrorMessage -
+	CyborgRabbitMQTransportURLReadyErrorMessage = "CyborgRabbitMQTransportURL error occurred %s"
+
+	// CyborgAPIReadyInitMessage -
+	CyborgAPIReadyInitMessage = "CyborgAPI not started"
+
+	// CyborgConductorReadyInitMessage -
+	CyborgConductorReadyInitMessage = "CyborgConductor not started"
+
+	// CyborgApplicationCredentialSecretErrorMessage -
+	CyborgApplicationCredentialSecretErrorMessage = "Error with application credential secret"
+)

api/cyborg/v1beta1/cyborg_types.go

@@ -64,7 +64,8 @@ type CyborgSpecCore struct {
 	// APITimeout for Route and Apache
 	APITimeout *int `json:"apiTimeout"`
 
-	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=osp-secret
 	// Secret is the name of the Secret instance containing password
 	// information for cyborg like the keystone service password and DB passwords
 	Secret *string `json:"secret"`
@@ -114,14 +115,28 @@ type CyborgStatus struct {
 	// Conditions
 	Conditions condition.Conditions `json:"conditions,omitempty" optional:"true"`
 
+	// ServiceID - The ID of the cyborg service registered in keystone
+	ServiceID string `json:"serviceID,omitempty"`
+
+	// Hash - Map of hashes to track e.g. job status
+	Hash map[string]string `json:"hash,omitempty"`
+
 	// APIServiceReadyCount defines the number or replicas ready from cyborg-api
 	APIServiceReadyCount int32 `json:"apiServiceReadyCount,omitempty"`
 
 	// ConductorServiceReadyCount defines the number or replicas ready from cyborg-conductor
 	ConductorServiceReadyCount int32 `json:"conductorServiceReadyCount,omitempty"`
 
-	//ObservedGeneration - the most recent generation observed for this service. If the observed generation is less than the spec generation, then the controller has not processed the latest changes.
+	// ObservedGeneration - the most recent generation observed for this
+	// service. If the observed generation is less than the spec generation,
+	// then the controller has not processed the latest changes.
 	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+
+	// ApplicationCredentialSecret - the AC secret cyborg is currently
+	// consuming and protecting with the openstack.org/cyborg-ac-consumer
+	// finalizer. Tracked so the controller can remove its finalizer from the
+	// old secret when the openstack-operator rotates the reference.
+	ApplicationCredentialSecret string `json:"applicationCredentialSecret,omitempty"`
 }
 
 // +kubebuilder:object:root=true
@@ -145,6 +160,26 @@ type CyborgList struct {
 	Items           []Cyborg `json:"items"`
 }
 
+// RbacConditionsSet sets the conditions for the RBAC reconciliation
+func (instance Cyborg) RbacConditionsSet(c *condition.Condition) {
+	instance.Status.Conditions.Set(c)
+}
+
+// RbacNamespace returns the namespace
+func (instance Cyborg) RbacNamespace() string {
+	return instance.Namespace
+}
+
+// RbacResourceName returns the name to be used for RBAC objects (serviceaccount, role, rolebinding)
+func (instance Cyborg) RbacResourceName() string {
+	return "cyborg-" + instance.Name
+}
+
+// IsReady returns true if the ReadyCondition is true
+func (instance *Cyborg) IsReady() bool {
+	return instance.Status.Conditions.IsTrue(condition.ReadyCondition)
+}
+
 func init() {
 	SchemeBuilder.Register(&Cyborg{}, &CyborgList{})
 }

api/cyborg/v1beta1/zz_generated.deepcopy.go

@@ -41,6 +41,7 @@ import (
 	cyborgcontroller "github.com/openstack-k8s-operators/nova-operator/internal/controller/cyborg"
 	novacontroller "github.com/openstack-k8s-operators/nova-operator/internal/controller/nova"
 	placementcontroller "github.com/openstack-k8s-operators/nova-operator/internal/controller/placement"
+	cyborgwebhookv1beta1 "github.com/openstack-k8s-operators/nova-operator/internal/webhook/cyborg/v1beta1"
 	webhookv1beta1 "github.com/openstack-k8s-operators/nova-operator/internal/webhook/nova/v1beta1"
 	placementwebhookv1 "github.com/openstack-k8s-operators/nova-operator/internal/webhook/placement/v1beta1"
 	// +kubebuilder:scaffold:imports
@@ -51,7 +52,7 @@ import (
 	keystonev1 "github.com/openstack-k8s-operators/keystone-operator/api/v1beta1"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/operator"
 	mariadbv1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1"
-	cyborgv1beta1 "github.com/openstack-k8s-operators/nova-operator/api/cyborg/v1beta1"
+	cyborgv1 "github.com/openstack-k8s-operators/nova-operator/api/cyborg/v1beta1"
 	novav1 "github.com/openstack-k8s-operators/nova-operator/api/nova/v1beta1"
 	placementv1 "github.com/openstack-k8s-operators/nova-operator/api/placement/v1beta1"
 	appsv1 "k8s.io/api/apps/v1"
@@ -77,7 +78,7 @@ func init() {
 	utilruntime.Must(networkv1.AddToScheme(scheme))
 	utilruntime.Must(memcachedv1.AddToScheme(scheme))
 	utilruntime.Must(topologyv1.AddToScheme(scheme))
-	utilruntime.Must(cyborgv1beta1.AddToScheme(scheme))
+	utilruntime.Must(cyborgv1.AddToScheme(scheme))
 	//+kubebuilder:scaffold:scheme
 }
 
@@ -280,6 +281,16 @@ func main() {
 	novav1.SetupDefaults()
 	placementv1.SetupDefaults()
 
+	if os.Getenv("ENABLE_CYBORG") == "true" {
+		cyborgreconcilers := cyborgcontroller.NewReconcilers(mgr, kclient)
+		err = cyborgreconcilers.Setup(mgr, setupLog)
+		if err != nil {
+			setupLog.Error(err, "unable to create controller", "controller", "Cyborg")
+			os.Exit(1)
+		}
+		cyborgv1.SetupDefaults()
+	}
+
 	// nolint:goconst
 	checker := healthz.Ping
 	if os.Getenv("ENABLE_WEBHOOKS") != "false" {
@@ -321,30 +332,23 @@ func main() {
 			setupLog.Error(err, "unable to create webhook", "webhook", "PlacementAPI")
 			os.Exit(1)
 		}
+		if os.Getenv("ENABLE_CYBORG") == "true" {
+			if err := cyborgwebhookv1beta1.SetupCyborgWebhookWithManager(mgr); err != nil {
+				setupLog.Error(err, "unable to create webhook", "webhook", "Cyborg")
+				os.Exit(1)
+			}
+			if err := cyborgwebhookv1beta1.SetupCyborgAPIWebhookWithManager(mgr); err != nil {
+				setupLog.Error(err, "unable to create webhook", "webhook", "CyborgAPI")
+				os.Exit(1)
+			}
+			if err := cyborgwebhookv1beta1.SetupCyborgConductorWebhookWithManager(mgr); err != nil {
+				setupLog.Error(err, "unable to create webhook", "webhook", "CyborgConductor")
+				os.Exit(1)
+			}
+		}
 		checker = mgr.GetWebhookServer().StartedChecker()
-
-	}
-	if err := (&cyborgcontroller.CyborgReconciler{
-		Client: mgr.GetClient(),
-		Scheme: mgr.GetScheme(),
-	}).SetupWithManager(mgr); err != nil {
-		setupLog.Error(err, "unable to create controller", "controller", "Cyborg")
-		os.Exit(1)
-	}
-	if err := (&cyborgcontroller.CyborgAPIReconciler{
-		Client: mgr.GetClient(),
-		Scheme: mgr.GetScheme(),
-	}).SetupWithManager(mgr); err != nil {
-		setupLog.Error(err, "unable to create controller", "controller", "CyborgAPI")
-		os.Exit(1)
-	}
-	if err := (&cyborgcontroller.CyborgConductorReconciler{
-		Client: mgr.GetClient(),
-		Scheme: mgr.GetScheme(),
-	}).SetupWithManager(mgr); err != nil {
-		setupLog.Error(err, "unable to create controller", "controller", "CyborgConductor")
-		os.Exit(1)
 	}
+
 	// +kubebuilder:scaffold:builder
 
 	if metricsCertWatcher != nil {

cmd/main.go

@@ -524,6 +524,7 @@ spec:
                   e.g. to check logs
                 type: boolean
               secret:
+                default: osp-secret
                 description: |-
                   Secret is the name of the Secret instance containing password
                   information for cyborg like the keystone service password and DB passwords
@@ -554,7 +555,6 @@ spec:
             - agentContainerImageURL
             - apiContainerImageURL
             - conductorContainerImageURL
-            - secret
             type: object
           status:
             description: CyborgStatus defines the observed state of Cyborg.
@@ -564,6 +564,13 @@ spec:
                   from cyborg-api
                 format: int32
                 type: integer
+              applicationCredentialSecret:
+                description: |-
+                  ApplicationCredentialSecret - the AC secret cyborg is currently
+                  consuming and protecting with the openstack.org/cyborg-ac-consumer
+                  finalizer. Tracked so the controller can remove its finalizer from the
+                  old secret when the openstack-operator rotates the reference.
+                type: string
               conditions:
                 description: Conditions
                 items:
@@ -611,12 +618,22 @@ spec:
                   ready from cyborg-conductor
                 format: int32
                 type: integer
+              hash:
+                additionalProperties:
+                  type: string
+                description: Hash - Map of hashes to track e.g. job status
+                type: object
               observedGeneration:
-                description: ObservedGeneration - the most recent generation observed
-                  for this service. If the observed generation is less than the spec
-                  generation, then the controller has not processed the latest changes.
+                description: |-
+                  ObservedGeneration - the most recent generation observed for this
+                  service. If the observed generation is less than the spec generation,
+                  then the controller has not processed the latest changes.
                 format: int64
                 type: integer
+              serviceID:
+                description: ServiceID - The ID of the cyborg service registered in
+                  keystone
+                type: string
             type: object
         type: object
     served: true