Add OpenStackAssistant CRD with MCP server support

Introduces a new OpenStackAssistant custom resource
(assistant.openstack.org/v1beta1) that deploys a managed Goose AI agent
pod for cluster diagnostics via Lightspeed Stack.

OpenStackAssistant CRD and controller:
- New CRD with spec fields for provider type, container image,
  Lightspeed Stack backend configuration, node selectors, and
  additional environment variables
- GooseConfig supports model selection, recipe ConfigMaps (registered
  as Goose slash commands), hints ConfigMaps (written to .goosehints),
  and MCP server references
- Controller creates a ServiceAccount, ClusterRole with read-only RBAC
  for cluster diagnostics, ClusterRoleBinding, ConfigMap with Goose
  configuration and entrypoint script, and the assistant Pod
- Watches referenced Secrets and ConfigMaps; reconciles on changes and
  tracks input hashes to detect drift
- Defaulting webhook sets the container image from an environment
  variable fallback
- Condition-based status reporting (ServiceAccount, RBAC, ConfigMap,
  Pod readiness)

MCP server sidecar support for OpenStackClient:
- New MCPConfig struct (enabled flag, containerImage) on the
  OpenStackClient CR spec
- When enabled, the OpenStackClient controller adds a rhos-mcps MCP
  server sidecar container sharing the same clouds.yaml/secure.yaml
  credential mounts
- Controller creates a ConfigMap with rhos-mcps config (openstack
  enabled, openshift disabled, allow_write: false) and a Service on
  port 8080 for the MCP endpoint
- OpenStackAssistant can reference an OpenStackClient CR by name via
  the openstackClientRef field; the controller auto-computes the
  service URL and TLS CA configuration

Tests:
- Unit tests for the OpenStackAssistant controller covering
  reconciliation, pod creation, config generation, and status
  conditions
- Unit tests for helper functions (entrypoint script generation,
  config building, hash computation)

44 files changed, ~4,300 lines added.

Author: dprince

api/assistant/v1beta1/conditions.go

@@ -0,0 +1,49 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
+)
+
+// OpenStackAssistant Condition Types used by API objects.
+const (
+	// OpenStackAssistantReadyCondition Status=True condition which indicates if OpenStackAssistant is configured and operational
+	OpenStackAssistantReadyCondition condition.Type = "OpenStackAssistantReady"
+)
+
+// Common Messages used by API objects.
+const (
+	// OpenStackAssistantReadyInitMessage
+	OpenStackAssistantReadyInitMessage = "OpenStack Assistant not started"
+
+	// OpenStackAssistantReadyRunningMessage
+	OpenStackAssistantReadyRunningMessage = "OpenStack Assistant in progress"
+
+	// OpenStackAssistantReadyMessage
+	OpenStackAssistantReadyMessage = "OpenStack Assistant created"
+
+	// OpenStackAssistantReadyErrorMessage
+	OpenStackAssistantReadyErrorMessage = "OpenStack Assistant error occured %s"
+
+	// OpenStackAssistantProviderSecretWaitingMessage
+	OpenStackAssistantProviderSecretWaitingMessage = "Waiting for lightspeed provider secret"
+
+	// OpenStackAssistantRecipesWaitingMessage
+	OpenStackAssistantRecipesWaitingMessage = "Waiting for Goose recipes ConfigMap"
+
+	// OpenStackAssistantHintsWaitingMessage
+	OpenStackAssistantHintsWaitingMessage = "Waiting for Goose hints ConfigMap"
+)

api/assistant/v1beta1/groupversion_info.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2022.
+Copyright 2026.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

api/assistant/v1beta1/openstackassistant_types.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2022.
+Copyright 2026.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -17,31 +17,139 @@ limitations under the License.
 package v1beta1
 
 import (
+	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/util"
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
-// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+const (
+	// OpenStackAssistantContainerImage is the fall-back container image for OpenStackAssistant
+	OpenStackAssistantContainerImage = "quay.io/dprince/goose:oc-fedora"
+)
+
+// ProviderType defines the AI agent provider
+// +kubebuilder:validation:Enum=goose
+type ProviderType string
+
+const (
+	// ProviderGoose is the Goose AI agent provider
+	ProviderGoose ProviderType = "goose"
+)
+
+// LightspeedStackSpec defines connectivity to the Lightspeed Stack AI backend
+type LightspeedStackSpec struct {
+	// ProviderSecret is the name of a Secret containing the lightspeed
+	// provider config JSON (custom_providers/lightspeed.json content).
+	// Must contain key "lightspeed.json".
+	// +kubebuilder:validation:Required
+	ProviderSecret string `json:"providerSecret"`
+
+	// CaBundleSecretName is the name of a Secret containing CA certs
+	// to trust for TLS connections to the lightspeed-stack endpoint.
+	// The Secret must contain a key "ca-bundle.crt" with PEM-encoded certs.
+	// +kubebuilder:validation:Optional
+	CaBundleSecretName string `json:"caBundleSecretName,omitempty"`
+}
+
+// MCPServerRef references an MCP server endpoint to configure as a Goose extension.
+// Either URL or OpenStackClientRef must be specified, but not both.
+type MCPServerRef struct {
+	// Name is the extension name in Goose config
+	// +kubebuilder:validation:Required
+	Name string `json:"name"`
+
+	// URL is the MCP server's Streamable HTTP endpoint.
+	// Mutually exclusive with OpenStackClientRef.
+	// +kubebuilder:validation:Optional
+	URL string `json:"url,omitempty"`
+
+	// OpenStackClientRef is the name of an OpenStackClient CR in the same
+	// namespace that has MCP enabled. The controller auto-computes the
+	// correct service URL and TLS CA configuration.
+	// Mutually exclusive with URL.
+	// +kubebuilder:validation:Optional
+	OpenStackClientRef string `json:"openstackClientRef,omitempty"`
+}
 
-// OpenStackAssistantSpec defines the desired state of OpenStackAssistant.
+// GooseConfig defines Goose-specific provider configuration
+type GooseConfig struct {
+	// Model is the model identifier for the Goose AI agent
+	// (e.g., "gemini/models/gemini-2.5-flash"). Sets the GOOSE_MODEL env var.
+	// +kubebuilder:validation:Optional
+	Model string `json:"model,omitempty"`
+
+	// Recipes is a ConfigMap name containing Goose recipe YAML files.
+	// Each key in the ConfigMap becomes a recipe file registered as a
+	// Goose slash command (e.g., /cluster-health).
+	// +kubebuilder:validation:Optional
+	Recipes *string `json:"recipes,omitempty"`
+
+	// Hints is a ConfigMap name containing Goose hints/context.
+	// The ConfigMap must have a key "hints" with the content that
+	// will be written to ~/.goosehints in the pod.
+	// +kubebuilder:validation:Optional
+	Hints *string `json:"hints,omitempty"`
+
+	// MCPServers lists MCP server endpoints to configure as Goose extensions.
+	// +kubebuilder:validation:Optional
+	MCPServers []MCPServerRef `json:"mcpServers,omitempty"`
+}
+
+// OpenStackAssistantSpec defines the desired state of OpenStackAssistant
 type OpenStackAssistantSpec struct {
-	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
+	// ContainerImage for the assistant container (will be set to environmental default if empty).
+	// +kubebuilder:validation:Optional
+	ContainerImage string `json:"containerImage,omitempty"`
 
-	// Foo is an example field of OpenStackAssistant. Edit openstackassistant_types.go to remove/update
-	Foo string `json:"foo,omitempty"`
+	// Provider is the AI agent provider type. Currently only "goose" is supported.
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=goose
+	Provider ProviderType `json:"provider"`
+
+	// LightspeedStack configuration for the AI backend.
+	// +kubebuilder:validation:Required
+	LightspeedStack LightspeedStackSpec `json:"lightspeedStack"`
+
+	// Goose contains Goose-specific provider configuration.
+	// Only applicable when provider is "goose".
+	// +kubebuilder:validation:Optional
+	Goose *GooseConfig `json:"goose,omitempty"`
+
+	// NodeSelector to target subset of worker nodes for pod scheduling.
+	// +kubebuilder:validation:Optional
+	NodeSelector *map[string]string `json:"nodeSelector,omitempty"`
+
+	// Env is a list of additional environment variables for the container.
+	// +kubebuilder:validation:Optional
+	// +listType=map
+	// +listMapKey=name
+	Env []corev1.EnvVar `json:"env,omitempty"`
 }
 
-// OpenStackAssistantStatus defines the observed state of OpenStackAssistant.
+// OpenStackAssistantStatus defines the observed state of OpenStackAssistant
 type OpenStackAssistantStatus struct {
-	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
+	// PodName is the name of the running assistant pod
+	PodName string `json:"podName,omitempty"`
+
+	// Conditions tracks the state of each sub-resource
+	Conditions condition.Conditions `json:"conditions,omitempty" optional:"true"`
+
+	// ObservedGeneration - the most recent generation observed
+	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+
+	// Hash tracks input hashes to detect changes
+	Hash map[string]string `json:"hash,omitempty"`
 }
 
 // +kubebuilder:object:root=true
 // +kubebuilder:subresource:status
+// +operator-sdk:csv:customresourcedefinitions:displayName="OpenStack Assistant"
+// +kubebuilder:resource:shortName=osassistant;osassistants
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[0].status",description="Status"
+// +kubebuilder:printcolumn:name="Message",type="string",JSONPath=".status.conditions[0].message",description="Message"
 
-// OpenStackAssistant is the Schema for the openstackassistants API.
+// OpenStackAssistant is the Schema for the openstackassistants API
 type OpenStackAssistant struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
@@ -52,7 +160,7 @@ type OpenStackAssistant struct {
 
 // +kubebuilder:object:root=true
 
-// OpenStackAssistantList contains a list of OpenStackAssistant.
+// OpenStackAssistantList contains a list of OpenStackAssistant
 type OpenStackAssistantList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
@@ -62,3 +170,51 @@ type OpenStackAssistantList struct {
 func init() {
 	SchemeBuilder.Register(&OpenStackAssistant{}, &OpenStackAssistantList{})
 }
+
+// IsReady - returns true if OpenStackAssistant is reconciled successfully
+func (instance OpenStackAssistant) IsReady() bool {
+	return instance.Status.Conditions.IsTrue(OpenStackAssistantReadyCondition)
+}
+
+// RbacConditionsSet - set the conditions for the rbac object
+func (instance OpenStackAssistant) RbacConditionsSet(c *condition.Condition) {
+	instance.Status.Conditions.Set(c)
+}
+
+// RbacNamespace - return the namespace
+func (instance OpenStackAssistant) RbacNamespace() string {
+	return instance.Namespace
+}
+
+// RbacResourceName - return the name to be used for rbac objects (serviceaccount, role, rolebinding)
+func (instance OpenStackAssistant) RbacResourceName() string {
+	return "openstackassistant-" + instance.Name
+}
+
+// OpenStackAssistantDefaults holds defaults for the assistant
+type OpenStackAssistantDefaults struct {
+	ContainerImageURL string
+}
+
+var openStackAssistantDefaults OpenStackAssistantDefaults
+
+// SetupOpenStackAssistantDefaults - initialize OpenStackAssistant spec defaults
+func SetupOpenStackAssistantDefaults(defaults OpenStackAssistantDefaults) {
+	openStackAssistantDefaults = defaults
+}
+
+// SetupDefaults - initializes any CRD field defaults based on environment variables
+func SetupDefaults() {
+	openStackAssistantDefaults := OpenStackAssistantDefaults{
+		ContainerImageURL: util.GetEnvVar("RELATED_IMAGE_OPENSTACK_ASSISTANT_IMAGE_URL_DEFAULT", OpenStackAssistantContainerImage),
+	}
+
+	SetupOpenStackAssistantDefaults(openStackAssistantDefaults)
+}
+
+// Default implements webhook.Defaulter
+func (r *OpenStackAssistant) Default() {
+	if r.Spec.ContainerImage == "" {
+		r.Spec.ContainerImage = openStackAssistantDefaults.ContainerImageURL
+	}
+}

api/assistant/v1beta1/openstackassistant_webhook.go

@@ -0,0 +1,37 @@
+/*
+Copyright 2026.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+// ValidateCreate implements webhook.Validator
+func (r *OpenStackAssistant) ValidateCreate() (admission.Warnings, error) {
+	return nil, nil
+}
+
+// ValidateUpdate implements webhook.Validator
+func (r *OpenStackAssistant) ValidateUpdate(_ runtime.Object) (admission.Warnings, error) {
+	return nil, nil
+}
+
+// ValidateDelete implements webhook.Validator
+func (r *OpenStackAssistant) ValidateDelete() (admission.Warnings, error) {
+	return nil, nil
+}