feat: add --milo-kubeconfig and --leader-election-namespace flags #13

Merged
mattdjenkinson merged 1 commit into main from feat/milo-kubeconfig-flag
May 6, 2026
Conversation

mattdjenkinson commented May 5, 2026
Collaborator

Summary

  • Add a --milo-kubeconfig flag mirroring the fraud manager. When set, the controller's REST config is loaded from that kubeconfig so reconcilers watch Vendor/Subprocessor on Milo's aggregated API server.
  • Add a --leader-election-namespace flag so callers can place the leader-election Lease in a namespace that actually exists on whichever cluster the manager is pointed at. Without this, the live staging deployment had KUBECONFIG overridden to point at Milo and the manager attempted to write the lease into a compliance-system namespace that does not exist on Milo, looping forever on `namespaces "compliance-system" not found` and never starting reconcilers (so no Subprocessor was ever derived from the Active Vendor).
  • Local development (no flags) is unchanged: ctrl.GetConfigOrDie() still picks up the in-cluster or default kubeconfig and lease namespace detection still falls back to controller-runtime's defaults.

This keeps both the reconcilers and the lease on the same control plane (Milo, when configured), which is what we want once multiple replicas run across host clusters: the lease is coordinated by the same API server that owns the resources.

Test plan

  • go build ./... and go vet ./... pass.
  • After this lands and a paired infra PR drops the KUBECONFIG override and adds --milo-kubeconfig=/etc/kubernetes/project-discovery/auth/discovery-kubeconfig.yaml --leader-election-namespace=milo-system, the controller logs `using milo kubeconfig …` followed by `starting manager` and starts reconciling Vendors.
  • `kubectl get leases.coordination.k8s.io -n milo-system compliance.miloapis.com` resolves on Milo (lease lives on Milo, not the host cluster).
  • `kubectl get subprocessors.compliance.miloapis.com -A` shows one Subprocessor for each Active Vendor; the staff portal Subprocessors list populates.

mattdjenkinson requested a review from scotwells May 5, 2026 16:09

When the controller is deployed alongside Milo's aggregated API server,
the Vendor and Subprocessor CRDs live in Milo while the controller pod
runs in the local `compliance-system` namespace on the host cluster.
Forcing every client-go call at Milo (e.g. via `KUBECONFIG`) breaks
leader election because controller-runtime's default lease namespace
detection picks up the host pod's `compliance-system` namespace, which
does not exist on Milo, and the manager spins forever logging
"namespaces \"compliance-system\" not found".

Add two flags so callers can place the manager and its lease anywhere
they need:

- `--milo-kubeconfig`: path to a kubeconfig for the Milo API server.
  When set, the manager's REST config is built from it and reconcilers
  watch Milo CRs. Empty falls back to the in-cluster config for local
  development.
- `--leader-election-namespace`: explicit namespace for the
  leader-election Lease. Defaults to controller-runtime's auto-detection.
  When the manager is pointed at Milo, callers should set this to a
  namespace that exists there (e.g. `milo-system`); the lease is then
  coordinated by the same control plane that owns the resources, which
  matters once we run multiple replicas across host clusters.

Existing local-development setups (no flags) are unaffected.

mattdjenkinson force-pushed the feat/milo-kubeconfig-flag branch from ada7a3d to 3820a9c May 5, 2026 17:02
mattdjenkinson changed the title from "feat: add --milo-kubeconfig flag for split client config" to "feat: add --milo-kubeconfig and --leader-election-namespace flags" May 5, 2026
mattdjenkinson merged commit 6c3229f into main May 6, 2026
3 checks passed
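
A startup preflight for the failure mode described in this PR, as an added example that is not the project's code: it parses the two flags and refuses to start when the Lease namespace would not exist on the API server the manager targets. The `resolveTarget` function, the `nsExists` lookup, and the rule that `--milo-kubeconfig` must be paired with `--leader-election-namespace` are assumptions of this example; the PR itself leaves the namespace optional.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"os"
)

// target describes where the manager's REST config and Lease will live.
type target struct {
	Kubeconfig     string // empty: in-cluster or default kubeconfig
	LeaseNamespace string // empty: controller-runtime auto-detection
}

// nsExists is a hypothetical lookup against the target API server; a real
// manager would do a Namespace GET using the REST config it just loaded.
type nsExists func(ns string) bool

// resolveTarget parses the two flags from the PR and rejects combinations
// that would reproduce the staging loop before leader election starts.
func resolveTarget(args []string, exists nsExists) (target, error) {
	var t target
	fs := flag.NewFlagSet("manager", flag.ContinueOnError)
	fs.StringVar(&t.Kubeconfig, "milo-kubeconfig", "", "kubeconfig for the Milo API server")
	fs.StringVar(&t.LeaseNamespace, "leader-election-namespace", "", "namespace for the leader-election Lease")
	if err := fs.Parse(args); err != nil {
		return target{}, err
	}
	// Remote control plane plus auto-detected namespace: auto-detection
	// yields the host pod's namespace, which may not exist on Milo.
	if t.Kubeconfig != "" && t.LeaseNamespace == "" {
		return target{}, errors.New("--milo-kubeconfig requires --leader-election-namespace")
	}
	if t.LeaseNamespace != "" && !exists(t.LeaseNamespace) {
		return target{}, fmt.Errorf("lease namespace %q not found on target API server", t.LeaseNamespace)
	}
	return t, nil
}

func main() {
	// Constructed sample: namespaces present on the Milo control plane.
	milo := map[string]bool{"milo-system": true}
	t, err := resolveTarget(os.Args[1:], func(ns string) bool { return milo[ns] })
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to start:", err)
		os.Exit(1)
	}
	fmt.Printf("kubeconfig=%q lease-namespace=%q\n", t.Kubeconfig, t.LeaseNamespace)
}
```

Failing fast here turns a silent retry loop into a visible crash, which a deployment's readiness and alerting can catch.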