🤖 feat: reconcile CoderControlPlane licenses from Secret

api/v1alpha1/codercontrolplane_types.go

@@ -10,6 +10,8 @@ const (
 	CoderControlPlanePhasePending = "Pending"
 	// CoderControlPlanePhaseReady indicates at least one control plane pod is ready.
 	CoderControlPlanePhaseReady = "Ready"
+	// CoderControlPlaneConditionLicenseApplied indicates whether the operator uploaded the configured license.
+	CoderControlPlaneConditionLicenseApplied = "LicenseApplied"
 )
 
 // CoderControlPlaneSpec defines the desired state of a CoderControlPlane.
@@ -32,6 +34,11 @@ type CoderControlPlaneSpec struct {
 	// OperatorAccess configures bootstrap API access to the coderd instance.
 	// +kubebuilder:default={}
 	OperatorAccess OperatorAccessSpec `json:"operatorAccess,omitempty"`
+	// LicenseSecretRef references a Secret key containing a Coder Enterprise
+	// license JWT. When set, the controller uploads the license after the
+	// control plane is ready and re-uploads when the Secret value changes.
+	// +optional
+	LicenseSecretRef *SecretKeySelector `json:"licenseSecretRef,omitempty"`
 }
 
 // OperatorAccessSpec configures the controller-managed coderd operator user.
@@ -56,6 +63,14 @@ type CoderControlPlaneStatus struct {
 	OperatorTokenSecretRef *SecretKeySelector `json:"operatorTokenSecretRef,omitempty"`
 	// OperatorAccessReady reports whether operator API access bootstrap succeeded.
 	OperatorAccessReady bool `json:"operatorAccessReady,omitempty"`
+	// LicenseLastApplied is the timestamp of the most recent successful
+	// operator-managed license upload.
+	// +optional
+	LicenseLastApplied *metav1.Time `json:"licenseLastApplied,omitempty"`
+	// LicenseLastAppliedHash is the SHA-256 hex hash of the trimmed license JWT
+	// that LicenseLastApplied refers to.
+	// +optional
+	LicenseLastAppliedHash string `json:"licenseLastAppliedHash,omitempty"`
 	// Phase is a high-level readiness indicator.
 	Phase string `json:"phase,omitempty"`
 	// Conditions are Kubernetes-standard conditions for this resource.

api/v1alpha1/types_shared.go

@@ -5,6 +5,8 @@ import corev1 "k8s.io/api/core/v1"
 const (
 	// DefaultTokenSecretKey is the default key used for proxy session tokens.
 	DefaultTokenSecretKey = "token"
+	// DefaultLicenseSecretKey is the default key used for Coder license JWTs.
+	DefaultLicenseSecretKey = "license"
 )
 
 // ServiceSpec defines the Service configuration reconciled by the operator.

config/crd/bases/coder.com_codercontrolplanes.yaml

@@ -226,6 +226,21 @@ spec:
                   type: object
                   x-kubernetes-map-type: atomic
                 type: array
+              licenseSecretRef:
+                description: |-
+                  LicenseSecretRef references a Secret key containing a Coder Enterprise
+                  license JWT. When set, the controller uploads the license after the
+                  control plane is ready and re-uploads when the Secret value changes.
+                properties:
+                  key:
+                    description: Key is the key inside the Secret data map.
+                    type: string
+                  name:
+                    description: Name is the Kubernetes Secret name.
+                    type: string
+                required:
+                - name
+                type: object
               operatorAccess:
                 default: {}
                 description: OperatorAccess configures bootstrap API access to the
@@ -330,6 +345,17 @@ spec:
                   - type
                   type: object
                 type: array
+              licenseLastApplied:
+                description: |-
+                  LicenseLastApplied is the timestamp of the most recent successful
+                  operator-managed license upload.
+                format: date-time
+                type: string
+              licenseLastAppliedHash:
+                description: |-
+                  LicenseLastAppliedHash is the SHA-256 hex hash of the trimmed license JWT
+                  that LicenseLastApplied refers to.
+                type: string
               observedGeneration:
                 description: ObservedGeneration tracks the spec generation this status
                   reflects.

config/samples/coder_v1alpha1_codercontrolplane.yaml

@@ -5,3 +5,6 @@ metadata:
   namespace: default
 spec:
   image: "ghcr.io/coder/coder-k8s:main"
+  licenseSecretRef:
+    name: coder-license
+    key: license

docs/reference/api/codercontrolplane.md

@@ -20,6 +20,7 @@
 | `extraEnv` | [EnvVar](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#envvar-v1-core) array | ExtraEnv are injected into the Coder control plane container. |
 | `imagePullSecrets` | [LocalObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#localobjectreference-v1-core) array | ImagePullSecrets are used by the pod to pull private images. |
 | `operatorAccess` | [OperatorAccessSpec](#operatoraccessspec) | OperatorAccess configures bootstrap API access to the coderd instance. |
+| `licenseSecretRef` | [SecretKeySelector](#secretkeyselector) | LicenseSecretRef references a Secret key containing a Coder Enterprise license JWT. When set, the controller uploads the license after the control plane is ready and re-uploads when the Secret value changes. |
 
 ## Status
 
@@ -30,6 +31,8 @@
 | `url` | string | URL is the in-cluster URL for the control plane service. |
 | `operatorTokenSecretRef` | [SecretKeySelector](#secretkeyselector) | OperatorTokenSecretRef points to the Secret key containing the `coder-k8s-operator` API token. |
 | `operatorAccessReady` | boolean | OperatorAccessReady reports whether operator API access bootstrap succeeded. |
+| `licenseLastApplied` | [Time](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#time-v1-meta) | LicenseLastApplied is the timestamp of the most recent successful operator-managed license upload. |
+| `licenseLastAppliedHash` | string | LicenseLastAppliedHash is the SHA-256 hex hash of the trimmed license JWT that LicenseLastApplied refers to. |
 | `phase` | string | Phase is a high-level readiness indicator. |
 | `conditions` | [Condition](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#condition-v1-meta) array | Conditions are Kubernetes-standard conditions for this resource. |
 

internal/app/controllerapp/controllerapp.go

@@ -88,8 +88,10 @@ func SetupControllers(mgr manager.Manager) error {
 
 	reconciler := &controller.CoderControlPlaneReconciler{
 		Client:                    client,
+		APIReader:                 mgr.GetAPIReader(),
 		Scheme:                    managerScheme,
 		OperatorAccessProvisioner: coderbootstrap.NewPostgresOperatorAccessProvisioner(),
+		LicenseUploader:           controller.NewSDKLicenseUploader(),
 	}
 	if err := reconciler.SetupWithManager(mgr); err != nil {
 		return fmt.Errorf("unable to create controller: %w", err)