add multicluster access provider options to Helm chart

kahirokunn · kahirokunn · commit 29a93173af74 · 2026-04-08T13:04:55.000+09:00
Signed-off-by: kahirokunn &lt;okinakahiro@gmail.com&gt;
Made-with: Cursor
diff --git a/config/charts/knative-operator/templates/credential-providers-config.yaml b/config/charts/knative-operator/templates/credential-providers-config.yaml
@@ -0,0 +1,41 @@
+# Copyright 2026 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- $mc := .Values.knative_operator.knative_operator.multicluster | default dict }}
+{{- if $mc.enabled }}
+{{- $mountPaths := list }}
+{{- range ($mc.plugins | default (list)) }}
+{{-   $mountPaths = append $mountPaths .mountPath }}
+{{- end }}
+{{- $cfg := $mc.accessProvidersConfig | default dict }}
+{{- range ($cfg.providers | default (list)) }}
+{{-   $cmd := (.execConfig | default dict).command | default "" }}
+{{-   if $cmd }}
+{{-     $cmdDir := dir $cmd }}
+{{-     if not (has $cmdDir $mountPaths) }}
+{{-       fail (printf "multicluster validation error: provider %q command %q has parent dir %q which does not match any plugins[].mountPath (have %v); execConfig.command parent directory must equal a plugin mountPath" .name $cmd $cmdDir $mountPaths) }}
+{{-     end }}
+{{-   end }}
+{{- end }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: credential-providers-config
+  namespace: "{{ .Release.Namespace }}"
+  labels:
+    app.kubernetes.io/name: knative-operator
+    app.kubernetes.io/version: "{{ .Chart.Version }}"
+data:
+  config.json: {{ $mc.accessProvidersConfig | default dict | mustToJson | quote }}
+{{- end }}
diff --git a/config/charts/knative-operator/templates/operator.yaml b/config/charts/knative-operator/templates/operator.yaml
@@ -855,5 +855,31 @@ spec:
           ports:
             - name: metrics
               containerPort: 9090
+{{- $mc := .Values.knative_operator.knative_operator.multicluster | default dict }}
+{{- if $mc.enabled }}
+          args:
+            - --credential-providers-config=/etc/cluster-inventory/config.json
+          volumeMounts:
+            - name: cred-config
+              mountPath: /etc/cluster-inventory
+              readOnly: true
+{{- range ($mc.plugins | default list) }}
+            - name: {{ .name }}
+              mountPath: {{ .mountPath }}
+              readOnly: true
+{{- end }}
+{{- end }}
+{{- $mc := .Values.knative_operator.knative_operator.multicluster | default dict }}
+{{- if $mc.enabled }}
+      volumes:
+        - name: cred-config
+          configMap:
+            name: credential-providers-config
+{{- range ($mc.plugins | default list) }}
+        - name: {{ .name }}
+          image:
+            reference: {{ .image }}
+{{- end }}
+{{- end }}
 
 ---
diff --git a/config/charts/knative-operator/values.yaml b/config/charts/knative-operator/values.yaml
@@ -15,6 +15,25 @@ knative_operator:
       limits:
         cpu: 1000m
         memory: 1000Mi
+    # Multi-cluster (Cluster Inventory API): when enabled, the chart mounts
+    # access provider config and optional plugin images, and sets
+    # --credential-providers-config on the operator. ClusterProfile.status
+    # accessProviders are not managed by this chart.
+    multicluster:
+      enabled: false
+      accessProvidersConfig: {}
+      plugins: []
+      # accessProvidersConfig:
+      #   providers:
+      #     - name: token-secretreader
+      #       execConfig:
+      #         apiVersion: client.authentication.k8s.io/v1
+      #         command: /credential-plugins/token-secretreader/kubeconfig-secretreader-plugin
+      #         provideClusterInfo: true
+      # plugins:
+      #   - name: token-secretreader
+      #     image: ghcr.io/example/plugin:v1.0.0
+      #     mountPath: /credential-plugins/token-secretreader
   operator_webhook:
     image: gcr.io/knative-releases/knative.dev/operator/cmd/webhook
     tag: {{ tag }}
diff --git a/docs/release.md b/docs/release.md
@@ -85,7 +85,7 @@ spec:
             ...
             - name: KUBERNETES_MIN_VERSION
               value: "{{ .Values.knative_operator.kubernetes_min_version }}"
-            ...      
+            ...
 ```
 
 and
@@ -106,7 +106,7 @@ spec:
             ...
             - name: KUBERNETES_MIN_VERSION
               value: "{{ .Values.knative_operator.kubernetes_min_version }}"
-            ...      
+            ...
 ```
 
 You need to remove the line containing `logging.request-log-template:`, because the value of this key contains `{{ }}` in the example,
@@ -128,3 +128,8 @@ helm install knative-operator ./knative-operator-{version}.tgz
 ```
 
 Replace `{version}` with the correct version for your artifact.
+
+For multi-cluster installs using `spec.clusterProfileRef` on `KnativeServing` / `KnativeEventing`, set
+`knative_operator.knative_operator.multicluster.enabled` to `true` in `values.yaml` and provide
+`multicluster.accessProvidersConfig` (structured YAML; rendered to the operator's `config.json`) and
+`multicluster.plugins` (image volume mounts for exec plugins).
