feat(conductor): mismatchContext + RemediationApproval gate + seam webhook enable

Makefile

@@ -1,6 +1,11 @@
-# Image tag default — override via environment: TAG=v1.9.3-r1 make docker-build
+# Image tag default — override via environment: TAG=v0.1.0 make docker-build
+# EXEC_TAG controls the conductor-exec image tag independently; defaults to TAG.
+# conductor-exec tracks the Talos version (e.g. v1.9.3). Bump EXEC_TAG when
+# a new Talos version is validated, not when the operator code changes.
+# Example: make docker-build TAG=v0.1.0 EXEC_TAG=v1.9.3
 IMAGE_REGISTRY ?= registry.ontai.dev/ontai-dev
 TAG            ?= dev
+EXEC_TAG       ?= $(TAG)
 
 .PHONY: build test test-unit test-integration test-all e2e lint lint-docs lint-images install-hooks clean docker-build docker-push
 
@@ -67,21 +72,25 @@ docker-build:
 		..
 	docker build \
 		--platform linux/amd64 \
-		-f Dockerfile.execute \
-		-t $(IMAGE_REGISTRY)/conductor-execute:$(TAG) \
+		-f Dockerfile.agent \
+		-t $(IMAGE_REGISTRY)/conductor:$(TAG) \
 		..
+
+docker-build-execute:
 	docker build \
 		--platform linux/amd64 \
-		-f Dockerfile.agent \
-		-t $(IMAGE_REGISTRY)/conductor:$(TAG) \
+		-f Dockerfile.execute \
+		-t $(IMAGE_REGISTRY)/conductor-exec:$(EXEC_TAG) \
 		..
 
-# docker-push pushes all three already-built conductor images to the registry.
+# docker-push pushes compiler and agent images to the registry.
 docker-push:
 	docker push $(IMAGE_REGISTRY)/compiler:$(TAG)
-	docker push $(IMAGE_REGISTRY)/conductor-execute:$(TAG)
 	docker push $(IMAGE_REGISTRY)/conductor:$(TAG)
 
+docker-push-execute:
+	docker push $(IMAGE_REGISTRY)/conductor-exec:$(EXEC_TAG)
+
 # lint-images verifies all three conductor images exist in the local OCI registry.
 lint-images:
 	@echo ">>> lint-images: checking conductor images in registry"

api/conductor/v1alpha1/groupversion_info.go

@@ -0,0 +1,19 @@
+// Package v1alpha1 contains API types for the conductor.ontai.dev group.
+// CRDs in this package are Conductor-internal resources (RemediationPolicy,
+// RemediationApproval) that govern the Conductor Watchdog remediation lifecycle.
+// Group: conductor.ontai.dev.
+//
+// +groupName=conductor.ontai.dev
+// +kubebuilder:object:generate=true
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+var (
+	GroupVersion  = schema.GroupVersion{Group: "conductor.ontai.dev", Version: "v1alpha1"}
+	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+	AddToScheme   = SchemeBuilder.AddToScheme
+)

api/conductor/v1alpha1/remediationapproval_types.go

@@ -0,0 +1,78 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// RemediationApprovalSpec is authored by a human operator to grant permission
+// for automatic redeployment of an exhausted PackInstalled. INV-007.
+type RemediationApprovalSpec struct {
+	// PackInstalledRef is the name+namespace of the PackInstalled that requires
+	// redeployment approval.
+	PackInstalledRef RemediationApprovalRef `json:"packInstalledRef"`
+
+	// FailureReason is the FailureReason enum value from the Exhausted DriftSignal
+	// that triggered this approval request.
+	// +kubebuilder:validation:Enum=CrashLoopBackOff;OOMKilled;ImagePullBackOff;FailedMount;MultiAttachError
+	FailureReason string `json:"failureReason"`
+
+	// ApprovedBy is the identity of the human approver.
+	ApprovedBy string `json:"approvedBy"`
+
+	// ApprovedAt is the time this approval was granted.
+	ApprovedAt metav1.Time `json:"approvedAt"`
+}
+
+// RemediationApprovalRef is a name+namespace reference to a PackInstalled CR.
+type RemediationApprovalRef struct {
+	// Name is the PackInstalled CR name.
+	Name string `json:"name"`
+	// Namespace is the namespace of the PackInstalled CR.
+	Namespace string `json:"namespace"`
+}
+
+// RemediationApprovalStatus is the observed state of a RemediationApproval.
+type RemediationApprovalStatus struct {
+	// ObservedGeneration is the generation most recently reconciled.
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+
+	// Acted is true when the management Conductor has consumed this approval
+	// and initiated redeployment.
+	// +optional
+	Acted bool `json:"acted,omitempty"`
+
+	// ActedAt is the time the approval was consumed.
+	// +optional
+	ActedAt *metav1.Time `json:"actedAt,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Namespaced,shortName=ra
+
+// RemediationApproval is a human-authored CR that grants permission for the
+// Conductor Watchdog to initiate a full PackDelivery redeployment after exhausting
+// automated remediation attempts. INV-007: destructive operations require an
+// affirmative CR with a human approval gate.
+// group: conductor.ontai.dev.
+type RemediationApproval struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   RemediationApprovalSpec   `json:"spec,omitempty"`
+	Status RemediationApprovalStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// RemediationApprovalList contains a list of RemediationApproval.
+type RemediationApprovalList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []RemediationApproval `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&RemediationApproval{}, &RemediationApprovalList{})
+}

api/conductor/v1alpha1/remediationpolicy_types.go

@@ -0,0 +1,125 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// ThresholdsSection maps each FailureReason to the consecutive failure count
+// required to trigger the watchdog. Keys are seam-sdk FailureReason string values.
+// When a FailureReason key is absent, the default threshold of 3 applies.
+type ThresholdsSection struct {
+	// PerReason maps FailureReason string values to threshold counts.
+	// Absent keys use the default threshold of 3.
+	// +optional
+	PerReason map[string]int32 `json:"perReason,omitempty"`
+}
+
+// StrategySection maps each FailureReason to the RemediationStrategy to apply.
+// Keys are seam-sdk FailureReason string values.
+// When a FailureReason key is absent, the DefaultStrategy() from seam-sdk applies.
+type StrategySection struct {
+	// PerReason maps FailureReason string values to RemediationStrategy string values.
+	// Absent keys use the seam-sdk DefaultStrategy for the given reason.
+	// +optional
+	PerReason map[string]string `json:"perReason,omitempty"`
+}
+
+// EscalationSection defines behaviour after the remediation attempt count is exhausted.
+type EscalationSection struct {
+	// MaxAttempts is the maximum number of remediation Jobs to submit before
+	// marking the DriftSignal as Exhausted. Default: 3.
+	// +kubebuilder:default=3
+	// +optional
+	MaxAttempts int32 `json:"maxAttempts,omitempty"`
+
+	// TimeoutWindow is the duration the tenant Conductor waits for acknowledgement
+	// before re-emitting the DriftSignal. Default: 5m.
+	// +optional
+	TimeoutWindow *metav1.Duration `json:"timeoutWindow,omitempty"`
+
+	// AutomaticRedeployment enables the Conductor to signal the Dispatcher for a
+	// full PackDelivery redeployment when Exhausted=true. Requires explicit Governor
+	// enablement. Default: false. INV-007.
+	// +kubebuilder:default=false
+	// +optional
+	AutomaticRedeployment bool `json:"automaticRedeployment,omitempty"`
+}
+
+// RemediationPolicySpec declares the remediation behaviour for packs referencing
+// this policy. When a PackInstalled does not reference a policy, the platform
+// defaults apply (threshold=3, per-reason default strategies, MaxAttempts=3, 5m window).
+type RemediationPolicySpec struct {
+	// Thresholds configures per-FailureReason consecutive failure counts.
+	// +optional
+	Thresholds ThresholdsSection `json:"thresholds,omitempty"`
+
+	// Strategy configures per-FailureReason remediation actions.
+	// +optional
+	Strategy StrategySection `json:"strategy,omitempty"`
+
+	// Escalation configures the post-exhaustion behaviour.
+	// +optional
+	Escalation EscalationSection `json:"escalation,omitempty"`
+}
+
+// RemediationPolicyStatus is the observed state of a RemediationPolicy.
+type RemediationPolicyStatus struct {
+	// ObservedGeneration is the generation most recently reconciled.
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Namespaced,shortName=rp
+
+// RemediationPolicy declares the automated remediation behaviour for packs
+// on a target cluster. Referenced by PackInstalled.spec.remediationPolicyRef.
+// group: conductor.ontai.dev.
+type RemediationPolicy struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   RemediationPolicySpec   `json:"spec,omitempty"`
+	Status RemediationPolicyStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// RemediationPolicyList contains a list of RemediationPolicy.
+type RemediationPolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []RemediationPolicy `json:"items"`
+}
+
+// DefaultThreshold is the consecutive failure count applied when a FailureReason
+// has no explicit entry in ThresholdsSection.
+const DefaultThreshold int32 = 3
+
+// DefaultMaxAttempts is the maximum remediation Job count when
+// EscalationSection.MaxAttempts is zero.
+const DefaultMaxAttempts int32 = 3
+
+// ThresholdFor returns the configured threshold for the given FailureReason,
+// falling back to DefaultThreshold when not explicitly set.
+func (p *RemediationPolicySpec) ThresholdFor(reason string) int32 {
+	if p.Thresholds.PerReason != nil {
+		if v, ok := p.Thresholds.PerReason[reason]; ok && v > 0 {
+			return v
+		}
+	}
+	return DefaultThreshold
+}
+
+// MaxAttempts returns the effective MaxAttempts, applying the default when zero.
+func (p *RemediationPolicySpec) EffectiveMaxAttempts() int32 {
+	if p.Escalation.MaxAttempts > 0 {
+		return p.Escalation.MaxAttempts
+	}
+	return DefaultMaxAttempts
+}
+
+func init() {
+	SchemeBuilder.Register(&RemediationPolicy{}, &RemediationPolicyList{})
+}

api/conductor/v1alpha1/remediationpolicy_types_test.go

@@ -0,0 +1,45 @@
+package v1alpha1
+
+import (
+	"testing"
+)
+
+func TestThresholdForDefault(t *testing.T) {
+	spec := &RemediationPolicySpec{}
+	got := spec.ThresholdFor("CrashLoopBackOff")
+	if got != DefaultThreshold {
+		t.Errorf("ThresholdFor with empty policy = %d, want %d", got, DefaultThreshold)
+	}
+}
+
+func TestThresholdForExplicit(t *testing.T) {
+	spec := &RemediationPolicySpec{
+		Thresholds: ThresholdsSection{
+			PerReason: map[string]int32{"CrashLoopBackOff": 5},
+		},
+	}
+	got := spec.ThresholdFor("CrashLoopBackOff")
+	if got != 5 {
+		t.Errorf("ThresholdFor explicit = %d, want 5", got)
+	}
+	other := spec.ThresholdFor("OOMKilled")
+	if other != DefaultThreshold {
+		t.Errorf("ThresholdFor absent key = %d, want %d", other, DefaultThreshold)
+	}
+}
+
+func TestEffectiveMaxAttemptsDefault(t *testing.T) {
+	spec := &RemediationPolicySpec{}
+	if spec.EffectiveMaxAttempts() != DefaultMaxAttempts {
+		t.Errorf("EffectiveMaxAttempts empty = %d, want %d", spec.EffectiveMaxAttempts(), DefaultMaxAttempts)
+	}
+}
+
+func TestEffectiveMaxAttemptsExplicit(t *testing.T) {
+	spec := &RemediationPolicySpec{
+		Escalation: EscalationSection{MaxAttempts: 7},
+	}
+	if spec.EffectiveMaxAttempts() != 7 {
+		t.Errorf("EffectiveMaxAttempts explicit = %d, want 7", spec.EffectiveMaxAttempts())
+	}
+}