Merge pull request #23 from negz/operational

Add support for operations

Author: negz

.github/workflows/ci.yml

@@ -176,4 +176,5 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Push Multi-Platform Package to GHCR
+        if: env.XPKG_ACCESS_ID != ''
         run: "./crossplane --verbose xpkg push --package-files $(echo *.xpkg|tr ' ' ,) ${{ env.CROSSPLANE_REGORG }}:${{ env.XPKG_VERSION }}"

README.md

@@ -2,9 +2,11 @@
 
 [![CI](https://github.com/crossplane-contrib/function-python/actions/workflows/ci.yml/badge.svg)](https://github.com/crossplane-contrib/function-python/actions/workflows/ci.yml)
 
-A Crossplane composition function that lets you compose resources using Python.
+A Crossplane function that lets you compose resources and run operational tasks using Python.
 
-Provide a Python script that defines a `compose` function with this signature:
+## Composition Functions
+
+To compose resources, provide a Python script that defines a `compose` function with this signature:
 
 ```python
 from crossplane.function.proto.v1 import run_function_pb2 as fnv1
@@ -60,6 +62,56 @@ spec:
             rsp.desired.resources["bucket"].ready = True
 ```
 
+## Operations Functions (Alpha)
+
+`function-python` also supports Crossplane Operations, which are one-time operational tasks that run to completion (like Kubernetes Jobs). For operations, provide a Python script that defines an `operate` function with this signature:
+
+```python
+from crossplane.function.proto.v1 import run_function_pb2 as fnv1
+
+def operate(req: fnv1.RunFunctionRequest, rsp: fnv1.RunFunctionResponse):
+    # Your operational logic here
+
+    # Set output for operation monitoring
+    rsp.output["result"] = "success"
+    rsp.output["message"] = "Operation completed successfully"
+```
+
+### Operation Example
+
+```yaml
+apiVersion: ops.crossplane.io/v1alpha1
+kind: Operation
+metadata:
+  name: check-cert-expiry
+spec:
+  template:
+    spec:
+      pipeline:
+      - step: check-certificate
+        functionRef:
+          name: function-python
+        input:
+          apiVersion: python.fn.crossplane.io/v1beta1
+          kind: Script
+          script: |
+            from crossplane.function.proto.v1 import run_function_pb2 as fnv1
+            import datetime
+
+            def operate(req: fnv1.RunFunctionRequest, rsp: fnv1.RunFunctionResponse):
+                # Example: Check certificate expiration
+                # In real use, you'd retrieve and validate actual certificates
+
+                # Set operation output
+                rsp.output["check_time"] = datetime.datetime.now().isoformat()
+                rsp.output["status"] = "healthy"
+                rsp.output["message"] = "Certificate expiry check completed"
+```
+
+For more complex operations, see the [operation examples](example/operation/).
+
+## Usage Notes
+
 `function-python` is best for very simple cases. If writing Python inline of
 YAML becomes unwieldy, consider building a Python function using
 [function-template-python].

example/README.md renamed to example/composition/README.md

@@ -10,5 +10,5 @@ $ hatch run development
 
 ```shell
 # Then, in another terminal, call it with these example manifests
-$ crossplane beta render xr.yaml composition.yaml functions.yaml -r
+$ crossplane render xr.yaml composition.yaml functions.yaml -r
 ```

example/composition.yaml renamed to example/composition/composition.yaml

@@ -0,0 +1,63 @@
+# Operations Example
+
+This example demonstrates using function-python with Crossplane Operations to
+check SSL certificate expiry for websites referenced in Kubernetes Ingress
+resources.
+
+## Files
+
+- `operation.yaml` - The Operation that checks certificate expiry
+- `functions.yaml` - Function definition for local development
+- `ingress.yaml` - Sample Ingress resource to check
+- `rbac.yaml` - RBAC permissions for Operations to access Ingress resources
+- `README.md` - This file
+
+## Testing
+
+Since Operations are runtime-only (they can't be statically rendered), you can
+test this example locally using the new `crossplane alpha render op` command.
+
+### Prerequisites
+
+1. Run the function in development mode:
+   ```bash
+   hatch run development
+   ```
+
+2. In another terminal, render the operation:
+   ```bash
+   crossplane alpha render op operation.yaml functions.yaml --required-resources . -r
+   ```
+
+The `-r` flag includes function results in the output, and
+`--required-resources .` tells the command to use the ingress.yaml file in this
+directory as the required resource.
+
+## What it does
+
+The Operation:
+
+1. **Reads the Ingress** resource specified in `requirements.requiredResources`
+2. **Extracts the hostname** from the Ingress rules (`google.com` in this
+   example)
+3. **Fetches the SSL certificate** for that hostname
+4. **Calculates expiry information** (days until expiration)
+5. **Annotates the Ingress** with certificate monitoring annotations
+6. **Returns status information** in the Operation's output field
+
+This pattern is useful for:
+- Certificate monitoring and alerting
+- Compliance checking
+- Automated certificate renewal workflows
+- Integration with monitoring tools that read annotations
+
+## Function Details
+
+The operation function (`operate()`) demonstrates key Operations patterns:
+
+- **Required Resources**: Accessing pre-populated resources via
+  `request.get_required_resources(req, "ingress")`
+- **Resource Updates**: Using `rsp.desired.resources` to update existing
+  resources
+- **Operation Output**: Using `rsp.output.update()` for monitoring data
+- **Server-side Apply**: Crossplane applies the changes with force ownership

example/functions.yaml renamed to example/composition/functions.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: pkg.crossplane.io/v1beta1
+kind: Function
+metadata:
+  name: function-python
+  annotations:
+    # This tells crossplane beta render to connect to the function locally.
+    render.crossplane.io/runtime: Development
+spec:
+  # This is ignored when using the Development runtime.
+  package: function-python

example/xr.yaml renamed to example/composition/xr.yaml

@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: example-ingress
+  namespace: default
+spec:
+  rules:
+  - host: google.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: example-service
+            port:
+              number: 80

example/operation/README.md

@@ -0,0 +1,74 @@
+apiVersion: ops.crossplane.io/v1alpha1
+kind: Operation
+metadata:
+  name: check-cert-expiry
+spec:
+  mode: Pipeline
+  pipeline:
+  - step: check-certificate
+    functionRef:
+      name: function-python
+    requirements:
+      requiredResources:
+      - requirementName: ingress
+        apiVersion: networking.k8s.io/v1
+        kind: Ingress
+        name: example-ingress
+        namespace: default
+    input:
+      apiVersion: python.fn.crossplane.io/v1beta1
+      kind: Script
+      script: |
+        import ssl
+        import socket
+        from datetime import datetime
+        
+        from crossplane.function import request, response
+
+        def operate(req, rsp):
+            # Get the Ingress resource
+            ingress = request.get_required_resource(req, "ingress")
+            if not ingress:
+                response.set_output(rsp, {"error": "No ingress resource found"})
+                return
+            
+            # Extract hostname from Ingress rules
+            hostname = ingress["spec"]["rules"][0]["host"]
+            port = 443
+            
+            # Get SSL certificate info
+            context = ssl.create_default_context()
+            with socket.create_connection((hostname, port)) as sock:
+                with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+                    cert = ssock.getpeercert()
+            
+            # Parse expiration date
+            expiry_date = datetime.strptime(cert['notAfter'], '%b %d %H:%M:%S %Y %Z')
+            days_until_expiry = (expiry_date - datetime.now()).days
+            
+            # Add warning if certificate expires soon
+            if days_until_expiry < 30:
+                response.warning(rsp, f"Certificate for {hostname} expires in {days_until_expiry} days")
+            
+            # Annotate the Ingress with certificate expiry info
+            rsp.desired.resources["ingress"].resource.update({
+                "apiVersion": "networking.k8s.io/v1",
+                "kind": "Ingress",
+                "metadata": {
+                    "name": ingress["metadata"]["name"],
+                    "namespace": ingress["metadata"]["namespace"],
+                    "annotations": {
+                        "cert-monitor.crossplane.io/expires": cert['notAfter'],
+                        "cert-monitor.crossplane.io/days-until-expiry": str(days_until_expiry),
+                        "cert-monitor.crossplane.io/status": "warning" if days_until_expiry < 30 else "ok"
+                    }
+                }
+            })
+            
+            # Return results in operation output for monitoring
+            response.set_output(rsp, {
+                "hostname": hostname,
+                "certificateExpires": cert['notAfter'],
+                "daysUntilExpiry": days_until_expiry,
+                "status": "warning" if days_until_expiry < 30 else "ok"
+            })