feat(controlplane): wire Lakekeeper provisioner into control plane (PR5)#583
Merged
fuziontech merged 1 commit on May 20, 2026
…rol plane (PR5)
Enables the per-org Lakekeeper provisioning branch end-to-end. The
provisioning controller already had WithLakekeeperProvisioner (PR3) but
nothing called it, so reconcileLakekeeper was inert in every deployment.
- newLakekeeperInputsResolver resolves per-org ProvisioningInputs:
1. Crossplane Duckling CR status (prod) — the metadata-store master
creds double as the admin connection that CREATEs the
lakekeeper_<orgid> db/role; data-store bucket is the S3 warehouse.
Admin DDL + the Lakekeeper pod target the DIRECT Aurora endpoint,
never the PgBouncer pooler (transaction pooling breaks CREATE
DATABASE and Lakekeeper's own migrations). S3 uses pod IRSA.
2. Env fallback (dev/orbstack + MinIO) when no usable Duckling CR.
- multitenant.go wires it after NewController, gated behind
DUCKGRES_LAKEKEEPER_PROVISIONER_ENABLED (off by default; best-effort if
the K8s client can't be built). S3-Tables warehouses are unaffected.
- KubernetesAuthAudiences left empty: this is the allowall + NetworkPolicy
deployment shape. OIDC SA-token auth remains a separate flag-day change.
Builds clean with -tags kubernetes; resolver unit tests cover the CR path,
env fallback, CR-error fallback, and the no-source error.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Commit 8a76b67, merged into lakekeeper-pr3-provisioning-trigger
5 checks passed
fuziontech added a commit that referenced this pull request on May 20, 2026:
…R5) (#583)
What & why

The provisioning controller gained `WithLakekeeperProvisioner` in PR3, but nothing ever called it — so `reconcileLakekeeper` was inert in every deployment. This PR wires it into the multitenant control plane, making per-org Lakekeeper provisioning actually run.

Lands the allowall + NetworkPolicy deployment shape (empty `KubernetesAuthAudiences`). OIDC SA-token auth (PR4's broker) remains a separate flag-day change.

Changes

- `controlplane/lakekeeper_inputs.go` — `newLakekeeperInputsResolver`, resolving per-org `ProvisioningInputs` from two sources:
  1. The Crossplane Duckling CR status that `shared_worker_activator.go` already reads. Metadata-store master creds → admin DSN (CREATE DATABASE/ROLE); data-store bucket → S3 warehouse. Admin DDL and the Lakekeeper pod target the direct Aurora endpoint, never PgBouncer (transaction pooling breaks `CREATE DATABASE` and Lakekeeper's own migrations). S3 uses the pod's IRSA identity (no static creds).
  2. Env fallback (dev/orbstack + MinIO) when no usable Duckling CR.
- `controlplane/multitenant.go` — wires `WithLakekeeperProvisioner` after `NewController`, gated behind `DUCKGRES_LAKEKEEPER_PROVISIONER_ENABLED` (off by default; best-effort if the K8s client can't be built). S3-Tables warehouses are unaffected.

Testing

- `go build -tags kubernetes ./controlplane/...` clean; default build clean.
- Resolver unit tests (CR path, env fallback, CR-error fallback, no-source error) under `-tags kubernetes`.

Deploy notes

- Set `DUCKGRES_LAKEKEEPER_PROVISIONER_ENABLED=true` plus the `DUCKGRES_LAKEKEEPER_*` env fallbacks (admin DSN, S3 bucket/region/endpoint, MinIO creds).

🤖 Generated with Claude Code
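To make the resolution order concrete, here is an added Go sketch (not code from this PR or from the duckgres project) of a resolver shaped like the one described above: it prefers the Duckling CR status, treats a CR read error or an unusable CR as a fall-through to the `DUCKGRES_LAKEKEEPER_*` env fallback, and returns a single no-source error when neither is available. The `DucklingStatus` and `ProvisioningInputs` field names, the env var names other than the ENABLED flag, and the `InputsResolver` type are assumptions. Two guards go slightly beyond the PR text: the admin DSN is built only from a direct-endpoint field, so a CR that exposes just the pooler is reported unusable rather than routed through PgBouncer, and the org id is validated before it becomes part of the `lakekeeper_<orgid>` identifier, since `CREATE DATABASE` takes an identifier rather than a bind parameter.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strconv"
)

// Env abstracts os.Getenv so tests can inject values; production passes os.Getenv.
type Env func(key string) string

// DucklingStatus is a hypothetical, simplified stand-in for what a resolver
// would read from a Crossplane Duckling CR status; field names are assumed.
type DucklingStatus struct {
	DirectEndpoint  string // host:port of the Aurora writer: the only endpoint DDL may use
	PoolerEndpoint  string // host:port of PgBouncer: present in the CR but never used here
	MasterUser      string
	MasterPassword  string
	DataStoreBucket string
}

// ProvisioningInputs is the resolved per-org result (hypothetical shape).
type ProvisioningInputs struct {
	OrgID, DBName   string // DBName is lakekeeper_<orgid>
	AdminDSN        string // connection used for CREATE DATABASE / CREATE ROLE
	WarehouseBucket string
	S3Endpoint      string // empty in prod (IRSA against AWS); set for MinIO in dev
	Source          string // "duckling-cr" or "env", so logs show which path ran
}

// CRLookup fetches the CR status for an org; (nil, nil) means no CR exists.
type CRLookup func(orgID string) (*DucklingStatus, error)

var ErrNoProvisioningSource = errors.New("lakekeeper: no usable Duckling CR and no env fallback configured")

// Assumed env var names: the PR only gives the ENABLED flag and the DUCKGRES_LAKEKEEPER_* prefix.
const (
	envEnabled  = "DUCKGRES_LAKEKEEPER_PROVISIONER_ENABLED"
	envAdminDSN = "DUCKGRES_LAKEKEEPER_ADMIN_DSN"
	envBucket   = "DUCKGRES_LAKEKEEPER_S3_BUCKET"
	envEndpoint = "DUCKGRES_LAKEKEEPER_S3_ENDPOINT"
)

// CREATE DATABASE takes an identifier, not a bind parameter: validate the org id before splicing it in.
var orgIDPattern = regexp.MustCompile(`^[a-z0-9_]{1,40}$`)

// ProvisionerEnabled is the off-by-default gate: only an explicit true turns it on.
func ProvisionerEnabled(env Env) bool {
	on, err := strconv.ParseBool(env(envEnabled))
	return err == nil && on
}

// InputsResolver tries the Duckling CR first and falls back to env vars.
type InputsResolver struct {
	Lookup CRLookup // nil when no K8s client could be built (best-effort wiring)
	Env    Env
}

func (r *InputsResolver) Resolve(orgID string) (ProvisioningInputs, error) {
	if !orgIDPattern.MatchString(orgID) {
		return ProvisioningInputs{}, fmt.Errorf("lakekeeper: org id %q is not a safe identifier", orgID)
	}
	if r.Lookup != nil {
		// A CR read error and an unusable CR both fall through to the env path
		// instead of wedging the reconcile loop (real code would log the error).
		if st, err := r.Lookup(orgID); err == nil {
			if in, ok := inputsFromCR(orgID, st); ok {
				return in, nil
			}
		}
	}
	return inputsFromEnv(orgID, r.Env)
}

// inputsFromCR builds the admin DSN from the direct endpoint only; a pooler-only CR is unusable.
func inputsFromCR(orgID string, st *DucklingStatus) (ProvisioningInputs, bool) {
	if st == nil || st.DirectEndpoint == "" || st.MasterUser == "" || st.DataStoreBucket == "" {
		return ProvisioningInputs{}, false
	}
	// url.UserPassword percent-encodes '@', '/' and ':' in the credentials.
	dsn := url.URL{Scheme: "postgres", User: url.UserPassword(st.MasterUser, st.MasterPassword),
		Host: st.DirectEndpoint, Path: "/postgres", RawQuery: "sslmode=require"}
	return ProvisioningInputs{OrgID: orgID, DBName: "lakekeeper_" + orgID, AdminDSN: dsn.String(),
		WarehouseBucket: st.DataStoreBucket, Source: "duckling-cr"}, true
}

func inputsFromEnv(orgID string, env Env) (ProvisioningInputs, error) {
	dsn, bucket := env(envAdminDSN), env(envBucket)
	if dsn == "" || bucket == "" {
		return ProvisioningInputs{}, ErrNoProvisioningSource
	}
	return ProvisioningInputs{OrgID: orgID, DBName: "lakekeeper_" + orgID, AdminDSN: dsn,
		WarehouseBucket: bucket, S3Endpoint: env(envEndpoint), Source: "env"}, nil
}

func main() {
	// No K8s client and an empty environment: surfaces ErrNoProvisioningSource.
	in, err := (&InputsResolver{Env: func(string) string { return "" }}).Resolve("acme_1")
	fmt.Printf("%+v err=%v\n", in, err)
}
```

Each case the PR's unit tests enumerate (CR path, env fallback, CR-error fallback, no-source error) maps to one branch of `Resolve`. The `Source` field is there so a reconcile log can show which path an org actually took: a prod org that quietly lands on the env fallback is the failure you want to notice, not discover from a MinIO endpoint in its warehouse config.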