This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
Pulp Access Controller is a Kubernetes operator built with the Kopf framework that watches for PulpAccessRequest custom resources (API group pulp.konflux-ci.dev/v1alpha1) and automatically provisions secrets for accessing Red Hat Pulp services.
# Install dependencies
pip install -r requirements.txt
# Run locally (requires kubeconfig with cluster access)
kopf run --standalone main.py
# Build container
docker build -f docker/Dockerfile -t pulp-access-controller .There are no tests, linter configuration, or a Makefile in this project. CI/CD is handled by Tekton pipelines via Red Hat Konflux (see .tekton/).
The codebase has two source files:
main.py— The entire operator. Contains Kopf event handlers (@kopf.on.create,@kopf.on.update,@kopf.on.delete) forPulpAccessRequestresources, plus all helper functions for Pulp API calls, secret management, and Quay backend configuration.pulp_oauth2_auth.py— Standalone OAuth2 client credentials auth library (PulpOAuth2Sessionextendingrequests.Session). Used for Red Hat SSO token-based authentication against the Pulp API. Not currently imported bymain.py(main.py uses mTLS or Basic Auth directly).
- Create handler: Validates credentials secret → extracts cert/key or username/password → creates Pulp domain via API → builds and creates
pulp-accessK8s secret → optionally creates ImageRepository CR and configures Quay OCI backend - Update handler: Re-reads credentials → updates or recreates the
pulp-accesssecret - Delete handler: Cleans up
pulp-accesssecret and ImageRepository if created
The operator supports certificate-based (mTLS) and Basic Auth. Certificate auth takes precedence when both are present. This affects:
- How credentials are extracted from the input secret (
extract_credentials_from_secret) - The generated
cli.tomlformat (generate_cli_toml) - How Pulp API calls are made (client certs via
temp_cert_filescontext manager vs. HTTP Basic Auth)
PULP_API_BASE_URL=https://mtls.internal.console.redhat.comPULP_ACCESS_SECRET_NAME=pulp-access(the output secret name)- Domain naming convention:
konflux-<namespace>
- CRD:
kubernetes/crd.yaml— definesPulpAccessRequestwith spec fieldscredentialsSecretNameanduse_quay_backend - RBAC/Deployment:
kubernetes/directory contains role, rolebinding, serviceaccount, and deployment manifests - Kustomize:
config/manifests/{production,staging}/bundle all manifests with namespace set topulp-access-controller
Only three Python packages: kopf, kubernetes, requests. No dev dependencies or test frameworks are configured.