chore(deps): Bump actions/setup-python from 5.4.0 to 5.6.0 (#122)

Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5.4.0 to 5.6.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v5.4.0...v5.6.0)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-version: 5.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# wasmCloud operator maintainers
+* @wasmCloud/operator-maintainers

.github/workflows/build.yml

@@ -16,7 +16,7 @@ jobs:
   check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Lint
         run: |
           cargo clippy -- --no-deps
@@ -71,7 +71,7 @@ jobs:
         uses: docker/setup-buildx-action@v3
 
       - name: Log in to the Container registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.repository_owner }}
@@ -86,6 +86,15 @@ jobs:
             type=sha,prefix=
             type=semver,pattern={{version}}
 
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta_wolfi
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=sha,prefix=,suffix=-wolfi
+            type=semver,pattern={{version}},suffix=-wolfi
+
       - name: Load artifacts
         uses: actions/download-artifact@v4
         with:
@@ -98,7 +107,7 @@ jobs:
           chmod +x artifacts/wasmcloud-operator*
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v6
         with:
           push: true
           context: .
@@ -106,3 +115,14 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           platforms: linux/amd64,linux/arm64
           build-args: "BIN_PATH=artifacts/wasmcloud-operator"
+
+      - name: Build and push Docker image (wolfi)
+        uses: docker/build-push-action@v6
+        with:
+          push: true
+          context: .
+          file: './Dockerfile.wolfi'
+          tags: ${{ steps.meta_wolfi.outputs.tags }}
+          labels: ${{ steps.meta_wolfi.outputs.labels }}
+          platforms: linux/amd64,linux/arm64
+          build-args: "BIN_PATH=artifacts/wasmcloud-operator"

.github/workflows/chart.yaml

@@ -32,12 +32,12 @@ jobs:
 
       # Used by helm chart-testing below
       - name: Set up Python
-        uses: actions/setup-python@v5.0.0
+        uses: actions/setup-python@v5.6.0
         with:
           python-version: '3.12.2'
 
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.6.1
+        uses: helm/chart-testing-action@v2.7.0
         with:
           version: v3.10.1
           yamllint_version: 1.35.1
@@ -48,7 +48,7 @@ jobs:
           ct lint --config charts/wasmcloud-operator/ct.yaml
 
       - name: Create kind cluster
-        uses: helm/kind-action@v1.9.0
+        uses: helm/kind-action@v1.12.0
         with:
           version: "v0.22.0"
 

Cargo.lock

@@ -1,6 +1,6 @@
 # This file is automatically @generated by Cargo.
 # It is not intended for manual editing.
-version = 3
+version = 4
 
 [[package]]
 name = "addr2line"
@@ -17,6 +17,16 @@ version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe"
 
+[[package]]
+name = "aead"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d122413f284cf2d62fb1b7db97e02edb8cda96d769b16e443a4f6195e35662b0"
+dependencies = [
+ "crypto-common",
+ "generic-array",
+]
+
 [[package]]
 name = "ahash"
 version = "0.7.8"
@@ -121,9 +131,9 @@ dependencies = [
 
 [[package]]
 name = "anyhow"
-version = "1.0.75"
+version = "1.0.86"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a4668cab20f66d8d020e1fbc0ebe47217433c1b6c8f2040faf858554e394ace6"
+checksum = "b3d1d046238990b9cf5bcde22a3fb3584ee5cf65fb2765f454ed428c7a0063da"
 
 [[package]]
 name = "arc-swap"
@@ -142,7 +152,7 @@ dependencies = [
  "futures",
  "http",
  "memchr",
- "nkeys",
+ "nkeys 0.3.2",
  "nuid 0.5.0",
  "once_cell",
  "rand",
@@ -401,6 +411,17 @@ dependencies = [
  "windows-targets 0.52.0",
 ]
 
+[[package]]
+name = "cipher"
+version = "0.4.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "773f3b9af64447d2ce9850330c473515014aa235e6a783b02db81ff39e4a3dad"
+dependencies = [
+ "crypto-common",
+ "inout",
+ "zeroize",
+]
+
 [[package]]
 name = "clap"
 version = "4.4.6"
@@ -546,9 +567,39 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3"
 dependencies = [
  "generic-array",
+ "rand_core",
  "typenum",
 ]
 
+[[package]]
+name = "crypto_box"
+version = "0.9.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "16182b4f39a82ec8a6851155cc4c0cda3065bb1db33651726a29e1951de0f009"
+dependencies = [
+ "aead",
+ "crypto_secretbox",
+ "curve25519-dalek",
+ "salsa20",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "crypto_secretbox"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b9d6cf87adf719ddf43a805e92c6870a531aedda35ff640442cbaf8674e141e1"
+dependencies = [
+ "aead",
+ "cipher",
+ "generic-array",
+ "poly1305",
+ "salsa20",
+ "subtle",
+ "zeroize",
+]
+
 [[package]]
 name = "ctrlc"
 version = "3.4.1"
@@ -573,6 +624,7 @@ dependencies = [
  "platforms",
  "rustc_version",
  "subtle",
+ "zeroize",
 ]
 
 [[package]]
@@ -873,6 +925,7 @@ checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
 dependencies = [
  "typenum",
  "version_check",
+ "zeroize",
 ]
 
 [[package]]
@@ -894,6 +947,12 @@ version = "0.28.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6fb8d784f27acf97159b40fc4db5ecd8aa23b9ad5ef69cdd136d3bc80665f0c0"
 
+[[package]]
+name = "glob"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b"
+
 [[package]]
 name = "h2"
 version = "0.3.26"
@@ -915,9 +974,9 @@ dependencies = [
 
 [[package]]
 name = "handlebars"
-version = "5.1.0"
+version = "5.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ab283476b99e66691dee3f1640fea91487a8d81f50fb5ecc75538f8f8879a1e4"
+checksum = "d08485b96a0e6393e9e4d1b8d48cf74ad6c063cd905eb33f42c1ce3f0377539b"
 dependencies = [
  "log",
  "pest",
@@ -978,9 +1037,9 @@ checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8"
 
 [[package]]
 name = "hermit-abi"
-version = "0.3.3"
+version = "0.3.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d77f7ec81a6d05a3abb01ab6eb7590f6083d08449fe5a1c8b1e620283546ccb7"
+checksum = "d231dfb89cfffdbc30e7fc41579ed6066ad03abda9e567ccafae602b97ec5024"
 
 [[package]]
 name = "hex"
@@ -1190,6 +1249,15 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "inout"
+version = "0.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a0c10553d664a4d0bcff9f4215d0aac67a639cc68ef660840afe309b807bc9f5"
+dependencies = [
+ "generic-array",
+]
+
 [[package]]
 name = "instant"
 version = "0.1.12"
@@ -1240,14 +1308,13 @@ dependencies = [
 
 [[package]]
 name = "json-patch"
-version = "1.2.0"
+version = "1.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "55ff1e1486799e3f64129f8ccad108b38290df9cd7015cd31bed17239f0789d6"
+checksum = "ec9ad60d674508f3ca8f380a928cfe7b096bc729c4e2dbfe3852bc45da3ab30b"
 dependencies = [
  "serde",
  "serde_json",
  "thiserror",
- "treediff",
 ]
 
 [[package]]
@@ -1513,13 +1580,14 @@ dependencies = [
 
 [[package]]
 name = "mio"
-version = "0.8.11"
+version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a4a650543ca06a924e8b371db273b2756685faae30f8487da1b56505a8f78b0c"
+checksum = "80e04d1dcff3aae0704555fe5fee3bcfaf3d1fdf8a7e521d5b9d2b42acb52cec"
 dependencies = [
+ "hermit-abi",
  "libc",
  "wasi",
- "windows-sys 0.48.0",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
@@ -1549,6 +1617,22 @@ dependencies = [
  "signatory",
 ]
 
+[[package]]
+name = "nkeys"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2de02c883c178998da8d0c9816a88ef7ef5c58314dd1585c97a4a5679f3ab337"
+dependencies = [
+ "crypto_box",
+ "data-encoding",
+ "ed25519",
+ "ed25519-dalek",
+ "getrandom",
+ "log",
+ "rand",
+ "signatory",
+]
+
 [[package]]
 name = "nom"
 version = "7.1.3"
@@ -1628,6 +1712,12 @@ dependencies = [
  "num-traits",
 ]
 
+[[package]]
+name = "num-conv"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "51d515d32fb182ee37cda2ccdcb92950d6a3c2893aa280e540671c2cd0f3b1d9"
+
 [[package]]
 name = "num-integer"
 version = "0.1.45"
@@ -1670,16 +1760,6 @@ dependencies = [
  "autocfg",
 ]
 
-[[package]]
-name = "num_cpus"
-version = "1.16.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4161fcb6d602d4d2081af7c3a45852d875a03dd337a6bfdd6e06407b61342a43"
-dependencies = [
- "hermit-abi",
- "libc",
-]
-
 [[package]]
 name = "object"
 version = "0.32.1"
@@ -1731,22 +1811,18 @@ version = "1.19.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92"
 
+[[package]]
+name = "opaque-debug"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381"
+
 [[package]]
 name = "openssl-probe"
 version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf"
 
-[[package]]
-name = "opentelemetry"
-version = "0.20.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9591d937bc0e6d2feb6f71a559540ab300ea49955229c347a517a28d27784c54"
-dependencies = [
- "opentelemetry_api",
- "opentelemetry_sdk 0.20.0",
-]
-
 [[package]]
 name = "opentelemetry"
 version = "0.21.0"
@@ -1765,17 +1841,17 @@ dependencies = [
 
 [[package]]
 name = "opentelemetry-otlp"
-version = "0.13.0"
+version = "0.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7e5e5a5c4135864099f3faafbe939eb4d7f9b80ebf68a8448da961b32a7c1275"
+checksum = "f24cda83b20ed2433c68241f918d0f6fdec8b1d43b7a9590ab4420c5095ca930"
 dependencies = [
  "async-trait",
  "futures-core",
  "http",
+ "opentelemetry",
  "opentelemetry-proto",
  "opentelemetry-semantic-conventions",
- "opentelemetry_api",
- "opentelemetry_sdk 0.20.0",
+ "opentelemetry_sdk",
  "prost",
  "thiserror",
  "tokio",
@@ -1784,62 +1860,23 @@ dependencies = [
 
 [[package]]
 name = "opentelemetry-proto"
-version = "0.3.0"
+version = "0.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b1e3f814aa9f8c905d0ee4bde026afd3b2577a97c10e1699912e3e44f0c4cbeb"
+checksum = "a2e155ce5cc812ea3d1dffbd1539aed653de4bf4882d60e6e04dcf0901d674e1"
 dependencies = [
- "opentelemetry_api",
- "opentelemetry_sdk 0.20.0",
+ "opentelemetry",
+ "opentelemetry_sdk",
  "prost",
  "tonic",
 ]
 
 [[package]]
 name = "opentelemetry-semantic-conventions"
-version = "0.12.0"
+version = "0.13.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "73c9f9340ad135068800e7f1b24e9e09ed9e7143f5bf8518ded3d3ec69789269"
+checksum = "f5774f1ef1f982ef2a447f6ee04ec383981a3ab99c8e77a1a7b30182e65bbc84"
 dependencies = [
- "opentelemetry 0.20.0",
-]
-
-[[package]]
-name = "opentelemetry_api"
-version = "0.20.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8a81f725323db1b1206ca3da8bb19874bbd3f57c3bcd59471bfb04525b265b9b"
-dependencies = [
- "futures-channel",
- "futures-util",
- "indexmap 1.9.3",
- "js-sys",
- "once_cell",
- "pin-project-lite",
- "thiserror",
- "urlencoding",
-]
-
-[[package]]
-name = "opentelemetry_sdk"
-version = "0.20.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fa8e705a0612d48139799fcbaba0d4a90f06277153e43dd2bdc16c6f0edd8026"
-dependencies = [
- "async-trait",
- "crossbeam-channel",
- "futures-channel",
- "futures-executor",
- "futures-util",
- "once_cell",
- "opentelemetry_api",
- "ordered-float 3.9.2",
- "percent-encoding",
- "rand",
- "regex",
- "serde_json",
- "thiserror",
- "tokio",
- "tokio-stream",
+ "opentelemetry",
 ]
 
 [[package]]
@@ -1853,8 +1890,9 @@ dependencies = [
  "futures-channel",
  "futures-executor",
  "futures-util",
+ "glob",
  "once_cell",
- "opentelemetry 0.21.0",
+ "opentelemetry",
  "ordered-float 4.2.0",
  "percent-encoding",
  "rand",
@@ -1873,15 +1911,6 @@ dependencies = [
  "num-traits",
 ]
 
-[[package]]
-name = "ordered-float"
-version = "3.9.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f1e1c390732d15f1d48471625cd92d154e66db2c56645e29a9cd26f4699f72dc"
-dependencies = [
- "num-traits",
-]
-
 [[package]]
 name = "ordered-float"
 version = "4.2.0"
@@ -2044,6 +2073,17 @@ version = "3.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4503fa043bf02cee09a9582e9554b4c6403b2ef55e4612e96561d294419429f8"
 
+[[package]]
+name = "poly1305"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8159bd90725d2df49889a078b54f4f79e87f1f8a8444194cdca81d38f5393abf"
+dependencies = [
+ "cpufeatures",
+ "opaque-debug",
+ "universal-hash",
+]
+
 [[package]]
 name = "powerfmt"
 version = "0.2.0"
@@ -2399,6 +2439,15 @@ version = "1.0.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1ad4cc8da4ef723ed60bced201181d83791ad433213d8c24efffda1eec85d741"
 
+[[package]]
+name = "salsa20"
+version = "0.10.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "97a22f5af31f73a954c10289c93e8a50cc23d971e80ee446f1f6f7137a088213"
+dependencies = [
+ "cipher",
+]
+
 [[package]]
 name = "schannel"
 version = "0.1.22"
@@ -2410,9 +2459,9 @@ dependencies = [
 
 [[package]]
 name = "schemars"
-version = "0.8.15"
+version = "0.8.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1f7b0ce13155372a76ee2e1c5ffba1fe61ede73fbea5630d61eee6fac4929c0c"
+checksum = "3fbf2ae1b8bc8e02df939598064d22402220cd5bbcca1c76f7d6a310974d5615"
 dependencies = [
  "dyn-clone",
  "schemars_derive",
@@ -2422,14 +2471,14 @@ dependencies = [
 
 [[package]]
 name = "schemars_derive"
-version = "0.8.15"
+version = "0.8.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e85e2a16b12bdb763244c69ab79363d71db2b4b918a2def53f80b02e0574b13c"
+checksum = "32e265784ad618884abaea0600a9adf15393368d840e0222d101a072f3f7534d"
 dependencies = [
  "proc-macro2",
  "quote",
  "serde_derive_internals",
- "syn 1.0.109",
+ "syn 2.0.38",
 ]
 
 [[package]]
@@ -2492,9 +2541,9 @@ dependencies = [
 
 [[package]]
 name = "serde"
-version = "1.0.189"
+version = "1.0.193"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8e422a44e74ad4001bdc8eede9a4570ab52f71190e9c076d14369f38b9200537"
+checksum = "25dd9975e68d0cb5aa1120c288333fc98731bd1dd12f561e468ea4728c042b89"
 dependencies = [
  "serde_derive",
 ]
@@ -2520,9 +2569,9 @@ dependencies = [
 
 [[package]]
 name = "serde_derive"
-version = "1.0.189"
+version = "1.0.193"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1e48d1f918009ce3145511378cf68d613e3b3d9137d67272562080d68a2b32d5"
+checksum = "43576ca501357b9b071ac53cdc7da8ef0cbd9493d8df094cd821777ea6e894d3"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -2531,13 +2580,13 @@ dependencies = [
 
 [[package]]
 name = "serde_derive_internals"
-version = "0.26.0"
+version = "0.29.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "85bf8229e7920a9f636479437026331ce11aa132b4dde37d121944a44d6e5f3c"
+checksum = "330f01ce65a3a5fe59a60c82f3c9a024b573b8a6e875bd233fe5f934e71d54e3"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 1.0.109",
+ "syn 2.0.38",
 ]
 
 [[package]]
@@ -2595,9 +2644,9 @@ dependencies = [
 
 [[package]]
 name = "serde_yaml"
-version = "0.9.25"
+version = "0.9.29"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1a49e178e4452f45cb61d0cd8cebc1b0fafd3e41929e996cef79aa3aca91f574"
+checksum = "a15e0ef66bf939a7c890a0bf6d5a733c70202225f9888a89ed5c62298b019129"
 dependencies = [
  "indexmap 2.0.2",
  "itoa",
@@ -2844,12 +2893,13 @@ dependencies = [
 
 [[package]]
 name = "time"
-version = "0.3.30"
+version = "0.3.36"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c4a34ab300f2dee6e562c10a046fc05e358b29f9bf92277f30c3c8d82275f6f5"
+checksum = "5dfd88e563464686c916c7e46e623e520ddc6d79fa6641390f2e3fa86e83e885"
 dependencies = [
  "deranged",
  "itoa",
+ "num-conv",
  "powerfmt",
  "serde",
  "time-core",
@@ -2864,10 +2914,11 @@ checksum = "ef927ca75afb808a4d64dd374f00a2adf8d0fcff8e7b184af886c3c87ec4a3f3"
 
 [[package]]
 name = "time-macros"
-version = "0.2.15"
+version = "0.2.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4ad70d68dba9e1f8aceda7aa6711965dfec1cac869f311a51bd08b3a2ccbce20"
+checksum = "3f252a68540fde3a3877aeea552b832b40ab9a69e318efd078774a01ddee1ccf"
 dependencies = [
+ "num-conv",
  "time-core",
 ]
 
@@ -2888,21 +2939,20 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
 
 [[package]]
 name = "tokio"
-version = "1.36.0"
+version = "1.42.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "61285f6515fa018fb2d1e46eb21223fff441ee8db5d0f1435e8ab4f5cdb80931"
+checksum = "2209a14885b74764cce87ffa777ffa1b8ce81a3f3166c6f886b83337fe7e077f"
 dependencies = [
  "backtrace",
  "bytes",
  "libc",
  "mio",
- "num_cpus",
  "parking_lot",
  "pin-project-lite",
  "signal-hook-registry",
  "socket2 0.5.6",
  "tokio-macros",
- "windows-sys 0.48.0",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
@@ -2917,9 +2967,9 @@ dependencies = [
 
 [[package]]
 name = "tokio-macros"
-version = "2.2.0"
+version = "2.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5b8a1e28f2deaa14e508979454cb3a223b10b938b45af148bc0986de36f1923b"
+checksum = "693d596312e88961bc67d7f1f97af8a70227d9f90c31bba5806eec004978d752"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -3123,17 +3173,14 @@ dependencies = [
 ]
 
 [[package]]
-name = "tracing-opentelemetry"
-version = "0.20.0"
+name = "tracing-log"
+version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fc09e402904a5261e42cf27aea09ccb7d5318c6717a9eec3d8e2e65c56b18f19"
+checksum = "ee855f1f400bd0e5c02d150ae5de3840039a3f54b025156404e34c23c03f47c3"
 dependencies = [
+ "log",
  "once_cell",
- "opentelemetry 0.20.0",
- "tracing",
  "tracing-core",
- "tracing-log",
- "tracing-subscriber",
 ]
 
 [[package]]
@@ -3144,10 +3191,12 @@ checksum = "c67ac25c5407e7b961fafc6f7e9aa5958fd297aada2d20fa2ae1737357e55596"
 dependencies = [
  "js-sys",
  "once_cell",
- "opentelemetry 0.21.0",
- "opentelemetry_sdk 0.21.2",
+ "opentelemetry",
+ "opentelemetry_sdk",
+ "smallvec",
  "tracing",
  "tracing-core",
+ "tracing-log 0.2.0",
  "tracing-subscriber",
  "web-time",
 ]
@@ -3179,19 +3228,10 @@ dependencies = [
  "thread_local",
  "tracing",
  "tracing-core",
- "tracing-log",
+ "tracing-log 0.1.3",
  "tracing-serde",
 ]
 
-[[package]]
-name = "treediff"
-version = "4.0.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "52984d277bdf2a751072b5df30ec0377febdb02f7696d64c2d7d54630bac4303"
-dependencies = [
- "serde_json",
-]
-
 [[package]]
 name = "try-lock"
 version = "0.2.4"
@@ -3262,6 +3302,16 @@ version = "0.2.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f962df74c8c05a667b5ee8bcf162993134c104e96440b663c8daa176dc772d8c"
 
+[[package]]
+name = "universal-hash"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fc1de2c688dc15305988b563c3854064043356019f97a4b46276fe734c4f07ea"
+dependencies = [
+ "crypto-common",
+ "subtle",
+]
+
 [[package]]
 name = "unsafe-libyaml"
 version = "0.2.11"
@@ -3331,9 +3381,9 @@ dependencies = [
 
 [[package]]
 name = "uuid"
-version = "1.5.0"
+version = "1.12.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "88ad59a7560b41a70d191093a945f0b87bc1deeda46fb237479708a1d6b6cdfc"
+checksum = "b3758f5e68192bb96cc8f9b7e2c2cfdabb435499a28499a42f8f984092adad4b"
 dependencies = [
  "getrandom",
  "serde",
@@ -3354,9 +3404,9 @@ checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"
 
 [[package]]
 name = "wadm"
-version = "0.12.2"
+version = "0.13.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2d20c671aabb8fee1d7a688a81be4ebe14cbc4ae3a01db5dd62202ad39538fa5"
+checksum = "40216dc6034c5e71bf773cea191e13581def996d21acf99fcc9347cc254b0490"
 dependencies = [
  "anyhow",
  "async-nats",
@@ -3369,7 +3419,7 @@ dependencies = [
  "indexmap 2.0.2",
  "jsonschema",
  "lazy_static",
- "nkeys",
+ "nkeys 0.3.2",
  "rand",
  "regex",
  "semver",
@@ -3385,19 +3435,20 @@ dependencies = [
  "uuid",
  "wadm-types",
  "wasmcloud-control-interface",
+ "wasmcloud-secrets-types",
 ]
 
 [[package]]
 name = "wadm-client"
-version = "0.1.2"
+version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "422db00d06cf461d6410396dd5a2653bcf21bccb883659f39173756b91f3f477"
+checksum = "4aaf51fde61578275a9d7f19b7732219162c279dc76f02e2779a5e11beb33240"
 dependencies = [
  "anyhow",
  "async-nats",
  "bytes",
- "nkeys",
- "once_cell",
+ "futures",
+ "nkeys 0.3.2",
  "serde",
  "serde_json",
  "serde_yaml",
@@ -3410,9 +3461,9 @@ dependencies = [
 
 [[package]]
 name = "wadm-types"
-version = "0.1.0"
+version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "af535df65c0387b6a8ef521aca58a239af817f03ebf676f91e982b9b919bc513"
+checksum = "00e7f30261740ec9da4d038cf719032d4bc00437b3e0252e258d0308d44fb576"
 dependencies = [
  "anyhow",
  "async-nats",
@@ -3421,13 +3472,13 @@ dependencies = [
  "bytes",
  "chrono",
  "cloudevents-sdk",
- "futures",
  "indexmap 2.0.2",
  "jsonschema",
  "lazy_static",
- "nkeys",
+ "nkeys 0.3.2",
  "rand",
  "regex",
+ "schemars",
  "semver",
  "serde",
  "serde_json",
@@ -3438,8 +3489,10 @@ dependencies = [
  "tracing",
  "tracing-futures",
  "ulid",
+ "utoipa",
  "uuid",
  "wasmcloud-control-interface",
+ "wasmcloud-secrets-types",
 ]
 
 [[package]]
@@ -3460,14 +3513,32 @@ dependencies = [
  "data-encoding",
  "humantime",
  "log",
- "nkeys",
+ "nkeys 0.3.2",
  "nuid 0.4.1",
  "ring 0.17.5",
  "serde",
  "serde_json",
- "wasm-encoder",
+ "wasm-encoder 0.41.2",
  "wasm-gen",
- "wasmparser",
+ "wasmparser 0.121.2",
+]
+
+[[package]]
+name = "wascap"
+version = "0.15.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6d394c2c59661bff13bea8bd7c8bf30618bafa671ef9f408ae9c3aa71ede5bb0"
+dependencies = [
+ "data-encoding",
+ "humantime",
+ "nkeys 0.4.3",
+ "nuid 0.4.1",
+ "ring 0.17.5",
+ "serde",
+ "serde_json",
+ "wasm-encoder 0.208.1",
+ "wasm-gen",
+ "wasmparser 0.202.0",
 ]
 
 [[package]]
@@ -3551,6 +3622,15 @@ dependencies = [
  "leb128",
 ]
 
+[[package]]
+name = "wasm-encoder"
+version = "0.208.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6425e84e42f7f558478e40ecc2287912cb319f2ca68e5c0bb93c61d4fc63fa17"
+dependencies = [
+ "leb128",
+]
+
 [[package]]
 name = "wasm-gen"
 version = "0.1.4"
@@ -3587,13 +3667,13 @@ dependencies = [
  "cloudevents-sdk",
  "futures",
  "oci-distribution",
- "opentelemetry 0.21.0",
- "opentelemetry_sdk 0.21.2",
+ "opentelemetry",
+ "opentelemetry_sdk",
  "serde",
  "serde_json",
  "tokio",
  "tracing",
- "tracing-opentelemetry 0.22.0",
+ "tracing-opentelemetry",
  "wasmcloud-core",
 ]
 
@@ -3609,7 +3689,7 @@ dependencies = [
  "bytes",
  "futures",
  "hex",
- "nkeys",
+ "nkeys 0.3.2",
  "once_cell",
  "rustls 0.23.4",
  "serde",
@@ -3620,14 +3700,14 @@ dependencies = [
  "tracing",
  "ulid",
  "uuid",
- "wascap",
+ "wascap 0.13.0",
  "wrpc-transport",
  "wrpc-transport-nats",
 ]
 
 [[package]]
 name = "wasmcloud-operator"
-version = "0.3.0"
+version = "0.5.0"
 dependencies = [
  "anyhow",
  "async-nats",
@@ -3641,8 +3721,9 @@ dependencies = [
  "json-patch",
  "k8s-openapi",
  "kube",
- "opentelemetry 0.20.0",
+ "opentelemetry",
  "opentelemetry-otlp",
+ "opentelemetry_sdk",
  "rcgen",
  "schemars",
  "secrecy",
@@ -3654,7 +3735,7 @@ dependencies = [
  "tokio",
  "tokio-util",
  "tracing",
- "tracing-opentelemetry 0.20.0",
+ "tracing-opentelemetry",
  "tracing-subscriber",
  "utoipa",
  "uuid",
@@ -3666,7 +3747,7 @@ dependencies = [
 
 [[package]]
 name = "wasmcloud-operator-types"
-version = "0.1.6"
+version = "0.1.9"
 dependencies = [
  "k8s-openapi",
  "kube",
@@ -3675,6 +3756,22 @@ dependencies = [
  "serde_json",
 ]
 
+[[package]]
+name = "wasmcloud-secrets-types"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6e141cc3ac1fd9b71ec0813796e0a40767afea090d6395fa2b82abca9c882426"
+dependencies = [
+ "anyhow",
+ "async-trait",
+ "bytes",
+ "nkeys 0.4.3",
+ "serde",
+ "serde_json",
+ "thiserror",
+ "wascap 0.15.0",
+]
+
 [[package]]
 name = "wasmparser"
 version = "0.121.2"
@@ -3686,6 +3783,17 @@ dependencies = [
  "semver",
 ]
 
+[[package]]
+name = "wasmparser"
+version = "0.202.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d6998515d3cf3f8b980ef7c11b29a9b1017d4cf86b99ae93b546992df9931413"
+dependencies = [
+ "bitflags 2.4.1",
+ "indexmap 2.0.2",
+ "semver",
+]
+
 [[package]]
 name = "web-sys"
 version = "0.3.64"

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "wasmcloud-operator"
-version = "0.3.0"
+version = "0.5.0"
 edition = "2021"
 
 [[bin]]
@@ -34,6 +34,7 @@ json-patch = { workspace = true }
 k8s-openapi = { workspace = true, features = ["v1_28", "schemars"] }
 kube = { workspace = true, features = ["runtime", "derive", "default"] }
 opentelemetry = { workspace = true }
+opentelemetry_sdk = { workspace = true }
 opentelemetry-otlp = { workspace = true }
 rcgen = { workspace = true }
 schemars = { workspace = true }
@@ -68,15 +69,16 @@ cloudevents-sdk = "0.7"
 ctrlc = "3"
 futures = "0.3"
 handlebars = "5.1"
-json-patch = "1.2.0"
+json-patch = "1.4.0"
 k8s-openapi = { version = "0.20", default-features = false }
 kube = { version = "0.87", default-features = false }
-opentelemetry = { version = "0.20", features = [
+opentelemetry = { version = "0.21", default-features = false }
+opentelemetry_sdk = { version = "0.21", features = [
   "metrics",
   "trace",
   "rt-tokio",
 ] }
-opentelemetry-otlp = { version = "0.13", features = ["tokio"] }
+opentelemetry-otlp = { version = "0.14", features = ["tokio"] }
 rcgen = "0.11"
 schemars = "0.8"
 secrecy = "0.8"
@@ -88,13 +90,13 @@ time = "0.3"
 tokio = { version = "1", features = ["full"] }
 tokio-util = { version = "0.7", features = ["rt"] }
 tracing = "0.1"
-tracing-opentelemetry = "0.20"
+tracing-opentelemetry = "0.22"
 tracing-subscriber = { version = "0.3", features = ["env-filter", "json"] }
 utoipa = { version = "4.1", features = ["axum_extras"] }
 uuid = { version = "1", features = ["v5"] }
-wadm = "0.12.2"
-wadm-client = "0.1.2"
-wadm-types = "0.1.0"
+wadm = "0.13.0"
+wadm-client = "0.2.0"
+wadm-types = "0.2.0"
 wasmcloud-operator-types = { version = "*", path = "./crates/types" }
 
 [workspace]

Dockerfile.wolfi

@@ -0,0 +1,7 @@
+# syntax=docker/dockerfile:1
+FROM chainguard/wolfi-base:latest
+ARG BIN_PATH
+ARG TARGETARCH
+
+COPY ${BIN_PATH}-${TARGETARCH} /usr/local/bin/wasmcloud-operator
+ENTRYPOINT ["/usr/local/bin/wasmcloud-operator"]

MAINTAINERS.md

@@ -0,0 +1,22 @@
+# MAINTAINERS
+
+The following individuals are responsible for reviewing code, managing issues, and ensuring the overall quality of `wasmcloud-operator`.
+
+## @wasmCloud/operator-maintainers
+
+Name: Joonas Bergius
+GitHub: @joonas
+Organization: Cosmonic
+
+Name: Dan Norris
+GitHub: @protochron
+Organization: Cosmonic
+
+Name: Taylor Thomas
+GitHub: @thomastaylor312
+Organization: Cosmonic
+
+Name: Lucas Fontes
+GitHub: @lxfontes
+Organization: Cosmonic
+

README.md

@@ -17,22 +17,15 @@ metadata:
 spec:
   # The number of wasmCloud host pods to run
   hostReplicas: 2
-  # The cluster issuers to use for each host
-  issuers:
-    # This needs to be the public key of a cluster seed generated by
-    # `wash keys gen cluster`
-    - CDK...
   # The lattice to connect the hosts to
-  lattice: 83a5b52e-17cf-4080-bac8-f844099f142e
+  lattice: default
   # Additional labels to apply to the host other than the defaults set in the operator
   hostLabels:
     some-label: value
-  # The address to connect to nats 
-  natsAddress: nats://nats-cluster.default.svc.cluster.local
+  # The address to connect to nats
+  natsAddress: nats://nats.default.svc.cluster.local
   # Which wasmCloud version to use
-  version: 1.0.2
-  # The name of a secret in the same namespace that provides the required secrets.
-  secretName: my-wasmcloud-cluster
+  version: 1.0.4
   # Enable the following to run the wasmCloud hosts as a DaemonSet
   #daemonset: true
   # The name of the image pull secret to use with wasmCloud hosts so that they
@@ -47,13 +40,9 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: my-wasmcloud-cluster
-stringData:
-  # You can generate this with wash:
-  # `wash keys gen cluster`
-  WASMCLOUD_CLUSTER_SEED: <seed>
 #data:
-  # Only required if using a NATS creds file
-  # nats.creds: <creds file>
+# Only required if using a NATS creds file
+# nats.creds: <creds file>
 ```
 
 The operator will fail to provision the wasmCloud Deployment if any of these
@@ -132,7 +121,7 @@ config:
 
 ```sh
 helm repo add nats https://nats-io.github.io/k8s/helm/charts/
-helm upgrade --install -f values.yaml nats-cluster nats/nats
+helm upgrade --install -f values.yaml nats nats/nats
 ```
 
 ### Running Wadm
@@ -144,7 +133,7 @@ NATS server deployed above, all you need in your `values.yaml` file is:
 wadm:
   config:
     nats:
-      server: "nats-cluster.default.svc.cluster.local:4222"
+      server: "nats.default.svc.cluster.local:4222"
 ```
 
 You can deploy Wadm using your values file and Helm:
@@ -227,7 +216,6 @@ data:
   include [Kind](https://kind.sigs.k8s.io/) or Docker Desktop.
 - `RUST_LOG=info cargo run`
 
-
 ## Types crate
 
 This repo stores the types for any CRDs used by the operator in a separate

SECURITY.md

@@ -0,0 +1,3 @@
+# Reporting a security issue
+
+Please refer to the [wasmCloud Security Process and Policy](https://github.com/wasmCloud/wasmCloud/blob/main/SECURITY.md) for details on how to report security issues and vulnerabilities.

charts/wasmcloud-operator/Chart.yaml

@@ -7,10 +7,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.3
+version: 0.1.6
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.2.3"
+appVersion: "0.4.0"

charts/wasmcloud-operator/templates/_helpers.tpl

@@ -43,10 +43,15 @@ Common labels
 {{- define "wasmcloud-operator.labels" -}}
 helm.sh/chart: {{ include "wasmcloud-operator.chart" . }}
 {{ include "wasmcloud-operator.selectorLabels" . }}
+app.kubernetes.io/component: operator
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/part-of: wasmcloud-operator
+{{- with .Values.additionalLabels }}
+{{ . | toYaml }}
+{{- end }}
 {{- end }}
 
 {{/*

charts/wasmcloud-operator/values.yaml

@@ -12,6 +12,9 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 
+additionalLabels: {}
+  # app: wasmcloud-operator
+
 serviceAccount:
   # Specifies whether a service account should be created
   create: true

crates/types/Cargo.toml

@@ -1,11 +1,16 @@
 [package]
 name = "wasmcloud-operator-types"
-version = "0.1.6"
+version = "0.1.9"
 edition = "2021"
 
+[package.metadata.cargo-machete]
+# NOTE: This exists because kube-derive needs it, and for reasons I don't
+# fully understand, it's not coming through kube-derive's own depedendencies.
+ignored = ["serde_json"]
+
 [dependencies]
-k8s-openapi = {workspace = true}
-kube = {workspace = true, features = ["derive"]}
-schemars = {workspace = true}
-serde = {workspace = true}
-serde_json = {workspace = true}
+k8s-openapi = { workspace = true }
+kube = { workspace = true, features = ["derive"] }
+schemars = { workspace = true }
+serde = { workspace = true }
+serde_json = { workspace = true }

crates/types/src/v1alpha1/wasmcloud_host_config.rs

@@ -1,4 +1,4 @@
-use k8s_openapi::api::core::v1::{PodSpec, ResourceRequirements};
+use k8s_openapi::api::core::v1::{Container, PodSpec, ResourceRequirements, Volume};
 use kube::CustomResource;
 use schemars::{gen::SchemaGenerator, schema::Schema, JsonSchema};
 use serde::{Deserialize, Serialize};
@@ -20,9 +20,10 @@ pub struct WasmCloudHostConfigSpec {
     /// The number of replicas to use for the wasmCloud host Deployment.
     #[serde(default = "default_host_replicas")]
     pub host_replicas: u32,
-    /// A list of cluster issuers to use when provisioning hosts. See
+    /// DEPRECATED: A list of cluster issuers to use when provisioning hosts. See
     /// https://wasmcloud.com/docs/deployment/security/zero-trust-invocations for more information.
-    pub issuers: Vec<String>,
+    #[deprecated(since = "0.3.1", note = "Removed in wasmcloud 1.0.0")]
+    pub issuers: Option<Vec<String>>,
     /// The lattice to use for these hosts.
     pub lattice: String,
     /// An optional set of labels to apply to these hosts.
@@ -37,9 +38,8 @@ pub struct WasmCloudHostConfigSpec {
     /// If not provided, the default upstream image will be used.
     /// If provided, it should be fully qualified by including the image tag.
     pub nats_leaf_image: Option<String>,
-    /// The name of a secret containing the primary cluster issuer key along with an optional set
-    /// of NATS credentials.
-    pub secret_name: String,
+    /// Optional. The name of a secret containing a set of NATS credentials under 'nats.creds' key.
+    pub secret_name: Option<String>,
     /// Enable structured logging for host logs.
     pub enable_structured_logging: Option<bool>,
     /// Name of a secret containing the registry credentials
@@ -78,6 +78,12 @@ pub struct WasmCloudHostConfigSpec {
     pub scheduling_options: Option<KubernetesSchedulingOptions>,
     /// Observability options for configuring the OpenTelemetry integration
     pub observability: Option<ObservabilityConfiguration>,
+    /// Certificates: Authorities, client certificates
+    pub certificates: Option<WasmCloudHostCertificates>,
+    /// wasmCloud secrets topic prefix, must not be empty if set.
+    pub secrets_topic_prefix: Option<String>,
+    /// Maximum memory in bytes that components can use.
+    pub max_linear_memory_bytes: Option<u32>,
 }
 
 #[derive(Serialize, Deserialize, Clone, Debug, JsonSchema)]
@@ -98,9 +104,23 @@ pub struct KubernetesSchedulingOptions {
     /// https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for valid
     /// values to use here.
     pub resources: Option<WasmCloudHostConfigResources>,
-    #[schemars(schema_with = "pod_schema")]
     /// Any other pod template spec options to set for the underlying wasmCloud host pods.
+    #[schemars(schema_with = "pod_schema")]
+    #[serde(default, skip_serializing_if = "Option::is_none")]
     pub pod_template_additions: Option<PodSpec>,
+    /// Allow for customization of either the wasmcloud or nats leaf container inside of the wasmCloud host pod.
+    pub container_template_additions: Option<ContainerTemplateAdditions>,
+}
+
+#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema)]
+#[serde(rename_all = "camelCase")]
+pub struct ContainerTemplateAdditions {
+    #[schemars(schema_with = "container_schema")]
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub nats: Option<Container>,
+    #[schemars(schema_with = "container_schema")]
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub wasmcloud: Option<Container>,
 }
 
 #[derive(Serialize, Deserialize, Clone, Debug, JsonSchema)]
@@ -159,6 +179,24 @@ fn pod_schema(_gen: &mut SchemaGenerator) -> Schema {
     val.schema.into()
 }
 
+/// This is a workaround for the fact that we can't override the Container schema to make name
+/// an optional field. It generates the OpenAPI schema for the Container type the same way that
+/// kube.rs does while dropping any required fields.
+fn container_schema(_gen: &mut SchemaGenerator) -> Schema {
+    let gen = schemars::gen::SchemaSettings::openapi3()
+        .with(|s| {
+            s.inline_subschemas = true;
+            s.meta_schema = None;
+        })
+        .with_visitor(kube::core::schema::StructuralSchemaRewriter)
+        .into_generator();
+    let mut val = gen.into_root_schema_for::<Container>();
+    // Drop `name` as a required field as it will be filled in from container
+    // definition coming the controller that this configuration gets merged into.
+    val.schema.object.as_mut().unwrap().required = BTreeSet::new();
+    val.schema.into()
+}
+
 fn default_host_replicas() -> u32 {
     1
 }
@@ -187,6 +225,11 @@ fn default_nats_leafnode_port() -> u16 {
     7422
 }
 
+#[derive(Deserialize, Serialize, Clone, Debug, JsonSchema)]
+pub struct WasmCloudHostCertificates {
+    pub authorities: Option<Vec<Volume>>,
+}
+
 #[derive(Serialize, Deserialize, Clone, Debug, JsonSchema)]
 pub struct WasmCloudHostConfigResources {
     pub nats: Option<ResourceRequirements>,

deploy/base/deployment.yaml

@@ -15,7 +15,7 @@ spec:
     spec:
       serviceAccountName: wasmcloud-operator
       containers:
-        - image: ghcr.io/wasmcloud/wasmcloud-operator:0.2.3
+        - image: ghcr.io/wasmcloud/wasmcloud-operator:0.5.0
           imagePullPolicy: Always
           name: wasmcloud-operator
           ports:

examples/full-config/wasmcloud-annotated.yaml

@@ -0,0 +1,97 @@
+apiVersion: k8s.wasmcloud.dev/v1alpha1
+kind: WasmCloudHostConfig
+metadata:
+  name: my-wasmcloud-cluster
+  namespace: default
+spec:
+  # Optional: Number of hosts (pods). Defaults to 1.
+  hostReplicas: 1
+  # Required: The lattice to connect the hosts to.
+  lattice: default
+  # Optional: Additional labels to apply to the host other than the defaults set in the controller.
+  hostLabels:
+    test: value
+    cluster: kind
+  # Required: Which wasmCloud version to use.
+  version: "1.0.4"
+  # Optional: The image to use for the wasmCloud host.
+  # If provided, the 'version' field will be ignored.
+  image: "registry/wasmcloud:tag"
+  # Optional: The image to use for the NATS leaf that is deployed alongside the wasmCloud host.
+  # If not provided, the default upstream image will be used.
+  natsLeafImage: "registry/nats:tag"
+  # Optional. The name of a secret containing a set of NATS credentials under 'nats.creds' key.
+  secretName: "wasmcloud-host-nats-secret"
+  # Optional: Enable structured logging for host logs. Defaults to "false".
+  enableStructuredLogging: true
+  # Optional: The name of a secret containing the registry credentials.
+  # See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-secret-by-providing-credentials-on-the-command-line
+  registryCredentialsSecret: "wasmcloud-pull-secret"
+  # Optional: The control topic prefix to use for the host. Defaults to "wasmbus.ctl"
+  controlTopicPrefix: "wasmbus.custom-ctl"
+  # Optional: The leaf node domain to use for the NATS sidecar. Defaults to "leaf".
+  leafNodeDomain: "custom-leaf"
+  # Optional: Enable the config service for this host. Defaults to "false".
+  # Makes wasmCloud host issue requests to a config service on startup.
+  configServiceEnabled: true
+  # Optional: The log level to use for the host. Defaults to "INFO".
+  logLevel: INFO
+  # Optional: The address of the NATS server to connect to. Defaults to "nats://nats.default.svc.cluster.local".
+  natsAddress: nats://nats.default.svc.cluster.local
+  # Optional: Allow the host to deploy using the latest tag on OCI components or providers. Defaults to "false".
+  allowLatest: true
+  # Optional: Allow the host to pull artifacts from OCI registries insecurely.
+  allowedInsecure:
+    - "localhost:5001"
+    - "kind-registry:5000"
+  # Optional: Policy service configuration.
+  policyService:
+    # If provided, enables policy checks on start actions and component invocations.
+    topic: "wasmcloud.policy"
+    # If provided, allows the host to subscribe to updates on past policy decisions. Requires 'topic' above to be set.
+    changesTopic: "wasmcloud.policy.changes"
+    # If provided, allows setting a custom timeout for requesting policy decisions. Defaults to 1000. Requires 'topic' to be set.
+    timeoutMs: 10000
+  # Optional: Observability options for configuring the OpenTelemetry integration.
+  observability:
+    # NOTE: Enables all signals (logs/metrics/traces) at once. Set it to 'false' and enable each signal individually in case you don't need all of them.
+    enable: true
+    endpoint: "otel-collector.svc"
+    # Either 'grpc' or 'http'
+    protocol: "http"
+    logs:
+      enable: false
+      endpoint: "logs-specific-otel-collector.svc"
+    metrics:
+      enable: false
+      endpoint: "metrics-specific-otel-collector.svc"
+    traces:
+      enable: false
+      endpoint: "traces-specific-otel-collector.svc"
+  # Optional: Subject prefix that will be used by the host to query for wasmCloud Secrets.
+  # See https://wasmcloud.com/docs/concepts/secrets for more context
+  secretsTopicPrefix: "wasmcloud.secrets"
+  # Optional: The maximum amount of memory bytes that a component can allocate.
+  maxLinearMemoryBytes: 20000000
+  # Optional: Additional options to control how the underlying wasmCloud hosts are scheduled in Kubernetes.
+  # This includes setting resource requirements for the nats and wasmCloud host
+  # containers along with any additional pot template settings.
+  schedulingOptions:
+    # Optional: Enable the following to run the wasmCloud hosts as a DaemonSet. Defaults to "false".
+    daemonset: true
+    # Optional: Set the resource requirements for the nats and wasmCloud host containers.
+    # See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for valid values
+    resources:
+      nats:
+        requests:
+          cpu: "1"
+      wasmCloudHost:
+        requests:
+          cpu: "1"
+    # Optional: Any additional pod template settings to apply to the wasmCloud host pods.
+    # See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#podspec-v1-core for all valid options.
+    # Note that you *cannot* set the `containers` field here as it is managed by the controller.
+    podTemplateAdditions:
+      spec:
+        nodeSelector:
+          kubernetes.io/os: linux

examples/quickstart/README.md

@@ -0,0 +1,87 @@
+# Example setup
+
+This example shows the bare minimum requirements to deploy applications on wasmCloud.
+
+It relies on the Kubernetes `default` namespace for simplicity.
+
+## Install [NATS](https://github.com/nats-io/nats-server)
+
+```bash
+helm repo add nats https://nats-io.github.io/k8s/helm/charts/
+helm upgrade --install -f nats-values.yaml nats nats/nats
+```
+
+Validate installation with:
+
+```bash
+# make sure pods are ready
+kubectl rollout status deploy,sts -l app.kubernetes.io/instance=nats
+```
+
+## Install wasmCloud Application Deployment Manager - [wadm](https://github.com/wasmCloud/wadm)
+
+```sh
+helm install wadm -f wadm-values.yaml oci://ghcr.io/wasmcloud/charts/wadm
+```
+
+Validate installation with:
+
+```bash
+# make sure pods are ready
+kubectl rollout status deploy -l app.kubernetes.io/instance=wadm
+```
+
+## Install the operator
+
+```sh
+kubectl apply -k ../../deploy/base
+```
+
+Validate installation with:
+
+```bash
+# make sure pods are ready
+kubectl rollout status deploy -l app=wasmcloud-operator -n wasmcloud-operator
+# apiservice should be available
+kubectl get apiservices.apiregistration.k8s.io v1beta1.core.oam.dev
+```
+
+## Create wasmcloud cluster
+
+```bash
+kubectl apply -f wasmcloud-host.yaml
+```
+
+Check wasmCloud host status with:
+
+```bash
+kubectl describe wasmcloudhostconfig wasmcloud-host
+```
+
+## Managing applications using kubectl
+
+Install the rust hello world application:
+
+```bash
+kubectl apply -f hello-world-application.yaml
+```
+
+Check application status with:
+
+```bash
+kubectl get applications
+```
+
+## Managing applications with wash
+
+Port forward into the NATS cluster. 4222 = NATS Service, 4223 = NATS Websockets
+
+```bash
+kubectl port-forward svc/nats 4222:4222 4223:4223
+```
+
+In another shell:
+
+```bash
+wash app list
+```

examples/quickstart/hello-world-application.yaml

@@ -0,0 +1,53 @@
+apiVersion: core.oam.dev/v1beta1
+kind: Application
+metadata:
+  name: hello-world
+  annotations:
+    version: v0.0.1
+    description: "HTTP hello world demo in Rust, using the WebAssembly Component Model and WebAssembly Interfaces Types (WIT)"
+    wasmcloud.dev/authors: wasmCloud team
+    wasmcloud.dev/source-url: https://github.com/wasmCloud/wasmCloud/blob/main/examples/rusg/components/http-hello-world/wadm.yaml
+    wasmcloud.dev/readme-md-url: https://github.com/wasmCloud/wasmCloud/blob/main/examples/rusg/components/http-hello-world/README.md
+    wasmcloud.dev/homepage: https://github.com/wasmCloud/wasmCloud/tree/main/examples/rusg/components/http-hello-world
+    wasmcloud.dev/categories: |
+      http,http-server,rust,hello-world,example
+spec:
+  components:
+    - name: http-component
+      type: component
+      properties:
+        image: ghcr.io/wasmcloud/components/http-hello-world-rust:0.1.0
+      traits:
+        # Govern the spread/scheduling of the component
+        - type: daemonscaler
+          properties:
+            replicas: 100
+
+    # Add a capability provider that enables HTTP access
+    - name: httpserver
+      type: capability
+      properties:
+        image: ghcr.io/wasmcloud/http-server:0.21.0
+      traits:
+        # Establish a unidirectional link from this http server provider (the "source")
+        # to the `http-component` component (the "target") so the component can handle incoming HTTP requests.
+        #
+        # The source (this provider) is configured such that the HTTP server listens on 0.0.0.0:8000. 
+        # When running the application on Kubernetes with the wasmCloud operator, you can change the 
+        # port but the address must be 0.0.0.0.
+        - type: link
+          properties:
+            target: http-component
+            namespace: wasi
+            package: http
+            interfaces: [incoming-handler]
+            source_config:
+              - name: default-http
+                properties:
+                  address: 0.0.0.0:8000
+        # When running the application on Kubernetes with the wasmCloud operator, 
+        # the operator automatically creates a Kubernetes service for applications that use 
+        # the httpserver provider with a daemonscaler.
+        - type: daemonscaler
+          properties:
+            replicas: 1

examples/quickstart/nats-values.yaml

@@ -0,0 +1,16 @@
+config:
+  cluster:
+    enabled: true
+    replicas: 3
+  leafnodes:
+    enabled: true
+  websocket:
+    enabled: true
+    port: 4223
+  jetstream:
+    enabled: true
+    fileStore:
+      pvc:
+        size: 10Gi
+    merge:
+      domain: default

examples/quickstart/wadm-values.yaml

@@ -0,0 +1,6 @@
+wadm:
+  image:
+    tag: v0.12.2
+  config:
+    nats:
+      server: "nats.default.svc.cluster.local:4222"

examples/quickstart/wasmcloud-host.yaml

@@ -0,0 +1,7 @@
+apiVersion: k8s.wasmcloud.dev/v1alpha1
+kind: WasmCloudHostConfig
+metadata:
+  name: wasmcloud-host
+spec:
+  lattice: default
+  version: "1.0.4"

sample.yaml

@@ -1,57 +0,0 @@
-apiVersion: k8s.wasmcloud.dev/v1alpha1
-kind: WasmCloudHostConfig
-metadata:
-  name: my-wasmcloud-cluster
-  namespace: default
-spec:
-  hostReplicas: 1
-  issuers:
-    - CDKF6OKPOBQKAX57UOXO7SCHURTOZWKWIVPC2HFJTGFXY5VJX44ECEHH
-  # The lattice to connect the hosts to
-  lattice: default
-  # Additional labels to apply to the host other than the defaults set in the controller
-  hostLabels:
-    test: value
-    cluster: kind
-  # Which wasmCloud version to use
-  version: "1.0.2"
-  # The name of a secret in the same namespace that provides the required secrets.
-  secretName: cluster-secrets
-  logLevel: INFO
-  natsAddress: nats://nats-cluster.default.svc.cluster.local
-  ################################################
-  # Additional options that can be set for hosts:
-  ################################################
-  # allowLatest: true
-  # allowedInsecure:
-  #   - "localhost:5001"
-  #   - "kind-registry:5000"
-  # Policy service configuration
-  # policyService:
-  #  topic: "wasmcloud.policy"
-  #  changesTopic: "bar"
-  #  timeoutMs: 10000
-  # Additional options to control how the underlying wasmCloud hosts are scheduled in Kubernetes.
-  # This includes setting resource requirements for the nats and wasmCloud host
-  # containers along with any additional pot template settings.
-  # schedulingOptions:
-  # Enable the following to run the wasmCloud hosts as a DaemonSet
-  # daemonset: true
-  # Set the resource requirements for the nats and wasmCloud host containers.
-  # resources:
-  #   nats:
-  #     requests:
-  #       cpu: 100m
-  #  wasmCloudHost:
-  #     requests:
-  #       cpu: 100m
-  # Any additional pod template settings to apply to the wasmCloud host pods.
-  # See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#podspec-v1-core for all valid options.
-  # Note that you *cannot* set the `containers` field here as it is managed by the controller.
-  # podTemplateAdditions:
-  #   spec:
-  #     env:
-  #       - name: HOST_IP
-  #         value: spec.hostIP
-  #  nodeSelector:
-  #    kubernetes.io/os: linux

src/controller.rs

@@ -7,12 +7,13 @@ use futures::StreamExt;
 use handlebars::Handlebars;
 use k8s_openapi::api::apps::v1::{DaemonSet, DaemonSetSpec, Deployment, DeploymentSpec};
 use k8s_openapi::api::core::v1::{
-    ConfigMap, ConfigMapVolumeSource, Container, ContainerPort, EnvVar, EnvVarSource, ExecAction,
-    Lifecycle, LifecycleHandler, Pod, PodSpec, PodTemplateSpec, Secret, SecretKeySelector,
-    SecretVolumeSource, Service, ServiceAccount, ServicePort, ServiceSpec, Volume, VolumeMount,
+    ConfigMap, ConfigMapVolumeSource, Container, ContainerPort, EnvVar, ExecAction, Lifecycle,
+    LifecycleHandler, Pod, PodSpec, PodTemplateSpec, Secret, SecretVolumeSource, Service,
+    ServiceAccount, ServicePort, ServiceSpec, Volume, VolumeMount,
 };
 use k8s_openapi::api::rbac::v1::{PolicyRule, Role, RoleBinding, RoleRef, Subject};
 use k8s_openapi::apimachinery::pkg::apis::meta::v1::LabelSelector;
+use k8s_openapi::DeepMerge;
 use kube::{
     api::{Api, ObjectMeta, Patch, PatchParams},
     client::Client as KubeClient,
@@ -56,7 +57,6 @@ pub struct Context {
 
 #[derive(Clone, Default)]
 pub struct Secrets {
-    pub wasmcloud_cluster_seed: String,
     pub nats_creds: Option<String>,
 }
 
@@ -69,18 +69,9 @@ impl Secrets {
             );
         };
         let data = secret.data.as_ref().unwrap();
-        let wasmcloud_cluster_seed = data.get("WASMCLOUD_CLUSTER_SEED");
         let nats_creds = data.get("nats.creds");
 
-        if wasmcloud_cluster_seed.is_none() {
-            bail!(
-                "Secret {} has no WASMCLOUD_CLUSTER_SEED",
-                secret.metadata.name.as_ref().unwrap()
-            );
-        };
-
         Ok(Self {
-            wasmcloud_cluster_seed: from_utf8(&wasmcloud_cluster_seed.unwrap().0)?.to_string(),
             nats_creds: match &nats_creds {
                 Some(c) => from_utf8(&c.0).ok().map(|s| s.to_string()),
                 None => None,
@@ -119,33 +110,37 @@ async fn reconcile_crd(config: &WasmCloudHostConfig, ctx: Arc<Context>) -> Resul
     let name = config.name_any();
     let config: Api<WasmCloudHostConfig> = Api::namespaced(kube_client.clone(), &ns);
     let mut cfg = config.get(&name).await?;
-    let secrets = Api::<Secret>::namespaced(kube_client, &ns);
+    let secrets_api = Api::<Secret>::namespaced(kube_client, &ns);
 
-    let secret = secrets.get(&cfg.spec.secret_name).await.map_err(|e| {
-        warn!("Failed to read secrets: {}", e);
-        e
-    })?;
-    let s = Secrets::from_k8s_secret(&secret).map_err(|e| {
-        warn!("Failed to read secrets: {}", e);
-        Error::SecretError(format!(
-            "Failed to read all secrets from {}: {}",
-            secret.metadata.name.unwrap(),
+    let mut secrets = Secrets::default();
+
+    if let Some(secret_name) = &cfg.spec.secret_name {
+        let kube_secrets = secrets_api.get(secret_name).await.map_err(|e| {
+            warn!("Failed to read secrets: {}", e);
             e
-        ))
-    })?;
+        })?;
+        secrets = Secrets::from_k8s_secret(&kube_secrets).map_err(|e| {
+            warn!("Failed to read secrets: {}", e);
+            Error::SecretError(format!(
+                "Failed to read all secrets from {}: {}",
+                kube_secrets.metadata.name.unwrap(),
+                e
+            ))
+        })?;
 
-    if let Err(e) = configmap(&cfg, ctx.clone(), s.nats_creds.is_some()).await {
+        if let Some(nats_creds) = &secrets.nats_creds {
+            if let Err(e) = store_nats_creds(&cfg, ctx.clone(), nats_creds.clone()).await {
+                warn!("Failed to reconcile secret: {}", e);
+                return Err(e);
+            };
+        }
+    }
+
+    if let Err(e) = configmap(&cfg, ctx.clone(), secrets.nats_creds.is_some()).await {
         warn!("Failed to reconcile configmap: {}", e);
         return Err(e);
     };
 
-    if let Some(nats_creds) = &s.nats_creds {
-        if let Err(e) = store_nats_creds(&cfg, ctx.clone(), nats_creds.clone()).await {
-            warn!("Failed to reconcile secret: {}", e);
-            return Err(e);
-        };
-    }
-
     // TODO(protochron) these could be split out into separate functions.
     if let Err(e) = configure_auth(&cfg, ctx.clone()).await {
         warn!("Failed to configure auth: {}", e);
@@ -162,7 +157,7 @@ async fn reconcile_crd(config: &WasmCloudHostConfig, ctx: Arc<Context>) -> Resul
         return Err(e);
     };
 
-    let nc = s.nats_creds.map(SecretString::new);
+    let nc = secrets.nats_creds.map(SecretString::new);
     let apps = crate::resources::application::list_apps(
         &cfg.spec.nats_address,
         &cfg.spec.nats_client_port,
@@ -253,22 +248,10 @@ async fn cleanup(config: &WasmCloudHostConfig, ctx: Arc<Context>) -> Result<Acti
     Ok(Action::await_change())
 }
 
-fn pod_template(config: &WasmCloudHostConfig, _ctx: Arc<Context>) -> PodTemplateSpec {
+async fn pod_template(config: &WasmCloudHostConfig, ctx: Arc<Context>) -> Result<PodTemplateSpec> {
     let labels = pod_labels(config);
 
     let mut wasmcloud_env = vec![
-        EnvVar {
-            name: "WASMCLOUD_CLUSTER_SEED".to_string(),
-            value_from: Some(EnvVarSource {
-                secret_key_ref: Some(SecretKeySelector {
-                    name: Some(config.spec.secret_name.clone()),
-                    key: "WASMCLOUD_CLUSTER_SEED".to_string(),
-                    ..Default::default()
-                }),
-                ..Default::default()
-            }),
-            ..Default::default()
-        },
         EnvVar {
             name: "WASMCLOUD_STRUCTURED_LOGGING_ENABLED".to_string(),
             value: Some(
@@ -301,11 +284,6 @@ fn pod_template(config: &WasmCloudHostConfig, _ctx: Arc<Context>) -> PodTemplate
             value: Some(config.spec.lattice.clone()),
             ..Default::default()
         },
-        EnvVar {
-            name: "WASMCLOUD_CLUSTER_ISSUERS".to_string(),
-            value: Some(config.spec.issuers.join(",")),
-            ..Default::default()
-        },
         EnvVar {
             name: "WASMCLOUD_NATS_HOST".to_string(),
             value: Some("127.0.0.1".to_string()),
@@ -396,15 +374,34 @@ fn pod_template(config: &WasmCloudHostConfig, _ctx: Arc<Context>) -> PodTemplate
         }
     }
 
-    let wasmcloud_args = configure_observability(&config.spec);
+    if let Some(secrets_prefix) = &config.spec.secrets_topic_prefix {
+        wasmcloud_env.push(EnvVar {
+            name: "WASMCLOUD_SECRETS_TOPIC".to_string(),
+            value: Some(secrets_prefix.clone()),
+            ..Default::default()
+        })
+    }
+
+    if let Some(max_linear_memory_bytes) = &config.spec.max_linear_memory_bytes {
+        wasmcloud_env.push(EnvVar {
+            name: "WASMCLOUD_MAX_LINEAR_MEMORY".to_string(),
+            value: Some(max_linear_memory_bytes.to_string()),
+            ..Default::default()
+        })
+    }
+
+    let mut wasmcloud_args = configure_observability(&config.spec);
 
     let mut nats_resources: Option<k8s_openapi::api::core::v1::ResourceRequirements> = None;
     let mut wasmcloud_resources: Option<k8s_openapi::api::core::v1::ResourceRequirements> = None;
-    if let Some(scheduling_options) = &config.spec.scheduling_options {
-        if let Some(resources) = &scheduling_options.resources {
-            nats_resources = resources.nats.clone();
-            wasmcloud_resources = resources.wasmcloud.clone();
-        }
+    if let Some(resources) = &config
+        .spec
+        .scheduling_options
+        .as_ref()
+        .and_then(|so| so.resources.clone())
+    {
+        nats_resources.clone_from(&resources.nats);
+        wasmcloud_resources.clone_from(&resources.wasmcloud);
     }
 
     let image = match &config.spec.image {
@@ -417,7 +414,140 @@ fn pod_template(config: &WasmCloudHostConfig, _ctx: Arc<Context>) -> PodTemplate
         None => "nats:2.10-alpine".to_string(),
     };
 
-    let containers = vec![
+    let mut volumes = vec![Volume {
+        name: "nats-config".to_string(),
+        config_map: Some(ConfigMapVolumeSource {
+            name: Some(config.name_any()),
+            ..Default::default()
+        }),
+        ..Default::default()
+    }];
+
+    let mut nats_volume_mounts = vec![VolumeMount {
+        name: "nats-config".to_string(),
+        mount_path: "/nats/nats.conf".to_string(),
+        read_only: Some(true),
+        sub_path: Some("nats.conf".to_string()),
+        ..Default::default()
+    }];
+
+    let mut wasm_volume_mounts: Vec<VolumeMount> = vec![];
+    if let Some(authorities) = &config
+        .spec
+        .certificates
+        .clone()
+        .and_then(|certificates| certificates.authorities)
+    {
+        for authority in authorities.iter() {
+            let authority_name = authority.name.clone();
+            let volume_name = format!("ca-{authority_name}");
+            let volume_path = format!("/wasmcloud/certificates/{volume_name}");
+            let mut items: Vec<String> = vec![];
+
+            // The Volume interface is quite broad. Permit only known types.
+            if authority.secret.is_none() && authority.config_map.is_none() {
+                return Err(Error::CertificateError(format!(
+                    "'{authority_name}' has to be a Configmap or Secret"
+                )));
+            }
+
+            // secrets
+            if let Some(secret_ref) = &authority.secret {
+                let secret_name = match &secret_ref.secret_name {
+                    Some(s) => s,
+                    None => {
+                        return Err(Error::CertificateError(format!(
+                            "Missing secret name for authority '{authority_name}'"
+                        )))
+                    }
+                };
+
+                items = discover_secret_certificates(
+                    &config.namespace().unwrap_or_default(),
+                    secret_name,
+                    &ctx,
+                )
+                .await?;
+
+                if items.is_empty() {
+                    continue;
+                }
+
+                volumes.push(Volume {
+                    name: volume_name.clone(),
+                    secret: Some(SecretVolumeSource {
+                        secret_name: Some(secret_name.to_string()),
+                        ..Default::default()
+                    }),
+                    ..Default::default()
+                });
+            }
+
+            // configmaps
+            if let Some(configmap_ref) = &authority.config_map {
+                let configmap_name = match &configmap_ref.name {
+                    Some(s) => s,
+                    None => {
+                        return Err(Error::CertificateError(format!(
+                            "Missing configmap name for authority '{authority_name}'"
+                        )))
+                    }
+                };
+                items = discover_configmap_certificates(
+                    &config.namespace().unwrap_or_default(),
+                    configmap_name,
+                    &ctx,
+                )
+                .await?;
+
+                if items.is_empty() {
+                    continue;
+                }
+
+                volumes.push(Volume {
+                    name: volume_name.clone(),
+                    config_map: Some(ConfigMapVolumeSource {
+                        name: Some(configmap_name.to_string()),
+                        ..Default::default()
+                    }),
+                    ..Default::default()
+                });
+            }
+
+            wasm_volume_mounts.push(VolumeMount {
+                name: volume_name.clone(),
+                read_only: Some(true),
+                mount_path: volume_path.clone(),
+                ..Default::default()
+            });
+
+            for item in items {
+                wasmcloud_args.push("--tls-ca-path".to_string());
+                wasmcloud_args.push(format!("{volume_path}/{item}"));
+            }
+        }
+    }
+
+    if let Some(secret_name) = &config.spec.secret_name {
+        volumes.push(Volume {
+            name: "nats-creds".to_string(),
+            secret: Some(SecretVolumeSource {
+                secret_name: Some(secret_name.clone()),
+                ..Default::default()
+            }),
+            ..Default::default()
+        });
+
+        nats_volume_mounts.push(VolumeMount {
+            name: "nats-creds".to_string(),
+            mount_path: "/nats/nats.creds".to_string(),
+            sub_path: Some("nats.creds".to_string()),
+            read_only: Some(true),
+            ..Default::default()
+        });
+    }
+
+    let mut containers = vec![
         Container {
             name: "nats-leaf".to_string(),
             image: Some(leaf_image),
@@ -442,22 +572,7 @@ fn pod_template(config: &WasmCloudHostConfig, _ctx: Arc<Context>) -> PodTemplate
                 ..Default::default()
             }),
             resources: nats_resources,
-            volume_mounts: Some(vec![
-                VolumeMount {
-                    name: "nats-config".to_string(),
-                    mount_path: "/nats/nats.conf".to_string(),
-                    read_only: Some(true),
-                    sub_path: Some("nats.conf".to_string()),
-                    ..Default::default()
-                },
-                VolumeMount {
-                    name: "nats-creds".to_string(),
-                    mount_path: "/nats/nats.creds".to_string(),
-                    sub_path: Some("nats.creds".to_string()),
-                    read_only: Some(true),
-                    ..Default::default()
-                },
-            ]),
+            volume_mounts: Some(nats_volume_mounts),
             ..Default::default()
         },
         Container {
@@ -467,28 +582,27 @@ fn pod_template(config: &WasmCloudHostConfig, _ctx: Arc<Context>) -> PodTemplate
             args: Some(wasmcloud_args),
             env: Some(wasmcloud_env),
             resources: wasmcloud_resources,
+            volume_mounts: Some(wasm_volume_mounts),
             ..Default::default()
         },
     ];
 
-    let mut volumes = vec![
-        Volume {
-            name: "nats-config".to_string(),
-            config_map: Some(ConfigMapVolumeSource {
-                name: Some(config.name_any()),
-                ..Default::default()
-            }),
-            ..Default::default()
-        },
-        Volume {
-            name: "nats-creds".to_string(),
-            secret: Some(SecretVolumeSource {
-                secret_name: Some(config.spec.secret_name.clone()),
-                ..Default::default()
-            }),
-            ..Default::default()
-        },
-    ];
+    if let Some(cta) = &config
+        .spec
+        .scheduling_options
+        .as_ref()
+        .and_then(|so| so.container_template_additions.clone())
+    {
+        if let Some(mut nats_container) = cta.nats.clone() {
+            nats_container.merge_from(containers[0].clone());
+            containers[0] = nats_container;
+        }
+        if let Some(mut wasmcloud_container) = cta.wasmcloud.clone() {
+            wasmcloud_container.merge_from(containers[1].clone());
+            containers[1] = wasmcloud_container;
+        }
+    }
+
     let service_account = config.name_any();
     let mut template = PodTemplateSpec {
         metadata: Some(ObjectMeta {
@@ -498,41 +612,71 @@ fn pod_template(config: &WasmCloudHostConfig, _ctx: Arc<Context>) -> PodTemplate
         spec: Some(PodSpec {
             service_account: Some(config.name_any()),
             containers: containers.clone(),
-            volumes: Some(vec![
-                Volume {
-                    name: "nats-config".to_string(),
-                    config_map: Some(ConfigMapVolumeSource {
-                        name: Some(config.name_any()),
-                        ..Default::default()
-                    }),
-                    ..Default::default()
-                },
-                Volume {
-                    name: "nats-creds".to_string(),
-                    secret: Some(SecretVolumeSource {
-                        secret_name: Some(config.spec.secret_name.clone()),
-                        ..Default::default()
-                    }),
-                    ..Default::default()
-                },
-            ]),
+            volumes: Some(volumes.clone()),
             ..Default::default()
         }),
     };
 
-    if let Some(scheduling_options) = &config.spec.scheduling_options {
-        if let Some(pod_overrides) = &scheduling_options.pod_template_additions {
-            let mut overrides = pod_overrides.clone();
-            overrides.service_account_name = Some(service_account);
-            overrides.containers = containers.clone();
-            if let Some(vols) = overrides.volumes {
-                volumes.extend(vols);
-            }
-            overrides.volumes = Some(volumes);
-            template.spec = Some(overrides);
+    if let Some(pod_overrides) = &config
+        .spec
+        .scheduling_options
+        .as_ref()
+        .and_then(|so| so.pod_template_additions.clone())
+    {
+        let mut overrides = pod_overrides.clone();
+        overrides.service_account_name = Some(service_account);
+        overrides.containers.clone_from(&containers);
+        if let Some(vols) = overrides.volumes {
+            volumes.extend(vols);
         }
+        overrides.volumes = Some(volumes);
+        template.spec = Some(overrides);
     };
-    template
+    Ok(template)
+}
+
+async fn discover_configmap_certificates(
+    namespace: &str,
+    name: &str,
+    ctx: &Context,
+) -> Result<Vec<String>> {
+    let kube_client = ctx.client.clone();
+    let api = Api::<ConfigMap>::namespaced(kube_client, namespace);
+    let mut certs = Vec::new();
+
+    let raw_config_map = api.get(name).await?;
+
+    if let Some(raw_data) = raw_config_map.data {
+        for (key, _) in raw_data {
+            if key.ends_with(".crt") {
+                certs.push(key)
+            }
+        }
+    }
+
+    Ok(certs)
+}
+
+async fn discover_secret_certificates(
+    namespace: &str,
+    name: &str,
+    ctx: &Context,
+) -> Result<Vec<String>> {
+    let kube_client = ctx.client.clone();
+    let api = Api::<Secret>::namespaced(kube_client, namespace);
+    let mut certs = Vec::new();
+
+    let raw_config_map = api.get(name).await?;
+
+    if let Some(raw_data) = raw_config_map.data {
+        for (key, _) in raw_data {
+            if key.ends_with(".crt") {
+                certs.push(key)
+            }
+        }
+    }
+
+    Ok(certs)
 }
 
 fn configure_observability(spec: &WasmCloudHostConfigSpec) -> Vec<String> {
@@ -580,19 +724,22 @@ fn configure_observability(spec: &WasmCloudHostConfigSpec) -> Vec<String> {
     args
 }
 
-fn deployment_spec(config: &WasmCloudHostConfig, ctx: Arc<Context>) -> DeploymentSpec {
-    let pod_template = pod_template(config, ctx);
+async fn deployment_spec(
+    config: &WasmCloudHostConfig,
+    ctx: Arc<Context>,
+) -> Result<DeploymentSpec> {
+    let pod_template = pod_template(config, ctx).await?;
     let ls = LabelSelector {
         match_labels: Some(selector_labels(config)),
         ..Default::default()
     };
 
-    DeploymentSpec {
+    Ok(DeploymentSpec {
         replicas: Some(config.spec.host_replicas as i32),
         selector: ls,
         template: pod_template,
         ..Default::default()
-    }
+    })
 }
 
 fn pod_labels(config: &WasmCloudHostConfig) -> BTreeMap<String, String> {
@@ -619,18 +766,18 @@ fn selector_labels(config: &WasmCloudHostConfig) -> BTreeMap<String, String> {
     labels
 }
 
-fn daemonset_spec(config: &WasmCloudHostConfig, ctx: Arc<Context>) -> DaemonSetSpec {
-    let pod_template = pod_template(config, ctx);
+async fn daemonset_spec(config: &WasmCloudHostConfig, ctx: Arc<Context>) -> Result<DaemonSetSpec> {
+    let pod_template = pod_template(config, ctx).await?;
     let ls = LabelSelector {
         match_labels: Some(selector_labels(config)),
         ..Default::default()
     };
 
-    DaemonSetSpec {
+    Ok(DaemonSetSpec {
         selector: ls,
         template: pod_template,
         ..Default::default()
-    }
+    })
 }
 
 async fn configure_hosts(config: &WasmCloudHostConfig, ctx: Arc<Context>) -> Result<()> {
@@ -700,37 +847,39 @@ async fn configure_hosts(config: &WasmCloudHostConfig, ctx: Arc<Context>) -> Res
         ];
     }
 
-    if let Some(scheduling_options) = &config.spec.scheduling_options {
-        if scheduling_options.daemonset {
-            let mut spec = daemonset_spec(config, ctx.clone());
-            spec.template.spec.as_mut().unwrap().containers[1]
-                .env
-                .as_mut()
-                .unwrap()
-                .append(&mut env_vars);
-            let ds = DaemonSet {
-                metadata: ObjectMeta {
-                    name: Some(config.name_any()),
-                    namespace: Some(config.namespace().unwrap()),
-                    owner_references: Some(vec![config.controller_owner_ref(&()).unwrap()]),
-                    labels: Some(common_labels()),
-                    ..Default::default()
-                },
-                spec: Some(spec),
+    if config
+        .spec
+        .scheduling_options
+        .as_ref()
+        .is_some_and(|so| so.daemonset)
+    {
+        let mut spec = daemonset_spec(config, ctx.clone()).await?;
+        spec.template.spec.as_mut().unwrap().containers[1]
+            .env
+            .as_mut()
+            .unwrap()
+            .append(&mut env_vars);
+        let ds = DaemonSet {
+            metadata: ObjectMeta {
+                name: Some(config.name_any()),
+                namespace: Some(config.namespace().unwrap()),
+                owner_references: Some(vec![config.controller_owner_ref(&()).unwrap()]),
+                labels: Some(common_labels()),
                 ..Default::default()
-            };
+            },
+            spec: Some(spec),
+            ..Default::default()
+        };
 
-            let api =
-                Api::<DaemonSet>::namespaced(ctx.client.clone(), &config.namespace().unwrap());
-            api.patch(
-                &config.name_any(),
-                &PatchParams::apply(CLUSTER_CONFIG_FINALIZER),
-                &Patch::Apply(ds),
-            )
-            .await?;
-        }
+        let api = Api::<DaemonSet>::namespaced(ctx.client.clone(), &config.namespace().unwrap());
+        api.patch(
+            &config.name_any(),
+            &PatchParams::apply(CLUSTER_CONFIG_FINALIZER),
+            &Patch::Apply(ds),
+        )
+        .await?;
     } else {
-        let mut spec = deployment_spec(config, ctx.clone());
+        let mut spec = deployment_spec(config, ctx.clone()).await?;
         spec.template.spec.as_mut().unwrap().containers[1]
             .env
             .as_mut()

src/lib.rs

@@ -31,6 +31,9 @@ pub enum Error {
     #[error("Error retrieving secrets: {0}")]
     SecretError(String),
 
+    #[error("Certificate error: {0}")]
+    CertificateError(String),
+
     #[error("Error rendering template: {0}")]
     RenderError(#[from] RenderError),
 }

src/main.rs

@@ -13,9 +13,10 @@ use kube::{
     client::Client,
     CustomResourceExt,
 };
-use opentelemetry::sdk::{
-    trace::{self, RandomIdGenerator, Sampler},
-    Resource as OTELResource,
+use opentelemetry::KeyValue;
+use opentelemetry_sdk::{
+    trace::{RandomIdGenerator, Sampler},
+    Resource,
 };
 use std::io::IsTerminal;
 use std::net::SocketAddr;
@@ -27,6 +28,13 @@ use wasmcloud_operator_types::v1alpha1::WasmCloudHostConfig;
 
 #[tokio::main]
 async fn main() -> Result<()> {
+    let args = std::env::args().collect::<Vec<_>>();
+    if args.iter().any(|arg| arg == "-V" || arg == "--version") {
+        let version = version();
+        println!("{} {version}", env!("CARGO_BIN_NAME"));
+        std::process::exit(0);
+    }
+
     let tracing_enabled = std::env::var("OTEL_EXPORTER_OTLP_ENDPOINT").is_ok();
     configure_tracing(tracing_enabled).map_err(|e| {
         error!("Failed to configure tracing: {}", e);
@@ -80,12 +88,12 @@ fn configure_tracing(enabled: bool) -> anyhow::Result<()> {
         .tracing()
         .with_exporter(opentelemetry_otlp::new_exporter().tonic())
         .with_trace_config(
-            trace::config()
+            opentelemetry_sdk::trace::config()
                 .with_sampler(Sampler::AlwaysOn)
                 .with_id_generator(RandomIdGenerator::default())
                 .with_max_attributes_per_span(32)
                 .with_max_events_per_span(32)
-                .with_resource(OTELResource::new(vec![opentelemetry::KeyValue::new(
+                .with_resource(Resource::new(vec![KeyValue::new(
                     "service.name",
                     "wasmcloud-operator",
                 )])),
@@ -191,3 +199,7 @@ async fn install_crd(client: &Client) -> anyhow::Result<()> {
 
     Ok(())
 }
+
+fn version() -> &'static str {
+    option_env!("CARGO_VERSION_INFO").unwrap_or(env!("CARGO_PKG_VERSION"))
+}

src/resources/application.rs

@@ -17,7 +17,7 @@ use kube::{
 };
 use secrecy::{ExposeSecret, SecretString};
 use serde::Serialize;
-use serde_json::json;
+use serde_json::{json, Value};
 use tokio::sync::RwLock;
 use tracing::error;
 use uuid::Uuid;
@@ -46,6 +46,8 @@ use crate::{
  */
 
 const GROUP_VERSION: &str = "core.oam.dev/v1beta1";
+const KUBECTL_LAST_APPLIED_CONFIG_ANNOTATION: &str =
+    "kubectl.kubernetes.io/last-applied-configuration";
 
 pub struct AppError(Error);
 
@@ -614,16 +616,63 @@ pub async fn patch_application(
         },
     };
 
-    let mut model = serde_json::to_value(current_manifest).unwrap();
+    let mut current = serde_json::to_value(current_manifest).unwrap();
     // Parse the Kubernetes-provided RFC 7386 patch
-    let patch: serde_json::Value = match serde_json::from_slice(&body) {
+    let patch = match serde_json::from_slice::<Value>(&body) {
         Ok(p) => p,
         Err(e) => return internal_error(anyhow!("unable to decode the patch: {}", e)),
     };
 
+    // Remove kubectl.kubernetes.io/last-applied-configuration annotation before
+    // we compare against the patch, otherwise we'll always end up creating a new version.
+    let last_applied_configuration = current
+        .get_mut("metadata")
+        .and_then(|metadata| metadata.get_mut("annotations"))
+        .and_then(|annotations| annotations.as_object_mut())
+        .and_then(|annotations| annotations.remove(KUBECTL_LAST_APPLIED_CONFIG_ANNOTATION));
+
+    // TODO(joonas): This doesn't quite work as intended at the moment,
+    // there are some differences in terms like replicas vs. instances:
+    // * Add(AddOperation { path: "/spec/components/0/traits/0/properties/replicas", value: Number(1) }),
+    // * Remove(RemoveOperation { path: "/spec/components/0/traits/0/properties/instances" }),
+    //
+    // which cause the server to always patch. Also, top-level entries such
+    // as apiVersion, kind and metadata are always removed.
+    //
+    // let diff = json_patch::diff(&current, &patch);
+    // if diff.is_empty() {
+    //     // If there's nothing to patch, return early.
+    //     return Json(()).into_response();
+    // };
+
+    // Remove current version so that either a new version is generated,
+    // or the one set in the incoming patch gets used.
+    if let Some(annotations) = current
+        .get_mut("metadata")
+        .and_then(|metadata| metadata.get_mut("annotations"))
+        .and_then(|annotations| annotations.as_object_mut())
+    {
+        annotations.remove("version");
+    }
+
     // Attempt to patch the currently running version
-    json_patch::merge(&mut model, &patch);
-    let updated_manifest: Manifest = match serde_json::from_value(model) {
+    json_patch::merge(&mut current, &patch);
+
+    // Re-insert "kubectl.kubernetes.io/last-applied-configuration" if one was set
+    if let Some(last_applied_config) = last_applied_configuration {
+        if let Some(annotations) = current
+            .get_mut("metadata")
+            .and_then(|metadata| metadata.get_mut("annotations"))
+            .and_then(|annotations| annotations.as_object_mut())
+        {
+            annotations.insert(
+                KUBECTL_LAST_APPLIED_CONFIG_ANNOTATION.to_string(),
+                last_applied_config,
+            );
+        }
+    }
+
+    let updated_manifest = match serde_json::from_value::<Manifest>(current) {
         Ok(m) => m,
         Err(e) => return internal_error(anyhow!("unable to patch the application: {}", e)),
     };

src/services.rs

@@ -618,13 +618,13 @@ fn http_server_component(manifest: &Manifest) -> Option<HttpServerComponent> {
                 if props.namespace == "wasi"
                     && props.package == "http"
                     && props.interfaces.contains(&"incoming-handler".to_string())
+                    && props.source.is_some()
                 {
-                    for p in props.source_config.iter() {
-                        if let Some(config_props) = &p.properties {
-                            if let Some(addr) = config_props.get("address") {
-                                details.address.clone_from(addr);
-                                should_create_service = true;
-                            };
+                    let source = props.source.as_ref().unwrap();
+                    for cp in source.config.iter() {
+                        if let Some(addr) = cp.properties.as_ref().and_then(|p| p.get("address")) {
+                            details.address.clone_from(addr);
+                            should_create_service = true;
                         }
                     }
                 }